Archive for the ‘tech’ Category
I found that jool has very good tutorials, but all the commands to get going are hidden in these large tutorials. Here are the steps I took to get it working on Ubuntu 20.04 on both a Raspberry Pi + Protectli Vault.
Please pre-read and refer to to Jool's Documentation for more information.
I have two Ubuntu 20.04 routers at home that run jool. Both routers/firewalls use NFTables so I'm just using jool
in netfilter mode. When direct nftables
support is implemented, I will move to this setup.

Quick Start/Setup jool
- On ubuntu 20.04 it's just an apt install
apt install jool-dkms jool-tool
sudo modprobe jool
- Add
jool
to /etc/modules to make persistent
- Add Stateful NAT64 pool
jool instance add --netfilter --pool6 64:ff9b::/96
- Here I used a oneshot systemd service to add on boot
[Unit]
Description=Add NAT64 netfilter pool6 to jool
[Service]
Type=oneshot
ExecStart=/usr/bin/jool instance add --netfilter --pool6 64:ff9b::/96
[Install]
WantedBy=multi-user.target
Handy Commands
- See instace
jool instance display
jool instance status
- See sessions
- Global config
- Overall stats
Testing
Try and Ping + traceroute to Google's main IPv4 NS anycast address 8.8.8.8 via IPv6 64:ff9b::8.8.8.8:
My traceroute [v0.93]
coopbuntu (fd00:1::10) 2020-12-14T04:37:45+0000
Keys: Help Display mode Restart statistics Order of fields quit
Packets Pings
Host Loss% Snt Last Avg Best Wrst StDev
1. fd00:1::2 0.0% 11 2.5 2.3 2.1 2.6 0.1
2. (waiting for reply)
3. 64:ff9b::6022:7b58 0.0% 11 9.9 13.6 9.9 20.7 3.6
4. 64:ff9b::6022:7576 0.0% 11 18.6 14.0 11.3 18.6 2.7
5. 64:ff9b::6022:7932 0.0% 10 14.0 17.1 13.2 21.9 3.0
6. 64:ff9b::6022:b5 0.0% 10 20.6 22.3 18.1 28.2 3.5
7. 64:ff9b::6022:301 0.0% 10 22.1 18.9 17.0 22.1 1.5
8. 64:ff9b::4a7d:3072 0.0% 10 26.2 21.3 17.7 36.2 5.9
9. 64:ff9b::6caa:e636 0.0% 10 24.1 19.2 17.3 24.1 2.5
10. 64:ff9b::4a7d:fc97 0.0% 10 19.6 21.1 18.0 27.3 3.1
11. 64:ff9b::808:808 0.0% 10 17.1 18.2 16.5 24.5 2.4
Once ICMP works, move on to tcp.
ssh -v 64:ff9b::173.255.255.199
Session Table
jool session display
is your friend to see current translations
--numeric
stops the non parallel DNS resolution
Every 1.0s: sudo jool session display home1.cooperlees.com: Mon Dec 14 04:42:17 2020
---------------------------------
(ESTABLISHED) Expires in 1:59:31.440
Remote: us.cooperlees.com#ssh fd00:1::10#48656
Local: 66.214.99.163#61019 64:ff9b::adff:ffc7#22
---------------------------------
(V4_FIN_V6_FIN_RCV) Expires in 0:03:14.796
Remote: 5.85.222.35.bc.googleusercontent.com#http fd00:1::10#43868
Local: 66.214.99.163#62581 64:ff9b::23de:5505#80
---------------------------------
Posted in g33k, linux, tech |
I often use a lot of PyPI CLI tools. Here is an example of how to get them easily installed and kept up to date via Ansible on Ubuntu >= 18.04.
Install base pip
via apt then run pip:
- name: Get Python3 pip
package:
name: python3-pip
state: latest
- name: Add some handy Python PyPI Tools
pip:
name: "{{ item }}"
extra_args: --upgrade
with_items:
- "black"
- "coverage"
- "mypy"
- "pip"
- "setuptools"
Enjoy up to date core Python tools + handy CLIs for dev work.
Please do NOT use on a Production host ...
Posted in g33k, python, tech, Uncategorized |
Recently a teammate and I have come across a frame forwarding issue with ECMP on a hardware ASIC in a device I work on where the use of Flow labels are used in the ECMP hash. This was interesting as we found iperf
was not setting the Flow label at all, unless you specify the -L
option and due to this we saw TCP traffic taking different paths, contradictory to what we thought we had configured in our FIB and what we actually wanted.
