Discussion:
cerowrt-3.10.36-6 released
Dave Taht
2014-04-19 20:01:41 UTC
+ felix's wifi patch for bug #442 added
please break wifi.

+ debloat qlens reduced again to 12 for be and bk wifi queues
+ heartbleed fix from -3 forward

I note that nearly every "secured"-by-openssl network facing daemon has been
shown vulnerable to heartbleed. The hole in openvpn bit *me*, in
particular. I've updated, rekeyed and re-certified the vpns I have in
place, and you should too for any openvpn servers and clients you have
too.

It was a real PITA for me, and I only had a few boxes on it.

For more details, see: http://community.openvpn.net/openvpn/wiki/heartbleed

For more details on the daemons potentially affected by heartbleed in
cerowrt, openwrt, and others, see the advisory at:

http://www.bufferbloat.net/news/50

+ resync with openwrt
notably there were updates to netifd, and a fix for a strongswan CVE

+ dnscrypt added as an optional package (thx stephen walker and "mailjoe")
+ snort added as an optional package

+/- full dnssec
- upgrade to httping 2.x broke
- no sqm autotuning yet
- neither snort nor dnscrypt tested

If you are not experiencing problems with wifi or with heartbleed
there are few reasons to update to this release.

I wanted to note to those that use sysupgrade without a clean reflash, in
that the /etc/opkg.conf file is not re-written in this case, and still
points to the old repository. If you wish to install additional packages
after an inplace upgrade, you will have to also update /etc/opkg.conf to
point to the right place.
--
Dave Täht

NSFW: https://w2.eff.org/Censorship/Internet_censorship_bills/russell_0296_indecent.article
Richard O
2014-04-20 07:37:00 UTC
Post by Dave Taht
If you are not experiencing problems with wifi or with heartbleed
there are few reasons to update to this release.
I've been running 3.10.34-4 for awhile now and haven't run into any issues,
wifi or not.

Are there any other reasons to upgrade aside from heartbleed and DNSSEC?

Also, does this release use simplest.qos on inbound? I am hesitant to
upgrade solely for this reason.
Dave Taht
2014-04-21 19:10:16 UTC
Post by Richard O
Post by Dave Taht
If you are not experiencing problems with wifi or with heartbleed
there are few reasons to update to this release.
I've been running 3.10.34-4 for awhile now and haven't run into any issues,
wifi or not.
Are there any other reasons to upgrade aside from heartbleed and DNSSEC?
Also, does this release use simplest.qos on inbound? I am hesitant to
upgrade solely for this reason.
It uses the algorithm from simplest.qos, yes. There is a hook to make it
use the prior three tier thing on inbound, too.
Post by Richard O
_______________________________________________
Cerowrt-devel mailing list
https://lists.bufferbloat.net/listinfo/cerowrt-devel
--
Dave Täht

NSFW: https://w2.eff.org/Censorship/Internet_censorship_bills/russell_0296_indecent.article
Sebastian Moeller
2014-04-20 20:46:49 UTC
Hi Dave,
Post by Dave Taht
- no sqm auto tuning yet
Note, all you need is to put the word "auto" (without the quotes) in the fields named:
Latency target for ingress, e.g 5ms [units: s, ms, or us]; leave empty for default, or auto for automatic selection.
and
Latency target for egress, e.g. 5ms [units: s, ms, or us]; leave empty for default, or auto for automatic selection..

The bigger caveat is that the current implementation probably is not ideal and could need a bit of data guided optimization…

@Dave: if you think this is ready to be inflicted upon the greater cerowrt community I can see what is required to actually make SQM default to that behavior..

Best Regards
sebastian
Dave Taht
2014-04-21 19:09:09 UTC
Post by Sebastian Moeller
Hi Dave,
Post by Dave Taht
- no sqm auto tuning yet
Latency target for ingress, e.g 5ms [units: s, ms, or us]; leave empty for default, or auto for automatic selection.
and
Latency target for egress, e.g. 5ms [units: s, ms, or us]; leave empty for default, or auto for automatic selection..
The bigger caveat is that the current implementation probably is not ideal and could need a bit of data guided optimization…
And more eyeballs.
Post by Sebastian Moeller
@Dave: if you think this is ready to be inflicted upon the greater cerowrt community I can see what is required to actually make SQM default to that behavior..
Inflict away.
--
Dave Täht

NSFW: https://w2.eff.org/Censorship/Internet_censorship_bills/russell_0296_indecent.article
Sebastian Moeller
2014-04-21 19:18:33 UTC
Hi Dave,
Post by Dave Taht
Post by Sebastian Moeller
Hi Dave,
Post by Dave Taht
- no sqm auto tuning yet
Latency target for ingress, e.g 5ms [units: s, ms, or us]; leave empty for default, or auto for automatic selection.
and
Latency target for egress, e.g. 5ms [units: s, ms, or us]; leave empty for default, or auto for automatic selection..
The bigger caveat is that the current implementation probably is not ideal and could need a bit of data guided optimization…
And more eyeballs.
Oh, sure!
Post by Dave Taht
Post by Sebastian Moeller
@Dave: if you think this is ready to be inflicted upon the greater cerowrt community I can see what is required to actually make SQM default to that behavior..
Inflict away.
Great, I just pushed a number of changes reworking the handling of IFB devices (WIP, lightly tested, not fully complete but saner than the previous hard coding). I also snuck in the change I believe to be the last missing piece to change the "default" behavior to auto.
How do I build an ipk packet from ceropackages? Then I could go and test a fresh install to see whether the committed changes actually change the default ;). Oh and I do hope you have/will have a great vacation.


Best Regards
Sebastian
Dave Taht
2014-04-21 19:42:13 UTC
Post by Sebastian Moeller
Hi Dave,
Post by Dave Taht
Post by Sebastian Moeller
Hi Dave,
Post by Dave Taht
- no sqm auto tuning yet
Latency target for ingress, e.g 5ms [units: s, ms, or us]; leave empty for default, or auto for automatic selection.
and
Latency target for egress, e.g. 5ms [units: s, ms, or us]; leave empty for default, or auto for automatic selection..
The bigger caveat is that the current implementation probably is not ideal and could need a bit of data guided optimization…
And more eyeballs.
Oh, sure!
Post by Dave Taht
Post by Sebastian Moeller
@Dave: if you think this is ready to be inflicted upon the greater cerowrt community I can see what is required to actually make SQM default to that behavior..
Inflict away.
Great, I just pushed a number of changes reworking the handling of IFB devices (WIP, lightly tested, not fully complete but saner than the previous hard coding). I also snuck in the change I believe to be the last missing piece to change the "default" behavior to auto.
How do I build an ipk packet from ceropackages? Then I could go and test a fresh install to see whether the committed changes actually change the default ;).
Well, it helps to have a buildable cerowrt of your own... OR, you can just
bump up the version numbers in the makefiles like I just did, and do a new
build of the "stable"-ish cerowrt (3.10.36-6), push it out, which I just did,
and ask folk to make sure their /etc/opkg.conf points to the right 3.10.36-6
repo, and to then do a

opkg update
opkg upgrade luci-app-sqm sqm-scripts

which should pick up and install those two packages for further testing.

I do look forward to the day where the kernel settles down enough to be able to
incrementally improve/update/fix various packages and libraries only,
or we come up with a way to make incremental updates work more often.

...

in other news, making a little headway on the ubnt edgerouter:

http://community.ubnt.com/t5/EdgeMAX/S-FQ-CoDel-Support-Possible/m-p/800436/highlight/false#M28705


...
Post by Sebastian Moeller
Oh and I do hope you have/will have a great vacation.
thx. turned out getting a hotel in SJDS on easter was too hard so I
didn't jump on a plane this weekend. I went biking in SF instead. Fell
and either bruised or broke a rib. Not sure if I'm going anywhere
after that.

It was nice to not think about the internet for a while anyway.
--
Dave Täht

NSFW: https://w2.eff.org/Censorship/Internet_censorship_bills/russell_0296_indecent.article
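
An added example (not part of the original thread and not CeroWrt's own tooling): a shell check for the situation described above, where an in-place sysupgrade leaves /etc/opkg.conf pointing at the old repository, so it is worth running before `opkg update`. The helper names `stale_feeds` and `write_sample_conf` are hypothetical, and the sample config with its repo.example.invalid URLs is constructed, not the project's real repository layout.

```shell
#!/bin/sh
# Added example, not CeroWrt's own tooling.

# stale_feeds RELEASE [CONF]
# Prints "name url" for every src or src/gz feed in CONF whose URL does not
# contain RELEASE. Exit status: 0 all feeds match, 1 at least one stale feed,
# 2 CONF unreadable or without any feed line.
stale_feeds() {
    release=$1
    conf=${2:-/etc/opkg.conf}
    [ -r "$conf" ] || return 2
    awk -v rel="$release" '
        /^[[:space:]]*#/ { next }              # skip commented-out feeds
        $1 == "src" || $1 == "src/gz" {        # feed line: type name url
            feeds++
            # index() is a literal substring test, so the dots in the
            # release string are not treated as regex wildcards
            if (index($3, rel) == 0) { print $2, $3; stale++ }
        }
        END {
            if (feeds == 0) exit 2
            exit (stale > 0 ? 1 : 0)
        }
    ' "$conf"
}

# Constructed sample: an opkg.conf as an in-place upgrade might leave it,
# with one feed still naming an older release. URLs are placeholders.
write_sample_conf() {
    cat > "$1" <<'EOF'
# package feeds
src/gz base http://repo.example.invalid/cerowrt-3.10.34-4/packages/base
src/gz luci http://repo.example.invalid/cerowrt-3.10.36-6/packages/luci
dest root /
option overlay_root /overlay
EOF
}

sample=$(mktemp)
write_sample_conf "$sample"
if stale_feeds 3.10.36-6 "$sample"; then
    echo "all feeds reference 3.10.36-6"
else
    echo "the feeds listed above do not reference 3.10.36-6"
fi
rm -f "$sample"
```

On a router, call `stale_feeds 3.10.36-6` with no second argument to check /etc/opkg.conf itself.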
Sebastian Moeller
2014-04-21 21:34:03 UTC
Hi Dave,
Post by Sebastian Moeller
Hi Dave,
Post by Dave Taht
Post by Sebastian Moeller
Hi Dave,
Post by Dave Taht
- no sqm auto tuning yet
Latency target for ingress, e.g 5ms [units: s, ms, or us]; leave empty for default, or auto for automatic selection.
and
Latency target for egress, e.g. 5ms [units: s, ms, or us]; leave empty for default, or auto for automatic selection..
The bigger caveat is that the current implementation probably is not ideal and could need a bit of data guided optimization…
And more eyeballs.
Oh, sure!
Post by Dave Taht
Post by Sebastian Moeller
@Dave: if you think this is ready to be inflicted upon the greater cerowrt community I can see what is required to actually make SQM default to that behavior..
Inflict away.
Great, I just pushed a number of changes reworking the handling of IFB devices (WIP, lightly tested, not fully complete but saner than the previous hard coding). I also snuck in the change I believe to be the last missing piece to change the "default" behavior to auto.
How do I build an ipk packet from ceropackages? Then I could go and test a fresh install to see whether the committed changes actually change the default ;).
Well, it helps to have a buildable cerowrt of your own…
;)
OR, you can
just bump up the version numbers
in the makefiles like I just did, and do a new build of the
"stable"-ish cerowrt (3.10.36-6), push it out, which I just
did, and ask folk to make sure their /etc/opkg.conf points to the
right 3.10.36-6 repo, and to then do a
opkg update
opkg upgrade luci-app-sqm sqm-scripts
which should pick up and install those two packages for further testing.
Great, since I was still on 3.10.36-4 I just started the sysupgrade -n to the new version. I assume it will drag in the new packets automagically and I should be able to see whether it worked...
So, it seems to work now, unless one re-imports one's old config/sqm. I note that the current implementation is quite gentle, set the rates < 300kbps to actually see a change as reported by "tc -d qdisc".
Now I just need to handle the situation that we are out of IFBs and then that is hopefully finished (the sanitize IFB handling part)
I do look forward to the day where the kernel settles down enough to be able to
incrementally improve/update/fix various packages and libraries only,
or we come up with a way to make incremental updates work more often.
More like a real distribution ;)
...
http://community.ubnt.com/t5/EdgeMAX/S-FQ-CoDel-Support-Possible/m-p/800436/highlight/false#M28705
Mmmh, maybe this can act as a somewhat future proof shaper/outer firewall combination, then the secondary cerowrt router will only have to deal with isolating the radios.
...
Post by Sebastian Moeller
Oh and I do hope you have/will have a great vacation.
thx. turned out getting a hotel in SJDS on easter was too hard so I
didn't jump on a plane this weekend. I went biking in SF instead.
So far this looked like an excellent weekend!
Fell and either bruised or broke a rib.
I hope it is just a bruise...
Not sure if I'm going anywhere
after that.
"Gute Besserung", as we say over here, get well soon!
It was nice to not think about the internet for a while anyway.
Ah, exactly my plan for the rest of the month…

Best Regards
Sebastian