summaryrefslogtreecommitdiff
path: root/2004
diff options
context:
space:
mode:
Diffstat (limited to '2004')
-rw-r--r--2004/firewall-vpn-gse2004/firewall-vpn-gse2004.mgp281
-rw-r--r--2004/firewall-vpn-gse2004/firewall-vpn-gse2004.pdfbin0 -> 26830 bytes
-rw-r--r--2004/firewall-vpn-gse2004/firewall-vpn-gse2004_2.pdfbin0 -> 23901 bytes
-rw-r--r--2004/gpl-berlinux2004/biography21
-rw-r--r--2004/gpl-berlinux2004/extended-abstract30
-rw-r--r--2004/gpl-berlinux2004/gpl-berlinux2004.mgp253
-rw-r--r--2004/gpl-bof-ols2004/abstract21
-rw-r--r--2004/gpl-bof-ols2004/biography25
-rw-r--r--2004/gpl-bof-ols2004/gpl-bof-ols2004.mgp228
-rw-r--r--2004/gpl-ccc2004/biography24
-rw-r--r--2004/gpl-ccc2004/cfp-reply46
-rw-r--r--2004/gpl-ccc2004/extended-abstract29
-rw-r--r--2004/gpl-ccc2004/gpl-ccc2004.mgp406
-rw-r--r--2004/gpl-ccc2004/gpl-ccc2004.xml280
-rw-r--r--2004/gpl-ccc2004/short-abstract4
-rw-r--r--2004/gpl-lb2004/abstract22
-rw-r--r--2004/gpl-lb2004/gpl-lb2004.mgp406
-rw-r--r--2004/gpl-lk2004/gpl-lk2004.mgp247
-rw-r--r--2004/gpl-lk2004/gpl-lk2004.pdfbin0 -> 23332 bytes
-rw-r--r--2004/gpl-revisited-knf2004/gpl-enforcement-knf2004.mgp227
-rw-r--r--2004/gpl-revisited-knf2004/gpl-enforcement-knf2004.pdfbin0 -> 19558 bytes
-rw-r--r--2004/gpl-revisited-knf2004/gpl-revisited-knf2004.mgp260
-rw-r--r--2004/gpl-revisited-knf2004/gpl-revisited-knf2004.pdfbin0 -> 24599 bytes
-rw-r--r--2004/gpl-wos2004/.abstract.swp0
-rw-r--r--2004/gpl-wos2004/abstract21
-rw-r--r--2004/gpl-wos2004/biography25
-rw-r--r--2004/gpl-wos2004/gpl-wos2004.mgp174
-rw-r--r--2004/gpl-wos2004/gpl-wos2004.pdfbin0 -> 15191 bytes
-rw-r--r--2004/linux2.6-networktour-lb2004/abstract4
-rw-r--r--2004/linux2.6-networktour-lb2004/linux2.6-networktour-lb2004.mgp236
-rw-r--r--2004/nat-ccc2004/biography24
-rw-r--r--2004/nat-ccc2004/cfp-reply53
-rw-r--r--2004/nat-ccc2004/extended-abstract34
-rw-r--r--2004/nat-ccc2004/nat-ccc2004.mgp343
-rw-r--r--2004/nat-ccc2004/short-abstract5
-rw-r--r--2004/netfilter-bof-ols2004/netfilter-bof-ols2004.mgp272
-rw-r--r--2004/netfilter-failover-lk2004/netfilter-failover-lk2004.mgp369
-rw-r--r--2004/netfilter-failover-lk2004/netfilter-failover-lk2004.tex656
-rw-r--r--2004/netfilter-failover-lk2004/zrl.sty432
-rw-r--r--2004/netfilter-failover-lt2004/netfilter-failover-lt2004.mgp369
-rw-r--r--2004/netfilter-failover-ols2004/OLS2004-proceedings/AuthorDirList.txt51
-rw-r--r--2004/netfilter-failover-ols2004/OLS2004-proceedings/Authors.tex357
-rw-r--r--2004/netfilter-failover-ols2004/OLS2004-proceedings/EXAMPLE/Makefile41
-rw-r--r--2004/netfilter-failover-ols2004/OLS2004-proceedings/EXAMPLE/bibliography.tex180
-rw-r--r--2004/netfilter-failover-ols2004/OLS2004-proceedings/EXAMPLE/bibliography2.tex41
-rw-r--r--2004/netfilter-failover-ols2004/OLS2004-proceedings/EXAMPLE/complexCode/Figures/example.c18
-rw-r--r--2004/netfilter-failover-ols2004/OLS2004-proceedings/EXAMPLE/complexCode/Figures/example.ll22
-rw-r--r--2004/netfilter-failover-ols2004/OLS2004-proceedings/EXAMPLE/complexCode/Makefile41
-rw-r--r--2004/netfilter-failover-ols2004/OLS2004-proceedings/EXAMPLE/complexCode/complexFigure.tex88
-rw-r--r--2004/netfilter-failover-ols2004/OLS2004-proceedings/EXAMPLE/complexCode/example-c.tex22
-rw-r--r--2004/netfilter-failover-ols2004/OLS2004-proceedings/EXAMPLE/complexCode/example-ll.tex24
-rw-r--r--2004/netfilter-failover-ols2004/OLS2004-proceedings/EXAMPLE/complexCode/lgrind.sty228
-rw-r--r--2004/netfilter-failover-ols2004/OLS2004-proceedings/EXAMPLE/complexCode/llvm.lst15
-rw-r--r--2004/netfilter-failover-ols2004/OLS2004-proceedings/EXAMPLE/conditional.tex15
-rw-r--r--2004/netfilter-failover-ols2004/OLS2004-proceedings/EXAMPLE/figures.tex40
-rw-r--r--2004/netfilter-failover-ols2004/OLS2004-proceedings/EXAMPLE/includegraphics.tex15
-rw-r--r--2004/netfilter-failover-ols2004/OLS2004-proceedings/EXAMPLE/legalese.tex19
-rw-r--r--2004/netfilter-failover-ols2004/OLS2004-proceedings/EXAMPLE/multipleAuthors.tex68
-rw-r--r--2004/netfilter-failover-ols2004/OLS2004-proceedings/EXAMPLE/myPaper.pdfbin0 -> 34244 bytes
-rw-r--r--2004/netfilter-failover-ols2004/OLS2004-proceedings/EXAMPLE/myPaper.tex495
-rw-r--r--2004/netfilter-failover-ols2004/OLS2004-proceedings/EXAMPLE/references.tex29
-rw-r--r--2004/netfilter-failover-ols2004/OLS2004-proceedings/EXAMPLE/tables.tex79
-rw-r--r--2004/netfilter-failover-ols2004/OLS2004-proceedings/Makefile61
-rw-r--r--2004/netfilter-failover-ols2004/OLS2004-proceedings/MasterOLS-2side.tex538
-rw-r--r--2004/netfilter-failover-ols2004/OLS2004-proceedings/MasterOLS.html671
-rw-r--r--2004/netfilter-failover-ols2004/OLS2004-proceedings/MasterOLS.tex534
-rw-r--r--2004/netfilter-failover-ols2004/OLS2004-proceedings/TEMPLATES/Blank.tex67
-rw-r--r--2004/netfilter-failover-ols2004/OLS2004-proceedings/TEMPLATES/ProtoMake41
-rw-r--r--2004/netfilter-failover-ols2004/OLS2004-proceedings/TEMPLATES/README4
-rw-r--r--2004/netfilter-failover-ols2004/OLS2004-proceedings/TEMPLATES/cprog.sty249
-rw-r--r--2004/netfilter-failover-ols2004/OLS2004-proceedings/TEMPLATES/csty.sty250
-rw-r--r--2004/netfilter-failover-ols2004/OLS2004-proceedings/TEMPLATES/eclepsf.sty278
-rw-r--r--2004/netfilter-failover-ols2004/OLS2004-proceedings/TEMPLATES/lineno.sty1517
-rw-r--r--2004/netfilter-failover-ols2004/OLS2004-proceedings/TEMPLATES/mpss-commands.tex70
-rw-r--r--2004/netfilter-failover-ols2004/OLS2004-proceedings/TEMPLATES/ols-fonts.tex25
-rw-r--r--2004/netfilter-failover-ols2004/OLS2004-proceedings/TEMPLATES/ols.sty84
-rw-r--r--2004/netfilter-failover-ols2004/OLS2004-proceedings/TEMPLATES/twocolumn.sty13
-rw-r--r--2004/netfilter-failover-ols2004/OLS2004-proceedings/TEMPLATES/usenix.sty55
-rw-r--r--2004/netfilter-failover-ols2004/OLS2004-proceedings/TEMPLATES/zrl.sty432
-rw-r--r--2004/netfilter-failover-ols2004/OLS2004-proceedings/all.txt306
-rwxr-xr-x2004/netfilter-failover-ols2004/OLS2004-proceedings/bin/CreateIndiv.pl222
-rwxr-xr-x2004/netfilter-failover-ols2004/OLS2004-proceedings/bin/cleanurl.pl61
-rwxr-xr-x2004/netfilter-failover-ols2004/OLS2004-proceedings/bin/makeMainPaper.pl81
-rwxr-xr-x2004/netfilter-failover-ols2004/OLS2004-proceedings/bin/masterToHtml.pl32
-rwxr-xr-x2004/netfilter-failover-ols2004/OLS2004-proceedings/bin/parseall.pl126
-rw-r--r--2004/netfilter-failover-ols2004/OLS2004-proceedings/texmf/ls-R16
-rw-r--r--2004/netfilter-failover-ols2004/OLS2004-proceedings/texmf/tex/latex/combine/combcite.sty109
-rw-r--r--2004/netfilter-failover-ols2004/OLS2004-proceedings/texmf/tex/latex/combine/combine.cls1009
-rw-r--r--2004/netfilter-failover-ols2004/OLS2004-proceedings/texmf/tex/latex/combine/combinet.sty138
-rw-r--r--2004/netfilter-failover-ols2004/OLS2004-proceedings/texmf/tex/latex/combine/combnat.sty543
-rw-r--r--2004/netfilter-failover-ols2004/OLS2004-proceedings/welte/Makefile41
-rw-r--r--2004/netfilter-failover-ols2004/OLS2004-proceedings/welte/Record.ols6
-rw-r--r--2004/netfilter-failover-ols2004/OLS2004-proceedings/welte/netfilter-failover-ols2002.tex504
-rw-r--r--2004/netfilter-failover-ols2004/OLS2004-proceedings/welte/welte-abstract.tex10
-rw-r--r--2004/netfilter-failover-ols2004/OLS2004-proceedings/welte/welte.tex652
-rw-r--r--2004/netfilter-failover-ols2004/netfilter-failover-ols2004.mgp369
-rw-r--r--2004/netfilter-programming-lwe2004/ipt_workshop.c54
-rw-r--r--2004/netfilter-programming-lwe2004/ipt_workshop.h6
-rw-r--r--2004/netfilter-programming-lwe2004/libipt_workshop.c102
-rw-r--r--2004/netfilter-programming-lwe2004/netfilter-programming-lwe2004.mgp628
-rw-r--r--2004/netfilter-programming-lwe2004/nf_workshop.c57
-rw-r--r--2004/relation-community-lb2004/abstract27
-rw-r--r--2004/relation-community-lb2004/interact-community-lb2004.mgp275
-rw-r--r--2004/relation-community-lb2004/notes107
104 files changed, 18085 insertions, 0 deletions
diff --git a/2004/firewall-vpn-gse2004/firewall-vpn-gse2004.mgp b/2004/firewall-vpn-gse2004/firewall-vpn-gse2004.mgp
new file mode 100644
index 0000000..a43909c
--- /dev/null
+++ b/2004/firewall-vpn-gse2004/firewall-vpn-gse2004.mgp
@@ -0,0 +1,281 @@
+%include "default.mgp"
+%default 1 bgrad
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+%nodefault
+%back "blue"
+
+%center
+%size 7
+
+
+Firewalls, IPsec and Linux
+
+
+%center
+%size 4
+by
+
+Harald Welte <laforge@netfilter.org>
+
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+Firewalls, IPsec and Linux
+Contents
+
+
+ Introduction
+ Highly Scalable Linux Network Stack
+ Netfilter Hooks
+ Packet selection based on IP Tables
+ The Connection Tracking Subsystem
+ The NAT Subsystem
+ IPsec with Free S/WAN
+ IPsec with Kernel 2.6.x
+ Cipe, vtun, openvpn and others
+ Traffic Shaping, QoS, Policy Routing
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+Firewalls, IPsec and Linux
+Introduction
+
+What this is:
+ A broad overview about the advanced Linux networking features
+ Intended for a network savyy audience that has little Linux background
+
+What this presentation is not:
+ A tutorial on how to use iptables, tc, iproute2, brctl
+ An introduction into the cool code we write every day ;)
+
+It will try to show you what you can do with Linux networking, not how.
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+Firewalls, IPsec and Linux
+Introduction
+
+Linux and Networking
+ Linux is a true child of the Internet
+ Early adopters: ISP's, Universities
+ Lots of work went into a highly scalable network stack
+ Not only for client/server, but also for routers
+ Features unheared of in other OS's
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+Firewalls, IPsec and Linux
+Introduction
+
+Did you know, that a stock 2.6.5 linux kernel can provide
+
+ a stateful packet filter ?
+ fully symmetric NA(P)T ?
+ policy routing ?
+ QoS / traffic shaping ?
+ IPv6 firewalling ?
+ packet filtering, NA(P)T on a bridge ?
+ layer 2 (mac) address translation ?
+
+If not, chances are high that this presentation will tell you something new.
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+Firewalls, IPsec and Linux
+Netfilter Hooks
+
+ What is netfilter?
+
+ System of callback functions within network stack
+ Callback function to be called for every packet traversing certain point (hook) within network stack
+ Protocol independent framework
+ Hooks in layer 3 stacks (IPv4, IPv6, DECnet, ARP)
+ Multiple kernel modules can register with each of the hooks
+
+Traditional packet filtering, NAT, ... is implemented on top of this framework
+
+Can be used for other stuff interfacing with the core network stack, like DECnet routing daemon.
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+Firewalls, IPsec and Linux
+IP tables
+
+ Packet selection using IP tables
+
+ The kernel provides generic IP tables support
+
+ Each kernel module may create it's own IP table
+
+ The three major parts of 2.4 firewalling subsystem are implemented using IP tables
+ Packet filtering table 'filter'
+ NAT table 'nat'
+ Packet mangling table 'mangle'
+
+ Could potentially be used for other stuff, e.g. IPsec SPDB
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+Firewalls, IPsec and Linux
+IP Tables
+
+ Managing chains and tables
+
+ An IP table consists out of multiple chains
+ A chain consists out of a list of rules
+ Every single rule in a chain consists out of
+ match[es] (rule executed if all matches true)
+ target (what to do if the rule is matched)
+
+%size 4
+matches and targets can either be builtin or implemented as kernel modules
+
+%size 5
+ The userspace tool iptables is used to control IP tables
+ handles all different kinds of IP tables
+ supports a plugin/shlib interface for target/match specific options
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+Firewalls, IPsec and Linux
+Connection Tracking Subsystem
+
+ Connection tracking...
+ implemented seperately from NAT
+ enables stateful filtering
+ protocol modules (currently TCP/UDP/ICMP/GRE/SCTP)
+ application helpers (currently FTP,IRC,H.323,talk,SNMP,RTSP)
+ does _NOT_ filter packets itself
+ can be utilized by iptables using the 'state' match
+ is used by NAT Subsystem
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+Firewalls, IPsec and Linux
+Network Address Translation
+
+ Network Address Translation
+
+ Previous Linux Kernels only implemented one special case of NAT: Masquerading
+ Linux 2.4.x / 2.6.x can do any kind of NAT.
