From pete at nomadlogic.org Tue May 1 13:34:28 2007
From: pete at nomadlogic.org (Peter Wright)
Date: Tue, 1 May 2007 10:34:28 -0700 (PDT)
Subject: [nycbug-talk] what happened to darwinports?
Message-ID: <58969.160.33.20.11.1178040868.squirrel@webmail.nomadlogic.org>

so i've been using darwin ports for a long time now - but only recently went back to their website. am i crazy or did something major change on their site recently.

i can't even find the documentation anymore...if things are changing over there is it just superficial or are there other changes happening behind the scenes as well?

maybe i'm just being crazy...

-p
--
~~oO00Oo~~
Peter Wright
pete at nomadlogic.org
www.nomadlogic.org/~pete
310.869.9459

From george at ceetonetechnology.com Tue May 1 13:43:59 2007
From: george at ceetonetechnology.com (George Rosamond)
Date: Tue, 01 May 2007 13:43:59 -0400
Subject: [nycbug-talk] what happened to darwinports?
In-Reply-To: <58969.160.33.20.11.1178040868.squirrel@webmail.nomadlogic.org>
References: <58969.160.33.20.11.1178040868.squirrel@webmail.nomadlogic.org>
Message-ID: <46377C5F.4010004@ceetonetechnology.com>

Peter Wright wrote:
> so i've been using darwin ports for a long time now - but only recently
> went back to their website. am i crazy or did something major change on
> their site recently.
>
> i can't even find the documentation anymore...if things are changing over
> there is it just superficial or are there other changes happening behind
> the scenes as well?
>
> maybe i'm just being crazy...
>

Apple collapsed and made it MacPorts. . .

http://www.macports.org/

George

From pete at nomadlogic.org Tue May 1 13:52:27 2007
From: pete at nomadlogic.org (Peter Wright)
Date: Tue, 1 May 2007 10:52:27 -0700 (PDT)
Subject: [nycbug-talk] what happened to darwinports?
In-Reply-To: <46377C5F.4010004@ceetonetechnology.com>
References: <58969.160.33.20.11.1178040868.squirrel@webmail.nomadlogic.org> <46377C5F.4010004@ceetonetechnology.com>
Message-ID: <39656.160.33.20.11.1178041947.squirrel@webmail.nomadlogic.org>

> Peter Wright wrote:
>> so i've been using darwin ports for a long time now - but only recently
>> went back to their website. am i crazy or did something major change on
>> their site recently.
>>
>> i can't even find the documentation anymore...if things are changing
>> over
>> there is it just superficial or are there other changes happening behind
>> the scenes as well?
>>
>> maybe i'm just being crazy...
>>
>
> Apple collapsed and made it MacPorts. . .
>
> http://www.macports.org/
>

ahh..so apple pulled the plug on the project? lame. are the same people in charge of it, or did new leadership come in?

-p
--
~~oO00Oo~~
Peter Wright
pete at nomadlogic.org
www.nomadlogic.org/~pete
310.869.9459

From carton at Ivy.NET Tue May 1 15:36:23 2007
From: carton at Ivy.NET (Miles Nordin)
Date: Tue, 01 May 2007 15:36:23 -0400
Subject: [nycbug-talk] what happened to darwinports?
In-Reply-To: <39656.160.33.20.11.1178041947.squirrel@webmail.nomadlogic.org> (Peter Wright's message of "Tue, 1 May 2007 10:52:27 -0700 (PDT)")
References: <58969.160.33.20.11.1178040868.squirrel@webmail.nomadlogic.org> <46377C5F.4010004@ceetonetechnology.com> <39656.160.33.20.11.1178041947.squirrel@webmail.nomadlogic.org>
Message-ID:

>>>>> "pw" == Peter Wright writes:

    pw> ahh..so apple pulled the plug on the project?

try pkgsrc!

From george at ceetonetechnology.com Tue May 1 15:44:57 2007
From: george at ceetonetechnology.com (George Rosamond)
Date: Tue, 01 May 2007 15:44:57 -0400
Subject: [nycbug-talk] T1 cards and PFSense
Message-ID: <463798B9.1040407@ceetonetechnology.com>

Has anyone happily used Sangoma T1 cards on a PFSense firewall. . .?

George

From mikel.king at techally.com Tue May 1 15:46:19 2007
From: mikel.king at techally.com (Mikel King)
Date: Tue, 01 May 2007 15:46:19 -0400
Subject: [nycbug-talk] what happened to darwinports?
In-Reply-To: <39656.160.33.20.11.1178041947.squirrel@webmail.nomadlogic.org>
References: <58969.160.33.20.11.1178040868.squirrel@webmail.nomadlogic.org> <46377C5F.4010004@ceetonetechnology.com> <39656.160.33.20.11.1178041947.squirrel@webmail.nomadlogic.org>
Message-ID: <105451EA-3A3A-43E0-8D8D-2980CBC0F23E@techally.com>

On May 1, 2007, at 1:52 PM, Peter Wright wrote:

>
>> Peter Wright wrote:
>>> so i've been using darwin ports for a long time now - but only
>>> recently
>>> went back to their website. am i crazy or did something major
>>> change on
>>> their site recently.
>>>
>>> i can't even find the documentation anymore...if things are changing
>>> over
>>> there is it just superficial or are there other changes happening
>>> behind
>>> the scenes as well?
>>>
>>> maybe i'm just being crazy...
>>>
>>
>> Apple collapsed and made it MacPorts. . .
>>
>> http://www.macports.org/
>>
>
> ahh..so apple pulled the plug on the project? lame. are the same
> people
> in charge of it, or did new leadership come in?
>
> -p
>

I can not attest as to the leadership, but thus far, other than the name/URL change, everything seems to work the same. I'd recommend that you grab the latest version though from the macports site and run the selfupdate from there.

Cheers,
Mikel

From george at ceetonetechnology.com Tue May 1 15:56:52 2007
From: george at ceetonetechnology.com (George Rosamond)
Date: Tue, 01 May 2007 15:56:52 -0400
Subject: [nycbug-talk] T1 cards and PFSense
In-Reply-To: <463798B9.1040407@ceetonetechnology.com>
References: <463798B9.1040407@ceetonetechnology.com>
Message-ID: <46379B84.5020106@ceetonetechnology.com>

George Rosamond wrote:
> Has anyone happily used Sangoma T1 cards on a PFSense firewall. . .?
>
> George

This is a general answer:

http://faq.pfsense.org/index.php?action=artikel&cat=2&id=114&artlang=en

stating that "At this time, there is no support for any T1, E1, frame relay, or similar equipment."

But not sure if that includes T1 cards. . . although most likely . . .

George

From lavalamp at spiritual-machines.org Tue May 1 16:10:48 2007
From: lavalamp at spiritual-machines.org (Brian A. Seklecki)
Date: Tue, 1 May 2007 16:10:48 -0400 (EDT)
Subject: [nycbug-talk] T1 cards and PFSense
In-Reply-To: <46379B84.5020106@ceetonetechnology.com>
References: <463798B9.1040407@ceetonetechnology.com> <46379B84.5020106@ceetonetechnology.com>
Message-ID: <20070501160828.N67008@arbitor.digitalfreaks.org>

Yea. In most designs, high speed serial WAN emulation rarely happens at the same device as stateful packet inspection.

Of course, I'm all for it.

~BAS

On Tue, 1 May 2007, George Rosamond wrote:

> George Rosamond wrote:
>> Has anyone happily used Sangoma T1 cards on a PFSense firewall. . .?
>>
>> George
>
> This is a general answer:
>
> http://faq.pfsense.org/index.php?action=artikel&cat=2&id=114&artlang=en
>
> stating that "At this time, there is no support for any T1, E1, frame
> relay, or similar equipment."
>
> But not sure if that includes T1 cards. . . although most likely . . .
>
> George
> _______________________________________________
> % NYC*BUG talk mailing list
> http://lists.nycbug.org/mailman/listinfo/talk
> %Be sure to check out our Jobs and NYCBUG-announce lists
> %We meet the first Wednesday of the month
>

l8*
-lava (Brian A. Seklecki - Pittsburgh, PA, USA)
http://www.spiritual-machines.org/

"...from back in the heady days when "helpdesk" meant nothing, "diskquota" meant everything, and lives could be bought and sold for a couple of pages of laser printout - and frequently were."

From nycbug at chrisbuechler.com Tue May 1 16:35:02 2007
From: nycbug at chrisbuechler.com (Chris Buechler)
Date: Tue, 01 May 2007 16:35:02 -0400
Subject: [nycbug-talk] T1 cards and PFSense
In-Reply-To: <46379B84.5020106@ceetonetechnology.com>
References: <463798B9.1040407@ceetonetechnology.com> <46379B84.5020106@ceetonetechnology.com>
Message-ID: <4637A476.7090802@chrisbuechler.com>

Hey George, all,

George Rosamond wrote:
> George Rosamond wrote:
>
>> Has anyone happily used Sangoma T1 cards on a PFSense firewall. . .?
>>
>> George
>>
>
> This is a general answer:
>
> http://faq.pfsense.org/index.php?action=artikel&cat=2&id=114&artlang=en
>
> stating that "At this time, there is no support for any T1, E1, frame
> relay, or similar equipment."
>
> But not sure if that includes T1 cards. . . although most likely . . .
>

Yep, no T1 support at all. None of the developers have the hardware nor test equipment to make it happen.

But, somebody popped up yesterday with a working setup, and sounds like he may implement it in the GUI.
http://forum.pfsense.org/index.php/topic,4628.msg28196.html (cmb is me)

Even with someone saying they'll implement it, from past experience I give it maybe a 25% chance of happening.

If that guy doesn't do it, for any of the existing developers to take on that project it'll likely take a bounty from a corporate sponsor to supply the hardware and pay for the development to be done.

Cheers,
Chris

From pete at nomadlogic.org Tue May 1 16:44:06 2007
From: pete at nomadlogic.org (Peter Wright)
Date: Tue, 1 May 2007 13:44:06 -0700 (PDT)
Subject: [nycbug-talk] what happened to darwinports?
In-Reply-To:
References: <58969.160.33.20.11.1178040868.squirrel@webmail.nomadlogic.org> <46377C5F.4010004@ceetonetechnology.com> <39656.160.33.20.11.1178041947.squirrel@webmail.nomadlogic.org>
Message-ID: <8933.160.33.20.11.1178052246.squirrel@webmail.nomadlogic.org>

>>>>>> "pw" == Peter Wright writes:
>
>     pw> ahh..so apple pulled the plug on the project?
>
> try pkgsrc!
>
>

heh - no need to hide, we are moving to pkgsrc soon (from RPM).

-p
--
~~oO00Oo~~
Peter Wright
pete at nomadlogic.org
www.nomadlogic.org/~pete
310.869.9459

From george at ceetonetechnology.com Tue May 1 17:15:32 2007
From: george at ceetonetechnology.com (George Rosamond)
Date: Tue, 01 May 2007 17:15:32 -0400
Subject: [nycbug-talk] T1 cards and PFSense
In-Reply-To: <4637A476.7090802@chrisbuechler.com>
References: <463798B9.1040407@ceetonetechnology.com> <46379B84.5020106@ceetonetechnology.com> <4637A476.7090802@chrisbuechler.com>
Message-ID: <4637ADF4.5000506@ceetonetechnology.com>

Chris Buechler wrote:
> Hey George, all,
>
> George Rosamond wrote:
>> George Rosamond wrote:
>>
>>> Has anyone happily used Sangoma T1 cards on a PFSense firewall. .
>>> .?
>>>
>>> George
>>>
>> This is a general answer:
>>
>> http://faq.pfsense.org/index.php?action=artikel&cat=2&id=114&artlang=en
>>
>> stating that "At this time, there is no support for any T1, E1,
>> frame relay, or similar equipment."
>>
>> But not sure if that includes T1 cards. . . although most likely . .
>> .
>>
>
> Yep, no T1 support at all. None of the developers have the hardware
> nor test equipment to make it happen.
>
> But, somebody popped up yesterday with a working setup, and sounds
> like he may implement it in the GUI.
> http://forum.pfsense.org/index.php/topic,4628.msg28196.html (cmb is
> me)
>

Nice. . .

> Even with someone saying they'll implement it, from past experience I
> give it maybe a 25% chance of happening.
>
> If that guy doesn't do it, for any of the existing developers to take
> on that project it'll likely take a bounty from a corporate sponsor
> to supply the hardware and pay for the development to be done.
>
> Cheers, Chris

Ahh. . .

Well, I'd strongly recommend you contacting Sangoma directly, as I know they are quite friendly to open source projects, including the BSDs.

For T1 access, there are vendors some of us could speak to about access at various colos. . . then we'd need remote console access, I'd guess.

g

From okan at demirmen.com Tue May 1 17:47:09 2007
From: okan at demirmen.com (Okan Demirmen)
Date: Tue, 1 May 2007 17:47:09 -0400
Subject: [nycbug-talk] T1 cards and PFSense
In-Reply-To: <4637ADF4.5000506@ceetonetechnology.com>
References: <463798B9.1040407@ceetonetechnology.com> <46379B84.5020106@ceetonetechnology.com> <4637A476.7090802@chrisbuechler.com> <4637ADF4.5000506@ceetonetechnology.com>
Message-ID: <20070501214709.GM8823@clam.khaoz.org>

On Tue 2007.05.01 at 17:15 -0400, George Rosamond wrote:
> Chris Buechler wrote:
> > Hey George, all,
> >
> > George Rosamond wrote:
> >> George Rosamond wrote:
> >>
> >>> Has anyone happily used Sangoma T1 cards on a PFSense firewall. .
> >>> .?
> >>>
> >>> George
> >>>
> >> This is a general answer:
> >>
> >> http://faq.pfsense.org/index.php?action=artikel&cat=2&id=114&artlang=en
> >>
> >> stating that "At this time, there is no support for any T1, E1,
> >> frame relay, or similar equipment."
> >>
> >> But not sure if that includes T1 cards. . . although most likely . .
> >> .
> >>
> >
> > Yep, no T1 support at all. None of the developers have the hardware
> > nor test equipment to make it happen.
> >
> > But, somebody popped up yesterday with a working setup, and sounds
> > like he may implement it in the GUI.
> > http://forum.pfsense.org/index.php/topic,4628.msg28196.html (cmb is
> > me)
> >
>
> Nice. . .
>
> > Even with someone saying they'll implement it, from past experience I
> > give it maybe a 25% chance of happening.
> >
> > If that guy doesn't do it, for any of the existing developers to take
> > on that project it'll likely take a bounty from a corporate sponsor
> > to supply the hardware and pay for the development to be done.
> >
> > Cheers, Chris
>
> Ahh. . .
>
> Well, I'd strongly recommend you contacting Sangoma directly, as I know
> they are quite friendly to open source projects, including the BSDs.
>
> For T1 access, there are vendors some of us could speak to about access
> at various colos. . . then we'd need remote console access, I'd guess.

i'm sorry, but bugging hardware vendors for hardware for GUI applications is a waste, imho. the device drivers already exist.

From pete at nomadlogic.org Tue May 1 18:22:06 2007
From: pete at nomadlogic.org (Peter Wright)
Date: Tue, 1 May 2007 15:22:06 -0700 (PDT)
Subject: [nycbug-talk] T1 cards and PFSense
In-Reply-To: <20070501214709.GM8823@clam.khaoz.org>
References: <463798B9.1040407@ceetonetechnology.com> <46379B84.5020106@ceetonetechnology.com> <4637A476.7090802@chrisbuechler.com> <4637ADF4.5000506@ceetonetechnology.com> <20070501214709.GM8823@clam.khaoz.org>
Message-ID: <19395.160.33.20.11.1178058126.squirrel@webmail.nomadlogic.org>

> On Tue 2007.05.01 at 17:15 -0400, George Rosamond wrote:
>> Chris Buechler wrote:
>> > Hey George, all,
>> >
>> > George Rosamond wrote:
>> >> George Rosamond wrote:
>> >>
>> >>> Has anyone happily used Sangoma T1 cards on a PFSense firewall. .
>> >>> .?
>> >>>
>> >>> George
>> >>>
>> >> This is a general answer:
>> >>
>> >> http://faq.pfsense.org/index.php?action=artikel&cat=2&id=114&artlang=en
>> >>
>> >> stating that "At this time, there is no support for any T1, E1,
>> >> frame relay, or similar equipment."
>> >>
>> >> But not sure if that includes T1 cards. . . although most likely . .
>> >> .
>> >>
>> >
>> > Yep, no T1 support at all. None of the developers have the hardware
>> > nor test equipment to make it happen.
>> >
>> > But, somebody popped up yesterday with a working setup, and sounds
>> > like he may implement it in the GUI.
>> > http://forum.pfsense.org/index.php/topic,4628.msg28196.html (cmb is
>> > me)
>> >
>>
>> Nice. . .
>>
>> > Even with someone saying they'll implement it, from past experience I
>> > give it maybe a 25% chance of happening.
>> >
>> > If that guy doesn't do it, for any of the existing developers to take
>> > on that project it'll likely take a bounty from a corporate sponsor
>> > to supply the hardware and pay for the development to be done.
>> >
>> > Cheers, Chris
>>
>> Ahh. . .
>>
>> Well, I'd strongly recommend you contacting Sangoma directly, as I know
>> they are quite friendly to open source projects, including the BSDs.
>>
>> For T1 access, there are vendors some of us could speak to about access
>> at various colos. . . then we'd need remote console access, I'd guess.
>
> i'm sorry, but bugging hardware vendors for hardware for GUI
> applications is a waste, imho. the device drivers already exist.

hmm...that's a tough one IMHO. i view PFSense as more of an appliance, so while sure the drivers do exist for the underlying OS - i can see how it would be helpful for the dev. to have access to "exotic" hardware to get it working and tested correctly. my reasoning is that the presentation layer is pretty tightly coupled with the kernel{drivers}/OS layer with appliances such as this.

-p
--
~~oO00Oo~~
Peter Wright
pete at nomadlogic.org
www.nomadlogic.org/~pete
310.869.9459

From lavalamp at spiritual-machines.org Tue May 1 18:37:43 2007
From: lavalamp at spiritual-machines.org (Brian A. Seklecki)
Date: Tue, 1 May 2007 18:37:43 -0400 (EDT)
Subject: [nycbug-talk] T1 cards and PFSense
In-Reply-To: <20070501214709.GM8823@clam.khaoz.org>
References: <463798B9.1040407@ceetonetechnology.com> <46379B84.5020106@ceetonetechnology.com> <4637A476.7090802@chrisbuechler.com> <4637ADF4.5000506@ceetonetechnology.com> <20070501214709.GM8823@clam.khaoz.org>
Message-ID: <20070501183351.I67008@arbitor.digitalfreaks.org>

>> For T1 access, there are vendors some of us could speak to about access
>> at various colos. . . then we'd need remote console access, I'd guess.

In *BSD, it's the wanpipe(8), fpipemon(8), cpipemon(8) CLI and Curses based commands that help you do all of the controller-level configs like DLCI, SDLC, Frame-Relay, PPP, Clock Settings, Channels, Loopbacks, protocol specific statistics, etc.

PS I'm getting rid of one of these:
http://pittsburgh.craigslist.org/sys/320741894.html

>
> i'm sorry, but bugging hardware vendors for hardware for GUI
> applications is a waste, imho. the device drivers already exist.
>

From george at ceetonetechnology.com Tue May 1 19:21:01 2007
From: george at ceetonetechnology.com (George Rosamond)
Date: Tue, 01 May 2007 19:21:01 -0400
Subject: [nycbug-talk] T1 cards and PFSense
In-Reply-To: <20070501214709.GM8823@clam.khaoz.org>
References: <463798B9.1040407@ceetonetechnology.com> <46379B84.5020106@ceetonetechnology.com> <4637A476.7090802@chrisbuechler.com> <4637ADF4.5000506@ceetonetechnology.com> <20070501214709.GM8823@clam.khaoz.org>
Message-ID: <4637CB5D.2050105@ceetonetechnology.com>

Okan Demirmen wrote:
> On Tue 2007.05.01 at 17:15 -0400, George Rosamond wrote:
>> Chris Buechler wrote:
>>> Hey George, all,
>>>
>>> George Rosamond wrote:
>>>> George Rosamond wrote:
>>>>
>>>>> Has anyone happily used Sangoma T1 cards on a PFSense firewall. .
>>>>> .?
>>>>>
>>>>> George
>>>>>
>>>> This is a general answer:
>>>>
>>>> http://faq.pfsense.org/index.php?action=artikel&cat=2&id=114&artlang=en
>>>>
>>>> stating that "At this time, there is no support for any T1, E1,
>>>> frame relay, or similar equipment."
>>>>
>>>> But not sure if that includes T1 cards. . . although most likely . .
>>>> .
>>>>
>>> Yep, no T1 support at all. None of the developers have the hardware
>>> nor test equipment to make it happen.
>>>
>>> But, somebody popped up yesterday with a working setup, and sounds
>>> like he may implement it in the GUI.
>>> http://forum.pfsense.org/index.php/topic,4628.msg28196.html (cmb is
>>> me)
>>>
>> Nice. . .
>>
>>> Even with someone saying they'll implement it, from past experience I
>>> give it maybe a 25% chance of happening.
>>>
>>> If that guy doesn't do it, for any of the existing developers to take
>>> on that project it'll likely take a bounty from a corporate sponsor
>>> to supply the hardware and pay for the development to be done.
>>>
>>> Cheers, Chris
>> Ahh. . .
>>
>> Well, I'd strongly recommend you contacting Sangoma directly, as I know
>> they are quite friendly to open source projects, including the BSDs.
>>
>> For T1 access, there are vendors some of us could speak to about access
>> at various colos. . . then we'd need remote console access, I'd guess.
>
> i'm sorry, but bugging hardware vendors for hardware for GUI
> applications is a waste, imho. the device drivers already exist.

Uhh. . .the gui app is for managing PF. . . we're not talking about an X11 editor. And it's about the OS, which has the support, so why wouldn't it be no big deal to add gui support for it?

And I know the device drivers exist. . . I was around the whole discussions on various levels about this. I'm quite sure Sangoma donated or someone bought hardware to at least some of the projects, but this is several years ago now.

I am also getting a better idea that PFSense's audience and usage is beyond your normal "I want to replace my Linksys" crowd, and if this application has a better audience, I think it's worth contributing for its growth. . .

g

From stucchi at willystudios.com Tue May 1 19:21:46 2007
From: stucchi at willystudios.com (Massimiliano Stucchi)
Date: Wed, 2 May 2007 01:21:46 +0200
Subject: [nycbug-talk] T1 cards and PFSense
In-Reply-To: <463798B9.1040407@ceetonetechnology.com>
References: <463798B9.1040407@ceetonetechnology.com>
Message-ID: <20070501232146.GZ14893@willystudios.com>

On 010507, 15:44, George Rosamond wrote:
> Has anyone happily used Sangoma T1 cards on a PFSense firewall. . .?
>

In order to use the sangoma cards you should simply install the wanpipe drivers from them, provided as a package directly from the company. Thus, it would be easy to create a version of pfSense including the required package (apart from licensing issues).

We'll be hosting a Sangoma developer at BSDCan inside my VoIP Tutorial. I'll see if I can do something.

Ciao!

--
Massimiliano Stucchi, CTO & Director of Operations
WillyStudios.com - IT Consulting, Web and VoIP Services
stucchi at willystudios.com | Tel (+39) 0244417203 | Fax (+39) 0244417204
IT-20040, Carnate (Milano), via Carducci 9

From nycbug at chrisbuechler.com Wed May 2 16:01:19 2007
From: nycbug at chrisbuechler.com (Chris Buechler)
Date: Wed, 02 May 2007 16:01:19 -0400
Subject: [nycbug-talk] T1 cards and PFSense
In-Reply-To: <20070501214709.GM8823@clam.khaoz.org>
References: <463798B9.1040407@ceetonetechnology.com> <46379B84.5020106@ceetonetechnology.com> <4637A476.7090802@chrisbuechler.com> <4637ADF4.5000506@ceetonetechnology.com> <20070501214709.GM8823@clam.khaoz.org>
Message-ID: <4638EE0F.7080604@chrisbuechler.com>

Okan Demirmen wrote:
> i'm sorry, but bugging hardware vendors for hardware for GUI
> applications is a waste, imho. the device drivers already exist.
>

Depends on the vendor's point of view - if it's supported in the PFSense GUI, is the project used by enough businesses around the world willing to spend the money to buy the cards that it's worth their effort? The answer is almost certainly yes, based on frequency of past requests for this and the large and growing popularity of the project, but it depends on how they feel about it.

95% of PFSense users don't see it as FreeBSD, they see it as a firewall distro, and if it doesn't support something in the GUI it makes no difference to them whether it's because there isn't a driver, or the GUI support isn't written - it won't work, it's not supported, they're not going to buy the hardware.

Since the developers have no personal need for such support, if the vendor doesn't care enough to help us support their hardware, we don't care enough to support it. All our developers have pretty decent test environments, and the 4 biggest contributors have several thousand dollars worth of equipment because there are plenty of hardware vendors willing to contribute to the project. They continue to do so, so it must be paying off for them.

There's plenty of work in the project, as far as new features go, that we have a personal interest in doing. Anything outside that requires an external influence - hardware, money, or both. That approach has worked out well for us thus far, our developers make at least a pittance for their efforts through some paid development work, and we have pretty impressive home network setups. This is great for everyone involved, especially the community as a whole because it helps keep us motivated, and everybody benefits from the development.

But for this, I'm not sure if there's enough developer interest to make it happen, even if given the hardware. It depends entirely on how time consuming it would be.

Max - Scott and I will have to get together with you at BSDCan to discuss with the Sangoma developer. If it's easy to implement, and they can get me a card I can test with a crossover between it and a Cisco router, it shouldn't be a problem to implement I don't believe. But that's mostly up to Scott as he'd be doing the development work. I would be willing to do all the testing, and have the Cisco equipment to act as the other end of the T1.

Cheers,
-Chris

From lego at therac25.net Thu May 3 15:08:36 2007
From: lego at therac25.net (Andy Michaels)
Date: Thu, 3 May 2007 15:08:36 -0400 (EDT)
Subject: [nycbug-talk] Connecting a MacOS X client to an isakmpd VPN server...
In-Reply-To: <461FC106.8090404@goldenpath.org>
References: <461FC106.8090404@goldenpath.org>
Message-ID:

Not sure if this is 100% relevant to this list, but I was wondering if anyone had any pointers to getting a Mac client connected to a VPN that runs isakmpd. I'm actually running isakmpd on Debian, but since it's an OpenBSD program, I thought there might be some experience here.

Thanks in advance,

-Andy

From lavalamp at spiritual-machines.org Thu May 3 15:18:52 2007
From: lavalamp at spiritual-machines.org (Brian A. Seklecki)
Date: Thu, 3 May 2007 15:18:52 -0400 (EDT)
Subject: [nycbug-talk] Connecting a MacOS X client to an isakmpd VPN server...
In-Reply-To:
References: <461FC106.8090404@goldenpath.org>
Message-ID: <20070503151717.F67008@arbitor.digitalfreaks.org>

Right now (as in, I stopped to reply to this), I'm having moderate success using racoon(8) 0.7x with Cisco VPN Client 4.x.

Split subnet works, DNS interception works, Xauth authentication works.

racoon(8) is making a lot of progress that may help keep it competitive.

~BAS

On Thu, 3 May 2007, Andy Michaels wrote:

> Not sure if this is 100% relevant to this list, but I was wondering if
> anyone had any pointers to getting a Mac client connected to a VPN that
> runs isakmpd. I'm actually running isakmpd on Debian, but since it's an
> OpenBSD program, I thought there might be some experience here.
>
> Thanks in advance,
>
> -Andy
>

l8*
-lava (Brian A. Seklecki - Pittsburgh, PA, USA)
http://www.spiritual-machines.org/

"...from back in the heady days when "helpdesk" meant nothing, "diskquota" meant everything, and lives could be bought and sold for a couple of pages of laser printout - and frequently were."

From carton at Ivy.NET Thu May 3 15:27:13 2007
From: carton at Ivy.NET (Miles Nordin)
Date: Thu, 03 May 2007 15:27:13 -0400
Subject: [nycbug-talk] Connecting a MacOS X client to an isakmpd VPN server...
In-Reply-To: <20070503151717.F67008@arbitor.digitalfreaks.org> (Brian A. Seklecki's message of "Thu, 3 May 2007 15:18:52 -0400 (EDT)")
References: <461FC106.8090404@goldenpath.org> <20070503151717.F67008@arbitor.digitalfreaks.org>
Message-ID:

>>>>> "bas" == Brian A Seklecki writes:

    bas> Right now (as in, I stopped to reply to this), I'm having
    bas> moderate success using racoon(8) 0.7x with Cisco VPN Client
    bas> 4.x.

how about NAT traversal? and on which BSD?

and is it a good idea to buy Cisco's VPN client for Mac OS X, or is there something better-integrated that comes with Mac OS X?

From lego at therac25.net Thu May 3 15:53:08 2007
From: lego at therac25.net (Andy Michaels)
Date: Thu, 3 May 2007 15:53:08 -0400 (EDT)
Subject: [nycbug-talk] Connecting a MacOS X client to an isakmpd VPN server...
In-Reply-To:
References: <461FC106.8090404@goldenpath.org> <20070503151717.F67008@arbitor.digitalfreaks.org>
Message-ID:

On Thu, 3 May 2007, Miles Nordin wrote:

>>>>>> "bas" == Brian A Seklecki writes:
>
>     bas> Right now (as in, I stopped to reply to this), I'm having
>     bas> moderate success using racoon(8) 0.7x with Cisco VPN Client
>     bas> 4.x.
>
> how about NAT traversal? and on which BSD?
>
> and is it a good idea to buy Cisco's VPN client for Mac OS X, or is
> there something better-integrated that comes with Mac OS X?
>

Thanks for the reply, Brian, I have similar questions and some clarification. I'm trying to use non-commercial software, so my ideal setup would be:

VPN server| <--IPSEC--> | Mac using built-in Apple VPN client

on the VPN server side, I'd heard that isakmp was the simplest wrt setup effort. I'm willing to look at freeswan or racoon. I've heard freeswan is no fun.

-Andy

From brian.mcgonigle at gmail.com Thu May 3 15:58:00 2007
From: brian.mcgonigle at gmail.com (Brian McGonigle)
Date: Thu, 3 May 2007 15:58:00 -0400
Subject: [nycbug-talk] Connecting a MacOS X client to an isakmpd VPN server...
In-Reply-To:
References: <461FC106.8090404@goldenpath.org> <20070503151717.F67008@arbitor.digitalfreaks.org>
Message-ID:

On May 3, 2007, at 3:53 PM, Andy Michaels wrote:

> On Thu, 3 May 2007, Miles Nordin wrote:
>
>>>>>>> "bas" == Brian A Seklecki
>>>>>>> writes:
>>
>> bas> Right now (as in, I stopped to reply to this), I'm having
>> bas> moderate success using racoon(8) 0.7x with Cisco VPN Client
>> bas> 4.x.
>>
>> how about NAT traversal? and on which BSD?
>>
>> and is it a good idea to buy Cisco's VPN client for Mac OS X, or is
>> there something better-integrated that comes with Mac OS X?
>>
>
> Thanks for the reply, Brian, I have similar questions and some
> clarification. I'm trying to use non-commercial software, so my ideal
> setup would be:
>
> VPN server| <--IPSEC--> | Mac using built-in Apple VPN client
>
> on the VPN server side, I'd heard that isakmp was the simplest wrt
> setup
> effort. I'm willing to look at freeswan or racoon. I've heard
> freeswan
> is no fun.
>
> -Andy
> _______________________________________________

Check this out. Complete instructions for VPN Server/Mac Client.

http://www.jacco2.dds.nl/networking/openswan-macosx.html#Configuration_Linux

From lavalamp at spiritual-machines.org Thu May 3 16:36:07 2007
From: lavalamp at spiritual-machines.org (Brian A. Seklecki)
Date: Thu, 3 May 2007 16:36:07 -0400 (EDT)
Subject: [nycbug-talk] Connecting a MacOS X client to an isakmpd VPN server...
In-Reply-To:
References: <461FC106.8090404@goldenpath.org> <20070503151717.F67008@arbitor.digitalfreaks.org>
Message-ID: <20070503153748.A67008@arbitor.digitalfreaks.org>

Bill Moran swears by OpenVPN; but I'm a fan of (somewhat) standards based IPSec VPNs. Cisco splits the difference. .. and the licensing around the client is murky. But the client is readily available to most. As long as you have one PIX or VPNC3k in your network, then as far as I'm concerned, you can use the client.

The problem I'm having right now is that the beta3 of 0.7 racoon(8) isn't properly flushing SAs out of the SAD/SPD

~BAS

l8*
-lava (Brian A. Seklecki - Pittsburgh, PA, USA)
http://www.spiritual-machines.org/

From driodeiros at gmail.com Thu May 3 18:47:59 2007
From: driodeiros at gmail.com (David Rio Deiros)
Date: Thu, 3 May 2007 18:47:59 -0400
Subject: [nycbug-talk] what happened to darwinports?
In-Reply-To: <8933.160.33.20.11.1178052246.squirrel@webmail.nomadlogic.org>
References: <58969.160.33.20.11.1178040868.squirrel@webmail.nomadlogic.org> <46377C5F.4010004@ceetonetechnology.com> <39656.160.33.20.11.1178041947.squirrel@webmail.nomadlogic.org> <8933.160.33.20.11.1178052246.squirrel@webmail.nomadlogic.org>
Message-ID: <20070503224759.GA62365@r2d2.reverse.net>

On Tue, May 01, 2007 at 01:44:06PM -0700, Peter Wright wrote:
>
> >>>>>> "pw" == Peter Wright writes:
> >
> > pw> ahh..so apple pulled the plug on the project?
> >
> > try pkgsrc!
> >
> >
>
> heh - no need to hide, we are moving to pkgsrc soon (from RPM).

I was thinking of moving from fink to pkgsrc also but this is holding
me down:

"There are two methods of using pkgsrc on Mac OS X, by using a disk
image, or a UFS or HFSX partition."

I don't have HFSX on my partition so I would have to use the diskimage
approach.

What are you guys using?

David

From schmonz at schmonz.com Thu May 3 19:06:42 2007
From: schmonz at schmonz.com (Amitai Schlair)
Date: Thu, 3 May 2007 19:06:42 -0400
Subject: [nycbug-talk] what happened to darwinports?
In-Reply-To: <20070503224759.GA62365@r2d2.reverse.net>
References: <58969.160.33.20.11.1178040868.squirrel@webmail.nomadlogic.org> <46377C5F.4010004@ceetonetechnology.com> <39656.160.33.20.11.1178041947.squirrel@webmail.nomadlogic.org> <8933.160.33.20.11.1178052246.squirrel@webmail.nomadlogic.org> <20070503224759.GA62365@r2d2.reverse.net>
Message-ID: <1053AC2D-8AEB-43FC-9048-3197EDB4A3F8@schmonz.com>

On May 3, 2007, at 6:47 PM, David Rio Deiros wrote:

> On Tue, May 01, 2007 at 01:44:06PM -0700, Peter Wright wrote:
>>
>>>>>>>> "pw" == Peter Wright writes:
>>>
>>> pw> ahh..so apple pulled the plug on the project?
>>>
>>> try pkgsrc!
>>>
>>>
>>
>>
>> heh - no need to hide, we are moving to pkgsrc soon (from RPM).
>
> I was thinking of moving from fink to pkgsrc also but this is holding
> me down:
>
> "There are two methods of using pkgsrc on Mac OS X, by using a disk
> image, or a UFS or HFSX partition."
>
> I don't have HFSX on my partition so I would have to use the diskimage
> approach.

You can also NFS-mount pkgsrc from somewhere else, if you have a suitable
somewhere else. But the disk image approach isn't too bad. You only need
enough case-sensitive disk image for pkgsrc itself; almost all packages
can build and install on case-insensitive filesystems.

From nikolai at fetissov.org Thu May 3 22:58:10 2007
From: nikolai at fetissov.org (nikolai)
Date: Thu, 3 May 2007 22:58:10 -0400 (EDT)
Subject: [nycbug-talk] May 2007 meeting audio
Message-ID: <58926.69.119.146.233.1178247490.squirrel@www.geekisp.com>

Folks,

mp3 of Amitai's presentation is up at http://www.fetissov.org/public/nycbug/

--
Nikolai

From driodeiros at gmail.com Fri May 4 00:26:06 2007
From: driodeiros at gmail.com (David Rio Deiros)
Date: Fri, 4 May 2007 00:26:06 -0400
Subject: [nycbug-talk] Connecting a MacOS X client to an isakmpd VPN server...
In-Reply-To: <20070503153748.A67008@arbitor.digitalfreaks.org>
References: <461FC106.8090404@goldenpath.org> <20070503151717.F67008@arbitor.digitalfreaks.org> <20070503153748.A67008@arbitor.digitalfreaks.org>
Message-ID: <20070504042606.GA11806@r2d2.reverse.net>

On Thu, May 03, 2007 at 04:36:07PM -0400, Brian A. Seklecki wrote:
>
> Bill Moran swears by OpenVPN; but I'm a fan of (somewhat) standards based
> IPSec VPNs.
>
> Cisco splits the difference.
>
> .. and the licensing around the client is murky. But the client is readily
> available to most. As long as you have one PIX or VPNC3k in your network,
> then as far as I'm concerned, you can use the client.

I am using cisco VPN software 4.9. We have a PIX at the office though.
NAT traversal works fine as soon as there is only one client behind the
NAT router.

From lavalamp at spiritual-machines.org Fri May 4 00:44:10 2007
From: lavalamp at spiritual-machines.org (Brian A. Seklecki)
Date: Fri, 4 May 2007 00:44:10 -0400 (EDT)
Subject: [nycbug-talk] Connecting a MacOS X client to an isakmpd VPN ...
In-Reply-To: <20070504042606.GA11806@r2d2.reverse.net>
References: <461FC106.8090404@goldenpath.org> <20070503151717.F67008@arbitor.digitalfreaks.org> <20070503153748.A67008@arbitor.digitalfreaks.org> <20070504042606.GA11806@r2d2.reverse.net>
Message-ID: <20070504004244.R67008@arbitor.digitalfreaks.org>

racoon(8) and ipsec-tools support NAT-T; it's in the 0.7x code.
--enable--natt I believe is the compile-time flag. UDP is definitely
supported; haven't tried TCP yet.

the UDP NAT-T works on the server for sure; haven't tried it as a client
either.

~BAS

On Fri, 4 May 2007, David Rio Deiros wrote:

> On Thu, May 03, 2007 at 04:36:07PM -0400, Brian A. Seklecki wrote:
>>
>> Bill Moran swears by OpenVPN; but I'm a fan of (somewhat) standards based
>> IPSec VPNs.
>>
>> Cisco splits the difference.
>>
>> .. and the licensing around the client is murky. But the client is readily
>> available to most. As long as you have one PIX or VPNC3k in your network,
>> then as far as I'm concerned, you can use the client.
>
> I am using cisco VPN software 4.9. We have a PIX at the office though.
> NAT traversal works fine as soon as there is only one client behind the
> NAT router.

l8* -lava (Brian A. Seklecki - Pittsburgh, PA, USA)
http://www.spiritual-machines.org/

"...from back in the heady days when "helpdesk" meant nothing, "diskquota"
meant everything, and lives could be bought and sold for a couple of pages
of laser printout - and frequently were."

From josh at rivels.org Fri May 4 10:09:41 2007
From: josh at rivels.org (Josh Rivel)
Date: Fri, 4 May 2007 10:09:41 -0400
Subject: [nycbug-talk] Connecting a MacOS X client to an isakmpd VPN ...
In-Reply-To: <20070504004244.R67008@arbitor.digitalfreaks.org>
References: <461FC106.8090404@goldenpath.org> <20070503151717.F67008@arbitor.digitalfreaks.org> <20070503153748.A67008@arbitor.digitalfreaks.org> <20070504042606.GA11806@r2d2.reverse.net> <20070504004244.R67008@arbitor.digitalfreaks.org>
Message-ID: <20070504140941.GA4278@rivels.org>

I've had good luck with OpenVPN on OSX using the Tunnelblix (sp?) client,
connecting to an OpenBSD OpenVPN server.

Josh

From carton at Ivy.NET Fri May 4 10:30:06 2007
From: carton at Ivy.NET (Miles Nordin)
Date: Fri, 04 May 2007 10:30:06 -0400
Subject: [nycbug-talk] Connecting a MacOS X client to an isakmpd VPN ...
In-Reply-To: <20070504004244.R67008@arbitor.digitalfreaks.org> (Brian A. Seklecki's message of "Fri, 4 May 2007 00:44:10 -0400 (EDT)")
References: <461FC106.8090404@goldenpath.org> <20070503151717.F67008@arbitor.digitalfreaks.org> <20070503153748.A67008@arbitor.digitalfreaks.org> <20070504042606.GA11806@r2d2.reverse.net> <20070504004244.R67008@arbitor.digitalfreaks.org>
Message-ID:

>>>>> "bas" == Brian A Seklecki writes:

    bas> racoon(8) and ipsec-tools support NAT-T; it's in the 0.7x
    bas> code. --enable--natt I believe is the compile-time flag. UDP
    bas> is definitely supported; haven't tried TCP yet.

but kernel support is required, too. and there are a disgustingly
stupid number of variations on something so simple as NAT-T so that
stacks often don't interoperate. so I was wondering with what client
and with which BSD.

the ``works, but only for one road warrior behind a NAT'' problem David
mentioned used to be common, too.

From stucchi at willystudios.com Fri May 4 10:34:13 2007
From: stucchi at willystudios.com (Massimiliano Stucchi)
Date: Fri, 4 May 2007 16:34:13 +0200
Subject: [nycbug-talk] BSDCan car trip - LAST CALL
Message-ID: <20070504143413.GN14893@willystudios.com>

Hi All,

I'm sure there's someone out there who is still undecided either to come or
not to BSDCan...

We are probably going to rent a van, 7 seats, and have a couple free seats.
If interested, please email me as soon as possible. We are leaving on
Tuesday 15th and coming back on Sunday 20th.

Ciao !

--
Massimiliano Stucchi, CTO & Director of Operations
WillyStudios.com - IT Consulting, Web and VoIP Services
stucchi at willystudios.com | Tel (+39) 0244417203 | Fax (+39) 0244417204
IT-20040, Carnate (Milano), via Carducci 9

From lavalamp at spiritual-machines.org Fri May 4 11:47:59 2007
From: lavalamp at spiritual-machines.org (Brian A. Seklecki)
Date: Fri, 4 May 2007 11:47:59 -0400 (EDT)
Subject: [nycbug-talk] Connecting a MacOS X client to an isakmpd VPN ...
In-Reply-To:
References: <461FC106.8090404@goldenpath.org> <20070503151717.F67008@arbitor.digitalfreaks.org> <20070503153748.A67008@arbitor.digitalfreaks.org> <20070504042606.GA11806@r2d2.reverse.net> <20070504004244.R67008@arbitor.digitalfreaks.org>
Message-ID: <20070504114635.L67008@arbitor.digitalfreaks.org>

Right; and for some reason, the FreeBSD 6.x NAT-T bug hasn't been applied to
the tree; it's just floating out there. It works fine on NetBSD though.

~BAS

l8* -lava (Brian A. Seklecki - Pittsburgh, PA, USA)
http://www.spiritual-machines.org/

-------------- next part --------------
>>>>> "bas" == Brian A Seklecki writes:

    bas> racoon(8) and ipsec-tools support NAT-T; it's in the 0.7x
    bas> code. --enable--natt I believe is the compile-time flag. UDP
    bas> is definitely supported; haven't tried TCP yet.

but kernel support is required, too. and there are a disgustingly
stupid number of variations on something so simple as NAT-T so that
stacks often don't interoperate. so I was wondering with what client
and with which BSD.

the ``works, but only for one road warrior behind a NAT'' problem David
mentioned used to be common, too.

From lavalamp at spiritual-machines.org Fri May 4 13:04:50 2007
From: lavalamp at spiritual-machines.org (Brian A. Seklecki) Date: Fri, 4 May 2007 13:04:50 -0400 (EDT) Subject: [nycbug-talk] Connecting a MacOS X client to an isakmpd VPN ... In-Reply-To: <20070504114635.L67008@arbitor.digitalfreaks.org> References: <461FC106.8090404@goldenpath.org> <20070503151717.F67008@arbitor.digitalfreaks.org> <20070503153748.A67008@arbitor.digitalfreaks.org> <20070504042606.GA11806@r2d2.reverse.net> <20070504004244.R67008@arbitor.digitalfreaks.org> <20070504114635.L67008@arbitor.digitalfreaks.org> Message-ID: <20070504130256.G67008@arbitor.digitalfreaks.org> > Right; and for some reason, the FreeBSD 6.x NAT-T bug hasn't been applied to s/bug/patch/attached ~BAS -------------- next part -------------- Index: conf/options =================================================================== RCS file: /home/ncvs/src/sys/conf/options,v retrieving revision 1.510.2.19 diff -b -u -p -r1.510.2.19 options --- conf/options 2 Sep 2006 13:12:08 -0000 1.510.2.19 +++ conf/options 19 Sep 2006 12:42:53 -0000 @@ -352,6 +352,7 @@ INET opt_inet.h INET6 opt_inet6.h IPSEC opt_ipsec.h IPSEC_ESP opt_ipsec.h +IPSEC_NAT_T opt_ipsec.h IPSEC_DEBUG opt_ipsec.h IPSEC_FILTERGIF opt_ipsec.h FAST_IPSEC opt_ipsec.h Index: net/pfkeyv2.h =================================================================== RCS file: /home/ncvs/src/sys/net/pfkeyv2.h,v retrieving revision 1.14 diff -b -u -p -r1.14 pfkeyv2.h --- net/pfkeyv2.h 7 Jan 2005 01:45:35 -0000 1.14 +++ net/pfkeyv2.h 19 Sep 2006 12:44:45 -0000 @@ -75,7 +75,8 @@ you leave this credit intact on any copi #define SADB_X_SPDSETIDX 20 #define SADB_X_SPDEXPIRE 21 #define SADB_X_SPDDELETE2 22 /* by policy id */ -#define SADB_MAX 22 +#define SADB_X_NAT_T_NEW_MAPPING 23 +#define SADB_MAX 23 struct sadb_msg { u_int8_t sadb_msg_version; 
@@ -255,6 +256,34 @@ struct sadb_x_ipsecrequest { */ }; +/* NAT traversal type, see RFC 3948 */ +/* sizeof(struct sadb_x_nat_t_type) == 8 */ +struct sadb_x_nat_t_type { + u_int16_t sadb_x_nat_t_type_len; + u_int16_t sadb_x_nat_t_type_exttype; + u_int8_t sadb_x_nat_t_type_type; + u_int8_t sadb_x_nat_t_type_reserved[3]; +}; + +/* NAT traversal source or destination port */ +/* sizeof(struct sadb_x_nat_t_port) == 8 */ +struct sadb_x_nat_t_port { + u_int16_t sadb_x_nat_t_port_len; + u_int16_t sadb_x_nat_t_port_exttype; + u_int16_t sadb_x_nat_t_port_port; + u_int16_t sadb_x_nat_t_port_reserved; +}; + +/* ESP fragmentation size */ +/* sizeof(struct sadb_x_nat_t_frag) == 8 */ +struct sadb_x_nat_t_frag { + u_int16_t sadb_x_nat_t_frag_len; + u_int16_t sadb_x_nat_t_frag_exttype; + u_int16_t sadb_x_nat_t_frag_fraglen; + u_int16_t sadb_x_nat_t_frag_reserved; +}; + + #define SADB_EXT_RESERVED 0 #define SADB_EXT_SA 1 #define SADB_EXT_LIFETIME_CURRENT 2 @@ -275,7 +304,12 @@ struct sadb_x_ipsecrequest { #define SADB_X_EXT_KMPRIVATE 17 #define SADB_X_EXT_POLICY 18 #define SADB_X_EXT_SA2 19 -#define SADB_EXT_MAX 19 +#define SADB_X_EXT_NAT_T_TYPE 20 +#define SADB_X_EXT_NAT_T_SPORT 21 +#define SADB_X_EXT_NAT_T_DPORT 22 +#define SADB_X_EXT_NAT_T_OA 23 +#define SADB_X_EXT_NAT_T_FRAG 24 +#define SADB_EXT_MAX 24 #define SADB_SATYPE_UNSPEC 0 #define SADB_SATYPE_AH 2 Index: netinet/in_pcb.h =================================================================== RCS file: /home/ncvs/src/sys/netinet/in_pcb.h,v retrieving revision 1.80.2.4 diff -b -u -p -r1.80.2.4 in_pcb.h --- netinet/in_pcb.h 20 Aug 2006 19:28:43 -0000 1.80.2.4 +++ netinet/in_pcb.h 19 Sep 2006 12:44:49 -0000 
@@ -298,6 +298,11 @@ struct inpcbinfo { /* XXX documentation #define IN6P_RFC2292 0x40000000 /* used RFC2292 API on the socket */ #define IN6P_MTU 0x80000000 /* receive path MTU */ +/* XXX should move to an UDP control block */ +#define INP_ESPINUDP 0x1000 /* ESP over UDP for NAT-T */ +#define INP_ESPINUDP_NON_IKE 0x2000 /* ESP over UDP for NAT-T */ +#define INP_ESPINUDP_ALL (INP_ESPINUDP|INP_ESPINUDP_NON_IKE) + #define INP_CONTROLOPTS (INP_RECVOPTS|INP_RECVRETOPTS|INP_RECVDSTADDR|\ INP_RECVIF|INP_RECVTTL|\ IN6P_PKTINFO|IN6P_HOPLIMIT|IN6P_HOPOPTS|\ Index: netinet/in_proto.c =================================================================== RCS file: /home/ncvs/src/sys/netinet/in_proto.c,v retrieving revision 1.77.2.3 diff -b -u -p -r1.77.2.3 in_proto.c --- netinet/in_proto.c 3 Jan 2006 08:15:32 -0000 1.77.2.3 +++ netinet/in_proto.c 19 Sep 2006 12:44:49 -0000 @@ -122,7 +122,7 @@ struct protosw inetsw[] = { .pr_flags = PR_ATOMIC|PR_ADDR, .pr_input = udp_input, .pr_ctlinput = udp_ctlinput, - .pr_ctloutput = ip_ctloutput, + .pr_ctloutput = udp_ctloutput, .pr_init = udp_init, .pr_usrreqs = &udp_usrreqs }, Index: netinet/ip_output.c =================================================================== RCS file: /home/ncvs/src/sys/netinet/ip_output.c,v retrieving revision 1.242.2.12 diff -b -u -p -r1.242.2.12 ip_output.c --- netinet/ip_output.c 24 Aug 2006 05:40:16 -0000 1.242.2.12 +++ netinet/ip_output.c 19 Sep 2006 12:44:49 -0000 @@ -58,6 +58,10 @@ #include #include +#ifdef IPSEC_NAT_T +#include +#endif + #include static MALLOC_DEFINE(M_IPMOPTS, "ip_moptions", "internet multicast options"); Index: netinet/udp.h =================================================================== RCS file: /home/ncvs/src/sys/netinet/udp.h,v retrieving revision 1.9 diff -b -u -p -r1.9 udp.h --- netinet/udp.h 7 Jan 2005 01:45:45 -0000 1.9 +++ netinet/udp.h 19 Sep 2006 12:44:49 -0000 
@@ -44,4 +44,17 @@ struct udphdr { u_short uh_sum; /* udp checksum */ }; +/* socket options for UDP */ +#define UDP_ENCAP 100 + +/* Encapsulation types */ +#define UDP_ENCAP_ESPINUDP_NON_IKE 1 /* draft-ietf-ipsec-nat-t-ike-00/01 */ +#define UDP_ENCAP_ESPINUDP 2 /* draft-ietf-ipsec-udp-encaps-02+ */ + +/* Default encapsulation port */ +#define UDP_ENCAP_ESPINUDP_PORT 500 + +/* Maximum UDP fragment size for ESP over UDP */ +#define UDP_ENCAP_ESPINUDP_MAXFRAGLEN 552 + #endif Index: netinet/udp_usrreq.c =================================================================== RCS file: /home/ncvs/src/sys/netinet/udp_usrreq.c,v retrieving revision 1.175.2.6 diff -b -u -p -r1.175.2.6 udp_usrreq.c --- netinet/udp_usrreq.c 16 May 2006 07:27:48 -0000 1.175.2.6 +++ netinet/udp_usrreq.c 19 Sep 2006 12:44:49 -0000 @@ -78,10 +78,12 @@ #ifdef FAST_IPSEC #include +#include #endif /*FAST_IPSEC*/ #ifdef IPSEC #include +#include #endif /*IPSEC*/ #include @@ -128,6 +130,11 @@ static void udp_append(struct inpcb *las static int udp_detach(struct socket *so); static int udp_output(struct inpcb *, struct mbuf *, struct sockaddr *, struct mbuf *, struct thread *); +#ifdef INET +#ifdef IPSEC_NAT_T +static int udp4_espinudp (struct mbuf *, int, struct sockaddr *, struct socket *); +#endif +#endif static void udp_zone_change(void *tag) 
@@ -464,6 +471,41 @@ udp_append(last, ip, n, off, udp_in) return; } #endif /*IPSEC || FAST_IPSEC*/ +#ifdef IPSEC_NAT_T + /* Handle ESP over UDP */ + if (last->inp_flags & INP_ESPINUDP_ALL) { + struct sockaddr_in src; + struct sockaddr *sa = (struct sockaddr *)(&src); + size_t minlen; + + bzero(&src, sizeof(src)); + src.sin_family = AF_INET; + src.sin_len = sizeof(struct sockaddr_in); + bcopy(&ip->ip_src, &src.sin_addr, sizeof(src.sin_addr)); + src.sin_port = udp_in->sin_port; + + /* + * Collapse the mbuf chain if the first mbuf is too short + * The longest case is: UDP + non ESP marker + ESP + */ + minlen = off + sizeof(struct udphdr) + sizeof(u_int64_t) + sizeof(struct esp); + if (minlen > n->m_pkthdr.len) + minlen = n->m_pkthdr.len; + + if ((n = m_pullup(n, minlen)) == NULL) { + printf("udp_append: m_pullup failed\n"); + m_freem(n); + return; + } + + if (udp4_espinudp(n, off, sa, last->inp_socket) != 0) { + m_freem(n); + return; + } + + /* Normal UDP processing will take place */ + } +#endif #ifdef MAC if (mac_check_inpcb_deliver(last, n) != 0) { m_freem(n); 
@@ -702,6 +744,82 @@ SYSCTL_PROC(_net_inet_udp, OID_AUTO, get CTLTYPE_OPAQUE|CTLFLAG_RW|CTLFLAG_PRISON, 0, 0, udp_getcred, "S,xucred", "Get the xucred of a UDP connection"); + +int +udp_ctloutput(so, sopt) + struct socket *so; + struct sockopt *sopt; +{ + int error, optval, s; + struct inpcb *inp; + int family; + + error = 0; + family = so->so_proto->pr_domain->dom_family; + + s = splnet(); + if (sopt->sopt_level != IPPROTO_UDP) { +#ifdef INET6 + if (INP_CHECK_SOCKAF(so, AF_INET6)) + error = ip6_ctloutput(so, sopt); + else +#endif /* INET6 */ + error = ip_ctloutput(so, sopt); + splx(s); + return (error); + } + inp = sotoinpcb(so); + + switch (sopt->sopt_dir) { + case SOPT_SET: + switch (sopt->sopt_name) { + case UDP_ENCAP: + error = sooptcopyin(sopt, &optval, sizeof optval, + sizeof optval); + if (error) + break; + + switch(optval){ +#ifdef IPSEC_NAT_T + case 0: + inp->inp_flags &= ~INP_ESPINUDP_ALL; + break; + + case UDP_ENCAP_ESPINUDP: + inp->inp_flags |= INP_ESPINUDP; + break; + + case UDP_ENCAP_ESPINUDP_NON_IKE: + inp->inp_flags |= INP_ESPINUDP_NON_IKE; + break; +#endif + + default: + error = EINVAL; + goto end; + break; + } + break; + + default: + error = ENOPROTOOPT; + goto end; + break; + } + break; + + default: + error = EINVAL; + goto end; + break; + } + +end: + splx(s); + return error; +} + + static int udp_output(inp, m, addr, control, td) register struct inpcb *inp; 
@@ -922,6 +1040,146 @@ release: m_freem(m); return (error); } + +#ifdef INET +#ifdef IPSEC_NAT_T +/* + * Returns: + * 1 if the packet was processed + * 0 if normal UDP processing should take place + */ +static int +udp4_espinudp(m, off, src, so) + struct mbuf *m; + int off; + struct sockaddr *src; + struct socket *so; +{ + size_t len; + caddr_t data; + struct inpcb *inp; + size_t skip = 0; + size_t minlen; + size_t iphdrlen; + struct m_tag *tag; + struct ip *ip; + struct udphdr *udphdr; + u_int16_t sport, dport; + struct mbuf *n; + + /* + * Cannot collapse the mbuf chain here, must have been done in + * calling function + * The longest case is: UDP + non ESP marker + ESP + */ + minlen = off + sizeof(u_int64_t) + sizeof(struct esp); + if (minlen > m->m_pkthdr.len) + minlen = m->m_pkthdr.len; + + if (m->m_len < minlen) + return 0; + + len = m->m_len - off; + data = mtod(m, caddr_t) + off; + inp = sotoinpcb(so); + + /* Ignore keepalive packets */ + if ((len == 1) && (data[0] == '\xff')) { + return 1; + } + + /* + * Check that the payload is long enough to hold + * an ESP header and compute the length of encapsulation + * header to remove + */ + if (inp->inp_flags & INP_ESPINUDP) { + u_int32_t *st = (u_int32_t *)data; + + if ((len <= sizeof(struct esp)) || (*st == 0)) + return 0; /* Normal UDP processing */ + + skip = sizeof(struct udphdr); + } + + if (inp->inp_flags & INP_ESPINUDP_NON_IKE) { + u_int64_t *st = (u_int64_t *)data; + + if ((len <= sizeof(u_int64_t) + sizeof(struct esp)) + || (*st != 0)) + return 0; /* Normal UDP processing */ + + skip = sizeof(struct udphdr) + sizeof(u_int64_t); + } + + /* + * Get the UDP ports. They are handled in network + * order everywhere in IPSEC_NAT_T code. 
+ */ + udphdr = (struct udphdr *)(data - skip); + sport = udphdr->uh_sport; + dport = udphdr->uh_dport; + + /* + * Remove the UDP header (and possibly the non ESP marker) + * IP header lendth is iphdrlen + * Before: + * <--- off ---> + * +----+------+-----+ + * | IP | UDP | ESP | + * +----+------+-----+ + * <-skip-> + * After: + * +----+-----+ + * | IP | ESP | + * +----+-----+ + * <-skip-> + */ + iphdrlen = off - sizeof(struct udphdr); + ovbcopy(mtod(m, caddr_t), mtod(m, caddr_t) + skip, iphdrlen); + m_adj(m, skip); + + ip = mtod(m, struct ip *); + ip->ip_len = htons(ntohs(ip->ip_len) - skip); + ip->ip_p = IPPROTO_ESP; + + /* + * Copy the mbuf to avoid multiple free, as both + * esp4_input (which we call) and udp_input (which + * called us) free the mbuf. + */ + if ((n = m_dup(m, M_DONTWAIT)) == NULL) { + printf("udp4_espinudp: m_dup failed\n"); + return 0; + } + + /* + * Add a PACKET_TAG_IPSEC_NAT_T_PORT tag to remember + * the source UDP port. This is required if we want + * to select the right SPD for multiple hosts behind + * same NAT + */ + if ((tag = m_tag_get(PACKET_TAG_IPSEC_NAT_T_PORTS, + sizeof(sport) + sizeof(dport), M_DONTWAIT)) == NULL) { + printf("udp4_espinudp: m_tag_get failed\n"); + m_freem(n); + return 0; + } + ((u_int16_t *)(tag + 1))[0] = sport; + ((u_int16_t *)(tag + 1))[1] = dport; + m_tag_prepend(n, tag); + +#ifdef FAST_IPSEC + ipsec4_common_input(n, iphdrlen, ip->ip_p); +#else /* IPSEC */ + esp4_input(n, iphdrlen); +#endif + + /* We handled it, it shoudln't be handled by UDP */ + return 1; +} +#endif +#endif u_long udp_sendspace = 9216; /* really max datagram size */ /* 40 1K datagrams */ Index: netinet/udp_var.h =================================================================== RCS file: /home/ncvs/src/sys/netinet/udp_var.h,v retrieving revision 1.29 diff -b -u -p -r1.29 udp_var.h --- netinet/udp_var.h 7 Jan 2005 01:45:45 -0000 1.29 +++ netinet/udp_var.h 19 Sep 2006 12:44:49 -0000 
@@ -100,6 +100,7 @@ extern struct udpstat udpstat; extern int log_in_vain; void udp_ctlinput(int, struct sockaddr *, void *); +int udp_ctloutput(struct socket *, struct sockopt *sopt); void udp_init(void); void udp_input(struct mbuf *, int); Index: netinet6/ah_input.c =================================================================== RCS file: /home/ncvs/src/sys/netinet6/ah_input.c,v retrieving revision 1.20 diff -b -u -p -r1.20 ah_input.c --- netinet6/ah_input.c 7 Jan 2005 02:30:34 -0000 1.20 +++ netinet6/ah_input.c 19 Sep 2006 12:44:51 -0000 @@ -36,6 +36,7 @@ #include "opt_inet.h" #include "opt_inet6.h" +#include "opt_ipsec.h" #include #include @@ -113,6 +114,11 @@ ah4_input(m, off) u_int16_t nxt; size_t hlen; size_t stripsiz = 0; + u_int16_t sport = 0; + u_int16_t dport = 0; +#ifdef IPSEC_NAT_T + struct m_tag *tag = NULL; +#endif #ifndef PULLDOWN_TEST if (m->m_len < off + sizeof(struct newah)) { @@ -125,6 +131,14 @@ ah4_input(m, off) } } +#ifdef IPSEC_NAT_T + /* find the source port for NAT-T */ + if ((tag = m_tag_find(m, PACKET_TAG_IPSEC_NAT_T_PORTS, NULL)) != NULL) { + sport = ((u_int16_t *)(tag + 1))[0]; + dport = ((u_int16_t *)(tag + 1))[1]; + } +#endif + ip = mtod(m, struct ip *); ah = (struct ah *)(((caddr_t)ip) + off); #else @@ -149,7 +163,7 @@ ah4_input(m, off) if ((sav = key_allocsa(AF_INET, (caddr_t)&ip->ip_src, (caddr_t)&ip->ip_dst, - IPPROTO_AH, spi)) == 0) { + IPPROTO_AH, spi, sport, dport)) == 0) { ipseclog((LOG_WARNING, "IPv4 AH input: no key association found for spi %u\n", (u_int32_t)ntohl(spi))); @@ -599,7 +613,7 @@ ah6_input(mp, offp, proto) if ((sav = key_allocsa(AF_INET6, (caddr_t)&ip6->ip6_src, (caddr_t)&ip6->ip6_dst, - IPPROTO_AH, spi)) == 0) { + IPPROTO_AH, spi, 0, 0)) == 0) { ipseclog((LOG_WARNING, "IPv6 AH input: no key association found for spi %u\n", (u_int32_t)ntohl(spi))); 
@@ -998,7 +1012,7 @@ ah6_ctlinput(cmd, sa, d) sav = key_allocsa(AF_INET6, (caddr_t)&sa6_src->sin6_addr, (caddr_t)&sa6_dst->sin6_addr, - IPPROTO_AH, ahp->ah_spi); + IPPROTO_AH, ahp->ah_spi, 0, 0); if (sav) { if (sav->state == SADB_SASTATE_MATURE || sav->state == SADB_SASTATE_DYING) Index: netinet6/esp_input.c =================================================================== RCS file: /home/ncvs/src/sys/netinet6/esp_input.c,v retrieving revision 1.26 diff -b -u -p -r1.26 esp_input.c --- netinet6/esp_input.c 7 Jan 2005 02:30:34 -0000 1.26 +++ netinet6/esp_input.c 19 Sep 2006 12:44:52 -0000 @@ -36,6 +36,7 @@ #include "opt_inet.h" #include "opt_inet6.h" +#include "opt_ipsec.h" #include #include @@ -116,6 +117,11 @@ esp4_input(m, off) int ivlen; size_t hlen; size_t esplen; + u_int16_t sport = 0; + u_int16_t dport = 0; +#ifdef IPSEC_NAT_T + struct m_tag *tag = NULL; +#endif /* sanity check for alignment. */ if (off % 4 != 0 || m->m_pkthdr.len % 4 != 0) { @@ -135,6 +141,14 @@ esp4_input(m, off) } } +#ifdef IPSEC_NAT_T + /* find the source port for NAT_T */ + if ((tag = m_tag_find(m, PACKET_TAG_IPSEC_NAT_T_PORTS, NULL)) != NULL) { + sport = ((u_int16_t *)(tag + 1))[0]; + dport = ((u_int16_t *)(tag + 1))[1]; + } +#endif + ip = mtod(m, struct ip *); esp = (struct esp *)(((u_int8_t *)ip) + off); #ifdef _IP_VHL @@ -148,7 +162,7 @@ esp4_input(m, off) if ((sav = key_allocsa(AF_INET, (caddr_t)&ip->ip_src, (caddr_t)&ip->ip_dst, - IPPROTO_ESP, spi)) == 0) { + IPPROTO_ESP, spi, sport, dport)) == 0) { ipseclog((LOG_WARNING, "IPv4 ESP input: no key association found for spi %u\n", (u_int32_t)ntohl(spi))); @@ -509,7 +523,7 @@ esp6_input(mp, offp, proto) if ((sav = key_allocsa(AF_INET6, (caddr_t)&ip6->ip6_src, (caddr_t)&ip6->ip6_dst, - IPPROTO_ESP, spi)) == 0) { + IPPROTO_ESP, spi, 0, 0)) == 0) { ipseclog((LOG_WARNING, "IPv6 ESP input: no key association found for spi %u\n", (u_int32_t)ntohl(spi))); 
@@ -951,7 +965,7 @@ esp6_ctlinput(cmd, sa, d) sav = key_allocsa(AF_INET6, (caddr_t)&sa6_src->sin6_addr, (caddr_t)&sa6_dst->sin6_addr, - IPPROTO_ESP, espp->esp_spi); + IPPROTO_ESP, espp->esp_spi, 0, 0); if (sav) { if (sav->state == SADB_SASTATE_MATURE || sav->state == SADB_SASTATE_DYING) Index: netinet6/esp_output.c =================================================================== RCS file: /home/ncvs/src/sys/netinet6/esp_output.c,v retrieving revision 1.13 diff -b -u -p -r1.13 esp_output.c --- netinet6/esp_output.c 7 Jan 2005 02:30:34 -0000 1.13 +++ netinet6/esp_output.c 19 Sep 2006 12:44:55 -0000 @@ -32,6 +32,7 @@ #include "opt_inet.h" #include "opt_inet6.h" +#include "opt_ipsec.h" /* * RFC1827/2406 Encapsulated Security Payload. @@ -56,6 +57,10 @@ #include #include +#ifdef IPSEC_NAT_T +#include +#endif + #ifdef INET6 #include #include @@ -139,6 +144,17 @@ esp_hdrsiz(isr) hdrsiz = sizeof(struct newesp) + ivlen + 9 + authlen; } +#ifdef IPSEC_NAT_T + /* + * If NAT-T is enabled, add the space for UDP encapsulation + */ + if (sav->natt_type != 0) { + hdrsiz += sizeof(struct udphdr); + if (sav->natt_type == UDP_ENCAP_ESPINUDP_NON_IKE) + hdrsiz += sizeof(u_int64_t); + } +#endif + return hdrsiz; estimate: @@ -149,8 +165,15 @@ esp_hdrsiz(isr) * 9 = (maximum padding length without random padding length) * + (Pad Length field) + (Next Header field). * 16 = maximum ICV we support. + * sizeof(u_int64_t) = non IKE marker (NAT-T) + * sizeof(struct udphdr) = UDP encapsulation (NAT-T) */ +#ifdef IPSEC_NAT_T + return sizeof(struct newesp) + esp_max_ivlen() + 9 + 16 + + sizeof(u_int64_t) + sizeof(struct udphdr); +#else return sizeof(struct newesp) + esp_max_ivlen() + 9 + 16; +#endif } /* @@ -196,6 +219,9 @@ esp_output(m, nexthdrp, md, isr, af) size_t extendsiz; int error = 0; struct ipsecstat *stat; +#ifdef IPSEC_NAT_T + struct udphdr *udp = NULL; +#endif switch (af) { #ifdef INET 
@@ -334,10 +360,25 @@ esp_output(m, nexthdrp, md, isr, af) espoff = m->m_pkthdr.len - plen; +#ifdef IPSEC_NAT_T + if (sav->natt_type != 0) { + esphlen += sizeof(struct udphdr); + espoff += sizeof(struct udphdr); + + if (sav->natt_type == UDP_ENCAP_ESPINUDP_NON_IKE) { + /* NON-IKE marker */ + esphlen += sizeof(u_int64_t); + espoff += sizeof(u_int64_t); + } + } +#endif + /* * grow the mbuf to accomodate ESP header. * before: IP ... payload - * after: IP ... ESP IV payload + * after (without NAT-T): IP ... ESP IV payload + * after (with older NAT-T): IP ... UDP non-IKE-marker ESP IV payload + * after (with newer NAT-T): IP ... UDP ESP IV payload */ if (M_LEADINGSPACE(md) < esphlen || (md->m_flags & M_EXT) != 0) { MGET(n, M_DONTWAIT, MT_DATA); @@ -358,6 +399,21 @@ esp_output(m, nexthdrp, md, isr, af) esp = mtod(md, struct esp *); } +#ifdef IPSEC_NAT_T + if (sav->natt_type != 0) { + udp = (struct udphdr *)esp; + esp = (struct esp *)(udp + 1); + + if (sav->natt_type == UDP_ENCAP_ESPINUDP_NON_IKE) { + u_int64_t *data = (u_int64_t *)esp; + + *data = 0; /* NON-IKE marker */ + esp = (struct esp *)(data + 1); + } + } +#endif + + nxt = *nexthdrp; *nexthdrp = IPPROTO_ESP; switch (af) { @@ -523,6 +579,27 @@ esp_output(m, nexthdrp, md, isr, af) break; } +#ifdef IPSEC_NAT_T + if (sav->natt_type != 0) { + *nexthdrp = IPPROTO_UDP; + + /* + * Create the UDP encapsulation header for NAT-T + * uh_len is set later, when the size is known. + */ + if (sav->natt_type == UDP_ENCAP_ESPINUDP_NON_IKE) + udp->uh_sport = htons(UDP_ENCAP_ESPINUDP_PORT); + else + udp->uh_sport = KEY_PORTFROMSADDR(&sav->sah->saidx.src); + + + udp->uh_dport = KEY_PORTFROMSADDR(&sav->sah->saidx.dst); + udp->uh_sum = 0; + } else { + *nexthdrp = IPPROTO_ESP; + } +#endif + /* initialize esp trailer. */ esptail = (struct esptail *) (mtod(n, u_int8_t *) + n->m_len - sizeof(struct esptail)); 
@@ -665,6 +742,18 @@ esp_output(m, nexthdrp, md, isr, af) #endif } } + +#ifdef IPSEC_NAT_T + if (sav->natt_type != 0) { + struct ip *ip; + ip = mtod(m, struct ip *); +#ifdef _IP_VHL + udp->uh_ulen = htons(ntohs(ip->ip_len) - (IP_VHL_HL(ip->ip_vhl) << 2)); +#else + udp->uh_ulen = htons(ntohs(ip->ip_len) - (ip->ip_hl << 2)); +#endif + } +#endif noantireplay: if (!m) { Index: netinet6/ipcomp_input.c =================================================================== RCS file: /home/ncvs/src/sys/netinet6/ipcomp_input.c,v retrieving revision 1.8.2.1 diff -b -u -p -r1.8.2.1 ipcomp_input.c --- netinet6/ipcomp_input.c 14 Feb 2006 21:36:23 -0000 1.8.2.1 +++ netinet6/ipcomp_input.c 19 Sep 2006 12:44:55 -0000 @@ -36,6 +36,7 @@ #include "opt_inet.h" #include "opt_inet6.h" +#include "opt_ipsec.h" #include #include @@ -100,6 +101,11 @@ ipcomp4_input(m, off) int error; size_t newlen, olen; struct secasvar *sav = NULL; + u_int16_t sport = 0; + u_int16_t dport = 0; +#ifdef IPSEC_NAT_T + struct m_tag *tag = NULL; +#endif if (m->m_pkthdr.len < off + sizeof(struct ipcomp)) { ipseclog((LOG_DEBUG, "IPv4 IPComp input: assumption failed " @@ -108,6 +114,14 @@ ipcomp4_input(m, off) goto fail; } +#ifdef IPSEC_NAT_T + /* find the source port for NAT-T */ + if ((tag = m_tag_find(m, PACKET_TAG_IPSEC_NAT_T_PORTS, NULL)) != NULL) { + sport = ((u_int16_t *)(tag + 1))[0]; + dport = ((u_int16_t *)(tag + 1))[1]; + } +#endif + md = m_pulldown(m, off, sizeof(*ipcomp), NULL); if (!md) { m = NULL; /* already freed */ @@ -129,7 +143,7 @@ ipcomp4_input(m, off) if (cpi >= IPCOMP_CPI_NEGOTIATE_MIN) { sav = key_allocsa(AF_INET, (caddr_t)&ip->ip_src, - (caddr_t)&ip->ip_dst, IPPROTO_IPCOMP, htonl(cpi)); + (caddr_t)&ip->ip_dst, IPPROTO_IPCOMP, htonl(cpi), sport, dport); if (sav != NULL && (sav->state == SADB_SASTATE_MATURE || sav->state == SADB_SASTATE_DYING)) { 
@@ -273,7 +287,7 @@ ipcomp6_input(mp, offp, proto) if (cpi >= IPCOMP_CPI_NEGOTIATE_MIN) { sav = key_allocsa(AF_INET6, (caddr_t)&ip6->ip6_src, - (caddr_t)&ip6->ip6_dst, IPPROTO_IPCOMP, htonl(cpi)); + (caddr_t)&ip6->ip6_dst, IPPROTO_IPCOMP, htonl(cpi), 0, 0); if (sav != NULL && (sav->state == SADB_SASTATE_MATURE || sav->state == SADB_SASTATE_DYING)) { Index: netipsec/ipsec.c =================================================================== RCS file: /home/ncvs/src/sys/netipsec/ipsec.c,v retrieving revision 1.12 diff -b -u -p -r1.12 ipsec.c --- netipsec/ipsec.c 2 Jun 2005 23:56:10 -0000 1.12 +++ netipsec/ipsec.c 19 Sep 2006 12:44:59 -0000 @@ -1808,15 +1808,15 @@ vshiftl(bitmap, nbit, wsize) /* Return a printable string for the IPv4 address. */ static char * -inet_ntoa4(struct in_addr ina) +inet_ntoa4(const struct sockaddr_in *sin) { - static char buf[4][4 * sizeof "123" + 4]; - unsigned char *ucp = (unsigned char *) &ina; + static char buf[4][4 * sizeof "123" + 4 + 10]; + const unsigned char *ucp = (const unsigned char *)&sin->sin_addr; static int i = 3; i = (i + 1) % 4; - sprintf(buf[i], "%d.%d.%d.%d", ucp[0] & 0xff, ucp[1] & 0xff, - ucp[2] & 0xff, ucp[3] & 0xff); + sprintf(buf[i], "%d.%d.%d.%d[%u]", ucp[0] & 0xff, ucp[1] & 0xff, + ucp[2] & 0xff, ucp[3] & 0xff, ntohs(sin->sin_port)); return (buf[i]); } @@ -1827,7 +1827,7 @@ ipsec_address(union sockaddr_union* sa) switch (sa->sa.sa_family) { #if INET case AF_INET: - return inet_ntoa4(sa->sin.sin_addr); + return inet_ntoa4(&sa->sin); #endif /* INET */ #if INET6 Index: netipsec/ipsec_input.c =================================================================== RCS file: /home/ncvs/src/sys/netipsec/ipsec_input.c,v retrieving revision 1.9.2.2 diff -b -u -p -r1.9.2.2 ipsec_input.c --- netipsec/ipsec_input.c 24 Jul 2006 23:20:59 -0000 1.9.2.2 +++ netipsec/ipsec_input.c 19 Sep 2006 12:45:01 -0000 
@@ -110,6 +110,9 @@ ipsec_common_input(struct mbuf *m, int s struct secasvar *sav; u_int32_t spi; int error; +#ifdef IPSEC_NAT_T + struct m_tag *tag; +#endif IPSEC_ISTAT(sproto, espstat.esps_input, ahstat.ahs_input, ipcompstat.ipcomps_input); @@ -160,6 +163,13 @@ ipsec_common_input(struct mbuf *m, int s m_copydata(m, offsetof(struct ip, ip_dst), sizeof(struct in_addr), (caddr_t) &dst_address.sin.sin_addr); +#ifdef IPSEC_NAT_T + /* find the source port for NAT_T */ + if ((tag = m_tag_find(m, PACKET_TAG_IPSEC_NAT_T_PORTS, NULL)) + != NULL) { + dst_address.sin.sin_port = ((u_int16_t *)(tag + 1))[1]; + } +#endif /* IPSEC_NAT_T */ break; #endif /* INET */ #ifdef INET6 @@ -179,7 +189,7 @@ ipsec_common_input(struct mbuf *m, int s } /* NB: only pass dst since key_allocsa follows RFC2401 */ - sav = KEY_ALLOCSA(&dst_address, sproto, spi); + sav = KEY_ALLOCSA( &dst_address, sproto, spi); if (sav == NULL) { DPRINTF(("%s: no key association found for SA %s/%08lx/%u\n", __func__, ipsec_address(&dst_address), Index: netipsec/ipsec_output.c =================================================================== RCS file: /home/ncvs/src/sys/netipsec/ipsec_output.c,v retrieving revision 1.10.8.1 diff -b -u -p -r1.10.8.1 ipsec_output.c --- netipsec/ipsec_output.c 24 Jul 2006 23:20:59 -0000 1.10.8.1 +++ netipsec/ipsec_output.c 19 Sep 2006 12:45:02 -0000 @@ -81,6 +81,10 @@ #include +#ifdef IPSEC_NAT_T +#include +#endif + int ipsec_process_done(struct mbuf *m, struct ipsecrequest *isr) { 
@@ -172,6 +176,51 @@ ipsec_process_done(struct mbuf *m, struc ip = mtod(m, struct ip *); ip->ip_len = ntohs(ip->ip_len); ip->ip_off = ntohs(ip->ip_off); + +#ifdef IPSEC_NAT_T + /* + * If NAT-T is enabled, now that all IPSEC processing is done + * insert UDP encapsulation header after IP header. + */ + if (sav->natt_type != 0) { + int size = sizeof(struct udphdr); +#ifdef _IP_VHL + int hlen = IP_VHL_HL(ip->ip_vhl); +#else + int hlen = (ip->ip_hl << 2); +#endif + int off; + struct mbuf *mi; + struct udphdr *udp; + + if (sav->natt_type == UDP_ENCAP_ESPINUDP_NON_IKE) + size += sizeof(u_int64_t); + + if ( (mi = m_makespace(m, hlen, size, &off)) == NULL ) { + error = ENOBUFS; + goto bad; + } + + udp = (struct udphdr *)(mtod(mi, caddr_t) + off); + + if (sav->natt_type == UDP_ENCAP_ESPINUDP_NON_IKE) + udp->uh_sport = htons(UDP_ENCAP_ESPINUDP_PORT); + else + udp->uh_sport = + KEY_PORTFROMSADDR(&sav->sah->saidx.src); + + udp->uh_dport = KEY_PORTFROMSADDR(&sav->sah->saidx.dst); + udp->uh_sum = 0; + udp->uh_ulen = htons(m->m_pkthdr.len - hlen); + ip->ip_len = m->m_pkthdr.len; + ip->ip_p = IPPROTO_UDP; + + if (sav->natt_type == UDP_ENCAP_ESPINUDP_NON_IKE) { + u_int64_t *marker = (u_int64_t *)(udp + 1); + *marker = 0; + } + } +#endif /* IPSEC_NAT_T */ return ip_output(m, NULL, NULL, IP_RAWOUTPUT, NULL, NULL); #endif /* INET */ Index: netipsec/key.c =================================================================== RCS file: /home/ncvs/src/sys/netipsec/key.c,v retrieving revision 1.20.2.1 diff -b -u -p -r1.20.2.1 key.c --- netipsec/key.c 4 Sep 2006 15:17:50 -0000 1.20.2.1 +++ netipsec/key.c 19 Sep 2006 12:45:24 -0000 
@@ -210,6 +210,11 @@ static const int minsize[] = { 0, /* SADB_X_EXT_KMPRIVATE */ sizeof(struct sadb_x_policy), /* SADB_X_EXT_POLICY */ sizeof(struct sadb_x_sa2), /* SADB_X_SA2 */ + sizeof(struct sadb_x_nat_t_type), /* SADB_X_EXT_NAT_T_TYPE */ + sizeof(struct sadb_x_nat_t_port), /* SADB_X_EXT_NAT_T_SPORT */ + sizeof(struct sadb_x_nat_t_port), /* SADB_X_EXT_NAT_T_DPORT */ + sizeof(struct sadb_address), /* SADB_X_EXT_NAT_T_OA */ + sizeof(struct sadb_x_nat_t_frag),/* SADB_X_EXT_NAT_T_FRAG */ }; static const int maxsize[] = { sizeof(struct sadb_msg), /* SADB_EXT_RESERVED */ @@ -232,6 +237,11 @@ static const int maxsize[] = { 0, /* SADB_X_EXT_KMPRIVATE */ 0, /* SADB_X_EXT_POLICY */ sizeof(struct sadb_x_sa2), /* SADB_X_SA2 */ + sizeof(struct sadb_x_nat_t_type), /* SADB_X_EXT_NAT_T_TYPE */ + sizeof(struct sadb_x_nat_t_port), /* SADB_X_EXT_NAT_T_SPORT */ + sizeof(struct sadb_x_nat_t_port), /* SADB_X_EXT_NAT_T_DPORT */ + 0, /* SADB_X_EXT_NAT_T_OA */ + sizeof(struct sadb_x_nat_t_frag), /* SADB_X_EXT_NAT_T_FRAG */ }; static int ipsec_esp_keymin = 256; @@ -393,6 +403,10 @@ static int key_spdflush __P((struct sock const struct sadb_msghdr *)); static int key_spddump __P((struct socket *, struct mbuf *, const struct sadb_msghdr *)); +#ifdef IPSEC_NAT_T +static int key_nat_map(struct socket *, struct mbuf *, + const struct sadb_msghdr *); +#endif static struct mbuf *key_setdumpsp __P((struct secpolicy *, u_int8_t, u_int32_t, u_int32_t)); static u_int key_getspreqmsglen __P((struct secpolicy *)); 
@@ -418,6 +432,13 @@ static struct mbuf *key_setsadbmsg __P(( static struct mbuf *key_setsadbsa __P((struct secasvar *)); static struct mbuf *key_setsadbaddr __P((u_int16_t, const struct sockaddr *, u_int8_t, u_int16_t)); +#ifdef IPSEC_NAT_T +static struct mbuf *key_setsadbxport __P((u_int16_t, u_int16_t)); +static struct mbuf *key_setsadbxtype __P((u_int16_t)); +#endif +static void key_porttosaddr __P((struct sockaddr *, u_int16_t)); +#define KEY_PORTTOSADDR(saddr, port) \ + key_porttosaddr((struct sockaddr *)(saddr), (port)) static struct mbuf *key_setsadbxsa2 __P((u_int8_t, u_int32_t, u_int32_t)); static struct mbuf *key_setsadbxpolicy __P((u_int16_t, u_int8_t, u_int32_t)); @@ -1042,12 +1063,20 @@ key_allocsa( struct secasvar *sav; u_int stateidx, arraysize, state; const u_int *saorder_state_valid; + int chkport = 0; IPSEC_ASSERT(dst != NULL, ("null dst address")); KEYDEBUG(KEYDEBUG_IPSEC_STAMP, printf("DP %s from %s:%u\n", __func__, where, tag)); +#ifdef IPSEC_NAT_T + if (dst->sa.sa_family == AF_INET && + dst->sa.sa_len == sizeof(struct sockaddr_in) && + dst->sin.sin_port != 0) + chkport = 1; +#endif + /* * searching SAD. * XXX: to be checked internal IP header somewhere. Also when @@ -1079,11 +1108,11 @@ key_allocsa( continue; #if 0 /* don't check src */ /* check src address */ - if (key_sockaddrcmp(&src->sa, &sav->sah->saidx.src.sa, 0) != 0) + if (key_sockaddrcmp(&src->sa, &sav->sah->saidx.src.sa, chkport) != 0) continue; #endif /* check dst address */ - if (key_sockaddrcmp(&dst->sa, &sav->sah->saidx.dst.sa, 0) != 0) + if (key_sockaddrcmp(&dst->sa, &sav->sah->saidx.dst.sa, chkport) != 0) continue; sa_addref(sav); goto done; 
@@ -2355,6 +2384,71 @@ key_spdflush(so, m, mhp) return key_sendup_mbuf(so, m, KEY_SENDUP_ALL); } +#ifdef IPSEC_NAT_T +/* + * SADB_X_NAT_T_NEW_MAPPING + */ +static int +key_nat_map(so, m, mhp) + struct socket *so; + struct mbuf *m; + const struct sadb_msghdr *mhp; +{ + struct sadb_x_nat_t_type *type; + struct sadb_x_nat_t_port *sport; + struct sadb_x_nat_t_port *dport; + struct sadb_address *addr; + struct sadb_x_nat_t_frag *frag; + + /* sanity check */ + if (so == NULL || m == NULL || mhp == NULL || mhp->msg == NULL) + panic("key_nat_map: NULL pointer is passed."); + + if (mhp->ext[SADB_X_EXT_NAT_T_TYPE] == NULL || + mhp->ext[SADB_X_EXT_NAT_T_SPORT] == NULL || + mhp->ext[SADB_X_EXT_NAT_T_DPORT] == NULL) { + ipseclog((LOG_DEBUG, "key_nat_map: invalid message.\n")); + return key_senderror(so, m, EINVAL); + } + if ((mhp->extlen[SADB_X_EXT_NAT_T_TYPE] < sizeof(*type)) || + (mhp->extlen[SADB_X_EXT_NAT_T_SPORT] < sizeof(*sport)) || + (mhp->extlen[SADB_X_EXT_NAT_T_DPORT] < sizeof(*dport))) { + ipseclog((LOG_DEBUG, "key_nat_map: invalid message.\n")); + return key_senderror(so, m, EINVAL); + } + + if ((mhp->ext[SADB_X_EXT_NAT_T_OA] != NULL) && + (mhp->extlen[SADB_X_EXT_NAT_T_OA] < sizeof(*addr))) { + ipseclog((LOG_DEBUG, "key_nat_map: invalid message\n")); + return key_senderror(so, m, EINVAL); + } + + if ((mhp->ext[SADB_X_EXT_NAT_T_FRAG] != NULL) && + (mhp->extlen[SADB_X_EXT_NAT_T_FRAG] < sizeof(*frag))) { + ipseclog((LOG_DEBUG, "key_nat_map: invalid message\n")); + return key_senderror(so, m, EINVAL); + } + + type = (struct sadb_x_nat_t_type *)mhp->ext[SADB_X_EXT_NAT_T_TYPE]; + sport = (struct sadb_x_nat_t_port *)mhp->ext[SADB_X_EXT_NAT_T_SPORT]; + dport = (struct sadb_x_nat_t_port *)mhp->ext[SADB_X_EXT_NAT_T_DPORT]; + addr = (struct sadb_address *)mhp->ext[SADB_X_EXT_NAT_T_OA]; + frag = (struct sadb_x_nat_t_frag *) mhp->ext[SADB_X_EXT_NAT_T_FRAG]; + + printf("sadb_nat_map: type %d, sport = %d, dport = %d\n", + type->sadb_x_nat_t_type_type, + 
sport->sadb_x_nat_t_port_port, + dport->sadb_x_nat_t_port_port); + + /* + * XXX handle that, it should also contain a SA, or anything + * that enable to update the SA information. + */ + + return 0; +} +#endif /* IPSEC_NAT_T */ + /* * SADB_SPDDUMP processing * receive @@ -2984,6 +3078,10 @@ key_setsaval(sav, m, mhp) sav->lft_c = NULL; sav->lft_h = NULL; sav->lft_s = NULL; +#ifdef IPSEC_NAT_T + sav->natt_type = 0; + sav->esp_frag = 0; +#endif sav->tdb_xform = NULL; /* transform */ sav->tdb_encalgxform = NULL; /* encoding algorithm */ sav->tdb_authalgxform = NULL; /* authentication algorithm */ @@ -3294,6 +3392,11 @@ key_setdumpsa(sav, type, satype, seq, pi SADB_EXT_ADDRESS_DST, SADB_EXT_ADDRESS_PROXY, SADB_EXT_KEY_AUTH, SADB_EXT_KEY_ENCRYPT, SADB_EXT_IDENTITY_SRC, SADB_EXT_IDENTITY_DST, SADB_EXT_SENSITIVITY, +#ifdef IPSEC_NAT_T + SADB_X_EXT_NAT_T_TYPE, SADB_X_EXT_NAT_T_SPORT, + SADB_X_EXT_NAT_T_DPORT, SADB_X_EXT_NAT_T_OA, + SADB_X_EXT_NAT_T_FRAG, +#endif }; m = key_setsadbmsg(type, 0, satype, seq, pid, sav->refcnt); @@ -3370,6 +3473,31 @@ key_setdumpsa(sav, type, satype, seq, pi p = sav->lft_s; break; +#ifdef IPSEC_NAT_T + case SADB_X_EXT_NAT_T_TYPE: + if ((m = key_setsadbxtype(sav->natt_type)) == NULL) + goto fail; + break; + + case SADB_X_EXT_NAT_T_DPORT: + if ((m = key_setsadbxport(KEY_PORTFROMSADDR + (&sav->sah->saidx.dst), + SADB_X_EXT_NAT_T_DPORT)) == NULL) + goto fail; + break; + + case SADB_X_EXT_NAT_T_SPORT: + if ((m = key_setsadbxport(KEY_PORTFROMSADDR + (&sav->sah->saidx.src), + SADB_X_EXT_NAT_T_SPORT)) == NULL) + goto fail; + break; + + case SADB_X_EXT_NAT_T_OA: + case SADB_X_EXT_NAT_T_FRAG: + continue; +#endif + case SADB_EXT_ADDRESS_PROXY: case SADB_EXT_IDENTITY_SRC: case SADB_EXT_IDENTITY_DST: 
@@ -3588,6 +3716,133 @@ key_setsadbxsa2(mode, seq, reqid) return m; } +#ifdef IPSEC_NAT_T +/* + * set a type in sadb_x_nat_t_type + */ +static struct mbuf * +key_setsadbxtype(type) + u_int16_t type; +{ + struct mbuf *m; + size_t len; + struct sadb_x_nat_t_type *p; + + len = PFKEY_ALIGN8(sizeof(struct sadb_x_nat_t_type)); + + m = key_alloc_mbuf(len); + if (!m || m->m_next) { /*XXX*/ + if (m) + m_freem(m); + return NULL; + } + + p = mtod(m, struct sadb_x_nat_t_type *); + + bzero(p, len); + p->sadb_x_nat_t_type_len = PFKEY_UNIT64(len); + p->sadb_x_nat_t_type_exttype = SADB_X_EXT_NAT_T_TYPE; + p->sadb_x_nat_t_type_type = type; + + return m; +} +/* + * set a port in sadb_x_nat_t_port. port is in network order + */ +static struct mbuf * +key_setsadbxport(port, type) + u_int16_t port; + u_int16_t type; +{ + struct mbuf *m; + size_t len; + struct sadb_x_nat_t_port *p; + + len = PFKEY_ALIGN8(sizeof(struct sadb_x_nat_t_port)); + + m = key_alloc_mbuf(len); + if (!m || m->m_next) { /*XXX*/ + if (m) + m_freem(m); + return NULL; + } + + p = mtod(m, struct sadb_x_nat_t_port *); + + bzero(p, len); + p->sadb_x_nat_t_port_len = PFKEY_UNIT64(len); + p->sadb_x_nat_t_port_exttype = type; + p->sadb_x_nat_t_port_port = port; + + return m; +} + +/* + * Get port from sockaddr, port is in network order + */ +u_int16_t +key_portfromsaddr(saddr) + struct sockaddr *saddr; +{ + u_int16_t port; + + switch (saddr->sa_family) { + case AF_INET: { + struct sockaddr_in *sin = (struct sockaddr_in *)saddr; + + port = sin->sin_port; + break; + } +#ifdef INET6 + case AF_INET6: { + struct sockaddr_in6 *sin6 = (struct sockaddr_in6 *)saddr; + + port = sin6->sin6_port; + break; + } +#endif + default: + printf("key_portfromsaddr: unexpected address family\n"); + port = 0; + break; + } + + return port; +} +#endif /* IPSEC_NAT_T */ + +/* + * Set port is struct sockaddr. 
port is in network order + */ +static void +key_porttosaddr(saddr, port) + struct sockaddr *saddr; + u_int16_t port; +{ + switch (saddr->sa_family) { + case AF_INET: { + struct sockaddr_in *sin = (struct sockaddr_in *)saddr; + + sin->sin_port = port; + break; + } +#ifdef INET6 + case AF_INET6: { + struct sockaddr_in6 *sin6 = (struct sockaddr_in6 *)saddr; + + sin6->sin6_port = port; + break; + } +#endif + default: + printf("key_porttosaddr: unexpected address family %d\n", + saddr->sa_family); + break; + } + + return; +} + /* * set data into sadb_x_policy */ @@ -3738,6 +3993,8 @@ key_cmpsaidx( const struct secasindex *saidx1, int flag) { + int chkport = 0; + /* sanity */ if (saidx0 == NULL && saidx1 == NULL) return 1; @@ -3761,6 +4018,19 @@ key_cmpsaidx( /* CMP_MODE_REQID, CMP_REQID, CMP_HEAD */ if (flag == CMP_MODE_REQID ||flag == CMP_REQID) { +#ifdef IPSEC_NAT_T + /* + * If NAT-T is enabled, check ports for tunnel mode. + * Don't do it for transport mode, as there is no + * port information available in the SP. + * XXX also don't check ports if they are set to zero in the SPD: + * This means we bave a non-generated SPD, which can't know UDP ports. + */ + if (saidx1->mode == IPSEC_MODE_TUNNEL && + ((const struct sockaddr_in *)(&saidx1->src))->sin_port && + ((const struct sockaddr_in *)(&saidx1->dst))->sin_port ) + chkport = 1; +#endif /* IPSEC_NAT_T */ /* * If reqid of SPD is non-zero, unique SA is required. * The result must be of same reqid in this case. @@ -3768,6 +4038,10 @@ key_cmpsaidx( if (saidx1->reqid != 0 && saidx0->reqid != saidx1->reqid) return 0; } +#ifdef IPSEC_NAT_T + else + chkport = 1; +#endif if (flag == CMP_MODE_REQID) { if (saidx0->mode != IPSEC_MODE_ANY 
@@ -3775,10 +4049,10 @@ key_cmpsaidx( return 0; } - if (key_sockaddrcmp(&saidx0->src.sa, &saidx1->src.sa, 0) != 0) { + if (key_sockaddrcmp(&saidx0->src.sa, &saidx1->src.sa, chkport) != 0) { return 0; } - if (key_sockaddrcmp(&saidx0->dst.sa, &saidx1->dst.sa, 0) != 0) { + if (key_sockaddrcmp(&saidx0->dst.sa, &saidx1->dst.sa, chkport) != 0) { return 0; } } @@ -4398,13 +4672,17 @@ key_getspi(so, m, mhp) if (((struct sockaddr *)(src0 + 1))->sa_len != sizeof(struct sockaddr_in)) return key_senderror(so, m, EINVAL); +#ifndef IPSEC_NAT_T ((struct sockaddr_in *)(src0 + 1))->sin_port = 0; +#endif break; case AF_INET6: if (((struct sockaddr *)(src0 + 1))->sa_len != sizeof(struct sockaddr_in6)) return key_senderror(so, m, EINVAL); +#ifndef IPSEC_NAT_T ((struct sockaddr_in6 *)(src0 + 1))->sin6_port = 0; +#endif break; default: ; /*???*/ @@ -4414,13 +4692,17 @@ key_getspi(so, m, mhp) if (((struct sockaddr *)(dst0 + 1))->sa_len != sizeof(struct sockaddr_in)) return key_senderror(so, m, EINVAL); +#ifndef IPSEC_NAT_T ((struct sockaddr_in *)(dst0 + 1))->sin_port = 0; +#endif break; case AF_INET6: if (((struct sockaddr *)(dst0 + 1))->sa_len != sizeof(struct sockaddr_in6)) return key_senderror(so, m, EINVAL); +#ifndef IPSEC_NAT_T ((struct sockaddr_in6 *)(dst0 + 1))->sin6_port = 0; +#endif break; default: ; /*???*/ @@ -4429,6 +4711,12 @@ key_getspi(so, m, mhp) /* XXX boundary check against sa_len */ KEY_SETSECASIDX(proto, mode, reqid, src0 + 1, dst0 + 1, &saidx); + /* If not using NAT-T, make sure port numbers are set to zero. */ +#ifndef IPSEC_NAT_T + KEY_PORTTOSADDR(&saidx.src, 0); + KEY_PORTTOSADDR(&saidx.dst, 0); +#endif + /* SPI allocation */ spi = key_do_getnewspi((struct sadb_spirange *)mhp->ext[SADB_EXT_SPIRANGE], &saidx); 
@@ -4684,6 +4972,12 @@ key_update(so, m, mhp) /* XXX boundary check against sa_len */ KEY_SETSECASIDX(proto, mode, reqid, src0 + 1, dst0 + 1, &saidx); + /* If not using NAT-T, make sure if port number is zero. */ +#ifndef IPSEC_NAT_T + KEY_PORTTOSADDR(&saidx.src, 0); + KEY_PORTTOSADDR(&saidx.dst, 0); +#endif + /* get a SA header */ if ((sah = key_getsah(&saidx)) == NULL) { ipseclog((LOG_DEBUG, "%s: no SA index found.\n", __func__)); 
@@ -4750,6 +5044,68 @@ key_update(so, m, mhp) return key_senderror(so, m, 0); } +#ifdef IPSEC_NAT_T + /* + * Handle NAT-T info if present + */ + if (mhp->ext[SADB_X_EXT_NAT_T_OA] != NULL) + printf("update: NAT-T OA present\n"); + + if ((mhp->ext[SADB_X_EXT_NAT_T_TYPE] != NULL) && + (mhp->ext[SADB_X_EXT_NAT_T_SPORT] != NULL) && + (mhp->ext[SADB_X_EXT_NAT_T_DPORT] != NULL)) { + struct sadb_x_nat_t_type *type; + struct sadb_x_nat_t_port *sport; + struct sadb_x_nat_t_port *dport; + struct sadb_address *addr; + struct sadb_x_nat_t_frag *frag; + + if ((mhp->extlen[SADB_X_EXT_NAT_T_TYPE] < sizeof(*type)) || + (mhp->extlen[SADB_X_EXT_NAT_T_SPORT] < sizeof(*sport)) || + (mhp->extlen[SADB_X_EXT_NAT_T_DPORT] < sizeof(*dport))) { + ipseclog((LOG_DEBUG, "key_update: " + "invalid message.\n")); + return key_senderror(so, m, EINVAL); + } + + if ((mhp->ext[SADB_X_EXT_NAT_T_OA] != NULL) && + (mhp->extlen[SADB_X_EXT_NAT_T_OA] < sizeof(*addr))) { + ipseclog((LOG_DEBUG, "key_update: invalid message\n")); + return key_senderror(so, m, EINVAL); + } + + if ((mhp->ext[SADB_X_EXT_NAT_T_FRAG] != NULL) && + (mhp->extlen[SADB_X_EXT_NAT_T_FRAG] < sizeof(*frag))) { + ipseclog((LOG_DEBUG, "key_update: invalid message\n")); + return key_senderror(so, m, EINVAL); + } + + type = (struct sadb_x_nat_t_type *) + mhp->ext[SADB_X_EXT_NAT_T_TYPE]; + sport = (struct sadb_x_nat_t_port *) + mhp->ext[SADB_X_EXT_NAT_T_SPORT]; + dport = (struct sadb_x_nat_t_port *) + mhp->ext[SADB_X_EXT_NAT_T_DPORT]; + addr = (struct sadb_address *) + mhp->ext[SADB_X_EXT_NAT_T_OA]; + frag = (struct sadb_x_nat_t_frag *) + mhp->ext[SADB_X_EXT_NAT_T_FRAG]; + + if (type) + sav->natt_type = type->sadb_x_nat_t_type_type; + if (sport) + KEY_PORTTOSADDR(&sav->sah->saidx.src, + sport->sadb_x_nat_t_port_port); + if (dport) + KEY_PORTTOSADDR(&sav->sah->saidx.dst, + dport->sadb_x_nat_t_port_port); + if (frag) + sav->esp_frag = frag->sadb_x_nat_t_frag_fraglen; + else + sav->esp_frag = IP_MAXPACKET; + } +#endif /* IPSEC_NAT_T */ + { struct 
mbuf *n; @@ -4882,6 +5238,11 @@ key_add(so, m, mhp) /* XXX boundary check against sa_len */ KEY_SETSECASIDX(proto, mode, reqid, src0 + 1, dst0 + 1, &saidx); +#ifndef IPSEC_NAT_T + KEY_PORTTOSADDR(&saidx.src, 0); + KEY_PORTTOSADDR(&saidx.dst, 0); +#endif + /* get a SA header */ if ((newsah = key_getsah(&saidx)) == NULL) { /* create a new SA header */ 
@@ -4918,6 +5279,68 @@ key_add(so, m, mhp) return key_senderror(so, m, error); } +#ifdef IPSEC_NAT_T + /* + * Handle NAT-T info if present + */ + if (mhp->ext[SADB_X_EXT_NAT_T_OA] != NULL) + printf("add: NAT-T OA present\n"); + + if ((mhp->ext[SADB_X_EXT_NAT_T_TYPE] != NULL) && + (mhp->ext[SADB_X_EXT_NAT_T_SPORT] != NULL) && + (mhp->ext[SADB_X_EXT_NAT_T_DPORT] != NULL)) { + struct sadb_x_nat_t_type *type; + struct sadb_x_nat_t_port *sport; + struct sadb_x_nat_t_port *dport; + struct sadb_address *addr; + struct sadb_x_nat_t_frag *frag; + + if ((mhp->extlen[SADB_X_EXT_NAT_T_TYPE] < sizeof(*type)) || + (mhp->extlen[SADB_X_EXT_NAT_T_SPORT] < sizeof(*sport)) || + (mhp->extlen[SADB_X_EXT_NAT_T_DPORT] < sizeof(*dport))) { + ipseclog((LOG_DEBUG, "key_add: " + "invalid message.\n")); + return key_senderror(so, m, EINVAL); + } + + if ((mhp->ext[SADB_X_EXT_NAT_T_OA] != NULL) && + (mhp->extlen[SADB_X_EXT_NAT_T_OA] < sizeof(*addr))) { + ipseclog((LOG_DEBUG, "key_add: invalid message\n")); + return key_senderror(so, m, EINVAL); + } + + if ((mhp->ext[SADB_X_EXT_NAT_T_FRAG] != NULL) && + (mhp->extlen[SADB_X_EXT_NAT_T_FRAG] < sizeof(*frag))) { + ipseclog((LOG_DEBUG, "key_update: invalid message\n")); + return key_senderror(so, m, EINVAL); + } + + type = (struct sadb_x_nat_t_type *) + mhp->ext[SADB_X_EXT_NAT_T_TYPE]; + sport = (struct sadb_x_nat_t_port *) + mhp->ext[SADB_X_EXT_NAT_T_SPORT]; + dport = (struct sadb_x_nat_t_port *) + mhp->ext[SADB_X_EXT_NAT_T_DPORT]; + addr = (struct sadb_address *) + mhp->ext[SADB_X_EXT_NAT_T_OA]; + frag = (struct sadb_x_nat_t_frag *) + mhp->ext[SADB_X_EXT_NAT_T_FRAG]; + + if (type) + newsav->natt_type = type->sadb_x_nat_t_type_type; + if (sport) + KEY_PORTTOSADDR(&newsav->sah->saidx.src, + sport->sadb_x_nat_t_port_port); + if (dport) + KEY_PORTTOSADDR(&newsav->sah->saidx.dst, + dport->sadb_x_nat_t_port_port); + if (frag) + newsav->esp_frag = frag->sadb_x_nat_t_frag_fraglen; + else + newsav->esp_frag = IP_MAXPACKET; + } +#endif + /* * don't call 
key_freesav() here, as we would like to keep the SA * in the database on success. @@ -5118,6 +5541,11 @@ key_delete(so, m, mhp) /* XXX boundary check against sa_len */ KEY_SETSECASIDX(proto, IPSEC_MODE_ANY, 0, src0 + 1, dst0 + 1, &saidx); +#ifndef IPSEC_NAT_T + KEY_PORTTOSADDR(&saidx.src, 0); + KEY_PORTTOSADDR(&saidx.dst, 0); +#endif + /* get a SA header */ SAHTREE_LOCK(); LIST_FOREACH(sah, &sahtree, chain) { @@ -5187,6 +5615,11 @@ key_delete_all(so, m, mhp, proto) /* XXX boundary check against sa_len */ KEY_SETSECASIDX(proto, IPSEC_MODE_ANY, 0, src0 + 1, dst0 + 1, &saidx); +#ifndef IPSEC_NAT_T + KEY_PORTTOSADDR(&saidx.src, 0); + KEY_PORTTOSADDR(&saidx.dst, 0); +#endif + SAHTREE_LOCK(); LIST_FOREACH(sah, &sahtree, chain) { if (sah->state == SADB_SASTATE_DEAD) @@ -5301,6 +5734,11 @@ key_get(so, m, mhp) /* XXX boundary check against sa_len */ KEY_SETSECASIDX(proto, IPSEC_MODE_ANY, 0, src0 + 1, dst0 + 1, &saidx); +#ifndef IPSEC_NAT_T + KEY_PORTTOSADDR(&saidx.src, 0); + KEY_PORTTOSADDR(&saidx.dst, 0); +#endif + /* get a SA header */ SAHTREE_LOCK(); LIST_FOREACH(sah, &sahtree, chain) { @@ -5988,6 +6426,11 @@ key_acquire2(so, m, mhp) /* XXX boundary check against sa_len */ KEY_SETSECASIDX(proto, IPSEC_MODE_ANY, 0, src0 + 1, dst0 + 1, &saidx); +#ifndef IPSEC_NAT_T + KEY_PORTTOSADDR(&saidx.src, 0); + KEY_PORTTOSADDR(&saidx.dst, 0); +#endif + /* get a SA index */ SAHTREE_LOCK(); LIST_FOREACH(sah, &sahtree, chain) { @@ -6596,6 +7039,11 @@ static int (*key_typesw[]) __P((struct s key_spdadd, /* SADB_X_SPDSETIDX */ NULL, /* SADB_X_SPDEXPIRE */ key_spddelete2, /* SADB_X_SPDDELETE2 */ +#ifdef IPSEC_NAT_T + key_nat_map, /* SADB_X_NAT_T_NEW_MAPPING */ +#else + NULL, +#endif }; /* 
@@ -6932,6 +7380,13 @@ key_align(m, mhp) case SADB_EXT_SPIRANGE: case SADB_X_EXT_POLICY: case SADB_X_EXT_SA2: +#ifdef IPSEC_NAT_T + case SADB_X_EXT_NAT_T_TYPE: + case SADB_X_EXT_NAT_T_SPORT: + case SADB_X_EXT_NAT_T_DPORT: + case SADB_X_EXT_NAT_T_OA: + case SADB_X_EXT_NAT_T_FRAG: +#endif /* duplicate check */ /* * XXX Are there duplication payloads of either Index: netipsec/key.h =================================================================== RCS file: /home/ncvs/src/sys/netipsec/key.h,v retrieving revision 1.4 diff -b -u -p -r1.4 key.h --- netipsec/key.h 7 Jan 2005 01:45:46 -0000 1.4 +++ netipsec/key.h 19 Sep 2006 12:45:24 -0000 @@ -99,6 +99,10 @@ extern void key_init __P((void)); extern void key_sa_recordxfer __P((struct secasvar *, struct mbuf *)); extern void key_sa_routechange __P((struct sockaddr *)); extern void key_sa_stir_iv __P((struct secasvar *)); +#ifdef IPSEC_NAT_T +u_int16_t key_portfromsaddr __P((struct sockaddr *)); +#define KEY_PORTFROMSADDR(saddr) key_portfromsaddr((struct sockaddr *)(saddr)) +#endif #ifdef MALLOC_DECLARE MALLOC_DECLARE(M_IPSEC_SA); Index: netipsec/keydb.h =================================================================== RCS file: /home/ncvs/src/sys/netipsec/keydb.h,v retrieving revision 1.5 diff -b -u -p -r1.5 keydb.h --- netipsec/keydb.h 7 Jan 2005 01:45:46 -0000 1.5 +++ netipsec/keydb.h 19 Sep 2006 12:45:24 -0000 
@@ -117,6 +117,12 @@ struct secasvar { struct secashead *sah; /* back pointer to the secashead */ /* + * NAT-Traversal + */ + u_int16_t natt_type; + u_int16_t esp_frag; + + /* * NB: Fields with a tdb_ prefix are part of the "glue" used * to interface to the OpenBSD crypto support. This was done * to distinguish this code from the mainline KAME code. Index: netkey/key.c =================================================================== RCS file: /home/ncvs/src/sys/netkey/key.c,v retrieving revision 1.71.2.2 diff -b -u -p -r1.71.2.2 key.c --- netkey/key.c 4 Nov 2005 20:26:16 -0000 1.71.2.2 +++ netkey/key.c 19 Sep 2006 12:45:46 -0000 @@ -194,6 +194,11 @@ static const int minsize[] = { 0, /* SADB_X_EXT_KMPRIVATE */ sizeof(struct sadb_x_policy), /* SADB_X_EXT_POLICY */ sizeof(struct sadb_x_sa2), /* SADB_X_SA2 */ + sizeof(struct sadb_x_nat_t_type), /* SADB_X_EXT_NAT_T_TYPE */ + sizeof(struct sadb_x_nat_t_port), /* SADB_X_EXT_NAT_T_SPORT */ + sizeof(struct sadb_x_nat_t_port), /* SADB_X_EXT_NAT_T_DPORT */ + sizeof(struct sadb_address), /* SADB_X_EXT_NAT_T_OA */ + sizeof(struct sadb_x_nat_t_frag),/* SADB_X_EXT_NAT_T_FRAG */ }; static const int maxsize[] = { sizeof(struct sadb_msg), /* SADB_EXT_RESERVED */ @@ -216,6 +221,11 @@ static const int maxsize[] = { 0, /* SADB_X_EXT_KMPRIVATE */ 0, /* SADB_X_EXT_POLICY */ sizeof(struct sadb_x_sa2), /* SADB_X_SA2 */ + sizeof(struct sadb_x_nat_t_type), /* SADB_X_EXT_NAT_T_TYPE */ + sizeof(struct sadb_x_nat_t_port), /* SADB_X_EXT_NAT_T_SPORT */ + sizeof(struct sadb_x_nat_t_port), /* SADB_X_EXT_NAT_T_DPORT */ + 0, /* SADB_X_EXT_NAT_T_OA */ + sizeof(struct sadb_x_nat_t_frag), /* SADB_X_EXT_NAT_T_FRAG */ }; static int ipsec_esp_keymin = 256; 
@@ -384,6 +394,10 @@ static int key_spdflush(struct socket *, const struct sadb_msghdr *); static int key_spddump(struct socket *, struct mbuf *, const struct sadb_msghdr *); +#ifdef IPSEC_NAT_T +static int key_nat_map(struct socket *, struct mbuf *, + const struct sadb_msghdr *); +#endif static struct mbuf *key_setdumpsp(struct secpolicy *, u_int8_t, u_int32_t, u_int32_t); static u_int key_getspreqmsglen(struct secpolicy *); @@ -406,6 +420,13 @@ static struct mbuf *key_setsadbmsg(u_int static struct mbuf *key_setsadbsa(struct secasvar *); static struct mbuf *key_setsadbaddr(u_int16_t, struct sockaddr *, u_int8_t, u_int16_t); +#ifdef IPSEC_NAT_T +static struct mbuf *key_setsadbxport __P((u_int16_t, u_int16_t)); +static struct mbuf *key_setsadbxtype __P((u_int16_t)); +#endif +static void key_porttosaddr __P((struct sockaddr *, u_int16_t)); +#define KEY_PORTTOSADDR(saddr, port) \ + key_porttosaddr((struct sockaddr *)(saddr), (port)) #if 0 static struct mbuf *key_setsadbident(u_int16_t, u_int16_t, caddr_t, int, u_int64_t); @@ -927,10 +948,11 @@ key_do_allocsa_policy(sah, state) * keep source address in IPsec SA. We see a tricky situation here. */ struct secasvar * -key_allocsa(family, src, dst, proto, spi) +key_allocsa(family, src, dst, proto, spi, sport, dport) u_int family, proto; caddr_t src, dst; u_int32_t spi; + u_int16_t sport, dport; { struct secasvar *sav, *match; u_int stateidx, state, tmpidx, matchidx; @@ -941,11 +963,17 @@ key_allocsa(family, src, dst, proto, spi int s; const u_int *saorder_state_valid; int arraysize; + int chkport = 0; /* sanity check */ if (src == NULL || dst == NULL) panic("key_allocsa: NULL pointer is passed."); +#ifdef IPSEC_NAT_T + if ((sport != 0) && (dport != 0)) + chkport = 1; +#endif + /* * when both systems employ similar strategy to use a SA. * the search order is important even in the inbound case. 
@@ -1004,8 +1032,11 @@ key_allocsa(family, src, dst, proto, spi switch (family) { case AF_INET: bcopy(src, &sin.sin_addr, sizeof(sin.sin_addr)); +#ifdef IPSEC_NAT_T + sin.sin_port = sport; +#endif if (key_sockaddrcmp((struct sockaddr*)&sin, - (struct sockaddr *)&sav->sah->saidx.src, 0) != 0) + (struct sockaddr *)&sav->sah->saidx.src, chkport) != 0) continue; break; @@ -1013,10 +1044,13 @@ key_allocsa(family, src, dst, proto, spi case AF_INET6: bcopy(src, &sin6.sin6_addr, sizeof(sin6.sin6_addr)); sin6.sin6_scope_id = 0; +#ifdef IPSEC_NAT_T + sin6.sin6_port = sport; +#endif if (sa6_recoverscope(&sin6)) continue; if (key_sockaddrcmp((struct sockaddr *)&sin6, - (struct sockaddr *)&sav->sah->saidx.src, 0) != 0) + (struct sockaddr *)&sav->sah->saidx.src, chkport) != 0) continue; break; #endif @@ -1032,8 +1066,11 @@ key_allocsa(family, src, dst, proto, spi switch (family) { case AF_INET: bcopy(dst, &sin.sin_addr, sizeof(sin.sin_addr)); +#ifdef IPSEC_NAT_T + sin.sin_port = dport; +#endif if (key_sockaddrcmp((struct sockaddr*)&sin, - (struct sockaddr *)&sav->sah->saidx.dst, 0) != 0) + (struct sockaddr *)&sav->sah->saidx.dst, chkport) != 0) continue; break; @@ -1041,10 +1078,13 @@ key_allocsa(family, src, dst, proto, spi case AF_INET6: bcopy(dst, &sin6.sin6_addr, sizeof(sin6.sin6_addr)); sin6.sin6_scope_id = 0; +#ifdef IPSEC_NAT_T + sin6.sin6_port = dport; +#endif if (sa6_recoverscope(&sin6)) continue; if (key_sockaddrcmp((struct sockaddr *)&sin6, - (struct sockaddr *)&sav->sah->saidx.dst, 0) != 0) + (struct sockaddr *)&sav->sah->saidx.dst, chkport) != 0) continue; break; #endif @@ -1873,6 +1913,7 @@ key_spdadd(so, m, mhp) } } +#ifndef IPSEC_NAT_T for (isr = newsp->req; isr; isr = isr->next) { struct sockaddr *sa; @@ -1916,6 +1957,7 @@ key_spdadd(so, m, mhp) } } } +#endif /* !IPSEC_NAT_T */ /* * bark if we have different address family on tunnel address 
@@ -2475,6 +2517,72 @@ key_spddump(so, m, mhp) return 0; } +#ifdef IPSEC_NAT_T +/* + * SADB_X_NAT_T_NEW_MAPPING + */ +static int +key_nat_map(so, m, mhp) + struct socket *so; + struct mbuf *m; + const struct sadb_msghdr *mhp; +{ + struct sadb_x_nat_t_type *type; + struct sadb_x_nat_t_port *sport; + struct sadb_x_nat_t_port *dport; + struct sadb_address *addr; + struct sadb_x_nat_t_frag *frag; + + /* sanity check */ + if (so == NULL || m == NULL || mhp == NULL || mhp->msg == NULL) + panic("key_nat_map: NULL pointer is passed."); + + if (mhp->ext[SADB_X_EXT_NAT_T_TYPE] == NULL || + mhp->ext[SADB_X_EXT_NAT_T_SPORT] == NULL || + mhp->ext[SADB_X_EXT_NAT_T_DPORT] == NULL) { + ipseclog((LOG_DEBUG, "key_nat_map: invalid message.\n")); + return key_senderror(so, m, EINVAL); + } + if ((mhp->extlen[SADB_X_EXT_NAT_T_TYPE] < sizeof(*type)) || + (mhp->extlen[SADB_X_EXT_NAT_T_SPORT] < sizeof(*sport)) || + (mhp->extlen[SADB_X_EXT_NAT_T_DPORT] < sizeof(*dport))) { + ipseclog((LOG_DEBUG, "key_nat_map: invalid message.\n")); + return key_senderror(so, m, EINVAL); + } + + if ((mhp->ext[SADB_X_EXT_NAT_T_OA] != NULL) && + (mhp->extlen[SADB_X_EXT_NAT_T_OA] < sizeof(*addr))) { + ipseclog((LOG_DEBUG, "key_nat_map: invalid message\n")); + return key_senderror(so, m, EINVAL); + } + + if ((mhp->ext[SADB_X_EXT_NAT_T_FRAG] != NULL) && + (mhp->extlen[SADB_X_EXT_NAT_T_FRAG] < sizeof(*frag))) { + ipseclog((LOG_DEBUG, "key_nat_map: invalid message\n")); + return key_senderror(so, m, EINVAL); + } + + type = (struct sadb_x_nat_t_type *)mhp->ext[SADB_X_EXT_NAT_T_TYPE]; + sport = (struct sadb_x_nat_t_port *)mhp->ext[SADB_X_EXT_NAT_T_SPORT]; + dport = (struct sadb_x_nat_t_port *)mhp->ext[SADB_X_EXT_NAT_T_DPORT]; + addr = (struct sadb_address *)mhp->ext[SADB_X_EXT_NAT_T_OA]; + frag = (struct sadb_x_nat_t_frag *) mhp->ext[SADB_X_EXT_NAT_T_FRAG]; + + printf("sadb_nat_map: type %d, sport = %d, dport = %d\n", + type->sadb_x_nat_t_type_type, + sport->sadb_x_nat_t_port_port, + dport->sadb_x_nat_t_port_port); + 
+ /* + * XXX handle that, it should also contain a SA, or anything + * that enable to update the SA information. + */ + + return 0; +} +#endif /* IPSEC_NAT_T */ + + static struct mbuf * key_setdumpsp(sp, type, seq, pid) struct secpolicy *sp; @@ -3025,6 +3133,10 @@ key_setsaval(sav, m, mhp) sav->lft_c = NULL; sav->lft_h = NULL; sav->lft_s = NULL; +#ifdef IPSEC_NAT_T + sav->natt_type = 0; + sav->esp_frag = 0; +#endif /* SA */ if (mhp->ext[SADB_EXT_SA] != NULL) { @@ -3491,6 +3603,11 @@ key_setdumpsa(sav, type, satype, seq, pi SADB_EXT_ADDRESS_DST, SADB_EXT_ADDRESS_PROXY, SADB_EXT_KEY_AUTH, SADB_EXT_KEY_ENCRYPT, SADB_EXT_IDENTITY_SRC, SADB_EXT_IDENTITY_DST, SADB_EXT_SENSITIVITY, +#ifdef IPSEC_NAT_T + SADB_X_EXT_NAT_T_TYPE, SADB_X_EXT_NAT_T_SPORT, + SADB_X_EXT_NAT_T_DPORT, SADB_X_EXT_NAT_T_OA, + SADB_X_EXT_NAT_T_FRAG, +#endif }; m = key_setsadbmsg(type, 0, satype, seq, pid, sav->refcnt); @@ -3567,6 +3684,31 @@ key_setdumpsa(sav, type, satype, seq, pi p = sav->lft_s; break; +#ifdef IPSEC_NAT_T + case SADB_X_EXT_NAT_T_TYPE: + if ((m = key_setsadbxtype(sav->natt_type)) == NULL) + goto fail; + break; + + case SADB_X_EXT_NAT_T_DPORT: + if ((m = key_setsadbxport(KEY_PORTFROMSADDR + (&sav->sah->saidx.dst), + SADB_X_EXT_NAT_T_DPORT)) == NULL) + goto fail; + break; + + case SADB_X_EXT_NAT_T_SPORT: + if ((m = key_setsadbxport(KEY_PORTFROMSADDR + (&sav->sah->saidx.src), + SADB_X_EXT_NAT_T_SPORT)) == NULL) + goto fail; + break; + + case SADB_X_EXT_NAT_T_OA: + case SADB_X_EXT_NAT_T_FRAG: + continue; +#endif + case SADB_EXT_ADDRESS_PROXY: case SADB_EXT_IDENTITY_SRC: case SADB_EXT_IDENTITY_DST: 
@@ -3825,6 +3967,133 @@ key_setsadbxsa2(mode, seq, reqid) return m; } +#ifdef IPSEC_NAT_T +/* + * set a type in sadb_x_nat_t_type + */ +static struct mbuf * +key_setsadbxtype(type) + u_int16_t type; +{ + struct mbuf *m; + size_t len; + struct sadb_x_nat_t_type *p; + + len = PFKEY_ALIGN8(sizeof(struct sadb_x_nat_t_type)); + + m = key_alloc_mbuf(len); + if (!m || m->m_next) { /*XXX*/ + if (m) + m_freem(m); + return NULL; + } + + p = mtod(m, struct sadb_x_nat_t_type *); + + bzero(p, len); + p->sadb_x_nat_t_type_len = PFKEY_UNIT64(len); + p->sadb_x_nat_t_type_exttype = SADB_X_EXT_NAT_T_TYPE; + p->sadb_x_nat_t_type_type = type; + + return m; +} +/* + * set a port in sadb_x_nat_t_port. port is in network order + */ +static struct mbuf * +key_setsadbxport(port, type) + u_int16_t port; + u_int16_t type; +{ + struct mbuf *m; + size_t len; + struct sadb_x_nat_t_port *p; + + len = PFKEY_ALIGN8(sizeof(struct sadb_x_nat_t_port)); + + m = key_alloc_mbuf(len); + if (!m || m->m_next) { /*XXX*/ + if (m) + m_freem(m); + return NULL; + } + + p = mtod(m, struct sadb_x_nat_t_port *); + + bzero(p, len); + p->sadb_x_nat_t_port_len = PFKEY_UNIT64(len); + p->sadb_x_nat_t_port_exttype = type; + p->sadb_x_nat_t_port_port = port; + + return m; +} + +/* + * Get port from sockaddr, port is in network order + */ +u_int16_t +key_portfromsaddr(saddr) + struct sockaddr *saddr; +{ + u_int16_t port; + + switch (saddr->sa_family) { + case AF_INET: { + struct sockaddr_in *sin = (struct sockaddr_in *)saddr; + + port = sin->sin_port; + break; + } +#ifdef INET6 + case AF_INET6: { + struct sockaddr_in6 *sin6 = (struct sockaddr_in6 *)saddr; + + port = sin6->sin6_port; + break; + } +#endif + default: + printf("key_portfromsaddr: unexpected address family\n"); + port = 0; + break; + } + + return port; +} +#endif /* IPSEC_NAT_T */ + +/* + * Set port is struct sockaddr. 
port is in network order + */ +static void +key_porttosaddr(saddr, port) + struct sockaddr *saddr; + u_int16_t port; +{ + switch (saddr->sa_family) { + case AF_INET: { + struct sockaddr_in *sin = (struct sockaddr_in *)saddr; + + sin->sin_port = port; + break; + } +#ifdef INET6 + case AF_INET6: { + struct sockaddr_in6 *sin6 = (struct sockaddr_in6 *)saddr; + + sin6->sin6_port = port; + break; + } +#endif + default: + printf("key_porttosaddr: unexpected address family %d\n", + saddr->sa_family); + break; + } + + return; +} + /* * set data into sadb_lifetime */ @@ -4015,6 +4284,8 @@ key_cmpsaidx(saidx0, saidx1, flag) struct secasindex *saidx0, *saidx1; int flag; { + int chkport = 0; + /* sanity */ if (saidx0 == NULL && saidx1 == NULL) return 1; @@ -4037,6 +4308,19 @@ key_cmpsaidx(saidx0, saidx1, flag) /* CMP_MODE_REQID, CMP_HEAD */ if (flag == CMP_MODE_REQID) { +#ifdef IPSEC_NAT_T + /* + * If NAT-T is enabled, check ports for tunnel mode. + * Don't do it for transport mode, as there is no + * port information available in the SP. + * XXX also don't check ports if they are set to zero in the SPD: + * This means we bave a non-generated SPD, which can't know UDP ports. + */ + if (saidx1->mode == IPSEC_MODE_TUNNEL && + satosin(&saidx1->src)->sin_port && + satosin(&saidx1->dst)->sin_port ) + chkport = 1; +#endif /* * If reqid of SPD is non-zero, unique SA is required. * The result must be of same reqid in this case. @@ -4044,6 +4328,10 @@ key_cmpsaidx(saidx0, saidx1, flag) if (saidx1->reqid != 0 && saidx0->reqid != saidx1->reqid) return 0; } +#ifdef IPSEC_NAT_T + else + chkport = 1; +#endif if (flag == CMP_MODE_REQID) { if (saidx0->mode != IPSEC_MODE_ANY && 
@@ -4052,11 +4340,11 @@ key_cmpsaidx(saidx0, saidx1, flag) } if (key_sockaddrcmp((struct sockaddr *)&saidx0->src, - (struct sockaddr *)&saidx1->src, 0) != 0) { + (struct sockaddr *)&saidx1->src, chkport) != 0) { return 0; } if (key_sockaddrcmp((struct sockaddr *)&saidx0->dst, - (struct sockaddr *)&saidx1->dst, 0) != 0) { + (struct sockaddr *)&saidx1->dst, chkport) != 0) { return 0; } } @@ -4704,19 +4992,23 @@ key_getspi(so, m, mhp) return key_senderror(so, m, EINVAL); } - /* make sure if port number is zero. */ + /* make sure if port number is zero if NAT-T support is NOT compiled. */ switch (((struct sockaddr *)(src0 + 1))->sa_family) { case AF_INET: if (((struct sockaddr *)(src0 + 1))->sa_len != sizeof(struct sockaddr_in)) return key_senderror(so, m, EINVAL); +#ifndef IPSEC_NAT_T ((struct sockaddr_in *)(src0 + 1))->sin_port = 0; +#endif break; case AF_INET6: if (((struct sockaddr *)(src0 + 1))->sa_len != sizeof(struct sockaddr_in6)) return key_senderror(so, m, EINVAL); +#ifndef IPSEC_NAT_T ((struct sockaddr_in6 *)(src0 + 1))->sin6_port = 0; +#endif break; default: ; /*???*/ @@ -4726,13 +5018,17 @@ key_getspi(so, m, mhp) if (((struct sockaddr *)(dst0 + 1))->sa_len != sizeof(struct sockaddr_in)) return key_senderror(so, m, EINVAL); +#ifndef IPSEC_NAT_T ((struct sockaddr_in *)(dst0 + 1))->sin_port = 0; +#endif break; case AF_INET6: if (((struct sockaddr *)(dst0 + 1))->sa_len != sizeof(struct sockaddr_in6)) return key_senderror(so, m, EINVAL); +#ifndef IPSEC_NAT_T ((struct sockaddr_in6 *)(dst0 + 1))->sin6_port = 0; +#endif break; default: ; /*???*/ @@ -4741,6 +5037,12 @@ key_getspi(so, m, mhp) /* XXX boundary check against sa_len */ KEY_SETSECASIDX(proto, mode, reqid, src0 + 1, dst0 + 1, &saidx); + /* If not using NAT-T, make sure port numbers are set to zero. */ +#ifndef IPSEC_NAT_T + KEY_PORTTOSADDR(&saidx.src, 0); + KEY_PORTTOSADDR(&saidx.dst, 0); +#endif + /* SPI allocation */ spi = key_do_getnewspi((struct sadb_spirange *)mhp->ext[SADB_EXT_SPIRANGE], &saidx); 
@@ -4994,6 +5296,12 @@ key_update(so, m, mhp) /* XXX boundary check against sa_len */ KEY_SETSECASIDX(proto, mode, reqid, src0 + 1, dst0 + 1, &saidx); + /* If not using NAT-T, make sure if port number is zero. */ +#ifndef IPSEC_NAT_T + KEY_PORTTOSADDR(&saidx.src, 0); + KEY_PORTTOSADDR(&saidx.dst, 0); +#endif + /* get a SA header */ if ((sah = key_getsah(&saidx)) == NULL) { ipseclog((LOG_DEBUG, "key_update: no SA index found.\n")); 
@@ -5060,6 +5368,68 @@ key_update(so, m, mhp) return key_senderror(so, m, error); } +#ifdef IPSEC_NAT_T + /* + * Handle NAT-T info if present + */ + if (mhp->ext[SADB_X_EXT_NAT_T_OA] != NULL) + printf("update: NAT-T OA present\n"); + + if ((mhp->ext[SADB_X_EXT_NAT_T_TYPE] != NULL) && + (mhp->ext[SADB_X_EXT_NAT_T_SPORT] != NULL) && + (mhp->ext[SADB_X_EXT_NAT_T_DPORT] != NULL)) { + struct sadb_x_nat_t_type *type; + struct sadb_x_nat_t_port *sport; + struct sadb_x_nat_t_port *dport; + struct sadb_address *addr; + struct sadb_x_nat_t_frag *frag; + + if ((mhp->extlen[SADB_X_EXT_NAT_T_TYPE] < sizeof(*type)) || + (mhp->extlen[SADB_X_EXT_NAT_T_SPORT] < sizeof(*sport)) || + (mhp->extlen[SADB_X_EXT_NAT_T_DPORT] < sizeof(*dport))) { + ipseclog((LOG_DEBUG, "key_update: " + "invalid message.\n")); + return key_senderror(so, m, EINVAL); + } + + if ((mhp->ext[SADB_X_EXT_NAT_T_OA] != NULL) && + (mhp->extlen[SADB_X_EXT_NAT_T_OA] < sizeof(*addr))) { + ipseclog((LOG_DEBUG, "key_update: invalid message\n")); + return key_senderror(so, m, EINVAL); + } + + if ((mhp->ext[SADB_X_EXT_NAT_T_FRAG] != NULL) && + (mhp->extlen[SADB_X_EXT_NAT_T_FRAG] < sizeof(*frag))) { + ipseclog((LOG_DEBUG, "key_update: invalid message\n")); + return key_senderror(so, m, EINVAL); + } + + type = (struct sadb_x_nat_t_type *) + mhp->ext[SADB_X_EXT_NAT_T_TYPE]; + sport = (struct sadb_x_nat_t_port *) + mhp->ext[SADB_X_EXT_NAT_T_SPORT]; + dport = (struct sadb_x_nat_t_port *) + mhp->ext[SADB_X_EXT_NAT_T_DPORT]; + addr = (struct sadb_address *) + mhp->ext[SADB_X_EXT_NAT_T_OA]; + frag = (struct sadb_x_nat_t_frag *) + mhp->ext[SADB_X_EXT_NAT_T_FRAG]; + + if (type) + sav->natt_type = type->sadb_x_nat_t_type_type; + if (sport) + KEY_PORTTOSADDR(&sav->sah->saidx.src, + sport->sadb_x_nat_t_port_port); + if (dport) + KEY_PORTTOSADDR(&sav->sah->saidx.dst, + dport->sadb_x_nat_t_port_port); + if (frag) + sav->esp_frag = frag->sadb_x_nat_t_frag_fraglen; + else + sav->esp_frag = IP_MAXPACKET; + } +#endif /* IPSEC_NAT_T */ + { 
struct mbuf *n; @@ -5189,6 +5559,11 @@ key_add(so, m, mhp) /* XXX boundary check against sa_len */ KEY_SETSECASIDX(proto, mode, reqid, src0 + 1, dst0 + 1, &saidx); +#ifndef IPSEC_NAT_T + KEY_PORTTOSADDR(&saidx.src, 0); + KEY_PORTTOSADDR(&saidx.dst, 0); +#endif + /* get a SA header */ if ((newsah = key_getsah(&saidx)) == NULL) { /* create a new SA header */ 
@@ -5222,6 +5597,68 @@ key_add(so, m, mhp) return key_senderror(so, m, error); } +#ifdef IPSEC_NAT_T + /* + * Handle NAT-T info if present + */ + if (mhp->ext[SADB_X_EXT_NAT_T_OA] != NULL) + printf("add: NAT-T OA present\n"); + + if ((mhp->ext[SADB_X_EXT_NAT_T_TYPE] != NULL) && + (mhp->ext[SADB_X_EXT_NAT_T_SPORT] != NULL) && + (mhp->ext[SADB_X_EXT_NAT_T_DPORT] != NULL)) { + struct sadb_x_nat_t_type *type; + struct sadb_x_nat_t_port *sport; + struct sadb_x_nat_t_port *dport; + struct sadb_address *addr; + struct sadb_x_nat_t_frag *frag; + + if ((mhp->extlen[SADB_X_EXT_NAT_T_TYPE] < sizeof(*type)) || + (mhp->extlen[SADB_X_EXT_NAT_T_SPORT] < sizeof(*sport)) || + (mhp->extlen[SADB_X_EXT_NAT_T_DPORT] < sizeof(*dport))) { + ipseclog((LOG_DEBUG, "key_add: " + "invalid message.\n")); + return key_senderror(so, m, EINVAL); + } + + if ((mhp->ext[SADB_X_EXT_NAT_T_OA] != NULL) && + (mhp->extlen[SADB_X_EXT_NAT_T_OA] < sizeof(*addr))) { + ipseclog((LOG_DEBUG, "key_add: invalid message\n")); + return key_senderror(so, m, EINVAL); + } + + if ((mhp->ext[SADB_X_EXT_NAT_T_FRAG] != NULL) && + (mhp->extlen[SADB_X_EXT_NAT_T_FRAG] < sizeof(*frag))) { + ipseclog((LOG_DEBUG, "key_update: invalid message\n")); + return key_senderror(so, m, EINVAL); + } + + type = (struct sadb_x_nat_t_type *) + mhp->ext[SADB_X_EXT_NAT_T_TYPE]; + sport = (struct sadb_x_nat_t_port *) + mhp->ext[SADB_X_EXT_NAT_T_SPORT]; + dport = (struct sadb_x_nat_t_port *) + mhp->ext[SADB_X_EXT_NAT_T_DPORT]; + addr = (struct sadb_address *) + mhp->ext[SADB_X_EXT_NAT_T_OA]; + frag = (struct sadb_x_nat_t_frag *) + mhp->ext[SADB_X_EXT_NAT_T_FRAG]; + + if (type) + newsav->natt_type = type->sadb_x_nat_t_type_type; + if (sport) + KEY_PORTTOSADDR(&newsav->sah->saidx.src, + sport->sadb_x_nat_t_port_port); + if (dport) + KEY_PORTTOSADDR(&newsav->sah->saidx.dst, + dport->sadb_x_nat_t_port_port); + if (frag) + newsav->esp_frag = frag->sadb_x_nat_t_frag_fraglen; + else + newsav->esp_frag = IP_MAXPACKET; + } +#endif + /* * don't call 
key_freesav() here, as we would like to keep the SA * in the database on success. @@ -5416,6 +5853,11 @@ key_delete(so, m, mhp) /* XXX boundary check against sa_len */ KEY_SETSECASIDX(proto, IPSEC_MODE_ANY, 0, src0 + 1, dst0 + 1, &saidx); +#ifndef IPSEC_NAT_T + KEY_PORTTOSADDR(&saidx.src, 0); + KEY_PORTTOSADDR(&saidx.dst, 0); +#endif + /* get a SA header */ LIST_FOREACH(sah, &sahtree, chain) { if (sah->state == SADB_SASTATE_DEAD) @@ -5483,6 +5925,11 @@ key_delete_all(so, m, mhp, proto) /* XXX boundary check against sa_len */ KEY_SETSECASIDX(proto, IPSEC_MODE_ANY, 0, src0 + 1, dst0 + 1, &saidx); +#ifndef IPSEC_NAT_T + KEY_PORTTOSADDR(&saidx.src, 0); + KEY_PORTTOSADDR(&saidx.dst, 0); +#endif + LIST_FOREACH(sah, &sahtree, chain) { if (sah->state == SADB_SASTATE_DEAD) continue; @@ -5592,6 +6039,11 @@ key_get(so, m, mhp) /* XXX boundary check against sa_len */ KEY_SETSECASIDX(proto, IPSEC_MODE_ANY, 0, src0 + 1, dst0 + 1, &saidx); +#ifndef IPSEC_NAT_T + KEY_PORTTOSADDR(&saidx.src, 0); + KEY_PORTTOSADDR(&saidx.dst, 0); +#endif + /* get a SA header */ LIST_FOREACH(sah, &sahtree, chain) { if (sah->state == SADB_SASTATE_DEAD) @@ -6272,6 +6724,11 @@ key_acquire2(so, m, mhp) /* XXX boundary check against sa_len */ KEY_SETSECASIDX(proto, IPSEC_MODE_ANY, 0, src0 + 1, dst0 + 1, &saidx); +#ifndef IPSEC_NAT_T + KEY_PORTTOSADDR(&saidx.src, 0); + KEY_PORTTOSADDR(&saidx.dst, 0); +#endif + /* get a SA index */ LIST_FOREACH(sah, &sahtree, chain) { if (sah->state == SADB_SASTATE_DEAD) @@ -6875,6 +7332,11 @@ static int (*key_typesw[])(struct socket key_spdadd, /* SADB_X_SPDSETIDX */ NULL, /* SADB_X_SPDEXPIRE */ key_spddelete2, /* SADB_X_SPDDELETE2 */ +#ifdef IPSEC_NAT_T + key_nat_map, /* SADB_X_NAT_T_NEW_MAPPING */ +#else + NULL, +#endif }; /* 
@@ -7227,6 +7689,13 @@ key_align(m, mhp) case SADB_EXT_SPIRANGE: case SADB_X_EXT_POLICY: case SADB_X_EXT_SA2: +#ifdef IPSEC_NAT_T + case SADB_X_EXT_NAT_T_TYPE: + case SADB_X_EXT_NAT_T_SPORT: + case SADB_X_EXT_NAT_T_DPORT: + case SADB_X_EXT_NAT_T_OA: + case SADB_X_EXT_NAT_T_FRAG: +#endif /* duplicate check */ /* * XXX Are there duplication payloads of either Index: netkey/key.h =================================================================== RCS file: /home/ncvs/src/sys/netkey/key.h,v retrieving revision 1.12 diff -b -u -p -r1.12 key.h --- netkey/key.h 7 Jan 2005 01:45:48 -0000 1.12 +++ netkey/key.h 19 Sep 2006 12:45:47 -0000 @@ -58,7 +58,8 @@ extern struct secpolicy *key_gettunnel(s struct sockaddr *, struct sockaddr *, struct sockaddr *); extern int key_checkrequest (struct ipsecrequest *isr, struct secasindex *); -extern struct secasvar *key_allocsa(u_int, caddr_t, caddr_t, u_int, u_int32_t); +extern struct secasvar *key_allocsa(u_int, caddr_t, caddr_t, u_int, u_int32_t, + u_int16_t, u_int16_t); extern void key_freesp(struct secpolicy *); extern void key_freesav(struct secasvar *); extern struct secpolicy *key_newsp(u_int32_t); @@ -78,6 +79,10 @@ extern int key_checktunnelsanity(struct extern void key_sa_recordxfer(struct secasvar *, struct mbuf *); extern void key_sa_routechange(struct sockaddr *); extern void key_sa_stir_iv(struct secasvar *); +#ifdef IPSEC_NAT_T +u_int16_t key_portfromsaddr __P((struct sockaddr *)); +#define KEY_PORTFROMSADDR(saddr) key_portfromsaddr((struct sockaddr *)(saddr)) +#endif /* to keep compatibility with FAST_IPSEC */ #define KEY_ALLOCSA(dst, proto, spi) \ Index: netkey/keydb.h =================================================================== RCS file: /home/ncvs/src/sys/netkey/keydb.h,v retrieving revision 1.12 diff -b -u -p -r1.12 keydb.h --- netkey/keydb.h 7 Jan 2005 01:45:48 -0000 1.12 +++ netkey/keydb.h 19 Sep 2006 12:45:51 -0000 
@@ -114,6 +114,10 @@ struct secasvar { pid_t pid; /* message's pid */ struct secashead *sah; /* back pointer to the secashead */ + /* NAT-Traversal + */ + u_int16_t natt_type; + u_int16_t esp_frag; u_int32_t id; /* SA id */ }; Index: sys/mbuf.h =================================================================== RCS file: /home/ncvs/src/sys/sys/mbuf.h,v retrieving revision 1.170.2.6 diff -b -u -p -r1.170.2.6 mbuf.h --- sys/mbuf.h 23 Mar 2006 23:24:32 -0000 1.170.2.6 +++ sys/mbuf.h 19 Sep 2006 12:45:56 -0000 @@ -778,6 +778,7 @@ struct mbuf *m_unshare(struct mbuf *, in #define PACKET_TAG_PF_TRANSLATE_LOCALHOST 26 /* PF translate localhost */ #define PACKET_TAG_IPOPTIONS 27 /* Saved IP options */ #define PACKET_TAG_CARP 28 /* CARP info */ +#define PACKET_TAG_IPSEC_NAT_T_PORTS 29 /* two uint16_t */ /* Packet tag routines. */ struct m_tag *m_tag_alloc(u_int32_t, int, int, int); From lavalamp at spiritual-machines.org Sat May 5 01:55:39 2007 
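Review bot: key_nat_map (hunk @@ -2475) validates the NAT-T extensions and then only printf()s type/sport/dport and returns 0, so an SADB_X_NAT_T_NEW_MAPPING message is accepted but never applied to any SA, as the XXX comment admits; until the message format carries an SA to update, reject it with key_senderror(so, m, EOPNOTSUPP) instead of silently succeeding. Two smaller points in the same function: the error paths hand m to key_senderror() while the success path returns without consuming or replying with m, so verify the caller frees it or every mapping message leaks an mbuf; and addr and frag are assigned but never read, while the bare printf() on a userland-driven message should go through ipseclog()/KEYDEBUG like the surrounding code.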
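Review bot: key_setsaval (hunk @@ -3025) initialises esp_frag to 0, but key_add/key_update set it to IP_MAXPACKET when the SADB_X_EXT_NAT_T_FRAG extension is absent, so an SA created without NAT-T extensions carries esp_frag == 0 and one created with NAT-T but no FRAG carries 65535 for the same meaning of "do not fragment". Use one sentinel in both places (IP_MAXPACKET here as well, or have whatever consumes esp_frag treat 0 as unset) and state which it is next to the field.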
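Review bot: in key_setdumpsa (hunks @@ -3491 and @@ -3567) SADB_X_EXT_NAT_T_TYPE, _SPORT and _DPORT are now emitted for every SA, natt_type 0 included, so every SADB_DUMP/SADB_GET reply grows three extensions that a setkey or racoon built without NAT-T support does not know. Add `if (sav->natt_type == 0) continue;` at the top of those three cases, the way the OA/FRAG cases already skip, so that non-NAT-T SAs dump exactly as before.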
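Review bot: the comment above key_porttosaddr (hunk @@ -3825) reads "Set port is struct sockaddr", should be "in"; also add a line saying why the function sits just outside the #ifdef IPSEC_NAT_T block that ends above it (it is reached through KEY_PORTTOSADDR under #ifndef IPSEC_NAT_T as well), or the next cleanup will move it inside and break the non-NAT-T build. Minor: the default branch of key_portfromsaddr prints no address family while key_porttosaddr prints sa_family; make both print it, and both should use ipseclog() rather than printf().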
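Review bot: key_cmpsaidx (hunks @@ -4037 and @@ -4052) reads the SPD ports through satosin() regardless of sa_family; that only works for AF_INET6 because sin_port and sin6_port happen to share an offset, so use the KEY_PORTFROMSADDR() this same patch introduces. More importantly, the #ifdef'd `else chkport = 1;` turns port comparison on for every flag other than CMP_MODE_REQID (CMP_HEAD included), so an SADB_DELETE or SADB_GET whose address payloads carry port 0 will not match an SA whose sah ports were filled in from the NAT-T extensions; if a zero port on the query side is meant as a wildcard, that has to be handled here or in key_sockaddrcmp(). Typo in the new comment: "bave" for "have".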
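Review bot: with IPSEC_NAT_T the ports carried in SADB_EXT_ADDRESS_SRC/DST are now kept in the saidx that key_getspi (hunks @@ -4704 to @@ -4741) allocates the SPI under, so the follow-up SADB_UPDATE must present identical ports in its address payloads or key_getsah() will not find the header. That contract with racoon/setkey is not written down anywhere in the patch; put it in the comment that replaced "make sure if port number is zero".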
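Review bot: in key_update (hunk @@ -5060) the ports from SADB_X_EXT_NAT_T_SPORT/DPORT are written with KEY_PORTTOSADDR() into sav->sah->saidx after key_getsah() found that header under the ports from the address payloads; if the two differ the header no longer matches the index it is filed under, and since one secashead is shared by every SA with the same saidx, a single update silently rewrites the ports of all of them. Apply the NAT-T ports to the local saidx before key_getsah(), or keep them in the secasvar. Also the `if (type)`, `if (sport)`, `if (dport)` tests are dead (the enclosing condition already requires all three non-NULL), addr is assigned and never used, and the printf("update: NAT-T OA present") belongs under ipseclog().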
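Review bot: the block in key_add (hunk @@ -5222) is a verbatim copy of the one in key_update, down to the ipseclog() in the FRAG length check that still says "key_update: invalid message", and the same three length checks appear a third time in key_nat_map. Factor the validation and the assignment into one static helper (key_nat_parse(mhp, sav) or similar) so the copies cannot drift. The ordering concern is the same as in key_update: the ports land in newsav->sah->saidx only after key_getsah() looked the header up, or a new one was created, under the address-payload ports.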
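Review bot: key_typesw (hunk @@ -6875) gets key_nat_map appended as its last entry, with a NULL placeholder when NAT-T is off; that is only right if SADB_X_NAT_T_NEW_MAPPING is exactly SADB_X_SPDDELETE2 + 1 and SADB_MAX was bumped in the header change that is not in this excerpt, so add a CTASSERT on the array length against SADB_MAX rather than relying on the two staying in step. The port zeroing added to key_delete, key_delete_all, key_get and key_acquire2 under #ifndef IPSEC_NAT_T is fine, but under #ifdef nothing zeroes them, which makes the port comparison in key_cmpsaidx decisive for those lookups and deserves a comment at each call site.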
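Review bot: key.h changes key_allocsa() to take two extra u_int16_t arguments, yet the KEY_ALLOCSA(dst, proto, spi) compatibility macro immediately below the hunk is untouched in this excerpt; unless a hunk not shown here passes zero ports through it, every caller via the macro now fails to compile. Also key_portfromsaddr is the only prototype in key.h written with __P(()) while the rest are plain ANSI prototypes; drop the __P for consistency.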
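Review bot: the new secasvar fields in keydb.h carry only a bare "NAT-Traversal" comment; say that natt_type holds the sadb_x_nat_t_type_type value with 0 meaning no encapsulation and that esp_frag is a byte length, since both are consumed far from this file. In mbuf.h, PACKET_TAG_IPSEC_NAT_T_PORTS "two uint16_t" should say which two ports, in what order and byte order, and who attaches and who consumes the tag; and because this is the RELENG_6 file (mbuf.h 1.170.2.6), the value 29 must be checked against HEAD before the merge so the tag number does not collide.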
From: lavalamp at spiritual-machines.org (Brian A. Seklecki)
Date: Sat, 5 May 2007 01:55:39 -0400 (EDT)
Subject: [nycbug-talk] Connecting a MacOS X client to an isakmpd VPN
In-Reply-To: <20070504042606.GA11806@r2d2.reverse.net>
References: <461FC106.8090404@goldenpath.org> <20070503151717.F67008@arbitor.digitalfreaks.org> <20070503153748.A67008@arbitor.digitalfreaks.org> <20070504042606.GA11806@r2d2.reverse.net>
Message-ID: <20070505015003.M2394@arbitor.digitalfreaks.org>

One last remark about Cisco + OS/X

Watch out for using 169.254.0.0/16 for VPN pool space with the MacOS/X client. At first you feel really cheeky having solved the world's RFC1918 black hole problem, then you realize that your mac clients are dead.

Apparently the Bonjour/Rendezvous/Zeroconf/mDNS crap depends on it; so it's statically routed known as directly connected (link-local) to the first configured ethernet address. It's not done in rc(8) where you can disable it, either.

~BAS

On Fri, 4 May 2007, David Rio Deiros wrote:

> On Thu, May 03, 2007 at 04:36:07PM -0400, Brian A. Seklecki wrote:
>>
>> Bill Moran swears by OpenVPN; but I'm a fan of (somewhat) standards based IPSec VPNs.
>>
>> Cisco splits the difference.
>>
>> .. and the licensing around the client is murky. But the client is readily available to most. As long as you have one PIX or VPNC3k in your network, then as far as I'm concerned, you can use the client.
>
> I am using cisco VPN software 4.9. We have a PIX at the office though.
> NAT traversal works fine as soon as there is only one client behind the NAT router.
> _______________________________________________
> % NYC*BUG talk mailing list
> http://lists.nycbug.org/mailman/listinfo/talk
> %Be sure to check out our Jobs and NYCBUG-announce lists
> %We meet the first Wednesday of the month

l8* -lava (Brian A. Seklecki - Pittsburgh, PA, USA)
http://www.spiritual-machines.org/
"...from back in the heady days when "helpdesk" meant nothing, "diskquota" meant everything, and lives could be bought and sold for a couple of pages of laser printout - and frequently were."

From schmonz at schmonz.com Sun May 6 20:04:27 2007
From: schmonz at schmonz.com (Amitai Schlair)
Date: Sun, 6 May 2007 20:04:27 -0400
Subject: [nycbug-talk] May 2007 meeting slides
In-Reply-To: <58926.69.119.146.233.1178247490.squirrel@www.geekisp.com>
References: <58926.69.119.146.233.1178247490.squirrel@www.geekisp.com>
Message-ID:

Slides from my presentation are here:

http://www.pkgsrccon.org/2007/slides/schmonz/nycbug-pkgsrccon.html

Also, almost all the slides from pkgsrcCon itself are now up here:

http://www.pkgsrccon.org/2007/presentations.html

Thanks again to everyone for listening!

- Amitai

From nycbug-list at 2xlp.com Mon May 7 20:59:23 2007
From: nycbug-list at 2xlp.com (Jonathan Vanasco)
Date: Mon, 7 May 2007 20:59:23 -0400
Subject: [nycbug-talk] drive failure?
Message-ID: <63931033-304D-4EE4-89C4-5FBFFF6E233E@2xlp.com>

Greetings all--

Last week a server that I've been preparing for colo went down. Everything just stopped working, I was getting a ton of kernel messages (like below) on the screen.

I tried rebooting, as I thought it could have been from too much Postgres activity, and everything spiraled out of control.

I just shut it down because I had too much other work to do, and I finally got to it today.

On first bootup, it was the same thing. I sinned and just pulled the power cord, because screen messages kept a reboot from being entered.

I ran fsck on startup and got 3 stalls from bad block errors -- but it seemed to clear stuff up. I did a real reboot, and the server is up and running.

My question is this: I just bought this 1 month ago. I'm not too knowledgeable with FreeBSD disk error information -- does this look to be a physical error (i.e., I make the vendor replace a drive), or does this look to be software based?

thanks.

=============

Apr 28 14:37:24 kernel: ad12: WARNING - SETFEATURES SET TRANSFER MODE taskqueue timeout - completing request directly
Apr 28 14:37:24 kernel: ad12: WARNING - SETFEATURES ENABLE RCACHE taskqueue timeout - completing request directly
Apr 28 14:37:24 kernel: ad12: WARNING - SET_MULTI taskqueue timeout - completing request directly
Apr 28 14:37:24 kernel: ad12: TIMEOUT - READ_DMA retrying (1 retry left) LBA=20542527
Apr 28 14:38:05 kernel: ad12: TIMEOUT - WRITE_DMA retrying (1 retry left) LBA=16789279

From george at ceetonetechnology.com Mon May 7 22:00:13 2007
From: george at ceetonetechnology.com (George Rosamond) Date: Mon, 7 May 2007 22:00:13 -0400 Subject: [nycbug-talk] drive failure? In-Reply-To: <63931033-304D-4EE4-89C4-5FBFFF6E233E@2xlp.com> References: <63931033-304D-4EE4-89C4-5FBFFF6E233E@2xlp.com> Message-ID: <9792087E-6D98-4D47-8F75-7943ADD7093E@ceetonetechnology.com> On May 7, 2007, at 8:59 PM, Jonathan Vanasco wrote: > Greetings all-- > > Last week a server that I've been preparing for colo went down. > Everything just stopped working, i was getting a ton of kernel > messages ( like below ) on the screen. > > I tried rebooting, as I thought it could have been from too much > Postgres activity, and everything spiraled out of control. > > I just shut it down because I had too much other work to do , and I > finallly got to it today. > > On first bootup, it was the same thing. I sinned and just pulled the > powercord, because screen messages kept a reboot from being entered. > > I ran fsck on startup and got 3 stalls from bad block errors -- but > it seemed to clear stuff up. I did a real reboot, and the server is > up and running. > > My question is this: I just bought this 1 month ago. I'm not too > knowledgeable with FreeBSD disk errors information -- does this look > to be a physical error ( ie, i make the vendor replace a drive ), or > does this look to be software based ? > > thanks. > > ============= > > Apr 28 14:37:24 kernel: ad12: WARNING - SETFEATURES SET TRANSFER > MODE taskqueue timeout - completing request directly > > Apr 28 14:37:24 kernel: ad12: WARNING - SETFEATURES ENABLE RCACHE > taskqueue timeout - completing request directly > > Apr 28 14:37:24 kernel: ad12: WARNING - SET_MULTI taskqueue timeout > - completing request directly > > Apr 28 14:37:24 kernel: ad12: TIMEOUT - READ_DMA retrying (1 retry > left) LBA=20542527 > > Apr 28 14:38:05 kernel: ad12: TIMEOUT - WRITE_DMA retrying (1 retry > left) LBA=16789279 > From google and all. . . it could possibly be related to the hardware IRQs. . 
Notice anything funky in the dmesg? It would be good to provide some more info. . . is this FBSD 6.x? From the ad12, I assume you're using SATA . . . what hardware? No raid? George From af.dingo at gmail.com Mon May 7 22:10:05 2007 
From: af.dingo at gmail.com (Jeff Quast)
Date: Mon, 7 May 2007 22:10:05 -0400
Subject: [nycbug-talk] drive failure?
In-Reply-To: <63931033-304D-4EE4-89C4-5FBFFF6E233E@2xlp.com>
References: <63931033-304D-4EE4-89C4-5FBFFF6E233E@2xlp.com>
Message-ID:

On 5/7/07, Jonathan Vanasco wrote:
> Greetings all--
>
> Last week a server that I've been preparing for colo went down.
> Everything just stopped working, i was getting a ton of kernel
> messages ( like below ) on the screen.

How about all of the kernel messages, including the dmesg? It's hard to get an idea of the timing: did a write fail, or a read fail, and at what location? Are all of the errors regarding a handful of block numbers, or does everything look like poison before it crashes?

> I tried rebooting, as I thought it could have been from too much
> Postgres activity, and everything spiraled out of control.

A lot of postgres activity... disk thrashing... on a SATA? This better be a SATA drive that is rated for 24/7 disk thrashing.

> I ran fsck on startup and got 3 stalls from bad block errors -- but
> it seemed to clear stuff up. I did a real reboot, and the server is
> up and running.

Read below

> My question is this: I just bought this 1 month ago.

This happens.

> does this look to be software based ?

badblocks will prove to you that it is a hardware failure, down to exactly which blocks are bad. Especially in write mode.

Irregardless, my filesystems looked dirty after the machine locked up. Two fsck's later I was still fixing "errors". I kept telling it to fix the new errors until the programs themselves began segfaulting. The culprit was bad ram, giving everybody bad information.

lesson is fsck on important data is a bad idea until you discover the root of the issue; fsck actually ruined more data each pass in the above scenario. thank god for a recent tape backup. I'd have lost a lot.

From spork at bway.net Mon May 7 22:23:44 2007
From: spork at bway.net (Charles Sprickman) Date: Mon, 7 May 2007 22:23:44 -0400 (EDT) Subject: [nycbug-talk] drive failure? In-Reply-To: <9792087E-6D98-4D47-8F75-7943ADD7093E@ceetonetechnology.com> References: <63931033-304D-4EE4-89C4-5FBFFF6E233E@2xlp.com> <9792087E-6D98-4D47-8F75-7943ADD7093E@ceetonetechnology.com> Message-ID: On Mon, 7 May 2007, George Rosamond wrote: > On May 7, 2007, at 8:59 PM, Jonathan Vanasco wrote: > >> Greetings all-- >> >> My question is this: I just bought this 1 month ago. I'm not too >> knowledgeable with FreeBSD disk errors information -- does this look >> to be a physical error ( ie, i make the vendor replace a drive ), or >> does this look to be software based ? >> >> Apr 28 14:37:24 kernel: ad12: WARNING - SETFEATURES SET TRANSFER >> MODE taskqueue timeout - completing request directly >> > From google and all. . . it could possibly be related to the > hardware IRQs. . I already deleted the original message so I'm adding my $0.02 here, but one really quick thing to do to narrow this down is to install smartmontools and get a reading on the SMART status of the drives in question. If they are reporting bad, case closed. If not, then go on your way - passing SMART does not always mean the drive is actually good. You can also just boot the Seagate tools, they have a bootable ISO with their SMART checking tools on them. They also generally work on other drives that support SMART. Charles > Notice anything funky in the dmesg? > > It would be good to provide some more info. . . is this FBSD 6.x? > From the ad12, I assume you're using SATA . . . what hardware? No > raid? > > George > _______________________________________________ > % NYC*BUG talk mailing list > http://lists.nycbug.org/mailman/listinfo/talk > %Be sure to check out our Jobs and NYCBUG-announce lists > %We meet the first Wednesday of the month > From carton at Ivy.NET Tue May 8 00:42:07 2007 
From: carton at Ivy.NET (Miles Nordin)
Date: Tue, 08 May 2007 00:42:07 -0400
Subject: [nycbug-talk] drive failure?
In-Reply-To: (Charles Sprickman's message of "Mon, 7 May 2007 22:23:44 -0400 (EDT)")
References: <63931033-304D-4EE4-89C4-5FBFFF6E233E@2xlp.com> <9792087E-6D98-4D47-8F75-7943ADD7093E@ceetonetechnology.com>
Message-ID:

>>>>> "cs" == Charles Sprickman writes:

    cs> smartmontools

seconded. I actually don't pay any attention to whether the ``overall assessment'' says PASSED or not. It seems to always say PASSED.

The goal is to distinguish between two different problems:

 1. bad driver. bad card. bad cable.
 2. bad disk.

You can look at 'smartctl -a'. If the UDMA_CRC_Error_Count raw count is increasing, it's a bad cable. If the Hardware_ECC_Recovered or Seek_Error_Rate counts are increasing, it's a bad drive.

Another, maybe more decisive, method: you can start 'smartctl -t long' to tell the drive to test itself. The output will tell you the ``recommended polling interval,'' which is about how long the test will take. This will be about 1 - 4 hours. smartctl returns immediately, and the drive tests itself in the background. Do this only on a drive that's not mounted.

Then run 'smartctl -a'. Then run 'smartctl -a' a second time. Make sure the test is still running. Sometimes, sending the drive a command will abort the test, and 'smartctl -a' is a command---that's why you run it twice. If your tests are getting aborted you'll see something like this:

Num  Test_Description    Status                  Remaining  LifeTime(hours)  LBA_of_first_error
# 1  Offline             Aborted by host               70%         0         -

In that case, (1) your drive's firmware is too old to work well, (2) your power supply is bad, or (3) you are trying to test a mounted drive. You could try starting the test with smartctl, then unplugging the IDE cable, and leaving the drive connected to power only for about four hours.

If you can get the test to keep running, then after four hours or so, do 'smartctl -a' again, and the result of the test will show up at the bottom like this:

Num  Test_Description    Status                  Remaining  LifeTime(hours)  LBA_of_first_error
# 1  Extended offline    Completed without error       00%      2373         -

This is how the drive reports the result: by writing it to this nonvolatile log which you can check later. There is no other reporting method. This positive result shown above mostly proves the drive is good.

If 'smartctl -t long' gives a good result, try another test: 'dd if=/dev/ad0 of=/dev/null bs=512'. If 'dd' reports an I/O error before the address of the end of the drive but 'smartctl -t long' reports good, that means your problem is with driver/card/cable. (it is normal on some but not all Unixes for 'dd' to get you an IDE driver error in 'dmesg' by trying to read past the end of the disk. You need to look at the sector number of the error, and see if it's in the middle of the drive or if it's past the end.)

A bad-drive result from 'smartctl -t long' should have a non-empty LBA_of_first_error like this:

Num  Test_Description    Status                  Remaining  LifeTime(hours)  LBA_of_first_error
# 1  Extended offline    Completed: read failure       60%     19687         204786353

I think maybe good drives connected to bad power supplies can possibly fail this 'smartctl -t long' test, but I just RMA them unconditionally when they fail and include a copy of the smartctl output. I have had bad power supply problems twice. The first time I spotted it using a scope (~600mV ripple during disk read/write activity rather than 100-200mV), and the second time by trial-and-error part-swapping.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 304 bytes
Desc: not available
URL:

From josh at rivels.org Tue May 8 08:06:49 2007
From: josh at rivels.org (Josh Rivel) Date: Tue, 8 May 2007 08:06:49 -0400 Subject: [nycbug-talk] Data Center Moving Companies? Message-ID: <20070508120649.GA12823@rivels.org> Just wondering if anyone can recommend a moving company for moving one of our data centers from lower Manhattan to Jersey City. It's not a ton of stuff, about 2 racks worth, mostly just some Dell 1u and 2u servers and some network gear. We don't have to move racks or anything. Thanks, Josh -- From pete at nomadlogic.org Tue May 8 11:40:24 2007 From: pete at nomadlogic.org (Peter Wright) Date: Tue, 8 May 2007 08:40:24 -0700 (PDT) Subject: [nycbug-talk] freebsd.nycbug.org is down Message-ID: <27512.160.33.20.11.1178638824.squirrel@webmail.nomadlogic.org> hi all - just a heads up. our freebsd mirror is currently down. hostname is freebsd.nycbug.org. if you are using this host to update your cvsup sources please use an alternative mirror for the time being. this is esp. urgent as there is a critical update to php in the ports tree that you may miss if this is your primary/only mirror. feel free to email me with any questions. i'll reply to this thread when the machine is back online. -pete -- ~~oO00Oo~~ Peter Wright pete at nomadlogic.org www.nomadlogic.org/~pete 310.869.9459 From nycbug-list at 2xlp.com Tue May 8 11:54:30 2007 
From: nycbug-list at 2xlp.com (Jonathan Vanasco)
Date: Tue, 8 May 2007 11:54:30 -0400
Subject: [nycbug-talk] drive failure?
In-Reply-To: <9792087E-6D98-4D47-8F75-7943ADD7093E@ceetonetechnology.com>
References: <63931033-304D-4EE4-89C4-5FBFFF6E233E@2xlp.com> <9792087E-6D98-4D47-8F75-7943ADD7093E@ceetonetechnology.com>
Message-ID: <2BE68E1A-30D6-4D5C-9119-4A35FD65C421@2xlp.com>

On May 7, 2007, at 10:00 PM, George Rosamond wrote:

> From google and all. . . it could possibly be related to the hardware IRQs. .
>
> Notice anything funky in the dmesg?
>
> It would be good to provide some more info. . . is this FBSD 6.x? From the ad12, I assume you're using SATA . . . what hardware? No raid?

FreeBSD 6.1

I was getting the same messages ( posted below ) in dmesg but only before I ran fsck. then they just stopped. that's what has me confused - it *looks* like a hardware issue, but it stopped when i fsck'd.

I'm using SATA via the onboard controller (intel DQ965GFEKR ). There are 4 sata drives in the machine, 2 configured as a mirror raid via the onboard raid controller, 2 not. this error was on a non-raided drive .

On May 7, 2007, at 10:10 PM, Jeff Quast wrote:

> How about all of the kernel messages, including the dmesg? It's hard to get an idea of the timing: did a write fail, or a read fail, and at what location, are all of the errors regarding a handful of block numbers, or does everything look like poison before it crashes?

reads and writes were failing, first when i was running it, then when i did a reboot .

>> My question is this: I just bought this 1 month ago.
> This happens.

tell me about it.

>> does this look to be software based ?
>
> badblocks will prove to you that it is a hardware failure, down to exactly which blocks are bad. Especially in write mode.
>
> Irregardless, my filesystems looked dirty after the machine locked up. Two fsck's later I was still fixing "errors". I kept telling it to fix the new errors until the programs themselves began segfaulting. The culprit was bad ram, giving everybody bad information.
>
> lesson is fsck on important data is a bad idea until you discover the root of the issue, fsck actually ruined more data each pass in the above scenario. thank god for a recent tape backup. I'd have lost a lot.

yeah, that's happened to me before too on an osx server. not fun.

thankfully this is only my root drive -- that might sound crazy, but all PG storage is on the mirror raid, and my main filestore for files the system processes is on a third drive (its a system that spiders social networks, parsing profiles + relationships into standardized formats, then does analytics to match them against other network profiles )

> I already deleted the original message so I'm adding my $0.02 here, but one really quick thing to do to narrow this down is to install smartmontools and get a reading on the SMART status of the drives in question. If they are reporting bad, case closed. If not, then go on your way - passing SMART does not always mean the drive is actually good.
>
> You can also just boot the Seagate tools, they have a bootable ISO with their SMART checking tools on them. They also generally work on other drives that support SMART.

that's a really good idea.

the last 5 errors were all variations of

40 51 00 d8 53 53 44 Error: UNC at LBA = XXXX = XXXX

On May 8, 2007, at 12:42 AM, Miles Nordin wrote:

> Another, maybe more decisive, method: you can start 'smartctl -t long' to tell the drive to test itself. The output will tell you the ``recommended polling interval,'' which is about how long the test will take. This will be about 1 - 4 hours. smartctl returns immediately, and the drive tests itself in the background.

ok. i'll install freebsd on another drive so i can -t long this one, or try the seagate cd.
This is quite possibly the best series of response emails I have ever read on a listserv. i'm just amazed at the knowledge here. Thank you all GREATLY.

And I'd like to suggest that this be tossed on a wiki somewhere , for supreme google-ability -- because nothing this good is on google right now.

===== /var/log/dmesg.yesterday =====

Uptime: 6d2h22m59s
Rebooting...
cpu_reset: Stopping other CPUs
Copyright (c) 1992-2007 The FreeBSD Project.
Copyright (c) 1979, 1980, 1983, 1986, 1988, 1989, 1991, 1992, 1993, 1994
        The Regents of the University of California. All rights reserved.
FreeBSD is a registered trademark of The FreeBSD Foundation.
FreeBSD 6.2-RELEASE #0: Fri Jan 12 11:05:30 UTC 2007
    root at dessler.cse.buffalo.edu:/usr/obj/usr/src/sys/SMP
acpi_alloc_wakeup_handler: can't alloc wake memory
Timecounter "i8254" frequency 1193182 Hz quality 0
CPU: Intel(R) Xeon(R) CPU 3040 @ 1.86GHz (1876.00-MHz 686-class CPU)
  Origin = "GenuineIntel"  Id = 0x6f6  Stepping = 6
  Features=0xbfebfbff
  Features2=0xe3bd,CX16,,
  AMD Features=0x20100000
  AMD Features2=0x1
  Cores per package: 2
real memory  = 3479298048 (3318 MB)
avail memory = 3404574720 (3246 MB)
ACPI APIC Table:
FreeBSD/SMP: Multiprocessor System Detected: 2 CPUs
 cpu0 (BSP): APIC ID: 0
 cpu1 (AP): APIC ID: 1
ioapic0: Changing APIC ID to 2
ioapic0 irqs 0-23 on motherboard
kbd1 at kbdmux0
ath_hal: 0.9.17.2 (AR5210, AR5211, AR5212, RF5111, RF5112, RF2413, RF5413)
acpi0: on motherboard
acpi0: Power Button (fixed)
Timecounter "ACPI-fast" frequency 3579545 Hz quality 1000
acpi_timer0: <24-bit timer at 3.579545MHz> port 0x408-0x40b on acpi0
cpu0: on acpi0
acpi_perf0: on cpu0
acpi_perf0: failed in PERF_STATUS attach
device_attach: acpi_perf0 attach returned 6
acpi_perf0: on cpu0
acpi_perf0: failed in PERF_STATUS attach
device_attach: acpi_perf0 attach returned 6
acpi_throttle0: on cpu0
cpu1: on acpi0
acpi_perf1: on cpu1
acpi_perf1: failed in PERF_STATUS attach
device_attach: acpi_perf1 attach returned 6
acpi_perf1: on cpu1
acpi_perf1: failed in PERF_STATUS attach
device_attach: acpi_perf1 attach returned 6
acpi_throttle1: on cpu1
acpi_throttle1: failed to attach P_CNT
device_attach: acpi_throttle1 attach returned 6
acpi_button0: on acpi0
pcib0: port 0xcf8-0xcff on acpi0
pci0: on pcib0
pci0: at device 2.0 (no driver attached)
pci0: at device 3.0 (no driver attached)
atapci0: port 0x3130-0x3137,0x314c-0x314f,0x3128-0x312f,0x3148-0x314b,0x3100-0x310f irq 18 at device 3.2 on pci0
ata2: on atapci0
ata3: on atapci0
pci0: at device 3.3 (no driver attached)
em0: port 0x30e0-0x30ff mem 0xe0300000-0xe031ffff,0xe0320000-0xe0320fff irq 20 at device 25.0 on pci0
em0: Ethernet address: 00:19:d1:25:0e:66
uhci0: port 0x30c0-0x30df irq 16 at device 26.0 on pci0
uhci0: [GIANT-LOCKED]
usb0: on uhci0
usb0: USB revision 1.0
uhub0: Intel UHCI root hub, class 9/0, rev 1.00/1.00, addr 1
uhub0: 2 ports with 2 removable, self powered
uhci1: port 0x30a0-0x30bf irq 21 at device 26.1 on pci0
uhci1: [GIANT-LOCKED]
usb1: on uhci1
usb1: USB revision 1.0
uhub1: Intel UHCI root hub, class 9/0, rev 1.00/1.00, addr 1
uhub1: 2 ports with 2 removable, self powered
ehci0: mem 0xe0322c00-0xe0322fff irq 18 at device 26.7 on pci0
ehci0: [GIANT-LOCKED]
usb2: EHCI version 1.0
usb2: companion controllers, 2 ports each: usb0 usb1
usb2: on ehci0
usb2: USB revision 2.0
uhub2: Intel EHCI root hub, class 9/0, rev 2.00/1.00, addr 1
uhub2: 4 ports with 4 removable, self powered
pcib1: at device 28.0 on pci0
pci1: on pcib1
pcib2: at device 28.1 on pci0
pci2: on pcib2
atapci1: port 0x2018-0x201f,0x2024-0x2027,0x2010-0x2017,0x2020-0x2023,0x2000-0x200f mem 0xe0100000-0xe01001ff irq 17 at device 0.0 on pci2
ata4: on atapci1
ata5: on atapci1
pcib3: at device 28.2 on pci0
pci3: on pcib3
pcib4: at device 28.3 on pci0
pci4: on pcib4
pcib5: at device 28.4 on pci0
pci5: on pcib5
uhci2: port 0x3080-0x309f irq 23 at device 29.0 on pci0
uhci2: [GIANT-LOCKED]
usb3: on uhci2
usb3: USB revision 1.0
uhub3: Intel UHCI root hub, class 9/0, rev 1.00/1.00, addr 1
uhub3: 2 ports with 2 removable, self powered
uhci3: port 0x3060-0x307f irq 19 at device 29.1 on pci0
uhci3: [GIANT-LOCKED]
usb4: on uhci3
usb4: USB revision 1.0
uhub4: Intel UHCI root hub, class 9/0, rev 1.00/1.00, addr 1
uhub4: 2 ports with 2 removable, self powered
uhci4: port 0x3040-0x305f irq 18 at device 29.2 on pci0
uhci4: [GIANT-LOCKED]
usb5: on uhci4
usb5: USB revision 1.0
uhub5: Intel UHCI root hub, class 9/0, rev 1.00/1.00, addr 1
uhub5: 2 ports with 2 removable, self powered
ehci1: mem 0xe0322800-0xe0322bff irq 23 at device 29.7 on pci0
ehci1: [GIANT-LOCKED]
usb6: EHCI version 1.0
usb6: companion controllers, 2 ports each: usb3 usb4 usb5
usb6: on ehci1
usb6: USB revision 2.0
uhub6: Intel EHCI root hub, class 9/0, rev 2.00/1.00, addr 1
uhub6: 6 ports with 6 removable, self powered
pcib6: at device 30.0 on pci0
pci6: on pcib6
em1: port 0x1000-0x103f mem 0xe0020000-0xe003ffff,0xe0000000-0xe001ffff irq 22 at device 1.0 on pci6
em1: Ethernet address: 00:0e:0c:d0:15:c0
isab0: at device 31.0 on pci0
isa0: on isab0
atapci2: port 0x3118-0x311f,0x3144-0x3147,0x3110-0x3117,0x3140-0x3143,0x3020-0x303f mem 0xe0322000-0xe03227ff irq 19 at device 31.2 on pci0
atapci2: AHCI Version 01.10 controller with 6 ports detected
ata6: on atapci2
ata7: on atapci2
ata8: on atapci2
ata9: on atapci2
ata10: on atapci2
ata11: on atapci2
pci0: at device 31.3 (no driver attached)
ppc0: port 0x378-0x37f,0x778-0x77f irq 7 on acpi0
ppc0: Generic chipset (ECP/PS2/NIBBLE) in COMPATIBLE mode
ppc0: FIFO with 16/16/8 bytes threshold
ppbus0: on ppc0
plip0: on ppbus0
lpt0: on ppbus0
lpt0: Interrupt-driven port
ppi0: on ppbus0
atkbdc0: port 0x60,0x64 irq 1 on acpi0
atkbd0: irq 1 on atkbdc0
kbd0 at atkbd0
atkbd0: [GIANT-LOCKED]
sio0: <16550A-compatible COM port> port 0x3f8-0x3ff irq 4 flags 0x10 on acpi0
sio0: type 16550A
pmtimer0 on isa0
orm0: at iomem 0xd0800-0xd17ff on isa0
ata0 at port 0x1f0-0x1f7,0x3f6 irq 14 on isa0
ata1 at port 0x170-0x177,0x376 irq 15 on isa0
sc0: at flags 0x100 on isa0
sc0: VGA <16 virtual consoles, flags=0x300>
sio1: configured irq 3 not in bitmap of probed irqs 0
sio1: port may not be enabled
vga0: at port 0x3c0-0x3df iomem 0xa0000-0xbffff on isa0
Timecounters tick every 1.000 msec
ad12: 76319MB at ata6-master SATA300
ad14: 476940MB at ata7-master SATA300
ad20: 476940MB at ata10-master SATA300
ar0: 476937MB status: READY
ar0: disk0 READY (master) using ad14 at ata7-master
ar0: disk1 READY (mirror) using ad20 at ata10-master
SMP: AP CPU #1 Launched!
Trying to mount root from ufs:/dev/ad12s1a
ad12: WARNING - SETFEATURES SET TRANSFER MODE taskqueue timeout - completing request directly
ad12: WARNING - SETFEATURES SET TRANSFER MODE taskqueue timeout - completing request directly
ad12: WARNING - SETFEATURES ENABLE RCACHE taskqueue timeout - completing request directly
ad12: WARNING - SETFEATURES ENABLE WCACHE taskqueue timeout - completing request directly
ad12: WARNING - SET_MULTI taskqueue timeout - completing request directly
ad12: TIMEOUT - READ_DMA retrying (1 retry left) LBA=20542527
ad12: TIMEOUT - READ_DMA retrying (1 retry left) LBA=53742935
ad12: WARNING - SETFEATURES SET TRANSFER MODE taskqueue timeout - completing request directly
ad12: WARNING - SETFEATURES SET TRANSFER MODE taskqueue timeout - completing request directly
ad12: WARNING - SETFEATURES ENABLE RCACHE taskqueue timeout - completing request directly
ad12: WARNING - SETFEATURES ENABLE WCACHE taskqueue timeout - completing request directly
ad12: WARNING - SET_MULTI taskqueue timeout - completing request directly
ad12: TIMEOUT - READ_DMA retrying (1 retry left) LBA=148505343
ad12: TIMEOUT - READ_DMA retrying (1 retry left) LBA=73251691
ad12: WARNING - SETFEATURES SET TRANSFER MODE taskqueue timeout - completing request directly
ad12: WARNING - SETFEATURES SET TRANSFER MODE taskqueue timeout - completing request directly
ad12: WARNING - SETFEATURES ENABLE RCACHE taskqueue timeout - completing request directly
ad12: WARNING - SETFEATURES ENABLE WCACHE taskqueue timeout - completing request directly
ad12: WARNING - SET_MULTI taskqueue timeout - completing request directly
ad12: TIMEOUT - READ_DMA retrying (1 retry left) LBA=20166335
ad12: TIMEOUT - READ_DMA retrying (1 retry left) LBA=45085775
ad12: TIMEOUT - READ_DMA retrying (1 retry left) LBA=19899015
ad12: TIMEOUT - READ_DMA retrying (1 retry left) LBA=19899019
ad12: TIMEOUT - READ_DMA retrying (1 retry left) LBA=20243439
ad12: TIMEOUT - READ_DMA retrying (0 retries left) LBA=20243439
ad12: FAILURE - READ_DMA timed out LBA=20243439
g_vfs_done():ad12s1a[READ(offset=1774673920, length=2048)]error = 5
ad12: TIMEOUT - READ_DMA retrying (1 retry left) LBA=65391579
ad12: WARNING - SETFEATURES SET TRANSFER MODE taskqueue timeout - completing request directly
ad12: WARNING - SETFEATURES SET TRANSFER MODE taskqueue timeout - completing request directly
ad12: WARNING - SETFEATURES ENABLE RCACHE taskqueue timeout - completing request directly
ad12: WARNING - SETFEATURES ENABLE WCACHE taskqueue timeout - completing request directly
ad12: WARNING - SET_MULTI taskqueue timeout - completing request directly
ad12: TIMEOUT - READ_DMA retrying (1 retry left) LBA=64198335
ad12: TIMEOUT - READ_DMA retrying (1 retry left) LBA=42043543
ad12: TIMEOUT - READ_DMA retrying (1 retry left) LBA=23248891
ad12: TIMEOUT - READ_DMA retrying (1 retry left) LBA=20243439
ad12: TIMEOUT - READ_DMA retrying (0 retries left) LBA=20243439
ad12: TIMEOUT - READ_DMA retrying (1 retry left) LBA=81608107
ad12: TIMEOUT - READ_DMA retrying (1 retry left) LBA=19900027
ad12: TIMEOUT - READ_DMA retrying (1 retry left) LBA=19866907
ad12: TIMEOUT - READ_DMA retrying (0 retries left) LBA=19866907
ad12: FAILURE - READ_DMA timed out LBA=19866907
g_vfs_done():ad12s1a[READ(offset=1581889536, length=2048)]error = 5
ad12: TIMEOUT - READ_DMA retrying (1 retry left) LBA=24761387

// Jonathan Vanasco
| - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
| SyndiClick.com
| - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
| FindMeOn.com - The cure for Multiple Web Personality Disorder
| Web Identity Management and 3D Social Networking
| - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
| RoadSound.com - Tools For Bands, Stuff For Fans
| Collaborative Online Management And Syndication Tools
| - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

From carton at Ivy.NET Tue May 8 14:14:41 2007
From: carton at Ivy.NET (Miles Nordin)
Date: Tue, 08 May 2007 14:14:41 -0400
Subject: [nycbug-talk] drive failure?
In-Reply-To: <2BE68E1A-30D6-4D5C-9119-4A35FD65C421@2xlp.com> (Jonathan Vanasco's message of "Tue, 8 May 2007 11:54:30 -0400")
References: <63931033-304D-4EE4-89C4-5FBFFF6E233E@2xlp.com> <9792087E-6D98-4D47-8F75-7943ADD7093E@ceetonetechnology.com> <2BE68E1A-30D6-4D5C-9119-4A35FD65C421@2xlp.com>
Message-ID:

>>>>> "jv" == Jonathan Vanasco writes:

    jv> thats what has me confused - it *looks* like a hardware issue,
    jv> but it stopped when i fsck'd.

. maybe it'll start again.

Anyway sometimes you have a drive that is only slightly bad, a drive that has ``forgotten'' what's stored in a few sectors. Maybe this could happen on a good drive if the power supply was dipping while it was writing that sector? or vibration? I don't know. but if you 'dd if=/dev/zero of=/dev/ad0 bs=56k' to write zeroes over all those unreadable sectors, this sort of drive will work perfectly again.

In the old days, when a drive started to fail in this way, it was all but guaranteed to fail completely in the near future, so the writing-zeroes trick was more a scheme for luring you toward larger amounts of data loss than an actual trick. I'm not sure if this remains true of these new ridiculously high-density drives.

This issue is also why, when testing a drive with 'dd', you should first test by reading, not by writing.

fsck could imaginably function like 'dd if=/dev/zero' if it happened to overwrite all your unreadable sectors, but that seems far-fetched. I'd sooner bet that you jostled a cable into a more favorable EMI position.

If you're putting this on a wiki, you should also note:

    dd if=/dev/ad0 of=/dev/ad1 bs=512 conv=noerror,sync

I think this doesn't apply to your situation, but that's how you recover data from a partly-bad disk. By substituting zero sectors on ad1 for all the unreadable sectors on ad0, you can get fsck and the filesystem layer to actually read stuff off the partition, although the insides of some files will be changed without your noticing.

There's also a program called 'dd_rescue' out there somewhere which will do this job faster by adjusting 'bs' to copy contiguously-good regions of the disk faster---that can be important because some bad disks seem to get worse as you read them. I tried it once, but stick with dd because dd_rescue seems goofy and Linuxy.

From josh at rivels.org Tue May 8 16:31:45 2007
From: josh at rivels.org (Josh Rivel)
Date: Tue, 8 May 2007 16:31:45 -0400
Subject: [nycbug-talk] Looking to borrow a router...
Message-ID: <20070508203145.GH20925@rivels.org>

I'm wondering if anyone has a router with a T1 card in it I could use for a day or two. We need to test a T1 between our corporate office and our new data center in NJ prior to the actual move. We have a spare Cisco 2610 to use at one end, but need something else for the other end. I will pick up in NYC and return ASAP, probably could even do both in the same day.

Thanks in advance....

Josh

From pete at nomadlogic.org Tue May 8 16:56:51 2007
From: pete at nomadlogic.org (Peter Wright)
Date: Tue, 8 May 2007 13:56:51 -0700 (PDT)
Subject: [nycbug-talk] DONE: freebsd.nycbug.org is down
In-Reply-To: <27512.160.33.20.11.1178638824.squirrel@webmail.nomadlogic.org>
References: <27512.160.33.20.11.1178638824.squirrel@webmail.nomadlogic.org>
Message-ID: <50408.160.33.20.11.1178657811.squirrel@webmail.nomadlogic.org>

> hi all - just a heads up. our freebsd mirror is currently down. hostname is freebsd.nycbug.org. if you are using this host to update your cvsup sources please use an alternative mirror for the time being. this is esp. urgent as there is a critical update to php in the ports tree that you may miss if this is your primary/only mirror.
>
> feel free to email me with any questions. i'll reply to this thread when the machine is back online.
>

thanks for George's help the box is back online! sorry for the inconvenience it may have caused for anyone.

-pete
--
~~oO00Oo~~
Peter Wright
pete at nomadlogic.org
www.nomadlogic.org/~pete
310.869.9459

From deep_blue at sebek.org Tue May 8 22:37:07 2007
From: deep_blue at sebek.org (deep_blue at sebek.org)
Date: Tue, 8 May 2007 19:37:07 -0700 (PDT)
Subject: [nycbug-talk] Looking to borrow a router...
In-Reply-To: <20070508203145.GH20925@rivels.org>
Message-ID: <376157.14380.qm@web413.biz.mail.mud.yahoo.com>

I have a Cisco 1760 with a T1 CSU/DSU. I am in forest hills queens. I will loan it to you on the condition that when you bring it back you configure it for my T1 which I do not have the time to do.

Josh Rivel wrote:

I'm wondering if anyone has a router with a T1 card in it I could use for a day or two. We need to test a T1 between our corporate office and our new data center in NJ prior to the actual move. We have a spare Cisco 2610 to use at one end, but need something else for the other end. I will pick up in NYC and return ASAP, probably could even do both in the same day.

Thank in advance....

Josh

_______________________________________________
% NYC*BUG talk mailing list
http://lists.nycbug.org/mailman/listinfo/talk
%Be sure to check out our Jobs and NYCBUG-announce lists
%We meet the first Wednesday of the month

From driodeiros at gmail.com Wed May 9 01:33:21 2007
From: driodeiros at gmail.com (David Rio Deiros)
Date: Wed, 9 May 2007 01:33:21 -0400
Subject: [nycbug-talk] what happened to darwinports?
In-Reply-To: <1053AC2D-8AEB-43FC-9048-3197EDB4A3F8@schmonz.com>
References: <58969.160.33.20.11.1178040868.squirrel@webmail.nomadlogic.org> <46377C5F.4010004@ceetonetechnology.com> <39656.160.33.20.11.1178041947.squirrel@webmail.nomadlogic.org> <8933.160.33.20.11.1178052246.squirrel@webmail.nomadlogic.org> <20070503224759.GA62365@r2d2.reverse.net> <1053AC2D-8AEB-43FC-9048-3197EDB4A3F8@schmonz.com>
Message-ID: <20070509053321.GA85382@r2d2.reverse.net>

On Thu, May 03, 2007 at 07:06:42PM -0400, Amitai Schlair wrote:
> You can also NFS-mount pkgsrc from somewhere else, if you have a suitable somewhere else. But the disk image approach isn't too bad. You only need enough case-sensitive disk image for pkgsrc itself; almost all packages can build and install on case-insensitive filesystems.

Apparently the instructions in bootstrap/README.Darwin put everything in the disk image. I guess you would replace these:

    $ sudo ./bootstrap \
        --prefix /Volumes/NetBSD/pkg \
        --pkgdbdir /Volumes/NetBSD/pkgdb

with something like this?:

    $ sudo ./bootstrap \
        --prefix /Users/myhome/pkgsrc/pkg \
        --pkgdbdir /Users/myhome/pkgsrc/pkgdb

Thanks,
David

P.S: What a pity you guys had such bad weather when you went to Barcelona.

From marco at metm.org Wed May 9 13:14:30 2007
From: marco at metm.org (marco)
Date: Wed, 09 May 2007 13:14:30 -0400
Subject: [nycbug-talk] DONE: freebsd.nycbug.org is down
In-Reply-To: <50408.160.33.20.11.1178657811.squirrel@webmail.nomadlogic.org>
References: <27512.160.33.20.11.1178638824.squirrel@webmail.nomadlogic.org> <50408.160.33.20.11.1178657811.squirrel@webmail.nomadlogic.org>
Message-ID: <46420176.3040306@metm.org>

Peter Wright wrote:
>> hi all - just a heads up. our freebsd mirror is currently down. hostname is freebsd.nycbug.org. if you are using this host to update your cvsup sources please use an alternative mirror for the time being. this is esp. urgent as there is a critical update to php in the ports tree that you may miss if this is your primary/only mirror.

I have tried a few mirrors. Where can I get the update to php 5.2.2? Everyone including freshports is at *5.2.1_3

When I cvsup then make deinstall ; make clean; make install my php version still raises a flag from portaudit.

Is there something wrong with my cvsup-supfile:

    *default host=freebsd.nycbug.org
    *default base=/var/db
    *default prefix=/usr
    *default release=cvs tag=.
    *default delete use-rel-suffix
    ports-base
    ports-accessibility
    ...

--
Marco
*

From pete at nomadlogic.org Wed May 9 13:24:43 2007
From: pete at nomadlogic.org (Pete Wright)
Date: Wed, 9 May 2007 13:24:43 -0400
Subject: [nycbug-talk] DONE: freebsd.nycbug.org is down
In-Reply-To: <46420176.3040306@metm.org>
References: <27512.160.33.20.11.1178638824.squirrel@webmail.nomadlogic.org> <50408.160.33.20.11.1178657811.squirrel@webmail.nomadlogic.org> <46420176.3040306@metm.org>
Message-ID: <20070509172441.GA71978@sunset.nomadlogic.org>

On Wed, May 09, 2007 at 01:14:30PM -0400, marco wrote:
> Peter Wright wrote:
> >> hi all - just a heads up. our freebsd mirror is currently down. hostname is freebsd.nycbug.org. if you are using this host to update your cvsup sources please use an alternative mirror for the time being. this is esp. urgent as there is a critical update to php in the ports tree that you may miss if this is your primary/only mirror.
> I have tried a few mirrors. Where can I get the update to php 5.2.2? Everyone including freshports is at *5.2.1_3
>
> When I cvsup then make deinstall ; make clean; make install my php still version still raises a flag from portaudit.
>
> Is there something wrong with my cvsup-supfile:
>
>     *default host=freebsd.nycbug.org
>     *default base=/var/db
>     *default prefix=/usr
>     *default release=cvs tag=.
>     *default delete use-rel-suffix
>     ports-base
>     ports-accessibility
>     ...
>

from what i can tell no patch has been released by the ports team yet for phpv5, but when they do this mirror will be ready (i was hoping it was going to be patched by now).

-p
--
~~oO00Oo~~
Peter Wright
pete at nomadlogic.org
www.nomadlogic.org/~pete
310.869.9459

From marco at metm.org Wed May 9 13:42:39 2007
From: marco at metm.org (marco)
Date: Wed, 09 May 2007 13:42:39 -0400
Subject: [nycbug-talk] DONE: freebsd.nycbug.org is down
In-Reply-To: <20070509172441.GA71978@sunset.nomadlogic.org>
References: <27512.160.33.20.11.1178638824.squirrel@webmail.nomadlogic.org> <50408.160.33.20.11.1178657811.squirrel@webmail.nomadlogic.org> <46420176.3040306@metm.org> <20070509172441.GA71978@sunset.nomadlogic.org>
Message-ID: <4642080F.5060909@metm.org>

Pete Wright wrote:
> On Wed, May 09, 2007 at 01:14:30PM -0400, marco wrote:
>> Peter Wright wrote:
>>>> hi all - just a heads up. our freebsd mirror is currently down. hostname is freebsd.nycbug.org. if you are using this host to update your cvsup sources please use an alternative mirror for the time being. this is esp. urgent as there is a critical update to php in the ports tree that you may miss if this is your primary/only mirror.
>> I have tried a few mirrors. Where can I get the update to php 5.2.2? Everyone including freshports is at *5.2.1_3
>>
>> When I cvsup then make deinstall ; make clean; make install my php still version still raises a flag from portaudit ...
>
> from what i can tell no patch has been released by the ports team yet for phpv5, but when they do this mirror will be ready (i was hoping it was going to be patched by now).
>
> -p
>

OK. Thanks. I thought I was missing something and you had some insider knowledge about updates to the ports tree...

--
Marco

From lists at stringsutils.com Wed May 9 19:18:31 2007
From: lists at stringsutils.com (Francisco Reyes)
Date: Wed, 09 May 2007 19:18:31 -0400
Subject: [nycbug-talk] Fully managed datacenter for Freebsd servers
Message-ID:

Anyone can recommend a fully managed datacenter? Specifically one that supports Freebsd.

We basically want to select a hardware package from the data center; they get the machine, install FreeBSD and we will just connect through a KVM and do anything/everything we need.

Remote power cycling would be a great added feature too.

From schmonz at schmonz.com Wed May 9 19:31:38 2007
From: schmonz at schmonz.com (Amitai Schlair)
Date: Wed, 9 May 2007 19:31:38 -0400
Subject: [nycbug-talk] what happened to darwinports?
In-Reply-To: <20070509053321.GA85382@r2d2.reverse.net>
References: <58969.160.33.20.11.1178040868.squirrel@webmail.nomadlogic.org> <46377C5F.4010004@ceetonetechnology.com> <39656.160.33.20.11.1178041947.squirrel@webmail.nomadlogic.org> <8933.160.33.20.11.1178052246.squirrel@webmail.nomadlogic.org> <20070503224759.GA62365@r2d2.reverse.net> <1053AC2D-8AEB-43FC-9048-3197EDB4A3F8@schmonz.com> <20070509053321.GA85382@r2d2.reverse.net>
Message-ID: <68D543AF-216B-46F9-AA2B-16CEB038448C@schmonz.com>

On May 9, 2007, at 1:33 AM, David Rio Deiros wrote:

> On Thu, May 03, 2007 at 07:06:42PM -0400, Amitai Schlair wrote:
>> You can also NFS-mount pkgsrc from somewhere else, if you have a suitable somewhere else. But the disk image approach isn't too bad. You only need enough case-sensitive disk image for pkgsrc itself; almost all packages can build and install on case-insensitive filesystems.
>
> Apparently the instructions in bootstrap/README.Darwin put everything in the disk image.

At the time the instructions were written, it was worth being that conservative. They should probably be updated.

> I guess you would replace these:
>
>     $ sudo ./bootstrap \
>         --prefix /Volumes/NetBSD/pkg \
>         --pkgdbdir /Volumes/NetBSD/pkgdb
>
> with something like this?:
>
>     $ sudo ./bootstrap \
>         --prefix /Users/myhome/pkgsrc/pkg \
>         --pkgdbdir /Users/myhome/pkgsrc/pkgdb

Sure, if that's where you want stuff to go. I use:

    $ sudo ./bootstrap \
        --prefix /usr/pkg \
        --pkgdbdir /usr/pkg/.pkgdb

[...]

From huyslogic at gmail.com Wed May 9 21:13:21 2007
From: huyslogic at gmail.com (Huy Ton That)
Date: Wed, 9 May 2007 21:13:21 -0400
Subject: [nycbug-talk] Fully managed datacenter for Freebsd servers
In-Reply-To:
References:
Message-ID: <1cac28080705091813t7dd6a636gd23a74132bd99024@mail.gmail.com>

Try New York Internet

http://www.nyi.net/

On 5/9/07, Francisco Reyes wrote:
>
> Anyone can recommend a fully managed datacenter? Specifically one that supports Freebsd.
>
> We basically want to select a hardware package from the data center; they get the machine, install FreeBSD and we will just connect through a KVM and do anything/everything we need.
>
> Remote power cycling would be a great added feature too.

From dave at donnerjack.com Wed May 9 21:36:23 2007
From: dave at donnerjack.com (David Lawson)
Date: Wed, 9 May 2007 21:36:23 -0400
Subject: [nycbug-talk] Fully managed datacenter for Freebsd servers
In-Reply-To: <1cac28080705091813t7dd6a636gd23a74132bd99024@mail.gmail.com>
References: <1cac28080705091813t7dd6a636gd23a74132bd99024@mail.gmail.com>
Message-ID: <5912E647-EE38-4CCF-8856-8BE5F12BE300@donnerjack.com>

Rackspace. When I worked there they offered a bunch of FreeBSD installation options and it was a fully supported OS under their SLA. I don't know if that's still the case, but it's likely, if not, they'll always do a custom install for you, but the support SLA won't be quite as good as with a "supported" OS.

Two things you'd like are unlikely to be possible. They do have TCP/IP KVMs, but they're for internal support staff to get to remote machines, and last I heard, they didn't do remote power cycling, but they will, almost guaranteed, bounce a box or fix whatever's wrong with it before you even know it's broken, unless you were working on something and broke it. In which case, you'd probably figure it out first.

Like I said, they're my former employer and I really can't speak highly enough of them and the people they have, at least, as of two years ago when I left.

--Dave

On May 9, 2007, at 9:13 PM, Huy Ton That wrote:

> Try New York Internet
>
> http://www.nyi.net/
>
> On 5/9/07, Francisco Reyes < lists at stringsutils.com> wrote:
> Anyone can recommend a fully managed datacenter? Specifically one that supports Freebsd.
>
> We basically want to select a hardware package from the data center; they get the machine, install FreeBSD and we will just connect through a KVM and do anything/everything we need.
>
> Remote power cycling would be a great added feature too.

From alex at pilosoft.com Wed May 9 22:41:46 2007
From: alex at pilosoft.com (alex at pilosoft.com)
Date: Wed, 9 May 2007 22:41:46 -0400 (EDT)
Subject: [nycbug-talk] Fully managed datacenter for Freebsd servers
In-Reply-To:
Message-ID:

On Wed, 9 May 2007, Francisco Reyes wrote:

> Anyone can recommend a fully managed datacenter? Specifically one that supports Freebsd.
>
> We basically want to select a hardware package from the data center; they get the machine, install FreeBSD and we will just connect through a KVM and do anything/everything we need.
>
> Remote power cycling would be a great added feature too.

You have the terminology wrong. The above is not fully managed. The above is self-managed.

Fully managed means you don't have to administer the server yourself (such as package upgrades, security monitoring, etc, etc).

We do both. Prices for self-managed are at www.pilosoft.com/dhostoptions.html

Prices for full management depend on the software that we have to manage (i.e. sendmail/mysql/whatever it is that you are running).

From lists at stringsutils.com Wed May 9 23:04:43 2007
From: lists at stringsutils.com (Francisco Reyes) Date: Wed, 09 May 2007 23:04:43 -0400 Subject: [nycbug-talk] Fully managed datacenter for Freebsd servers References: <1cac28080705091813t7dd6a636gd23a74132bd99024@mail.gmail.com> Message-ID: Huy Ton That writes: > Try New York Internet > http://www.nyi.net/ Thanks. will give them a call. Their web prices are kind of high. Perhaps we can get a better deal based on number of servers. From matt at jobsforge.com Thu May 10 09:23:58 2007 
From: matt at jobsforge.com (Matthew Terenzio) Date: Thu, 10 May 2007 09:23:58 -0400 Subject: [nycbug-talk] Fully managed datacenter for Freebsd servers In-Reply-To: References: Message-ID: There are cheap self-managed freebsd machines at http://serverpronto.com. Service has been good for me. They do one reboot a month for free. Of course you can always reboot yourself. (not sure if that is different from power cycling?) On May 9, 2007, at 10:41 PM, alex at pilosoft.com wrote: > On Wed, 9 May 2007, Francisco Reyes wrote: > >> Anyone can recommend a fully managed datacenter? >> Specifically one that supports Freebsd. >> >> We basically want to select a hardware package from the data center; >> they >> get the machine, install FreeBSD and we will just connect through a >> KVM and >> do anything/everything we need. >> >> Remote power cycling would be a great added feature too. > You have the terminology wrong. The above is not fully managed. The > above > is self-managed. > > Fully managed means you don't have to administer the server yourself > (such > as package upgrades, security monitoring, etc, etc). > > We do both. Prices for self-managed are at > www.pilosoft.com/dhostoptions.html > > Prices for full management depend on the software that we have to > manage > (i.e. sendmail/mysql/whatever it is that you are running). > From pete at nomadlogic.org Thu May 10 11:28:10 2007 
From: pete at nomadlogic.org (Peter Wright) Date: Thu, 10 May 2007 08:28:10 -0700 (PDT) Subject: [nycbug-talk] Fully managed datacenter for Freebsd servers In-Reply-To: References: Message-ID: <41306.160.33.20.11.1178810890.squirrel@webmail.nomadlogic.org> > Anyone can recommend a fully managed datacenter? > Specifically one that supports Freebsd. > > We basically want to select a hardware package from the data center; they > get the machine, install FreeBSD and we will just connect through a KVM > and > do anything/everything we need. > > Remote power cycling would be a great added feature too. Can't say enough good things about NYI (www.nyi.net) especially since they host our NycBUG servers (and my personal servers) :) they should offer both things you mention, the fully managed host as well as self managed hosts (along with colo.). -pete -- ~~oO00Oo~~ Peter Wright pete at nomadlogic.org www.nomadlogic.org/~pete 310.869.9459 From pete at nomadlogic.org Thu May 10 11:41:14 2007 
From: pete at nomadlogic.org (Peter Wright) Date: Thu, 10 May 2007 08:41:14 -0700 (PDT) Subject: [nycbug-talk] DONE: freebsd.nycbug.org is down In-Reply-To: <4642080F.5060909@metm.org> References: <27512.160.33.20.11.1178638824.squirrel@webmail.nomadlogic.org> <50408.160.33.20.11.1178657811.squirrel@webmail.nomadlogic.org> <46420176.3040306@metm.org> <20070509172441.GA71978@sunset.nomadlogic.org> <4642080F.5060909@metm.org> Message-ID: <52313.160.33.20.11.1178811674.squirrel@webmail.nomadlogic.org> > Pete Wright wrote: > > On Wed, May 09, 2007 at 01:14:30PM -0400, marco wrote: > >> Peter Wright wrote: > >>>> hi all - just a heads up. our freebsd mirror is currently down. > hostname > >>>> is freebsd.nycbug.org. if you are using this host to update your > cvsup > >>>> sources please use an alternative mirror for the time being. this > is esp. > >>>> urgent as there is a critical update to php in the ports tree that > you may > >>>> miss if this is your primary/only mirror. > >> I have tried a few mirrors. Where can I get the update to php 5.2.2? > >> Everyone including freshports is at *5.2.1_3 > >> > >> When I cvsup then make deinstall ; make clean; make install my php > still > >> version still raises a flag from portaudit ... > > > > from what i can tell no patch has been released by the ports team yet > > for phpv5, but when they do this mirror will be ready (i was hoping it > > was going to be patched by now). > > > > -p > > > OK. Thanks. I thought I was missing something and you had some insider > knowledge about updates to the ports tree... > heh - i wish i did then i could sell it to some large sites running PHP and make some money :) FWIW here's the link to the PR: http://www.freebsd.org/cgi/query-pr.cgi?pr=ports/112527 -p -- ~~oO00Oo~~ Peter Wright pete at nomadlogic.org www.nomadlogic.org/~pete 310.869.9459 From lists at stringsutils.com Thu May 10 19:29:58 2007 
From: lists at stringsutils.com (Francisco Reyes) Date: Thu, 10 May 2007 19:29:58 -0400 Subject: [nycbug-talk] Fully managed datacenter for Freebsd servers References: <1cac28080705091813t7dd6a636gd23a74132bd99024@mail.gmail.com> <5912E647-EE38-4CCF-8856-8BE5F12BE300@donnerjack.com> Message-ID: David Lawson writes: > Rackspace. Thanks for the reference. I think they are one of the companies we called for pricing. From lists at stringsutils.com Thu May 10 19:42:41 2007 From: lists at stringsutils.com (Francisco Reyes) Date: Thu, 10 May 2007 19:42:41 -0400 Subject: [nycbug-talk] Fully managed datacenter for Freebsd servers References: Message-ID: Matthew Terenzio writes: > reboot a month for free. Of course you can always reboot yourself. (not > sure if that is different from power cycling? What I meant by power cycle is the ability to connect to the power strip itself and shutdown power to the machine. From nycbug-list at 2xlp.com Sat May 12 20:57:15 2007 
From: nycbug-list at 2xlp.com (Jonathan Vanasco) Date: Sat, 12 May 2007 20:57:15 -0400 Subject: [nycbug-talk] Fully managed datacenter for Freebsd servers In-Reply-To: References: Message-ID: <2937B3CB-823B-4F12-9C96-27C9139B694F@2xlp.com> On May 10, 2007, at 9:23 AM, Matthew Terenzio wrote: > There are cheap self-managed freebsd machines at > http://serverpronto.com. Service has been good for me. They do one > reboot a month for free. Of course you can always reboot yourself. > (not > sure if that is different from power cycling?) I split a box w/someone off serverpronto a few years ago -- I had to quit. Their prices are good, and if you're doing web-only, it's great... but they're in bad ip space. real bad ip space. so if you need to send any email, you're completely screwed. most blacklists have their whole network blocked, and have no desire to change anything. every major isp blocked the datacenter I was in, as did most OSS systems. I couldn't send any bounceback emails for website registration and I couldn't do any smtp mailings for personal use. personally, I would NEVER use a managed system. self-managed + powercycle should be all you need. do you really want to give someone else root on your machines? From tomrue at gmail.com Mon May 14 07:03:44 2007 
From: tomrue at gmail.com (Tom Rue) Date: Mon, 14 May 2007 07:03:44 -0400 Subject: [nycbug-talk] lost root! Message-ID: <89a521e10705140403v21a6812fx68a3c4a89790ac9f@mail.gmail.com> Good morning. I've been running a web server on FreeBSD 6.1 for about a year and a half; not professionally, pretty much self-taught, partly by trial and error. Now for an error. A week or two ago, in the course of creating another user account, I evidently changed my root pw (which I discovered yesterday morning), to something which is unknown to me. Not a good thing. Aside from spending the day on Mother's Day celebrations, I spent yesterday evening attempting to reset it by directions in these links, without success. Somehow, which I don't quite understand, I did manage to get Apache and MySql started, despite still not being able to log in as root. (I did make sure to change the permissions on /etc and /etc/master.passwd back to 755 and 600, though I realize I may have to open them up again to make the change.) The problem I've been having has been getting FreeBSD to behave as the texts linked below suggest that it should when booting into Single User mode. In fact, it doesn't appear to be booting into Single User mode, which may be the problem. Is there a way to confirm this, or around it? Any other suggestions on how I can get back in as root? These are the two most relevant pages that I found. If anyone could help me figure out what I'm missing or doing wrong, I'd appreciate it. http://groups.google.com/group/mailing.freebsd.hackers/browse_frm/thread/7bd61cd70f1f23d6/061b7b1ccbd8cf56?lnk=st&q=%22freebsd+6.1%22+forgot+root+password&rnum=9#061b7b1ccbd8cf56 http://www.cyberciti.biz/tips/howto-freebsd-reset-recover-root-password.html Many thanks. Tom Rue Monticello, NY -- /} @#####{ ]::::::::::::::::::::::::::::::::::::::::::::::::> \} http://tomrue.net http://vitruvian.tomrue.net 
From compustretch at gmail.com Mon May 14 13:24:47 2007 From: compustretch at gmail.com (forest mars) Date: Mon, 14 May 2007 13:24:47 -0400 Subject: [nycbug-talk] lost root! In-Reply-To: <89a521e10705140403v21a6812fx68a3c4a89790ac9f@mail.gmail.com> References: <89a521e10705140403v21a6812fx68a3c4a89790ac9f@mail.gmail.com> Message-ID: On 5/14/07, Tom Rue > wrote: In fact, it doesn't appear to be booting into Single User mode, which may be > the problem. Is there a way to confirm this, or around it? Did it ask you for the shell path? If so and the path is correct you're going to be in single user, so if subsequent commands don't work as intended, the error would lie someplace else. Also, are all your filesystems mounted or not? Moreover can you start a virtual terminal? I'd bet the answers are no and no, which would mean you are in single user. > Any other suggestions on how I can get back in as root? If you really are not dropping into single user, it might be worth checking your permissions on /etc/ttys and /etc/rc.conf just to see if you might have another way in. hth, Forest NYNY From lavalamp at spiritual-machines.org Mon May 14 13:52:54 2007 
From: lavalamp at spiritual-machines.org (Brian A. Seklecki) Date: Mon, 14 May 2007 13:52:54 -0400 (EDT) Subject: [nycbug-talk] lost root! In-Reply-To: References: <89a521e10705140403v21a6812fx68a3c4a89790ac9f@mail.gmail.com> Message-ID: <20070514135227.G49745@arbitor.digitalfreaks.org> It's easy to accidentally nuke the root account using (IMHO) the rather unintuitive pw(8). ~BAS On Mon, 14 May 2007, forest mars wrote: > On 5/14/07, Tom Rue > wrote: > > In fact, it doesn't appear to be booting into Single User mode, which may be >> the problem. Is there a way to confirm this, or around it? > > > Did it ask you for the shell path? If so and the path is correct you're > going to be in single user, > so if subsequent commands don't work as intended, the error would lie > someplace else. > > Also, are all your filesystems mounted or not? Moreover can you start a > virtual terminal? > I'd bet the answers are no and no, which would mean you are in single user. > > >> Any other suggestions on how I can get back in as root? > > > If you really are not dropping into single user, it might be worth checking > your permissions on /etc/ttys and /etc/rc.conf just to see if you might have > another way in. > > hth, > > Forest > NYNY > l8* -lava (Brian A. Seklecki - Pittsburgh, PA, USA) http://www.spiritual-machines.org/ "Guilty? Yeah. But he knows it. I mean, you're guilty. You just don't know it. So who's really in jail?" ~James Maynard Keenan From lists at stringsutils.com Mon May 14 16:32:26 2007 
From: lists at stringsutils.com (Francisco Reyes) Date: Mon, 14 May 2007 16:32:26 -0400 Subject: [nycbug-talk] Fully managed datacenter for Freebsd servers References: <2937B3CB-823B-4F12-9C96-27C9139B694F@2xlp.com> Message-ID: Jonathan Vanasco writes: > I split a box w/someone off serverpronto a few years ago -- i had to > quit. ...... > but they're in bad ip space. real bad ip space. so if you need to > send any email , you're completely screwed. Thanks for the heads up. that would be a problem for us. > personally, I would NEVER use a managed system. self-managed + > powercycle should be all you need. After comparing prices that is likely what we will go for. > do you really want to give someone else root on your machines ? Given that they have physical access to the machines, if they wanted to do something bad they can do it pretty easily anyways. From driodeiros at gmail.com Tue May 15 13:24:33 2007 
From: driodeiros at gmail.com (David Rio Deiros) Date: Tue, 15 May 2007 13:24:33 -0400 Subject: [nycbug-talk] what happened to darwinports? In-Reply-To: <68D543AF-216B-46F9-AA2B-16CEB038448C@schmonz.com> References: <58969.160.33.20.11.1178040868.squirrel@webmail.nomadlogic.org> <46377C5F.4010004@ceetonetechnology.com> <39656.160.33.20.11.1178041947.squirrel@webmail.nomadlogic.org> <8933.160.33.20.11.1178052246.squirrel@webmail.nomadlogic.org> <20070503224759.GA62365@r2d2.reverse.net> <1053AC2D-8AEB-43FC-9048-3197EDB4A3F8@schmonz.com> <20070509053321.GA85382@r2d2.reverse.net> <68D543AF-216B-46F9-AA2B-16CEB038448C@schmonz.com> Message-ID: <20070515172433.GA14825@r2d2.reverse.net> On Wed, May 09, 2007 at 07:31:38PM -0400, Amitai Schlair wrote: > On May 9, 2007, at 1:33 AM, David Rio Deiros wrote: > > > On Thu, May 03, 2007 at 07:06:42PM -0400, Amitai Schlair wrote: > >> You can also NFS-mount pkgsrc from somewhere else, if you have a > >> suitable somewhere else. But the disk image approach isn't too bad. > >> You only need enough case-sensitive disk image for pkgsrc itself; > >> almost all packages can build and install on case-insensitive > >> filesystems. > > > > Apparently the instructions in bootstrap/README.Darwin put everything > > in the disk image. > > At the time the instructions were written, it was worth being that > conservative. They should probably be updated. > > > I guess you would replace these: > > > > $ sudo ./bootstrap \ > > --prefix /Volumes/NetBSD/pkg \ > > --pkgdbdir /Volumes/NetBSD/pkgdb > > > > with something like this?: > > > > $ sudo ./bootstrap \ > > --prefix /Users/myhome/pkgsrc/pkg \ > > --pkgdbdir /Users/myhome/pkgsrc/pkgdb > > Sure, if that's where you want stuff to go. I use: > > $ sudo ./bootstrap \ > --prefix /usr/pkg \ > --pkgdbdir /usr/pkg/.pkgdb > [...] How do you skip this?: drio at simba:/Volumes/NetBSD/pkgsrc/bootstrap $ sudo ./bootstrap \ > --prefix /usr/pkg \ > --pkgdbdir /usr/pkg/.pkgdb ... ... 
===> running: /bin/sh /Volumes/NetBSD/pkgsrc/bootstrap/work/install-sh -d -o root -g wheel /usr/pkg/pkgsrc-REQUIRES-case-SENSITIVE-filesystem "/usr/pkg" needs to be on a case-sensitive filesystem (see README.Darwin) From schmonz at schmonz.com Wed May 16 15:57:48 2007 From: schmonz at schmonz.com (Amitai Schlair) Date: Wed, 16 May 2007 15:57:48 -0400 Subject: [nycbug-talk] what happened to darwinports? In-Reply-To: <20070515172433.GA14825@r2d2.reverse.net> References: <58969.160.33.20.11.1178040868.squirrel@webmail.nomadlogic.org> <46377C5F.4010004@ceetonetechnology.com> <39656.160.33.20.11.1178041947.squirrel@webmail.nomadlogic.org> <8933.160.33.20.11.1178052246.squirrel@webmail.nomadlogic.org> <20070503224759.GA62365@r2d2.reverse.net> <1053AC2D-8AEB-43FC-9048-3197EDB4A3F8@schmonz.com> <20070509053321.GA85382@r2d2.reverse.net> <68D543AF-216B-46F9-AA2B-16CEB038448C@schmonz.com> <20070515172433.GA14825@r2d2.reverse.net> Message-ID: <3F3B1A9A-023D-4020-BF3F-8B93A87661C1@schmonz.com> On May 15, 2007, at 1:24 PM, David Rio Deiros wrote: > How do you skip this?: > > drio at simba:/Volumes/NetBSD/pkgsrc/bootstrap $ sudo ./bootstrap \ >> --prefix /usr/pkg \ >> --pkgdbdir /usr/pkg/.pkgdb > ... > ... > ===> running: /bin/sh /Volumes/NetBSD/pkgsrc/bootstrap/work/install-sh > -d -o root -g wheel /usr/pkg/pkgsrc-REQUIRES-case-SENSITIVE-filesystem > "/usr/pkg" needs to be on a case-sensitive filesystem (see > README.Darwin) Pass "--ignore-case-check" to the bootstrap script. From skreuzer at f2o.org Thu May 17 11:47:33 2007 
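The check that bootstrap trips over above, as an added shell example that is not the pkgsrc bootstrap script's own code: it probes whether a prefix directory sits on a case-sensitive filesystem by creating a mixed-case marker (named after the one in the log) and looking for it under its lowercase alias, and it treats `--ignore-case-check` as "skip the refusal", which is what Amitai's reply implies; the function names are my own.

```shell
#!/bin/sh
# Returns 0 if DIR is on a case-sensitive filesystem, 1 if it is not
# (e.g. default HFS+ on Mac OS X), 2 if we cannot tell.  Assumed mechanism,
# modelled on the marker file bootstrap creates; not pkgsrc's own code.
case_sensitive_dir() {
    dir="$1"
    [ -d "$dir" ] || return 2
    probe="$dir/pkgsrc-REQUIRES-case-SENSITIVE-filesystem.$$"
    lower="$dir/pkgsrc-requires-case-sensitive-filesystem.$$"
    # Never clobber a file that already exists under either spelling.
    if [ -e "$probe" ] || [ -e "$lower" ]; then
        return 2
    fi
    : > "$probe" || return 2
    if [ -e "$lower" ]; then
        # The lowercase alias resolved to the file we just made:
        # the filesystem folds case.
        rm -f "$probe"
        return 1
    fi
    rm -f "$probe"
    return 0
}

# Decide whether PREFIX is acceptable for a pkgsrc bootstrap.  Any extra
# argument equal to --ignore-case-check suppresses the refusal (the option
# Amitai names; its handling here is assumed).  Prints a one-word verdict
# and returns 0 when bootstrap may proceed.
pkgsrc_prefix_check() {
    prefix="$1"; shift
    ignore=no
    for arg in "$@"; do
        case "$arg" in
            --ignore-case-check) ignore=yes ;;
        esac
    done
    case_sensitive_dir "$prefix"
    rc=$?
    case "$rc" in
        0) echo "case-sensitive"; return 0 ;;
        1) if [ "$ignore" = yes ]; then
               echo "case-insensitive-ignored"; return 0
           fi
           echo "case-insensitive"; return 1 ;;
        *) echo "unknown"; return 1 ;;
    esac
}

# Usage: sh this-script.sh /usr/pkg [--ignore-case-check]
if [ $# -gt 0 ]; then
    pkgsrc_prefix_check "$@"
fi
```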
From: skreuzer at f2o.org (Steven Kreuzer) Date: Thu, 17 May 2007 08:47:33 -0700 Subject: [nycbug-talk] OpenBSD sdiff port to FreeBSD Message-ID: <20070517154732.GA2318@clamps.exit2shell.com> Greetings- OpenBSD includes a version of sdiff written by our very own Ray Lai, and released to the public domain. In a quest to remove as much GPL code from FreeBSD as possible, I ported it over. If you want to try it out, you can download the source at http://www.exit2shell.com/~skreuzer/code/sdiff.tar.gz To install: $ su - # cd /usr/src # patch -p0 < /path/to/sdiff-cvs-merge.patch # sh /path/to/sdiff.shar # make buildworld && make installworld Let me know if you encounter any problems. I would like to see if I can get the GNU version of sdiff removed and replaced with this in FreeBSD. It might be somewhat of an uphill battle, but it is worth a shot. -- Steven Kreuzer http://www.exit2shell.com/~skreuzer From skreuzer at f2o.org Thu May 17 12:27:45 2007 From: skreuzer at f2o.org (Steven Kreuzer) Date: Thu, 17 May 2007 09:27:45 -0700 Subject: [nycbug-talk] OpenBSD sdiff port to FreeBSD In-Reply-To: <20070517154732.GA2318@clamps.exit2shell.com> References: <20070517154732.GA2318@clamps.exit2shell.com> Message-ID: <20070517162745.GB2318@clamps.exit2shell.com> On Thu, May 17, 2007 at 08:47:33AM -0700, Steven Kreuzer wrote: > If you want to try it out, you can download the source at > http://www.exit2shell.com/~skreuzer/code/sdiff.tar.gz > > To install: > $ su - > # cd /usr/src > # patch -p0 < /path/to/sdiff-cvs-merge.patch > # sh /path/to/sdiff.shar > # make buildworld && make installworld ugh, got my wires crossed. If you don't want to sit through an entire buildworld, just cd into /usr/src/usr.bin/sdiff and as root do `make && make install` -- Steven Kreuzer http://www.exit2shell.com/~skreuzer From bonsaime at gmail.com Thu May 17 14:51:38 2007 
From: bonsaime at gmail.com (Jesse Callaway) Date: Thu, 17 May 2007 14:51:38 -0400 Subject: [nycbug-talk] Data Center Moving Companies? In-Reply-To: <20070508120649.GA12823@rivels.org> References: <20070508120649.GA12823@rivels.org> Message-ID: On 5/8/07, Josh Rivel wrote: > Just wondering if anyone can recommend a moving company for > moving one of our data centers from lower Manhattan to Jersey City. > It's not a ton of stuff, about 2 racks worth, mostly just some > Dell 1u and 2u servers and some network gear. We don't have > to move racks or anything. > > Thanks, > Josh I don't know if you found anyone, but check these guys out... morgenindustries.com -jesse From driodeiros at gmail.com Thu May 17 20:14:59 2007 
From: driodeiros at gmail.com (David Rio Deiros) Date: Thu, 17 May 2007 20:14:59 -0400 Subject: [nycbug-talk] what happened to darwinports? In-Reply-To: <3F3B1A9A-023D-4020-BF3F-8B93A87661C1@schmonz.com> References: <46377C5F.4010004@ceetonetechnology.com> <39656.160.33.20.11.1178041947.squirrel@webmail.nomadlogic.org> <8933.160.33.20.11.1178052246.squirrel@webmail.nomadlogic.org> <20070503224759.GA62365@r2d2.reverse.net> <1053AC2D-8AEB-43FC-9048-3197EDB4A3F8@schmonz.com> <20070509053321.GA85382@r2d2.reverse.net> <68D543AF-216B-46F9-AA2B-16CEB038448C@schmonz.com> <20070515172433.GA14825@r2d2.reverse.net> <3F3B1A9A-023D-4020-BF3F-8B93A87661C1@schmonz.com> Message-ID: <20070518001459.GA93011@r2d2.reverse.net> On Wed, May 16, 2007 at 03:57:48PM -0400, Amitai Schlair wrote: > On May 15, 2007, at 1:24 PM, David Rio Deiros wrote: > > > How do you skip this?: > > > > drio at simba:/Volumes/NetBSD/pkgsrc/bootstrap $ sudo ./bootstrap \ > >> --prefix /usr/pkg \ > >> --pkgdbdir /usr/pkg/.pkgdb > > ... > > ... > > ===> running: /bin/sh /Volumes/NetBSD/pkgsrc/bootstrap/work/install-sh > > -d -o root -g wheel /usr/pkg/pkgsrc-REQUIRES-case-SENSITIVE-filesystem > > "/usr/pkg" needs to be on a case-sensitive filesystem (see > > README.Darwin) > > Pass "--ignore-case-check" to the bootstrap script. Sweet! I have one more question though: I have been reading the pkgsrc guide but I cannot find a proper way to upgrade your packages once you update the pkgsrc tree. How do you keep your installation packages up2date? Is there some tool like portupgrade? From tbackman at childrensaidsociety.org Fri May 18 12:32:23 2007 
From: tbackman at childrensaidsociety.org (Thomas Backman) Date: Fri, 18 May 2007 12:32:23 -0400 Subject: [nycbug-talk] Photos from BSDCan 2007 Message-ID: <1179505943.10089.7.camel@tbtest2> Here's a link to some photos by Will Backman (of BSDTalk fame) of BSDCan 2007. He apologizes for the poor quality, but here they are: http://www.flickr.com/photos/bitgeist/ -- ---------------------------------------------------------------------- Thomas Backman Software Developer/Analyst The Children's Aid Society Department of Information Technology tbackman at childrensaidsociety.org "Help! I'm a bug." -- Calvin From alex at pilosoft.com Fri May 18 12:51:15 2007 From: alex at pilosoft.com (alex at pilosoft.com) Date: Fri, 18 May 2007 12:51:15 -0400 (EDT) Subject: [nycbug-talk] Photos from BSDCan 2007 In-Reply-To: <1179505943.10089.7.camel@tbtest2> Message-ID: On Fri, 18 May 2007, Thomas Backman wrote: > Here's a link to some photos by Will Backman (of BSDTalk fame) of BSDCan > 2007. He apologizes for the poor quality, but here they are: > http://www.flickr.com/photos/bitgeist/ where sektie be on those pics?! -alex From dan at langille.org Fri May 18 15:27:25 2007 From: dan at langille.org (Dan Langille) Date: Fri, 18 May 2007 15:27:25 -0400 Subject: [nycbug-talk] Photos from BSDCan 2007 In-Reply-To: References: <1179505943.10089.7.camel@tbtest2>, Message-ID: <464DC5DD.26318.D62B7FD@dan.langille.org> On 18 May 2007 at 12:51, alex at pilosoft.com wrote: > On Fri, 18 May 2007, Thomas Backman wrote: > > > Here's a link to some photos by Will Backman (of BSDTalk fame) of BSDCan > > 2007. He apologizes for the poor quality, but here they are: > > http://www.flickr.com/photos/bitgeist/ > where sektie be on those pics?! AFAIK, she not be. -- Dan Langille two conferences, one trip, great value: May 2007 BSDCan - The BSD Conference - http://www.bsdcan.org/ PGCon - The PostgreSQL Conference - http://www.pgcon.org/ From nycbug-list at 2xlp.com Fri May 18 15:41:06 2007 
From: nycbug-list at 2xlp.com (Jonathan Vanasco) Date: Fri, 18 May 2007 15:41:06 -0400 Subject: [nycbug-talk] soekris style boxes for memcached ? Message-ID: I need to scale up on my memcached size soon. Has anyone here seen or heard of soekris style boxes for memcached? Looking at the options , everything I've seen has been a_ people throw an extra 4gb of ram onto an existing machine, run memcached on that b_ people buy a new low-end box and max it out with ram as a dedicated box well, my boxes are maxed with ram, and while a low-end box makes sense on many levels -- this seems like something so trivial that a soekris style box could do cheaper, in less space, and with less energy / heat just wondering if anyone has heard of anything that could work. From stucchi at willystudios.com Fri May 18 17:11:25 2007 
From: stucchi at willystudios.com (Massimiliano Stucchi) Date: Fri, 18 May 2007 23:11:25 +0200 Subject: [nycbug-talk] soekris style boxes for memcached ? In-Reply-To: References: Message-ID: <20070518211125.GE4257@willystudios.com> On 180507, 15:41, Jonathan Vanasco wrote: > > just wondering if anyone has heard of anything that could work. Soekris boxes are out of production nowadays, since the processor powering them is out of production from AMD. AMD moved the production to the Geode LX-700, 800 and 900. there are some prototypes out there of boards based on them. I have one with me here at BSDCan, and I'll be in New York sunday night and all monday (my plane leaves at 8pm from JFK). If you want to take a look at the board, I'm available. Just FYI, it has: - A 500mhz AMD geode lx-800 processor - 256mb of ram - Video - Audio - 1x Ethernet - 1x MiniPCI slot - 1x PCI slot - 1x 44 pin IDE bus - Serial - Combined PS2 - 4xUSB - CF Card slot FreeBSD works perfectly on this board, as well as mikrotik and pfSense. Ciao -- Massimiliano Stucchi, CTO & Director of Operations WillyStudios.com - IT Consulting, Web and VoIP Services stucchi at willystudios.com | Tel (+39) 0244417203 | Fax (+39) 0244417204 IT-20040, Carnate (Milano), via Carducci 9 From carton at Ivy.NET Fri May 18 17:22:30 2007 
From: carton at Ivy.NET (Miles Nordin) Date: Fri, 18 May 2007 17:22:30 -0400 Subject: [nycbug-talk] soekris style boxes for memcached ? In-Reply-To: <20070518211125.GE4257@willystudios.com> (Massimiliano Stucchi's message of "Fri, 18 May 2007 23:11:25 +0200") References: <20070518211125.GE4257@willystudios.com> Message-ID: >>>>> "ms" == Massimiliano Stucchi writes: ms> Soekris boxes are out of production nowadays, since the ms> processor powering them is out of production from AMD. wow, I didn't know that. Anyway, you can probably still get these: http://www.logicsupply.com/product_info.php/cPath/78_93/products_id/544 it is still i386, and doesn't require you to provide your own FTL or FLASH-friendly filesystem, so I think it's ok for BSD. Felix, the OpenWRT guy, was excited about these (well, about eight months ago he was): http://www.magicbox.pl/ but it's not going to work with BSD. From lavalamp at spiritual-machines.org Fri May 18 17:23:55 2007 
From: lavalamp at spiritual-machines.org (Brian A. Seklecki) Date: Fri, 18 May 2007 17:23:55 -0400 (EDT) Subject: [nycbug-talk] soekris style boxes for memcached ? In-Reply-To: <20070518211125.GE4257@willystudios.com> References: <20070518211125.GE4257@willystudios.com> Message-ID: <20070518172149.C49745@arbitor.digitalfreaks.org> I'm not sure about the memcached, but if gig ethernet is the transport bus, how about an axiomtek NA-401 with 4Gigs of DDR and a PCI-X Gig nic? They're high density and high power. The bsd-appliance project would be a perfect platform http://www.axiomtek.com/products/ViewProduct.asp?view=184 ~~BAS On Fri, 18 May 2007, Massimiliano Stucchi wrote: > On 180507, 15:41, Jonathan Vanasco wrote: >> >> just wondering if anyone has heard of anything that could work. > > Soekris boxes are out of production nowadays, since the processor > powering them is out of production from AMD. > > AMD moved the production to the Geode LX-700, 800 and 900. there are > some prototypes out there of boards based on them. I have one with me > here at BSDCan, and I'll be in new york sunday night and all monday (my > plane leaves at 8pm from JFK. If you want to take a look at the board, > I'm available. > > Just FYI, it has: > > - A 500mhz AMD geode lx-800 processor > - 256mb of ram > - Video > - Audio > - 1x Ethernet > - 1x MiniPCI slot > - 1x PCI slot > - 1x 44 pin IDE bus > - Serial > - Combined PS2 > - 4xUSB > - CF Card slot > > FreeBSD works perfectly on this board, as well as mikrotik and pfSense. 
> > Ciao > > -- > > Massimiliano Stucchi, CTO & Director of Operations > WillyStudios.com - IT Consulting, Web and VoIP Services > stucchi at willystudios.com | Tel (+39) 0244417203 | Fax (+39) 0244417204 > IT-20040, Carnate (Milano), via Carducci 9 > l8* -lava (Brian A. Seklecki - Pittsburgh, PA, USA) http://www.spiritual-machines.org/ "Guilty? Yeah. But he knows it. I mean, you're guilty. You just don't know it. So who's really in jail?" ~James Maynard Keenan From pete at nomadlogic.org Fri May 18 17:27:24 2007 
From: pete at nomadlogic.org (Peter Wright) Date: Fri, 18 May 2007 14:27:24 -0700 (PDT) Subject: [nycbug-talk] soekris style boxes for memcached ? In-Reply-To: References: Message-ID: <8058.160.33.20.11.1179523644.squirrel@webmail.nomadlogic.org> > I need to scale up on my memcached size soon. > > Has anyone here seen or heard of soekris style boxes for memcached? > > Looking at the options , everything I've seen has been > a_ people throw an extra 4gb of ram onto an existing machine, run > memcached on that > b_ people buy a new low-end box and max it out with ram as a > dedicated box > > well, my boxes are maxed with ram, and while a low-end box makes > sense on many levels -- this seems like something so trivial that a > soekris style box could do cheaper, in less space, and with less > energy / heat > > just wondering if anyone has heard of anything that could work. I may not understand exactly how memcached works but I assume the performance, and benefit, of memcached is tied to the system under which it runs on. I.e., you most likely want a system that not only has the ability to house a lot of RAM, but also has a fast bus for access to the RAM. If running it on a remote system in production, I would assume you would want a GigE NIC capable of TCP offloading as well. this looks fun - i think it's got 2 em(4) NICs - but only supports up to 4Gb of DDR2/667Mhz RAM. http://www.abacus-ipc.com/mini_itx.htm -p -- ~~oO00Oo~~ Peter Wright pete at nomadlogic.org www.nomadlogic.org/~pete 310.869.9459 From alex at pilosoft.com Fri May 18 17:49:15 2007 
From: alex at pilosoft.com (alex at pilosoft.com) Date: Fri, 18 May 2007 17:49:15 -0400 (EDT) Subject: [nycbug-talk] soekris style boxes for memcached ? In-Reply-To: Message-ID: I think a better idea is to have a single box with *lots* of memory than bunch of boxes with a little bit. Note that more recent hardware can address more and more memory. Example, soekris (except the latest 500mhz ones) are 256M soldered. 5501 soekris can do 1G soldered. Now, recent server-type motherboards can do 64G. Recent desktop-type motherboards can do 16G. (it kind of gets expensive to do max memory because 4G sticks are 16x as expensive as 1G sticks, ie it doesn't get cheaper with scale) then there's things like ddrdrive and i-ram 4*1G on each card, stick 5 of them into a server, done/DONE now that I think about it, the last idea is probably the best $/mb, if memcached can be told to use files as storage as opposed to plain memory. rough calculations: soekris 5501 w/1G: 300$/GB desktop box (500$) and 4*1G of DDR (250$): 187$/GB desktop box (500$) and 4*2G of DDR (600$): 137$/GB desktop box (500$) and 4*4G of DDR (2000$) 156$/GB server box (1000$) with 16*1G (ecc/reg) (1200$): 137$/GB server box (1000$) with 16*2G (ecc/reg) (3200$): 131$/GB desktop box (500$) with 4*1G of DDR(250$) and 5*idrive thingies (750$) loaded with 4*1G each (1250$): 114$/GB -alex From bob at redivi.com Fri May 18 17:52:34 2007 
From: bob at redivi.com (Bob Ippolito) Date: Fri, 18 May 2007 14:52:34 -0700 Subject: [nycbug-talk] soekris style boxes for memcached ? In-Reply-To: <8058.160.33.20.11.1179523644.squirrel@webmail.nomadlogic.org> References: <8058.160.33.20.11.1179523644.squirrel@webmail.nomadlogic.org> Message-ID: <6a36e7290705181452y24d18e0fg4ae563dc235eb0ae@mail.gmail.com> On 5/18/07, Peter Wright wrote: > > > I need to scale up on my memcached size soon. > > > > Has anyone here seen or heard of soekris style boxes for memcached? > > > > Looking at the options , everything I've seen has been > > a_ people throw an extra 4gb of ram onto an existing machine, run > > memcached on that > > b_ people buy a new low-end box and max it out with ram as a > > dedicated box > > > > well, my boxes are maxed with ram, and while a low-end box makes > > sense on many levels -- this seems like something so trivial that a > > soekris style box could do cheaper, in less space, and with less > > energy / heat > > > > just wondering if anyone has heard of anything that could work. > > I may not understand exactly how memcached works but I assume the > performance, and benefit, of memcached is tied to the system under which it > runs on. I.e., you most likely want a system that not only has the > ability to house a lot of RAM, but also has a fast bus for access to the > RAM. If running it on a remote system in production, I would assume you > would want a GigE NIC capable of TCP offloading as well. > > > this looks fun - i think it's got 2 em(4) NICs - but only supports up to > 4Gb of DDR2/667Mhz RAM. > > http://www.abacus-ipc.com/mini_itx.htm Some of the big memcached users like Facebook [1] are doing amd64 with 16+GB RAM per box. memcached is basically just a big hash table that people use for caching data (it's not redundant or anything, but you can code that at the application level). The bottleneck is usually the network and the amount of RAM you have, it really doesn't do much with the CPU. 
[1] http://lists.danga.com/pipermail/memcached/2007-May/004098.html -bob From lavalamp at spiritual-machines.org Fri May 18 18:01:58 2007 From: lavalamp at spiritual-machines.org (Brian A. Seklecki) Date: Fri, 18 May 2007 18:01:58 -0400 (EDT) Subject: [nycbug-talk] soekris style boxes for memcached ? In-Reply-To: <6a36e7290705181452y24d18e0fg4ae563dc235eb0ae@mail.gmail.com> References: <8058.160.33.20.11.1179523644.squirrel@webmail.nomadlogic.org> <6a36e7290705181452y24d18e0fg4ae563dc235eb0ae@mail.gmail.com> Message-ID: <20070518180021.B49745@arbitor.digitalfreaks.org> On Fri, 18 May 2007, Bob Ippolito wrote: > On 5/18/07, Peter Wright wrote: > memcached is basically just a big hash table that people use for > caching data (it's not redundant or anything, but you can code that at > the application level). The bottleneck is usually the network and the Right. At some point you'll need SGI's NUMALink (3.2gbps synchronous?). But maybe 802.3ad bonding/trunking of 1gbps or 10gbps and an open architecture can get you comparable results without 3-phase power >:} ~BAS > amount of RAM you have, it really doesn't do much with the CPU. > > [1] http://lists.danga.com/pipermail/memcached/2007-May/004098.html > > -bob > _______________________________________________ > % NYC*BUG talk mailing list > http://lists.nycbug.org/mailman/listinfo/talk > %Be sure to check out our Jobs and NYCBUG-announce lists > %We meet the first Wednesday of the month > l8* -lava (Brian A. Seklecki - Pittsburgh, PA, USA) http://www.spiritual-machines.org/ "Guilty? Yeah. But he knows it. I mean, you're guilty. You just don't know it. So who's really in jail?" ~James Maynard Keenan From alex at pilosoft.com Fri May 18 18:13:44 2007
From: alex at pilosoft.com (alex at pilosoft.com) Date: Fri, 18 May 2007 18:13:44 -0400 (EDT) Subject: [nycbug-talk] soekris style boxes for memcached ? In-Reply-To: <20070518180021.B49745@arbitor.digitalfreaks.org> Message-ID: On Fri, 18 May 2007, Brian A. Seklecki wrote: > On Fri, 18 May 2007, Bob Ippolito wrote: > > > On 5/18/07, Peter Wright wrote: memcached is > > basically just a big hash table that people use for caching data (it's > > not redundant or anything, but you can code that at the application > > level). The bottleneck is usually the network and the > > Right. At some point you'll need SGI's NUMALink (3.2gbps synchronous?). > But maybe 802.3ad bonding/trunking of 1gbps or 10gbps and an open > architecture can get you comparable results without 3-phase power >:} yes, 4*GE is dirt cheap (~300$ for quad-e1000 card) 10*GE is slightly more but by no means big balling anymore (~1000$ per card, and ~200$ per switchport). -alex From alex at pilosoft.com Fri May 18 18:16:59 2007 From: alex at pilosoft.com (alex at pilosoft.com) Date: Fri, 18 May 2007 18:16:59 -0400 (EDT) Subject: [nycbug-talk] soekris style boxes for memcached ? In-Reply-To: Message-ID: On Fri, 18 May 2007 alex at pilosoft.com wrote: > 10*GE is slightly more but by no means big balling anymore (~1000$ per > card, and ~200$ per switchport). (i meant 10GE not 10*GE :) From nycbug-list at 2xlp.com Fri May 18 20:24:33 2007
From: nycbug-list at 2xlp.com (Jonathan Vanasco) Date: Fri, 18 May 2007 20:24:33 -0400 Subject: [nycbug-talk] soekris style boxes for memcached ? In-Reply-To: <6a36e7290705181452y24d18e0fg4ae563dc235eb0ae@mail.gmail.com> References: <8058.160.33.20.11.1179523644.squirrel@webmail.nomadlogic.org> <6a36e7290705181452y24d18e0fg4ae563dc235eb0ae@mail.gmail.com> Message-ID: <2A6AF026-1F24-4604-A11F-CD3EF74FBD9A@2xlp.com> On May 18, 2007, at 5:52 PM, Bob Ippolito wrote: > Some of the big memcached users like Facebook [1] are doing amd64 with > 16+GB RAM per box. > > memcached is basically just a big hash table that people use for > caching data (it's not redundant or anything, but you can code that at > the application level). The bottleneck is usually the network and the > amount of RAM you have, it really doesn't do much with the CPU. > > [1] http://lists.danga.com/pipermail/memcached/2007-May/004098.html Well Facebook has virtually unlimited funds, hot spares ready to go, and a 'sweet spot' for performance and price. I have a teeny budget. My idea is that since it basically needs little operational overhead on the OS & hardware, virtually no disk space, and a ton of RAM -- an embedded box should be able to handle it. But I've never benched it on older hardware that is closer to the design of embedded pcs. On May 18, 2007, at 5:49 PM, alex at pilosoft.com wrote: > I think a better idea is to have a single box with *lots* of memory > than > bunch of boxes with a little bit. Note that more recent hardware can > address more and more memory. Example, soekris (except the latest > 500mhz > ones) are 256M soldered. 5501 soekris can do 1G soldered. I know the soekris boxes maxed out on a low RAM, but i figured that there's got to be some other low power box out there that is similar and uses regular RAM, capable of 4 1GB or 4GB sticks. A single box with a ton of memory works if you can start off with two machines or a farm -- you have redundancy via the cluster. 
But if you're a bootstrapped startup, 2x 4GB machines looks a lot more attractive than 1 8GB -- because I know I'll have a box down at some point, and my applications depend on offloading db tasks. > then there's things like ddrdrive and i-ram > 4*1G on each card, stick 5 of them into a server, done/DONE > > now that I think about it, the last idea is probably the best $/mb The i-ram stuff looks interesting. i was actually looking at the old-style ram extender pci cards to max out available ram. that makes me think that you could probably do something similar to memcached using mysql & isam on a bunch of machines configured with the i-ram. you wouldn't get the clustering benefits of memcached, but you could assign keys to different servers at the application level. even simpler -- there might be some freebsd/linux package that will let you create a ramdisk/virtual memory on an i-ram partition. virtual memory on a virtual hard drive is probably a bit too scary to trust though. // Jonathan Vanasco | - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - | SyndiClick.com | - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - | FindMeOn.com - The cure for Multiple Web Personality Disorder | Web Identity Management and 3D Social Networking | - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - | RoadSound.com - Tools For Bands, Stuff For Fans | Collaborative Online Management And Syndication Tools | - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
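Bob's point that memcached is a plain hash table with no redundancy of its own, and Jonathan's plan to "assign keys to different servers at the application level" with a box down at some point, are exactly what a client-side hash ring handles. The following is an added example, not code from the thread and not memcached's own client code: it places each key on a primary and a replica node with consistent hashing, so when one box dies its share of keys is still served from the replica, and when the ring is told about the loss only that share is remapped (naive `hash(key) % N` sharding remaps most of the cache). `FakeNode`, the node names and the key pattern are constructed stand-ins; a real client would talk to memcached on the wire instead of a dict.

```python
# Added example: consistent-hash sharding with a replica, for a memcached-style pool.
import bisect
import hashlib
from typing import Dict, List, Optional


class FakeNode:
    """Constructed in-memory stand-in for one memcached server."""

    def __init__(self, name: str) -> None:
        self.name = name
        self.store: Dict[str, bytes] = {}
        self.up = True  # flip to False to simulate the box going down

    def set(self, key: str, value: bytes) -> bool:
        if not self.up:
            return False
        self.store[key] = value
        return True

    def get(self, key: str) -> Optional[bytes]:
        return self.store.get(key) if self.up else None


def _point(s: str) -> int:
    # Position on a 2^32 ring. SHA-1 only spreads keys here, it is not
    # used for integrity, so its collision weakness does not matter.
    return int.from_bytes(hashlib.sha1(s.encode()).digest()[:4], "big")


class HashRing:
    """Consistent hashing: every node owns `vnodes` points on the ring."""

    def __init__(self, nodes: List[str], vnodes: int = 128) -> None:
        self.vnodes = vnodes
        self._points: List[int] = []      # sorted ring positions
        self._owner: Dict[int, str] = {}  # position -> node name
        for n in nodes:
            self.add(n)

    def add(self, node: str) -> None:
        for i in range(self.vnodes):
            p = _point(f"{node}#{i}")
            if p not in self._owner:  # skip the rare position collision
                bisect.insort(self._points, p)
                self._owner[p] = node

    def remove(self, node: str) -> None:
        self._points = [p for p in self._points if self._owner[p] != node]
        self._owner = {p: self._owner[p] for p in self._points}

    def nodes_for(self, key: str, count: int = 2) -> List[str]:
        """First `count` distinct nodes clockwise from the key's position."""
        found: List[str] = []
        if not self._points:
            return found
        start = bisect.bisect_left(self._points, _point(key))
        for i in range(len(self._points)):
            n = self._owner[self._points[(start + i) % len(self._points)]]
            if n not in found:
                found.append(n)
                if len(found) == count:
                    break
        return found


class ShardedCache:
    """Redundancy at the application level: write primary + replica, read the first that answers."""

    def __init__(self, nodes: Dict[str, FakeNode], copies: int = 2) -> None:
        self.nodes, self.copies = nodes, copies
        self.ring = HashRing(list(nodes))

    def set(self, key: str, value: bytes) -> int:
        """Number of nodes that accepted the write (0 means nothing is cached)."""
        return sum(self.nodes[n].set(key, value) for n in self.ring.nodes_for(key, self.copies))

    def get(self, key: str) -> Optional[bytes]:
        for n in self.ring.nodes_for(key, self.copies):
            v = self.nodes[n].get(key)
            if v is not None:
                return v
        return None  # miss: the caller falls back to the database


def remapped_fraction(keys: List[str], before: HashRing, after: HashRing) -> float:
    """Share of keys whose primary node differs between two ring layouts."""
    return sum(before.nodes_for(k, 1) != after.nodes_for(k, 1) for k in keys) / len(keys)


def modulo_remapped_fraction(keys: List[str], n_before: int, n_after: int) -> float:
    """Same measurement for naive `hash(key) % N` sharding."""
    return sum(_point(k) % n_before != _point(k) % n_after for k in keys) / len(keys)


def demo() -> dict:
    names = ["mc1", "mc2", "mc3", "mc4"]  # constructed node names
    cache = ShardedCache({n: FakeNode(n) for n in names})
    keys = [f"user:{i}:profile" for i in range(2000)]  # constructed keys
    for k in keys:
        cache.set(k, k.encode())
    cache.nodes["mc2"].up = False  # one box dies; replicas keep serving
    hits = sum(cache.get(k) == k.encode() for k in keys)
    before, after = HashRing(names), HashRing(names)
    after.remove("mc2")  # ring told about the loss: only mc2's keys move
    return {"hits_after_failure": hits,
            "consistent_moved": remapped_fraction(keys, before, after),
            "modulo_moved": modulo_remapped_fraction(keys, 4, 3)}


if __name__ == "__main__":
    print(demo())
```

`demo()` reports all 2000 keys still hitting after one of four boxes goes down, roughly a quarter of the keys changing primary under consistent hashing versus about three quarters under modulo sharding. The replica costs double the writes and half the effective memory, which is the trade Jonathan's "2x 4GB rather than 1x 8GB" reasoning is making; the ring alone, without the replica, still limits a failure to the dead box's share of the cache.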
From: driodeiros at gmail.com (David Rio Deiros) Date: Sun, 20 May 2007 01:49:06 -0400 Subject: [nycbug-talk] what happened to darwinports? In-Reply-To: <20070518001459.GA93011@r2d2.reverse.net> References: <39656.160.33.20.11.1178041947.squirrel@webmail.nomadlogic.org> <8933.160.33.20.11.1178052246.squirrel@webmail.nomadlogic.org> <20070503224759.GA62365@r2d2.reverse.net> <1053AC2D-8AEB-43FC-9048-3197EDB4A3F8@schmonz.com> <20070509053321.GA85382@r2d2.reverse.net> <68D543AF-216B-46F9-AA2B-16CEB038448C@schmonz.com> <20070515172433.GA14825@r2d2.reverse.net> <3F3B1A9A-023D-4020-BF3F-8B93A87661C1@schmonz.com> <20070518001459.GA93011@r2d2.reverse.net> Message-ID: <20070520054906.GA95859@r2d2.reverse.net> On Thu, May 17, 2007 at 08:14:59PM -0400, David Rio Deiros wrote: > On Wed, May 16, 2007 at 03:57:48PM -0400, Amitai Schlair wrote: > > On May 15, 2007, at 1:24 PM, David Rio Deiros wrote: > > > > > How do you skip this?: > > > > > > drio at simba:/Volumes/NetBSD/pkgsrc/bootstrap $ sudo ./bootstrap \ > > >> --prefix /usr/pkg \ > > >> --pkgdbdir /usr/pkg/.pkgdb > > > ... > > > ... > > > ===> running: /bin/sh /Volumes/NetBSD/pkgsrc/bootstrap/work/install-sh > > > -d -o root -g wheel /usr/pkg/pkgsrc-REQUIRES-case-SENSITIVE-filesystem > > > "/usr/pkg" needs to be on a case-sensitive filesystem (see > > > README.Darwin) > > > > Pass "--ignore-case-check" to the bootstrap script. > > Sweet! > > I have one more question though: I have been reading the pkgsrc guide > but I cannot find a proper way to upgrade your packages once you > update the pkgsrc tree. How do you keep your installation packages > up2date? Is there some tool like portupgrade? This seems a very good approach: lintpkgsrc -i >/tmp/out_of_date pkgdepgraph -D /tmp/out_of_date >/tmp/delete pkgdepgraph -R /tmp/out_of_date >/tmp/rebuild pkg_delete `cat /tmp/delete` sh /tmp/rebuild From lists at stringsutils.com Sun May 20 15:00:41 2007 
From: lists at stringsutils.com (Francisco Reyes) Date: Sun, 20 May 2007 15:00:41 -0400 Subject: [nycbug-talk] OpenBSD sdiff port to FreeBSD References: <20070517154732.GA2318@clamps.exit2shell.com> <20070517162745.GB2318@clamps.exit2shell.com> Message-ID:

Steven Kreuzer writes:
> ugh, got my wires crossed. If you don't want to sit through an
> entire buildworld, just cd into /usr/src/usr.bin/sdiff and as
> root do `make && make install`

I tried it, but I see something which is confusing me. My history of commands.

106 14:48 cd /root
107 14:49 cp /usr/bin/sdiff bin/Sdiff
108 14:49 cd /usr/src
109 14:49 tar -xvf sdiff.tar.gz
110 14:50 patch -p0 < sdiff/sdiff-cvs-merge.patch ; sh sdiff/sdiff.shar
112 14:51 cd /usr/src/usr.bin/sdiff
113 14:51 make
114 14:51 make install (1)
115 14:51 md5 /usr/bin/sdiff sdiff /root/bin/Sdiff (2)

(1) make
Warning: Object directory not changed from original /usr/src/usr.bin/sdiff
cc -O -pipe -Wall -W -c common.c
cc -O -pipe -Wall -W -c edit.c
cc -O -pipe -Wall -W -c sdiff.c
cc -O -pipe -Wall -W -o sdiff common.o edit.o sdiff.o -lutil
gzip -cn sdiff.1 > sdiff.1.gz
zoraida:/usr/src/usr.bin/sdiff#make install
install -s -o root -g wheel -m 555 sdiff /usr/bin
install -o root -g wheel -m 444 sdiff.1.gz /usr/share/man/man1

(2) md5 /usr/bin/sdiff sdiff /home/fran/bin/Sdiff
MD5 (/usr/bin/sdiff) = 128fb6707ac31369f0ff6b9e09b1579f
MD5 (sdiff) = e4cc3644e62b1c504ce0ab99b7d911b8
MD5 (/root/bin/Sdiff) = f778dc758378ac93a2143b96d1361516

Other than that it seems to work. Also the original sdiff had a --help line. That would be nice. :-) But I guess if they didn't do it in the original OS you ported this from (OpenBSD), then it probably doesn't make much sense to have it in FreeBSD then.
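The three different MD5 sums in Francisco's transcript are what one should expect: `install -s` in his `make install` output runs strip(1) on the copy it places in /usr/bin, so the installed file cannot hash the same as the unstripped `sdiff` in the build directory, and /root/bin/Sdiff is the old GNU program he saved beforehand. The check a practitioner actually wants after an install like this is "is /usr/bin/sdiff the binary I just built?", which means comparing against a stripped copy of the build output. The script below is an added example, not part of the thread or of the sdiff port; the default paths are the ones from the transcript, the `strip` command is assumed to be on PATH, and the verdict names are made up for this illustration. It also uses SHA-256 rather than MD5: MD5 still catches an accidental mix-up, but collisions are cheap to produce, so it should not be relied on when the file could have come from someone hostile.

```python
# Added example: check that an installed binary is a stripped copy of what you built.
import hashlib
import shutil
import subprocess
import sys
import tempfile
from pathlib import Path
from typing import Dict


def hexdigest(data: bytes, algo: str = "sha256") -> str:
    """Digest of in-memory bytes; algo is any name hashlib knows (md5, sha256, ...)."""
    return hashlib.new(algo, data).hexdigest()


def file_digest(path: Path, algo: str = "sha256") -> str:
    """Streaming digest so large binaries are not read into memory at once."""
    h = hashlib.new(algo)
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_install(built: Path, installed: Path, strip_cmd: str = "strip") -> Dict[str, str]:
    """Classify `installed` against `built` (verdict names are this example's own):
    identical, identical-after-strip (what `install -s` produces), or mismatch."""
    d_built, d_inst = file_digest(built), file_digest(installed)
    if d_built == d_inst:
        verdict = "identical"
    else:
        with tempfile.TemporaryDirectory() as td:
            tmp = Path(td) / built.name
            shutil.copy2(built, tmp)                            # never strip the build tree itself
            subprocess.run([strip_cmd, str(tmp)], check=True)   # same thing install -s did
            verdict = "identical-after-strip" if file_digest(tmp) == d_inst else "mismatch"
    return {"built": d_built, "installed": d_inst, "verdict": verdict}


if __name__ == "__main__":
    # Defaults are the paths from the thread; pass others as argv[1] and argv[2].
    built = Path(sys.argv[1] if len(sys.argv) > 1 else "/usr/src/usr.bin/sdiff/sdiff")
    installed = Path(sys.argv[2] if len(sys.argv) > 2 else "/usr/bin/sdiff")
    result = verify_install(built, installed)
    print(f"{result['verdict']}: built {result['built']} installed {result['installed']}")
```

After a `make install` that used `install -s`, `identical-after-strip` is the verdict to expect; `mismatch` means the installed file was not produced from that build (a stale object, a rebuild from different sources, or something that is not your binary at all), and the saved GNU sdiff will of course match neither.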
From: af.dingo at gmail.com (Jeff Quast) Date: Mon, 21 May 2007 12:15:54 -0400 Subject: [nycbug-talk] OpenBSD sdiff port to FreeBSD In-Reply-To: <20070517154732.GA2318@clamps.exit2shell.com> References: <20070517154732.GA2318@clamps.exit2shell.com> Message-ID: On 5/17/07, Steven Kreuzer wrote: > > Greetings- > > OpenBSD includes a version of sdiff written by our very own Ray > Lai, and released to the public domain. > > In a quest to remove as much GPL code from FreeBSD as possible, I > ported it over. > > If you want to try it out, You can download the source at > http://www.exit2shell.com/~skreuzer/code/sdiff.tar.gz > > To install: > $ su - > # cd to /usr/src > # patch -p0 < /path/to/sdiff-cvs-merge.patch > # sh /path/to/sdiff.shar > # make buildworld && make installworld > > Let me know if you encounter any problems. I would like to see if > I can get the GNU version of sdiff removed and replaced with this > in FreeBSD. It might be somewhat of an uphill battle, but it is > worth a shot. > > -- > Steven Kreuzer > http://www.exit2shell.com/~skreuzer I was just reading a thread concerning this very topic on diff utilities this weekend on a dragonfly bsd list (some obscure unrelated search brought me there). I was especially concerned with Dillon's reply: http://leaf.dragonflybsd.org/mailarchive/submit/2004-02/msg00123.html " Compared to all the gnu junk we depend on, I don't know why people would be concerned over something as simple-stupid as 'diff'. I see no advantage (or disadvantage) to changing our diff." I disagree with Mr. Dillon. This sort of ideology does not seem BSD-like. It's a very simple replacement. A hundred of these replacements can really add up to something! I also enjoy the availability of software in /usr/src for hacking without restrictions. /usr/src lives on my desktop as a reference manual, and one that I can build on, borrow from, or reuse as I see fit in my own programs.
Running into code that is also GPL licensed is a real bummer when you're deep into a run... I stop thinking about hacking and start thinking about legal shit. -------------- next part -------------- An HTML attachment was scrubbed... URL: From af.dingo at gmail.com Mon May 21 12:18:18 2007 From: af.dingo at gmail.com (Jeff Quast) Date: Mon, 21 May 2007 12:18:18 -0400 Subject: [nycbug-talk] OpenBSD sdiff port to FreeBSD In-Reply-To: <20070517154732.GA2318@clamps.exit2shell.com> References: <20070517154732.GA2318@clamps.exit2shell.com> Message-ID: On 5/17/07, Steven Kreuzer wrote: > > Greetings- > > OpenBSD includes a version of sdiff written by our very own Ray > Lai, and released to the public domain. > > In a quest to remove as much GPL code from FreeBSD as possible, I > ported it over. Hi all! I was just reading a thread concerning this very topic on diff utilities this weekend on a dragonfly bsd list (some obscure unrelated search brought me there). I was especially concerned with Dillon's reply: http://leaf.dragonflybsd.org/mailarchive/submit/2004-02/msg00123.html " Compared to all the gnu junk we depend on, I don't know why people would be concerned over something as simple-stupid as 'diff'. I see no advantage (or disadvantage) to changing our diff." I disagree with Mr. Dillon. This sort of ideology does not seem BSD-like. It's a very simple replacement. A hundred of these replacements can really add up to something! I also enjoy the availability of software in /usr/src for hacking without restrictions. /usr/src lives on my desktop as a reference manual, and one that I can build on, borrow from, or reuse as I see fit in my own programs. Running into code that is also GPL licensed is a real bummer when you're deep into a run... I stop thinking about hacking and start thinking about legal shit. -------------- next part -------------- An HTML attachment was scrubbed... URL: From nycbug at cyth.net Tue May 22 21:24:27 2007
From: nycbug at cyth.net (Ray Lai) Date: Tue, 22 May 2007 21:24:27 -0400 Subject: [nycbug-talk] OpenBSD sdiff port to FreeBSD In-Reply-To: References: <20070517154732.GA2318@clamps.exit2shell.com> <20070517162745.GB2318@clamps.exit2shell.com> Message-ID: <20070523012450.GV19922@cybertron.cyth.net> On Sun, May 20, 2007 at 03:00:41PM -0400, Francisco Reyes wrote: > Also the original sdiff had a --help line. > That would be nice. :-) > But I guess if they didn't do it in the original OS you ported this from > (OpenBSD), then it probably doesn't make much sense to have it in FreeBSD > then. I don't really like the GNU-style --help/--version stuff. I'd rather improve the man pages instead of trying to keep two different manuals. Of course, if there are any other issues you notice, feel free to let me know! -Ray- From jca at sdf.lonestar.org Thu May 24 11:58:57 2007 From: jca at sdf.lonestar.org (Jonathan C. Allen) Date: Thu, 24 May 2007 15:58:57 +0000 Subject: [nycbug-talk] Wanted: HP Itanium Hardware Message-ID: <20070524155857.GA19966@SDF.LONESTAR.ORG> I'm looking to purchase at least one HP Integrity Itanium server for my company. Can anyone recommend local suppliers? It's for a development project -- I'm trying to get my hands on something quickly that will run HP-UX. jca From alex at pilosoft.com Thu May 24 12:16:33 2007 
From: alex at pilosoft.com (alex at pilosoft.com) Date: Thu, 24 May 2007 12:16:33 -0400 (EDT) Subject: [nycbug-talk] Wanted: HP Itanium Hardware In-Reply-To: <20070524155857.GA19966@SDF.LONESTAR.ORG> Message-ID: On Thu, 24 May 2007, Jonathan C. Allen wrote: > I'm looking to purchase at least one HP Integrity Itanium server for my > company. Can anyone recommend local suppliers? It's for a development > project -- I'm trying to get my hands on something quickly that will run > HP-UX. ebay is yo friend, "local search" i have some prehistoric hpux box (like 75mhz processor) that i'm not sure condition of...if you want it, its yours ;) -alex From tbackman at childrensaidsociety.org Thu May 24 12:41:40 2007 From: tbackman at childrensaidsociety.org (Thomas Backman) Date: Thu, 24 May 2007 12:41:40 -0400 Subject: [nycbug-talk] Wanted: HP Itanium Hardware In-Reply-To: References: Message-ID: <001a01c79e22$68638de0$7c9710ac@Berlioz> -----Original Message----- From: talk-bounces at lists.nycbug.org [mailto:talk-bounces at lists.nycbug.org] On Behalf Of talk-request at lists.nycbug.org Sent: Thursday, May 24, 2007 12:00 PM To: talk at lists.nycbug.org Subject: talk Digest, Vol 42, Issue 26 Message: 1 Date: Thu, 24 May 2007 15:58:57 +0000 
From: "Jonathan C. Allen" Subject: [nycbug-talk] Wanted: HP Itanium Hardware To: talk at lists.nycbug.org Message-ID: <20070524155857.GA19966 at SDF.LONESTAR.ORG> Content-Type: text/plain; charset=us-ascii I'm looking to purchase at least one HP Integrity Itanium server for my company. Can anyone recommend local suppliers? It's for a development project -- I'm trying to get my hands on something quickly that will run HP-UX. jca --------------------------------------------------------------------------- Re: Wanted: HP Itanium Hardware My employer uses ATEC Group here in NYC. We've had a long standing relationship with one of the V.P.s Ravi Jumani, and we are quite satisfied with sales as well as support and service. I used to handle all the billing for our department in years past which included quite a bit with ATEC, and we never had an issue that wasn't resolved quickly and effectively. --------------------------------------------------------------------------- Thomas Backman Software Developer/Analyst The Children's Aid Society IT Department mailto: tbackman at childrensaidsociety.org "Help! I'm a bug." - Calvin No virus found in this outgoing message. Checked by AVG Free Edition. Version: 7.5.467 / Virus Database: 269.7.7/816 - Release Date: 5/23/2007 3:59 PM From mspitzer at gmail.com Thu May 24 12:58:51 2007 
From: mspitzer at gmail.com (Marc Spitzer) Date: Thu, 24 May 2007 12:58:51 -0400 Subject: [nycbug-talk] Wanted: HP Itanium Hardware In-Reply-To: <20070524155857.GA19966@SDF.LONESTAR.ORG> References: <20070524155857.GA19966@SDF.LONESTAR.ORG> Message-ID: <8c50a3c30705240958q46d612f3n715a2785d4f14da1@mail.gmail.com> On 5/24/07, Jonathan C. Allen wrote: > I'm looking to purchase at least one HP Integrity Itanium server > for my company. Can anyone recommend local suppliers? It's for > a development project -- I'm trying to get my hands on something > quickly that will run HP-UX. We use mrainternational.com at work for hp stuff, dl boxes not ml, and have been happy with them. marc -- Freedom is nothing but a chance to be better. Albert Camus From lavalamp at spiritual-machines.org Thu May 24 16:14:58 2007 
From: lavalamp at spiritual-machines.org (Brian A. Seklecki) Date: Thu, 24 May 2007 16:14:58 -0400 (EDT) Subject: [nycbug-talk] Wanted: HP Itanium Hardware In-Reply-To: References: Message-ID: <20070524161416.O5929@arbitor.digitalfreaks.org> Those run netbsd-hp700@ really well >:} I ran one as an IPF gateway for many moons until i donated it to the local LUG. ~BAS On Thu, 24 May 2007, alex at pilosoft.com wrote: > On Thu, 24 May 2007, Jonathan C. Allen wrote: > >> I'm looking to purchase at least one HP Integrity Itanium server for my >> company. Can anyone recommend local suppliers? It's for a development >> project -- I'm trying to get my hands on something quickly that will run >> HP-UX. > ebay is yo friend, "local search" > > i have some prehistoric hpux box (like 75mhz processor) that i'm not sure > condition of...if you want it, its yours ;) > > -alex > > _______________________________________________ > % NYC*BUG talk mailing list > http://lists.nycbug.org/mailman/listinfo/talk > %Be sure to check out our Jobs and NYCBUG-announce lists > %We meet the first Wednesday of the month > l8* -lava (Brian A. Seklecki - Pittsburgh, PA, USA) http://www.spiritual-machines.org/ "Guilty? Yeah. But he knows it. I mean, you're guilty. You just don't know it. So who's really in jail?" ~James Maynard Keenan From mikel.king at techally.com Fri May 25 11:16:11 2007 
From: mikel.king at techally.com (Mikel King) Date: Fri, 25 May 2007 11:16:11 -0400 Subject: [nycbug-talk] BSDCan Message-ID: Hi all, I am looking for a volunteer who attended BSDCan last week and would like to do a quick write up of their experience for Daemon News. Basically looking for someone to act as a field correspondent and give the rest of us who were unable to attend a glimpse into the event. Cheers, Mikel King CITO, Tech Alliance, INC Senior Editor, Daemon News 39 West Fourteenth Street Second Floor New York, NY 10011 http://www.techally.com http://www.daemonnews.org t: 212.727.2100x132 +------------------------------------------+ How do you spell cooperation? Pessimists use each other, but optimists help each other. Collaboration feeds your spirit, while competition only stokes your ego. You'll find the best way to get along. +------------------------------------------+ -------------- next part -------------- An HTML attachment was scrubbed... URL: From bonsaime at gmail.com Fri May 25 13:12:20 2007 From: bonsaime at gmail.com (Jesse Callaway) Date: Fri, 25 May 2007 13:12:20 -0400 Subject: [nycbug-talk] openbsd mibs out Message-ID: From http://www.packetmischief.ca/openbsd/snmp/ Thanks Joel! These are really helpful. -jesse ----------------------------------------------------------------------------------------- May 13, 2007: The patches for OpenBSD 4.1 have been uploaded. From a usability perspective there's not much difference between the 4.0 and 4.1 MIBs. The only thing that really changed was the names of some of the sensorType values in the sensors MIB. The overall sensors MIB did not change despite the changes in the kernel sensor framework between 4.0 and 4.1.