Mr Aijay Adams and I are back making my Fireplace Internet / Smart device controllable. Now, via a very sexy Web UI, when I'm heading back to Chateau Tahoe, I can turn my fireplace on to be ready as soon as I walk in the door. Sexy warmth controlled by a sexy custom made API.
A goal was to keep the original switch working too, so we can be Cave people as well!
Are you using the latest Linux kernel firewall? Here are some notes I've saved that I use and forget all the time.
I plan to add to this as I do more. Hopefully it helps you work something out one day.
Note: I am using inet tables combining my IPv4 and IPv6 rulesets.
List Tables
sudo nft list table inet filter -n -a
sudo nft list table inet nat -n -a
-n: numeric
-a: handle (object handles)
Add a rule
nft insert rule inet filter OUTPUT position 0 icmpv6 type {nd-router-advert} drop
Delete a rule
nft delete rule inet filter OUTPUT handle 41
ICMPv6 Types
Noting some handy IPv6 ICMP types. I use nftables to block RAs when my WAN is down.
Recently in the Terragraph project I work on we changed from RPM to OPKG to remove some dependencies (e.g. perl) and make our overall image size smaller. I've never driven OPKG, but know RPM, so I made this cheat sheet for my shit memory.
I'm cheap so I don't have a Table plugin, so I used Python to generate one 🤠
Recently a teammate and I came across a frame forwarding issue with ECMP on a hardware ASIC in a device I work on, where Flow labels are used in the ECMP hash. This was interesting because we found iperf was not setting the Flow label at all unless you specify the -L option, and due to this we saw TCP traffic taking different paths, contrary to what we thought we had configured in our FIB and what we actually wanted.
This sparked my interest in how popular platforms set the IPv6 Flow label for the different protocols: ICMPv6, TCP and UDP. With the Flow label being at Layer 3, I would expect it to be used the same way for each protocol, but I could not find literature to back this theory up. So I fired up Wireshark on Mac, Linux and Windows to find out what they do. Here are the results I found.
If you want to know more about what Flow Labels are I would recommend the following links:
With each protocol the client and the server maintained consistent Flow labels for the 'session' as expected, except for Windows with ICMPv6 Requests! Here Windows set the Flow label to 0 (0x00000000).
Tests Performed
To get my results I ran:
- ping6 -c 2 us.cooperlees.com (ICMPv6)
  - ping -6 us.cooperlees.com on Windows
- ssh -6 us.cooperlees.com (TCP)
  - Used putty on Windows
- Raw NTP UDP Query (UDP)
  - Python 3 Code: https://pastebin.com/RDBRqG0G
Linux
Test Distro: Ubuntu 18.04
Test Kernel: 4.15.0-23-generic
ICMPv6
- Different Flow label, but consistent for the 2 ping packets on each ICMPv6 Type 128/129 packet from sender and receiver
TCP
- Different Flow label for sender and receiver but consistent across the SSH connection.
UDP
- Different Flow label for sender and receiver for each UDP packet as expected.
Mac OS X
Test Version: 10.13.6 17G65
Test Kernel: Darwin Kernel Version 17.7.0
ICMPv6
- Different Flow label, but consistent for the 2 ping packets on each ICMPv6 Type 128/129 packet from sender and receiver
TCP
- Different Flow label for sender and receiver but consistent across the SSH connection.
UDP
- Different Flow label for sender and receiver for each UDP packet as expected.
Windows
Test Version: Microsoft Windows [Version 10.0.16299.371]
ICMPv6
- Windows sets the ICMPv6 Type 128 (request) IPv6 Flow label to 0x00000000!
(I also noticed different DSCP for traffic class)
TCP
- Different Flow label for sender and receiver but consistent across the SSH connection.
UDP
- Different Flow label for sender and receiver for each UDP packet as expected.
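The same per-direction comparison done by eye in Wireshark above can be scripted. This is an added example, not code from the original post: it decodes the 20-bit Flow label from the fixed IPv6 header and reports whether each (source, destination, protocol) direction used a zero, consistent or varying label. The addresses, labels and helper names are constructed for illustration, and the UDP sample is assumed to model two separate queries.

```python
import ipaddress
import struct
from collections import defaultdict

PROTO = {6: "TCP", 17: "UDP", 58: "ICMPv6"}

def parse_ipv6_header(pkt: bytes) -> dict:
    """Decode the fixed 40-byte IPv6 header (RFC 8200, section 3)."""
    if len(pkt) < 40:
        raise ValueError("truncated IPv6 header")
    word, _plen, next_hdr, _hlim = struct.unpack("!IHBB", pkt[:8])
    if word >> 28 != 6:
        raise ValueError("not an IPv6 packet")
    tclass = (word >> 20) & 0xFF
    return {
        "dscp": tclass >> 2,             # upper 6 bits of the traffic class
        "flow_label": word & 0xFFFFF,    # low 20 bits of the first 32-bit word
        "proto": PROTO.get(next_hdr, str(next_hdr)),
        "src": str(ipaddress.IPv6Address(pkt[8:24])),
        "dst": str(ipaddress.IPv6Address(pkt[24:40])),
    }

def flow_label_report(packets) -> dict:
    """Map each (src, dst, proto) direction to zero / consistent / varies."""
    seen = defaultdict(set)
    for pkt in packets:
        h = parse_ipv6_header(pkt)
        seen[(h["src"], h["dst"], h["proto"])].add(h["flow_label"])
    return {k: "zero" if v == {0} else "consistent" if len(v) == 1 else "varies"
            for k, v in seen.items()}

def build_header(src, dst, next_hdr, flow_label, tclass=0) -> bytes:
    """Construct a header-only sample packet (test data, not a capture)."""
    word = (6 << 28) | (tclass << 20) | flow_label
    return (struct.pack("!IHBB", word, 0, next_hdr, 64)
            + ipaddress.IPv6Address(src).packed + ipaddress.IPv6Address(dst).packed)

# Constructed sample: documentation-prefix addresses, made-up labels.
C, S = "2001:db8::10", "2001:db8::20"
SAMPLE = [
    build_header(C, S, 58, 0x00000), build_header(C, S, 58, 0x00000),  # requests, label 0
    build_header(S, C, 58, 0x5A1C3), build_header(S, C, 58, 0x5A1C3),  # replies
    build_header(C, S, 6, 0x1B2C3), build_header(C, S, 6, 0x1B2C3),    # one TCP session
    build_header(C, S, 17, 0x0AAAA), build_header(C, S, 17, 0x0BBBB),  # two UDP queries
]

if __name__ == "__main__":
    for flow, verdict in flow_label_report(SAMPLE).items():
        print(flow, verdict)
```

Grouping here ignores ports because the sample packets carry no upper-layer header; on a real capture, add the source and destination ports to the key.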
From time to time I get asked (and I even have to ask a coworker) for the best way to install Python modules (especially ones with entry points) into a virtualenv and still edit / develop with them. It seems pip install's '-e' option is not well known.
pip install -e /path/you/are/editing
This will allow you to develop and run with all dependencies installed in your virtualenv.