+ NAT subsystem implemented on top of netfilter, iptables and conntrack
+ Following targets available within 'nat' Table
+ SNAT changes the packet's source whille passing NF_IP_POST_ROUTING
+ DNAT changes the packet's destination while passing NF_IP_PRE_ROUTING
+ MASQUERADE is a special case of SNAT
+ REDIRECT is a special case of DNAT
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+Firewalls, IPsec and Linux
+Packet Mangling
+
+ Purpose of mangle table
+ packet manipulation except address manipulation
+ Targets specific to the 'mangle' table:
+ DSCP - manipulate DSCP field
+ IPV4OPTSSTRIP - strip IPv4 options
+ MARK - change the nfmark field of the skb
+ TCPMSS - set TCP MSS option
+ TOS - manipulate the TOS bits
+ TTL - set / increase / decrease TTL field
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+Firewalls, IPsec and Linux
+Linux Bridging
+
+ Bridging (brctl)
+ Includes support for Spanning Tree
+ Fully supports packet filtering and NAT (!) on a bridge
+ Can also filter and translate layer 2 MAC addresses
+ Can implement a 'brouter' (bridge certain traffic, route other)
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+Firewalls, IPsec and Linux
+Linux Policy Routing
+
+ Policy Routing (iproute2)
+ Allows routing decisions on arbitrary information
+ Provides up to 255 different routing tables within one system
+ By combining via nfmark with iptables, any matches of the packet filter can be used for the routing decision
+ Very useful in complex setups with mutiple links (e.g. multiple DSL uplinks with dynamic addresses, asymmetric routing, ...)
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+Firewalls, IPsec and Linux
+Linux Traffic Shaping
+
+ Traffic Control (tc)
+ Framework for lots of algorithms like RED,SFQ,TBF,CBQ,CSZ,GRED,HTB
+ Very granular control, especially for very low bandwidth links
+ Present since Linux 2.2.x but still not used widely
+ Lack of documentation, but situation is improving (www.lartc.org)
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+Firewalls, IPsec and Linux
+Free S/WAN
+
+ Free S/WAN
+ Was a politically motivated effort to provide IPsec for Linux 2.0+
+ Goal was to encrypt as much Internet Traffic as possible
+ Software architecture didn't fit very well with Linux 2.4/2.6 network stack
+ Project has been shut down, however Open S/WAN continues support
+ Is in widespread production use and has received a lot of testing
+ Political motivation prevented any U.S. citizen to contribute code
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+Firewalls, IPsec and Linux
+Linux 2.6.x IPsec
+
+ Linux 2.6.x IPsec
+ Linux networking gods disaproved Free S/WAN political restrictions and software design
+ Thus, they decided to write their own IPsec stack
+ Result is in the stock 2.6.x kernel series
+ Offers complete support for transport and tunnel mode
+ Can be used with FreeSWAN (pluto) or KAME (isakmpd) userspace
+ Remaining problems
+ No integration with hardware crypto accelerators yet
+ No implementation of NAT traversal yet
+ Interaction with iptable_nat still has to be sorted out
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+Firewalls, IPsec and Linux
+cipe, vtun, openswan and others
+
+ Other VPN protocols/programs
+ Evolved as linux specific VPN implementations since the Linux Kernel was lacking stock IPsec support for a long time
+ Are totally incompatible to IPsec and only compatible to themselves
+ Are of questionable security (at least in case of cipe, vtun)
+ Are mostly userspace implementations
+ Are way easier to configure
+ Can provide layer 2 tunnels to route (or bridge!) all kinds of protocols
+ openvpn with X.509 certificates is a very clean and easy solution for building strong VPN tunnels between two linux gateways
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+Firewalls, IPsec and Linux
+Thanks
+
+ Thanks to
+ the BBS scene, Z-Netz, FIDO, ...
+ for heavily increasing my computer usage in 1992
+ KNF (http://www.franken.de/)
+ for bringing me in touch with the internet as early as 1994
+ for providing a playground for technical people
+ for telling me about the existance of Linux!
+ Alan Cox, Alexey Kuznetsov, David Miller, Andi Kleen
+ for implementing (one of?) the world's best TCP/IP stacks
+ Paul 'Rusty' Russell
+ for starting the netfilter/iptables project
+ for trusting me to maintain it today
+ Astaro AG
+ for sponsoring parts of my netfilter work
+%size 3
+ The slides and the an according paper of this presentation are available at http://www.gnumonks.org/
+%size 3
diff --git a/2004/firewall-vpn-gse2004/firewall-vpn-gse2004.pdf b/2004/firewall-vpn-gse2004/firewall-vpn-gse2004.pdf
new file mode 100644
index 0000000..4386fe5
--- /dev/null
+++ b/2004/firewall-vpn-gse2004/firewall-vpn-gse2004.pdf
Binary files differ
diff --git a/2004/firewall-vpn-gse2004/firewall-vpn-gse2004_2.pdf b/2004/firewall-vpn-gse2004/firewall-vpn-gse2004_2.pdf
new file mode 100644
index 0000000..871e4a5
--- /dev/null
+++ b/2004/firewall-vpn-gse2004/firewall-vpn-gse2004_2.pdf
Binary files differ
diff --git a/2004/gpl-berlinux2004/biography b/2004/gpl-berlinux2004/biography
new file mode 100644
index 0000000..033e727
--- /dev/null
+++ b/2004/gpl-berlinux2004/biography
@@ -0,0 +1,21 @@
+ Harald Welte ist der Leiter des Netfilter Core Team und is massgeblich an der Entwicklung und Pflege des Paketfilters netfilter/iptables beteiligt.
+
+ Sein Augenmerk innerhalb der Computerwelt lag schon immer auf der
+Netzwerktechnik. So ist z.B. der Grund sich 1994 mit Linux zu beschaeftigen
+aus der Aufgabe entstanden, ein UUCP<->ZConnect<->FIDO gateway aufzusetzen.
+
+ In der wenigen Zeit, die ihm heute neben netfilter/iptables bleibt, schreibt er eigenartige Dokumente wie das UUCP-over-SSL-HOWTO.
+
+ Seit 1997 ist er als unabhaengiger IT-Consultant und -Entwickler in
+zahlreichen Projekten fuer die unterschiedlichsten Firmen (von Banken bis zu
+Computerhardware-Herstellern) taetig.
+
+ Im Jahr 2001 folgte er einem Angebot, fuer den Brasilianischen
+Linux-Distributor in Curitiba (Brasilien) zu arbeiten.
+
+ Seit Februar 2002 wird seine Arbeit am netfilter/iptables-Projekt durch ein
+Sponsoring der Fa. Astaro AG unterstuetzt. Neben diesem Sponsoring arbeitet
+er nach wie vor als freiberuflicher Berater und Entwickler.
+
+ Harald lebt seit November 2002 in Berlin.
+
diff --git a/2004/gpl-berlinux2004/extended-abstract b/2004/gpl-berlinux2004/extended-abstract
new file mode 100644
index 0000000..907590b
--- /dev/null
+++ b/2004/gpl-berlinux2004/extended-abstract
@@ -0,0 +1,30 @@
+Rechtliche Durchsetzung der GPL
+
+Immer mehr Firmen setzen Linux und andere GPL-Lizensierte Software in Ihren
+Produkten ein, insbesondere im Bereich der Network Appliances wie Router,
+NAT-Gateways und 802.11 Access Points.
+
+Einerseits darf man dies als grossen Erfolg fuer Freie Software weten.
+Andererseits gibt es eben leider auch eine Schattenseite: Nicht wenige dieser
+Firmen kuemmern sich nicht oder nicht hinreichend um die GPL
+Liznenzbedingungen.
+
+Das netfilter/iptables Projekt hat sich deshalb zur Aufgabe gemacht, die
+vollstaendige Erfuellung der GPL-Lizenzbedingungen von den betreffenden Firmen
+in allen bekannten Faellen einzufordern, notfalls auch gerichtlich.
+
+Diese Bemuehungen laufen nun seit Dezember 2003 - mit ausnahmslosem Erfolg. Das
+Ergebnis sind 12 aussergerichtliche Vergleiche, und eine Einstweilige
+Verfuegung, welche auch das Widerspruchsverfahren ueberstanden hat.
+
+Die Liste der betroffenen Firmen beinhaltet nahezu ausschliesslich bekannte
+Namen wie Siemens, Asus, Belkin.
+
+Der Autor wird einen Ueberblick ueber diese erfolgreiche GPL-Durchsetzung
+innerhalb des Deutschen Rechtsraums geben. Weiterhin wird er darueber
+sprechen, welche genauen Bedingungen erfuellt werden muessen, um den
+Softwarevertrieb GPL-konform zu gestalten.
+
+Darueberhinaus moechte er einige Empfehlungen an Autoren Freier Software geben,
+wie diese schon im Vorfeld einer moeglichen spaetere Durchsetzung ihrer Rechte
+durch konkrete Massnahmen waehrend der Entwicklung helfen koennen.
diff --git a/2004/gpl-berlinux2004/gpl-berlinux2004.mgp b/2004/gpl-berlinux2004/gpl-berlinux2004.mgp
new file mode 100644
index 0000000..00ad93b
--- /dev/null
+++ b/2004/gpl-berlinux2004/gpl-berlinux2004.mgp
@@ -0,0 +1,253 @@
+%include "default.mgp"
+%default 1 bgrad
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+%nodefault
+%back "blue"
+
+%center
+%size 7
+
+
+Enforcing the GNU GPL
+Copyright helps Copyleft
+
+
+%center
+%size 4
+by
+
+Harald Welte <laforge@netfilter.org>
+
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+GNU GPL - Copyright helps Copyleft
+Contents
+
+
+ Introduction
+
+ The GNU GPL Revisited
+ Motivations for licensing under the GPL
+ Enforcing the GNU GPL
+
+ Thanks
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+GNU GPL - Copyright helps Copyleft
+Introduction
+
+Who is speaking to you?
+ an independent Free Software developer
+ who earns his living off Free Software since 1997
+ who is one of the authors of the linux kernel firewall system called netfilter/iptables
+ who IS NOT A LAWYER, although this presentation is the result of dealing six months with lawyers on the GPL
+
+Why is he speaking to you?
+ because he became aware of copyright (copyleft?) infringement and took legal action within German jurisdiction
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+GNU GPL - Copyright helps Copyleft
+What is copyrightable?
+
+ The GNU GPL is a copyright license, and thus only covers copyrighted code
+ Not everything is copyrightable (German: Schoepfungshoehe)
+ Small bugfixes are not copyrightable (similar to typo-fixes in a book)
+ As soon as the programmer has a choice in the implementation, there is significant indication of a copyrightable work
+ Choice in algorithm, not in formal representation.
+ Apparently, the level for copyrightable works is relatively low.
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+GNU GPL - Copyright helps Copyleft
+The GNU GPL Revisited
+
+Revisiting the GNU General Public License
+
+ Regulates distribution of copyrighted code, not usage
+ Allows distribution of source code and modified source code
+ Allows distribution of binaries or modified binaries, if
+ The license itself is mentioned
+ A copy of the license accompanies every copy
+ The complete source code is either
+ included with the copy
+ made available to any 3rd party
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+GNU GPL - Copyright helps Copyleft
+Complete Source Code
+
+%size 3
+"... complete source code means all the source code for all modules it contains, plus any associated interface definition files, plus the scripts used to control compilation and installation of the executable."
+
+ Our interpretation of this is:
+ Source Code
+ Makefiles
+ Tools for generating the firmware binary from the source
+ (even if they are technically no 'scripts')
+ General Rule:
+ Intent of License is to enable user to run modified versions of the program. They need to be enabled to do so.
+ Result: Signing binaries and only accepting signed versions without providing a signature key is not acceptable!
+
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+GNU GPL - Copyright helps Copyleft
+Derivative Works
+
+ What is a derivative work?
+ Not dependent on any particular kind of technology (static/dynamic linking, dlopen, whatever)
+ Even while the modification can itself be a copyrightable work, the combination with GPL-licensed code is subject to GPL.
+ No precendent in Germany so far
+ As soon as code is written for a specific non-standard API (such as the iptables plugin API), there is significant indication for a derivative work
+ This position has been successfully enforced out-of-court with two Vendors so far (iptables modules/plugins).
+ Result
+ Position of my lawyers (apparently also of IBM lawyers):
+ In-kernel proprietary code (binary kernel modules) are not compliant
+ Case-by-case analysis required, especially when drivers/filesystems are ported from other OS's.
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+GNU GPL - Copyright helps Copyleft
+Confusion about the GPL
+
+%size 4
+Unfortunately, the wide misconception about copyright, free software, public domain (even the RedHat CEO!) leads to people unknowingly, or even wilfully only benefit from the freedom but not fulfill the obligations of the GPL.
+
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+GNU GPL - Copyright helps Copyleft
+Enforcing the GNU GPL
+
+Enforcing the GPL
+ GPL violations are nothing new, as GPL licensed software is nothing new.
+ However, the recent Linux boom
+ The FSF enforces GPL violations of code on which they hold the copyright
+ silently, without public notice
+ in lengthy negotiations
+ During 2003 the "Linksys" case drew a lot of attention
+ Linksys was selling 802.11 WLAN Acces Ponts / Routers
+ Lots of GPL licensed software embedded in the device (included Linux, uClibc, busybox, iptables, ...)
+ FSF led alliance took the 'qiet' approach and it took about four months until the full source code was released
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+GNU GPL - Copyright helps Copyleft
+Enforcing the GNU GPL
+
+ The Linksys case
+ Some developers didn't agree with this approach
+ not enough publicity
+ violators don't loose anything by first not complying and wait for the FSF
+ four months delay is too much for low product lifecycles in WLAN world
+ So the netfilter/iptables project started to do their own enforcement in more cases coming up
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+GNU GPL - Copyright helps Copyleft
+Enforcing the GNU GPL
+
+Enforcing the GPL
+ chronological order
+ reverse engineering of firmware images
+ sending the infringing organization a warning notice
+ wait for them to sign a statement to cease and desist
+ applying for a preliminary injunction if they don't (max 4 weeks after reverse engineering)
+
+ Success so far
+ amicable agreement with Asus, Belkin, Allnet, Fujitsu-Siemens, Siemens, Securepoint, U.S. Robotics, ...
+ some of which made significant donations to charitable organizations of the free software community
+ preliminary injunction against Sitecom, Sitecom also lost appeals case
+ more settled cases (not public yet)
+ negotiating in more cases
+ public awareness
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+GNU GPL - Copyright helps Copyleft
+Enforcing the GNU GPL
+
+Enforcing the GPL
+ remains an important issue for Free Software
+ will start to happen within the court
+ has to be made public in order to raise awareness
+
+Problems
+ only the copyright holder (in most cases the author) can do it
+ users discovering GPL'd software need to communicate those issues to all copyright holders
+
+ The http://www.gpl-violations.org/ project was started
+ as a platform wher users can report alleged violations
+ to verify those violations and inform all copyright holders
+ to inform the public about ongoing enforcement efforts
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+GPL enforcement report
+Cases so far
+
+Cases so far
+ Allnet GmbH
+ Siemens AG
+ Fujitsu-Siemens Computers GmbH
+ Axis A.B.
+ Securepoint GmbH
+ U.S.Robotics Germany GmbH
+ undisclosed large vendor
+ Belkin Compnents GmbH
+ Asus GmbH
+ Gateprotect GmbH
+ Sitecom GmbH
+ TomTom B.V.
