Archive for October, 2010

pr0ncollage (or so-called “efficient apparatus for the visualization of trends on social media sites”)

Sunday, October 31st, 2010

pr0ncollage is a side-project I started hacking on a couple of days ago.  It works by scraping images from Twitter and collaging them.  As the program continues to iterate, it blends its new image selections into the same canvases, resulting in a crossfaded display between two constantly evolving images.

The interesting aspect of this project is that the images are displayed without context and disappear as quickly as they are added into the image.  Full details will be available on a project page on this site when I finish this program up.

In the meantime, you can clone the hg repository by doing:

$ hg clone http://hg.atheme.org/users/nenolod/pr0ncollage
$ sh autogen.sh
$ ./configure
$ make
$ sudo make install

You will need the GNOME development headers (e.g. gtk+/cairo/libsoup/libxml2) installed; these are available in almost every Linux/UNIX distribution.

using the kernel routing table instead of iptables for effective IP blacklist management

Monday, October 18th, 2010

iptables is great, but not if you want to ban thousands of IPs from your box.  By design, firewalls aren’t really meant for that sort of thing: a packet that no earlier rule short-circuits (the first packet of every new flow, such as an SCTP or TCP connection, even when a conntrack rule accepts the rest) is matched against the rules one after another until one hits, so the cost grows linearly with the size of the list.

Instead, to do this efficiently, we use the kernel routing table.  The routing table is typically a radix (prefix) trie keyed on IP prefixes, so a lookup costs a walk bounded by the address length rather than by the number of entries.  This is a lot faster than iterating through thousands of iptables rules and, for TCP, has the same effect: with the outbound route blackholed, our replies never reach the hostile IP, so no connection can complete its three-way handshake.  Keep in mind that a blackhole route only stops packets leaving the box.  Inbound packets from the banned address are still received and handed to the stack unless reverse-path filtering (rp_filter) is on, in which case the source lookup fails and the packet is dropped at ingress.  A UDP service on a box with rp_filter off will therefore still see datagrams from a nullrouted source; it just cannot answer them.

Linux defines RTN_BLACKHOLE as the route type used for nullroutes.  It is supported by the IPv4, IPv6 and DECnet routing tables.  A blackhole route discards silently; the related unreachable and prohibit route types also discard but answer with an ICMP error, which you do not want for a banlist since it tells the sender that something is listening.

To add a nullroute for a single host on Linux:

# ip route add blackhole 192.168.1.1/32

Deleting works like this:

# ip route del blackhole 192.168.1.1/32

FreeBSD, NetBSD and Mac OS use the BSD route(8) syntax instead. On FreeBSD, it’s:

# route add -host 192.168.1.1 127.0.0.1 -blackhole
# route del -host 192.168.1.1 127.0.0.1 -blackhole

I don’t know what it is on NetBSD, but I would guess that it’s the same.

The cool thing about this is that if you can aggregate your banlists to network boundaries, you can set them as nullroutes in CIDR form, which keeps the table smaller still.  Ruleset aggregation also improves netfilter’s performance, but the routing table scales considerably better, because its lookup cost does not grow with the number of entries.  Use netfilter (iptables) when you actually need to do filtering, and the routing table when you want to ban IPs outright; that is why the networking stack has blackhole functionality in the first place.
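As an added example (not code from the original post or from nenolod), here is a small POSIX sh helper that keeps a host’s blackhole routes in sync with a banlist file, so the procedure above can be run repeatedly from cron or a hook instead of by hand.  It assumes the banlist is the only source of blackhole routes on the box (anything blackholed but absent from the file gets deleted), normalizes bare addresses to /32, skips malformed lines with a warning, and prints the ip(8) commands rather than running them unless asked.  It does not aggregate adjacent prefixes for you; the addresses in the sample are constructed from the RFC 5737 documentation ranges.

```shell
#!/bin/sh
# Added example: keep a host's blackhole routes in sync with a banlist file.
# Assumption: the banlist is the only source of blackhole routes on this box,
# so anything blackholed but absent from the file gets removed.
#
#   sh nullroute-sync.sh plan  BANLIST SNAPSHOT   # SNAPSHOT = saved `ip -4 route show type blackhole`
#   sh nullroute-sync.sh apply BANLIST            # needs root; runs the plan for real

# True if $1 is a syntactically valid IPv4 CIDR (a.b.c.d/n, octets <= 255, n <= 32).
valid_cidr() {
    printf '%s\n' "$1" | awk -F'[./]' '
        NF != 5 { exit 1 }
        { for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || $i > 255) exit 1
          if ($5 !~ /^[0-9]+$/ || $5 > 32) exit 1 }'
}

# Read the banlist ($1): drop comments and blanks, give bare hosts a /32,
# warn about and skip anything that is not an IPv4 prefix, dedupe.
desired_routes() {
    sed 's/#.*//; s/^[[:space:]]*//; s/[[:space:]]*$//' "$1" |
    while IFS= read -r e; do
        [ -z "$e" ] && continue
        case "$e" in */*) ;; *) e="$e/32" ;; esac
        if valid_cidr "$e"; then
            printf '%s\n' "$e"
        else
            printf 'skipping bad banlist entry: %s\n' "$e" >&2
        fi
    done | sort -u
}

# Parse `ip -4 route show type blackhole` from stdin into the same a.b.c.d/n form.
# iproute2 prints host routes without the /32, so put it back.
current_routes() {
    awk '$1 == "blackhole" { r = $2; if (r !~ /\//) r = r "/32"; print r }' | sort -u
}

# Print the ip(8) commands that take the live table ($2, a saved snapshot of
# `ip -4 route show type blackhole`) to the banlist ($1): add what is missing,
# delete what is no longer listed.
plan_changes() {
    {
        desired_routes "$1" | sed 's/^/want /'
        current_routes < "$2" | sed 's/^/have /'
    } | awk '
        $1 == "want" { want[$2] = 1 }
        $1 == "have" { have[$2] = 1 }
        END {
            for (r in want) if (!(r in have)) print "ip route add blackhole " r
            for (r in have) if (!(r in want)) print "ip route del blackhole " r
        }' | sort
}

# Snapshot the live table, compute the plan and execute it (each command is
# echoed by sh -x; -e stops at the first ip(8) failure).
apply_changes() {
    snap=$(mktemp) || return 1
    ip -4 route show type blackhole > "$snap"
    plan_changes "$1" "$snap" | sh -ex
    rc=$?
    rm -f "$snap"
    return $rc
}

case "${1:-}" in
    plan)  plan_changes "$2" "$3" ;;
    apply) apply_changes "$2" ;;
esac
```

Run the `plan` mode against a saved `ip -4 route show type blackhole` first and read the adds and deletes before letting `apply` touch the live table.  A cheap post-apply check is `ip route get` on a banned address: for a blackholed destination the lookup fails (the kernel returns EINVAL) instead of printing a route, and the same EINVAL is what a local connect() to that address gets.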

status update on upse’s ps2 support!

Sunday, October 10th, 2010

if you’ve been watching the upse repository recently, you will have noticed that i have published a lot of code for PSF2 support a week or so ago.

there’s a lot to do still, mostly getting the IOP calls working and calling into the IOP modules from the CPU. the MAME-based CPU code used in HE and friends is rather buggy so we can’t really know if it’s right – it doesn’t seem to be. but we load, parse and start psf2.irx now! which is a pretty big deal if you ask me.

this means that upse2 might get released by the end of the year. i’m also working on trying to figure out a way to implement it as a codec in android as an opencore module, but i have no idea how long that will take yet.