Added a new 'licensing' section on the netfilter homepage
Since recently more and more vendors seem to disobey the terms of the GNU GPL,
I decided to put some more detailed information on how to comply with this
license online. It was written for the netfilter/iptables project, but should
apply to any other GPL licensed free software project. You can find the section here.
[ /linux/netfilter |
permanent link ]
Tiramisu - Why is it so hard to get?
Another dinner at the local Italian food place. Again I asked for Tiramisu
(which is on their regular menu), and they didn't have it. This would make it
a total of 12% availability of Tiramisu over the last year. Every time I go to
this place (which is quite frequent), I ask for Tiramisu - and still they don't
bother regularly preparing one.
And it's not even only at that place. It's almost the same with all Italian
restaurants, judging by my past experience. Why don't they get it? They won't
sell anything by just putting it on the menu - they actually need to have it
available. *sigh*.
[ /personal |
permanent link ]
New gnumonks.org mail server online
Recently I pointed out that I'm about to move my personal mail away from KNF.
The new server ganesha.gnumonks.org is now co-located at noris.net, where netfilter.org is hosted, too.
The netfilter and gnumonks machines are within a private VLAN, with a dedicated
firewall in front of them.
Putting that machine in place turned out to be much more difficult than
expected. It seems that Intel recently decided to give their e100/e1000 chips
new PCI device IDs, which in turn means that old (e.g. Debian woody install
kernels) Linux drivers don't recognize them. So in the end I had to install
SuSE into a swap partition and debootstrap the system from there. *sigh*.
Thanks to the noris.net crew for their assistance, I know they spent way too
much time with me considering I bought their smallest entry-level housing
product.
[ /knf |
permanent link ]
Found a new apartment
It seems like searching for a new apartment was surprisingly easy. The
landlord didn't yet sign the contract, but we found a decent place in Treptow.
More details will follow soon.
[ /personal |
permanent link ]
Continued work on libiptc2
I finally found some time to work on what I call 'libiptc2'. It is basically a
re-implementation of the 'chain cache' inside libiptc. This should remove
the last O(n) complexities we have in there. While I would really enjoy working
on new stuff like pkttables, this kind of work keeps me from doing it :(
[ /linux/netfilter |
permanent link ]
Finally some time for a new 'commercial' homepage
I started to work on www.hmw-consulting.de, the first professional/commercial homepage for my business in five years :)
[ /personal |
permanent link ]
The brave (slow, buggy) new world of XML
Some time ago I decided to write the new netfilter.org project homepage in
docbook-website XML. I thought (and still think) that this was _the_ way to
deal with HTML. Have some nice XSLs, generate XHTML and put all formatting
information in CSS.
However, after trying to use more and more advanced functions, I have to admit
that this is far from being easy or documented in any way. I didn't even
manage to get the XBEL example for docbook-website running. xsltproc would
return 'No template found for xlink'. I tried to find any information on the
web on whether xsltproc implemented xlink at all. No way. All I managed to find out
is that libxslt/libxml2 did in fact implement xlink, but no information on whether
xsltproc took advantage of that.
In the end I found out that using XInclude seemed to work. Great. Now all I
need is the netfilter link collection in XBEL format.
[ /linux |
permanent link ]
Submitting patches
I finally got around to initiate another one of my patch submission cycles.
This means that DaveM is receiving a number of patches that have been pending
in the netfilter patch-o-matic repository.
Apart from that, pom-ng needs some more work. It turns out I will have to do
some perl scripting again.
[ /linux/netfilter |
permanent link ]
New package 'reveng-tools' started
Since I'm reverse engineering quite a number of embedded firmware images
lately, I have started a new project called 'reveng-tools'.
The idea is to provide a set of tools that can be handy if you want to do
that kind of work. For one part, you need a tool to scan a binary for
signatures of well known file/compression/archive types. This part is already
finished and called 'magic_ofs'.
I'm now working on an endian-safe cramfs extractor and a bFLT de-compressor. Stay tuned.
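The signature scan that 'magic_ofs' is described as doing, as an added example in C; this is not reveng-tools code, and the signature table, the check callbacks and the sample "firmware image" (built inline, with a decoy string) are my own assumptions. Note how the cramfs magic 0x28cd3d45 has to be listed in both byte orders, which is the same endianness problem the extractor has to deal with, and how short magics like "BZh" and 1f 8b need a sanity check on the following byte to avoid matching random data.

```c
/* Added example, not the reveng-tools code: report the offsets of a few
 * well-known container/compression magics inside a binary blob. */
#include <stdio.h>
#include <stdint.h>
#include <string.h>
#include <stddef.h>

/* Optional plausibility check on the bytes following a magic; returns 1 if ok. */
typedef int (*magic_check)(const uint8_t *p, size_t avail);

struct magic {
    const char *name;
    const uint8_t *bytes;
    size_t len;
    magic_check check;   /* NULL if the magic alone is considered enough */
};

/* gzip: third byte is the compression method, 8 = deflate */
static int gzip_ok(const uint8_t *p, size_t avail) { return avail >= 3 && p[2] == 0x08; }
/* bzip2: "BZh" is followed by the block size digit '1'..'9' */
static int bzip2_ok(const uint8_t *p, size_t avail) { return avail >= 4 && p[3] >= '1' && p[3] <= '9'; }

static const uint8_t GZIP[]      = { 0x1f, 0x8b };
static const uint8_t ELF[]       = { 0x7f, 'E', 'L', 'F' };
static const uint8_t ZIP[]       = { 'P', 'K', 0x03, 0x04 };
static const uint8_t BZIP2[]     = { 'B', 'Z', 'h' };
/* cramfs superblock magic 0x28cd3d45, as stored on disk in either byte order */
static const uint8_t CRAMFS_LE[] = { 0x45, 0x3d, 0xcd, 0x28 };
static const uint8_t CRAMFS_BE[] = { 0x28, 0xcd, 0x3d, 0x45 };

static const struct magic MAGICS[] = {
    { "gzip",      GZIP,      sizeof GZIP,      gzip_ok },
    { "ELF",       ELF,       sizeof ELF,       NULL },
    { "zip",       ZIP,       sizeof ZIP,       NULL },
    { "bzip2",     BZIP2,     sizeof BZIP2,     bzip2_ok },
    { "cramfs-le", CRAMFS_LE, sizeof CRAMFS_LE, NULL },
    { "cramfs-be", CRAMFS_BE, sizeof CRAMFS_BE, NULL },
};
#define NMAGICS (sizeof MAGICS / sizeof MAGICS[0])

struct hit { size_t offset; const char *name; };

/* Scan buf for every known magic at every byte offset. Stores up to max hits
 * in ascending offset order; returns the total number found (may exceed max). */
size_t magic_scan(const uint8_t *buf, size_t len, struct hit *hits, size_t max)
{
    size_t n = 0;
    for (size_t off = 0; off < len; off++) {
        for (size_t m = 0; m < NMAGICS; m++) {
            const struct magic *mg = &MAGICS[m];
            if (len - off < mg->len) continue;
            if (memcmp(buf + off, mg->bytes, mg->len) != 0) continue;
            if (mg->check && !mg->check(buf + off, len - off)) continue;
            if (n < max) { hits[n].offset = off; hits[n].name = mg->name; }
            n++;
        }
    }
    return n;
}

/* Constructed sample image (an assumption, not a real firmware): 0x100 bytes of
 * 0xff padding, a decoy "BZhx" at 0x20 (no block-size digit, so rejected), a
 * little-endian cramfs magic at 0x40 and a gzip header at 0x80. */
size_t build_sample_image(uint8_t *out, size_t cap)
{
    const size_t size = 0x100;
    const uint8_t gz[] = { 0x1f, 0x8b, 0x08, 0x00 };
    if (cap < size) return 0;
    memset(out, 0xff, size);
    memcpy(out + 0x20, "BZhx", 4);
    memcpy(out + 0x40, CRAMFS_LE, sizeof CRAMFS_LE);
    memcpy(out + 0x80, gz, sizeof gz);
    return size;
}

int main(void)
{
    uint8_t img[0x100];
    struct hit hits[16];
    size_t len = build_sample_image(img, sizeof img);
    size_t n = magic_scan(img, len, hits, 16);
    for (size_t i = 0; i < n && i < 16; i++)
        printf("0x%08zx  %s\n", hits[i].offset, hits[i].name);
    return 0;
}
```

For a real image you would read the file into the buffer instead of calling build_sample_image; the scan is O(len * NMAGICS) and fine for firmware-sized inputs.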
[ /linux/gpl-violations |
permanent link ]
A day of patch-o-matic-ng merging
Since there are slight syntactic and semantic differences in the API
for iptables matches and targets between 2.4.x and 2.6.x kernels, a minimum
of editing has to take place in order to make even the simplest 2.4.x extension
work with 2.6.x. With more than 65 extensions in current pom-ng, this can
take quite a while.
Apart from a minor bug in the Netfilter_POM.pm perl module, we should now be
ready for the first official pom-ng release. Finally, people will be able to
use our extensions with a 2.6.x kernel.
[ /linux/netfilter |
permanent link ]
Ordered two external Firewire Cases, both broken
Sometimes you really have to wonder what kind of stuff one of .de's largest
computer suppliers is selling. I ordered two external cases, both of them
broken. The 2.5" is about 1mm too small for my hard drive. The 5.25" comes
with screws that are too short, and the electronics are completely broken. As
soon as it is attached to a bus, all other devices will vanish, too.
Which brings me to another issue: Why are there no external SCSI cases with
built-in firewire bridge? I mean, the IDE ones you can buy everywhere have to
do something like IDE -> SCSI -> SBP2 -> Firewire. So they already include a
SCSI layer, at least to some degree. I have tons of SCSI devices that I would
then be able to connect to my notebook and other machines.
Also, why are there no four- or eight-device external firewire towers?
Something where you can put all your CD/DVD/whatever drives into and connect
them to any of your machines. Now I have to buy one case per device, which
each has their own power supply, ...
netfilter/iptables reached settlement with Allnet GmbH
Today we have successfully announced our out-of-court settlement with Allnet
GmbH on their infringing use of our GPL licensed software. Please see the original press release.
I'm extremely happy that this could be solved in such cooperative manner. It's
great to see companies are paying attention if they get informed the right way.
Some people are asking me: Why didn't you just ask them, why go via a lawyer
and send them a legal note? The answer is quite easy: If you just send an
email to any company, you will end up with technical support. The tech people
most likely already know about the GPL and its conditions. On the other hand,
if you have a lawyer send a note, then you gain attention among the
administrative staff. And those are the kind of people you want to reach for a real change within a company's policies.
There are quite a number of other companies that are using netfilter/iptables
without complying with the license terms. Now that we have succeeded with the
first, we are going to pursue this path and subsequently ask each of them to comply with the license.
Again, it's important to state that we would very much like to see more Linux
and netfilter/iptables based products. We do not oppose commercial use of our
code at all. We just want the license conditions to be fulfilled - and that's
just fair.
[ /linux/gpl-violations |
permanent link ]
redesign of dstlimit match
A couple of weeks ago I first published the dstlimit match. It provides an
easy way of rate-limiting certain packets on a 'per destination ip' or 'per
destination ip/port' tuple basis.
However, it turned out that it had several flaws. One of them was that you
could create two /proc/net/dstlimit/ files with the same name. procfs doesn't
actually check whether a file already exists when you create it (from within
the kernel). Several hours of research within the VFS (of which I have no
idea) and conversation with some other kernel developers revealed that there is
no reliable way to check if a specific file already exists. Even if there was, you would never be able to atomically check-and-create.
So in the end I had to implement some major changes in the dstlimit code.
However, this again changed the kernel/userspace structure layout, so you will
have to recompile both in order to use it.
[ /linux/netfilter |
permanent link ]
moving gnumonks.org mail/web/ftp server
After being hosted in the basement of my former office, connected via an SDSL
line to KNF, I have now made the decision
to move my mail/web/ftp server to a commercial hosting center.
Connectivity behind that old line was becoming increasingly unreliable due to
various problems at the University of Erlangen, which is part of my upstream
routing path.
Unfortunately the old gnumonks.org machines are all desktop/mini-tower systems,
so I now have to buy an expensive 19" 2U server. It will be hosted at noris network, where the netfilter.org machines
are hosted, too.
[ /knf |
permanent link ]
My powerbook is now able to use the external VGA!
After hours of trial and error and reading the XFree86 radeon driver, I now finally
managed to get the external DVI/VGA port of my Apple TiBook IV to display
something useful. CloneMode didn't work for some strange reason, but I'm now
running a multihead setup.
This means that at the next conference I can give my presentation with just
one single notebook, no need for second notebook, crossover cable and remote X
display anymore. If that isn't good news...
[ /linux |
permanent link ]
The netfilter/iptables project is looking for a hardware donation
The project's mail/web/ftp/cvs/list/... servers are highly loaded, and as usual
the load always increases. We're getting more list members, more downloads and
more page views every month. However, our current hardware is not growing by itself. Thus, we need to buy a new machine soon.
All of the current (and past) hardware was bought from my personal wallet.
While I could afford this in the past, I would very much like to see one of our
corporate netfilter/iptables users step up and show their support for
netfilter/iptables by donating a new machine. This would be an ideal
opportunity to show the development community that you are not just using free
software, but also putting in your part to make it work.
We have very specific needs with regard to the hardware we use: It has to be a
1U system, and non-x86. This basically leaves us with Sun UltraSPARC based
systems, and the Apple XServe line. Both options would cost about EUR 3500 to 3800.
If you are interested in sponsoring such a system, please contact Harald to discuss the details. Thanks
in advance.
[ /linux/netfilter |
permanent link ]
Evaluating GTK+ / GTK-- for GSPC graphical interface
After not having done any GUI programming for the last five years or so, I'm
now investigating the world of GTK+ / GTK--. GSPC will soon need a graphical
frontend, running directly on the framebuffer (potentially DirectFB), with no
mouse and only a very limited keyboard as input device.
[ /linux/gspc |
permanent link ]
Finding a suitable math parser
GSPC currently uses spar-0.5.10, a quite nice math language parser. However,
it is unmaintained, still contains a lot of bugs and is incomplete. Can
anybody tell me why in this big world of free software there is not a single
simple mathematical parser that can be embedded into an application? I just
want to evaluate simple statements like "(X*3.56)-max(y*1.23,z*1.341)".
The author of spar has since started a new project, called Iguana. It is a
whole language, not only simple mathematical statements. However, it still
lacks some of the functionality spar used to have - and it has a totally different syntax.
Now I face the choice between extending the good old spar with stuff like
variable length argument functions, or converting everything to use Iguana (and implementing the missing bits from spar in Iguana).
[ /linux/gspc |
permanent link ]
Jozsef made my day by finishing pom-ng
Jozsef was kind enough to implement the missing features in patch-o-matic-ng.
This is really great. It was one of the most important pending items on my
TODO list.
This basically means that we are on the brink of the first official pom-ng
release, enabling 2.6.x kernel users to benefit from the vast collection of
netfilter/iptables features contained in patch-o-matic.
[ /linux/netfilter |
permanent link ]
Survived another birthday
I hate birthday parties. Why is it worth celebrating every single year of life
that has passed? Can anybody explain that, please? I really don't see any
value in celebrating that day.
For those of you who tried to call me: I did intentionally not pick up the
phone, since I really don't like to receive congratulations for something trivial like having survived another year.
[ /personal |
permanent link ]
GSPC: Gnumonks.org Statistical Process Control
This is some piece of software I wrote about a year ago for a German massive
forming technology company. Luckily, they agreed to make this software
available under the GNU GPL. To my knowledge, it is the only GPL-licensed
software for statistical process control.
Unfortunately I didn't have the time to write any decent documentation or put up a homepage for that software so far. I will do so shortly.
During the last week, I was contracted to extend GSPC to support up to 16
inductive displacement transducers, and support multiple data acquisition
boards per system.
[ /linux/gspc |
permanent link ]
more work on the fail-over code
I'm getting more and more of the fail-over code done. It now implements
conntrack exemption (NOTRACK) for the sync device, and also blocks all
incoming/outgoing network traffic on any node that is currently in 'slave'
state. This means that all interfaces can be configured, any applications can
be running, sockets bound, ... - but none of that will be visible to the
network until the node is promoted to master state.
This needs explicit support for new netfilter hooks in the core network stack (I call them l2hooks, other people NETFILTER_PACKET).
Main parts that are missing:
- Correctly deal with sync packet loss situations
- Replicate expectations (needs conntrack expect notifications)
- Testing on SMP systems, there might be locking bugs
[ /linux/netfilter |
permanent link ]
Idea of a new conntrack-based accounting system
There has been discussion about this before, but it now came to my mind (again).
If you want to do some accounting on Linux based routers, you don't have any
reasonable way of doing so. All you can do is one of two things:
- capture all packets, do any kind of evaluation later. This is what you can do with nacctd, ULOGD/ulogd, and various other approaches. The problem is that you collect an incredible amount of data which needs to be processed.
- insert iptables rules, account only what you're really interested in. This requires prior knowledge of exactly what you want to account. You immediately get the results, and it's not possible to do any arbitrary calculation at some later point.
So there is a need for something else: conntrack based accounting. The
idea is: Let connection tracking count how many bytes+packets a connection has.
When the connection terminates, the total amount is sent to some userspace
process. This means you will have one record of accounting data per
connection. In the worst case of extremely short-lived connections, you would
end up with almost as much DMA as in the nacctd approach - but even then,
significantly less processing for the actual accounting itself.
I haven't looked into the details yet, but even generating netflow data should be possible quite easily this way.
As for the implementation, a single set of counters should be sufficient.
Adding per-CPU counters doesn't make sense, since the cache lines of the
conntrack entry have to be valid on the current CPU anyway. We're also already
under ip_conntrack_lock, so writing two more counters per packet shouldn't be
that expensive. Per-CPU counters also don't make sense if they are within the
same cache line...
One set of counters would have to be: bytes for each direction, packets for
each direction. They could be u_int32_t, since almost all connections have
less than 4GB traffic these days.
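The counter layout proposed above (one set per connection, bytes and packets per direction, 32-bit), as an added userspace example in C; this is not netfilter's conntrack code, and the structure and function names, the "connection destroyed" hook and the sample packet sequence (constructed inline) are my own assumptions. The one thing the example adds to the text is the 4GB caveat: a 32-bit byte counter that wraps is detected and the resulting record is flagged as unreliable instead of silently reporting a too-small total.

```c
/* Added example, not netfilter code: per-connection accounting counters in the
 * shape the entry proposes, updated per packet and flushed once per connection. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <stddef.h>

enum { DIR_ORIGINAL = 0, DIR_REPLY = 1 };

/* The counters that would live inside the conntrack entry. */
struct ct_counters {
    uint32_t packets[2];
    uint32_t bytes[2];
    uint32_t bytes_wrapped[2];  /* how often bytes[dir] overflowed 2^32 */
};

/* The record handed to userspace when the connection terminates. */
struct acct_record {
    uint32_t orig_packets, orig_bytes, reply_packets, reply_bytes;
    int overflowed;             /* 1 if any 32-bit byte counter wrapped */
};

/* Called once per tracked packet (in the real design under ip_conntrack_lock;
 * here a plain function). A wrap of the 32-bit byte counter is recorded so a
 * >4GB connection is not silently reported as a small one. */
void ct_account(struct ct_counters *c, int dir, uint32_t pkt_len)
{
    uint32_t before = c->bytes[dir];
    c->bytes[dir] += pkt_len;
    if (c->bytes[dir] < before)
        c->bytes_wrapped[dir]++;
    c->packets[dir]++;
}

/* Called when the connection is destroyed: one record per connection. */
struct acct_record ct_finish(const struct ct_counters *c)
{
    struct acct_record r;
    r.orig_packets  = c->packets[DIR_ORIGINAL];
    r.orig_bytes    = c->bytes[DIR_ORIGINAL];
    r.reply_packets = c->packets[DIR_REPLY];
    r.reply_bytes   = c->bytes[DIR_REPLY];
    r.overflowed    = c->bytes_wrapped[DIR_ORIGINAL] || c->bytes_wrapped[DIR_REPLY];
    return r;
}

/* Constructed sample (an assumption): a short request/response exchange. */
struct sample_pkt { int dir; uint32_t len; };
static const struct sample_pkt SAMPLE[] = {
    { DIR_ORIGINAL, 60 }, { DIR_REPLY, 60 },   { DIR_ORIGINAL, 52 },
    { DIR_ORIGINAL, 300 }, { DIR_REPLY, 52 },  { DIR_REPLY, 1500 },
    { DIR_REPLY, 1500 }, { DIR_REPLY, 800 },   { DIR_ORIGINAL, 52 },
};

/* Feed the sample through the counters and return the final record. */
struct acct_record run_sample(void)
{
    struct ct_counters c;
    memset(&c, 0, sizeof c);
    for (size_t i = 0; i < sizeof SAMPLE / sizeof SAMPLE[0]; i++)
        ct_account(&c, SAMPLE[i].dir, SAMPLE[i].len);
    return ct_finish(&c);
}

int main(void)
{
    struct acct_record r = run_sample();
    printf("orig: %u pkts %u bytes, reply: %u pkts %u bytes%s\n",
           r.orig_packets, r.orig_bytes, r.reply_packets, r.reply_bytes,
           r.overflowed ? " (counter wrapped)" : "");
    return 0;
}
```

The wrap counter costs one compare per packet in the same cache line, so it is cheap by the entry's own argument; an alternative is 64-bit byte counters, which avoid the caveat at the price of a wider structure.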
[ /linux/netfilter |
permanent link ]
A quiet week for my weblog
This is going to be a quiet week in this weblog. I'm currently at
[ /linux/netfilter |
permanent link ]