Fighting for more open network at LinuxTag

I'm currently in discussion with the networking team and trying to talk them into a more open policy for their conference network.

In the previous years, they have adopted a security policy that effectively blocks any traffic that is not for a very limited list of destination ports (spop3, simap and others). You were unable to use protocols like cvspserver, rsync or even IPsec.

Apparently this kind of policy was adopted on behalf of the ISP who sponsored network access, in fear of the legal risk of providing an open network.

Had to turn down invitation to LSM

The great Libre Software Meeting conference has invited me to become co-chairman of the Security Topic. I feel greatly honored, but I had to turn down the offer. The LSM date is too close to other conferences I have already agreed to attend...

Maybe I can make it to LSM next year again... it's definitely one of the friendliest conferences I've seen so far - and one that is really about free software, not just Linux.

Some more ct_sync bug hunting

It seems like there's still a number of bugs left in ct_sync. I've spent the major part of the last three days hunting them down. They seem to be really hard ones that only appear when compiled with recent gcc-3.2 versions... Learned a lot about objdump and strange x86 "instruction encoding artefacts", though.

Judge granted preliminary injunction on GPL infringement

It's too early to discuss the details in public, but the netfilter project has reached the first preliminary injunction on non-fulfillment of the GPL in Germany (maybe worldwide?).

This basically means that the company is no longer allowed to distribute their GPL-infringing products within Germany.

The injunction now has to be formally sent to the infringing company (by the court). Expect some more details once this has happened. Stay tuned :)

Cancelled my Holiday Trip to India

For those of you assuming that I'd be gone from Apr 3 to Apr 18: I have to disappoint you. I just cancelled that trip: Too much work at the moment, can't afford to take off for two weeks.

revived the dropped table

After about two years in deep freeze, I revived the idea of a dropped table. For those of you who haven't heard about it in the past: The idea is to gather all packets that are dropped at any place within the network stack. This is very useful for auditing and debugging.

Userspace support has been included in libiptc/iptables for ages, so all you need is patch-o-matic-ng from >= today.

Settlement with ASUS

ASUS has now signed a "declaration to cease and desist" on their infringing use of GPL licensed software in their WL-500g product. More news to be announced soon.

Survived a day of CeBIT

I generally don't like trade shows. As their name clearly indicates, their main goal is trade. You will have to try very hard to find really technical people. All you find is vendors who try to sell you solutions. Who's interested in solutions? I want some nice equipment and tools, then solve the problems on my own.

Anyway, I had an important appointment, so I went there. Despite the truckloads of consumers, gamers and the like, I was able to wade through the masses. Luckily Astaro and Balabit were friendly enough to offer me shelter in their booths ;)

Let's hope I won't have to do it too often.

Another GPL violation settled out of court (Securepoint GmbH)

Securepoint was offering software-only firewall products based on Linux and netfilter/iptables without correctly reproducing the GPL license terms or a written offer for the source code.

An agreement has been reached now, watch out for the press release on netfilter.org later today.

Allnet source code offering incomplete

According to an email I received yesterday, the Allnet source offer does not contain the full sources for the product. As an example, uClibc seems to be missing. Luckily, I'll be meeting their CEO on Saturday, and I hope we can resolve that issue.

FSC sources corrupt

As I found out yesterday, the sources offered by Fujitsu-Siemens are corrupt (and thus incomplete). Seems like one really has to check every single bit, otherwise they are unable to comply. *sigh*

I'll keep you updated.

A black day in the history of EU legislation

In an undemocratic manner and without public discussion, the European Parliament has passed an "IP rights enforcement directive" to "counter intellectual property piracy".

How can it happen that the wife of the head of one of Europe's biggest media companies (Vivendi International) can propose a Directive in January that passes the Parliament in early March, when usually this process takes half a year to years?

This makes me sick and angry. I start to completely lose faith in European lawmakers. While fighting another EU directive on the patentability of software for years, another directive gets proposed and passes so quickly that no public reaction can take place; nobody can even contact their representative MEPs.

For more information, see

Added a new 'licensing' section on the netfilter homepage

Since recently more and more vendors seem to disobey the terms of the GNU GPL, I decided to put some more detailed information on how to comply with this license online. It was written for the netfilter/iptables project, but should apply to any other GPL licensed free software project. You can find the section here.

New gnumonks.org mail server online

Recently I pointed out that I'm about to move my personal mail away from KNF. The new server ganesha.gnumonks.org is now co-located at noris.net, where netfilter.org is hosted, too. The netfilter and gnumonks machines are within a private VLAN, with a dedicated firewall in front of them.

Putting that machine in place turned out to be much more difficult than expected. It seems that Intel recently decided to give their e100/e1000 chips new PCI device IDs, which in turn means that old (e.g. Debian woody install kernel) Linux drivers don't recognize them. So in the end I had to install SuSE into a swap partition and debootstrap the system from there. *sigh*.

Thanks to the noris.net crew for their assistance, I know they spent way too much time with me considering I bought their smallest entry-level housing product.

Tiramisu - Why is it so hard to get?

Another dinner at the local Italian food place. Again I asked for Tiramisu (which is on their regular menu), and they didn't have it. This would make it a total of 12% availability of Tiramisu over the last year. Every time I go to this place (which is quite frequent), I ask for Tiramisu - and still they don't bother regularly preparing one.

And it's not even only at that place. It's almost the same with all Italian restaurants, judging by my past experience. Why don't they get it? They won't sell anything by just putting it on the menu - they actually need to have it available. *sigh*.

Found a new apartment

It seems like searching for a new apartment was surprisingly easy. The landlord didn't yet sign the contract, but we found a decent place in Treptow. More details will follow soon.

Continued work on libiptc2

I finally found some time to work on what I call 'libiptc2'. It is basically a re-implementation of the 'chain cache' inside libiptc. This should remove the last O^n complexities we have in there. While I would really enjoy working on new stuff like pkttables, this kind of work keeps me from doing it :(

The brave (slow, buggy) new world of XML

Some time ago I decided to write the new netfilter.org project homepage in docbook-website XML. I thought (and still think) that this was _the_ way to deal with HTML. Have some nice XSLs, generate XHTML and put all formatting information in CSS.

However, after trying to use more and more advanced functions, I have to admit that this is far from being easy or documented in any way. I didn't even manage to get the XBEL example for docbook-website running. xsltproc would return 'No template found for xlink'. I tried to find any information on the web on whether xsltproc implemented xlink at all. No way. All I managed to find out is that libxslt/libxml2 did in fact implement xlink, but there was no information on whether xsltproc took advantage of that.

In the end I found out that using XInclude seemed to work. Great. Now all I need is the netfilter link collection in XBEL format.

New package 'reveng-tools' started

Since I'm reverse engineering quite a number of embedded firmware images lately, I have started a new project called 'reveng-tools'.

The idea is to provide a set of tools that can be handy if you want to do that kind of work. For one part, you need a tool to scan a binary for signatures of well-known file/compression/archive types. This part is already finished and called 'magic_ofs'.

I'm now working on an endian-safe cramfs extractor and a bFLT de-compressor. Stay tuned.
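To illustrate what a signature scanner of the magic_ofs kind does, and why the cramfs extractor mentioned above needs to be endian-safe, here is an added Python example. It is not code from reveng-tools; the signature table and the sample firmware image are constructed for the example, and it reports every hit in the image rather than only the first one.

```python
import struct

# Constructed signature table: (name, bytes as they appear in the file).
CRAMFS_MAGIC = 0x28CD3D45                   # cramfs superblock magic value
SIGNATURES = [
    ("gzip",        b"\x1f\x8b\x08"),
    ("bzip2",       b"BZh"),
    ("zip",         b"PK\x03\x04"),
    ("bFLT",        b"bFLT"),                       # uClinux flat binary header
    ("cramfs-le",   struct.pack("<I", CRAMFS_MAGIC)),  # little-endian superblock
    ("cramfs-be",   struct.pack(">I", CRAMFS_MAGIC)),  # big-endian superblock
    ("squashfs-le", b"hsqs"),
    ("squashfs-be", b"sqsh"),
]

def magic_offsets(image):
    """Return (offset, name) for every signature hit, sorted by offset."""
    hits = []
    for name, pattern in SIGNATURES:
        start = 0
        while True:
            pos = image.find(pattern, start)
            if pos < 0:
                break
            hits.append((pos, name))
            start = pos + 1            # keep scanning past this hit
    return sorted(hits)

def cramfs_endianness(image, offset):
    """Tell whether the cramfs magic at offset is little- or big-endian."""
    (le,) = struct.unpack_from("<I", image, offset)
    if le == CRAMFS_MAGIC:
        return "little"
    (be,) = struct.unpack_from(">I", image, offset)
    if be == CRAMFS_MAGIC:
        return "big"
    return None

# Constructed sample image: padding, a gzip header, more padding, a
# big-endian cramfs superblock magic, then a bFLT header.
SAMPLE = (b"\x00" * 16 + b"\x1f\x8b\x08\x00" + b"\xff" * 12
          + struct.pack(">I", CRAMFS_MAGIC) + b"\x00" * 8 + b"bFLT")

if __name__ == "__main__":
    for off, name in magic_offsets(SAMPLE):
        print(f"0x{off:08x}  {name}")
```

Run against a real firmware dump, the offsets are where an extractor would start carving; the endianness check is what keeps a cramfs image from a big-endian board from being misread on an x86 host.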