Hazard's stuff
Copyright (c) 2004, hazard

Huawei OPS syslog example (2023-06-29)
Documentation from the Huawei site gives non-working examples and wrong names of parameters for OPS syslog logging. Below are syslog calls that actually work:
<pre>
import ops
def ops_condition(_ops):
    # each call returns a (status, err_log) pair
    status, err_log = _ops.syslog("Hello world", ops.INFORMATIONAL, ops.SYSLOG)
    status, err_log = _ops.syslog("Example critical error", ops.CRITICAL, ops.SYSLOG)
</pre><br/>

Example Huawei OPS route monitoring script that changes VXLAN VTEP configuration if route goes away (2023-06-17)
To avoid using a peer-link between Huawei CloudEngine switches in a PtP VXLAN environment and therefore save 4 x 100G ports, I made a Python script for Huawei OPS that changes the VTEP peer IP in case the route to the primary VTEP disappears (e.g. the primary switch fails). It was much more of an effort than it should have been, due to inadequate API documentation and examples which sometimes specify wrong parameter values. Non-working Python error reporting on Huawei VRP (at least on the OS release I used) didn't help either. Details below.<br/><br />
The script is configured using up to 100 changevtep_targetsN environment variables. Below is an example config that monitors routes 10.1.1.0/30 used by VNI 10 and 10.2.3.0/30 used by VNI 20 (note that the /30 prefix size is implied). When these routes are added to or removed from the routing table, the script configures the VNI peer-list under the Nve1 interface with the specified VTEPs. Note that you will need to disable MAC address learning, as CloudEngine learns MAC addresses from VXLAN packets from any IP address, even if it is not in the peer-list.
<pre>
ops
script-assistant python change_vtep_on_route_change.py
environment changevtep_targets0 vni=10;monitor_net=10.1.1.0;add=10.1.1.1;remove=10.100.100.1
environment changevtep_targets1 vni=20;monitor_net=10.2.3.0;add=10.2.3.1;remove=10.200.200.1
</pre>
Multiple targets can also be specified in the same environment variable using the / separator.<br />
<br />
Get the script source from <a href="https://github.com/vladimirivashchenko/change_vtep_on_route_change/">GitHub</a>

static bearssl https client (2021-12-28)
From time to time I encounter a Linux system which doesn't have a proper SSL library or doesn't have one at all (e.g. embedded). For such cases I made an extremely simplistic <a href="/files/bearssl_https_client.tgz">https client</a> using the BearSSL library that can be compiled statically with an appropriate libc. It is a quick hack based on client_basic.c and may not work properly in cases of unusual server responses. Example command line: <pre>./https_client en.wikipedia.org 443 /wiki/Linux</pre><br/>
The client returns response headers on STDERR, the body on STDOUT and exit status 0 if the HTTP response status is 200. To compile, untar into a folder containing the compiled BearSSL library, then run cd https_client && ./make.sh<br/>

"Failed to install RT_NH entry" error on Juniper during routing-instance import (2020-04-19)
I realized why I was getting errors like this on Juniper EX4200 switch when importing routes from one routing-instance to another:<br />
<pre>
fpc2 Failed to do walk over constituent nhs (status: 1004)
/kernel: RT_PFE: RT msg op 1 (PREFIX ADD) failed, err 5 (Invalid)
fpc2 Failed to install RT_NH entry (status: 1004)
fpc2 Failed to create the RT_NH entry (status: 1004)
fpc2 RT-HAL,rt_entry_add_msg_proc,2873: rt_halp_vectors->rt_create failed
fpc2 RT-HAL,rt_entry_add_msg_proc,2933: proto ipv4,len 27 prefix X/24 nh X
fpc2 RT-HAL,rt_msg_handler,601: route process failed
</pre>
I was using prefix-lists to control which routes are imported, but didn't include the local address /32 of the directly connected route I wanted to import in the list. Seems obvious now, but until I figured it out, it wasn't :)<br/>

ISC dhcpd doesn't work for unicast renewals without ARP (2018-07-14)
While implementing a network isolation policy I encountered an interesting quirk of how ISC dhcpd works: for unicast renewals, it uses a Linux IP-based syscall to send the DHCPACK towards an IP address, not a MAC address. As a result, an ARP entry must exist, so ARP towards the client host has to work. For broadcast DHCP requests, dhcpd replies directly to a MAC address and ARP is not needed. I expected that the DHCP server wouldn't need anything apart from ports 67/68 and isolated everything else. So, I was seeing that some devices could get DHCP while some couldn't, which led to quite a fun troubleshooting session, especially since dhcpd was logging a successful DHCPACK response while tcpdump was showing that no response was actually sent on the wire.<br/>

Script to automate addition of self-signed SSL certificate to Git (2017-04-24)
Out of the box, Git doesn't recognize the self-signed SSL https repository certificates typically used in internal networks and refuses to connect: "Peer's certificate issuer has been marked as not trusted by the user". A common method is to disable the certificate check altogether, which opens up the possibility of MITM. A safer solution is to add the SSL certificate of your internal repository to Git's config, so that it gets checked and recognized. This reduces your vulnerability window to the initial certificate download. I made a small shell script to automate the job: it downloads the SSL certificate and adds it to Git. Credit goes to ThorSummoner for the trick to fetch the cert using the OpenSSL client.
<pre>
#!/bin/sh
if [ ! "$1" ] ; then
echo "Pass repository domain name as parameter (e.g. $0 git.local)"
exit 1
fi
mkdir -p ~/.gitcert
# -servername sends SNI so a shared host returns the certificate for this name;
# openssl x509 reads the PEM from stdin and writes out the leaf certificate
true | openssl s_client -connect "$1:443" -servername "$1" 2>/dev/null |
openssl x509 -outform PEM > ~/.gitcert/"$1".crt
git config --global http."https://$1".sslCAInfo ~/.gitcert/"$1".crt
</pre><br/>
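As an added example (not the post's own script), a variant that closes the window the post mentions: it fetches the certificate with SNI, refuses to configure Git unless the certificate's SHA-256 fingerprint matches one you obtained out-of-band (passed as the second argument), and only then stores and pins it. The helpers `normalize_fp`, `fp_matches` and `fetch_cert` are my additions.

```shell
#!/bin/sh
# Added example, not the original post's script: pin the repository's
# certificate to a SHA-256 fingerprint obtained out-of-band before trusting it.
set -eu

# Normalize a fingerprint so that "SHA256 Fingerprint=ab:cd:..." (openssl
# output), "ab:cd:..." and "ABCD..." all compare equal: drop any "...="
# prefix, remove colons and spaces, uppercase the hex digits.
normalize_fp() {
    printf '%s' "$1" | sed 's/^.*=//' | tr -d ': ' | tr 'a-f' 'A-F'
}

# Succeed only when two fingerprints are equal after normalization.
fp_matches() {
    [ "$(normalize_fp "$1")" = "$(normalize_fp "$2")" ]
}

# Fetch the leaf certificate presented on $1:443 into file $2, sending SNI so
# a shared host returns the certificate for that name, not its default one.
fetch_cert() {
    true | openssl s_client -connect "$1:443" -servername "$1" 2>/dev/null |
        openssl x509 -outform PEM > "$2" 2>/dev/null || true
    # openssl x509 writes nothing if no certificate came back
    [ -s "$2" ] || { rm -f "$2"; echo "no certificate received from $1" >&2; return 1; }
}

main() {
    if [ $# -ne 2 ]; then
        echo "usage: $0 <repo-domain> <expected-sha256-fingerprint>" >&2
        exit 1
    fi
    dir="$HOME/.gitcert"; tmp="$dir/$1.crt.tmp"
    mkdir -p "$dir"
    fetch_cert "$1" "$tmp"
    actual=$(openssl x509 -in "$tmp" -noout -fingerprint -sha256)
    if ! fp_matches "$actual" "$2"; then
        rm -f "$tmp"
        echo "fingerprint mismatch for $1: got $(normalize_fp "$actual")" >&2
        exit 2
    fi
    mv "$tmp" "$dir/$1.crt"
    git config --global "http.https://$1.sslCAInfo" "$dir/$1.crt"
    echo "pinned $1 to $(normalize_fp "$actual")"
}

# Run only when arguments are given, so the helpers can be sourced and tested.
[ $# -eq 0 ] || main "$@"
```

Obtain the expected fingerprint from the server itself (e.g. `openssl x509 -in server.crt -noout -fingerprint -sha256` on its console) rather than over the network you are about to trust.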

Smokeping Mikrotik SSH plugin with VRF support (2015-07-13)
I have released a Smokeping plugin for Mikrotik RouterOS devices. It supports VRFs and connects via SSH. Installation instructions:<br />
<ul>
<li><a href="http://www.hazard.maks.net/files/OpenSSHMikrotikPing.pm">Download</a> the plugin to your server.</li>
<li>Install by copying the file into lib/Smokeping/probes directory under your smokeping installation (e.g. to /opt/smokeping/lib/Smokeping/probes).</li>
<li>You might also have to install Net::OpenSSH Perl module, if it's not already installed (check by running " perl -e 'use Net::OpenSSH' ").</li>
<li>Add the following section to your smokeping config:<br />
<pre>
+ OpenSSHMikrotikPing
packetsize = [e.g. usual MTU is 1500]
mikrotikuser = [user]
mikrotikpass = [pass]
# feel free to change params below as you wish
forks = 5
offset = 50%
timeout = 15
step = 120
</pre>
</li>
<li>Individual targets are configured as follows:
<pre>
++ sample-target
probe = OpenSSHMikrotikPing
menu = [menu name]
title = [title]
host = [destination IP to ping from Mikrotik device]
pings = [number of ICMP pings to send, e.g. 5]
source = [Mikrotik device to login into]
vrf = [routing-instance name, optional]
psource = [Mikrotik interface source IP to ping from, optional]
</pre></li>
<li>ssh to the Mikrotik device once from the command line from the account of the user who is running smokeping (su -s /bin/sh [username]). On the first connect ssh will ask to add the new host to its known_hosts file; confirm it. Otherwise Smokeping will fail to log in, as the ssh key of your Mikrotik box is not in the known_hosts file.</li>
</ul><br/>

bash binaries with ShellShock vulnerability patch for old Red Hat Linux systems (2014-09-25)
** UPDATED SEP 26 2014 FOR CVE-2014-7169 **<br />
<br />
Some of us are unlucky enough to run older Linux systems (CentOS 4 and older) and need to fix the bash "ShellShock" environment code injection vulnerability.<br /><br />To make the job easier, you can grab my CentOS 4.x <a href="/files/bash-3.0-29centos4_vulnfix.i386.rpm">i386 RPM</a>/<a href="/files/bash-3.0-29centos4_vulnfix.src.rpm">SRC RPM</a>, as well as Red Hat Linux 6.2 (circa 2000!) <a href="/files/bash-3.0-29rh62_vulnfix.i386.rpm">RPM</a>/<a href="/files/bash-3.0-29rh62_vulnfix.src.rpm">SRC RPM</a>, which may work on older systems as well, such as RH7. The SRPM should be buildable on all Red Hat systems.<br />
<br />
MD5 sums: <pre>
30d76eb29c75ca9bf5dcc4d4903de299 bash-3.0-29centos4_vulnfix.i386.rpm
89f0c72480a2dbe28d61503973e98443 bash-3.0-29centos4_vulnfix.src.rpm
57bb220cc9ac5ef2c445a4dece61814c bash-3.0-29rh62_vulnfix.i386.rpm
4ab6aa1a5958da0e5290f43134b08f2a bash-3.0-29rh62_vulnfix.src.rpm
</pre>
<br />
If you want to be 100% sure that the code wasn't tampered with, build your own binary by using src RPM and verify that all patches apart from 140/141 are Red Hat original (140/141 were taken from Oracle's bash patches).
<br/>

fix for Linux Skype 4.3 crash on startup (2014-08-11)
If you upgraded your Linux Skype to 4.3 and face a crash immediately after startup, the fix that worked for me is as follows:<br />
<br />
<ul>
<li>Make of a backup of your home .Skype directory</li>
<li>Install sqlite package on your system if it isn't there already</li>
<li>Run: <b>sqlite3 ~/.Skype/[YOURUSER]/main.db</b></li>
<li>DELETE FROM Messages WHERE type=68;</li>
<li>.quit</li>
</ul>
You will lose your file transfer history, but chat history will still be there. I found this workaround <a href="http://community.skype.com/t5/Linux/Skype-4-3-crash-on-ubuntu-14-04/td-p/3219892/page/2">here</a>. If it doesn't help, you may have to delete/rename your .Skype directory.<br /><br/>

If you don't have audio in Adobe Flash in Fedora 20, pulseaudio is the reason (2014-06-27)
If YouTube on your Linux PC won't play more than one second of video, Flash on other websites has no sound, or you have any other audio issues in other apps, the likely culprit is PulseAudio. I could never figure out the reason why the world needed pulseaudio, apart from the fact we have to use everything that Lennart Poettering creates.<br />
<br />
Anyway, the solution to the pain is easy: just follow the excellent 30-second instructions on the <a href="http://mondogrigio.blogspot.com/2012/06/how-to-disable-pulseaudio-and-enable.html">Mondo Grigio blog</a>.<br/>