766 items (122 unread) in 6 feeds
friends
(122 unread)
virtual-sushi
(22 unread)
The Virtual Gigolo
(9 unread)
Jay's Personal Site
(30 unread)
James' Blog
Owing to some unresolved stability problems of gif(4) tunnels in FreeBSD, I have migrated ALIX to a Voyage Linux install. Voyage is a Debian-derived distribution optimised for embedded x86 systems in read-mostly environments. The complete install and configuration took about six hours and has fully replaced FreeBSD in its DNS/DHCP/NAT/IPv6/Firewall duties.
[root@gateway ~]$ uname -a Linux gateway 2.6.26-486-voyage #1 PREEMPT Fri Oct 24 09:21:04 GMT 2008 i586 GNU/Linux
The Netgear DG834 is a series of popular ADSL modem/firewall/router combinations. Until the DG834v4 the firewall could not be disabled on these devices. The v4 update added a web interface option to disable the firewall. Spot the design flaw:
There is no way to choose an unfirewalled non-NAT configuration. This is important in my home network, which has a delegation of public IPs, because the DG834's firewall makes an assumption that the firewall and port forwarding options are one and the same. It is not possible to allow all types of traffic to a single IP - the only way to permit ICMP to pass - without all traffic being forwarded to that IP. The next hop behind the DG834 is an ALIX device providing advanced firewalling functionality, so switching off the firewall upstream is not an unsafe thing to do.
I had hoped to take advantage of the OpenWRT open firmware project, but support for models newer than the DG834v2 is in its infancy. Instead, I decided to make use of Netgear's provision of partial source code and build tools for their hardware. The simplest approach to hard disable the firewall on routed IPs to set the policy for the FORWARD chain in iptables to ACCEPT. The firewall configuration is unfortunately not part of the provided source code (Netgear are only obliged to provide source for the GPL components) but can be found inside the target/sbin/rc binary (which is hard linked to a few other places).
By modifying this policy to ACCEPT, filtering will be disabled on routed IPs. However, there isn't enough room to replace DROP with ACCEPT without moving data throughout the binary and almost certainly breaking embedded address offsets. Since the default policy is ACCEPT, and it is not modified elsewhere, it is sufficient to simply remove the policy change here. To avoid potential problems with the handling of a blank command I replicated the -P INPUT DROP rule into this place.
After rebuilding the image and flashing it to the modem I can now pass traffic successfully to the whole network. The learning process caused a couple of device brickings. On each occasion the hardware was rescued by Wilmer van der Gaast's excellent unbricking tool, which communicates with the modem's bootloader via raw Ethernet frames to upload a working flash image.
Gank Night 11.5, yesterday's edition of Scrapheap Challenge's bimonthly drunken fun, is over! Last night's theme was inappropriate ships iftted with lasers and we raked in a fair few kills before exploding in a ball of epic disco.
My video can be found here (.mkv, 165M). It was recorded with Fraps, edited with Premiere Elements and encoded with x264. Premiere Elements 4, incidentally, seems to play happily with Vista 64-bit following a severe bug in file handling some months ago. No crashes this time!
The time for seasonal network cleaning has arrived. October's projects are to introduce IPv6 into my LAN (partly to test EthTV's compatibility) and to replace its troublesome upstream modem with an open source solution.
IPv6 was a feature of my network many years ago with a tunnel from Hurricane Electric. The immaturity of the technology and high latency1 of the service led me to nuke it a few months after setting it up, but the learning process was useful. I now have a new tunnel from SixXS with excellent latency thanks to their large pool of global peers:
[root@gateway ~]# ping6 ipv6.google.com PING6(56=40+8+8 bytes) 2a01:348:6:13a::2 --> 2001:4860:0:1001::68 16 bytes from 2001:4860:0:1001::68, icmp_seq=0 hlim=58 time=42.370 ms 16 bytes from 2001:4860:0:1001::68, icmp_seq=1 hlim=58 time=41.324 ms 16 bytes from 2001:4860:0:1001::68, icmp_seq=2 hlim=58 time=41.903 ms
SixXS is an interesting service to experience. Tunnel requests, subnet allocations, PTR delegations, etc. are approved by the company's staff if you can provide sufficient justification. Trust is built up over time through a monetary system that can be used to "purchase" additional services. Simply keeping your tunnel endpoint pingable is enough to earn these services over time, albeit at a slower rate than interacting directly with the project.
I now have a static tunnel configured on my ALIX utility box:
gif0: flags=8051 metric 0 mtu 1280 tunnel inet 82.70.152.20 --> 77.75.104.126 inet6 2a01:348:6:13a::2 --> 2a01:348:6:13a::1 prefixlen 128
Getting PF to play nicely took a little head scratching. ICMPv6 must be allowed for SixXS to monitor my endpoint. I found this was sufficient (in addition to default block rules on all interfaces and protocols):
pass in quick on vr1 inet proto ipv6 from 77.75.104.126 to 82.70.152.20 keep state pass in quick on gif0 inet6 proto ipv6-icmp from any to 2a01:348:6:13a::2 keep state
Configuring the LAN on a unique local subnet (pending enough trust with SixXS to obtain a globally routable prefix) highlighted the weaknesses in Ubuntu's GUI network configuration support. Bypassing NetworkManager for the wired connection to introduce a static IPv6 assignment did work. Interestingly, DHCPv6 is practically unsupported and one is instead meant to rely on stateless address autoconfiguration, a feature made possible by the N:1 mapping of MAC addresses to the host identifier of an IPv6 subnet. I haven't figured out how this variable mapping might interact with DNS entries yet, so I have statically assigned predictable addresses for now.
