d2k17 Hackathon Report: Alexander Bluhm on Network Stack Improvements and more
Contributed by rueda on Wed Jun 28 07:49:16 2017 (GMT)
from the ref-ac-to-ring dept.
Alexander Bluhm (bluhm@) wrote in with a hackathon report:
As usual hackathons are a great time to get things committed. All
the other developers are around, you can discuss ideas and get code
To move towards network input without big kernel lock, I have looked
at the protocol functions and refactored them. Especially IP-in-IP
input that is used for IPsec tunnel mode needed some love. I have
fixed several bugs and have a diff ready that avoids one additional
queuing of the packets. This work had to be coordinated with mpi@,
who removed the kernel big lock from the forwarding path.
To make sure that functionality does not break, I have written a
regression test for IPsec. It systematically tests all combinations:
- packet forwarding and local stack
- ESP, AH, IPComp, IPIP transforms, and bundles of those
- transport mode and tunnel in IPv4 and IPv6
- Ping, TCP, UDP payload
- small and big packets
- IPv4 and IPv6.
All these combinations cannot be done manually, you have to automate
As I found some inconsistencies in
on that way, I have fixed
them. IPv6 AH packets stepped over the authentication header and
matched as the real protocol, while IPv4 was only creating AH states.
Now both address families work on the inner protocol that is
authenticated. While there I also limited the length of extension
header chains in pf to avoid DoS attacks that try to consume all
CPU time in the header chain.
Another missing IPv6 check got fixed. IPv4 packets with IP options
have always been blocked unless the rule contained "allow-opts".
Now the same is true for IPv6 packets with option headers.
A ssh feature that I had done a while ago went into the tree. Now
you can specify a RemoteCommand in the ssh client config. This
command will be automatically executed when you log into a remote
machine. This allows you to automate tasks using the .ssh/config file.
Create a host section and specify what should be run on which
machine. A single ssh host alias will do everything; you don't have
to type a long command line.
Thanks very much Alexander!
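As an added illustration of the RemoteCommand client option described in the report (an example configuration, not Alexander's or OpenSSH's own), here is a ~/.ssh/config fragment in the style he describes; the host names, user name, key path and commands are assumptions:

```sshconfig
# Constructed example ~/.ssh/config (not from the report). Hostnames,
# user, key path and commands are assumptions for illustration.

# "ssh fwrules" prints the loaded pf ruleset and exits; no tty needed.
Host fwrules
    HostName fw.example.net
    User admin
    RemoteCommand doas pfctl -sr

# "ssh fwlog" follows the pf log interactively. RequestTTY yes makes
# Ctrl-C reach the remote tcpdump so the session ends cleanly.
Host fwlog
    HostName fw.example.net
    User admin
    RequestTTY yes
    RemoteCommand doas tcpdump -n -e -ttt -i pflog0

# Settings shared by both aliases. ssh uses the first obtained value
# for each option, so the specific blocks above take precedence.
Host fwrules fwlog
    IdentityFile ~/.ssh/id_fw
    IdentitiesOnly yes
```

Because RemoteCommand is set for these aliases, ssh refuses a command given on its command line for them ("Cannot execute command-line and remote command."); use a separate alias for a plain shell.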