Contributed by rueda on from the ref-ac-to-ring dept.
Alexander Bluhm (bluhm@) wrote in with a hackathon report:
As usual, hackathons are a great time to get things committed. All the other developers are around, you can discuss ideas and get code reviewed quickly.
To move towards network input without big kernel lock, I have looked at the protocol functions and refactored them. Especially IP-in-IP input that is used for IPsec tunnel mode needed some love. I have fixed several bugs and have a diff ready that avoids one additional queuing of the packets. This work had to be coordinated with mpi@, who removed the kernel big lock from the forwarding path.
To make sure that functionality does not break, I have written a regression test for IPsec. It systematically tests all combinations of:
- packet forwarding and local stack
- ESP, AH, IPComp, IPIP transforms, and bundles of those
- transport mode and tunnel in IPv4 and IPv6
- Ping, TCP, UDP payload
- small and big packets
- IPv4 and IPv6.
All these combinations cannot be done manually; you have to automate it.
As I found some inconsistencies in pf(4) along the way, I have fixed them. IPv6 AH packets stepped over the authentication header and matched as the real protocol, while IPv4 was only creating AH states. Now both address families work on the inner protocol that is authenticated. While there I also limited the length of extension header chains in pf to avoid DoS attacks that try to consume all CPU time in the header chain.
Another missing IPv6 check got fixed. IPv4 packets with IP options have always been blocked unless the rule contained "allow-opts". Now the same is true for IPv6 packets with option headers.
An ssh feature that I had done a while ago went into the tree. Now you can specify a RemoteCommand in the ssh client config. This command will be automatically executed when you log into a remote machine. This allows you to automate tasks using the .ssh/config file. Create a host section and specify what should be run on which machine. A single ssh host alias will do everything; you don't have to type a long command line.
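As an added illustration of the RemoteCommand host section described above (this is not part of Alexander's report; the alias, hostname, user and command are placeholders), an ~/.ssh/config entry might look like this:

```sshconfig
# ~/.ssh/config (added example; alias, hostname, user and command are placeholders)
Host webserver-logs
    HostName web.example.com
    User admin
    # RemoteCommand runs on the remote machine in place of the login shell,
    # so "ssh webserver-logs" is all that needs to be typed.
    RemoteCommand tail -f /var/log/messages
    # ssh does not allocate a tty when a command is given; interactive or
    # long-running commands such as this one need one, so request it explicitly.
    RequestTTY yes
```

Note that ssh refuses to run a command passed on the command line for a host that has RemoteCommand set, so each alias should do exactly one job.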
Thanks very much Alexander!