+ Gigabyte Technologies GmbH
+ D-Link GmbH
+
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+GNU GPL - Copyright helps Copyleft
+Make later enforcement easy
+
+ Practical rules for proof by reverse engineering
+ Don't fix typos in error messages and symbol names
+ Leave obscure error messages like 'Rusty needs more caffeine'
+ Make binary contain string of copyright message, not only source
+ Practical rules for potential damages claims
+ Use revision control system
+ Document source of each copyrightable contribution
+ Name+Email address in CVS commit message
+ Consider something like FSFE FLA (Fiduciary License Agreement)
+ Make sure that employers are fine with contributions of their employees
+ If you find out about violation
+ Don't make it public (has to be new/urgent for injunctive relief)
+ Contact lawyer immediately to send wanrning notice
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+GNU GPL - Copyright helps Copyleft
+Thanks
+
+ Thanks to
+ Alan Cox, Alexey Kuznetsov, David Miller, Andi Kleen
+ for implementing (one of?) the world's best TCP/IP stacks
+ Paul 'Rusty' Russell
+ for starting the netfilter/iptables project
+ for trusting me to maintain it today
+ Astaro AG
+ for sponsoring parts of my netfilter work
+ Free Software Foundation
+ for the GNU Project
+ for the GNU General Public License
+%size 3
+ The slides of this presentation are available at http://www.gnumonks.org/
+%size 3
+ The netfilter homepage http://www.netfilter.org/
+%size 3
+ The http://www.gpl-violations.org/ project
+
+
diff --git a/2004/gpl-bof-ols2004/abstract b/2004/gpl-bof-ols2004/abstract
new file mode 100644
index 0000000..57de337
--- /dev/null
+++ b/2004/gpl-bof-ols2004/abstract
@@ -0,0 +1,21 @@
+Enforcing the GNU GPL - Copyright helps Copyleft
+
+More and more vendors of various computing devices, especially network-related
+appliances such as Routers, NAT-Gateways and 802.11 Access Points are using
+Linux and other GPL licensed free software in their products.
+
+While the linux community can look at this as a big success, there is a back
+side of that coin: A large number of those vendors have no idea about the GPL
+license terms, and as a result do not fulfill their obligations under the GPL.
+
+The netfilter/iptables project has started legal proceedngs against a number of
+companies in violation of the GPL since December 2003. Those legal proceedings
+were quite successful so far, resulting in a number of amicable agreements and
+one granted preliminary injunction.
+
+The speaker will present an overview about his recent successful enforcement of
+the GNU GPL within German jurisdiction.
+
+In the end, it seems like the idea of the founding fathers of the GNU GPL
+works: Guaranteeing Copyleft by using Copyright.
+
diff --git a/2004/gpl-bof-ols2004/biography b/2004/gpl-bof-ols2004/biography
new file mode 100644
index 0000000..2399290
--- /dev/null
+++ b/2004/gpl-bof-ols2004/biography
@@ -0,0 +1,25 @@
+ Harald Welte is the chairman of the netfilter/iptables core team.
+
+ His main interest in computing has always been networking. In the few time
+left besides netfilter/iptables related work, he's writing obscure documents
+like the UUCP over SSL HOWTO. Other kernel-related projects he has been
+contributing are user mode linux and the international (crypto) kernel patch.
+
+ He has been working as an independent IT Consultant working on projects for
+various companies ranging from banks to manufacturers of networking gear.
+During the year 2001 he was living in Curitiba (Brazil), where he got
+sponsored for his Linux related work by Conectiva Inc.
+
+ Starting with February 2002, Harald has been contracted part-time by
+<a href="http://www.astaro.com/">Astaro AG</a>, who are sponsoring him for his
+current netfilter/iptables work.
+
+ Aside from the Astaro sponsoring, he continues to work as a freelancing
+kernel developer and network security consultant.
+
+ He licenses his software under the terms of the GNU GPL. He is determined to bring all users, distributors, value added resellers and vendors of netfilter/iptables based products in full compliance with the GPL, even if it includes raising legal charges.
+
+
+ Harald is living in Berlin, Germany.
+
+
diff --git a/2004/gpl-bof-ols2004/gpl-bof-ols2004.mgp b/2004/gpl-bof-ols2004/gpl-bof-ols2004.mgp
new file mode 100644
index 0000000..db63bcb
--- /dev/null
+++ b/2004/gpl-bof-ols2004/gpl-bof-ols2004.mgp
@@ -0,0 +1,228 @@
+%include "default.mgp"
+%default 1 bgrad
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+%nodefault
+%back "blue"
+
+%center
+%size 7
+
+
+Enforcing the GNU GPL
+Copyright helps Copyleft
+
+
+%center
+%size 4
+by
+
+Harald Welte <laforge@netfilter.org>
+
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+GNU GPL - Copyright helps Copyleft
+Contents
+
+
+ Introduction
+
+ The GNU GPL Revisited
+ Motivations for licensing under the GPL
+ Enforcing the GNU GPL
+
+ Thanks
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+GNU GPL - Copyright helps Copyleft
+Introduction
+
+Who is speaking to you?
+
+ an independent Free Software developer
+ who earns his living off Free Software since 1997
+ who is one of the authors of the linux kernel firewall system called netfilter/iptables
+ who IS NOT A LAWYER, although this presentation is the result of dealing six months with lawyers on the GPL
+
+Why is he speaking to you?
+
+ because he became aware of copyright (copyleft?) infringement and took legal action within German jurisdiction
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+GNU GPL - Copyright helps Copyleft
+What is copyrightable?
+
+ The GNU GPL is a copyright license, and thus only covers copyrighted code
+ Not everything is copyrightable (German: Schoepfungshoehe)
+ Small bugfixes are not copyrightable (similar to typo-fixes in a book)
+ As soon as the programmer has a choice in the implementation, there is significant indication of a copyrightable work
+ Choice in algorithm, not in formal representation.
+ Apparently, the level for copyrightable works is relatively low.
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+GNU GPL - Copyright helps Copyleft
+The GNU GPL Revisited
+
+Revisiting the GNU General Public License
+
+ Regulates distribution of copyrighted code, not usage
+ Allows distribution of source code and modified source code
+ Allows distribution of binaries or modified binaries, if
+ The license itself is mentioned
+ A copy of the license accompanies every copy
+ The complete source code is either
+ included with the copy
+ made available to any 3rd party
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+GNU GPL - Copyright helps Copyleft
+Complete Source Code
+
+
+%size 3
+"... complete source code means all the source code for all modules it contains, plus any associated interface definition files, plus the scripts used to control compilation and installation of the executable."
+
+ Our interpretation of this is:
+ Source Code
+ Makefiles
+ Tools for generating the firmware binary from the source
+ (even if they are technically no 'scripts')
+ General Rule:
+ Intent of License is to enable user to run modified versions of the program. They need to be enabled to do so.
+ Result: Signing binaries and only accepting signed versions without providing a signature key is not acceptable!
+
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+GNU GPL - Copyright helps Copyleft
+Derivative Works
+
+ What is a derivative work?
+ Not dependent on any particular kind of technology (static/dynamic linking, dlopen, whatever)
+ Even while the modification can itself be a copyrightable work, the combination with GPL-licensed code is subject to GPL.
+ No precendent in Germany so far
+ As soon as code is written for a specific non-standard API (such as the iptables plugin API), there is significant indication for a derivative work
+ This position has been successfully enforced out-of-court with two Vendors so far (iptables modules/plugins).
+ Result
+ Position of my lawyers and IBM lawyers:
+ In-kernel proprietary code (binary kernel modules) are not compliant
+ Case-by-case analysis required, especially when drivers/filesystems are ported from other OS's.
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+GNU GPL - Copyright helps Copyleft
+Confusion about the GPL
+
+Unfortunately, the wide misconception about copyright, free software, public
+domain (even the RedHat CEO!) leads to people unknowingly, or even wilfully
+only benefit from the freedom but not fulfill the obligations of the GPL.
+
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+GNU GPL - Copyright helps Copyleft
+Enforcing the GNU GPL
+
+Enforcing the GPL
+ GPL violations are nothing new, as GPL licensed software is nothing new.
+ However, the recent Linux boom
+ The FSF enforces GPL violations of code on which they hold the copyright
+ silently, without public notice
+ in lengthy negotiations
+ During 2003 the "Linksys" case drew a lot of attention
+ Linksys was selling 802.11 WLAN Acces Ponts / Routers
+ Lots of GPL licensed software embedded in the device (included Linux, uClibc, busybox, iptables, ...)
+ FSF led alliance took the 'qiet' approach and it took about four months until the full source code was released
+ Some developers didn't agree with this approach
+ not enough publicity
+ violators don't loose anything by first not complying and wait for the FSF
+ four months delay is too much for low product lifecycles in WLAN world
+ So the netfilter/iptables project started to do their own enforcement in more cases coming up
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+GNU GPL - Copyright helps Copyleft
+Enforcing the GNU GPL
+
+Enforcing the GPL
+ chronological order
+ reverse engineering of firmware images
+ sending the infringing organization a warning notice
+ wait for them to sign a statement to cease and desist
+ applying for a preliminary injunction if they don't (max 4 weeks after reverse engineering)
+
+ Success so far
+ amicable agreement with Asus, Belkin, Allnet, Fujitsu-Siemens, Siemens, Securepoint, U.S. Robotics, ...
+ some of which made significant donations to charitable organizations of the free software community
+ preliminary injunction against Sitecom, Sitecom also lost appeals case
+ more settled cases (not public yet)
+ negotiating in more cases
+ public awareness
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+GNU GPL - Copyright helps Copyleft
+Enforcing the GNU GPL
+
+Enforcing the GPL
+ remains an important issue for Free Software
+ will start to happen within the court
+ has to be made public in order to raise awareness
+
+Problems
+ only the copyright holder (in most cases the author) can do it
+ users discovering GPL'd software need to communicate those issues to all copyright holders
+
+ The http://www.gpl-violations.org/ project was started
+ as a platform wher users can report alleged violations
+ to verify those violations and inform all copyright holders
+ to inform the public about ongoing enforcement efforts
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+GNU GPL - Copyright helps Copyleft
+How to make later enforcement easy
+
+ Practical rules for proof by reverse engineering
+ Don't fix typos in error messages and symbol names
+ Leave obscure error messages like 'Rusty needs more caffeine'
+ Make binary contain string of copyright message, not only source
+ Practical rules for potential damages claims
+ Use revision control system
+ Document source of each copyrightable contribution
+ Name+Email address in CVS commit message
+ Consider something like FSFE FLA (Fiduciary License Agreement)
+ Make sure that employers are fine with contributions of their employees
+ If you find out about violation
+ Don't make it public (has to be new/urgent for injunctive relief)
+ Contact lawyer immediately to send wanrning notice
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+GNU GPL - Copyright helps Copyleft
+Thanks
+
+ Thanks to
+ Alan Cox, Alexey Kuznetsov, David Miller, Andi Kleen
+ for implementing (one of?) the world's best TCP/IP stacks
+ Paul 'Rusty' Russell
+ for starting the netfilter/iptables project
+ for trusting me to maintain it today
+ Astaro AG
+ for sponsoring parts of my netfilter work
+ Free Software Foundation
+ for the GNU Project
+ for the GNU General Public License
+%size 3
+ The slides of this presentation are available at http://www.gnumonks.org/
+%size 3
+ The netfilter homepage http://www.netfilter.org/
+%size 3
+ The http://www.gpl-violations.org/ project
+
+
diff --git a/2004/gpl-ccc2004/biography b/2004/gpl-ccc2004/biography
new file mode 100644
index 0000000..22438a2
--- /dev/null
+++ b/2004/gpl-ccc2004/biography
@@ -0,0 +1,24 @@
+ Harald Welte is the chairman of the netfilter/iptables core team.
+
+ His main interest in computing has always been networking. In the few time
+left besides netfilter/iptables related work, he's writing obscure documents
+like the UUCP over SSL HOWTO. Other kernel-related projects he has been
+contributing are user mode linux, the international (crypto) kernel patch, device drivers and the neighbour cache.
+
+ He has been working as an independent IT Consultant working on projects for
+various companies ranging from banks to manufacturers of networking gear.
+During the year 2001 he was living in Curitiba (Brazil), where he got
+sponsored for his Linux related work by Conectiva Inc.
+
+ Starting with February 2002, Harald has been contracted part-time by
+<a href="http://www.astaro.com/">Astaro AG</a>, who are sponsoring him for his
+current netfilter/iptables work.
+
+ Aside from the Astaro sponsoring, he continues to work as a freelancing
+kernel developer and network security consultant.
+
+ He licenses his software under the terms of the GNU GPL. He is determined to bring all users, distributors, value added resellers and vendors of netfilter/iptables based products in full compliance with the GPL, even if it includes raising legal charges.
+
+ Harald is living in Berlin, Germany.
+
+
diff --git a/2004/gpl-ccc2004/cfp-reply b/2004/gpl-ccc2004/cfp-reply
new file mode 100644
index 0000000..cb58c30
--- /dev/null
+++ b/2004/gpl-ccc2004/cfp-reply
@@ -0,0 +1,46 @@
+21c3-content@cccv.de
+
+ * Name: Full name of speaker
+
+Harald Welte
+
+ * Bio: Short biography of speaker
+
+See Attachment 1
+
+ * Contact: E-Mail, phone, instant messaging etc.
+
+email: laforge@gnumonks.org
+Phone: +49-30-24033902
+Fax: +49-30-24033904
+
+ * Title: Name of event or lecture
+
+Enforcing the GNU GPL
+
+ * Subtitle: Additional title description (a couple of words, optional)
+
+Copyright helps Copyleft
+
+ * Abstract: An abstract of the event's content (max. 250 letters)
+
+Linux is used more and more, especially in the embedded market. Unfortunately,
+a number of vendors do not comply with the GNU GPL. The author has enforced
+the GPL numerous times in and out of court, and will talk about his experience.
+
+ * Description: A detailed description of the event's content (250 to 500 words)
+
+See Attachment 2
+
+ * Attachments: more information
+ o Links to background information
+
+http://www.gpl-violations.org/
+http://www.netfilter.org/licensing.html
+http://gnumonks.org/~laforge/weblog/linux/gpl-violations/
+
+ o Links to information on the lecture itself
+ o Slides, Paper in PDF or other formats
+
+Not yet available.
+
diff --git a/2004/gpl-ccc2004/extended-abstract b/2004/gpl-ccc2004/extended-abstract
new file mode 100644
index 0000000..3b5874b
--- /dev/null
+++ b/2004/gpl-ccc2004/extended-abstract
@@ -0,0 +1,29 @@
+Enforcing the GNU GPL - Copyright helps Copyleft
+
+More and more vendors of various computing devices, especially network-related
+appliances such as Routers, NAT-Gateways and 802.11 Access Points are using
+Linux and other GPL licensed free software in their products.
+
+While the Linux community can look at this as a big success, there is a back
+side of that coin: A large number of those vendors have no idea about the GPL
+license terms, and as a result do not fulfill their obligations under the GPL.
+
+The netfilter/iptables project has started legal proceedngs against a number of
+companies in violation of the GPL since December 2003. Those legal proceedings
+were quite successful so far, resulting in twelve amicable agreements and one
+granted preliminary injunction. The list of companies includes large
+corporations such as Siemens, Asus and Belkin.
+
+The speaker will present an overview about his recent successful enforcement of
+the GNU GPL within German jurisdiction.
+
+He will go on speaking about what exactly is neccessarry to fully comply with
+the GPL, including his legal position on corner cases such as cryptographic
+signing.
+
+Resulting from his experience in dealing with the german legal system, he will
+give some hints to software authors about what they can do in order to make
+eventual later license enforcement easier.
+
+In the end, it seems like the idea of the founding fathers of the GNU GPL
+works: Guaranteeing Copyleft by using Copyright.
diff --git a/2004/gpl-ccc2004/gpl-ccc2004.mgp b/2004/gpl-ccc2004/gpl-ccc2004.mgp
new file mode 100644
index 0000000..71dd062
--- /dev/null
+++ b/2004/gpl-ccc2004/gpl-ccc2004.mgp
@@ -0,0 +1,406 @@
+%include "default.mgp"
+%default 1 bgrad
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+%nodefault
+%back "blue"
+
+%center
+%size 7
+
+
+The GPL is not Public Domain
+
+
+%center
+%size 4
+by
+
+Harald Welte <laforge@gnumonks.org>
+
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+The GNU GPL Revisited
+Contents 1/2
+
+
+ Introduction
+ What is Copyrightable?
+ Terminology
+ Common FOSS Licenses
+ The GNU GPL Revisited
+ Complete Source Code
+ Derivative Works
+ Non-Public Modifications
+ GPL Violations
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+GNU GPL - Copyright helps Copyleft
+Contents 2/2
+
+
+ Past GPL Enforcement
+ The Linksys case
+ Typical enforcement timeline
+ Success so far
+ Cases so far
+ Future GPL Enforcement
+ Thanks
+
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+The GNU GPL Revisited
+Introduction
+
+
+Who is speaking to you?