My IPv6 experimentation led to frustration with the Netgear DG834v3 modem/switch. SixXS requires an ICMP and ICMPv6 pingable endpoint; the latter proved to be no problem. The former appears to be defeated by the modem's firewall (which cannot be disabled). A firewall exception with the Any(ALL) type (other choices being limited to TCP or UDP) can be added to pass ICMP through, with the unfortunate side effect of making the target a DMZ - even for the modem's web interface. Joy!
Placing the modem into debug mode enables telnet access to its Busybox internals. The web interface firewall is based upon iptables and is easily circumvented with a broad accepting rule in the FORWARD chain. This is the configuration I prefer since ALIX, one hop downstream, provides a more sophisticated firewall for the LAN anyway. My exemption rule is, however, periodically deleted and of course lost when the modem is reset. I am now trying to source an ADSL modem compatible with OpenWRT so that I can eliminate the last proprietary component of my network.
1 Update: Martin Levy of Hurricane Electric wrote to let me know that their IPv6 tunnel broker service now has PoPs scattered across the globe, including one in London. This places the service on a par with SixXS and is definitely worth a look if you're interested in setting up a tunnel.
Being cooped up with the occasional antisocial traveller is an unfortunate consequence of using public transport in London. The experienced commuter has an iPod to hand to escape from the noise of the carriage. The iPod, however, is cursed with a lack of support for open formats such as Ogg Vorbis. A neat open source project called Rockbox adds this functionality and much more back in but is currently locked in a firmware access war with Apple, and consequently incompatible with the latest players.
Hence the shiny new Sansa Clip 4GB sitting on my desk. The Clip is a tiny (5.5 x 3.5 x 1.0cm), cheap (£40) portable audio player built by Sandisk. It does not support Rockbox (yet?) but a recent firmwire update added support for the Ogg Vorbis format (it also supports MP3 and WMA). The gadget mounts and charges as a standard USB storage device and lets you copy music straight in without requiring special software, ideal for Linux. I've written a little script to maintain a synchronised subset of my music with the Clip and to transcode music from any unsupported formats.
On the off chance that anyone is musing my recent online and RL presence, or lack thereof, perhaps I owe a short explanation. I'm about twenty days into a sixty day academic marathon (weekends and some evenings included) to finalise the design and implementation of my PhD thesis work by October. Until then I will be mostly unavailable and doing little other than working on this project.
It is going well and on schedule and is set to produce some impressive experimental performance results for my thesis, which will be published next year.
Summer has kicked in and a combination of hot weather and crunch time in academia has lowered my blog output. Nonetheless I've been hard at work on getting EthTV SVN into shape and things are looking good. I finally fixed a rare crash bug that has been plaguing the Windows FFmpeg backend for a few months; it was caused by a bug in weak symbol relocation in MingW GCC 4.3.0.
Improvements in the Windows GUI have brought EthTV a step closer to becoming a usable client. I tested Mono's support for Windows Forms, in order to port the GUI to Linux, but was underwhelmed by what appeared to be the .NET 2.0 style skinned onto a custom toolkit. It almost worked first time, to its credit, albeit with minor graphical corruption. In search of a better interface I built an independent GTK# interface which is working well and looking great under Linux, with some help from the Golem3D project's GLWidget.
This UI development work is in support of a target to deliver a usable multiplatform alpha client and Linux server by Q1 2009.
EthTV SVN has some exciting new features introduced since the last development update. Last month's goal was to advance the integration with Windows Forms and GTK. This was initially prototyped with the Tao and SDL.NET Form control implementations but was subsequently abandoned due to a lack of hardware acceleration. A transition of the underlying AV frameworks from SDL to OpenTK, a managed library not unlike Tao with support for OpenGL and OpenAL, was undertaken to resolve this problem.
OpenGL brings some other benefits, too. Image rescaling and YCbCr to RGB colourspace conversion is now delegated to the GPU through OpenGL shaders, lowering CPU consumption to about 10% on Windows Vista with .NET 3.5 on an E6600 Core 2 Duo. As a comparison, WinTV, a native TV client written by Hauppauge, consumes about 25% CPU. OpenAL has a pleasantly familiar interface, allowing simplification of the audio buffering system that was complicated by SDL's callback paradigm.
The results are now integrated into a Windows Form with a menu and a status bar. Further integration of GUI elements can proceed in the standard Visual Studio designer. This technology has not been tested on Linux, yet, but upstream developers claim that the Forms code will emulate correctly under Mono.
Dell's 2407WFP 24 inch LCD monitor running at 1920x1200 is a sight to behold. Two of them running at 3840x1200 is an even better one. Such was my motivation for wiring up a second monitor in some newly created space on my desk. The result is powered by a GeForce 8800 GTX with NVIDIA's TwinView technology, allowing free movement across monitors with sensible management of fullscreen applications.
Yesterday I ran into a tricky problem whilst reinstalling Windows Vista onto a larger hard disk for my gaming system. The service pack spent about forty minutes installing and then failed with the message "Service Pack did not install. Reverting changes." The error code in the Windows Update log was fairly generic and not indicative of a specific problem. Repeated attempts to install all failed with this error.
The problem turned out to be quite odd. I stumbled upon a solution during a somewhat desperate Google crawl. SP1 will apparently fail to install if the Vista installation is not set as the primary hard disk in the BIOS. I have GRUB on another drive to chainload Vista, for dual-booting Linux, which works fine in normal use. However, in order to install SP1 I had to temporarily set the Vista drive as the primary hard disk and then put it back after installation.
I guess it's a little much to expect Microsoft to test their software's compatibility with bootloaders associated with competing operating systems.