Contributed by jcr on from the talking-machines dept.
Jan 9 - 15, 2010
n2k10 was held at the Victorian Partnership for Advanced Computing (VPAC) in Melbourne, Australia. It was mid-Summer in Melbourne and it was hot --one day was over 45C, which was quite a change for the Europeans who came from -10C a few days before. The organization of the event was a team effort with Damien Miller (djm@) organizing the accommodations, and David Gwynne (dlg@) organizing the venue.
The 17 developers attending n2k10:
- Bob Beck (beck@)
- Christian Weisgerber (naddy@)
- Claudio Jeker (claudio@)
- Damien Miller (djm@)
- Darren Tucker (dtucker@)
- David Gwynne (dlg@)
- Henning Brauer (henning@)
- Joel Sing (jsing@)
- Jonathan Gray (jsg@)
- Kenneth R Westerback (krw@)
- Marco Pfatschbacher (mpf@)
- Mark Kettenis (kettenis@)
- Reyk Floeter (reyk@)
- Ryan Thomas McBride (mcbride@)
- Simon Perreault (sperreault@)
- Theo de Raadt (deraadt@)
- Yasuoka Masahiko (yasuoka@)
Though it's great to show the fun the developers are having with their various coding projects, it is always a tough decision whether or not to mention new or in-progress work, since you just never know how other people will react. About half the developers at n2k10 decided to give us a glimpse at the stuff they were working on at the hackathon.
Christian Weisgerber (naddy@)
My main project at n2k10 was implementing delayed checksumming for TCP/UDP over IPv6 in our network stack. With this, the upper layer only fills in the pseudo-header checksum and sets a flag in the packet header; the final checksum is only calculated right before the packet is handed off to the network interface. This is the same approach we already take with IPv4 and it will eventually allow us to enable hardware checksum offloading for IPv6, which is a feature increasingly supported by newer ethernet chipsets.
While debugging delayed checksumming, I noticed that tcpdump(8) failed to show TCP/UDP checksums over IPv6, so I added this missing detail. I also added support for displaying IPV6CP (IPv6 Control Protocol, used to set up IPv6 over PPP) and sprinkled a lot of missing range checks over the tcpdump PPP decoder.
Damien Miller (djm@)
I worked pretty much solely on OpenSSH and managed to get a large rewrite of the multiplexing code completed. It was committed just over a week later, with some bug fixes (which always go faster when dtucker@ is in the room), as well as an initial design for the new OpenSSH certificate format.
Darren Tucker (dtucker@)
I spent most of my time working through the outstanding OpenSSH bug list with djm@, working toward the 5.4 release. Mostly this was finalizing changes that have been around for a while, and the quick back-and-forth allowed by actually being in the same room helped nail down the details. Between the hackathon, and the time djm@ and I have have been spending every two weeks or so, 5.4 shaped up to be one of the largest releases in recent years.
In another example of how porting can provide benefits in both directions, one of the bugs reported against OpenSSH turned out to actually be a bug in OpenBSD libc (readpassphrase, which is also used in the OpenSSH compatibility library). Naturally this was fixed in both places.
Kenneth R Westerback (krw@)
I worked almost exclusively on smoothing out the rough edges of the new scsi mid-layer. I worked with dlg@, claudio@, kettenis@ on various bits of non-functional hardware, or hardware that now behaved differently. By the end of n2k10 we believe we have achieved stability with the new mid-layer.
I also worked on a dvd reading issue with jsg@, where a general long standing bug was discovered in reading directories on cd9660 filesystems. jsg@ finally discovered the solution in a FreeBSD fix. But an even more general issue with very large directory files (i.e. >4GB) was noticed, and remains unsolved.
Marco Pfatschbacher (mpf@)
I started working on a live regression test framework. Its focus lies on making it easier to find and reproduce bugs in our network stack. As a fist step, I built an OpenBSD ramdisk distribution (/usr/src/distrib/i386/ramdist/) based on djm's flashboot. I've also written some Makefile and perl scripts to get a small network with a couple of qemu instances running.
Mark Kettenis (kettenis@)
Apart from fixing the fallout from dlg@'s scsi midlayer changes, I worked on some changes that would make it possible to set aside CPUs to do crypto without needing the kernel lock. That would help with things like IPSEC. The idea is not mine, but based on a diff by Michael Shalayeff with some help from Markus Friedl (markus@). Their approach is tied to i386-specific code though, which isn't really acceptable for the OpenBSD tree. So I started hacking on the kernel scheduler. I managed to make it possible to take away CPUs from the scheduler and hand them back again later. I started experimenting with running crypto code on the "free" CPU, but didn't manage to finish things during the hackathon.
Simon Perreault (sperreault@)
I implemented NAT64 in pf as part of the Ecdysis project. NAT64 is a NAT between an IPv6-only network and the IPv4 Internet. The goal is for all of us IPv6 enthusiasts to get rid of IPv4 in our LANs. I got it working with the kind help of mcbride@, dlg@, claudio@, and henning@, but we discovered many design issues.
NAT64 is very different from NAT44 or even NAT66 because we not only need to change the source address, but instead, we need to change the whole thing, so we need to do our job in pre-routing, like an rdr rule. Once NAT64 is applied to an IPv6 packet, we can't continue as usual with IPv6 routing since the packet is now an IPv4 packet. The plan was to call ipv4_input() on the resulting IPv4 packet, let pf process that one as usual, and return PF_DEFER to make pf ignore the original IPv6 packet. mcbride@ and I are currently trying to figure out a cleaner way to do it. Our current hypothesis is that we could do something similar to the way the IPv6 stack treats IPv4-mapped addresses (::ffff:a.b.c.d), that is, apply IPv4 routing to IPv6 packets whose destination address is within a given prefix.
Theo de Raadt (deraadt@)
My story is that I tried to fix and improve the pf grammer and I don't have all of it ready yet.
Yasuoka Masahiko (yasuoka@)
My mission at n2k10 was introducing npppd and pipex. npppd is a new PPP daemon and pipex is for in-kernel acceleration. They are used for handling many PPP connections on systems and they were originally developed by Internet Initiative Japan Inc.(IIJ). npppd and pipex have been merged into our tree. The code has been cleaned and fixed up with advice and feedbacks from other hackers. I also added privilege separation to npppd.
There was a need to discuss design issues. Original npppd concentrates multiple ppp sessions to one interface, but this design creates some limitations. For example, we can not apply CBQ (Class Based Queueing) for a PPP session on this design. As the result of discussion with dlg@, claudio@, mcbride@ and deraadt@, we decided to develop an "interface per ppp session" mode and an "one interface for multiple ppp sessions" mode.
(Comments are closed)