+ an independent Free Software developer
+ who earns his living off Free Software since 1997
+ who is one of the authors of the Linux kernel firewall system called netfilter/iptables
+ who IS NOT A LAWYER, although this presentation is the result of dealing almost a year with lawyers on the subject of the GPL
+
+Why is he speaking to you?
+ because he thinks there is too much confusion about copyright and free software licenses. Even Red Hat CEO Matt Szulik stated in an interview that RedHat puts investments into 'public domain' :(
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+The GNU GPL Revisited
+Disclaimer
+
+Legal Disclaimer
+
+ All information presented here is provided on an as-is basis
+ There is no warranty for correctness of legal information
+ The author is not a lawyer
+ This does not comprise legal advise
+ The authors experience is limited to German copyright law
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+The GNU GPL Revisited
+What is copyrightable?
+
+ The GNU GPL is a copyright license, and thus only covers copyrighted works
+ Not everything is copyrightable (German: Schoepfungshoehe)
+ Small bugfixes are not copyrightable (similar to typo-fixes in a book)
+ As soon as the programmer has a choice in the implementation, there is significant indication of a copyrightable work
+ Choice in algorithm, not in formal representation
+ Apparently, the level for copyrightable works is relatively low
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+The GNU GPL Revisited
+Terminology
+
+ Public Domain
+ concept where copyright holder abandons all rights
+ same legal status as works where author has died 70 years ago (German: Gemeinfreie Werke)
+ Freeware
+ object code, free of cost. No source code
+ Shareware
+ proprietary "Try and Buy" model for object code.
+ Cardware/Beerware/...
+ Freeware that encourages users to send payment in kind
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+The GNU GPL Revisited
+Terminology
+
+ Free Software
+ source code freely distributed
+ must allow redistribution, modification, non-discriminatory use
+ mostly defined by Free Software Foundation
+ Open Source
+ source code freely distributed
+ must allow redistribution, modification, non-discriminatory use
+ defined in the "Open Source Definition" by OSI
+
+ The rest of this document will refer to Free and Open Source Software as FOSS.
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+The GNU GPL Revisited
+Common FOSS licenses
+
+ Original BSD License
+ allows redistribution, modification
+ even allows proprietary extensions with no source code offer
+ all docs, advertisement materials have to mention copyright holder
+ Modified BSD License
+ same as "Original BSD License", but no copyright statements required in docs and advertisements
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+The GNU GPL Revisited
+Common FOSS licenses
+
+ GPL (GNU General Public Liense)
+ allows redistribution, including modified works
+ obliges distributor to supply source code including all modifications
+ usage rights are revoked if license conditions not met
+ LGPL (GNU Library General Public License)
+ explicitly allows linking of proprietary applications
+ written as special case for libraries (such as glibc)
+
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+The GNU GPL Revisited
+The GNU GPL Revisited
+
+Revisiting the GNU General Public License
+
+ Regulates distribution of copyrighted code, not usage
+ Allows distribution of source code and modified source code
+ The license itself is mentioned
+ A copy of the license accompanies every copy
+ Allows distribution of binaries or modified binaries, if
+ The license itself is mentioned
+ A copy of the license accompanies every copy
+ The complete source code is either included with the copy made available to any 3rd party
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+The GNU GPL Revisited
+Complete Source Code
+
+%size 3
+"... complete source code means all the source code for all modules it contains, plus any associated interface definition files, plus the scripts used to control compilation and installation of the executable."
+ Our interpretation of this is:
+ Source Code
+ Makefiles
+ Tools for generating the firmware binary from the source
+ (even if they are technically no 'scripts')
+ General Rule:
+ Intent of License is to enable user to run modified versions of the program. They need to be enabled to do so.
+ Result: Signing binaries and only accepting signed versions without providing a signature key is not acceptable!
+
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+The GNU GPL Revisited
+Derivative Works
+
+ What is a derivative work?
+ Not dependent on any particular kind of technology (static/dynamic linking, dlopen, whatever)
+ Even while the modification can itself be a copyrightable work, the combination with GPL-licensed code is subject to GPL.
+ No precendent in Germany so far
+ As soon as code is written for a specific non-standard API (such as the iptables plugin API), there is significant indication for a derivative work
+ This position has been successfully enforced out-of-court with two Vendors so far (iptables modules/plugins).
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+The GNU GPL Revisited
+Derivative Works
+
+ Position of my lawyer:
+ In-kernel proprietary code (binary kernel modules) are hard to claim GPL compliant
+ Case-by-case analysis required, especially when drivers/filesystems are ported from other OS's.
+
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+The GNU GPL Revisited
+Collected Works
+
+%size 3
+"... it is not the intent .. to claim rights or contest your rights to work written entirely by you; rather, the intent is to exercise the right to control the distribution of derivative or collective works ..."
+%size 3
+"... mere aggregation of another work ... with the program on a volume of a storage or distribution medium does not bring the other work under the scope of this license"
+
+ GPL allows "mere aggregation"
+ like a general-porpose Linux distribution (SuSE, Red Hat, ...)
+
+ GPL disallows "collective works"
+ legal grey area
+ tends to depend a lot on jurisdiction
+ no precendent so far
+
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+The GNU GPL Revisited
+Non-Public modifications
+
+ Non-Public modifications
+ A common misconception is that if you develop code within a corporation, and the code never leaves this corporation, you don't have to ship the source code.
+ However, at least German law would count every distribution beyound a number of close colleague as distribution.
+ Therefore, if you don't go for '3a' and include the source code together with the binary, you have to distribute the source code to any third party.
+ Also, as soon as you hand code between two companies, or between a company and a consultant, the code has been distributed.
+
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+The GNU GPL Revisited
+GPL Violations
+
+ When do I violate the license
+ when one ore more of the obligations are not fulfilled
+
+ What risk do I take if I violate the license?
+ the GPL automatically revokes any usage right
+ any copyright holder can obtain a preliminary injunction banning distribution of the infringing product
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+GNU GPL - Copyright helps Copyleft
+Past GPL enforcement
+
+Past GPL enforcement
+
+ GPL violations are nothing new, as GPL licensed software is nothing new.
+ However, the recent Linux hype made GPL licensed software used more often
+ The FSF enforces GPL violations of code on which they hold the copyright
+ silently, without public notice
+ in lengthy negotiations
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+GNU GPL - Copyright helps Copyleft
+The Linksys case
+
+
+ During 2003 the "Linksys" case drew a lot of attention
+ Linksys was selling 802.11 WLAN Acces Ponts / Routers
+ Lots of GPL licensed software embedded in the device (included Linux, uClibc, busybox, iptables, ...)
+ FSF led alliance took the usual "quiet" approach
+ Linksys bought it self a lot of time
+ Some source code ws released two months later
+ About four months later, full GPL compliance was achieved
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+GNU GPL - Copyright helps Copyleft
+The Linksys case
+
+
+ Some developers didn't agree with this approach
+ not enough publicity
+ violators don't loose anything by first not complying and wait for the FSF
+ four months delay is too much for low product lifecycles in WLAN world
+ The netfilter/iptables project started to do their own enforcement in more cases that were coming up
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+GNU GPL - Copyright helps Copyleft
+Enforcement case timeline
+
+
+ In chronological order
+ some user sends us a note he found our code somewhere
+ reverse engineering of firmware images
+ sending the infringing organization a warning notice
+ wait for them to sign a statement to cease and desist
+ if no statement is signed
+ contract technical expert to do a stdudy
+ apply for a preliminary injunction
+ if statement was signed
+ try to work out the details
+ grace period for boxes in stock possible
+ try to indicate that a donation would be good PR
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+GNU GPL - Copyright helps Copyleft
+Sucess so far
+
+
+ Success so far
+ amicable agreements with a number of companies
+ some of which made significant donations to charitable organizations of the free software community
+ preliminary injunction against Sitecom, Sitecom also lost appeals case
+ more settled cases (not public yet)
+ negotiating in more cases
+ public awareness
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+GPL enforcement report
+Cases so far
+
+ Allnet GmbH
+ Siemens AG
+ Fujitsu-Siemens Computers GmbH
+ Axis A.B.
+ Securepoint GmbH
+ U.S.Robotics Germany GmbH
+ undisclosed large vendor
+ Belkin Compnents GmbH
+ Asus GmbH
+ Gateprotect GmbH
+ Sitecom GmbH
+ TomTom B.V.
+ Gigabyte Technologies GmbH
+ D-Link GmbH
+ Sun Deutschland GmbH
+ Open-E GmbH
+
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+GNU GPL - Copyright helps Copyleft
+Future GPL Enforcement
+
+GPL Enforcement
+ remains an important issue for Free Software
+ will start to happen within the court
+ has to be made public in order to raise awareness
+
+Problems
+ only the copyright holder (in most cases the author) can do it
+ users discovering GPL'd software need to communicate those issues to all copyright holders
+
+The http://www.gpl-violations.org/ project was started
+ as a platform wher users can report alleged violations
+ to verify those violations and inform all copyright holders
+ to inform the public about ongoing enforcement efforts
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+GNU GPL - Copyright helps Copyleft
+Make later enforcement easy
+
+ Practical rules for proof by reverse engineering
+ Don't fix typos in error messages and symbol names
+ Leave obscure error messages like 'Rusty needs more caffeine'
+ Make binary contain string of copyright message, not only source
+ Practical rules for potential damages claims
+ Use revision control system
+ Document source of each copyrightable contribution
+ Name+Email address in CVS commit message
+ Consider something like FSFE FLA (Fiduciary License Agreement)
+ Make sure that employers are fine with contributions of their employees
+ If you find out about violation
+ Don't make it public (has to be new/urgent for injunctive relief)
+ Contact lawyer immediately to send wanrning notice
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+GNU GPL - Copyright helps Copyleft
+Thanks
+
+ Thanks to
+ Alan Cox, Alexey Kuznetsov, David Miller, Andi Kleen
+ for implementing (one of?) the world's best TCP/IP stacks
+ Paul 'Rusty' Russell
+ for starting the netfilter/iptables project
+ for trusting me to maintain it today
+ Astaro AG
+ for sponsoring parts of my netfilter work
+ Free Software Foundation
+ for the GNU Project
+ for the GNU General Public License
+%size 3
+ The slides of this presentation are available at http://www.gnumonks.org/
+
+ Further Reading
+%size 3
+ The netfilter homepage http://www.netfilter.org/
+%size 3
+ The http://www.gpl-violations.org/ project
+
+
diff --git a/2004/gpl-ccc2004/gpl-ccc2004.xml b/2004/gpl-ccc2004/gpl-ccc2004.xml
new file mode 100644
index 0000000..3265e48
--- /dev/null
+++ b/2004/gpl-ccc2004/gpl-ccc2004.xml
@@ -0,0 +1,280 @@
+<?xml version='1.0' encoding='ISO-8859-1'?>
+
+<!DOCTYPE article PUBLIC '-//OASIS//DTD DocBook XML V4.3//EN' 'http://www.docbook.org/xml/4.3/docbookx.dtd'>
+
+<article id="gpl-enforcement-ccc2004">
+
+<articleinfo>
+ <title>Enforcing the GNU GPL - Copyright helps Copyleft</title>
+ <authorgroup>
+ <author>
+ <personname>
+ <firstname>Harald</firstname>
+ <surname>Welte</surname>
+ </personname>
+ <!--
+ <personblurb>Harald Welte</personblurb>
+ <affiliation>
+ <orgname>netfilter core team</orgname>
+ <address>
+ <email>laforge@netfilter.org</email>
+ </address>
+ </affiliation>
+
+ -->
+ <email>laforge@gpl-violations.org</email>
+ </author>
+ </authorgroup>
+ <copyright>
+ <year>2004</year>
+ <holder>Harald Welte &lt;laforge@gpl-violations.org&gt; </holder>
+ </copyright>
+ <date>Dec 01, 2004</date>
+ <edition>1</edition>
+ <orgname>netfilter core team</orgname>
+ <releaseinfo>
+ $Revision: 1.4 $
+ </releaseinfo>
+
+ <abstract>
+ <para>
+More and more vendors of various computing devices, especially network-related
+appliances such as Routers, NAT-Gateways and 802.11 Access Points are using
+Linux and other GPL licensed free software in their products.
+ </para>
+ <para>
+While the Linux community can look at this as a big success, there is a back
+side of that coin: A large number of those vendors have no idea about the GPL
+license terms, and as a result do not fulfill their obligations under the GPL.
+ </para>
+ <para>
+The netfilter/iptables project has started legal proceedngs against a number of
+companies in violation of the GPL since December 2003. Those legal proceedings
+were quite successful so far, resulting in twelve amicable agreements and one
+granted preliminary injunction. The list of companies includes large
+corporations such as Siemens, Asus and Belkin.
+ </para>
+ <para>
+This paper and the corresponding presentation will give an overview about the
+author's recent successful enforcement of the GNU GPL within German
+jurisdiction.
+ </para>
+ <para>
+The paper will go on describing what exactly is neccessarry to fully comply
+with the GPL, including the author's legal position on corner cases such as
+cryptographic signing.
+ </para>
+ <para>
+In the end, it seems like the idea of the founding fathers of the GNU GPL
+works: Guaranteeing Copyleft by using Copyright.
+ </para>
+ </abstract>
+
+</articleinfo>
+
+
+<section>
+<title>Legal Disclaimer</title>
+<para>
+The author of this paper is a software developer, not a lawyer. The content of
+this paper represents his knowledge after dealing with the legal issues of
+about 20 gpl violation cases.
+</para>
+<para>
+All information in this paper is presented on a nas-is basis. There is no
+warranty for correctness.
+</para>
+<para>
+The paper does not comprise legal advise, and any details might be coupled to German copyright law (UrhG)
+</para>
+</section>
+
+<section>
+<title>What is copyrightable</title>
+<para>
+Since the GNU GPL is a copyright license, it can only cover copyrightable
+works. The exact definition of what is copyrightable and what not might vary
+from legislation to legislation.
+</para>
+<para>
+Software is considered the immaterial result of a creative act, and is treated
+very much like literary works. It might therefore be applicable to look at the
+analogy of a printed book.
+</para>
+<para>
+In order for a work to be copyrightable, it has to be non-trivial (German:
+Sch&ouml;pfungsh&ouml;he). Much like a lector of a book, anybody who just
+corrects spelling mistakes, compiler warnings, or even functional fixes such as
+fixing a signedness bug or a typecast are unlikely to be seen as a
+copyrightable contribution to an existing work.
+</para>
+<para>
+An indication for copyrightability can be the question: Did the author have a
+choice (i.e. between different algorithms)? As soon as there are multiple ways
+of getting a particular job done, and the author has to make decisions on which
+way to go, this is an indication for copyrightability.
+</para>
+</section>
+
+<section>
+<title>The GNU GPL revisited</title>
+<para>
+As a copyright license, the GNU GPL mainly regulates distribution of a
+copyrighted work, not usage. To the opposite, the GNU GPL does not allow an
+author to make any additional restrictions like <quote>must not be used for
+military purpose</quote>.
+</para>
+<para>
+As a summary, the license allows distribution of the source code (including
+modifications, if any) if
+<itemizedlist>
+<listitem>The GPL license itself is mentioned</listitem>
+<listitem>A copy of the full license text accompanies every copy</listitem>
+</itemizedlist>
+</para>
+<para>
+The GPL allows distribution of the object code (including modifications) if
+<itemizedlist>
+<listitem>The GPL license itself is mentioned</listitem>
+<listitem>A copy of the full license text accompanies every copy</listitem>
+<listitem>The <quote>complete corresponding source code</quote> or a written offer to ship it to any third party is included with every copy</listitem>
+</itemizedlist>
+</para>
+</section>
+
+<section>
+<title>Complete Source Code</title>
+<para>
+The GPL contains a very specific definition of what the term <quote>full source
+code</quote> actually means in practise:
+</para>
+<quote><para>
+... complete source code means all the source code for all modules it contains,
+plus any associated interface definition files, plus the scripts used to
+control compilation and installation of the executable.
