OpenBSD Journal

n2k14 hackathon report: henning@ talks about pf, checksumming, and the smash-and-grab

Contributed by tbert on from the turn-inside-out-for-another-day-of-wear dept.

Henning Brauer (henning@) wrote in with his report on the recent hackathon in New Zealand as well as events immediately before and after:

I flew to New Zealand a good week before the hackathon in Dunedin to hike with benno@ and Anja. Fortunately, we didn't plan ahead, all of that had been moot anyway - Qantas didn't feel like getting Anja's bag to NZ and couldn't even tell where it might be (I knew better than to fly Qantas after making that mistake last year), not even a day later - at that point we would have been in the mountains already under normal circumstances. So we went to buy some replacement gear and took off 2 days after arrival.

We went over the Mr. Robert ridge line to Angelus Lake, to continue on an unmarked "trail" towards hopeless hut and almost got stuck in a 500m high rock wall with rain and heavy heavy gusts - it was fun. When we returned after 3 days, we found our car broken into and almost all of our stuff stolen, including 5 laptops and most of our clothes. Most of Anja's stuff was safely at some Airport in Qantas possession, but I didn't even have underwear any more.

To cut a long story short, next day we drove 100km without the passenger window to pick up a new car, another 200 in the opposite direction to meet the police guy in charge - who found a lot of our stuff in a nearby ditch. At least we had our underwear back! However, 4 of the 5 Laptops, 2 each for Benno and me, were in there - thrown out of the window of a driving car, my ones damaged beyond repair, Benno's 2 with broken displays. They kept the cheapest and oldest one. Eventually late at night that day we arrived in Dunedin, having driven over 900km that day, including me driving for a couple of hours, first time in 5 years that I drove a car.

At the hackathon dlg@ loaned me his X60, with my recovered SSD put in there I almost felt home and could hack. Yay!

My biggest achievement on this hackathon was that I managed to not start another giant subsystem rewrite that drives me even more nuts than I already am. Instead, I did lots of small things, of which I am going to mention just two here.

We had a discussion about the pf ruleset in /etc/rc that gets loaded at boottime before we bring the network up - the real ruleset is loaded later. The question was whether we might accidentally pass carp announcements through. That would require the host to be configured as multicast router and we didn't actually check whether the order of operations even leave a (in any case tiny) window, but it was clear we want to tighten this a little more. What we'd want to express is "don't pass these if forwarded". And that means received-on. If a packet has been received on an interface, it doesn't originate from the local host (at least not with the environment set up during boot). So something like

block out quick received-on any

should catch all these. Except... that we didn't have a way to match "any" interface. So I added that, "any" (in interface matching context) matching any interface except loopback ones, because, well, loopback is special. While there, I also added "! received-on".

The other bit I want to mention is followup work to the big checksum rewrite. Since the stack now has nice software engines to offload the checksum calculation to, even if no hardware is present, we could get rid of a few checksum calculations in the upper parts of the stack, just marking the packet for "needs checksumming" is enough now. I had added the functionality for icmp too, even tho there is no hardware that can do icmp checksum offloading (that I am aware of, at least) - consistency is a good thing. So there were several places that did their icmp checksum calculations manually, and I replaced those calculations with the simple "set the flag" operation. That even fixed some minor bugs.

Benno, Anja and myself went for another week of hiking afterwards, in the Arthur's Pass area, going over Kelly Pass, then up the Taipo River valley and finally over Harman Pass. Left our car by the hotel and our gear inside, we're capable of learning from mistakes after all, got rides from nice locals in & out and finally drove back to Christchurch, where I spent and extra day with phessler@ since I am apparently incapable of booking flights on the right days - in the end, that was a nice extra day, some slacking before the 38 hours door-to-door travel back home and work the day after, so all good.

I still had one problem to solve, when they broke into our car, my house keys went missing (pretty sure they are still in a ditch in NZ), and my primary phone was stolen - I had already ordered a replacement while I was in Dunedin, shipped to my office, and a replacement SIM card too. So one of my coworkers deposited a nice package with the new phone, the new SIM card and my spare keys at my Portuguese coffee place, and when I arrived Monday morning, I got myself a galao along with the phone & the key to get into home.

By now I even acquired new laptops to replace the 2 broken ones and am curious what forgotten diffs I'll find on the SSD I used in Dunedin. Watch source-changes@ for them :)

We're terminally curious about what's in those forgotten diffs too, Henning! Thanks for the report and for putting in all this work on our favorite operating system.

(Comments are closed)


  1. By Will Backman (bitgeist) bitgeist@yahoo.com on http://bsdtalk.blogspot.com

    How terrible that the car was broken into. Amazing that you were able to recover what you did.

    What kind of security do you use to protect your work on laptops? Perhaps another article for undeadly?

    1. By sthen (2001:8b0:648e:cc01:f2de:f1ff:fef9:a752) on

      > How terrible that the car was broken into. Amazing that you were able to recover what you did.
      >
      > What kind of security do you use to protect your work on laptops? Perhaps another article for undeadly?

      Fortunately, over the years, Henning has developed a state-of-the-art distributed backup technique (-:

      1. By Michael (208.67.143.145) on

        > Fortunately, over the years, Henning has developed a state-of-the-art distributed backup technique (-:
        >

        He just has to remember who the backup is...

    2. By Richard Toohey (203.97.197.6) richardtoohey@paradise.net.nz on

      > How terrible that the car was broken into.
      New Zealand is a great place to live (moved here 12 years ago), but there are still nasty scum who do stuff like this.

      Sorry to hear that it happened and made life difficult - you were meant to be enjoying yourself and hacking!

  2. By Amit Kulkarni (amitkulz) amitkulz@gmail.com on

    who is anja? more commonly referred to as aja@?

    1. By Brad Smith (brad) on

      > who is anja? more commonly referred to as aja@?

      You do know that developers interact with people other than OpenBSD developers?

      1. By tbert (tbert) on

        > > who is anja? more commonly referred to as aja@?
        >
        > You do know that developers interact with people other than OpenBSD developers?

        Heresy. Only @openbsd.org members are allowed into the Hackerdrome.

      2. By Amit Kulkarni (amitkulz) on

        > > who is anja? more commonly referred to as aja@?
        >
        > You do know that developers interact with people other than OpenBSD developers?

        Ok then.

Credits

Copyright © - Daniel Hartmeier. All rights reserved. Articles and comments are copyright their respective authors, submission implies license to publish on this web site. Contents of the archive prior to as well as images and HTML templates were copied from the fabulous original deadly.org with Jose's and Jim's kind permission. This journal runs as CGI with httpd(8) on OpenBSD, the source code is BSD licensed. undeadly \Un*dead"ly\, a. Not subject to death; immortal. [Obs.]