First I worked on fixing the source address selection and flow
mangling on iked(8).
Unlike isakmpd(8), which bind(2)s one DGRAM socket per local address,
iked binds its sockets on 0.0.0.0 and ::, and relies on IP_RECVDSTADDR
and IPV6_RECVPKTINFO to save the address the incoming packet has
been sent to. Until rev 1.218 of sys/netinet/udp_usrreq.c, there
was no way in IPv4 to specify the source address to use when sending
a packet. I wrote the missing glue, and one 50-ish diff, a handful
of nits and a couple of oks later, the code landed in the tree.

At the beginning of 2009, isakmpd and ipsecctl(8) gained the ability
to mangle the flows they pushed into the kernel so that you could
apply NAT operations on tunnelled packets. This very useful feature
was missing from iked, and was quickly okayed and committed.

While testing my diffs I found a bug in the ipsec input routine,
where a non-UDP-encapsulated payload could be matched against an SA
requiring encapsulation. mikeb@ and I held a brief summit over it
at The Haymakers, and it was fixed the morning after.

I then switched to armv7.

Lots of work has been done on the armv7 port, so I brought my Novena
laptop to try and get some kind of framebuffer working. It happened
that pascal@, kettenis@ and jsg@ switched the platform to EABI
during the hackathon, so upgrading from a bsd.rd was required. I
spent some time trying to figure out why BOOTARM.EFI would not
detect my disks, but after getting mentored by kettenis@ and trying
to get some franken-u-boot to build without success, I put the

My armv7 ambitions being stalled, I moved onto sys/netinet.
One of the functions involved in IPv6 source address selection checked
if the cached route was of a different family than AF_INET6 and
would invalidate it if so, assuming that the route cache could be
shared between IPv4 and IPv6. Obviously such a design deserves nothing
but the loving touch of a 16hp chainsaw. A bit of audit and a couple
of oks later, I changed this check to a KASSERT() to expose the

Shortly before the hackathon, mpi@ pointed my attention to the
routines we use to select a source address from a destination address
(and a bunch of other stuff). Previous surgery made it so that
they are only used to fill in the struct in_pcb source address, so they
were ripe to be rewritten to not expose struct route in their
prototype anymore; the endgame here being to replace struct route
with something better.

But we are talking about the network stack, so of course there was
something in the way, namely vxlan(4). When tunneling over IPv6,
vxlan(4) may call in6_selectsrc() if the tunnel source address is
unspecified. I brought this up to reyk@, and we agreed that it would
be good to add IPv6 multicast support before refactoring, so that
we have the full picture. The diff will pop up on tech@ soon.

Monday was wrap-up day, not the best time to commit invasive changes,
so I fixed a couple of tests in regress/sys/netinet.

Many thanks to avsm@ and Gemma for the organisation and keeping us
supplied with coffee, and also to the OpenBSD foundation for making
this event possible.