+</para></quote>
+<para>
+The interpretation of the paper's author of this (for C programs) is:
+<itemizedlist>
+<listitem>source code</listitem>
+<listitem>Header Files</listitem>
+<listitem>Makefiles</listitem>
+<listitem>Tools for installation of a modified binary, even if they are not technically implemented as scripts</listitem>
+</itemizedlist>
+<para>
+The general rule in case of any question is the intent of the license: To
+enable the user to modify the source code and run modified versions.
+</para>
+<para>
+This brings us to the conclusion that in case of a bundle of hardware and
+software, the hardware can not be implemented in a way to only accept
+cryptographically signed software, without providing either the original key,
+or the option of setting a new key in the hardware.
+</para>
+</section>
+
+
+<section>
+<title>Derivative Work</title>
+<para>
+The question of derivative works is probably the hardest question with regard
+to the GPL. According to the license text, any derivative work can only be
+distributed under the GPL, too. However, the definition of a derivative work
+is left to the legal framework of copyright.
+</para>
+<para>
+The paper's author is convinced that any court decision would not look at the
+particular technology used to integrate multiple software parts. It is much
+more a question of how much dependency there is between the two pieces.
+</para>
+<para>
+If a program is written against a specific non-standard API, this can be
+considered as an indication for a derivative work. If a program is written
+against standard APIs, and the GPL licensed parts that provide those APIs can
+be easily exchanged with other [existing] implementations, then it can be considered as indication for no derivative work.
+</para>
+<para>
+Unfortunately there is no precedent on this issue, so it's up to the first
+court decisions on the issue of derivative works to determine.
+</para>
+</section>
+
+<section>
+<title>Collective Works</title>
+<para>
+<quote>... it is not the intent ... to claim rights or contest your rights to work written entirely by you; rather, the intent is to excercise the right to control the distribution of derivative or collective works ...</quote>
+</para>
+<para>
+<quote>... mere aggregation of another work ... with the program on a volume of a storage or distribution medium does not bring the other work under the scope of this license</quote>
+</para>
+<para>
+So the GPL allows <quote>mere aggregation</quote>, which is what e.g. the
+GNU/Linux distributors like RedHat or SuSE do, when they ship GPL-licensed
+programs together with a proprietary Macromedia Flash player on one CD- or
+DVD-Medium.
+</para>
+<para>
+Further research is required to determine what exactly would be a collective
+work, and how far this is backed by copyright law.
+</para>
+</section>
+
+<section>
+<title>Non-Public Modifications</title>
+<para>
+Since the GPL regulates distribution and not use, any modifications that are
+not distributed in any form do not require offering the source code.
+</para>
+<para>
+Special emphasis has to be given on when distribution happens within the legal
+context.
+</para>
+Undoubtedly, as soon as you distribute modifications to a third party, such as
+a contractor or another company, you are bound by the GPL to either include the
+full source code, or a written offer. Please note that if you don't include
+the source code at any given time, the written offer must be available to any third party!
+</para>
+<para>
+Interestingly, at least in German copyright law, distribution can also happen
+within an organization. Apparently, as soon as a copy is distributed to a
+group larger than a small number of close colleagues whom you know personally,
+distribution happens - and thus the obligations of the GPL apply.
+</para>
+</section>
+
+<section>
+<title>GPL Violations</title>
+<para>
+The GPL is violated as soon as one or more of the obligations are not fulfilled.</para>
+<para>
+For this case, the GPL automatically revokes any right, even the usage right on
+the original unmodified code. So not only the distribution is infringing, also the mere use is no longer permitted.
+</para>
+<para>
+This very strong provision is quite common in copyright licenses, especially in
+the world of proprietary software.
+</para>
+</section>
+
+<section>
+<title>Past GPL Enforcement</title>
+</section>
+
+<section>
+<title>The Linksys Case</title>
+</section>
+
+<section>
+<title>Enforcement Case Timeline</title>
+</section>
+
+<section>
+<title>Success so far</title>
+</section>
+
+<section>
+<title>Future GPL Enforcement</title>
+</section>
+
+</article>
+
diff --git a/2004/gpl-ccc2004/short-abstract b/2004/gpl-ccc2004/short-abstract
new file mode 100644
index 0000000..e0aa9b4
--- /dev/null
+++ b/2004/gpl-ccc2004/short-abstract
@@ -0,0 +1,4 @@
+Linux is used more and more, especially in the embedded market. Unfortunately,
+a number of vendors do not comply with the GNU GPL. The author has enforced
+the GPL numerous times in and out of court, and will talk about his experience.
+
diff --git a/2004/gpl-lb2004/abstract b/2004/gpl-lb2004/abstract
new file mode 100644
index 0000000..99f5002
--- /dev/null
+++ b/2004/gpl-lb2004/abstract
@@ -0,0 +1,22 @@
+More and more vendors of various computing devices, especially network-related
+appliances such as Routers, NAT-Gateways and 802.11 Access Points are using
+Linux and other GPL licensed free software in their products.
+
+While the Linux community can look at this as a big success, there is a back
+side of that coin: A large number of those vendors have a lack of knowledge
+about the GPL license terms, and as a result do not fulfill their obligations
+under the GPL.
+
+GPL-licensed software is neither freeware nor public domain, and it is
+important to know this before you build products on GPL-based software.
+
+The author of this presentation is a developer of GPL-licensed software. He
+has legally enforced the GPL in more than 15 cases internationally. This was
+not avoidable, since the respective businesses either didn't know what the GPL
+means, or maybe even didn't care.
+
+The presentation tries to resolve the misunderstandings and rumours about the
+GNU General Public License. Afterwards, everybody in the audience should have
+a clear idea about the implications of using GPL licensed software in
+commercial projects.
+
diff --git a/2004/gpl-lb2004/gpl-lb2004.mgp b/2004/gpl-lb2004/gpl-lb2004.mgp
new file mode 100644
index 0000000..803ca48
--- /dev/null
+++ b/2004/gpl-lb2004/gpl-lb2004.mgp
@@ -0,0 +1,406 @@
+%include "default.mgp"
+%default 1 bgrad
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+%nodefault
+%back "blue"
+
+%center
+%size 7
+
+
+The GPL is not Public Domain
+
+
+%center
+%size 4
+by
+
+Harald Welte <laforge@hmw-consulting.de>
+
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+The GNU GPL Revisited
+Contents 1/2
+
+
+ Introduction
+ What is Copyrightable?
+ Terminology
+ Common FOSS Licenses
+ The GNU GPL Revisited
+ Complete Source Code
+ Derivative Works
+ Non-Public Modifications
+ GPL Violations
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+GNU GPL - Copyright helps Copyleft
+Contents 2/2
+
+
+ Past GPL Enforcement
+ The Linksys case
+ Typical enforcement timeline
+ Success so far
+ Cases so far
+ Future GPL Enforcement
+ Thanks
+
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+The GNU GPL Revisited
+Introduction
+
+
+Who is speaking to you?
+ an independent Free Software developer
+ who earns his living off Free Software since 1997
+ who is one of the authors of the Linux kernel firewall system called netfilter/iptables
+ who IS NOT A LAWYER, although this presentation is the result of dealing almost a year with lawyers on the subject of the GPL
+
+Why is he speaking to you?
+ because he thinks there is too much confusion about copyright and free software licenses. Even Red Hat CEO Matt Szulik stated in an interview that RedHat puts investments into 'public domain' :(
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+The GNU GPL Revisited
+Disclaimer
+
+Legal Disclaimer
+
+ All information presented here is provided on an as-is basis
+ There is no warranty for correctness of legal information
+ The author is not a lawyer
+ This does not comprise legal advise
+ The authors experience is limited to German copyright law
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+The GNU GPL Revisited
+What is copyrightable?
+
+ The GNU GPL is a copyright license, and thus only covers copyrighted works
+ Not everything is copyrightable (German: Schoepfungshoehe)
+ Small bugfixes are not copyrightable (similar to typo-fixes in a book)
+ As soon as the programmer has a choice in the implementation, there is significant indication of a copyrightable work
+ Choice in algorithm, not in formal representation
+ Apparently, the level for copyrightable works is relatively low
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+The GNU GPL Revisited
+Terminology
+
+ Public Domain
+ concept where copyright holder abandons all rights
+ same legal status as works where author has died 70 years ago (German: Gemeinfreie Werke)
+ Freeware
+ object code, free of cost. No source code
+ Shareware
+ proprietary "Try and Buy" model for object code.
+ Cardware/Beerware/...
+ Freeware that encourages users to send payment in kind
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+The GNU GPL Revisited
+Terminology
+
+ Free Software
+ source code freely distributed
+ must allow redistribution, modification, non-discriminatory use
+ mostly defined by Free Software Foundation
+ Open Source
+ source code freely distributed
+ must allow redistribution, modification, non-discriminatory use
+ defined in the "Open Source Definition" by OSI
+
+ The rest of this document will refer to Free and Open Source Software as FOSS.
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+The GNU GPL Revisited
+Common FOSS licenses
+
+ Original BSD License
+ allows redistribution, modification
+ even allows proprietary extensions with no source code offer
+ all docs, advertisement materials have to mention copyright holder
+ Modified BSD License
+ same as "Original BSD License", but no copyright statements required in docs and advertisements
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+The GNU GPL Revisited
+Common FOSS licenses
+
+ GPL (GNU General Public Liense)
+ allows redistribution, including modified works
+ obliges distributor to supply source code including all modifications
+ usage rights are revoked if license conditions not met
+ LGPL (GNU Library General Public License)
+ explicitly allows linking of proprietary applications
+ written as special case for libraries (such as glibc)
+
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+The GNU GPL Revisited
+The GNU GPL Revisited
+
+Revisiting the GNU General Public License
+
+ Regulates distribution of copyrighted code, not usage
+ Allows distribution of source code and modified source code
+ The license itself is mentioned
+ A copy of the license accompanies every copy
+ Allows distribution of binaries or modified binaries, if
+ The license itself is mentioned
+ A copy of the license accompanies every copy
+ The complete source code is either included with the copy made available to any 3rd party
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+The GNU GPL Revisited
+Complete Source Code
+
+%size 3
+"... complete source code means all the source code for all modules it contains, plus any associated interface definition files, plus the scripts used to control compilation and installation of the executable."
+ Our interpretation of this is:
+ Source Code
+ Makefiles
+ Tools for generating the firmware binary from the source
+ (even if they are technically no 'scripts')
+ General Rule:
+ Intent of License is to enable user to run modified versions of the program. They need to be enabled to do so.
+ Result: Signing binaries and only accepting signed versions without providing a signature key is not acceptable!
+
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+The GNU GPL Revisited
+Derivative Works
+
+ What is a derivative work?
+ Not dependent on any particular kind of technology (static/dynamic linking, dlopen, whatever)
+ Even while the modification can itself be a copyrightable work, the combination with GPL-licensed code is subject to GPL.
+ No precendent in Germany so far
+ As soon as code is written for a specific non-standard API (such as the iptables plugin API), there is significant indication for a derivative work
+ This position has been successfully enforced out-of-court with two Vendors so far (iptables modules/plugins).
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+The GNU GPL Revisited
+Derivative Works
+
+ Position of my lawyer:
+ In-kernel proprietary code (binary kernel modules) are hard to claim GPL compliant
+ Case-by-case analysis required, especially when drivers/filesystems are ported from other OS's.
+
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+The GNU GPL Revisited
+Collected Works
+
+%size 3
+"... it is not the intent .. to claim rights or contest your rights to work written entirely by you; rather, the intent is to exercise the right to control the distribution of derivative or collective works ..."
+%size 3
+"... mere aggregation of another work ... with the program on a volume of a storage or distribution medium does not bring the other work und the scope of this license"
+
+ GPL allows "mere aggregation"
+ like a general-porpose Linux distribution (SuSE, Red Hat, ...)
+
+ GPL disallows "collective works"
+ legal grey area
+ tends to depend a lot on jurisdiction
+ no precendent so far
+
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+The GNU GPL Revisited
+Non-Public modifications
+
+ Non-Public modifications
+ A common misconception is that if you develop code within a corporation, and the code never leaves this corporation, you don't have to ship the source code.
+ However, at least German law would count every distribution beyound a number of close colleague as distribution.
+ Therefore, if you don't go for '3a' and include the source code together with the binary, you have to distribute the source code to any third party.
+ Also, as soon as you hand code between two companies, or between a company and a consultant, the code has been distributed.
+
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+The GNU GPL Revisited
+GPL Violations
+
+ When do I violate the license
+ when one ore more of the obligations are not fulfilled
+
+ What risk do I take if I violate the license?
+ the GPL automatically revokes any usage right
+ any copyright holder can obtain a preliminary injunction banning distribution of the infringing product
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+GNU GPL - Copyright helps Copyleft
+Past GPL enforcement
+
+Past GPL enforcement
+
+ GPL violations are nothing new, as GPL licensed software is nothing new.
+ However, the recent Linux hype made GPL licensed software used more often
+ The FSF enforces GPL violations of code on which they hold the copyright
+ silently, without public notice
+ in lengthy negotiations
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+GNU GPL - Copyright helps Copyleft
+The Linksys case
+
+
+ During 2003 the "Linksys" case drew a lot of attention
+ Linksys was selling 802.11 WLAN Acces Ponts / Routers
+ Lots of GPL licensed software embedded in the device (included Linux, uClibc, busybox, iptables, ...)
+ FSF led alliance took the usual "quiet" approach
+ Linksys bought it self a lot of time
+ Some source code ws released two months later
+ About four months later, full GPL compliance was achieved
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+GNU GPL - Copyright helps Copyleft
+The Linksys case
+
+
+ Some developers didn't agree with this approach
+ not enough publicity
+ violators don't loose anything by first not complying and wait for the FSF
+ four months delay is too much for low product lifecycles in WLAN world
+ The netfilter/iptables project started to do their own enforcement in more cases that were coming up
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+GNU GPL - Copyright helps Copyleft
+Enforcement case timeline
+
+
+ In chronological order
+ some user sends us a note he found our code somewhere
+ reverse engineering of firmware images
+ sending the infringing organization a warning notice
+ wait for them to sign a statement to cease and desist
+ if no statement is signed
+ contract technical expert to do a stdudy
+ apply for a preliminary injunction
+ if statement was signed
+ try to work out the details
+ grace period for boxes in stock possible
+ try to indicate that a donation would be good PR
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+GNU GPL - Copyright helps Copyleft
+Sucess so far
+
+
+ Success so far
+ amicable agreements with a number of companies
+ some of which made significant donations to charitable organizations of the free software community
+ preliminary injunction against Sitecom, Sitecom also lost appeals case
+ more settled cases (not public yet)
+ negotiating in more cases
+ public awareness
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+GPL enforcement report
+Cases so far
+
+ Allnet GmbH
+ Siemens AG
+ Fujitsu-Siemens Computers GmbH
+ Axis A.B.
+ Securepoint GmbH
+ U.S.Robotics Germany GmbH
+ undisclosed large vendor
+ Belkin Compnents GmbH
+ Asus GmbH
+ Gateprotect GmbH
+ Sitecom GmbH
+ TomTom B.V.
