OpenBSD Journal

g2k16 Hackathon Report: Vincent Gross on iked(8), armv7 and sys/netinet[6]

Contributed by rueda on from the I like iked dept.

Vincent Gross supplied the next hackathon report:

Although I did attend two hackathons previously, g2k16 at Cambridge was my first general hackathon. I had three targets on my list for this week: iked(8), armv7 and sys/netinet[6].

First I worked on fixing the source address selection and flow mangling on iked(8).

Unlike isakmpd(8), which calls bind(2) on one DGRAM socket per local address, iked binds its sockets on 0.0.0.0 and ::, and relies on IP_RECVDSTADDR and IPV6_RECVPKTINFO to save the address the incoming packet has been sent to. Until rev 1.218 of sys/netinet/udp_usrreq.c, there was no way in IPv4 to specify the source address to use when sending a packet. I wrote the missing glue and, one 50-ish diff, a handful of nits and a couple of oks later, the code landed in the tree.

At the beginning of 2009, isakmpd and ipsecctl(8) gained the ability to mangle the flows they pushed into the kernel so that you could apply NAT operations on tunnelled packets. This very useful feature was missing from iked, and was quickly okayed and committed.

While testing my diffs I found a bug in the ipsec input routine, where a non-UDP-encapsulated payload could be matched against an SA requiring encapsulation. mikeb@ and I held a brief summit over it at The Haymakers, and it was fixed the morning after.

I then switched to armv7.

Lots of work has been done on the armv7 port, so I brought my Novena laptop to try and get some kind of framebuffer working. It happened that pascal@, kettenis@ and jsg@ switched the platform to EABI during the hackathon, so upgrading from a bsd.rd was required. I spent some time trying to figure out why BOOTARM.EFI would not detect my disks, but after getting mentored by kettenis@ and trying to get some franken-u-boot to build without success, I put the Novena aside.

My armv7 ambitions being stalled, I moved onto sys/netinet[6].

One of the functions involved in IPv6 source address selection checked if the cached route was of a different family than AF_INET6 and would invalidate it if so, assuming that the route cache could be shared between IPv4 and IPv6. Obviously such a design deserves nothing but the loving touch of a 16hp chainsaw. A bit of audit and a couple of oks later, I changed this check to a KASSERT() to expose the remaining offenders.

Shortly before the hackathon, mpi@ pointed my attention to the routines we use to select a source address from a destination address (and a bunch of other stuff). Previous surgery made it so that they are only used to fill in the struct in_pcb source address, so they were ripe to be rewritten to not expose struct route in their prototype anymore; the endgame here being to replace struct route with something better.

But we are talking about the network stack, so of course there was something in the way, namely vxlan(4). When tunneling over IPv6, vxlan(4) may call in6_selectsrc() if the tunnel source address is unspecified. I brought this up to reyk@, and we agreed that it would be good to add IPv6 multicast support before refactoring, so that we have the full picture. The diff will pop up on tech@ soon.

Monday was wrap-up day, not the best time to commit invasive changes, so I fixed a couple of tests in regress/sys/netinet[6].

Many thanks to avsm@ and Gemma for the organisation and keeping us supplied with coffee, and also to the OpenBSD foundation for making this event possible.

Many thanks for the report, Vincent!
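The first part of the report, where iked binds to 0.0.0.0 and relies on IP_RECVDSTADDR to recover which local address a packet was sent to, is easiest to see in code. The following is an added example, not code from Vincent's report or from iked(8)/OpenBSD: a wildcard-bound UDP responder that reads the destination address of each datagram from a control message and then forces that address as the source of its reply, which is exactly the IPv4 gap the report describes closing. It assumes the IP_RECVDSTADDR/IP_SENDSRCADDR pair on OpenBSD and FreeBSD and IP_PKTINFO on Linux, talks to itself over loopback, and the names roundtrip, recv_dst, send_from, srcinfo, seen_dst and reply_src are mine.

```c
/*
 * Added example, not from Vincent's report or from iked(8): a UDP responder
 * bound to 0.0.0.0 recovers the local address each datagram was sent to from a
 * control message and forces that address as the source of its reply. Assumed
 * APIs: IP_RECVDSTADDR/IP_SENDSRCADDR (OpenBSD, FreeBSD), IP_PKTINFO (Linux).
 */
#define _GNU_SOURCE
#include <sys/socket.h>
#include <sys/uio.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <string.h>
#include <unistd.h>

#ifdef IP_SENDSRCADDR                  /* OpenBSD, FreeBSD */
#define RECV_OPT  IP_RECVDSTADDR
#define SEND_TYPE IP_SENDSRCADDR
typedef struct in_addr srcinfo;        /* cmsg payload is a bare in_addr */
#define DST_OF(p)     (*(p))
#define SET_SRC(p, a) (*(p) = (a))
#else                                  /* Linux */
#define RECV_OPT  IP_PKTINFO
#define SEND_TYPE IP_PKTINFO
typedef struct in_pktinfo srcinfo;     /* payload wraps both addresses */
#define DST_OF(p)     ((p)->ipi_addr)
#define SET_SRC(p, a) ((p)->ipi_spec_dst = (a))
#endif

/* Filled by roundtrip(): address the responder saw, address its reply came from. */
char seen_dst[INET_ADDRSTRLEN], reply_src[INET_ADDRSTRLEN];

/* Copy the destination address of a received datagram out of its cmsgs. */
static int
recv_dst(struct msghdr *msg, struct in_addr *dst)
{
	struct cmsghdr *c;
	srcinfo si;
	for (c = CMSG_FIRSTHDR(msg); c != NULL; c = CMSG_NXTHDR(msg, c)) {
		if (c->cmsg_level != IPPROTO_IP || c->cmsg_type != RECV_OPT)
			continue;
		memcpy(&si, CMSG_DATA(c), sizeof(si));
		*dst = DST_OF(&si);
		return 0;
	}
	return -1;
}

/* Send buf to peer with the IP source address forced to src. */
static ssize_t
send_from(int s, void *buf, size_t len, struct sockaddr_in *peer, struct in_addr src)
{
	union { struct cmsghdr h; unsigned char b[CMSG_SPACE(sizeof(srcinfo))]; } u;
	struct iovec iov = { buf, len };
	struct msghdr msg = { .msg_name = peer, .msg_namelen = sizeof(*peer), .msg_iov = &iov,
	    .msg_iovlen = 1, .msg_control = u.b, .msg_controllen = sizeof(u.b) };
	struct cmsghdr *c = CMSG_FIRSTHDR(&msg);
	srcinfo si;
	memset(&u, 0, sizeof(u));
	memset(&si, 0, sizeof(si));
	SET_SRC(&si, src);
	c->cmsg_level = IPPROTO_IP;
	c->cmsg_type = SEND_TYPE;
	c->cmsg_len = CMSG_LEN(sizeof(si));
	memcpy(CMSG_DATA(c), &si, sizeof(si));
	return sendmsg(s, &msg, 0);
}

/*
 * Wildcard-bound responder on an ephemeral port: a client sends "ping" to
 * dst_str, the responder answers from the address the datagram arrived on.
 * Returns 1 if both observed addresses equal dst_str, 0 on a mismatch, -1 on
 * a syscall failure.
 */
int
roundtrip(const char *dst_str)
{
	int srv, cli, on = 1;
	struct sockaddr_in any = { .sin_family = AF_INET }, target, peer, from; /* 0.0.0.0 */
	socklen_t alen = sizeof(any);
	char rbuf[64];
	unsigned char cbuf[CMSG_SPACE(sizeof(srcinfo))];
	struct iovec iov = { rbuf, sizeof(rbuf) };
	struct msghdr msg = { .msg_name = &peer, .msg_namelen = sizeof(peer), .msg_iov = &iov,
	    .msg_iovlen = 1, .msg_control = cbuf, .msg_controllen = sizeof(cbuf) };
	struct in_addr dst;
	ssize_t len;
#if defined(__OpenBSD__) || defined(__FreeBSD__)
	any.sin_len = sizeof(any);                   /* these kernels validate sin_len */
#endif
	if ((srv = socket(AF_INET, SOCK_DGRAM, 0)) < 0 ||
	    (cli = socket(AF_INET, SOCK_DGRAM, 0)) < 0 ||
	    setsockopt(srv, IPPROTO_IP, RECV_OPT, &on, sizeof(on)) < 0 ||
	    bind(srv, (struct sockaddr *)&any, sizeof(any)) < 0 ||    /* wildcard, like iked */
	    getsockname(srv, (struct sockaddr *)&any, &alen) < 0)     /* learn the port */
		return -1;
	target = any;                                /* same port, caller's address */
	if (inet_pton(AF_INET, dst_str, &target.sin_addr) != 1 ||
	    sendto(cli, "ping", 4, 0, (struct sockaddr *)&target, sizeof(target)) < 0 ||
	    (len = recvmsg(srv, &msg, 0)) < 0 || recv_dst(&msg, &dst) < 0 ||
	    send_from(srv, rbuf, (size_t)len, &peer, dst) < 0)
		return -1;
	/* alen is still sizeof(struct sockaddr_in) after getsockname() */
	if (recvfrom(cli, rbuf, sizeof(rbuf), 0, (struct sockaddr *)&from, &alen) < 0)
		return -1;
	close(srv); close(cli);
	inet_ntop(AF_INET, &dst, seen_dst, sizeof(seen_dst));
	inet_ntop(AF_INET, &from.sin_addr, reply_src, sizeof(reply_src));
	return strcmp(seen_dst, dst_str) == 0 && strcmp(reply_src, dst_str) == 0;
}
```

Over a single loopback address both recorded strings are 127.0.0.1, which only proves the plumbing; the value shows on a multi-homed host, where a wildcard-bound socket that replies without the control message leaves the source address to the routing table, which need not pick the address the request was sent to. Calling roundtrip() with each configured address of such a host and checking that both strings match it is the quick way to confirm the kernel honours the option.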
