Fixing WiFi Multicast Flooding in bridged networks

I’m using MPD and PulseAudio’s RTP multicasting to get a seamless multi-room audio experience.

Unfortunately, if you’re using a network bridge to connect your wired and wireless LAN, using multicast RTP might have unintended consequences: All WiFi clients are flooded with multicast traffic, which can bring down the entire wireless network.

When multicast transmission arrives at the receiver’s LAN, it is flooded to every Ethernet switch port unless flooding reduction such as IGMP snooping is employed (Section 2.7). (RFC 5110, Section 2 “Multicast Routing”, page 4)

If you don’t want to set up IGMP snooping, you have two alternatives. You can either

  1. un-bridge Ethernet and WiFi interfaces and switch to a routed approach, or
  2. filter out multicast packets on their way from wired interface to wireless.

Since (1) has other implications that I’d rather avoid (e.g. it blocks broadcast traffic too, so service autodiscovery no longer works), I chose the second approach.

This can easily be achieved using ebtables, which allows link layer filtering on Linux bridge interfaces.

My router is running OpenWRT, which does not ship with ebtables by default, so it needs to be installed first:

# opkg update
# opkg install ebtables

This is what my bridge setup looks like:

# brctl show
bridge name     bridge id               STP enabled     interfaces
br-lan          7fff.12345678abcd       no              eth0.1
                                                        wlan0
                                                        wlan1
br-wan          7fff.12345678abcd       no              eth0.2

eth0.1, wlan0 and wlan1 are bridged. It’s a dual band router that has wifi interfaces for both the 2.4 GHz (wlan0) and the 5 GHz band (wlan1).

Now the filter rules need to be added. One rule for each wifi interface is necessary:

# ebtables -A FORWARD -o wlan0 -d Multicast -j DROP
# ebtables -A FORWARD -o wlan1 -d Multicast -j DROP

These rules tell ebtables to drop all multicast packets whose output device is either wlan0 or wlan1.

The effect is immediately noticeable. Before setting up multicast filtering the wifi interfaces were quite busy:

WiFi traffic with multicast filtering

Afterwards, there’s a lot less going on:

WiFi traffic without multicast filtering

To make the filtering permanent, simply add the ebtables commands to /etc/firewall.user.
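As an added example (not from the original post), the following script derives the rules above from the output of brctl show, so that a wireless interface added to the bridge later is not silently left unfiltered, and applies them in a way that is safe to re-run from /etc/firewall.user on every firewall reload. It assumes wireless interfaces follow the wlan* naming used above; the brctl output embedded in it is a constructed sample modelled on the listing in the post.

```shell
#!/bin/sh
# Added example, not from the original post: generate the ebtables rules
# for every wireless member of a bridge from `brctl show` output.
# Assumption: wireless interfaces are named wlan* as in the post.

# Constructed sample of `brctl show` output, modelled on the post.
SAMPLE_BRCTL='bridge name     bridge id               STP enabled     interfaces
br-lan          7fff.12345678abcd       no              eth0.1
                                                        wlan0
                                                        wlan1
br-wan          7fff.12345678abcd       no              eth0.2'

# bridge_wifi_members BRIDGE: read brctl output on stdin and print the
# wlan* members of BRIDGE, one per line.
bridge_wifi_members() {
    awk -v want="$1" '
        NR == 1 { next }                          # column header
        NF == 4 { cur = $1; iface = $4 }          # bridge line with its first port
        NF == 3 { cur = $1; iface = "" }          # bridge without ports
        NF == 1 { iface = $1 }                    # continuation line: another port
        cur == want && iface ~ /^wlan/ { print iface }
    '
}

# multicast_drop_rules BRIDGE BRCTL_TEXT [keep_broadcast]
# Print the commands from the post, one DROP per wifi interface. With a
# third argument, an ACCEPT for broadcast frames is emitted first: the
# ebtables keyword Multicast (01:00:00:00:00:00/01:00:00:00:00:00) also
# matches the broadcast address, so ARP requests and DHCP offers heading
# to wifi clients would otherwise be dropped as well.
multicast_drop_rules() {
    printf '%s\n' "$2" | bridge_wifi_members "$1" | while read -r dev; do
        [ -n "$3" ] && printf 'ebtables -A FORWARD -o %s -d Broadcast -j ACCEPT\n' "$dev"
        printf 'ebtables -A FORWARD -o %s -d Multicast -j DROP\n' "$dev"
    done
}

# apply_rules BRIDGE [keep_broadcast]: run the generated commands on the
# live bridge. A stale copy of each rule is deleted first (ebtables -D
# accepts a rule specification), so repeated runs do not stack duplicates.
apply_rules() {
    multicast_drop_rules "$1" "$(brctl show)" "$2" | while read -r cmd; do
        ${cmd%% -A *} -D ${cmd#* -A } 2>/dev/null
        $cmd
    done
}
```

Usage on the router: apply_rules br-lan (or apply_rules br-lan keep to preserve broadcast). Two effects of the unconditional DROP are worth knowing before deploying it: IPv6 on the wireless side stops working, because router advertisements and neighbour solicitations are multicast (ff02::1 and the solicited-node groups), and mDNS-based service discovery no longer reaches wireless clients for the same reason.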

Upgrading iLO 4 on a HPE ProLiant MicroServer from Linux

I recently got my hands on a ProLiant MicroServer Gen8 by Hewlett Packard Enterprise (HPE). As I always do when setting up a server I checked if the device needs a firmware upgrade.

And indeed it did: its version of Integrated Lights-Out (iLO) 4, the built-in server provisioning and management software, is affected by CVE-2017-12542, which scores a solid 10.0 on the CVSS 2.0 scale.

So I decided to update it. Fortunately, the iLO web interface has a page where firmware upgrades can be uploaded. Since the server is in an isolated network, using the web interface should not pose a security problem.

On the other hand, locating the proper firmware file to upload was not as easy as it should be. It’s Hewlett-Packard, after all.

In case someone else is looking for the iLO 4 *.bin file, here’s what I did:

  1. Visit the iLO 4 support page, but do not select OS-Independent (it’s not in there). Select “Red Hat Enterprise Linux 7” instead (direct link)
  2. Open the “Firmware - LOM (Lights-Out Management)” section and download hp-firmware-ilo4-2.55-1.1.i386.rpm.
  3. To extract the actual firmware file from the RPM, use this command:
$ rpm2cpio hp-firmware-ilo4-2.55-1.1.i386.rpm | bsdtar -x -s'|.*/||' -f - ./usr/lib/i386-linux-gnu/hp-firmware-ilo4-2.55-1.1/ilo4_255.bin
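As an added example (not from the original post), here is the extraction step as a script that first checks the download really is an RPM, derives the path of the .bin inside the package from the RPM file name instead of hard-coding it, and prints the SHA-256 of the extracted image so it can be compared with the value HPE publishes before anything is uploaded to the management controller. It assumes rpm2cpio and bsdtar are installed, as in the post, and that the RPM is named hp-firmware-ilo4-<version>-<release>.i386.rpm as shown above; EXPECTED_SHA256 is a placeholder, not a real checksum.

```shell
#!/bin/sh
# Added example, not from the original post: unpack the iLO 4 firmware
# image from HPE's RPM and record its checksum before uploading it.
# Assumptions: rpm2cpio and bsdtar are installed (as in the post) and the
# RPM is named hp-firmware-ilo4-<ver>-<rel>.i386.rpm as shown there.
# EXPECTED_SHA256 is a placeholder: fill in the value HPE publishes.
EXPECTED_SHA256="<sha256 from HPE's download page>"

# is_rpm FILE: true when FILE starts with the RPM lead magic ed ab ee db,
# so an HTML error page or a truncated download is caught before unpacking.
is_rpm() {
    [ "$(od -An -tx1 -N4 "$1" 2>/dev/null | tr -d ' \n')" = "edabeedb" ]
}

# member_path RPMNAME: derive the payload path of the .bin from the file
# name, e.g. hp-firmware-ilo4-2.55-1.1.i386.rpm ->
# ./usr/lib/i386-linux-gnu/hp-firmware-ilo4-2.55-1.1/ilo4_255.bin
member_path() {
    name=${1##*/}
    case $name in hp-firmware-ilo4-*.i386.rpm) ;; *) return 1 ;; esac
    ver=${name#hp-firmware-ilo4-}; ver=${ver%%-*}             # 2.55
    rel=${name#hp-firmware-ilo4-$ver-}; rel=${rel%%.i386*}    # 1.1
    printf './usr/lib/i386-linux-gnu/hp-firmware-ilo4-%s-%s/ilo4_%s.bin\n' \
        "$ver" "$rel" "$(printf '%s' "$ver" | tr -d .)"
}

# extract_ilo_firmware RPM OUTDIR: extract the .bin into OUTDIR, print its
# sha256 and compare it with EXPECTED_SHA256 once that has been filled in.
extract_ilo_firmware() {
    rpm=$1; out=$2
    is_rpm "$rpm" || { echo "not an RPM file: $rpm" >&2; return 1; }
    member=$(member_path "$rpm") || { echo "unexpected file name: $rpm" >&2; return 1; }
    mkdir -p "$out"
    # -s strips the directory part, exactly as in the post's one-liner.
    rpm2cpio "$rpm" | bsdtar -x -C "$out" -s '|.*/||' -f - "$member" || return 1
    bin="$out/${member##*/}"
    sum=$(sha256sum "$bin" | cut -d' ' -f1)
    echo "$bin sha256=$sum"
    case $EXPECTED_SHA256 in
        "<"*)   echo "no expected checksum configured, verify manually" >&2 ;;
        "$sum") echo "checksum matches" ;;
        *)      echo "checksum MISMATCH, do not upload" >&2; return 1 ;;
    esac
}
```

Usage: extract_ilo_firmware hp-firmware-ilo4-2.55-1.1.i386.rpm ./out. Checking the archive type before piping it into an extractor is a small habit that pays off with vendor download portals, which tend to answer expired or redirected links with an HTML page carrying the requested file name.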

The resulting file (ilo4_255.bin) can then be uploaded to the web interface:

iLO 4 Upgrade Process

After the upgrade process finishes, you’ll be redirected to the brand new login screen:

iLO 4 after upgrade

Generating syntax diagrams using the LaTeX rail package

If you ever had the need to add syntax specifications to your document, you basically have two options: Either write down the syntax in the Backus-Naur form (BNF) (or one of its derivatives) or opt for a more graphical approach by adding “railroad diagrams”. In my opinion, the latter are easier to grasp for less experienced readers and also look quite nice.

In LaTeX, you can use the rail package to generate those diagrams from EBNF rules:

\begin{rail}
decl : 'def' identifier '=' ( expression + ';' )
     | 'type' identifier '=' type
     ;
\end{rail}

This will result in something like this:

Railroad diagram

To achieve this, the package first generates a *.rai file. We then have to convert the rai file to a *.rao by invoking the accompanying C program named rail.

However, the rail package is fairly old. It has been written by Luc Rooijakkers in 1991 (!) and was updated by Klaus Barthelmann until 1998. Thus, the code is – at least – 19 years old and that really shows: Trying to compile it on modern systems yields a bunch of compilation errors.

Most of the issues stem from missing return types in function declarations and also missing forward declarations. I stepped up and fixed these issues, so that it works with an up-to-date compiler (I tested with gcc (GCC) 6.3.1 on Arch Linux). You can find the result on Github.

I also threw in some Makefile improvements into the mix: You can now use DESTDIR and PREFIX (defaults to /usr/local) when running make install.

Installation

Installation should be fairly straightforward. Here’s an example which will install rail into /usr:

$ curl -L https://github.com/Holzhaus/latex-rail/archive/v1.2.1.tar.gz | tar xzvf -

$ cd latex-rail-1.2.1

$ make
bison -y  -dv gram.y
gram.y: warning: 2 reduce/reduce conflicts [-Wconflicts-rr]
cmp -s gram.c y.tab.c || cp y.tab.c gram.c
cmp -s gram.h y.tab.h || cp y.tab.h gram.h
gcc -DYYDEBUG -O   -c -o rail.o rail.c
gcc -DYYDEBUG -O   -c -o gram.o gram.c
flex  -t lex.l > lex.c
gcc -DYYDEBUG -O   -c -o lex.o lex.c
gcc -DYYDEBUG -O rail.o gram.o lex.o -o rail

$ sudo make PREFIX=/usr install
$ sudo mktexlsr

Please note that installing stuff using sudo make install will circumvent your package manager and is usually not a good idea. If you’re using Arch Linux you should use the AUR package instead:

$ pacaur -S latex-rail

Manual compilation and Latexmk support

To generate a document manually, you need to run multiple commands:

  1. Run latex mydoc, which will create mydoc.rai
  2. Run rail mydoc to generate mydoc.rao from mydoc.rai
  3. Run latex mydoc for the final document
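As an added example (not part of the rail package or the post), the three steps above as a small build script. The catch when automating them is that latex rewrites the .rai file on every run, so a plain timestamp comparison would run rail every time; the script instead keeps a copy of the .rai that rail last processed and only re-runs rail (and the third latex pass) when the diagrams actually changed. It assumes latex and rail are on PATH; the mydoc.rai.last stamp file is this script’s own convention.

```shell
#!/bin/sh
# Added example, not the rail package's or the post's code: run the
# latex -> rail -> latex sequence only as far as needed.
# Assumes latex and rail are on PATH. BASE.rai.last is this script's
# own stamp file: a copy of the .rai rail processed most recently.

# needs_rail BASE: true when BASE.rao is missing or BASE.rai differs from
# the copy rail last consumed. (latex rewrites the .rai on every run, so
# comparing modification times would rerun rail unconditionally.)
needs_rail() {
    [ -f "$1.rai" ] || return 1          # no diagrams in this document
    [ -f "$1.rao" ] || return 0          # never converted yet
    ! cmp -s "$1.rai" "$1.rai.last"
}

# run_rail BASE: step 2, remembering the input it was run on.
run_rail() {
    rail "$1" && cp "$1.rai" "$1.rai.last"
}

# build BASE: step 1 always (it writes the .rai), steps 2 and 3 only when
# the diagrams changed. Returns non-zero if any step fails.
build() {
    base=$1
    latex -interaction=nonstopmode "$base" >/dev/null || return 1   # step 1
    if needs_rail "$base"; then
        run_rail "$base" || return 1                                 # step 2
        latex -interaction=nonstopmode "$base" >/dev/null || return 1 # step 3
    fi
}
```

Usage: build mydoc. This is essentially what the latexmk custom dependency described below does with checksums, just without the dependency on Perl.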

If you don’t want to bother with running LaTeX multiple times, you can use latexmk, a Perl script that automates the document generation.

To make it work with the rail package, you should create a .latexmkrc in your document folder with this content:

use File::Basename;   # fileparse; latexmk already loads it, but being explicit does no harm

# Teach latexmk to recognise rail's "No file mydoc.rao" message as a missing file.
push @file_not_found, '^Package .* Info: No file (.+) on input line \d+\.';
# Custom dependency: whenever a *.rai exists, produce the *.rao by calling rail().
add_cus_dep('rai', 'rao', 0, 'rail');
sub rail {
   my ($base_name, $path, $ext) = fileparse( $_[0], qr/\.[^.\/]*/ );
   pushd $path;                                    # rail must run in the document's directory
   my $return = system "rail $base_name";
   popd;
   return $return;                                 # non-zero tells latexmk the step failed
}

The push line adds the appropriate regex to Latexmk’s missing-file detection; the add_cus_dep line instructs latexmk to run the rail subroutine with a *.rai file as input and a *.rao file as output.

Alternatives

If you don’t quite like the rail package, you might want to look into one of these alternative packages:

There’s also an online tool to generate railroad diagrams if you don’t want to do it in LaTeX.

How to create a UEFI-bootable Windows 7 stick from Linux

In case you rely on Windows-only software or want to play a game that isn’t on Linux yet, you might want to keep Windows 7 on a second partition. Although I didn’t use it for months, I still keep one around just in case.

Unfortunately, it’s not really straightforward to create a UEFI bootable USB installation disk without using Windows. For some strange reason we can’t just dd the ISO image to a USB disk. Instead, we need to use the Windows USB/DVD Download Tool which - incidentally - only runs on Windows.

However, there’s also a way to do this from Linux:

First, you need to create a GPT partition table with a FAT32 partition on your USB pen drive. Then you simply mount the ISO file and copy the files over. After you’ve done that, you need to extract the file 1/Windows/Boot/EFI/bootmgfw.efi from the install.wim file inside the /sources folder on the Windows 7 installation ISO and move the extracted file to /EFI/Boot/bootx64.efi on the pen drive.

You don’t have to do this manually: There’s a neat little tool called WinUSB that can do this for you (it even has a GUI if you want it), and my pull request that adds Windows 7 UEFI support has just been merged.
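For those who prefer to see the manual procedure spelled out, here it is as an added example script (not the post’s or WinUSB’s code), with the checks a destructive disk operation deserves: it refuses to continue if a required tool is missing, if the target is not a block device, or if the target is currently mounted. It assumes sgdisk, mkfs.fat and wimlib’s wimextract are installed, that DEVICE is the whole pen drive (e.g. /dev/sdX) rather than a partition, and it chooses the EFI System Partition type (sgdisk typecode ef00) for the FAT32 partition, which is this script’s choice rather than something the post specifies.

```shell
#!/bin/sh
# Added example, not the post's or WinUSB's code: the manual procedure
# as a script, guarded against the usual ways of wiping the wrong disk.
# Assumptions: sgdisk, mkfs.fat and wimextract (wimlib) are installed;
# DEVICE is the whole pen drive, not a partition; the partition type
# ef00 (EFI System) is this script's choice.

# require_tools CMD...: fail with a message if any command is missing.
require_tools() {
    for t in "$@"; do
        command -v "$t" >/dev/null 2>&1 || { echo "missing tool: $t" >&2; return 1; }
    done
}

# is_unmounted DEVICE: true when neither the device nor one of its
# partitions appears in /proc/mounts (never format a disk that is in use).
is_unmounted() {
    ! grep -q "^$1" /proc/mounts 2>/dev/null
}

# first_partition DEVICE: /dev/sdX -> /dev/sdX1, /dev/nvme0n1 -> /dev/nvme0n1p1
first_partition() {
    case $1 in *[0-9]) printf '%sp1\n' "$1" ;; *) printf '%s1\n' "$1" ;; esac
}

# make_win7_stick ISO DEVICE: partition, format, copy, and install the
# EFI boot manager extracted from install.wim. Must run as root.
make_win7_stick() {
    iso=$1; dev=$2
    require_tools sgdisk mkfs.fat wimextract mount umount || return 1
    [ -b "$dev" ] || { echo "not a block device: $dev" >&2; return 1; }
    is_unmounted "$dev" || { echo "$dev is mounted, refusing to touch it" >&2; return 1; }

    sgdisk --zap-all --new=1:0:0 --typecode=1:ef00 "$dev" || return 1   # GPT, one partition
    part=$(first_partition "$dev")
    mkfs.fat -F 32 "$part" || return 1                                  # FAT32

    iso_mnt=$(mktemp -d); usb_mnt=$(mktemp -d)
    mount -o loop,ro "$iso" "$iso_mnt" || return 1
    mount "$part" "$usb_mnt" || { umount "$iso_mnt"; return 1; }

    cp -r "$iso_mnt"/. "$usb_mnt"/                                      # copy the ISO contents
    mkdir -p "$usb_mnt/EFI/Boot"
    # Image 1 of install.wim carries the 64-bit EFI boot manager; wimextract
    # drops the file directly into --dest-dir without its directory path.
    wimextract "$iso_mnt/sources/install.wim" 1 /Windows/Boot/EFI/bootmgfw.efi \
        --dest-dir="$usb_mnt/EFI/Boot" \
        && mv "$usb_mnt/EFI/Boot/bootmgfw.efi" "$usb_mnt/EFI/Boot/bootx64.efi"
    status=$?
    sync
    umount "$usb_mnt" "$iso_mnt"
    rmdir "$usb_mnt" "$iso_mnt"
    return $status
}
```

Usage: make_win7_stick Win7.iso /dev/sdX as root, after double-checking the device name with lsblk. The mounted-device check is the one that matters most: a USB stick that the desktop auto-mounted is exactly the kind of target that gets partitioned by accident.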

Smartcard authentication in Chromium

My university’s website for exam enrollment needs smartcard authentication, but only contains instructions on how to use it with Mozilla Firefox. If you prefer Chrome/Chromium over Firefox and don’t want to keep a Firefox installation around, you can do so - here are the instructions.

OT: The Ruhr-University of Bochum (RUB) uses two different systems for exam enrollment, VSPL and FlexNow. The reason for using two different, incompatible systems surpasses my understanding. I was very happy that my faculty uses FlexNow, which is browser-based, rather than VSPL, which only works via a proprietary, Windows-only client (even though the download page for that application used to show a hip student with a MacBook… oh, the irony). Anyway, VSPL recently got a web-interface, too, so if you have to use VSPL, you can also use Firefox or Chromium now.

Since I’m using ArchLinux, I’ll base my instructions on that, but any other distro should work fine if you adjust package names and file paths.

You’ll need a CCID-compliant smartcard reader (this is the one I am using, but the “official” reader that the university sells works too).

First, we need the software - apart from Chromium, that is the CCID driver, the OpenSC library and Mozilla’s Network Security Services (NSS):

# pacman -Sy ccid opensc nss

Next, we need to add the PKCS#11 module from OpenSC to Chromium’s NSS database (which lives in ~/.pki/nssdb). Quit Chromium if necessary and run:

$ modutil -dbdir sql:$HOME/.pki/nssdb/ -add "opensc" -libfile /usr/lib/pkcs11/opensc-pkcs11.so

You can verify that everything worked by running:

$ modutil -dbdir sql:$HOME/.pki/nssdb/ -list

It should print a listing of PKCS#11 modules. If your smartcard reader is attached, one of the slots of the opensc module shows the name of your smartcard reader. If you have also inserted your smartcard, the corresponding token tells you which smartcard has been detected.

Listing of PKCS #11 Modules
-----------------------------------------------------------
  1. NSS Internal PKCS #11 Module
   slots: 2 slots attached
  status: loaded

   slot: NSS Internal Cryptographic Services
  token: NSS Generic Crypto Services

   slot: NSS User Private Key and Certificate Services
  token: NSS Certificate DB

  2. opensc
  library name: /usr/lib/opensc-pkcs11.so
   slots: 2 slots attached
  status: loaded

   slot: Virtual hotplug slot
  token: 

   slot: Hewlett-Packard Company HP USB CCID Smartcard Keyboard [HP USB C
  token: Student Card (User Pin)
-----------------------------------------------------------
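As an added example (not from the post), the module registration as a script that is safe to run more than once: it parses the modutil listing, adds the OpenSC module only if it is not already present, and then prints the tokens that are currently visible so you can tell whether the reader and the card were detected. It assumes the module library path used in the post and the default Chromium NSS database in ~/.pki/nssdb; the listing embedded below is a constructed sample modelled on the output shown above.

```shell
#!/bin/sh
# Added example, not from the post: register OpenSC's PKCS#11 module in
# Chromium's NSS database idempotently and report the visible tokens.
# Assumptions: library path as in the post; NSS db at ~/.pki/nssdb.

NSSDB="sql:$HOME/.pki/nssdb"
MODULE_LIB=/usr/lib/pkcs11/opensc-pkcs11.so

# module_registered NAME LISTING: true when the `modutil -list` output in
# LISTING contains a module called NAME (an "N. NAME" entry).
module_registered() {
    printf '%s\n' "$2" | grep -q "^ *[0-9][0-9]*\. $1\$"
}

# tokens_in LISTING: print the names of the tokens present in the listing,
# skipping slots that report an empty token (reader present, no card).
tokens_in() {
    printf '%s\n' "$1" | sed -n 's/^ *token: \(.*[^ ]\) *$/\1/p'
}

# register_opensc: add the module unless it is already there. -force
# suppresses modutil's "browser may be running" prompt; quit Chromium
# beforehand anyway, as the post says.
register_opensc() {
    listing=$(modutil -dbdir "$NSSDB" -list 2>/dev/null)
    if module_registered opensc "$listing"; then
        echo "opensc module already registered"
    else
        modutil -force -dbdir "$NSSDB" -add opensc -libfile "$MODULE_LIB" || return 1
        listing=$(modutil -dbdir "$NSSDB" -list 2>/dev/null)
    fi
    echo "tokens visible to NSS:"
    tokens_in "$listing"
}

# Constructed sample of `modutil -list` output, modelled on the post.
SAMPLE_LISTING='Listing of PKCS #11 Modules
-----------------------------------------------------------
  1. NSS Internal PKCS #11 Module
   slots: 2 slots attached
  status: loaded

   slot: NSS Internal Cryptographic Services
  token: NSS Generic Crypto Services

   slot: NSS User Private Key and Certificate Services
  token: NSS Certificate DB

  2. opensc
  library name: /usr/lib/opensc-pkcs11.so
   slots: 2 slots attached
  status: loaded

   slot: Virtual hotplug slot
  token: 

   slot: Hewlett-Packard Company HP USB CCID Smartcard Keyboard [HP USB C
  token: Student Card (User Pin)
-----------------------------------------------------------'
```

Usage: register_opensc. On the sample listing, tokens_in prints the two internal NSS tokens and "Student Card (User Pin)", and skips the empty token of the hotplug slot; an output that lists only the NSS tokens means the card (or the reader) was not detected.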

That’s it.

If you now start Chromium and click the “Manage certificates” button in the HTTPS/SSL section of Chromium’s settings (Settings -> Show advanced settings…), you should see your smartcard certificate in the “Your certificates” tab.

You can now log into FlexNow (or VSPL), de-register all your exams and chill.