+ Gigabyte Technologies GmbH
+ D-Link GmbH
+ Sun Deutschland GmbH
+ Open-E GmbH
+
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+GNU GPL - Copyright helps Copyleft
+Future GPL Enforcement
+
+GPL Enforcement
+ remains an important issue for Free Software
+ will start to happen within the court
+ has to be made public in order to raise awareness
+
+Problems
+ only the copyright holder (in most cases the author) can do it
+ users discovering GPL'd software need to communicate those issues to all copyright holders
+
+The http://www.gpl-violations.org/ project was started
+ as a platform wher users can report alleged violations
+ to verify those violations and inform all copyright holders
+ to inform the public about ongoing enforcement efforts
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+GNU GPL - Copyright helps Copyleft
+Make later enforcement easy
+
+ Practical rules for proof by reverse engineering
+ Don't fix typos in error messages and symbol names
+ Leave obscure error messages like 'Rusty needs more caffeine'
+ Make binary contain string of copyright message, not only source
+ Practical rules for potential damages claims
+ Use revision control system
+ Document source of each copyrightable contribution
+ Name+Email address in CVS commit message
+ Consider something like FSFE FLA (Fiduciary License Agreement)
+ Make sure that employers are fine with contributions of their employees
+ If you find out about violation
+ Don't make it public (has to be new/urgent for injunctive relief)
+ Contact lawyer immediately to send wanrning notice
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+GNU GPL - Copyright helps Copyleft
+Thanks
+
+ Thanks to
+ Alan Cox, Alexey Kuznetsov, David Miller, Andi Kleen
+ for implementing (one of?) the world's best TCP/IP stacks
+ Paul 'Rusty' Russell
+ for starting the netfilter/iptables project
+ for trusting me to maintain it today
+ Astaro AG
+ for sponsoring parts of my netfilter work
+ Free Software Foundation
+ for the GNU Project
+ for the GNU General Public License
+%size 3
+ The slides of this presentation are available at http://www.gnumonks.org/
+
+ Further Reading
+%size 3
+ The netfilter homepage http://www.netfilter.org/
+%size 3
+ The http://www.gpl-violations.org/ project
+
+
diff --git a/2004/gpl-lk2004/gpl-lk2004.mgp b/2004/gpl-lk2004/gpl-lk2004.mgp
new file mode 100644
index 0000000..82dcc85
--- /dev/null
+++ b/2004/gpl-lk2004/gpl-lk2004.mgp
@@ -0,0 +1,247 @@
+%include "default.mgp"
+%default 1 bgrad
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+%nodefault
+%back "blue"
+
+%center
+%size 7
+
+
+Enforcing the GNU GPL
+Copyright helps Copyleft
+
+
+%center
+%size 4
+by
+
+Harald Welte <laforge@netfilter.org>
+
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+GNU GPL - Copyright helps Copyleft
+Contents
+
+
+ Introduction
+
+ The GNU GPL Revisited
+ Motivations for licensing under the GPL
+ Enforcing the GNU GPL
+
+ Thanks
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+GNU GPL - Copyright helps Copyleft
+Introduction
+
+Who is speaking to you?
+
+ an independent Free Software developer
+ who earns his living off Free Software since 1997
+ who is one of the authors of the linux kernel firewall system called netfilter/iptables
+ who IS NOT A LAWYER, although this presentation is the result of dealing six months with lawyers on the GPL
+
+Why is he speaking to you?
+
+ because he became aware of copyright (copyleft?) infringement and took legal action within German jurisdiction
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+GNU GPL - Copyright helps Copyleft
+What is copyrightable?
+
+ The GNU GPL is a copyright license, and thus only covers copyrighted code
+ Not everything is copyrightable (German: Schoepfungshoehe)
+ Small bugfixes are not copyrightable (similar to typo-fixes in a book)
+ As soon as the programmer has a choice in the implementation, there is significant indication of a copyrightable work
+ Choice in algorithm, not in formal representation.
+ Apparently, the level for copyrightable works is relatively low.
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+GNU GPL - Copyright helps Copyleft
+The GNU GPL Revisited
+
+Revisiting the GNU General Public License
+
+ Regulates distribution of copyrighted code, not usage
+ Allows distribution of source code and modified source code
+ Allows distribution of binaries or modified binaries, if
+ The license itself is mentioned
+ A copy of the license accompanies every copy
+ The complete source code is either
+ included with the copy
+ made available to any 3rd party
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+GNU GPL - Copyright helps Copyleft
+Complete Source Code
+
+
+%size 3
+"... complete source code means all the source code for all modules it contains, plus any associated interface definition files, plus the scripts used to control compilation and installation of the executable."
+
+ Our interpretation of this is:
+ Source Code
+ Makefiles
+ Tools for generating the firmware binary from the source
+ (even if they are technically no 'scripts')
+ General Rule:
+ Intent of License is to enable user to run modified versions of the program. They need to be enabled to do so.
+ Result: Signing binaries and only accepting signed versions without providing a signature key is not acceptable!
+
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+GNU GPL - Copyright helps Copyleft
+Derivative Works
+
+ What is a derivative work?
+ Not dependent on any particular kind of technology (static/dynamic linking, dlopen, whatever)
+ Even while the modification can itself be a copyrightable work, the combination with GPL-licensed code is subject to GPL.
+ No precendent in Germany so far
+ As soon as code is written for a specific non-standard API (such as the iptables plugin API), there is significant indication for a derivative work
+ This position has been successfully enforced out-of-court with two Vendors so far (iptables modules/plugins).
+ Result
+ Position of my lawyers and IBM lawyers:
+ In-kernel proprietary code (binary kernel modules) are not compliant
+ Case-by-case analysis required, especially when drivers/filesystems are ported from other OS's.
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+GNU GPL - Copyright helps Copyleft
+Confusion about the GPL
+
+Unfortunately, the wide misconception about copyright, free software, public
+domain (even the RedHat CEO!) leads to people unknowingly, or even wilfully
+only benefit from the freedom but not fulfill the obligations of the GPL.
+
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+GNU GPL - Copyright helps Copyleft
+Enforcing the GNU GPL
+
+Enforcing the GPL
+ GPL violations are nothing new, as GPL licensed software is nothing new.
+ However, the recent Linux boom
+ The FSF enforces GPL violations of code on which they hold the copyright
+ silently, without public notice
+ in lengthy negotiations
+ During 2003 the "Linksys" case drew a lot of attention
+ Linksys was selling 802.11 WLAN Acces Ponts / Routers
+ Lots of GPL licensed software embedded in the device (included Linux, uClibc, busybox, iptables, ...)
+ FSF led alliance took the 'qiet' approach and it took about four months until the full source code was released
+ Some developers didn't agree with this approach
+ not enough publicity
+ violators don't loose anything by first not complying and wait for the FSF
+ four months delay is too much for low product lifecycles in WLAN world
+ So the netfilter/iptables project started to do their own enforcement in more cases coming up
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+GNU GPL - Copyright helps Copyleft
+Enforcing the GNU GPL
+
+Enforcing the GPL
+ chronological order
+ reverse engineering of firmware images
+ sending the infringing organization a warning notice
+ wait for them to sign a statement to cease and desist
+ applying for a preliminary injunction if they don't (max 4 weeks after reverse engineering)
+
+ Success so far
+ amicable agreement with Asus, Belkin, Allnet, Fujitsu-Siemens, Siemens, Securepoint, U.S. Robotics, ...
+ some of which made significant donations to charitable organizations of the free software community
+ preliminary injunction against Sitecom, Sitecom also lost appeals case
+ more settled cases (not public yet)
+ negotiating in more cases
+ public awareness
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+GNU GPL - Copyright helps Copyleft
+Enforcing the GNU GPL
+
+Enforcing the GPL
+ remains an important issue for Free Software
+ will start to happen within the court
+ has to be made public in order to raise awareness
+
+Problems
+ only the copyright holder (in most cases the author) can do it
+ users discovering GPL'd software need to communicate those issues to all copyright holders
+
+ The http://www.gpl-violations.org/ project was started
+ as a platform wher users can report alleged violations
+ to verify those violations and inform all copyright holders
+ to inform the public about ongoing enforcement efforts
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+GPL enforcement report
+Cases so far
+
+Cases so far
+ Allnet GmbH
+ Siemens AG
+ Fujitsu-Siemens Computers GmbH
+ Axis A.B.
+ Securepoint GmbH
+ U.S.Robotics Germany GmbH
+ undisclosed large vendor
+ Belkin Compnents GmbH
+ Asus GmbH
+ Gateprotect GmbH
+ Sitecom GmbH
+
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+GNU GPL - Copyright helps Copyleft
+How to make later enforcement easy
+
+ Practical rules for proof by reverse engineering
+ Don't fix typos in error messages and symbol names
+ Leave obscure error messages like 'Rusty needs more caffeine'
+ Make binary contain string of copyright message, not only source
+ Practical rules for potential damages claims
+ Use revision control system
+ Document source of each copyrightable contribution
+ Name+Email address in CVS commit message
+ Consider something like FSFE FLA (Fiduciary License Agreement)
+ Make sure that employers are fine with contributions of their employees
+ If you find out about violation
+ Don't make it public (has to be new/urgent for injunctive relief)
+ Contact lawyer immediately to send wanrning notice
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+GNU GPL - Copyright helps Copyleft
+Thanks
+
+ Thanks to
+ Alan Cox, Alexey Kuznetsov, David Miller, Andi Kleen
+ for implementing (one of?) the world's best TCP/IP stacks
+ Paul 'Rusty' Russell
+ for starting the netfilter/iptables project
+ for trusting me to maintain it today
+ Astaro AG
+ for sponsoring parts of my netfilter work
+ Free Software Foundation
+ for the GNU Project
+ for the GNU General Public License
+%size 3
+ The slides of this presentation are available at http://www.gnumonks.org/
+%size 3
+ The netfilter homepage http://www.netfilter.org/
+%size 3
+ The http://www.gpl-violations.org/ project
+
+
diff --git a/2004/gpl-lk2004/gpl-lk2004.pdf b/2004/gpl-lk2004/gpl-lk2004.pdf
new file mode 100644
index 0000000..220da61
--- /dev/null
+++ b/2004/gpl-lk2004/gpl-lk2004.pdf
Binary files differ
diff --git a/2004/gpl-revisited-knf2004/gpl-enforcement-knf2004.mgp b/2004/gpl-revisited-knf2004/gpl-enforcement-knf2004.mgp
new file mode 100644
index 0000000..e9a8414
--- /dev/null
+++ b/2004/gpl-revisited-knf2004/gpl-enforcement-knf2004.mgp
@@ -0,0 +1,227 @@
+%include "default.mgp"
+%default 1 bgrad
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+%nodefault
+%back "blue"
+
+%center
+%size 7
+
+
+Enforcing the GNU GPL
+Copyright helps Copyleft
+
+
+%center
+%size 4
+by
+
+Harald Welte <hwelte@hmw-consulting.de>
+
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+GNU GPL - Copyright helps Copyleft
+Contents
+
+
+ Introduction
+ Past GPL Enforcement
+ The Linksys case
+ Typical enforcement timeline
+ Success so far
+ Cases so far
+ Future GPL Enforcement
+ Thanks
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+GNU GPL - Copyright helps Copyleft
+Introduction
+
+Who is speaking to you?
+
+ an independent Free Software developer
+ who earns his living off Free Software since 1997
+ who is one of the authors of the linux kernel firewall system called netfilter/iptables
+ who IS NOT A LAWYER, although this presentation is the result of dealing six months with lawyers on the GPL
+
+Why is he speaking to you?
+
+ because he became aware of copyright (copyleft?) infringement and took legal action within German jurisdiction
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+GNU GPL - Copyright helps Copyleft
+Past GPL enforcement
+
+Past GPL enforcement
+
+ GPL violations are nothing new, as GPL licensed software is nothing new.
+ However, the recent Linux hype made GPL licensed software used more often
+ The FSF enforces GPL violations of code on which they hold the copyright
+ silently, without public notice
+ in lengthy negotiations
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+GNU GPL - Copyright helps Copyleft
+The Linksys case
+
+
+ During 2003 the "Linksys" case drew a lot of attention
+ Linksys was selling 802.11 WLAN Acces Ponts / Routers
+ Lots of GPL licensed software embedded in the device (included Linux, uClibc, busybox, iptables, ...)
+ FSF led alliance took the usual "quiet" approach
+ Linksys bought it self a lot of time
+ Some source code ws released two months later
+ About four months later, full GPL compliance was achieved
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+GNU GPL - Copyright helps Copyleft
+The Linksys case
+
+
+ Some developers didn't agree with this approach
+ not enough publicity
+ violators don't loose anything by first not complying and wait for the FSF
+ four months delay is too much for low product lifecycles in WLAN world
+ The netfilter/iptables project started to do their own enforcement in more cases that were coming up
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+GNU GPL - Copyright helps Copyleft
+Enforcement case timeline
+
+
+ In chronological order
+ some user sends us a note he found our code somewhere
+ reverse engineering of firmware images
+ sending the infringing organization a warning notice
+ wait for them to sign a statement to cease and desist
+ if no statement is signed
+ contract technical expert to do a stdudy
+ apply for a preliminary injunction
+ if statement was signed
+ try to work out the details
+ grace period for boxes in stock possible
+ try to indicate that a donation would be good PR
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+GNU GPL - Copyright helps Copyleft
+Sucess so far
+
+
+ Success so far
+ amicable agreements with a number of companies
+ some of which made significant donations to charitable organizations of the free software community
+ preliminary injunction against Sitecom, Sitecom also lost appeals case
+ more settled cases (not public yet)
+ negotiating in more cases
+ public awareness
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+GPL enforcement report
+Cases so far (1/2)
+
+ Allnet GmbH
+ Siemens AG
+ Fujitsu-Siemens Computers GmbH
+ Axis A.B.
+ Securepoint GmbH
+ U.S.Robotics Germany GmbH
+ Netgear GmbH
+ Belkin Compnents GmbH
+ Asus GmbH
+ Gateprotect GmbH
+ Sitecom GmbH
+ TomTom B.V.
+ Gigabyte Technologies GmbH
+ D-Link GmbH
+ Sun Deutschland GmbH
+ Open-E GmbH
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+GPL enforcement report
+Cases so far (2/2)
+
+ Siemens AG (second case)
+ Deutsche Telekom AG
+ Hitachi
+ Tecom Inc.
+ ARP Datacon GmbH
+ Conceptronic B.V.
+
+ Total about 30 cases (28 out-of-court, 2 in-court)
+ More pending
+
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+GNU GPL - Copyright helps Copyleft
+Future GPL Enforcement
+
+GPL Enforcement
+ remains an important issue for Free Software
+ will start to happen within the court
+ has to be made public in order to raise awareness
+
+Problems
+ only the copyright holder (in most cases the author) can do it
+ users discovering GPL'd software need to communicate those issues to all copyright holders
+
+The http://www.gpl-violations.org/ project was started
+ as a platform wher users can report alleged violations
+ to verify those violations and inform all copyright holders
+ to inform the public about ongoing enforcement efforts
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+GNU GPL - Copyright helps Copyleft
+Make later enforcement easy
+
+ Practical rules for proof by reverse engineering
+ Don't fix typos in error messages and symbol names
+ Leave obscure error messages like 'Rusty needs more caffeine'
+ Make binary contain string of copyright message, not only source
+ Practical rules for potential damages claims
+ Use revision control system
+ Document source of each copyrightable contribution
+ Name+Email address in CVS commit message
+ Consider something like FSFE FLA (Fiduciary License Agreement)
+ Make sure that employers are fine with contributions of their employees
+ If you find out about violation
+ Don't make it public (has to be new/urgent for injunctive relief)
+ Contact lawyer immediately to send wanrning notice
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+GNU GPL - Copyright helps Copyleft
+Thanks
+
+ Thanks to
+ Alan Cox, Alexey Kuznetsov, David Miller, Andi Kleen
+ for implementing (one of?) the world's best TCP/IP stacks
+ Paul 'Rusty' Russell
+ for starting the netfilter/iptables project
+ for trusting me to maintain it today
+ Astaro AG
+ for sponsoring parts of my netfilter work
+ Free Software Foundation
+ for the GNU Project
+ for the GNU General Public License
+%size 3
+ The slides of this presentation are available at http://www.gnumonks.org/
+
+ Further Reading
+%size 3
+ The netfilter homepage http://www.netfilter.org/
+%size 3
+ The http://www.gpl-violations.org/ project
+
+
diff --git a/2004/gpl-revisited-knf2004/gpl-enforcement-knf2004.pdf b/2004/gpl-revisited-knf2004/gpl-enforcement-knf2004.pdf
new file mode 100644
index 0000000..14a4163
--- /dev/null
+++ b/2004/gpl-revisited-knf2004/gpl-enforcement-knf2004.pdf
Binary files differ
diff --git a/2004/gpl-revisited-knf2004/gpl-revisited-knf2004.mgp b/2004/gpl-revisited-knf2004/gpl-revisited-knf2004.mgp
new file mode 100644
index 0000000..5ef0eb5
--- /dev/null
+++ b/2004/gpl-revisited-knf2004/gpl-revisited-knf2004.mgp
@@ -0,0 +1,260 @@
+%include "default.mgp"
+%default 1 bgrad
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+%nodefault
+%back "blue"
+
+%center
+%size 7
+
+
+The GNU GPL Revisited
+
+
+%center
+%size 4
+by
+
+Harald Welte <laforge@hmw-consulting.de>
+
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+The GNU GPL Revisited
+Contents
+
+
+ Introduction
+ What is Copyrightable?
