% Personal notes provided with "%". Think of it as a potential audio overlay.

\documentclass[a4paper,portrait,english]{beamer}
\usepackage[utf8]{inputenc}
\usepackage[T1]{fontenc}
\usepackage{textcomp}
\usepackage{url}
\usepackage{lmodern}
\setcounter{tocdepth}{1}

\date{2010-10-18}
\institute[\textsf{NFWS2010}]{Presented at NFWS 2010}
\usetheme{CambridgeUS}

\setbeamercolor*{palette primary}{fg=blue!50!black,bg=gray!20!white}
\setbeamercolor*{palette secondary}{fg=blue!50!black,bg=gray!40!white}
\setbeamercolor*{palette tertiary}{bg=blue!50!black,fg=white}
\setbeamercolor{titlelike}{bg=gray!20!white,fg=blue!50!black}
\setbeamerfont{block title}{family=\sffamily}
\setbeamercolor{block title}{use=structure,fg=white,bg=structure.fg!75!black}
\setbeamercolor{block title alerted}{use=alerted text,fg=white,bg=alerted text.fg!75!black}
\setbeamercolor{block title example}{use=example text,fg=white,bg=example text.fg!75!black}
\setbeamercolor{block body}{parent=normal text,use=block title,bg=block title.bg!10!bg}
\setbeamercolor{block body alerted}{parent=normal text,use=block title alerted,bg=block title alerted.bg!10!bg}
\setbeamercolor{block body example}{parent=normal text,use=block title example,bg=block title example.bg!10!bg}

\begin{document}

\title{The State of Xtables-addons}

\author{Jan\ Engelhardt}

\frame{
	\titlepage
}

\frame{
	\frametitle{Table of Contents}
	\tableofcontents
}

\AtBeginSection{
	\frame{
		\frametitle{Table of Contents}
		\tableofcontents[currentsection]
	}
}

% First of all, a bit of history.

\section{patch-o-matic}

\subsection{Description}

\frame{

% Once upon a time in 2002, a package called patch-o-matic (and later,
% patch-o-matic-ng) was conceived that held patches slated for mainline.
% Eventually it came to hold those that would never be merged.

	\frametitle{patch-o-matic (Aug\ 2002--2007)}

	\begin{itemize}

	\item Package to hold \textbf{patches} not merged yet in
	mainline, and those that would never go in anyway.

	\pause

% Because they were self-contained patches, each and every one had to implement its
% own #ifdef logic to work with multiple kernel versions. That quickly got
% ugly, and it was not very manageable to update them all. (At the height of the
% repository's size, there were over 50 patches.)

	\item A lot of maintenance was involved (50+ patches), each of which
	had to be taken care of whenever a kernel API change occurred

	\pause

% Wherever there is a lot of maintenance involved, developers tend to get worn
% out, and that leads to users asking more and more, until eventually they try
% to patch stuff themselves. We'll stop the story here, because that usually
% ends in nightmares.

	\item Nobody likes that massive sort of maintenance update work

	\end{itemize}
}

\frame{
	\frametitle{Pitfalls}

	Worse yet,

	\begin{itemize}

	\item Possibility of incorrect conflict resolution by a novice user.

	\pause

	\item The patch might even apply cleanly and still be wrong (e.g.\ a
	hunk landing in the wrong context)---you are just running right into doom.

	\item Ignoring compiler warnings (a classic)
	({}``it compiles? ship it!'')

	\pause

	\item Stuff you probably never dealt with in your x86-limited world:
	alignment requirements, endianness

	\end{itemize}
}

\frame{
	\frametitle{Alignment violation}

	\begin{alertblock}{Unaligned access}

	\texttt{\small
	\textbf{\#define get\_u16(X, O) ({*}(const \_\_u16~{*})((X) + (O)))}\\
	~\\
	\textbf{if} (get\_u32(payload, 33) == \_\_constant\_htonl(0x71182b1a) \&\& \\
	~~~~get\_u16(payload, 147) == \_\_constant\_htonl(0xf792)) \{\\
	~~~~~~~~printk(KERN\_INFO \char`\"{}got	WinMX\textbackslash{}n\char`\"{});\\
	~~~~~~~~\textbf{return} IPP2P\_WINMX {*} 100 + 4;\\
	\}}

	\end{alertblock}

	\begin{itemize}

	\item often goes unnoticed because x86 performs unaligned loads in
	hardware; other architectures either trap (oops) or silently return
	wrong data. Note also that the snippet compares a 16-bit load against
	\texttt{\_\_constant\_htonl()} of a 16-bit constant---on a
	little-endian host that comparison can never be true
	(\texttt{htons} is meant), an endianness bug of the kind just mentioned.
	Whether the caller guarantees the payload really extends to offset 147
	is not visible here.

	\end{itemize}

	\begin{block}{Resulting oops on sparc64}

	\texttt{\small Kernel unaligned access at TPC{[}79c344]
	search\_winmx+0x123/0x789}

	\end{block}

	\begin{exampleblock}{Safe version}

	\texttt{\small \textbf{\#define get\_u16(X, O)
	get\_unaligned((const \_\_u16~{*})((X) + (O)))}}

	\end{exampleblock}
}

\frame{
	\frametitle{Not good}

	\begin{itemize}

	\item silent corruption, kernel oops and an unhappy
	user.

	~\\

	\texttt{~~~~~~~~~~~~~~~~~~~~\textasciicircum{}\_\_\textasciicircum{}~\\
	\textbackslash{}|/~\_\_\_\_~\textbackslash{}|/~~~~~~~~(xx)\textbackslash{}\_\_\_\_\_\_\_~\\
	\char`\"{}@'/~..~\textbackslash{}`@\char`\"{}~~~~~~~~(\_\_)\textbackslash{}~~~~~~~)\textbackslash{}/\textbackslash{}~\\
	/\_|~\textbackslash{}\_\_/~|\_\textbackslash{}~~~~~~~~~U~~||-{}-{}-{}-w~|~\\
	~~~\textbackslash{}\_\_U\_/~~~~~~~~~~~~~~~||~~~~~||\\
	(sparc64)~~~~~~~~~~~(parisc)}\\