This sparked interest in me then wondering how popular platforms set the IPv6 Flow label for the different protocols; that being, ICMPv6, TCP and UDP. The Flow label being at Layer 3, I would expect it used the same for each protocol, but I could not find literature to back this theory up. So I fired up Wireshark on Mac, Linux and Windows to find out what they do. Here are my results I found.
If you want to know more about what Flow Labels are I would reccomened the following links:
- Wikipedia: https://en.wikipedia.org/wiki/IPv6_packet#Fixed_header
- RFC: https://tools.ietf.org/html/rfc6437
Summary
With each protocol the client and the server maintained consistent Flow labels for the 'session' as expected, except for Windows with ICMPv6 Requests! Here Windows set the Flow label to 0 (0x00000000).
Tests Performed
To get my results I ran:
ping6 -c 2 us.cooperlees.com
(ICMPv6)
- ping -6 us.cooperlees.com on Windows
ssh -6 us.cooperlees.com
(TCP)
- Used putty on Windows
Raw NTP UDP Query
Python 3 Code: https://pastebin.com/RDBRqG0G
(UDP)
Linux
Test Distro: Ubuntu 18.04
Test Kernel: 4.15.0-23-generic
ICMPv6
- Different Flow label, but consistent for the 2 ping packets on each ICMPv6 Type 128/129 packet from sender and receiver
TCP
- Different Flow label for sender and receiver but consistent across the SSH connection.
UDP
- Different Flow label for sender and receiver for each UDP packet as expected.
Mac OS X
Test Version: 10.13.6 17G65
Test Kernel: Darwin Kernel Version 17.7.0
ICMPv6
- Different Flow label, but consistent for the 2 ping packets on each ICMPv6 Type 128/129 packet from sender and receiver
TCP
- Different Flow label for sender and receiver but consistent across the SSH connection.
UDP
- Different Flow label for sender and receiver for each UDP packet as expected.
Windows
Test Version: Microsoft Windows [Version 10.0.16299.371]
ICMPv6
- Windows sets the ICMPv6 Type 128 (request) IPv6 Flow label to 0x00000000!
(I also noticed different DSCP for traffic class)
TCP
- Different Flow label for sender and receiver but consistent across the SSH connection.
UDP
- Different Flow label for sender and receiver for each UDP packet as expected.
Tags: flow, icmpv6, ipv6, label, mac, os x, ping6, tcp, tcp6, ubuntu, udp, udp6, windows
Posted in cisco, g33k, juniper, linux, tech, Uncategorized |
Ever have to update/merge a PR on BitBucket with Mercurial? I couldn't find documentation anywhere, so doing so here:
- hg up BOOKMARK_NAME
- hg merge [--preview] -r REV
- If EDITOR is not set:
export EDITOR=vim
- hg resolve --all
- hg commit -m "Merge with default"
- hg push --allow-anon
Tags: bitbucket, bookmark, control, hg, mercurial, merge, rebase, scm, source
Posted in g33k, tech |
Especially because:
https://github.com/python/cpython/commit/47320a652e872003f3dd3a9db4243067b09dd316#diff-c6a3fa0ad7b17f8e32f340835a4e5353
🙂
Tags: 3.7, path, pathlib, posix, python, python3
Posted in g33k, tech |
So, every now and then on a PR I need to rebase and fix things so I can retest etc. - I always forget this so blogging it to remember.
Scenario:
I have a diff on origin/master on my forked repo and I need a rebase from upstream/master (where I forked from).
Process:
Github recommends merging (https://help.github.com/articles/syncing-a-fork/), this is not always the best way. I do the following:
- git remote add upstream https://github.com/python/cpython.git
- git fetch upstream master
- git rebase upstream/master (no space here '/' instead)
I hope this saves you some time as I continually waste time here.
Tags: git, github, rebase, upstream
Posted in g33k, linux, tech, Uncategorized |
Recently @ Facebook we found that we required IPv6 access to TACACS for auth (AAA) for the majority of our production Network Equipment. Tacacs+ (tac_plus) is an old daemon released by Cisco in the late 90s. It still works (even at our scale) and the config was doing what we required, so it was decided that we should add IPv6 Support to it to move forwards until we no longer require TACACS for authentication, authorization and accounting.
IPv6 has been added in true dirty 90s C code style via pre-processor macros. The source is publicly available via a GitHub Repository.
This version is based off F4.0.4.19 with the following patches (full history can be seen in the Git Repository):
- Logging modifications
- PAM Support
- MD5 support
- IPv6 (AF_INET6) Socket Listening
Readme.md has most of the information you require to build the software and I have included RPM .spec files (that have been tested on CentOS 6). The specs generate two RPMS with tacacs+6 relying on the tacacs+ rpm to be installed for libraries and man pages.
