From: Sebastian Moeller
To: Dave Taht
Cc: "cerowrt-devel@lists.bufferbloat.net"
Subject: Re: [Cerowrt-devel] cerowrt-3.10.36-6 released
Date: Mon, 21 Apr 2014 23:34:03 +0200
Message-Id: <3AB2E4CD-5DC7-4ACA-A5F7-DC2807059906@gmx.de>

Hi Dave,

On Apr 21, 2014, at 21:42 , Dave Taht wrote:

> On Mon, Apr 21, 2014 at 12:18 PM, Sebastian Moeller wrote:
>> Hi Dave,
>>
>> On Apr 21, 2014, at 21:09 , Dave Taht wrote:
>>
>>> On Sun, Apr 20, 2014 at 1:46 PM, Sebastian Moeller wrote:
>>>> Hi Dave,
>>>>
>>>> On Apr 19, 2014, at 22:01 , Dave Taht wrote:
>>>>
>>>>> + felix's wifi patch for bug #442 added
>>>>> please break wifi.
>>>>>
>>>>> + debloat qlens reduced again to 12 for be and bk wifi queues
>>>>> + heartbleed fix from -3 forward
>>>>>
>>>>> I note that nearly every "secured"-by-openssl network facing daemon has been
>>>>> shown vulnerable to heartbleed. The hole in openvpn bit *me*, in
>>>>> particular. I've updated, rekeyed and re-certified the vpns I have in
>>>>> place, and you should too for any openvpn servers and clients you have
>>>>> too.
>>>>>
>>>>> It was a real PITA for me, and I only had a few boxes on it.
>>>>>
>>>>> For more details, see: http://community.openvpn.net/openvpn/wiki/heartbleed
>>>>>
>>>>> For more details on the daemons potentially affected by heartbleed in
>>>>> cerowrt, openwrt, and others, see the advisory at:
>>>>>
>>>>> http://www.bufferbloat.net/news/50
>>>>>
>>>>> + resync with openwrt
>>>>> notably there were updates to netifd, and a fix for a strongswan CVE
>>>>>
>>>>> + dnscrypt added as an optional package (thx stephen walker and "mailjoe")
>>>>> + snort added as an optional package
>>>>>
>>>>> +/- full dnssec
>>>>> - upgrade to httping 2.x broke
>>>>> - no sqm auto tuning yet
>>>>
>>>> Note, all you need is to put the word "auto" (without the quotes) in the fields named:
>>>> Latency target for ingress, e.g 5ms [units: s, ms, or us]; leave empty for default, or auto for automatic selection.
>>>> and
>>>> Latency target for egress, e.g. 5ms [units: s, ms, or us]; leave empty for default, or auto for automatic selection..
>>>>
>>>> The bigger caveat is that the current implementation probably is not ideal and could need a bit of data guided optimization…
>>>
>>> And more eyeballs.
>>
>> Oh, sure!
>>
>>>
>>>> @Dave: if you think this is ready to be inflicted upon the greater cerowrt community I can see what is required to actually make SQM default to that behavior..
>>>
>>> Inflict away.
>>
>> Great, I just pushed a number of changes reworking the handling of IFB devices (WIP, lightly tested not fully complete but saner than the previous hard coding). I also snuck in the change I believe to be the last missing piece to change the "default" behavior to auto.
>> How do I build an ipk packet from ceropackages? Then I could go and test a fresh install to see whether the committed changes actually change the default ;).
>
>
> Well, it helps to have a buildable cerowrt of your own… ;)
> OR, you can
> just bump up the version numbers
> in the makefiles like I just did, and do a new build of the
> "stable"-ish cerowrt (3.10.36-6), push it out, which I just
> did, and ask folk to make sure their /etc/opkg.conf points to the
> right 3.10.36-6 repo, and to then do a
>
> opkg update
> opkg upgrade luci-app-sqm sqm-scripts
>
> which should pick up and install those two packages for further testing.

Great, since I was still on 3.10.36-4 I just started the sysupgrade -n to the new version. I assume it will drag in the new packets automagically and I should be able to see whether it worked...

So, it seems to work now, unless one re-imports one's old config/sqm. I note that the current implementation is quite gentle, set the rates < 300kbps to actually see a change as reported by "tc -d qdisc".

Now I just need to handle the situation that we are out of IFBs and then that is hopefully finished (the sanitize IFB handling part)

>
> I do look forward to the day where the kernel settles down enough to be able to
> incrementally improve/update/fix various packages and libraries only,
> or we come up with a way to make incremental updates work more often.

More like a real distribution ;)

>
> ...
>
> in other news, making a little headway on the ubnt edgerouter:
>
> http://community.ubnt.com/t5/EdgeMAX/S-FQ-CoDel-Support-Possible/m-p/800436/highlight/false#M28705

Mmmh, maybe this can act as a somewhat future proof shaper/outer firewall combination, then the secondary cerowrt router will only have to deal with isolating the radios.

>
>
> ...
>
>> Oh and I do hope you have/will have a great vacation.
>
> thx. turned out getting a hotel in SJDS on easter was too hard so I
> didn't jump on a plane this weekend. I went biking in SF instead.

So far this looked like an excellent weekend!

> Fell and either bruised or broke a rib.

I hope it is just a bruise...

> Not sure if I'm going anywhere
> after that.

"Gute Besserung", as we say over here, get well soon!

>
> It was nice to not think about the internet for a while anyway.

Ah, exactly my plan for the rest of the month…

Best Regards
Sebastian

>>
>> Best Regards
>> Sebastian
>>
>>>
>>>> Best Regards
>>>> sebastian
>>>>
>>>>> - neither snort nor dnscrypt tested
>>>>>
>>>>> If you are not experiencing problems with wifi or with heartbleed
>>>>> there are few reasons to update to this release.
>>>>>
>>>>> I wanted to note to those that use sysupgrade without a clean reflash,
>>>>> in that the
>>>>> /etc/opkg.conf file is not re-written in this case, and still points
>>>>> to the old repository.
>>>>> If you wish to install additional packages after an inplace upgrade,
>>>>> you will have
>>>>> to also update /etc/opkg.conf to point to the right place.
>>>>>
>>>>> --
>>>>> Dave Täht
>>>>>
>>>>> NSFW: https://w2.eff.org/Censorship/Internet_censorship_bills/russell_0296_indecent.article
>>>>> _______________________________________________
>>>>> Cerowrt-devel mailing list
>>>>> Cerowrt-devel@lists.bufferbloat.net
>>>>> https://lists.bufferbloat.net/listinfo/cerowrt-devel