+ Terminology
+ Common FOSS Licenses
+ The GNU GPL Revisited
+ Complete Source Code
+ Derivative Works
+ Non-Public Modifications
+ GPL Violations
+ Thanks
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+The GNU GPL Revisited
+Introduction
+
+
+Who is speaking to you?
+ an independent Free Software developer
+ who earns his living off Free Software since 1997
+ who is one of the authors of the Linux kernel firewall system called netfilter/iptables
+ who IS NOT A LAWYER, although this presentation is the result of dealing almost a year with lawyers on the subject of the GPL
+
+Why is he speaking to you?
+ because he thinks there is too much confusion about copyright and free software licenses. Even Red Hat CEO Matt Szulik stated in an interview that RedHat puts investments into 'public domain' :(
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+The GNU GPL Revisited
+Disclaimer
+
+Legal Disclaimer
+
+ All information presented here is provided on an as-is basis
+ There is no warranty for correctness of legal information
+ The author is not a lawyer
+ This does not comprise legal advise
+ The authors experience is limited to German copyright law
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+The GNU GPL Revisited
+What is copyrightable?
+
+ The GNU GPL is a copyright license, and thus only covers copyrighted works
+ Not everything is copyrightable (German: Schoepfungshoehe)
+ Small bugfixes are not copyrightable (similar to typo-fixes in a book)
+ As soon as the programmer has a choice in the implementation, there is significant indication of a copyrightable work
+ Choice in algorithm, not in formal representation
+ Apparently, the level for copyrightable works is relatively low
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+The GNU GPL Revisited
+Terminology
+
+ Public Domain
+ concept where copyright holder abandons all rights
+ same legal status as works where author has died 70 years ago (German: Gemeinfreie Werke)
+ Freeware
+ object code, free of cost. No source code
+ Shareware
+ proprietary "Try and Buy" model for object code.
+ Cardware/Beerware/...
+ Freeware that encourages users to send payment in kind
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+The GNU GPL Revisited
+Terminology
+
+ Free Software
+ source code freely distributed
+ must allow redistribution, modification, non-discriminatory use
+ mostly defined by Free Software Foundation
+ Open Source
+ source code freely distributed
+ must allow redistribution, modification, non-discriminatory use
+ defined in the "Open Source Definition" by OSI
+
+ The rest of this document will refer to Free and Open Source Software as FOSS.
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+The GNU GPL Revisited
+Common FOSS licenses
+
+ Original BSD License
+ allows redistribution, modification
+ even allows proprietary extensions with no source code offer
+ all docs, advertisement materials have to mention copyright holder
+ Modified BSD License
+ same as "Original BSD License", but no copyright statements required in docs and advertisements
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+The GNU GPL Revisited
+Common FOSS licenses
+
+ GPL (GNU General Public Liense)
+ allows redistribution, including modified works
+ obliges distributor to supply source code including all modifications
+ usage rights are revoked if license conditions not met
+ LGPL (GNU Library General Public License)
+ explicitly allows linking of proprietary applications
+ written as special case for libraries (such as glibc)
+
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+The GNU GPL Revisited
+The GNU GPL Revisited
+
+Revisiting the GNU General Public License
+
+ Regulates distribution of copyrighted code, not usage
+ Allows distribution of source code and modified source code
+ The license itself is mentioned
+ A copy of the license accompanies every copy
+ Allows distribution of binaries or modified binaries, if
+ The license itself is mentioned
+ A copy of the license accompanies every copy
+ The complete source code is either included with the copy made available to any 3rd party
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+The GNU GPL Revisited
+Complete Source Code
+
+%size 3
+"... complete source code means all the source code for all modules it contains, plus any associated interface definition files, plus the scripts used to control compilation and installation of the executable."
+ Our interpretation of this is:
+ Source Code
+ Makefiles
+ Tools for generating the firmware binary from the source
+ (even if they are technically no 'scripts')
+ General Rule:
+ Intent of License is to enable user to run modified versions of the program. They need to be enabled to do so.
+ Result: Signing binaries and only accepting signed versions without providing a signature key is not acceptable!
+
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+The GNU GPL Revisited
+Derivative Works
+
+ What is a derivative work?
+ Not dependent on any particular kind of technology (static/dynamic linking, dlopen, whatever)
+ Even while the modification can itself be a copyrightable work, the combination with GPL-licensed code is subject to GPL.
+ No precendent in Germany so far
+ As soon as code is written for a specific non-standard API (such as the iptables plugin API), there is significant indication for a derivative work
+ This position has been successfully enforced out-of-court with two Vendors so far (iptables modules/plugins).
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+The GNU GPL Revisited
+Derivative Works
+
+ Position of my lawyer:
+ In-kernel proprietary code (binary kernel modules) are hard to claim GPL compliant
+ Case-by-case analysis required, especially when drivers/filesystems are ported from other OS's.
+
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+The GNU GPL Revisited
+Collected Works
+
+%size 3
+"... it is not the intent .. to claim rights or contest your rights to work written entirely by you; rather, the intent is to exercise the right to control the distribution of derivative or collective works ..."
+%size 3
+"... mere aggregation of another work ... with the program on a volume of a storage or distribution medium does not bring the other work und the scope of this license"
+
+ GPL allows "mere aggregation"
+ like a general-porpose Linux distribution (SuSE, Red Hat, ...)
+
+ GPL disallows "collective works"
+ legal grey area
+ tends to depend a lot on jurisdiction
+ no precendent so far
+
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+The GNU GPL Revisited
+Non-Public modifications
+
+ Non-Public modifications
+ A common misconception is that if you develop code within a corporation, and the code never leaves this corporation, you don't have to ship the source code.
+ However, at least German law would count every distribution beyound a number of close colleague as distribution.
+ Therefore, if you don't go for '3a' and include the source code together with the binary, you have to distribute the source code to any third party.
+ Also, as soon as you hand code between two companies, or between a company and a consultant, the code has been distributed.
+
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+The GNU GPL Revisited
+GPL Violations
+
+ When do I violate the license
+ when one ore more of the obligations are not fulfilled
+
+ What risk do I take if I violate the license?
+ the GPL automatically revokes any usage right
+ any copyright holder can obtain a preliminary injunction banning distribution of the infringing product
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+The GNU GPL Revisited
+Thanks
+
+ Thanks to
+ KNF
+ for first bringing me in contact with linux in 1994
+ Astaro AG
+ for sponsoring most of my netfilter work
+ Free Software Foundation
+ for the GNU Project
+ for the GNU General Public License
+ Dr. Till Jaeger
+ for handling my legal cases
+
+%size 3
+ The slides of this presentation are available at http://www.gnumonks.org/
+
+ Further reading:
+%size 3
+ The netfilter homepage http://www.netfilter.org/
+%size 3
+ The http://www.gpl-violations.org/ project
+%% http://management.itmanagersjournal.com/management/04/05/31/1733229.shtml?tid=85&tid=4
+
+
diff --git a/2004/gpl-revisited-knf2004/gpl-revisited-knf2004.pdf b/2004/gpl-revisited-knf2004/gpl-revisited-knf2004.pdf
new file mode 100644
index 0000000..e2ff923
--- /dev/null
+++ b/2004/gpl-revisited-knf2004/gpl-revisited-knf2004.pdf
Binary files differ
diff --git a/2004/gpl-wos2004/.abstract.swp b/2004/gpl-wos2004/.abstract.swp
new file mode 100644
index 0000000..e69de29
--- /dev/null
+++ b/2004/gpl-wos2004/.abstract.swp
diff --git a/2004/gpl-wos2004/abstract b/2004/gpl-wos2004/abstract
new file mode 100644
index 0000000..57de337
--- /dev/null
+++ b/2004/gpl-wos2004/abstract
@@ -0,0 +1,21 @@
+Enforcing the GNU GPL - Copyright helps Copyleft
+
+More and more vendors of various computing devices, especially network-related
+appliances such as Routers, NAT-Gateways and 802.11 Access Points are using
+Linux and other GPL licensed free software in their products.
+
+While the linux community can look at this as a big success, there is a back
+side of that coin: A large number of those vendors have no idea about the GPL
+license terms, and as a result do not fulfill their obligations under the GPL.
+
+The netfilter/iptables project has started legal proceedngs against a number of
+companies in violation of the GPL since December 2003. Those legal proceedings
+were quite successful so far, resulting in a number of amicable agreements and
+one granted preliminary injunction.
+
+The speaker will present an overview about his recent successful enforcement of
+the GNU GPL within German jurisdiction.
+
+In the end, it seems like the idea of the founding fathers of the GNU GPL
+works: Guaranteeing Copyleft by using Copyright.
+
diff --git a/2004/gpl-wos2004/biography b/2004/gpl-wos2004/biography
new file mode 100644
index 0000000..2399290
--- /dev/null
+++ b/2004/gpl-wos2004/biography
@@ -0,0 +1,25 @@
+ Harald Welte is the chairman of the netfilter/iptables core team.
+
+ His main interest in computing has always been networking. In the few time
+left besides netfilter/iptables related work, he's writing obscure documents
+like the UUCP over SSL HOWTO. Other kernel-related projects he has been
+contributing are user mode linux and the international (crypto) kernel patch.
+
+ He has been working as an independent IT Consultant working on projects for
+various companies ranging from banks to manufacturers of networking gear.
+During the year 2001 he was living in Curitiba (Brazil), where he got
+sponsored for his Linux related work by Conectiva Inc.
+
+ Starting with February 2002, Harald has been contracted part-time by
+<a href="http://www.astaro.com/">Astaro AG</a>, who are sponsoring him for his
+current netfilter/iptables work.
+
+ Aside from the Astaro sponsoring, he continues to work as a freelancing
+kernel developer and network security consultant.
+
+ He licenses his software under the terms of the GNU GPL. He is determined to bring all users, distributors, value added resellers and vendors of netfilter/iptables based products in full compliance with the GPL, even if it includes raising legal charges.
+
+
+ Harald is living in Berlin, Germany.
+
+
diff --git a/2004/gpl-wos2004/gpl-wos2004.mgp b/2004/gpl-wos2004/gpl-wos2004.mgp
new file mode 100644
index 0000000..f818109
--- /dev/null
+++ b/2004/gpl-wos2004/gpl-wos2004.mgp
@@ -0,0 +1,174 @@
+%include "default.mgp"
+%default 1 bgrad
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+%nodefault
+%back "blue"
+
+%center
+%size 7
+
+
+Enforcing the GNU GPL
+Copyright helps Copyleft
+
+
+%center
+%size 4
+by
+
+Harald Welte <laforge@netfilter.org>
+
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+GNU GPL - Copyright helps Copyleft
+Contents
+
+
+ Introduction
+
+ The GNU General Public License
+ Motivations for licensing under the GPL
+ Enforcing the GNU GPL
+
+ Thanks
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+GNU GPL - Copyright helps Copyleft
+Introduction
+
+Who is speaking to you?
+
+ an independent Free Software developer
+ who earns his living off Free Software since 1997
+ who is one of the authors of the linux kernel firewall system called netfilter/iptables
+
+Why is he speaking to you?
+
+ because he became aware of copyright (copyleft?) infringement and took legal action within German jurisdiction
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+GNU GPL - Copyright helps Copyleft
+The GNU General Public License
+
+What is the GNU General Public License?
+
+ A software license issued by the Free Software Foundation, originally meant for their Free Software in the GNU project.
+ The commonly used Version is the GPLv2 from 1991
+ Can be considered as the first 'copyleft' licenses, before the idea of 'free software' spread to 'free content' and other areas.
+ Traditional software licenses are designed to restrict the rights of the user
+ no copying
+ no modificatio
+ no reverse engineering
+ The GPL instead tries to grant fundamental freedoms
+ freedom to run the program
+ freedom to study the program and adapt it (requires source code)
+ freedom to redistribute
+ freedom to improve and publish improvements
+
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+GNU GPL - Copyright helps Copyleft
+The GNU General Public License
+
+But, the GPL does not only grant rights!
+
+ In order to preserve the fundametal freedom, any distribution of a program has to
+ mention that the work is licensed under the GPL
+ include the GPL license text
+ either include the source code, or provide a written offer how to receive a copy of the source code
+
+ Also, any derived work that is being distributed has to
+ make available the source code of the derived work
+
+Unfortunately, the wide misconception about copyright, free software, public
+domain (even the RedHat CEO!) leads to people unknowignly, or even wilfully
+only benefit from the freedom but not fulfill the obligations stated above.
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+GNU GPL - Copyright helps Copyleft
+Enforcing the GNU GPL
+
+Enforcing the GPL
+ GPL violations are nothing new, as GPL licensed software is nothing new.
+ However, the recent Linux boom
+ The FSF enforces GPL violations of code on which they hold the copyright
+ silently, without public notice
+ in lengthy negotiations
+ During 2003 the "Linksys" case drew a lot of attention
+ Linksys was selling 802.11 WLAN Acces Ponts / Routers
+ Lots of GPL licensed software embedded in the device (included Linux, uClibc, busybox, iptables, ...)
+ FSF led alliance took the 'qiet' approach and it took about four months until the full source code was released
+ Some developers didn't agree with this approach
+ not enough publicity
+ violators don't loose anything by first not complying and wait for the FSF
+ four months delay is too much for low product lifecycles in WLAN world
+ So the netfilter/iptables project started to do their own enforcement in more cases coming up
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+GNU GPL - Copyright helps Copyleft
+Enforcing the GNU GPL
+
+Enforcing the GPL
+ chronological order
+ reverse engineering of firmware images
+ sending the infringing organization a warning notice
+ wait for them to sign a statement to cease and desist
+ applying for a preliminary injunction if they don't (max 4 weeks after reverse engineering)
+
+ Success so far
+ amicable agreement with Asus, Belkin, Allnet, Fujitsu-Siemens, Securepoint, U.S.Robotics
+ some of which made significant donations to charitable organizations of the free software community
+ preliminary injunction against Sitecom
+ negotiating in more cases
+ public awareness
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+GNU GPL - Copyright helps Copyleft
+Enforcing the GNU GPL
+
+Enforcing the GPL
+ remains an important issue for Free Software
+ will start to happen within the court
+ has to be made public in order to raise awareness
+
+Problems
+ only the copyright holder (in most cases the author) can do it
+ users discovering GPL'd software need to communicate those issues to all copyright holders
+
+ The http://www.gpl-violations.org/ project was started
+ as a platform wher users can report alleged violations
+ to verify those violations and inform all copyright holders
+ to inform the public about ongoing enforcement efforts
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+GNU GPL - Copyright helps Copyleft
+Thanks
+
+ Thanks to
+ Alan Cox, Alexey Kuznetsov, David Miller, Andi Kleen
+ for implementing (one of?) the world's best TCP/IP stacks
+ Paul 'Rusty' Russell
+ for starting the netfilter/iptables project
+ for trusting me to maintain it today
+ Astaro AG
+ for sponsoring parts of my netfilter work
+ Free Software Foundation
+ for the GNU Project
+ for the GNU General Public License
+%size 3
+ The slides of this presentation are available at http://www.gnumonks.org/
+%size 3
+ The netfilter homepage http://www.netfilter.org/
+%size 3
+ The http://www.gpl-violations.org/ project
+
+
diff --git a/2004/gpl-wos2004/gpl-wos2004.pdf b/2004/gpl-wos2004/gpl-wos2004.pdf
new file mode 100644
index 0000000..2c8863e
--- /dev/null
+++ b/2004/gpl-wos2004/gpl-wos2004.pdf
Binary files differ
diff --git a/2004/linux2.6-networktour-lb2004/abstract b/2004/linux2.6-networktour-lb2004/abstract
new file mode 100644
index 0000000..ae466a0
--- /dev/null
+++ b/2004/linux2.6-networktour-lb2004/abstract
@@ -0,0 +1,4 @@
+Linux based systems are known for performance and realiability in the area of networking. This presentation will give a tour through the Linux 2.6 kernel network stack, it\'s structure and implementation. Some of the topics covered
+are: Network hardware drivers, core network functions, IPv4 protocol stack,
+destination cache, neighbour cache, sockets implementation, zero-copy TCP.
