OpenBSD Journal

d2k17 Hackathon Report: Alexander Bluhm on Network Stack Improvements and more

Contributed by rueda on from the ref-ac-to-ring dept.

Alexander Bluhm (bluhm@) wrote in with a hackathon report:

As usual hackathons are a great time to get things commited. All the other developers are around, you can discuss ideas and get code reviewed quickly.

To move towards network input without big kernel lock, I have looked at the protocol functions and refactored them. Especially IP-in-IP input that is used for IPsec tunnel mode needed some love. I have fixed several bugs and have a diff ready that avoids one additional queuing of the packets. This work had to be coordinated with mpi@, who removed the kernel big lock from the forwarding path.

To make sure that functionality does not break, I have written a regression test for IPsec. It systematically tests all combinations of:

  • packet forwarding and local stack
  • ESP, AH, IPComp, IPIP transforms, and bundles of those
  • transport mode and tunnel in IPv4 and IPv6
  • Ping, TCP, UDP payload
  • small and big packets
  • IPv4 and IPv6.

All these combinations cannot be done manually, you have to automate it.

As I found some inconsistencies in pf(4) on that way, I have fixed them. IPv6 AH packets stepped over the authentication header and matched as the real protocol, while IPv4 was only creating AH states. Now both address families work on the inner protocol that is authenticated. While there I also limited the length of extension header chains in pf to avoid DoS attacks that try to consume all CPU time in the header chain.

Another missing IPv6 check got fixed. IPv4 packets with IP options have always been blocked unless the rule contained "allow-opts". Now the same is true for IPv6 packets with option headers.

A ssh feature that I had done a while ago went into the tree. Now you can specify a RemoteCommand in the ssh client config. This command will be automatically executed when you log into a remote machine. This allows to automate tasks using the .ssh/config file. Create a host section and specify what should be run on which machine. A single ssh host alias will do everything, you don't have to type a long command line.

Thanks very much Alexander!

(Comments are closed)


Credits

Copyright © - Daniel Hartmeier. All rights reserved. Articles and comments are copyright their respective authors, submission implies license to publish on this web site. Contents of the archive prior to as well as images and HTML templates were copied from the fabulous original deadly.org with Jose's and Jim's kind permission. This journal runs as CGI with httpd(8) on OpenBSD, the source code is BSD licensed. undeadly \Un*dead"ly\, a. Not subject to death; immortal. [Obs.]