Sweet Debian Packaging

Some days ago, thanks to apoikos’ sponsorship, I got my first package accepted in Debian! https://tracker.debian.org/pkg/pytest-flask And I will maintain it within the Debian Python Modules Team. Woooooooohoo! I snatched at the occasion to create something sweet, a tiramisu. But a tiramisu alone would not be something remarkable. I wanted to adorn it in a Debian-ish theme. So I asked a friend, an elite practitioner of the sugar-fu, to create some cupcake-packages and… look at these sweet, edible little packages!

ARP proxy going rogue, part 2: tracing the kernel

Introduction: This is a story of ARP Proxy going rogue. Writing down that story took longer than I expected, so it’s split into two different posts. In the first part I explained what proxy ARP is and how it’s used in GRNET Ganeti clusters to provide public IPv4 to guest VMs. I referred to the incident of a certain host hijacking all IPv4 addresses within a VLAN. In this second part I track down this particular behavior by reading the Linux source code, setting up a Debian Buster testbed environment with network namespaces, and playing around with Python Scapy, the eBPF Compiler Collection toolkit and Linux kernel static tracepoints.

ARP proxy going rogue, part 1: the incident

Intro: This is a story of “Proxy ARP” going rogue. Writing down that story took longer than I expected, so it’s split into two different posts. In this first part we explain what proxy ARP is and how it’s used in GRNET Ganeti clusters to provide public IPv4 to guest VMs. I’m going to investigate a particular incident where certain hosts caused a DoS by hijacking all IPv4 addresses within a VLAN.

OpenVPN systemd CapabilityBoundingSet breaking notifications with exim4

At work we employ an OpenVPN server when working remotely and wanting to access firewall-restricted locations. At some point a colleague of mine started facing disconnects from the server. We tracked the issue down to the feature protecting against SWEET32 attacks, introduced in OpenVPN client version 2.4. We thus decided to upgrade our OpenVPN server too and bring in version 2.4 from jessie-backports. When a client successfully connects to the VPN server, a script is executed and sends email notifications to the LDAP user’s email about the VPN session details, such as the remote IP address used: