Submitting patches

I finally got around to initiating another one of my patch submission cycles. This means that DaveM is receiving a number of patches that have been pending in the netfilter patch-o-matic repository.

Apart from that, pom-ng needs some more work. It turns out I will have to do some perl scripting again.

A day of patch-o-matic-ng merging

Since there are slight syntactic and semantic differences in the API for iptables matches and targets between 2.4.x and 2.6.x kernels, a minimum of editing has to take place in order to make even the simplest 2.4.x extension work with 2.6.x. With more than 65 extensions in the current pom-ng, this can take quite a while.

Apart from a minor bug in the Netfilter_POM.pm perl module, we should now be ready for the first official pom-ng release. Finally, people will be able to use our extensions with a 2.6.x kernel.

Ordered two external Firewire Cases, both broken

Sometimes you really have to wonder what kind of stuff one of .de's largest computer suppliers is selling. I ordered two external cases, both of them broken. The 2.5" is about 1mm too small for my hard drive. The 5.25" comes with screws that are too short, and the electronics are completely broken. As soon as it is attached to a bus, all other devices will vanish, too.

Which brings me to another issue: Why are there no external SCSI cases with a built-in firewire bridge? I mean, the IDE ones you can buy everywhere have to do something like IDE -> SCSI -> SBP2 -> Firewire. So they already include a SCSI layer, at least to some degree. I have tons of SCSI devices that I would then be able to connect to my notebook and other machines.

Also, why are there no four- or eight-device external firewire towers? Something where you can put all your CD/DVD/whatever drives into and connect them to any of your machines. Now I have to buy one case per device, each of which has its own power supply, ...

netfilter/iptables reached settlement with Allnet GmbH

Today we have successfully announced our out-of-court settlement with Allnet GmbH on their infringing use of our GPL licensed software. Please see the original press release.

I'm extremely happy that this could be solved in such a cooperative manner. It's great to see that companies pay attention if they are informed the right way.

Some people are asking me: Why didn't you just ask them, why go via a lawyer and send them a legal note? The answer is quite easy: If you just send an email to any company, you will end up with technical support. The tech people most likely already know about the GPL and its conditions. On the other hand, if you have a lawyer send a note, then you gain attention among the administrative staff. And that's the kind of people you want to reach for a real change within a company's policies.

There are quite a number of other companies that are using netfilter/iptables without complying with the license terms. Now that we have succeeded with the first, we are going to pursue this path and subsequently ask each of them to comply with the license.

Again, it's important to state that we would very much like to see more Linux and netfilter/iptables based products. We do not oppose commercial use of our code at all. We just want the license conditions to be fulfilled - and that's just fair.

redesign of dstlimit match

A couple of weeks ago I first published the dstlimit match. It provides an easy way of rate-limiting certain packets on a 'per destination ip' or 'per destination ip/port' tuple base.
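As an added illustration of the bookkeeping such a match needs (this is example code written for this page, not the dstlimit source; the table size, the fixed-point token unit, the garbage-collection pass and all function names are my own assumptions), here is a per-(destination ip, destination port) token-bucket table in C. Time is passed in explicitly in milliseconds so the behaviour can be driven deterministically, and an idle-expiry pass is included because a table keyed on destinations otherwise grows with every distinct destination ever seen.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define DL_BUCKETS 64      /* hash table size: assumed, not dstlimit's */
#define DL_TOKEN   1000u   /* one packet, in fixed-point token units */

struct dl_key   { uint32_t dip; uint16_t dport; };
struct dl_entry {
    struct dl_key key;
    uint32_t tokens;       /* credit in 1/1000 packet units */
    uint64_t last_ms;      /* time of last refill */
    struct dl_entry *next;
};
struct dl_table {
    struct dl_entry *bucket[DL_BUCKETS];
    uint32_t rate_pps;     /* sustained rate, packets per second */
    uint32_t burst;        /* bucket depth, packets */
};

static unsigned dl_hash(const struct dl_key *k)
{
    /* cheap mixing of ip and port; any decent hash would do */
    uint32_t h = k->dip * 2654435761u ^ ((uint32_t)k->dport << 16);
    return (h >> 16) % DL_BUCKETS;
}

void dl_init(struct dl_table *t, uint32_t rate_pps, uint32_t burst)
{
    memset(t, 0, sizeof(*t));
    t->rate_pps = rate_pps;
    t->burst = burst;
}

static struct dl_entry *dl_find(struct dl_table *t, const struct dl_key *k, uint64_t now)
{
    unsigned h = dl_hash(k);
    struct dl_entry *e;
    for (e = t->bucket[h]; e; e = e->next)
        if (e->key.dip == k->dip && e->key.dport == k->dport)
            return e;
    /* first packet for this destination: start with a full bucket */
    e = calloc(1, sizeof(*e));
    if (!e) return NULL;
    e->key = *k;
    e->tokens = t->burst * DL_TOKEN;
    e->last_ms = now;
    e->next = t->bucket[h];
    t->bucket[h] = e;
    return e;
}

/* Returns 1 if the packet is within the per-destination rate, 0 if over.
 * now_ms must not go backwards. */
int dl_match(struct dl_table *t, uint32_t dip, uint16_t dport, uint64_t now_ms)
{
    struct dl_key k = { dip, dport };
    struct dl_entry *e = dl_find(t, &k, now_ms);
    if (!e) return 0;      /* allocation failure: treat as over limit */
    if (now_ms > e->last_ms) {
        /* ms * packets/s == 1/1000 packet units, capped at the burst depth */
        uint64_t credit = (now_ms - e->last_ms) * t->rate_pps;
        uint64_t cap = (uint64_t)t->burst * DL_TOKEN;
        uint64_t tok = e->tokens + credit;
        e->tokens = tok > cap ? (uint32_t)cap : (uint32_t)tok;
        e->last_ms = now_ms;
    }
    if (e->tokens < DL_TOKEN) return 0;
    e->tokens -= DL_TOKEN;
    return 1;
}

/* Drop entries not seen for idle_ms; returns the number removed. */
size_t dl_gc(struct dl_table *t, uint64_t now_ms, uint64_t idle_ms)
{
    size_t removed = 0;
    for (unsigned h = 0; h < DL_BUCKETS; h++) {
        struct dl_entry **pp = &t->bucket[h];
        while (*pp) {
            struct dl_entry *e = *pp;
            if (now_ms - e->last_ms > idle_ms) { *pp = e->next; free(e); removed++; }
            else pp = &e->next;
        }
    }
    return removed;
}

size_t dl_count(const struct dl_table *t)
{
    size_t n = 0;
    for (unsigned h = 0; h < DL_BUCKETS; h++)
        for (const struct dl_entry *e = t->bucket[h]; e; e = e->next) n++;
    return n;
}

void dl_free(struct dl_table *t)
{
    for (unsigned h = 0; h < DL_BUCKETS; h++)
        while (t->bucket[h]) { struct dl_entry *e = t->bucket[h]; t->bucket[h] = e->next; free(e); }
}
```

With a rate of 10 packets/second and a burst of 5, a fresh destination gets five packets through immediately, the sixth is refused, and 100 ms later exactly one more is admitted; a different port on the same address is a separate tuple with its own bucket.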

However, it turned out that it had several flaws. One of them was that you could create two /proc/net/dstlimit/ files with the same name. procfs doesn't actually check whether a file already exists when you create it (from within the kernel). Several hours of research within the vfs (of which I have no idea) and conversation with some other kernel developers revealed that there is no reliable way to check if a specific file already exists. Even if there was, you would never be able to atomically check-and-create.

So in the end I had to implement some major changes in the dstlimit code. However, this again changed the kernel/userspace structure layout, so you will have to recompile both in order to use it.

Evaluating GTK+ / GTK-- for GSPC graphical interface

After not having done any GUI programming for the last five years or so, I'm now investigating the world of GTK+ / GTK--. GSPC will soon need a graphical frontend, running directly on the framebuffer (potentially DirectFB), with no mouse and only a very limited keyboard as input device.

Finding a suitable math parser

GSPC currently uses spar-0.5.10, a quite nice math language parser. However, it is unmaintained, still contains a lot of bugs and is incomplete. Can anybody tell me why in this big world of free software there is not a single simple mathematical parser that can be embedded into an application? I just want to evaluate simple statements like "(X*3.56)-max(y*1.23,z*1.341)".

The author of spar has since started a new project, called Iguana. It is a whole language, not only simple mathematical statements. However, it still lacks some of the functionality spar used to have - and it has a totally different syntax.

Now I face the choice between extending the good old spar with stuff like variable length argument functions, or convert everything to use Iguana (and implement the missing bits from spar in Iguana).
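For anyone who just wants to evaluate statements like the one quoted above, here is an added example of a small embeddable recursive-descent evaluator in C. It is written for this page and is not code from spar or Iguana. Variables come from a caller-supplied table, the built-in max and min accept any number of arguments (the variable-length argument case mentioned above), and nesting depth and argument count are bounded so that hostile input cannot recurse or index without limit; MAX_DEPTH, MAX_ARGS and all names are my own choices.

```c
#include <ctype.h>
#include <stdlib.h>
#include <string.h>

#define MAX_DEPTH 32   /* nesting limit (assumed) so input cannot recurse unboundedly */
#define MAX_ARGS  8    /* per-call argument limit (assumed) */

struct var { const char *name; double value; };

struct parser {
    const char *s;            /* current position in the input */
    const struct var *vars;   /* caller-supplied variable table */
    size_t nvars;
    int depth;                /* current parenthesis/call nesting */
    int err;                  /* set on any syntax or lookup error */
};

static double parse_expr(struct parser *p);
static void skip_ws(struct parser *p) { while (isspace((unsigned char)*p->s)) p->s++; }
static int name_is(const char *name, size_t len, const char *lit)
{ return strlen(lit) == len && memcmp(name, lit, len) == 0; }

/* Built-ins take any number (>= 1) of arguments; unknown names are errors. */
static double call_builtin(struct parser *p, const char *name, size_t len, const double *a, int n)
{
    if (n < 1) { p->err = 1; return 0; }
    double r = a[0];
    if (name_is(name, len, "max")) { for (int i = 1; i < n; i++) if (a[i] > r) r = a[i]; return r; }
    if (name_is(name, len, "min")) { for (int i = 1; i < n; i++) if (a[i] < r) r = a[i]; return r; }
    p->err = 1; return 0;
}

/* primary := number | name | name '(' expr {',' expr} ')' | '(' expr ')' */
static double parse_primary(struct parser *p)
{
    double v;
    skip_ws(p);
    if (*p->s == '(') {
        if (++p->depth > MAX_DEPTH) { p->err = 1; return 0; }
        p->s++;
        v = parse_expr(p);
        p->depth--;
        skip_ws(p);
        if (*p->s != ')') { p->err = 1; return 0; }
        p->s++;
        return v;
    }
    if (isdigit((unsigned char)*p->s) || *p->s == '.') {
        char *end;
        v = strtod(p->s, &end);
        p->s = end;
        return v;
    }
    if (isalpha((unsigned char)*p->s) || *p->s == '_') {
        const char *name = p->s;
        while (isalnum((unsigned char)*p->s) || *p->s == '_') p->s++;
        size_t len = (size_t)(p->s - name);
        skip_ws(p);
        if (*p->s != '(') {                    /* plain variable reference */
            for (size_t i = 0; i < p->nvars; i++)
                if (name_is(name, len, p->vars[i].name)) return p->vars[i].value;
            p->err = 1; return 0;
        }
        double args[MAX_ARGS]; int n = 0;      /* function call */
        if (++p->depth > MAX_DEPTH) { p->err = 1; return 0; }
        p->s++;
        for (;;) {
            if (n == MAX_ARGS) { p->err = 1; return 0; }
            args[n++] = parse_expr(p);
            skip_ws(p);
            if (*p->s == ',') { p->s++; continue; }
            if (*p->s != ')') { p->err = 1; return 0; }
            p->s++; break;
        }
        p->depth--;
        return call_builtin(p, name, len, args, n);
    }
    p->err = 1; return 0;
}

/* factor := '-'* primary   (unary minus handled iteratively, not recursively) */
static double parse_factor(struct parser *p)
{
    int neg = 0;
    skip_ws(p);
    while (*p->s == '-') { neg ^= 1; p->s++; skip_ws(p); }
    double v = parse_primary(p);
    return neg ? -v : v;
}

/* term := factor {('*'|'/') factor} */
static double parse_term(struct parser *p)
{
    double v = parse_factor(p);
    for (skip_ws(p); *p->s == '*' || *p->s == '/'; skip_ws(p)) {
        char op = *p->s++;
        double r = parse_factor(p);
        v = op == '*' ? v * r : v / r;
    }
    return v;
}

/* expr := term {('+'|'-') term} */
static double parse_expr(struct parser *p)
{
    double v = parse_term(p);
    for (skip_ws(p); *p->s == '+' || *p->s == '-'; skip_ws(p)) {
        char op = *p->s++;
        double r = parse_term(p);
        v = op == '+' ? v + r : v - r;
    }
    return v;
}

/* Evaluate src against vars. Returns 0 on success, -1 on error (result untouched). */
int eval_expr(const char *src, const struct var *vars, size_t nvars, double *result)
{
    struct parser p = { src, vars, nvars, 0, 0 };
    double v = parse_expr(&p);
    skip_ws(&p);
    if (p.err || *p.s != '\0') return -1;      /* trailing garbage is an error too */
    *result = v;
    return 0;
}
```

With X=2, y=3 and z=4 the quoted statement evaluates to 7.12 - max(3.69, 5.364) = 1.756. Unknown names, unbalanced parentheses, trailing input and nesting deeper than MAX_DEPTH are all reported as errors rather than silently producing a value.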

moving gnumonks.org mail/web/ftp server

After being hosted in the basement of my former office, connected via an SDSL line to KNF, I have now made the decision to move my mail/web/ftp server to a commercial hosting center.

Connectivity behind that old line was becoming increasingly unreliable due to various problems at the University of Erlangen, which is part of my upstream routing path.

Unfortunately the old gnumonks.org machines are all desktop/mini-tower systems, so I now have to buy an expensive 19" 2U server. It will be hosted at noris network, where the netfilter.org machines are hosted, too.

My powerbook is now able to use the external VGA!

After hours of trial and error and reading the XFree86 radeon driver, I now finally managed to get the external DVI/VGA port of my Apple TiBook IV to display something useful. CloneMode didn't work for some strange reason, but I'm now running a multihead setup.

This means that at the next conference I can give my presentation with just one single notebook, no need for a second notebook, crossover cable and remote X display anymore. If that isn't good news...

The netfilter/iptables project is looking for a hardware donation

The project's mail/web/ftp/cvs/list/... servers are highly loaded, and as usual the load always increases. We're getting more list members, more downloads and more page views every month. However, our current hardware is not growing by itself. Thus, we need to buy a new machine soon.

All of the current (and past) hardware was bought from my personal wallet. While I could afford this in the past, I would very much like to see one of our corporate netfilter/iptables users step up and show its support for netfilter/iptables by donating a new machine. This would be an ideal opportunity to show the development community that you are not just using free software, but also putting in your part to make it work.

We have very specific needs with regard to the hardware we use: It has to be a 1U system, and non-x86. This basically leaves us with Sun UltraSPARC based systems, and the Apple XServe line. Both options would cost about EUR 3500 to 3800.

If you are interested in sponsoring such a system, please contact Harald to discuss the details. Thanks in advance.

Jozsef made my day by finishing pom-ng

Jozsef was kind enough to implement the missing features in patch-o-matic-ng. This is really great. It was one of the most important pending items on my TODO list.

This basically means that we are at the brink of the first official pom-ng release, enabling 2.6.x kernel users to benefit from the vast collection of netfilter/iptables features contained in patch-o-matic.

GSPC: Gnumonks.org Statistical Process Control

This is some piece of software I wrote about a year ago for a German massive forming technology company. Luckily, they agreed to make this software available under the GNU GPL. To my knowledge, it is the only GPL-licensed software for statistical process control.

Unfortunately I didn't have the time to write any decent documentation or put up a homepage for that software so far. I will do so shortly.

During the last week, I was contracted to extend GSPC to support up to 16 inductive displacement transducers, and support multiple data acquisition boards per system.

Survived another birthday

I hate birthday parties. Why is it worth celebrating every single year of life that has passed? Can anybody explain that, please? I really don't see any value in celebrating that day.

For those of you who tried to call me: I did intentionally not pick up the phone, since I really don't like to receive congratulations for something trivial like having survived another year.

Idea of a new conntrack-based accounting system

There has been discussion about this before, but it now came to my mind (again).

If you want to do some accounting on Linux based routers, you don't have any reasonable way of doing so. All you can do is:

  • capture all packets, do any kind of evaluation later. This is what you can do with nacctd, ULOGD/ulogd, and various other approaches. The problem is that you collect an incredible amount of data which needs to be processed.
  • insert iptables rules, account only what you're really interested in. This requires prior knowledge of exactly what you want to account. You immediately get the results, and it's not possible to do any arbitrary calculation at some later point.

So there is a need for something else: conntrack based accounting. The idea is: Let connection tracking count how many bytes+packets a connection has. When the connection terminates, the total amount is sent to some userspace process. This means you will have one record of accounting data per connection. In the worst case of extremely short-lived connections, you would end up with almost as much DMA as in the nacctd approach - but even then, significantly less processing for the actual accounting itself.

I haven't looked into the details yet, but even generating netflow data should be possible quite easily this way.

As for the implementation, a single set of counters should be sufficient. Adding per-CPU counters doesn't make sense, since the cache lines of the conntrack entry have to be valid on the current CPU anyway. We're also already under ip_conntrack_lock, so writing two more counters per packet shouldn't be that expensive. Per-CPU counters also don't make sense if they are within the same cache line...

One set of counters would have to be: bytes for each direction, packets for each direction. They could be u_int32_t, since almost all connections have less than 4GB traffic these days.
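As an added userspace model of that design (example code for this page, not kernel or netfilter code; the record format, the replay helper and the wrap counter are my own additions, and the packet trace is constructed, not captured), here is the per-connection bookkeeping with one counter set per direction and the record emitted when the connection goes away. The practitioner caveat the example makes visible: a 32-bit byte counter wraps silently on a flow that does exceed 4GB, so either the counters are widened or, as done here, the wrap is noticed and recorded so the total can still be reconstructed.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum ct_dir { CT_DIR_ORIGINAL = 0, CT_DIR_REPLY = 1 };

struct ct_counter {
    uint32_t packets;
    uint32_t bytes;            /* u_int32_t, as proposed in the text */
};

struct ct_acct {
    uint32_t src, dst;         /* host byte order, original direction */
    uint16_t sport, dport;
    const char *proto;
    struct ct_counter ctr[2];  /* one set per direction */
    uint32_t byte_wraps[2];    /* my addition: how often bytes crossed 4 GB */
};

struct ct_pkt { enum ct_dir dir; uint32_t len; };   /* minimal stand-in for an skb */

void ct_acct_init(struct ct_acct *ct, const char *proto,
                  uint32_t src, uint16_t sport, uint32_t dst, uint16_t dport)
{
    memset(ct, 0, sizeof(*ct));
    ct->proto = proto; ct->src = src; ct->sport = sport; ct->dst = dst; ct->dport = dport;
}

/* The per-packet hot path: two increments on the packet's direction. In the
 * kernel this would run under ip_conntrack_lock on an already-hot conntrack
 * entry, which is why a single counter set rather than per-CPU ones suffices. */
void ct_acct_packet(struct ct_acct *ct, enum ct_dir dir, uint32_t len)
{
    struct ct_counter *c = &ct->ctr[dir];
    c->packets++;
    if (UINT32_MAX - c->bytes < len)   /* 32-bit byte counter is about to wrap */
        ct->byte_wraps[dir]++;
    c->bytes += len;
}

/* Replay a constructed packet trace through the accounting hook. */
void ct_acct_replay(struct ct_acct *ct, const struct ct_pkt *pkts, size_t n)
{
    for (size_t i = 0; i < n; i++)
        ct_acct_packet(ct, pkts[i].dir, pkts[i].len);
}

/* 64-bit byte total for one direction, rebuilt from the counter plus wraps. */
uint64_t ct_acct_bytes(const struct ct_acct *ct, enum ct_dir dir)
{
    return ((uint64_t)ct->byte_wraps[dir] << 32) + ct->ctr[dir].bytes;
}

static void ip_str(uint32_t ip, char out[16])
{
    snprintf(out, 16, "%u.%u.%u.%u", ip >> 24, (ip >> 16) & 255, (ip >> 8) & 255, ip & 255);
}

/* What userspace receives when the connection is destroyed: one record per
 * connection covering both directions. Returns the number of chars written. */
int ct_acct_record(const struct ct_acct *ct, char *buf, size_t n)
{
    char s[16], d[16];
    ip_str(ct->src, s); ip_str(ct->dst, d);
    return snprintf(buf, n, "%s %s:%u -> %s:%u orig=%u/%llu reply=%u/%llu",
                    ct->proto, s, ct->sport, d, ct->dport,
                    ct->ctr[CT_DIR_ORIGINAL].packets,
                    (unsigned long long)ct_acct_bytes(ct, CT_DIR_ORIGINAL),
                    ct->ctr[CT_DIR_REPLY].packets,
                    (unsigned long long)ct_acct_bytes(ct, CT_DIR_REPLY));
}

/* Constructed sample: a short HTTP-like exchange (not captured traffic). */
static const struct ct_pkt sample_http[] = {
    { CT_DIR_ORIGINAL, 60 }, { CT_DIR_REPLY, 60 }, { CT_DIR_ORIGINAL, 500 },
    { CT_DIR_REPLY, 1500 }, { CT_DIR_REPLY, 1500 }, { CT_DIR_ORIGINAL, 60 }, { CT_DIR_REPLY, 60 },
};

int main(void)
{
    struct ct_acct ct;
    char line[128];
    ct_acct_init(&ct, "tcp", 0x0a000001, 40000, 0x0a000002, 80);
    ct_acct_replay(&ct, sample_http, sizeof sample_http / sizeof *sample_http);
    ct_acct_record(&ct, line, sizeof line);
    puts(line);   /* one accounting record for the whole connection */
    return 0;
}
```

For the sample trace the record reads "tcp 10.0.0.1:40000 -> 10.0.0.2:80 orig=3/620 reply=4/3120": seven packet-time increments collapse into a single record at connection end, which is the whole point of the approach.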

more work on the fail-over code

I'm getting more and more of the fail-over code done. It now implements conntrack exemption (NOTRACK) for the sync device, and also blocks all incoming/outgoing network traffic on any node that is currently in 'slave' state. This means that all interfaces can be configured, any applications can be running, sockets bound, ... - but none of that will be visible to the network until the node is promoted to master state.
This needs explicit support for new netfilter hooks in the core network stack (I call them l2hooks, other people NETFILTER_PACKET).

Main parts that are missing:

  • Correctly deal with sync packet loss situations
  • Replicate expectations (needs conntrack expect notifications)
  • Testing on SMP systems, there might be locking bugs

"Parliamentary Evening" about software patents

Yesterday I was invited to a parliamentary evening organized by FFII e.V., a not-for-profit organization lobbying against the introduction of software patents in the European Union.
As you may know, they've been quite successful during the last year, since the European Parliament passed a directive that prevents any patent on computer software. However, due to the strange way the EU works, this directive has to be approved by the EU council before it gets enacted. The council is composed of representatives of the executive governments, not of directly elected members of parliament.

The purpose of this event was to raise awareness about the dangers of software (and pure algorithmic/logic) patents. Among the invited guests were members of the Bundestag (the German parliament), and various officials of the BMWA, BMBF and BMJ (economy, research and justice ministries).

I thought the event went quite well. We were able to make our point and make them understand why a piece of software is different from somebody making an invention in the field of mechanics.

More work on the fail-over code

Currently Astaro is paying me for my development on the netfilter conntrack fail-over code. That's what I'm supposed to be working on, at least... I should stop reading my email in the morning, because otherwise my whole day will be filled with other stuff that just results from reading emails.

Anyway, the fail-over has been progressing, slowly but steadily. I should expect some working code any day now.

Thanks again to

Trying to make 2.6.x IPsec and conntrack/nat work

Spent some time thinking about how to possibly solve the long standing problem with conntrack/NAT and the 2.6.x in-kernel AH/ESP implementation.
The recent discussion on netfilter-devel was quite productive, although most of my ideas turned out to be technically impossible :(
For example, iptables cannot attach the same CHAIN to multiple HOOKS. That would be so neat. Would somebody remind me that this has to go into pkttables?
Anyway, I've now written a surprisingly small (but still ugly) patch that should do about 60% of the solution that we agreed upon on the mailing list.
Unfortunately, I don't have the time to set up a full IPsec test bed right now, so I have to rely on others to test it.

Ulogd is becoming a flow accounting subsystem

Some nice Russian guy wrote a patch to add BSD like ipacct flow accounting to ulogd. This is something I had on my wish list for quite some time.

He has written an OUTPUT plugin that does all the flow accounting and file-writing itself. However, I have an idea of how this could be implemented in a more generic way: Implement flow accounting as an interpreter, and return a pointer to a struct flowinfo via a new ulog_iret_t. This way any output plugin could reference flow information for the current flow.

Why do people have to make winter holidays?

I tried to get a train reservation on Friday/Saturday between Berlin and Nuernberg. All the trains, even the night trains (sleeper trains) on Friday or Saturday morning, are fully booked.

Apparently winter holidays in Berlin are starting and everybody is heading south to Bavaria and Austria for winter 'sports'. Kind of annoying that you cannot even get a single ticket five days in advance.

Back home

After LWE, I've finally arrived at home again... at least for one week (when I'll be heading to Karlsruhe). Feels somehow strange to use Euro coins again ;)
Well, I see a week packed full with work, ranging from netfilter fail-over stuff to dealing with gpl violations, reading all the pending snail mail, paying bills, visiting important events (see other entry in today's blog).

Bought three interesting books

During my stay in NYC I went to the NYU computer bookstore, just for browsing, not looking for anything in particular. In the end, I spent more than 150 bucks on three books:

  • Telecommunications Technologies Reference (ISBN 1-58705-036-6): This makes excellent reading for somebody with an Internet background who wants to learn about the general architecture of modern telephone systems, SS7, frame relay, ATM, SONET/SDH, ISDN BRI/PRI protocol layers, encodings, multiplexing, ...
  • 802.11 Wireless LAN Fundamentals (ISBN 1-58705-077-3): A comprehensive guide to the 802.11 standards, ranging from the MAC to the PHY layer, advancing to the encoding and modulation techniques used. It also covers roaming, Mobile IP, WPA, WEP, 802.1x. A good read for those who want to learn more about the 802.11 family.
  • Practical VoIP: A book about the VOCAL implementation of SIP/SDP user agent/proxy/gateway functionality, with solutions to interconnect with H.323 and MGCP. It also includes introductions to the respective protocols; however, having read the relevant SIP RFCs, I skipped that part.

First day at Linux World Expo

This is the first day of LWE 2004. It's much smaller than I expected. The exhibition area is definitely not as large as at Linuxtag in Germany. As you'd expect at a commercially organized event, everything is perfectly organized. Too perfect for me, I'd rather have a more chaotic community-organized event.

At least I've met two people I know: Mats Wichmann and James Bottomley.

Anyway, going to give my presentation tomorrow. Let's see how many people will attend the programming tutorial.