Archive for the ‘Unix’ Category

Playing with ipset on Oneiric Ocelot

Wednesday, August 17th, 2011

I finally decided to play with ipset, given that it’s now included in the mainline Linux kernel and enabled in the default Ubuntu kernel. The use of tables/sets (like in OpenBSD’s pf) can make firewalls a lot shorter. Unfortunately Debian/Ubuntu don’t ship current versions of the userland packages. But manhandling the debian-packaging onto newer sources proved easy enough. The resulting amd64 package is available for the daring. A trivial ssh firewall using ipset looks like this:

# Create one hash:net set per address family; -exist makes this idempotent.
for family in inet inet6; do
    ipset -exist create ssh-allow-$family hash:net family $family
done

# Populate the sets from the allow-list files, skipping "#" comment lines.
for net in $(grep -v ^# /etc/ipset/ssh_allow_inet); do
    ipset -exist add ssh-allow-inet $net
done

for net in $(grep -v ^# /etc/ipset/ssh_allow_inet6); do
    ipset -exist add ssh-allow-inet6 $net
done

# Accept ssh only from set members; everything else hitting port 22 is dropped.
iptables -A INPUT -p tcp -m set --match-set ssh-allow-inet src -m tcp --dport 22 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 22 -j DROP
ip6tables -A INPUT -p tcp -m set --match-set ssh-allow-inet6 src -m tcp --dport 22 -j ACCEPT
ip6tables -A INPUT -p tcp -m tcp --dport 22 -j DROP

The contents of /etc/ipset/ssh_allow_inet look like this:

<sten@host:~> cat /etc/ipset/ssh_allow_inet
# me
127.0.0.1
# Work network
192.0.2.0/24
# home
198.51.100.0/24
# friend
203.0.113.1

And the created set looks like this:

<sten@host:~> sudo ipset -l ssh-allow-inet
Name: ssh-allow-inet
Type: hash:net
Header: family inet hashsize 1024 maxelem 65536
Size in memory: 16944
References: 1
Members:
127.0.0.1
192.0.2.0/24
198.51.100.0/24
203.0.113.1
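Repeated "ipset -exist add" runs never remove an address that was deleted from the file, so reloading the sets above leaves stale members behind. The following is an added example (not code from the original post): it reads an allow-list file in the post's format and prints an "ipset restore" batch that fills a scratch set and swaps it into place, so each reload replaces the set atomically; the "-tmp" suffix and the build_batch function name are my own assumptions.

```shell
#!/bin/sh
# Added example, not from the original post: build an "ipset restore" batch
# from an allow-list file (one address or CIDR per line, "#" comments, blank
# lines allowed). The batch populates a scratch set and then swaps it with the
# live one, so a reload replaces the whole set in one step. The "-tmp" suffix
# for the scratch set is an assumption.

# Usage: build_batch SETNAME FAMILY FILE   (FAMILY is inet or inet6)
build_batch() {
    name=$1; family=$2; file=$3
    tmp="${name}-tmp"
    # syntactic check only; the kernel validates each address when the batch loads
    case $family in
        inet)  pat='^[0-9]\{1,3\}\(\.[0-9]\{1,3\}\)\{3\}\(/[0-9]\{1,2\}\)\{0,1\}$' ;;
        inet6) pat='^[0-9A-Fa-f:]\{2,39\}\(/[0-9]\{1,3\}\)\{0,1\}$' ;;
        *)     printf 'unknown family: %s\n' "$family" >&2; return 1 ;;
    esac
    printf 'create %s hash:net family %s\n' "$tmp" "$family"
    printf 'flush %s\n' "$tmp"
    # drop comment lines, trailing comments and blank lines before validating
    grep -v '^[[:space:]]*#' "$file" | sed 's/[[:space:]]*#.*$//' |
    grep -v '^[[:space:]]*$' |
    while read -r net; do
        if printf '%s\n' "$net" | grep -q "$pat"; then
            printf 'add %s %s\n' "$tmp" "$net"
        else
            # a single malformed line would abort the whole restore, so report and skip it
            printf '%s: skipping malformed entry "%s"\n' "$file" "$net" >&2
        fi
    done
    # make sure the live set exists, then exchange the contents in one step
    printf 'create %s hash:net family %s\n' "$name" "$family"
    printf 'swap %s %s\n' "$tmp" "$name"
    printf 'destroy %s\n' "$tmp"
}

# Example run; -exist makes the two create lines harmless when the sets already exist:
# build_batch ssh-allow-inet inet /etc/ipset/ssh_allow_inet | ipset -exist restore
```

Run the same function once per family and pipe each batch into "ipset -exist restore" before the iptables rules are (re)applied; the iptables rules themselves do not need to change, because the set name stays the same across swaps.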

Ladvd 0.9.2

Tuesday, September 21st, 2010

This was supposed to be a fixes-only release, but then people started requesting features, oh well :) Ladvd is now hosted at googlecode in mercurial. The switch to mercurial allows more people to contribute and makes it much easier to grab the latest development release. Besides that, an impressive number of small fixes and features have helped to make 0.9.2 a great release.

  • Vlan Name TLV support
  • LLDP mau support for Linux
  • LLDP autoneg_pmd support for Linux and BSD
  • use the NIC hardware name when no ifdescr is configured (Linux sysfs, FreeBSD sysctl)
  • use lsb-release to report Linux distro information
  • improved locally-generated packet filtering
  • Improved detection of Tun/Tap interfaces, including a switch to use them
  • Skip FreeBSD’s ipfw interfaces
  • FreeBSD dmi/smbios support via kenv()
  • added HACKING documentation
  • fixes for small packets
  • various other small fixes

Buildservices

Thursday, January 28th, 2010

In preparation for the next ladvd release I decided to investigate automated software builds, to make sure that it will work on as many platforms / distributions as possible. I’d like to avoid having to release a .1 version just to fix a silly configure problem on RHEL X.Y. Building the virtual machines to do this myself seemed like a lot of work, so I decided to investigate online software compile farms.
The first one I looked at was Launchpad. I started out by adding ladvd as a project to Launchpad, the whole gpg signing and upload dance is very neat. This however doesn’t allow you to actually build software, for that you need to start a PPA, which luckily also is pretty easy. However Launchpad doesn’t provide a lot of control over the compile process, and only Ubuntu is supported.
So I started playing around with the second option, the OpenSUSE Build Service. The initial signup was similar to launchpad, except no gpg this time. Which is a shame because it makes signing the packages impossible. But the amount of distributions supported (RHEL, SuSE, Debian, Ubuntu, Fedora) is great, and I especially like the buildlogs which show you exactly what is going on. Getting the packages built for Debian and Ubuntu was trivial, and even the specfile for RPM distributions was done in a few hours. After that I realized that it would be even better to run unit-tests during the package build. Then I ran into a bug which sadly makes this impossible (check’s pkg-config is missing). But there was a bugzilla link where I’ve reported the issue so hopefully it will be solved soon.

Ladvd 0.8.5

Wednesday, September 16th, 2009

Last week I released ladvd 0.8.5, a bugfix / cleanup release which solves all known issues. The next release will include a cli and possibly SNMP support.

* use wireless interfaces when the -w option is set
* disable auto-enabled protocols when peers expire
* add port-name to -z ifdescr support
* improved ifdescr support (only if needed, multiple peers, etc)
* used strnvis to sanitize strings for ifdescr
* fixed FreeBSD lagg ioctl
* RHEL4 compatibility fixes
* chroot the child, not the master
* use setresuid/setresgid for dropping privileges
* move the child code to child.c and refactor the eventloop
* refactored socket handling in master.c
* sockets are now fully dynamic and always have filters
* bsd vlan detection
* remove multicast registrations on shutdown
* even better unit-tests

This release has been (unit-)tested on Linux (amd64, arm), FreeBSD (i386, amd64) and OpenBSD (sparc64). I’d like to thank Paul de Weerd, Jacek Masiulaniec, Stephan A. Rickauer, David Gwynne and Mattieu Baptiste who have helped to uncover bugs and even submitted patches.

Tarballs and Debian sources are available.

Ladvd 0.8

Sunday, June 21st, 2009

I’ve just released ladvd 0.8, which supports receive mode and a host of other features resulting from that.

  • privilege separation
  • SIOCSIFDESCR support (the -z option)
  • Automatic protocol enabling based on received packets (-a)
  • syslog notifications for new/removed peers (-r)
  • EDP support
  • FDP support
  • NDP / SoNMP support
  • abstracted protocol support
  • rewritten netif and message lists
  • some strict alignment fixes
  • unit-tests including extensive protocol tests

This release has been (unit-)tested on Linux (amd64, arm), FreeBSD (i386, amd64) and OpenBSD (amd64, sparc64, vax).
Tarballs and Debian sources are available.

Qnap TS-219 Serial

Thursday, June 11th, 2009

I’ve recently bought a QNAP nas and wanted to make a serial cable for it. The Debian QNAP guru Martin Michlmayr informed me that the connector used is a JST PHR-4. So I ordered some connectors and pins. The second part needed was a ttl-serial converter. The cheapest solution is a regular old GSM data-cable, I bought 4 Siemens C/S/M 25-45 cables. The pinout required some research, but I settled on:

  • GND – Black
  • RX – Yellow
  • VCC – Red
  • TX – Green

And lo and behold it worked first time round:

Port /dev/ttyS1
[Marvell U-Boot ASCII-art banner]                   ** LOADER **
** MARVELL BOARD: DB-88F6281A-BP LE

U-Boot 1.1.4 (Feb 9 2009 - 11:13:32) Marvell version: 3.4.4

U-Boot code: 00600000 -> 0067FFF0 BSS: -> 00690DCC

Soc: 88F6281 A0 (DDR2)
CPU running @ 1200Mhz L2 running @ 400Mhz
SysClock = 400Mhz , TClock = 200Mhz

DRAM CAS Latency = 5 tRP = 5 tRAS = 18 tRCD=6
DRAM CS[0] base 0x00000000 size 256MB
DRAM CS[1] base 0x10000000 size 256MB
DRAM Total size 512MB 16bit width
[16384kB@f8000000] Flash: 16 MB
Addresses 8M - 0M are saved for the U-Boot usage.
Mem malloc Initialization (8M - 7M): Done

CPU : Marvell Feroceon (Rev 1)

Streaming disabled

Ladvd for Cyclades ACS

Sunday, March 15th, 2009

I recently bought a Cyclades ACS32 console server, and figured that because it runs Linux it should be able to run ladvd. This isn’t as easy as it seems because of the embedded PPC cpu used. I started by building a crosscompiler using crosstool, which succeeded after a few patches. Unfortunately the resulting binary didn’t work. It started ok, but couldn’t find any interfaces. After some headscratching it turned out that the glibc (2.3.2) used by Cyclades has an incomplete getifaddrs implementation (IPv4 only). The quick way to fix this is to use a C library which does have a complete one; uClibc seemed like a good choice. So I created another toolchain, GCC and uClibc, using buildroot. The resulting binary again didn’t work. This time it was because ethtool support is either missing or broken on the Cyclades ACS, which results in ladvd not accepting the "eth0" interface. After a small fix all is well and ladvd 0.6.1 runs on my ACS32:

Chassis id: 0060.2e01.cdf1
Port id: eth0
Port Description - not advertised
System Name: zem
System Description:
Linux 2.6.22 #1 Tue Sep 30 11:12:38 PDT 2008 ppc

ladvd 0.6.1 released

Monday, September 22nd, 2008

I’ve just released ladvd 0.6.1, which was destined to fix bugs found in 0.6.0, but a fair number of new features and improvements have crept in as well.

  • Fix for interfaces without link-layer addresses (ppp0/pptp0)
  • Reset (router/wlan/bridge) capabilities after each run
  • Improved the linux virtual interface detection
    (the previous method only worked on 2.6.23+ kernels)
  • Add support for OpenBSD’s interface descriptions
  • Add support for TIA inventory management TLV set
    using dmi information available on OpenBSD and Linux
  • Use an ISC-licensed strlcpy for certain string operations
  • Add -m/-M switches to specify management addresses
    via the commandline
  • Add ioctl code to linux bonding/bridge detection which
    works on hosts without sysfs
  • Add minimal LLDP civic location support using the LOC type
    and the -C (country) switch
  • Add pcap headers to debug output to make it suitable for
    piping to tcpdump.

This release owes a lot to Paul de Weerd and Alexander Ottl, their tests and patches have helped to make this release as stable as possible.

Tarballs and Debian sources are available.

ladvd 0.6.0

Monday, July 28th, 2008

I’ve just released a new version of ladvd, which brings a fair number of improvements:

  • rewritten memory allocation (no more memleaks)
  • autodetect all network interfaces
  • autodetect bonding, bridging and wireless interfaces (on Linux, FreeBSD and OpenBSD)
  • be clever about bonding/bridging sub-interfaces
  • use only one raw-socket for all interfaces
  • remove libnet dependency
  • improved OpenBSD support
  • autodetect router, wlan and bridge capabilities
  • support different available / enabled capabilities
  • use the first mac-address as chassis-id (which fixes HP-switch interoperability)
  • rewritten tlv macros to support strict alignment archs (sparc)

This release has been tested on a fair number of operating systems talking to various brand-name switches, Paul de Weerd deserves kudos for suggestions and OpenBSD improvements.

Tarballs and Debian sources are available.

ladvd 0.5.0

Monday, May 26th, 2008

I’ve just released a new version of ladvd, which brings a fair number of improvements:

  • Debian packaging
  • Linux ethtool ioctl support
  • Linux capabilities support (needed for unprivileged ethtool usage)
  • BSD ifmedia ioctl support
  • MTU TLV for CDP and LLDP
  • Autoneg TLV for CDP and LLDP
  • Duplex TLV for CDP
  • Media TLV for LLDP (BSD only)
  • Host capabilities selection (Bridge, Host, Router, Switch, WLAN AP)
  • Improved hostname detection
  • Improved OpenBSD support

This release has been tested on a fair number of operating systems talking to various brand-name switches. Which means that this code will probably still eat your kitten, but won’t burn down the house while doing so. The newly supported media/autoneg/duplex TLVs should prove useful when solving connectivity issues.

Tarballs and Debian sources are available.