Sep 262013
When doing some tests on Suricata, I needed to setup a small IPv6 network. The setup is simple with one laptop which is Ethernet connected to a desktop. And the desktop host a Virtualbox system. This way, the desktop can act as a router with laptop on eth0 and Vbox on vboxnet0. To setup the desktop/router, I’ve used:
ip a a 4::1/64 dev eth0
ip a a 2::1/64 dev vboxnet0
echo "1">/proc/sys/net/ipv6/conf/all/forwarding
To setup the laptop who already has a IPv6 public address on eth0, I’ve done:
ip a a 4::4/64 dev wlan0
ip -6 r a 2::2/128 via 4::1 src 4::2 metric 128
Almost same thing on the Vbox:
ip a a 2::2/64 dev eth0
ip -6 r a default via 2::1
This setup should be enough but when I tried to do from the laptop:
ping6 2::2
I got a failure. I then checked the routing on the laptop:
# ip r g 2::2
2::2 via 4::1 dev wlan0  src 2a01:e35:1394:5bd0:f8b3:5a98:2715:6c8d  metric 128
A public IPv6 address is used as source address and this is confirmed by a tcpdump on the desktop:
# tcpdump -i eth0 icmp6 -nv
10:54:48.841761 IP6 (hlim 64, next-header ICMPv6 (58) payload length: 64) 2a01:e35:1394:5bd0:f8b3:5a98:2715:6c8d > 4::1: [icmp6 sum ok] ICMP6, echo request, seq 11
And the desktop does not know how to reach this IP address because it does not have a public IPv6 address. On the laptop, I’ve dumped wlan0 config to check the address:
# ip a l dev wlan0
3: wlan0:  mtu 1500 qdisc mq state UP group default qlen 1000
    link/ether c4:85:08:33:c4:c8 brd ff:ff:ff:ff:ff:ff
    inet brd scope global wlan0
       valid_lft forever preferred_lft forever
    inet6 4::4/64 scope global
       valid_lft forever preferred_lft forever
    inet6 2a01:e35:1434:5bd0:f8b3:5a98:2715:6c8d/64 scope global temporary dynamic
       valid_lft 86251sec preferred_lft 84589sec
    inet6 2a01:e35:1434:5bd0:c685:8ff:fe33:c4c8/64 scope global dynamic
       valid_lft 86251sec preferred_lft 86251sec
    inet6 fe80::c685:8ff:fe33:c4c8/64 scope link
       valid_lft forever preferred_lft forever
And, yes, 2a01:e35:1394:5bd0:f8b3:5a98:2715:6c8d is a dynamic IPv6 address which is used by default to get out (and bring a little privacy). Deleting the address did fix the ping issue:
# ip a d 2a01:e35:1394:5bd0:f8b3:5a98:2715:6c8d/64 dev wlan0
# ping6 2::2
PING 2::2(2::2) 56 data bytes
64 bytes from 2::2: icmp_seq=1 ttl=63 time=5.47 ms
And getting the route did confirm the fix was working:
# ip r g 2::2
2::2 via 4::1 dev wlan0  src 4::4  metric 128 
All that to say, that it can be useful to desactivate temporary IPv6 address before setting up a test network:
echo "0" > /proc/sys/net/ipv6/conf/wlan0/use_tempaddr
Sep 242013

I’ve just gave a talk about nftables, the iptables successor, at Kernel Recipes 2013. You can find the slides here: 2013_kernel_recipes_nftables

A description of the talk as well as slides and video are available on Kernel Recipes website

Here’s the video of my talk:

I’ve presented a video of nftables source code evolution:

The video has been generated with gource. Git history of various components have been merged and the file path has been prefixed with project name.

Sep 202013
Recent versions of buildbot, the continuous integration framework don’t allow by default the force build feature. This feature can be used to start a build on demand. It is really useful when you’ve updated the build procedure or when you want to test new branches. It was a little tricky to add it, so I decided to share it. If c is the name of the configuration you build in your master.cfg, you can add after all builders declarations:
from buildbot.schedulers.forcesched import *
                       builderNames = [ builder.getConfigDict()['name'] for builder in c['builders'] ]))
As was saying one of my physic teacher: “easy when you’ve done it once”.
Sep 182013
The first news is that it works! It is possible to use tc to setup QoS on IPv6 but the filter have to be updated. When working on adding IPv6 support to lagfactory, I found out by reading tc sources and specifically ll_proto.c that the keyword to use for IPv6 was ipv6. Please read that file if you need to find the keyword for an other protocol. So to send packet with Netfilter mark 5000 to a specific queue, one can use:
/sbin/tc filter add dev vboxnet0 protocol ipv6 parent 1:0 prio 3 handle 5000 fw flowid 1:3
All would have been simple, if I was not trying to have IPv6 and IPv4 support. My first try was to simply do:
${TC} filter add dev ${IIF} protocol ip parent 1:0 prio 3 handle 5000 fw flowid 1:3
${TC} filter add dev ${IIF} protocol ipv6 parent 1:0 prio 3 handle 5000 fw flowid 1:3
But the result was this beautiful message:
RTNETLINK answers: Invalid argument
We have an error talking to the kernel
Please note the second message displayed that warn you you talk to rudely to kernel and that he just kick you out the room. The fix is simple. In fact, you can not use twice the same prio. So it is successful to use:
${TC} filter add dev ${IIF} protocol ip parent 1:0 prio 3 handle 5000 fw flowid 1:3
${TC} filter add dev ${IIF} protocol ipv6 parent 1:0 prio 4 handle 5000 fw flowid 1:3