Weblog

Tuesday July 31, 2007

Cookies and GMail

For a long while, I've been using GMail but have been keeping the privacy implicatins at bay by restricting what cookies I accept to mail.google.com (or gmail.com.)

Now a login to gmail requires me to accept cookies from .google.com. That's not quite so comfortable a thought!

By moving GMail services under www.google.com, it is now no longer as easy to distinguish between the cookies you want (ie those required for GMail) and those you don't want (those Google wants you to have while you search.)

Tuesday July 17, 2007

Scripting with cscope

The cscope (and cscope-fast) tools provide an excellent way for us to search for particular instances of phrases, etc, inside the Solaris source code. The only downside is that the tool is interactive: it wants to use curses to ask for input and display its output. How then to make use of its knowledge in scripts?

Whilst the proper solution is to have cscope and cscope-fast modified to have a non-curses output format, a workaround that can be used in the mean time is to define a special "tty" that ensures no escape sequences (or other nasties) end up in the output.

• 1. Create two directories $HOME/.terminfo and $HOME/.terminfo/c
• 2. Create a termcap definition file, $HOME/.terminfo/c/cscope.termcap. For my first attempt on this, the file I created was a termcap definition by copying vt100's and making all of the escape sequences into tab's. The contents of this file look like this:

cscope:\
        :do=^J:co#9999999:li#9999999:cl=^I:sf=^I:\
        :le=^H:bs:am:cm=^I:nd=^I:up=^I:\
        :ce=^I:cd=^I:so=^I:se=^I:us=^I:ue=^I:\
        :md=^I:mr=^I:mb=^I:me=^I:is=^I:\
        :rs=^I:ks=^I=:ke=^I:\
        :ku=^I:kd=^I:kr=^I:kl=^I:kb=^H:\
        :ho=^I:k1=^I:k2=^I:k3=^I:k4=^I:pt:sr=^I:vt#3:xn:\
        :sc=^I:rc=^I:cs=^I:

• 3. Convert the termcap into a terminfo file that can be used by curses, using captoinfo and then tic. To do this, I used the following script:

  
  #!/bin/sh
  cd $HOME/.terminfo/c
  setenv TERMINFO $HOME/.terminfo
  captoinfo cscope.termcap > cscope.terminfo
  tic cscope.terminfo
  
  

• 4. Write a front end to cscope-fast.

  
  #!/bin/sh
  TERMINFO=$HOME/.terminfo
  export TERMINFO
  TERM=cscope
  export TERM
  cat /dev/null | cscope-fast -d -0 $1 | egrep '^[1-9]'
  
  

And the end result is I can do this:

$ ~/bin/cscope-grep ip_input
1       ip.c    <global>        15017   ip_input(ill_t  *ill,   ill_rx_ring_t  *ip_ring,        mblk_t  *mp_chain,
2       ip.h    <global>        3225    extern  void    ip_input(ill_t  *,     ill_rx_ring_t    *,      mblk_t  *,
3       ip_if.c ill_capability_dls_capabl       2925    dls.dls_rx      =      (uintptr_t)ip_input;
4       ip.c    ip_rput 14993   ip_input(ill,   NULL,   mp,     NULL);
5       ip_netinfo.c    ip_ni_queue_func_impl   1293    ip_input(ill,   NULL,  packet->ni_packet,       0);
6       ip_squeue.c     ip_soft_ring_assignment 754     ip_input(ill,   NULL,   mp_chain,       mhip);                          

Update

As Alan Burlinson mentioned below, cscope-fast has a command line option, "-l", that allows for it to generate output that is not screen orientated. This can be used like this:

$ cscope-fast -l -d -0 ip_input
uts/common/inet/ip/ip.c <global> 15017 ip_input(ill_t *ill, ill_rx_ring_t *ip_ring, mblk_t *mp_chain,
uts/common/inet/ip.h <global> 3225 extern void ip_input(ill_t *, ill_rx_ring_t *, mblk_t *,
uts/common/inet/ip/ip_if.c ill_capability_dls_capable 2925 dls.dls_rx = (uintptr_t)ip_input;
uts/common/inet/ip/ip.c ip_rput 14993 ip_input(ill, NULL, mp, NULL);
uts/common/inet/ip/ip_netinfo.c ip_ni_queue_func_impl 1293 ip_input(ill, NULL, packet->ni_packet, 0);
uts/common/inet/ip/ip_squeue.c ip_soft_ring_assignment 754 ip_input(ill, NULL, mp_chain, mhip);
>>

While this gives us a leg up, there are two problems:

• 1. It is still expecting input from the user so we need to do "cat /dev/null | cscope-fast -l..." to make it terminate.
• 2. There is no clear field delimiters such as the TAB's in the other output. As long as none of the first 4 fields contains a space, this isn't too much of a problem as it can be worked around.

To wrap this up, I've used a perl script below because I'm more familiar with perl being able to carve up an array and print it out than I am with shell.

#!/bin/perl
$args = join(' ',@ARGV);
open(I, "cat /dev/null | cscope-fast -l -d $args|") || die $!;
while (<I>) {
        last if (/^>>/);
        @F = split(/ /);
        @B = splice(@F,3,$#F);
        @A = splice(@F,0,3);
        print join("\t",@A)."\t".join(' ',@B)."\n";
}
close(I);
exit(0);

Thanks Alan for the pointer and reminder.

Monday July 02, 2007

Nevada, Solaris 10 Update 4 - IPFilter and Zones

Back in "Using IPFilter between zones for firewalling", I mentioned that our project to enable IPFilter between zones had been approved. This project was made a part of OpenSolaris (or nevada) late last year and in "Packet Filtering Hooks integrated into Solaris Nevada", I mentioned that the project had been successful. But the missing ingredient: how do I use this?

Out of the box, if you start using IPFilter with Solaris Zones (using shared stack instances), you won't be able to intercept those pesky packets that are going directly from zone to zone. There's a hidden button that you need to push in ipf.conf called intercept_loopback.

How is this button used? At the top of your ipf.conf file, you need to have a line like this:

set intercept_loopback true;

Note the ; at the end of the line. Similarly, to disable it, replacing "true" with "false" is sufficient.

NOTE that as this line implies, all loopback traffic will now be intercepted, including loopback (lo0) traffic, so you may need to be more careful about what you block vs pass.