if I am needed

Dave Taht dave.taht at gmail.com
Sun Mar 25 21:12:35 UTC 2012


On Sun, Mar 25, 2012 at 1:40 PM, Francis Dupont <fdupont at isc.org> wrote:

> > wake me up at the quality inn hotel, (831) 427-1616 room 103
>
> => we got it to work, some comments about the WNDR3800 sd-b4
>

yea! I can go back to sleep.


> (we jumped the WNDR3700v2 but it should have the same problems):
>  - I tried to debug the dhclient6 init script:
>  * dhclient -6 requires '-D LL' to build a repeatable and
>   easy to predict DUID in the LL format (vs LLT format, which
>   is the MAC address + time stamp)
>
As if you know the time before you have an ntp lock, which you can't get
before you get on the internet.


>  * for an unknown reason the MAC address is one less than written
>   on the box and returned by 'ip addr' ? Can't say why...
>   (the answer is in the code in dhclient which computes the DUID LL)
>
>
Sorry about that.

There are only 3 mac addresses on the box that are real. The rest are
generated via various algorithms. You probably hit the flip the 'local' bit
one?

>  * uci fails to get the wan interface (BTW with B4 there are two
>   wan interfaces, one (tun0) for IPv4, one (ge00) for IPv6
>
>
not clear to me this issue, something like uci get network.ge00.addr
(syntax maybe off) would work.


>  - the iptables is a mess, I had to flush it (-F -X) and to
>   put the default policy for FORWARD
>
>
I tried to clear out as many rules as possible, but in general, iptables
rules are messy to deal with. And for every rule, there's a requirement of
some sort.

My own gripe is that by default all protocols are blocked, and individually
opening up each one costs performance. (the overhead of the default
firewall rules on forwarding performance is over 20% - and I actually ship
LESS rules by default than openwrt does, and most firewall boxes have
hundreds)

I've been meaning to write an iptables module for protocol matches, so that
the ipv6tables rule would look like, for example:

ip6tables -A FORWARD -m protocols --protocols
1,2,4,6,7,17,33,41,47,50,51,58,89,94,97,98,103,112,115,124,144,132,136,138,139,140,141
-j ACCEPT

As you might imagine, writing a rule for each of these would seriously
cost, whereas this is a single bitfield lookup. Sadly, I've had no time to
do this since realizing it was a good idea, nor have I managed to tom
sawyer someone else into doing it. By default there's about 6? 7? protocols
open on ipv4...

did you also have to nuke the ip6tables ?

>  - default dnsmasq arguments didn't work, I relaunched without any
>   argument to fix it
>

hmm. What I had was working for me.


>
> but it finished by working before the end of demo...
>
> I fixed the DHCPv6 server entries (required the LL prefix (03:01?)
> and -1 on the last byte. (PS: on the SD-AFTR).
>
I had figured you'd just ifconfig ge00 and go from there.


> I ran the PCP + incoming connection from the Internet on the laptop
> SD-B4 but it should work on the WNDR SD-B4 too.
>
> I didn't try the ICMP stuff, in fact with DHCPv4 over IPv6 it was the
> only part we skipped. In particular the SD-AFTR failover works great.
>
>
cool.

Have a fun conference!

If you can slam a copy of the entire working /etc directory somewhere I
will diff it against what is in the current images and fix it for the next
demos april 4.



> Regards
>
> Francis Dupont <fdupont at isc.org>
>



-- 
Dave Täht
SKYPE: davetaht
US Tel: 1-239-829-5608
http://www.bufferbloat.net
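The single-bitfield protocol match Dave sketches above, written here as an added user-space model for this page (it is not code from the thread, from OpenWrt or from any real iptables/xt module; `proto_set_parse` and `proto_set_match` are hypothetical names). The list is parsed once into a 256-bit map and every packet costs one bit test rather than a walk through one ACCEPT rule per protocol; malformed entries make the parse fail instead of silently opening or dropping something.

```c
/* Added example: model of a "-m protocols --protocols a,b,c" match.
 * Hypothetical names; not part of the thread or of any kernel module. */
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define PROTO_WORDS 4          /* 4 x 64 bits covers IP protocol numbers 0..255 */

typedef struct {
    uint64_t bits[PROTO_WORDS];
} proto_set;

/* Parse "1,2,17,..." into the set.  Returns the number of entries
 * accepted, or -1 on a malformed entry (non-numeric, out of 0..255,
 * empty element or trailing comma) so a bad rule fails closed. */
int proto_set_parse(const char *list, proto_set *set)
{
    memset(set, 0, sizeof(*set));
    int count = 0;
    const char *p = list;
    while (*p) {
        char *end;
        long v = strtol(p, &end, 10);
        if (end == p || v < 0 || v > 255)
            return -1;                      /* not a protocol number */
        if (*end != ',' && *end != '\0')
            return -1;                      /* junk after the number */
        set->bits[v / 64] |= (uint64_t)1 << (v % 64);
        count++;
        if (*end == ',' && end[1] == '\0')
            return -1;                      /* trailing comma */
        p = (*end == ',') ? end + 1 : end;
    }
    return count;
}

/* The per-packet decision: one index, one shift, one AND. */
int proto_set_match(const proto_set *set, unsigned proto)
{
    if (proto > 255)
        return 0;
    return (int)((set->bits[proto / 64] >> (proto % 64)) & 1);
}
```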