Thinkfan on Ubuntu 14.10

Thinkfan is a great piece of software, allowing the user to control fan behavior. It is primarily designed for laptops, to ensure low-noise operation and longer battery life.

The thinkfan configuration file (/etc/thinkfan.conf on Debian-based GNU/Linux distros like Ubuntu) is rather straightforward to set up; details are available in this blog post.

However, since a recent version of the thinkpad-acpi kernel module, the old and deprecated interface /proc/acpi/ibm/thermal has been removed. This change was not reflected in the default thinkfan configuration shipped with Ubuntu 14.10, nor, I assume, in the upstream code.

I will report a bug to both projects, but in the meantime you can update the thinkfan configuration file as follows:

# Paths may differ between machines; check /sys/devices/platform/coretemp.0/hwmon/
hwmon /sys/devices/platform/coretemp.0/hwmon/hwmon1/temp1_input (0)
hwmon /sys/devices/platform/coretemp.0/hwmon/hwmon1/temp2_input (0)
hwmon /sys/devices/platform/coretemp.0/hwmon/hwmon1/temp3_input (0)

# Settings for a T420s w/ Intel Sandy Bridge CPU
(0, 0, 40)
(1, 35, 70)
(2, 65, 80)
(5, 75, 128)
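To make the two halves of that configuration concrete, here is an added example (my own code, not thinkfan's) that reads coretemp-style tempN_input files in millidegrees, applies the per-sensor correction offset (the "(0)" after each hwmon path) and walks the (level, low, high) table above. The step-up/step-down rule it models is an assumption about thinkfan's behaviour, stated in the docstring; the sensor readings are constructed in a temporary directory so the script runs anywhere.

```python
"""Model of thinkfan's level selection fed from hwmon-style sensor files.

Added example (not thinkfan's code): it reads coretemp *_input files in
millidegrees, applies the per-sensor correction offset (the "(0)" in the
config above) and walks the (level, low, high) table from the post.
"""
import os
import tempfile

# Level table copied from the thinkfan.conf above: (fan level, lower bound, upper bound) in degC.
LEVELS = [(0, 0, 40), (1, 35, 70), (2, 65, 80), (5, 75, 128)]


def read_hwmon(path, offset=0):
    """Read one coretemp tempN_input file (millidegrees C) and add the correction offset."""
    with open(path) as f:
        return int(f.read().strip()) // 1000 + offset


def hottest(sensors):
    """Return the highest corrected reading over (path, offset) pairs; the fan follows the hottest core."""
    return max(read_hwmon(path, offset) for path, offset in sensors)


def next_level(index, temp, levels=LEVELS):
    """Return the new level index for a reading, given the current index.

    Modelled rule (an assumption about thinkfan, check its README): step up
    when the temperature reaches the current level's upper bound, step down
    when it drops below the current level's lower bound.  The overlapping
    bounds in the table (35-40, 65-70, 75-80) are what give hysteresis, so
    the fan does not flap between two levels around a single threshold.
    """
    _, low, high = levels[index]
    if temp >= high and index < len(levels) - 1:
        return index + 1
    if temp < low and index > 0:
        return index - 1
    return index


def simulate(temps, levels=LEVELS):
    """Run a sequence of readings through the state machine; return the fan level after each."""
    index, chosen = 0, []
    for temp in temps:
        index = next_level(index, temp, levels)
        chosen.append(levels[index][0])
    return chosen


def demo_with_fake_sysfs():
    """Write constructed millidegree readings into a temporary directory that
    mimics /sys/devices/platform/coretemp.0/hwmon/hwmon1 and return the
    hottest corrected value.  The readings are made up for the demo."""
    directory = tempfile.mkdtemp()
    readings = {"temp1_input": 61000, "temp2_input": 58000, "temp3_input": 64500}
    for name, millideg in readings.items():
        with open(os.path.join(directory, name), "w") as f:
            f.write("%d\n" % millideg)
    sensors = [(os.path.join(directory, name), 0) for name in readings]
    return hottest(sensors)


if __name__ == "__main__":
    print("hottest core:", demo_with_fake_sysfs(), "degC")
    # A heating-then-cooling sequence: the fan stays at level 2 at 66 degC
    # (still above that level's lower bound of 65) and only steps down at 60.
    print("fan levels:", simulate([30, 45, 72, 66, 60, 34]))
```

Running it shows why the ranges overlap: a reading of 66 degC keeps level 2 once it has been reached, whereas a cold start at 66 degC would still be at level 1, which is exactly the hysteresis that keeps the fan from cycling.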

That’s all folks!

BTW, the Lenovo Thinkpad T420s is the perfect laptop. Actually, my only regrets are my 4 former laptops… If only I had known :)

GNU/Linux netfilter admin with Ferm: For Easy Rule Making

Ferm rules them all when you need to manage a complex netfilter (iptables/ip6tables/ebtables) firewall.

Project homepage: http://ferm.foo-projects.org/

First, a dumb `ferm` wrapper that makes editing and debugging easier: bash Ferm wrapper

Current file layout:

9:39 rboissat@dresda /etc/ferm% ls -R
.:
conf.d  ferm.conf  ferm.conf.orig

./conf.d:
00-vars.ferm  01-functions.ferm  02-policies.ferm  03-custom-chains.ferm  10-table-filter.ferm  20-table-mangle.ferm  30-table-nat.ferm

ferm.conf

# -*- shell-script -*-
#
#  Configuration file for ferm(1).
#

@include 'conf.d/';

00-vars.ferm (edited out)

# FERM Variables;

## Interfaces;
@def $DEV_WAN4    = eth0;
@def $DEV_WAN6    = hev6;
@def $DEV_VPN     = brVPN;

## Networks;
@def $NET4_VPN    = (192.168.144.96/27);
@def $NET4_CHUN   = (192.168.144.0/22);
@def $NET6_VPN    = (2001:470:c8be:1::/64);
@def $NET6_CHUN   = (2001:470:c8be::/48);
@def $NET6_OVH    = (2001:41d0:1:8dc7::/64);
(...)

01-functions.ferm

# FERM Hooks
@hook post  "echo 1 >| /proc/sys/net/ipv4/ip_forward";
@hook post  "echo 1 >| /proc/sys/net/ipv6/conf/all/forwarding";
@hook flush "echo 0 >| /proc/sys/net/ipv4/ip_forward";
@hook flush "echo 0 >| /proc/sys/net/ipv6/conf/all/forwarding";

# FERM Functions
@def &PORT_FORWARD($proto, $port, $outside, $inside) = {
  daddr $outside proto $proto dport $port DNAT to $inside;
}

02-policies.ferm

# default policies
domain ( ip ip6 ) table filter {
  chain FORWARD policy DROP;
  chain INPUT   policy DROP;
  chain OUTPUT  policy ACCEPT;
}

Some cherry-picked rules (did you really expect my entire ruleset? :P)

# wan input
mod conntrack ctstate NEW daddr @ipfilter(($ADDR4_WAN $ADDR6_WAN)) proto tcp dport $TCP_IN_WAN ACCEPT;
mod conntrack ctstate NEW daddr @ipfilter(($ADDR4_WAN $ADDR6_WAN)) proto udp dport $UDP_IN_WAN ACCEPT;

# new to wan from local subnets
@if @eq($DOMAIN, ip) {
  outerface $DEV_WAN4 saddr $NET4_CHUN ACCEPT;
} @else {
  outerface $DEV_WAN6 saddr $NET6_CHUN ACCEPT;
}

That’s all folks. This setup should be further documented in my wiki.

New blog engine!

Well, it has been a while without blogging.

I am afraid it will last, though. The change from Zwe to WordPress was security-driven: it allows me to host the blog post archives more securely, on an up-to-date platform. Data import was quite simple, based on Atom feed import, but the comments were lost forever, sorry about that.

I may resume the blogging thing someday, mostly technical.

Have fun browsing the past anyway :)

Oh btw, Apache 2 mpm-itk is great! From the official website:

apache2-mpm-itk (just mpm-itk for short) is an MPM (Multi-Processing Module) for the Apache web server. mpm-itk allows you to run each of your vhost under a separate uid and gid—in short, the scripts and configuration files for one vhost no longer have to be readable for all the other vhosts.

You have to pay attention, though, and chown web files, svn repositories, etc. according to the vhost configuration.

How to blackhole IPv4 and IPv6 traffic with GNU/Linux + Quagga + Zebra

IPv6 black-holing (null routing, i.e. silently discarding traffic matching a given destination IP prefix) is buggy with Quagga and/or iproute2. Indeed, none of the following commands seems to work:

quagga-router(config)# ipv6 route 2001:db8::/32 lo blackhole

linux-shell$ ip -6 route add blackhole 2001:db8::/32

Notice that the Quagga command requires an interface, while its IPv4 counterpart doesn't. I tested with the Linux loopback interface lo and with a dummy interface ds0 trying to mimic the FreeBSD discard interface, in vain. The iproute2 command also fails, and it is apparently a known bug since 2003, wtf?

So how to work around this buggy behavior without crying tears of blood?

Well, simply use a dummy interface and static, high-metric routes. Here is the /etc/network/interfaces snippet from my Debian routers for null routing 2001:db8::/32 and 192.168.168.0/24:

# blackhole: create a dummy device and point the prefixes to drop at it
iface ds0 inet manual
 pre-up ip link add dev ds0 type dummy
 pre-up ip link set ds0 up
 # high metric, so any more specific or equal-prefix route with a lower metric still wins
 up ip -6 route add 2001:db8::/32 dev ds0 proto static metric 255
 up ip -4 route add 192.168.168.0/24 dev ds0 proto static metric 255
 down ip link del dev ds0
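Why does a high-metric static route to a dummy device not interfere with the real routes? The following added example (my own illustration, not from the original post) runs a kernel-style longest-prefix-match lookup over a constructed routing table shaped like the `ip route` output after the snippet above has been applied. The /64 to brVPN, the /25 to eth1 and the upstream device eth0 are invented for the demo; the blackholed prefixes are the ones from the post.

```python
"""Longest-prefix-match lookup over a constructed routing table, showing why
a static route to a dummy device with a high metric acts as a blackhole
without shadowing real, more specific routes.

Added example, not part of the original post.  The table mimics `ip route`
output after the interfaces(5) snippet above has run; the /64 to brVPN, the
/25 to eth1 and the upstream device eth0 are invented for illustration.
"""
import ipaddress

# (prefix, output device, metric).  ds0 is the dummy device from the snippet.
ROUTES = [
    ("2001:db8:1::/64", "brVPN", 1024),       # a real subnet carved out of the aggregate
    ("2001:db8::/32", "ds0", 255),            # blackhole for the rest of the aggregate
    ("::/0", "eth0", 1024),                   # default route towards the upstream router
    ("192.168.168.128/25", "eth1", 0),        # a real subnet inside the IPv4 aggregate
    ("192.168.168.0/24", "ds0", 255),         # blackhole for the rest of it
    ("0.0.0.0/0", "eth0", 0),                 # IPv4 default route
]


def lookup(destination, routes=ROUTES):
    """Return the output device for a destination address.

    Selection mirrors the kernel: the route with the longest matching prefix
    wins; the metric only breaks ties between routes for the *same* prefix.
    That is why metric 255 on the ds0 routes is harmless: any more specific
    route beats them regardless of metric, and they only catch what would
    otherwise fall through to the default route.
    """
    addr = ipaddress.ip_address(destination)
    best_key, best_dev = None, None
    for prefix, dev, metric in routes:
        net = ipaddress.ip_network(prefix)
        if net.version != addr.version or addr not in net:
            continue
        key = (net.prefixlen, -metric)  # longer prefix first, then lower metric
        if best_key is None or key > best_key:
            best_key, best_dev = key, dev
    return best_dev


def is_blackholed(destination, routes=ROUTES):
    """True when the packet would be handed to the dummy device and silently dropped."""
    return lookup(destination, routes) == "ds0"


# Same table without the blackhole entries: unused parts of the aggregate
# fall through to the default route, i.e. back to the upstream that routed
# them to us in the first place (the ping-pong the post describes).
ROUTES_WITHOUT_BLACKHOLE = [r for r in ROUTES if r[1] != "ds0"]


if __name__ == "__main__":
    for dst in ("2001:db8:1::5", "2001:db8:ffff::1", "2a02::1",
                "192.168.168.200", "192.168.168.5", "198.51.100.1"):
        print(dst, "->", lookup(dst), "(blackholed)" if is_blackholed(dst) else "")
    print("without blackhole, 2001:db8:ffff::1 ->",
          lookup("2001:db8:ffff::1", ROUTES_WITHOUT_BLACKHOLE))
```

The comparison with ROUTES_WITHOUT_BLACKHOLE is the point of the post: without the ds0 routes, a packet for an unassigned part of the aggregate is forwarded to the upstream router, which has a route for the whole aggregate pointing back at us.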

If you know any proper method to achieve the same result, please share. Mine is dirty, but at least I am not leaking traffic or looping back and forth with my upstream router anymore. Yay!

Ubuntu 12.04 Precise Pangolin and IPv6 privacy addresses

The newly released Ubuntu LTS ships a very poor default configuration for IPv6 privacy addresses. The feature is enabled by default and, as it seems, hardcoded in the latest release of NetworkManager.

While this choice is understandable, it can't be changed, and this is unfortunate: almost no one really needs this feature, and it breaks AAAA/PTR DNS mappings in well-managed networks.

How to circumvent this cleanly?

Since NetworkManager resets net/ipv6/conf/$IF/use_tempaddr on each connection attempt, sysctl alone does not help here.

EDIT: while the fix below works, it is rather complicated. It seems that NM reads /etc/sysctl.conf, but not /etc/sysctl.d/*. Therefore, you just have to comment out the sysctl lines in /etc/sysctl.d/10-ipv6-privacy.conf and put them in /etc/sysctl.conf. All my thanks go to Mathieu Trudel-Lapierre :)

I simply wrote a small executable script in /etc/network/if-up.d/no-ipv6-privacy which is called by the NetworkManager ifup plugin at each successful connection:

#!/bin/sh
# Re-applied after every successful connection, since NetworkManager resets use_tempaddr.
# use_tempaddr=1: temporary addresses are still generated, but the stable address stays
# preferred for outgoing traffic. -e makes sysctl ignore keys that do not exist (interface absent).
sysctl -e net/ipv6/conf/wlan0/use_tempaddr=1
sysctl -e net/ipv6/conf/eth0/use_tempaddr=1

You just need to chmod +x the new script and restart NM with sudo service network-manager restart.

Want some fun with NM? On a wired or wireless connection with native IPv6 connectivity, try to connect to some IPv6-enabled websites/hosts and take a look at the IPv6 routing table (ip -6 route). WTF? Every destination is present in the routing table, with a specific /128 route via the link-local address learnt from Router Advertisements… What an efficient way to fuck up a VPN setup intended to route all IP traffic through the tunnel…

You have to edit the connection profile to work around this: IPv6 Settings tab > Routes > check 'Ignore automatically obtained routes.' and voilà!