Diary of a geek

February 2005

Andrew Pollock



Monday, 28 February 2005

Third migration (first enforcement module) SNAFU

Yesterday, I migrated my first actual enforcement module. What was supposed to be quite simple, went quite pear-shaped instead.

Fortunately, I picked a relatively unimportant firewall for the first cab off the rank, so the fact that I ran an hour over the allotted change window wasn't an issue. It also enabled me to keep bashing on the problem until I resolved it, rather than having to back out.

What was the problem? Well, it was actually a problem with the migration of the management server for that particular enforcement module. When I migrated the SIC (that's Secure Internal Connection for you non-Firewall-1 savvy people) related crap in $CPDIR/registry/HKLM_registry.data, I screwed up, and didn't set the 6 characters in the SIC's distinguished name to the same thing for both occurrences in that file, which produced quite screwed up results when resetting the SIC between the management server and the replaced enforcement module.

What I had was:

: (SIC
        :ICAState ("[4]3")
        :ICAdn ("o=my_management_server..yyyyyy")
        :HasCertificate ("[4]1")
        :MySICname ("cn=cp_mgmt,o=my_management_server..zzzzzz")
        :CertPath ("/opt/CPshrd-53/conf/sic_cert.p12")

when I really should have had:

: (SIC
        :ICAState ("[4]3")
        :ICAdn ("o=my_management_server..zzzzzz")
        :HasCertificate ("[4]1")
        :MySICname ("cn=cp_mgmt,o=my_management_server..zzzzzz")
        :CertPath ("/opt/CPshrd-53/conf/sic_cert.p12")

This had the interesting effect of the enforcement module getting the 'zzzzzz' SIC during the initial SIC initialisation, but the management server thinking it was 'yyyyyy', and expecting this during normal SIC operation, so nothing worked.

This problem hadn't manifested itself for the other enforcement modules, as they must only deal with the 'MySICname' part of HKLM_registry.data for normal operation. I'm guessing the 'ICAdn' is only consulted when the SIC is reset.

So I just fixed up the HKLM_registry.data file on the management server and restarted Firewall-1 on it, and then lo and behold, I could establish a connection to my new enforcement module.
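A pre-flight check for the mismatch described above, as an added example that is not part of the original post or of any Check Point tooling. It assumes the SIC block in HKLM_registry.data looks exactly like the excerpts quoted here; the function names are hypothetical.

```python
import re

# Matches one field line such as:  :ICAdn ("o=my_management_server..zzzzzz")
FIELD_RE = re.compile(r'^\s*:(\w+)\s+\("([^"]*)"\)')

# Constructed samples: the two SIC blocks quoted in the post.
BROKEN = '''\
: (SIC
        :ICAState ("[4]3")
        :ICAdn ("o=my_management_server..yyyyyy")
        :HasCertificate ("[4]1")
        :MySICname ("cn=cp_mgmt,o=my_management_server..zzzzzz")
        :CertPath ("/opt/CPshrd-53/conf/sic_cert.p12")
'''
FIXED = BROKEN.replace("..yyyyyy", "..zzzzzz")


def sic_fields(text):
    """Return {name: value} for the field lines that follow ': (SIC'."""
    lines = text.splitlines()
    for i, line in enumerate(lines):
        if line.strip() == ": (SIC":
            break
    else:
        raise ValueError("no SIC block found")
    fields = {}
    for line in lines[i + 1:]:
        m = FIELD_RE.match(line)
        if not m:               # first non-field line ends the block
            break
        fields[m.group(1)] = m.group(2)
    return fields


def org_component(dn):
    """Extract the value of the o= component from a distinguished name."""
    for part in dn.split(","):
        key, _, value = part.strip().partition("=")
        if key.lower() == "o":
            return value
    return None


def check_sic(text):
    """Return a list of problems; an empty list means the DNs agree."""
    fields = sic_fields(text)
    ica_org = org_component(fields.get("ICAdn", ""))
    my_org = org_component(fields.get("MySICname", ""))
    if ica_org is None or my_org is None:
        return ["ICAdn or MySICname is missing or has no o= component"]
    if ica_org != my_org:
        return [f"ICAdn organisation '{ica_org}' does not match "
                f"MySICname organisation '{my_org}'"]
    return []


if __name__ == "__main__":
    for label, sample in (("broken", BROKEN), ("fixed", FIXED)):
        print(label, check_sic(sample) or "OK")
```

Run against the migrated file before restarting Firewall-1, it flags the 'yyyyyy'/'zzzzzz' disagreement without needing a SIC reset to expose it.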

[16:55] [work] [permalink]

Saturday, 26 February 2005

This month's QA effort

This morning I did some bug triage on html2ps and made QA uploads of both html2ps and vcr.

It's amazing what procrastination enables you to do. I should make a "Powered by procrastination" button for my website or something. If I could be bothered.

[14:37] [debian] [permalink]

Friday, 25 February 2005

Just when you thought it was safe to eat a hot cross bun...

I'd just finished spraying all the spiders outside, and thought I'd have a hot cross bun (as you do).

The hole in the bag seems too small for a mouse to get through, yet the amount of bun gone seems too much for cockroaches, and there are cockroach baits all over the kitchen...

I suppose a mousetrap is next.

[00:15] [life] [permalink]

Thursday, 24 February 2005

How closely do you work with your upstream software author?

It's surprised me somewhat how some maintainers don't seem to interact with the upstream author(s) of the software that they package. To me, it seems the natural way to operate. It's a partnership between the author who has the intimate knowledge of the code and the software, and the package maintainer, who knows how to package for the distribution.

I'm not meaning to point fingers at people by using these examples, they're just some cases I've come across recently, which has prompted me to write about it.

When Andreas Barth recently made a request for adoption of iproute, I glanced over the current bug listing, and in my opinion, saw a lot of bugs that weren't specific to the packaging of the software, and should have been forwarded upstream. When I asked Andreas what sort of a relationship he had with upstream, I think he said something to the effect that he hadn't had any dealings with them during his maintainership of the package.

Similarly, the other day I was looking over the list of orphaned packages with the maintainer not set to the QA group, with the intention of perhaps doing an upload or three in some spare time that I had, and I stopped upon html2ps, which had a good number of bugs open.

I dropped the upstream author an email, as again, a lot of the bugs looked like fundamental issues with the software, not with how they were packaged in Debian. The author replied, saying he hadn't known of the BTS page for his software, and hadn't known of some of the bugs. He actually went so far as to write a bit of a narrative to a lot of the bugs listed, which I will have to follow up the various bug reports with.

I realise that there is personal style to package maintainership, and that some maintainers may be intimately familiar with the source code, but at the end of the day, we all want "Zarro Boogs" in our packages, so I'd think it's in our best interests to do whatever we can to help make that goal come about as easily as possible.

I'm also personally of the opinion that the Debian packaged version of some software should attempt to walk and talk as similarly as possible to the original upstream version. In an ideal world, all distros would strive for this, so there'd be a degree of interoperability between distributions for given software packages. So to this end, I'd rather see an upstream bug fixed upstream, than fixed in a Debian package specific manner, which caused the Debian package to diverge in behavior from upstream.

For the packages I maintain, I'm on fairly familiar terms with the upstream authors. For packages I ITP or adopt, I generally ping the upstream author when I file the WNPP bug. If I don't get a response from the upstream author, I think twice about going through with the adoption or initial packaging. Like I said, it's a partnership, so it's a bit harder when you're on your own, and you're not intimately familiar with the code.

So, get to know your upstream. From my experience, it's a win-win situation.

[21:54] [debian] [permalink]

Monday, 21 February 2005

Second migration successful (well, kind of)

This morning I did the second (and final) Firewall-1 management server migration at this site. It wasn't as successful as the last one, in that it didn't Just Work.

With some help from Jonathan, the problem was traced back to the Get Topology function getting it wrong. I have to do a Get Topology after I've migrated the configuration as the new hardware has different Ethernet device names to the old one (gotta love how Solaris has hardware specific Ethernet device names). Unfortunately, in the process of doing the Get Topology, Firewall-1 decided to mark one of the interfaces as External, when it really should have been Internal, so then the anti-spoofing stuff kicked in and it decided that connections that were legitimate were actually spoofed, and dropped them.

It made matters worse (but was probably a blessing in disguise in that it highlighted the problem immediately) because the interface in question was the one that connected this management server to the rest of the management network, so you couldn't get through the management server (which is also an enforcement module) to other hosts behind it.


It wasn't so much a case of the Get Topology function getting it wrong. It seems that Firewall-1 will assume that the interface with the default route going out it is external. So for this particular firewall, I just need to redo the routing so there are specific routes and no default route, and in theory everything should be considered internal.

[17:10] [work] [permalink]

Here we go again...

Considering I wasn't planning on continuing my studies this year, I seem to be doing a remarkably good job of being enrolled.

So work was magnanimous enough to give me 2 hours a week of paid time to attend classes, which leaves me with another 3 hours (plus travelling time) to make up myself (so no lunchbreaks and lots of early starts for me).

I'm doing COMP2100 (which actually looks quite interesting) and FINM2001.

I wasn't intending to do another Finance elective, however the only other Computer Science subject I was eligible for is taken by a lecturer who I have taken a strong disliking to, so I figured I'd rather do Corporate Finance with one 2 hour lecture a week than the Computer Science alternative with three 1 hour lectures a week.

It'll be very interesting to see how I go, doing full-time work and part-time study. I really hope I can pull it off, at least for one semester.

[03:23] [uni] [permalink]

Sunday, 20 February 2005

Visa mini is insane

I'd seen some ads around the place for this new Visa mini card, but hadn't remembered to pull up a web page for it when I'd been near an Internet connection.

Today, I got an updated terms and conditions in the mail to add conditions for the new Visa mini card (not that I had one, but the same terms and conditions cover all credit card customers).

So it seems they are trying to accessorise the credit card. Why on earth would you want to parade around with your credit card (with presumably number showing to all and sundry) around your neck or wrist?

The thing that cracked me up to the point of writing this was the added terms and conditions. They've had to add stuff to direct customers not to insert their mini card in ATMs or full card insertion readers. Customers who do so will be liable for the cost of any resulting damage. What a joke. Not to mention that most card readers at supermarkets (well Woolworths at least, Coles isn't) are the full card insertion type.

[23:51] [opinion] [permalink]

Saturday, 19 February 2005

Roadkill camp snorkel

Sarah and I went to Jervis Bay (well Huskisson to be precise) for the weekend, to camp with a bunch of the regulars who are friends with Elise and Michael, as well as a few new people.

Travelling to various places via the Federal Highway, I've noticed a tiny sign that points to Nowra via Tarago and Currawang, which has always intrigued me, as taking the "conventional" route to Nowra and similar coastal locations usually involves hopping off the highway much further north, so on Friday night after work, we decided to try this route, more to see where the heck it went than as a shortcut.

It was a fairly interesting drive for the most part. Probably 50% of it was on dirt roads. We drove past some mines I didn't know existed, some tiny towns (probably questionable as to if they had town status), lots of sheep paddocks, and possibly found a way to get into the back of the intriguing Lake George.

When Elise called at about 9:30pm to find out where we were, there was much laughter in the background from the others who knew the area. Apparently everyone's taken this road once, thinking it is a shortcut.

The downer on the night was towards the end of the journey. We were on a dirt road, and what was about the fifth car we'd seen all night was heading towards us, so I'd slowed down to about 40 km/h, and a bunch of kangaroos appeared, and one hopped right in front of me, and I hit it, and then it got hit by the other car coming in the opposite direction. The other car didn't even stop.

I pulled over and had a quick look at my car to make sure it was still drivable (only minor cosmetic damage to the front grill and a damaged headlight housing thankfully), and then walked back about 20 metres to see what condition the kangaroo was in. It wasn't looking too flash. It had at least a broken back leg, with the bone sticking out, was hyperventilating and was bleeding from the nose and mouth. I dare say it was in shock.

I decided that the best thing I could do was put it out of its misery, which was not something I was really happy about doing, as if you haven't already figured out, I'm a bit of an animal lover. I returned to the car to find something to do the deed with, and the only thing I could think of was the steering wheel lock. So I grabbed that and went back to the kangaroo.

Problem was, I just couldn't do it. I raised it a few times to take a swing at the back of the head, but I just couldn't bring myself to do it. I ended up going back to get the car to try and finish it off with that. I ran over it once, and as I was turning the car around to head back off in the right direction again, I noticed it was still moving, so I ran over it again. I couldn't bring myself to check again after that. It was the first kangaroo I've ever hit, and Sarah and I were both a bit traumatised from the experience.

So that was our Friday night trip to Huskisson. We put the tent up at the caravan park we were staying in and hit the sack as Sarah was pretty tired.

The next morning, we went to Green Patch beach in the Booderee National Park to do some snorkelling. I was really looking forward to snorkelling as Sarah had given me a snorkel, mask and fins for my birthday and I hadn't had an opportunity to use them yet.

The visibility was a bit ordinary, and there wasn't a lot to see. I saw some small fish and lots of sea urchins. After lunch, we headed to Summercloud Bay, still in the national park, and had some better results there. The highlight being a huge (we guessed about a metre wide) sting ray, right underneath us.

At about 3:30pm a thunderstorm blew over, and so we decided to head back to Huskisson. Sarah and I stayed in the car for a bit, right down on the beach, watching the lightning over the ocean, and saw some spectacular lightning bolts.

When we got back to Huskisson, the others who had gone scuba diving for the morning had gotten back and were already at the pub so we headed there as well (the storm had passed by this point) and had some dinner.

We headed back early because we were tired and had turned in by about 9pm. We were woken at about midnight by Michael (he and Elise had their tent next to ours) throwing up, so something mustn't have agreed with him in his dinner (he had baby octopus, and had an unintended bit of paper in it).

It also started raining at some point after that, and didn't really let up after that, so when we got up we decided we'd break camp after breakfast and head home.

We had a pretty good weekend. It would have been better if we hadn't hit a kangaroo, and it rained less, but both things aren't really anything we had much control over.

[23:23] [life] [permalink]

Thursday, 17 February 2005

Oh no!

The dude with the disturbing ringtone has just moved directly behind me.

[16:33] [work] [permalink]

Wednesday, 16 February 2005

Mitigating against SSH brute force attacks using Netfilter and the recent module

As I mentioned previously, I recently discovered the wonders of Netfilter's recent module, and have decided to try and employ it to ward off the evil script kiddies and their brute force SSH scripts.

As I like to be able to SSH to my server from wherever I happen to be, and I won't necessarily have the infrastructure to use public key based authentication, I thought I'd see how a bit of selective packet filtering would go.

I'm using:

iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --set --name SSH -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -m recent --update --seconds 60 --hitcount 4 --rttl --name SSH -j LOG --log-prefix "SSH_brute_force "
iptables -A INPUT -p tcp --dport 22 -m recent --update --seconds 60 --hitcount 4 --rttl --name SSH -j DROP

This will allow three port 22 connections from any given IP address within a 60 second period, and require 60 seconds of no subsequent connection attempts before it will resume allowing connections again. The --rttl option also takes into account the TTL of the datagram when matching packets, so as to endeavour to mitigate against spoofed source addresses.

As an additional nicety, I could refine this to use a custom chain and a whitelist that exited the chain for source IPs that were trusted.

I'm going to run this ruleset on my server for a while and see if I

  1. don't lock myself out
  2. make a dent in SSH brute force attacks


After much discussion with Juergen Kreileder, this ruleset would appear to be slightly better:

iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --set --name SSH
iptables -A INPUT -p tcp --dport 22 -m state --state NEW -j SSH_WHITELIST
iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 --rttl --name SSH -j ULOG --ulog-prefix SSH_brute_force
iptables -A INPUT -p tcp --dport 22 -m state --state NEW -m recent --update --seconds 60 --hitcount 4 --rttl --name SSH -j DROP

This has the (arguably) added benefit of not hosing any established SSH connections from the host that has made too many SSH connections in a short period of time, and allows for whitelisting.


I've had a few people email me and ask about the whitelisting part, which I didn't do a terribly good job of explaining. I should have said that you need to create a custom chain first:


and then add whitelisted hosts to it in a manner like this:

iptables -A SSH_WHITELIST -s $TRUSTED_HOST -m recent --remove --name SSH -j ACCEPT

This clears the whitelisted host out of the recently seen table, and because it has an ACCEPT jump target, should stop further processing anyway.
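To see how the four-rule version behaves over time, here is a simplified model of the recent list replayed over a constructed timeline; it is an added example, not code from the original post or from Netfilter. It assumes --update refreshes the entry only when it matches, does not model the --rttl TTL comparison, and uses documentation-range addresses; "CONTINUE" means the packet falls through to the rest of the INPUT chain.

```python
from collections import defaultdict

WINDOW = 60     # --seconds 60
HITCOUNT = 4    # --hitcount 4


class RecentTable:
    """Per-source timestamp lists, standing in for the 'SSH' recent list."""

    def __init__(self, window=WINDOW, hitcount=HITCOUNT):
        self.window = window
        self.hitcount = hitcount
        self.stamps = defaultdict(list)

    def set(self, src, now):
        # --set: add the source, or add a timestamp to its existing entry.
        self.stamps[src].append(now)

    def update(self, src, now):
        # --update --seconds N --hitcount H: match when at least H
        # timestamps fall inside the last N seconds; a match also
        # records the current time against the source.
        recent = [t for t in self.stamps.get(src, []) if now - t <= self.window]
        if len(recent) >= self.hitcount:
            self.stamps[src].append(now)
            return True
        return False

    def remove(self, src):
        # --remove: forget the source entirely.
        self.stamps.pop(src, None)


def filter_new_ssh(table, whitelist, src, now, log):
    """Walk one NEW tcp/22 packet through the four INPUT rules."""
    table.set(src, now)                 # rule 1: --set, no jump target
    if src in whitelist:                # rule 2: SSH_WHITELIST chain
        table.remove(src)
        return "ACCEPT"
    if table.update(src, now):          # rule 3: ULOG, non-terminating
        log.append((now, src))
    if table.update(src, now):          # rule 4: DROP
        return "DROP"
    return "CONTINUE"


def replay(events, whitelist=()):
    """Replay (time, source) connection attempts; return verdicts and log."""
    table, log = RecentTable(), []
    verdicts = [(now, src, filter_new_ssh(table, whitelist, src, now, log))
                for now, src in sorted(events)]
    return verdicts, log


# Constructed timeline (seconds, source address).
ATTACKER, USER, TRUSTED = "203.0.113.7", "198.51.100.20", "192.0.2.10"
EVENTS = ([(t, ATTACKER) for t in (0, 1, 2, 3, 30, 80, 141)]
          + [(t, USER) for t in (0, 25, 50, 100)]
          + [(t, TRUSTED) for t in (0, 1, 2, 3, 4)])


def verdicts_for(src, whitelist=(TRUSTED,)):
    """Verdicts for one source, in time order."""
    verdicts, _ = replay(EVENTS, whitelist)
    return [v for _, s, v in verdicts if s == src]


if __name__ == "__main__":
    for row in replay(EVENTS, (TRUSTED,))[0]:
        print(*row)
```

In the replay, the attempts at 30 and 80 seconds are dropped even though they are spaced well apart, because every dropped attempt adds fresh timestamps; only the attempt at 141 seconds, more than 60 seconds after the last one, gets through.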

[14:32] [tech/security] [permalink]

Tuesday, 15 February 2005

Linux Journal Is Currently Unavailable Due to a DDoS Attack

That's what I just got when I tried to visit the site. Bugger.

[16:11] [tech/security] [permalink]

Psychologically scarred by mobile phone ringtone

Back in the bad old days I had a Nokia 6110 mobile phone, and I used the caller groups feature to give all work related callers the ringtone called "Trio".

Fast forward three and a bit years, and someone in the office I'm working in has the same ringtone, and every time I hear it I have an involuntary shudder.

[14:56] [life] [permalink]

Monday, 14 February 2005

Netfilter "recent" module

I've recently had the Netfilter recent module brought to my attention, and man, is it neat! The final example on the website for it is a bunch of rules that temporarily open up a hole in the firewall to allow an ident request in when an outbound SMTP connection is seen. Very cool. I'm interested in doing something to mitigate SSH brute force login attempts.

[18:27] [tech/security] [permalink]

Learning awk

As bizarre as it may seem, I've managed to get through life until this point without knowing any awk. If cut and paste didn't cut it (no pun intended), I'd just write a Perl script and be done with it.

There's the possibility that I might have to maintain some behemoth monstrosity of an awk script, so I'm using a bit of spare time whilst the bureaucratic wheels turn to read O'Reilly's sed & awk, Second Edition.

[17:36] [work] [permalink]

Prior art?

The other day, Mako graced his blog with some photos of himself in a very fetching number designed by his girlfriend and knitted by his mother. I was immediately reminded of a similar outfit my lovely fiancee's grandmother knitted for her recently...

I wonder which one came first?

[03:01] [life] [permalink]

Saturday, 12 February 2005

She said yes!

I took Sarah away to Sydney for a surprise pre-Valentine's Day weekend. (Well it was as much of a surprise as you can make something where we have such busy schedules that I had to just tell her to keep a weekend open for "something special" about 3 months ago).

We stayed at a swanky hotel and did the bridgeclimb, where I popped the question to her at the top of the bridge. A couple of photos from the climb are here

[20:56] [life] [permalink]

Wednesday, 09 February 2005

Pride in your work

The convoluted way things work (for procurement) within the client's organisation I'm working at is that all hardware is ordered through, and remains the property of, EDS.

So for this firewall replacement project I'm doing, a bunch of hardware (mainly V240's) was ordered. Another project ordered a few V440's with fibre channel cards. Sun being Sun, ship the cards separate to the boxes, and EDS fit them. Problem is, EDS didn't consult the order when they went to install the cards, and just saw that there were the same number of cards as boxes and installed one in each (when in fact the V440's should have had two cards each and the V240's none).

So this morning, I proceeded to remove the fibre channel card from my V240 for the next firewall I'm replacing, and put it into one of the V440's. I had to pinch a blanking plate from the V440 to fill the gap in the V240. All good, I think. Wrong.

I get the lid off the V440, and discover that the existing fibre channel card hasn't been screwed in, and the blanking plate for the (vacant) PCI slot next to it is (poorly) held in by an ill-fitting PC case screw. Looks like they lost some screws when they were installing the cards methinks.

The V440's have a mix of 33 and 66 megahertz PCI slots. The only cards to go in the box are the two fibre channel cards, and of course EDS has installed the one that is already in there in a 33 megahertz slot, when they had the pick of the slots. So I moved the existing card while I was in there, and installed the one I took out of my V240 in another 66 megahertz slot, found a random screw that fit so that both cards were screwed in, closed it up, and thought I'd have a bit of a rant about taking pride in your work.

[17:45] [work] [permalink]

Tuesday, 08 February 2005

Windows Update is stupid

So I fire up Internet Exploder to run Windows Update (I only use it for this and submitting my timesheet) so as to download this month's plethora of critical updates for Windows, and the stupid thing wants to ignore my proxy settings and make direct connections for the downloads. This of course won't work, so the downloads fail. Never mind the fact that I used a proxy server for every HTTP connection up to the point of initiating the downloads.

[16:04] [work] [permalink]

Loopback devices under Solaris

I was helping a co-worker grok how to loopback-mount an ISO image, and after discovering it was lofiadm that one needed to use in place of losetup, was having a bit of a peruse of the manpage and was amused no end to note that the examples they have are mounting a Red Hat Linux 6.0 for SPARC ISO image.

You wouldn't expect to find this subtle reference to a competing operating system within the Solaris documentation.

[15:49] [work] [permalink]

Sunday, 06 February 2005

I've been syndicated!

I just read the announcement from Linux Australia about how they've set up their own Planet, and casually loaded it up to see what feeds it has, and lo and behold, I'm in it. Well shucks, I didn't think I was worthy...

[18:15] [life] [permalink]

First migration successful

So this morning I migrated my first Firewall-1 management server in the production environment. Thanks to lots of testing and experimenting and breaking and fixing things in the test environment, I pulled this off without a hitch. And the management servers are the hard ones. The enforcement modules are a piece of cake. There's nothing to migrate except the license. I just need more hardware to turn up before I can proceed further. In the meantime, I've scored another project to do on the side, migrating a data service from an old firewall environment to a new(er) one.

[16:39] [work] [permalink]


My boss' boss has agreed to give me two hours a week paid study leave to attend University classes. The rest I have to make up myself. Better than a kick in the teeth, and better than having to make up the total contact hours myself. Now if I can just get tutorials outside of work hours, I should only have to make up about three hours a week of lectures.

[14:59] [work] [permalink]

Saturday, 05 February 2005

If they had half a brain...

Just reading an anti-phishing page of my bank, and they have this gem towards the bottom:

Please Note: The email address spoof@national.com.au must only be used to report suspected spoof emails or hoax websites claiming to be from the National Australia Bank. If you believe your Internet Banking information has been compromised, or you notice a transaction you did not initiate, change your Internet Banking password immediately and contact the Internet Banking Support Team via the details below:

This is after they have plastered the aforementioned email address all over the page two previous times. Are they expecting the page skimmers the spammers use to abide by this directive?

[20:22] [opinion] [permalink]

Thursday, 03 February 2005

Why I hate Solaris

I really hate working with Solaris, and it's not because of the kernel, it's because the userspace experience is so abominable. The GNU user environment is really what makes Linux so kick arse. I can survive quite well (in a poweruser capacity) on a BSD box if the environment is GNU.

So here's my current list of things that I constantly bump into that aggrieve me no end:

  • there is no decent shell by default (by decent, I mean something with command recall that doesn't suck, like Korn shell).
  • Solaris find blows goats when it comes to any decent options (my kingdom for iname)
  • there is no watch command
  • df is shite

The first thing I do, if I have the option, is GNUify the environment a bit, but that is really a band-aid solution. Invariably, the packages from Sun Freeware are used to achieve this, but I'm not a big fan of how well they are packaged, and you end up with lots of stuff in /usr/local/bin, and sooner or later, you have to get into LD_LIBRARY_PATH hell, and it all goes downhill from there.

In Sun's defense, they are getting with the program, and shipping more and more GNU stuff as optional packages. Solaris 8 (which is what I'm currently having to endure) does ship with GNU Bash, less, and gzip. Solaris 9 goes so far as to ship OpenSSH if I recall correctly. So things are improving, but the user experience (for me) still leaves a lot to be desired, compared to a stock installation of say Debian GNU/Linux.

[16:47] [work] [permalink]


Well now that the ADSL has finally been relocated, the latency is low enough to make blogging from home tolerable. I feel officially moved now that the Internet access is like it usually is.

We've been here three weeks next Monday, and we're probably about 80% unpacked (the other 20% is going to suck and drag on forever). I also need to get a couple of coffee tables and a bookcase of some sort, but that can wait until my credit card cools down a bit.

It's nice to have a more modern place (mmm, dishwasher), and to have it to ourselves. The increased distance from town is noticeable. Driving home from the ANU tonight after a linux.conf.au organising committee meeting really helped drive that point home, but in reality, the commute is still trivial.

[02:36] [life] [permalink]

Wednesday, 02 February 2005

Underwear goes inside the pants

This song has been copping a bit of airplay in the last few weeks during the afternoon drive timeslot. I think the lyrics are very poignant, and worth a read.

[01:59] [life] [permalink]

Tuesday, 01 February 2005

Just when you thought it was safe to recompile your wireless drivers...

This is a bit odd. I'm running the stock Debian 2.6.9 kernel on my laptop, and I'm just manually compiling the Intel IPW2200 driver and throwing it into my modules directory. Periodically, I grab the latest version and give it a whirl. I'm hanging out for monitor mode support so I can go wardriving again.

Anyhoo, tonight's build attempt failed:

apollock@debian:~/ipw2200-1.0.0$ make
make -C /lib/modules/2.6.10-1-686/build SUBDIRS=/home/apollock/ipw2200-1.0.0 MODVERDIR=/home/apollock/ipw2200-1.0.0 modules
make[1]: Entering directory `/usr/src/kernel-headers-2.6.10-1-686'
  CC [M]  /home/apollock/ipw2200-1.0.0/ipw2200.o
  CC [M]  /home/apollock/ipw2200-1.0.0/ieee80211_module.o
  CC [M]  /home/apollock/ipw2200-1.0.0/ieee80211_tx.o
  CC [M]  /home/apollock/ipw2200-1.0.0/ieee80211_rx.o
  CC [M]  /home/apollock/ipw2200-1.0.0/ieee80211_wx.o
  LD [M]  /home/apollock/ipw2200-1.0.0/ieee80211.o
  CC [M]  /home/apollock/ipw2200-1.0.0/ieee80211_crypt.o
  CC [M]  /home/apollock/ipw2200-1.0.0/ieee80211_crypt_wep.o
  Building modules, stage 2.
Warning: could not find versions for .tmp_versions/ipw2200.mod
*** Warning: "cleanup_module" [/home/apollock/ipw2200-1.0.0/ipw2200.ko] undefined!
*** Warning: "init_module" [/home/apollock/ipw2200-1.0.0/ipw2200.ko] undefined!
*** Warning: "cleanup_module" [/home/apollock/ipw2200-1.0.0/ieee80211_crypt_wep.ko] undefined!
*** Warning: "init_module" [/home/apollock/ipw2200-1.0.0/ieee80211_crypt_wep.ko] undefined!
*** Warning: "cleanup_module" [/home/apollock/ipw2200-1.0.0/ieee80211_crypt.ko] undefined!
*** Warning: "init_module" [/home/apollock/ipw2200-1.0.0/ieee80211_crypt.ko] undefined!
*** Warning: "cleanup_module" [/home/apollock/ipw2200-1.0.0/ieee80211.ko] undefined!
*** Warning: "init_module" [/home/apollock/ipw2200-1.0.0/ieee80211.ko] undefined!
  CC      /home/apollock/ipw2200-1.0.0/ieee80211.mod.o
  LD [M]  /home/apollock/ipw2200-1.0.0/ieee80211.ko
  CC      /home/apollock/ipw2200-1.0.0/ieee80211_crypt.mod.o
  LD [M]  /home/apollock/ipw2200-1.0.0/ieee80211_crypt.ko
  CC      /home/apollock/ipw2200-1.0.0/ieee80211_crypt_wep.mod.o
  LD [M]  /home/apollock/ipw2200-1.0.0/ieee80211_crypt_wep.ko
  CC      /home/apollock/ipw2200-1.0.0/ipw2200.mod.o
  LD [M]  /home/apollock/ipw2200-1.0.0/ipw2200.ko
make[1]: Leaving directory `/usr/src/kernel-headers-2.6.10-1-686'

I then proceeded to try and recompile the version I was previously running (and hit the same problem). Now I was mildly annoyed, because I'd gone and clobbered my working version with a dud version, irrespective of which particular version I used. So I tried it in 2.6.10 as well, for good measure (I'd previously experienced reliability issues with the driver under 2.6.10, which is why I'm still running 2.6.9).

I'm inclined to say that something is wrong with the Debian kernel headers, but not being a kernel guru by any stretch of the imagination, I'm not quite sure how to say this conclusively in order to file a bug or anything... I might get Rick to read my blog and see what he says.

[03:02] [tech] [permalink]