RPMS Build on CentOS 6.5 x86_64 + SRC rpms avaliable here: http://cooperlees.com/rpms/
Usage Tips:
- Do not add listen directives into tac_plus.conf so that each daemon can load the same conf file (for consistency)
- Logging:
- /var/log/tac_plus.acct and tac_plus6.acct are where accounting information will go (as well as syslog) - Logrotate time ...
- /var/log/tac_plus.log and tac_plus6.log is where default debug logs will go
- Configure syslog to send the LOG_LOCAL3 somewhere useful (this will get both tac_plus and tac_plus6 log information)
- Pid Files will live in /var/run/tac_plus.pid.0.0.0.0 and tac_plus6.pid.::
- The RPM does not /sbin/chkconfig --add or enable, so be sure to enable the version of tac_plus you require.
Tested Support on Vendor Hardware
- Arista EoS (4.13.3F): need to use 'ipv6 host name ::1' as TACACS conf can't handle raw IPv6 addresses (lame)
- Cisco NXOS (6.0(2)U2(4) [build 6.0(2)U2(3.6)]):
feature tacacs+
tacacs-server key 7 "c00p3rIstheMan"
tacacs-server host a:cafe::1
tacacs-server host b:b00c::2
aaa group server tacacs+ TACACS
server a:cafe::1
server b:b00c::2
source-interface Vlan2001 (ensure what IP request will come from)
- Juniper: >= Junos 13.3R2.7 required for IPv6 Tacacs (Tested on MX)
I know it's old school code but please feel free to submit bug patches / enhancements. This should allow us to keep this beast running until we can deprecate it's need ...
Tags: c, centos, code, cooper, facebook, github, ipv6, junos, lees, nxos, rpm, source, source code, tac_plus, tac_plus6, tacacs, v6
Posted in cisco, g33k, juniper, linux, tech |
Have you ever used the VMWare console over a WAN with latency and it enters multiple key strokes into the console and makes using the console super annoying! It makes me HATE VMWare and want to smash it into 10000 pieces with a baseball bat.
Well the answer is to add a line to your VMs VMX file to allow it to be 'laggier'. For example the following will give you 2 second between key strokes:
- keyboard.typematicMinDelay = "2000000"
For more information: http://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=196
Tags: annoying, fix, keystrokes, latency, linux, multiple, repeating, unusable, vmware
Posted in g33k, tech |
Recently I was required to do a network performance test between a Head Office and a WAN site. I knocked up this quick python script to parse the data collect to see the results. Thought it could be handy for others so here it is to download / share.
Download Script
Sample Output:
[plain]
cooper@dfbit:~/scripts/iperf-parse$ ./iperf-summary.py
------------------------------------
-- IPERF CSV Summariser --
-- Cooper Lees <me@cooperlees.com --
------------------------------------
-- SUMMARY --
- 20111212103043 to 20120103090052
- 1004 runs of IPERF
- Averages:
- Average Sent = 2.64M
- Average Received = 2.28M
- Average Send Bandwidth = 985.75K
- Average Receive Bandwidth = 805.12K
- Max Send Bandwidth = 1.08M (at 20111230183021)
- Max Receive Bandwidth = 837.16K (at 20120102113052)
------------------------------------
[/plain]
Code:
[python]
#!/usr/bin/python
# date,sender-ip,sender-port,receiver-ip,receiver-port,id,interval,transfer,bandwidth
# 20111212103043,10.120.15.8,45020,10.120.13.120,5001,5,0.0-21.4,2490368,931080
# 20111212103109,10.120.15.8,5001,10.120.13.120,57022,4,0.0-24.2,2228224,736145
FILENAME = 'client-iperf.log'
RUNS = 1
MAX_BANDWIDTH_SENT = 0
MAX_BANDWIDTH_SENT_DATE = 0
MAX_BANDWIDTH_RECEIVED = 0
MAX_BANDWIDTH_RECEIVED_DATE = 0
TOTAL_BANDWIDTH_SENT = 0
TOTAL_BANDWIDTH_RECEIVED = 0
TOTAL_SENT = 0
TOTAL_RECEIVED = 0
def convert_bytes(bytes):
bytes = float(bytes)