	\pause

	\item did I mention the customers that have to endure a reboot
	downtime now?

	\end{itemize}
}

\subsection{Outlook}

\frame{
	\begin{itemize}

	\item Why do users think they even need extra modules?

	\item When was the last time you used \texttt{-m fuzzy}?

	\end{itemize}

	\pause

	Nevertheless, that was p-o-m.

	\begin{itemize}

	\item Don't forget\ --- \textsf{ipt\_ROUTE} is \textit{gone}\ ---
	replaced by standard, proper policy routing (cf.\ iproute2).

	\pause

	\item Stop using ifconfig/route/arp.
	Use iproute2.

	\end{itemize}
}

\section{Xtables-addons}

\subsection{Description}

\frame{
	\frametitle{For end users}

	\begin{itemize}

% Long gone are those days. At the start of 2008, Jan introduced
% Xtables-addons, the successor to patch-o-matic, but which was not composed of
% patches, but plain files that could be directly compiled as KMPs.

	\item No patches, just \textbf{module source files}.

	\item Compile, no reboot needed.

% This made it a whole lot easier for Linux distributions to ship these
% extensions as they no longer had to patch their kernels to death.

	\item Much easier for Linux distros to include

	\item Integrates nicely with kernel updates

	\end{itemize}
}

\frame{
	\frametitle{For API users}

	\begin{itemize}

% In this process, Jan devised
% compat_xtables.c, a layer that turned out a little uglier than
% anticipated but still kept most of the cruft out of the actual
% xt modules. Today, we can look at xt extension code that has
% just a single extra line to work with Xt-a:

	\item \texttt{compat\_xtables.c} acts as an API translator

	\item Often, \texttt{\#include
	\textquotedbl{}compat\_xtables.h\textquotedbl{}} is all that is needed.
	Barely any \texttt{\#if}s in the extension files.

	\item Support for a large range of Linux kernel versions, down to
	Linux 2.6.17 (4 years of coverage)

	\end{itemize}
}

\subsection{Downsides}

\frame{
	\frametitle{Downsides}

	\begin{itemize}

%Of course, there are a few drawbacks. Since Xt-a still supports
%kernels before 2.6.24 (look - 4 year coverage! Happy be thy
%RHEL5 addicts.), net namespaces cannot easily be used
%without introducing #ifdefs. (Then again, we don't seem to need
%them that much.)

	\item not every newer kernel API can be emulated or turned into a
	no-op on older kernels, e.g.:

	\begin{itemize}

	\item net namespaces

	\item crypto

	\item other seldom-used functions

	\end{itemize}

	\item patching the kernel source, like header files (as \textsf{IMQ}
	and \textsf{layer7} require), is not within scope.

	\begin{itemize}

		\item but you could still make use of the glue code for the
		parts that do not patch existing files

	\end{itemize}

	\end{itemize}
}

\subsection{Submission}

\frame{
	\frametitle{Submit your module to Xt-a}

	...or even the kernel, because:

	\begin{itemize}

	\item your code gets reviewed by others (catching portability bugs
	like the alignment issue shown earlier)

	\item may even be fixed for you

	\item less porting work for you by using the compat layer

	\item benefit from community updates

	\end{itemize}

	Documentation:

	\begin{itemize}

	\item {}``Writing Netfilter modules''\\
	{\small Book in PDF format on \url{http://jengelh.medozas.de/}}

	\end{itemize}
}

\section{Questions}

\frame{
	\frametitle{Questions?}

	\begin{itemize}

	\item Obligatory URLs

	\begin{itemize}

	\item \url{http://xtables-addons.sf.net/}

	\item 
	\url{git://xtables-addons.git.sf.net/gitroot/xtables-addons/xtables-addons}

	\item \url{http://xtables-addons.git.sf.net/} (gitweb)

	\end{itemize}

	\item Availability

	\begin{itemize}

	\item Non-exhaustive list 2010: Alpine Linux, Arch, CRUX, Debian,
	Gentoo, openSUSE, OpenWRT, Polish Linux Distribution (PLD), Slackware

	\item \url{http://freshmeat.net/projects/xtables-addons/}

	\end{itemize}

	\end{itemize}
}

\end{document}