if bytes >= 1099511627776:
terabytes = bytes / 1099511627776
size = '%.2fT' % terabytes
elif bytes >= 1073741824:
gigabytes = bytes / 1073741824
size = '%.2fG' % gigabytes
elif bytes >= 1048576:
megabytes = bytes / 1048576
size = '%.2fM' % megabytes
elif bytes >= 1024:
kilobytes = bytes / 1024
size = '%.2fK' % kilobytes
else:
size = '%.2fb' % bytes
return size
f = open(FILENAME)
l1 = f.readline().strip().split(',')
l2 = f.readline().strip().split(',')
while l2 and l2[0] != '':
if RUNS == 1:
START = l1[0]
BW_SENT = int(l1[8])
BW_RECEIVED = int(l2[8])
TOTAL_SENT = TOTAL_SENT + int(l1[7])
TOTAL_RECEIVED = TOTAL_RECEIVED + int(l2[7])
TOTAL_BANDWIDTH_SENT = TOTAL_BANDWIDTH_SENT + int(l1[8])
TOTAL_BANDWIDTH_RECEIVED = TOTAL_BANDWIDTH_RECEIVED + int(l2[8])
if BW_SENT > MAX_BANDWIDTH_SENT:
MAX_BANDWIDTH_SENT = BW_SENT
MAX_BANDWIDTH_SENT_DATE = l1[0]
if BW_RECEIVED > MAX_BANDWIDTH_RECEIVED:
MAX_BANDWIDTH_RECEIVED = BW_RECEIVED
MAX_BANDWIDTH_RECEIVED_DATE = l2[0]
END = l2[0]
RUNS = RUNS + 1
l1 = f.readline().strip().split(',')
l2 = f.readline().strip().split(',')
f.close()
print "------------------------------------"
print " -- IPERF CSV Summariser -- "
print "-- Cooper Lees <me@cooperlees.com --"
print "------------------------------------"
print "-- SUMMARY --"
print "- %s to %s" % ( START, END )
print "- %d runs of IPERF" % RUNS
print "- Averages:"
print "-tAverage Sentttt= %s" % convert_bytes((TOTAL_SENT / RUNS))
print "-tAverage Receivedtt= %s" % convert_bytes((TOTAL_RECEIVED / RUNS))
print "-tAverage Send Bandwidthtt= %s" % convert_bytes((TOTAL_BANDWIDTH_SENT / RUNS))
print "-tAverage Receive Bandwidtht= %s" % convert_bytes((TOTAL_BANDWIDTH_RECEIVED / RUNS))
print "-tMax Send Bandwidthtt= %s (at %s)" % (convert_bytes((MAX_BANDWIDTH_SENT)), MAX_BANDWIDTH_SENT_DATE)
print "-tMax Receive Bandwidthtt= %s (at %s)" % (convert_bytes((MAX_BANDWIDTH_RECEIVED)), MAX_BANDWIDTH_RECEIVED_DATE)
print "------------------------------------"
[/python]
Cron Job Script to Collect Data:
[bash]
#!/bin/bash
SERVER="x.x.x.x"
LOG="client-iperf.log"
TIME="5"
echo "--> Starting iperf client @ $(date) ..." | tee -a $LOG
if [ "$1" == "-v" ]; then
iperf -t $TIME -c $SERVER -r -y C | tee -a $LOG
else
iperf -t $TIME -c $SERVER -r -y C >> $LOG
fi
echo "--> Finished iperf client @ $(date)" | tee -a $LOG
[/bash]
Tags: average, averages, csv, data, iperf, max, maximum, parse, python, summary
Posted in g33k, linux, solaris, tech |
32- and 64-bit PL2303 drivers for OS X 10.6 are available here.
You'll need to modify, as root, the '/System/Library/Extensions/ProlificUsbSerial.kext/Contents/Info.plist ' file after installing the driver to suit the USB manufacturer and device ID. For the ATEN UC232A, examples below appear to work for it (for me in 10.7).
To obtain the IDs, Wayne Roberts (who informed my via the SAGE-AU mailing lists), used 'USB Prober.app' which comes with the developer tools/XCode.
Modify the current lines of the XML:
[text]
# <key> can be the Hex values as 'Vendor'_'Product', Wayne thinks this is more cosmetic however.
<dict>
<key>0557_2008</key>
<dict>
----
# <idProduct> and <idVendor> should be the decimal of the respective values, as per USB Prober.app
<key>idProduct</key>
<integer>8200</integer>
<key>idVendor</key>
<integer>1367</integer>
[/text]
Once you've done this, either restart the machine or run 'kextunload' and 'kextload' on ProlificUsbSerial.kext and it should show up as /dev/tty.usbserial.
** If you have installed the UC232A Drivers, either rm or mv the 'UC-232AC.kext' before the reboot to avoid conflicts **
Tags: 107, aten, lion, mac, os, screen, serial, uc232a, usb, x
Posted in g33k, tech |