+
diff --git a/2004/linux2.6-networktour-lb2004/linux2.6-networktour-lb2004.mgp b/2004/linux2.6-networktour-lb2004/linux2.6-networktour-lb2004.mgp
new file mode 100644
index 0000000..7c52001
--- /dev/null
+++ b/2004/linux2.6-networktour-lb2004/linux2.6-networktour-lb2004.mgp
@@ -0,0 +1,236 @@
+%include "default.mgp"
+%default 1 bgrad
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+%nodefault
+%back "blue"
+
+
+
+%center
+%size 7
+A tour of the
+Linux 2.6 network stack
+
+
+%center
+%size 4
+by
+
+Harald Welte <laforge@hmw-consulting.de>
+
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+Linux 2.6 Network Tour
+Contents
+
+
+ Introduction
+ Hardirq Context
+ Hard Interrupt Handler
+ Softirq Context
+ Network RX Softirq
+ IPv4 Packet Handler
+ IPv4 Packet Forwarding
+ IPv4 Packet Output
+ Driver TX routine
+
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+Linux 2.6 Network Tour
+Introduction
+
+
+Who is speaking to you?
+ an independent Free Software developer
+ who earns his living off Free Software since 1997
+ who is one of the authors of the Linux kernel firewall system called netfilter/iptables
+
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+Linux 2.6 Network Tour
+Interrupt context
+
+ Also called 'hardirq'
+ Triggered by external interrupt to the cpu
+ Is not reentrant, because the irq is disabled before handler is called
+ Should only do minimum of work and leave as fast as possible
+
+ hardirq handler registered via request_irq()
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+Linux 2.6 Network Tour
+Receive Interrupt
+
+ NIC receives packet for local mac address
+ NIC issues interrupt
+ Interrupt is routed to one CPU
+ Kernel enters hardirq context and disables this irq on local cpu
+ Driver's interrupt handler
+ allocates skb (struct sk_buff)
+ calls net/core/dev.c:netif_rx()
+ return irqreturn_t
+ Kernel leaves hardirq context and reenables this irq
+
+ 2.6.x introduces NAPI for polling at high irq rates: netif_rx_schedule()
+
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+Linux 2.6 Network Tour
+Softirq context
+
+ Softirq is the real workhorse of interrupts
+ Continues work where hardirq has finished
+ Can be interrupted by hardirq context
+ Can run in parallel on any number of CPU's
+
+ softirq handler registered via kernel/softirq.c:open_softirq()
+
+ softirq's need to be 'raised' by raise_softirq() from hardirq
+ softirq's are scheduled
+ after hardirq context exits
+ from softirqd in case there's too much work
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+Linux 2.6 Network Tour
+Network RX Softirq
+
+
+ kernel/softirq.c:do_softirq()
+ generic softirq code
+ net/core/dev.c:net_rx_action()
+ function that is registered at open_softirq() time
+ net/core/dev.c:process_backlog()
+ dequeue skb from local CPU's backlog queue
+ uses a weighting scheme between different devices
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+Linux 2.6 Network Tour
+netif_receive_skb()
+
+
+ net/core/dev.c:netif_receive_skb()
+ main network rx softirq workhorse
+ check if there are any netpoll users, if yes netpoll_rx()
+ if somebody requested skb rx timestamp, net_timestamp()
+ if interface is part of bound group, skb_bound()
+ tc ingress filtering: ing_filter()
+ packet diverter: handle_diverter()
+ bridging handler: net/core/dev.c:handle_bridge()
+ deliver to l3 protocol handler: net/core/dev.c:deliver_skb()
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+Linux 2.6 Network Tour
+IPv4 packet handler
+
+
+ net/ipv4/ip_input.c:ip_rcv()
+ checksum check
+ size check
+ NF_IP_PRE_ROUTING netfilter hook
+ net/ipv4/ip_input.c:ip_rcv_finish()
+ net/ipv4/route.c/ip_route_input()
+ route/dst cache lookup
+ if lookup fails, ip_route_input_slow()
+ fib lookup
+ allocation of new dst_entry / rtable
+ include/net/dst.h:dst_input()
+ iterate over destination stack
+ call destination function of the respective stack items
+
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+Linux 2.6 Network Tour
+IPv4 packet forwarding
+
+
+ net/ipv4/ip_forward.c:ip_forward()
+ xfrm4_policy_check()
+ router alert handling (ip_call_ra_chain)
+ ttl decrement
+ if route is redirect route, ip_rt_send_redirect()
+ call NF_IP_FORWARD netfilter hook
+ net/ipv4/ip_forward.c:ip_forward_finish()
+ increase statistics for snmp mib
+ include/net/dst.h:dst_output()
+ iterate over output functions of dst stack
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+Linux 2.6 Network Tour
+IPv4 packet output
+
+
+ net/ipv4/ip_output.c:ip_output()
+ fragment packet via ip_fragment() if needed
+ net/ipv4/ip_output.c:ip_finish_output()
+ call netfilter NF_IP_POST_ROUTING hook
+ net/ipv4/ip_output.c:ip_finish_output2()
+ attach hardware header
+ call header cache output fn (if neighbour in cache)
+ net/core/dev.c:dev_skb_xmit()
+ or neighbour output function (if neighbour unknown)
+ net/core/neighbour.c:neigh_resolve_output()
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+Linux 2.6 Network Tour
+dev_skb_xmit()
+
+
+ skb->dev->qdisc->enqueue()
+ enqueue into devices output queue
+ default: net/sched/sch_generic.c:pfifo_fast_enqueue()
+ net/sched/sch_generic.c:qdisc_restart():
+ dev->qdisc->dequeue()
+ dequeue skb from queue
+ dev->hard_start_xmit()
+ transmit skb via driver
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+Linux 2.6 Network Tour
+Driver TX Routine
+
+ drivers/net/e1000/e1000_main.c:e1000_xmit_frame()
+ tons of workarounds for chip bugs
+ set up TX DMA descriptor
+ queue TX DMA descriptor to device hardware
+ return NETDEV_TX_OK
+
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+Linux 2.6 Network Tour
+Thanks
+
+ Thanks to
+ Alan Cox, Alexey Kuznetsov, David Miller, Andi Kleen
+ for implementing (one of?) the world's best TCP/IP stacks
+ Paul 'Rusty' Russell
+ for starting the netfilter/iptables project
+ for trusting me to maintain it today
+ Astaro AG
+ for sponsoring parts of my netfilter work
+ Free Software Foundation
+ for the GNU Project
+ for the GNU General Public License
+%size 3
+ The slides of this presentation are available at http://www.gnumonks.org/
+
+ Further Reading
+%size 3
+ The netfilter homepage http://www.netfilter.org/
+%size 3
+ The http://www.gpl-violations.org/ project
+
+
diff --git a/2004/nat-ccc2004/biography b/2004/nat-ccc2004/biography
new file mode 100644
index 0000000..22438a2
--- /dev/null
+++ b/2004/nat-ccc2004/biography
@@ -0,0 +1,24 @@
+ Harald Welte is the chairman of the netfilter/iptables core team.
+
+ His main interest in computing has always been networking. In the few time
+left besides netfilter/iptables related work, he's writing obscure documents
+like the UUCP over SSL HOWTO. Other kernel-related projects he has been
+contributing are user mode linux, the international (crypto) kernel patch, device drivers and the neighbour cache.
+
+ He has been working as an independent IT Consultant working on projects for
+various companies ranging from banks to manufacturers of networking gear.
+During the year 2001 he was living in Curitiba (Brazil), where he got
+sponsored for his Linux related work by Conectiva Inc.
+
+ Starting with February 2002, Harald has been contracted part-time by
+<a href="http://www.astaro.com/">Astaro AG</a>, who are sponsoring him for his
+current netfilter/iptables work.
+
+ Aside from the Astaro sponsoring, he continues to work as a freelancing
+kernel developer and network security consultant.
+
+ He licenses his software under the terms of the GNU GPL. He is determined to bring all users, distributors, value added resellers and vendors of netfilter/iptables based products in full compliance with the GPL, even if it includes raising legal charges.
+
+ Harald is living in Berlin, Germany.
+
+
diff --git a/2004/nat-ccc2004/cfp-reply b/2004/nat-ccc2004/cfp-reply
new file mode 100644
index 0000000..0d3bde3
--- /dev/null
+++ b/2004/nat-ccc2004/cfp-reply
@@ -0,0 +1,53 @@
+21c3-content@cccv.de
+
+ * Name: Full name of speaker
+
+Harald Welte
+
+ * Bio: Short biography of speaker
+
+See Attachment 1
+
+ * Contact: E-Mail, phone, instant messaging etc.
+
+email: laforge@gnumonks.org
+Phone: +49-30-24033902
+Fax: +49-30-24033904
+
+ * Title: Name of event or lecture
+
+The Reality of Network Address Translators
+
+ * Subtitle: Additional title description (a couple of words, optional)
+
+
+ * Abstract: An abstract of the event's content (max. 250 letters)
+
+NAT's are ubiquitous in todays Internet. Unfortunately the IETF missed to
+recognize this reality. Due to this lack of standardizaiton, NAT's pose an
+enormous threat to the paradigm shift from client-server to peer-to-peer. The
+presentation covers proposed solutions.
+
+
+ * Description: A detailed description of the event's content (250 to 500 words)
+
+See Attachment 2
+
+ * Attachments: more information
+ o Links to background information
+
+http://www.potaroo.net/ietf/idref/draft-aoun-nsis-nslp-natfw-migration/
+http://www.ietf.org/internet-drafts/draft-audet-nat-behave-00.txt
+http://www.rnp.br/ietf/internet-drafts/draft-ford-natp2p-00.txt
+http://www.ietf.org/proceedings/03nov/I-D/draft-ietf-mmusic-ice-00.txt
+http://www.ietf.org/internet-drafts/draft-ietf-nsis-nslp-natfw-03.txt
+http://ietfreport.isoc.org/ids/draft-jennings-midcom-stun-results-01.txt
+http://www.ietf.org/internet-drafts/draft-tschofenig-nsis-natfw-security-problems-00.txt
+http://alumnus.caltech.edu/~dank/peer-nat.html
+http://www.faqs.org/rfcs/rfc3489.html
+
+ o Links to information on the lecture itself
+ o Slides, Paper in PDF or other formats
+
+Not yet available.
+
diff --git a/2004/nat-ccc2004/extended-abstract b/2004/nat-ccc2004/extended-abstract
new file mode 100644
index 0000000..de9af12
--- /dev/null
+++ b/2004/nat-ccc2004/extended-abstract
@@ -0,0 +1,34 @@
+The Reality of Network Address Translators
+
+NAT's are ubiquitous in todays Internet, not only built into so-called DSL or
+WLAN Routers within customer premises, but also in the corporate environment.
+
+The dream of an end-to-end transparent network has died one NAT at at time.
+
+Unfortunately the IETF missed to recognize this reality for a long time. This
+means that there are no up-to-date informations (like best current practice
+RFC's) specifying how an implementor should implement Network Address
+Translation. This lack of standardization leads to different NAT behaviour
+from implementor to implementor.
+
+Tradiditonal IP based protocols are built around the client-server paradigm,
+and NAT's are designed for this. However, recently protocols and applications
+based on the peer-to-peer paradigm are becomming more and more common. And
+this is where NAT's become a major problem, especially since they don't expose
+any standardized deterministic behaviour.
+
+Many approaches have been designed, usually with H.323 or SIP as driving force
+behind them. FCP, Midcom, NSIS, STUN - just to name a few examples.
+
+None of them works in all, or even the majority of all cases. In fact the
+author of this presentation believes it is impossible to solve the problem
+without making assumptions on some common behaviour of all NAT implementations.
+
+The recently published draft-audet-nat-behave tries to be a first candidate of
+such a behavioral specification. It is scheduled to evolve into a BCP RFC on
+NAT behaviour in 2005.
+
+The presentation will present the fundamental problem, look at different
+classes of NAT's, their behaviour, and give an overview about the proposed
+solutions.
+
diff --git a/2004/nat-ccc2004/nat-ccc2004.mgp b/2004/nat-ccc2004/nat-ccc2004.mgp
new file mode 100644
index 0000000..78a6cdc
--- /dev/null
+++ b/2004/nat-ccc2004/nat-ccc2004.mgp
@@ -0,0 +1,343 @@
+%include "default.mgp"
+%default 1 bgrad
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+%nodefault
+%back "blue"
+
+%center
+%size 7
+
+
+The reality of
+Network Address Translators
+
+
+%center
+%size 4
+by
+
+Harald Welte <laforge@netfilter.org>
+
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+Reality of NAT
+Contents
+
+
+ RFC3489: STUN
+ RFC3714: IAB problem statement / congestion control
+ RFC3448: TFRC, TFRC-PS
+ DCCP
+ NSIS: GIMPS / NAT NSLP
+ BEHAVE
+
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+Reality of NAT
+NAT Basics
+
+ Network Address Translation is an old technique
+ Widely used throughout the net as a way to cope with address shortage
+ More and more popular with to DSL and cable modem routers
+ Unfortunately not standardized at all
+ NAT itself is not a security technology !!
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+Reality of NAT
+NAT Basics
+
+ What does NAT do?
+ Rewrite addresses of packets as they pass a particular forwarding machine
+
+ What can be translated?
+ Layer 3 (IP) addresses
+ Layer 4 (TCP/UDP/SCTP/...) specific addresses
+ Layer 5+ (e.g. FTP PORT statements)
+
+ Where can it be translated?
+ Traditionally, at a router
+ But also possible on a bridge
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+Reality of NAT
+NAT Configurations
+
+ Source NAT
+ source address of the first packet of a particular connection is changed
+
+ Masquerading
+ special case of Source NAT, most common implementation
+
+ Destination NAT
+ destination address of of the first packet of a particular connection is changed
+ sometimes referred to as 'port mapping' or 'port redirection'
+
+ Bi-NAT
+ 1:1 translation of whole address ranges or networks
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+Reality of NAT
+Why is NAT a nightmare
+
+ NAT might have been a solution 8 years ago
+ However,
+ it is very much designed for the traditional client/server paradigm
+ the Internet sees more advanced applications such as
+ peer-to-peer networks
+ Voice over IP
+ Multimedia streams
+ protocols are getting increasingly complex
+ multiple layer 4 connections comprising one logical connection
+ embedding layer 3/4 addresses in payload leads to ALG requirement
+ direct 'client-to-client' transmission of media streams not possible due to deployment of NAT.
+
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+Reality of NAT
+NAT Basics
+
+ But well, even eight years ago....
+ NATing a FTP connection is a real PITA. Why?
+ First you change the source ip/port of the control connection
+ Then your ftp client sends a PORT command (in ASCII!!!)
+ PORT 123,123,123,123,1,0
+ Then your ftp nat ALG needs to change that to
+ PORT 1,1,1,1,10,10
+ Thus, the resulting string is shorter!
+ therefore you need to mangle every sequence number of each successive packet
+ now think of multiple port commands being issued within a single TCP window and retransmissions
+ if that is not enough, think of SACK
+ Summary
+ It is ugly as hell
+ Difficult to impossible to get right in all cases
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+Reality of NAT
+Why is NAT a nightmare
+
+ Todays NAT's horribly violate the network layering model
+ a NAT (although it operats on a rotuer or bridge) requires knowledge of the application protocols
+ support for every new protocol needs to be added to all NAT's
+ Also, you loose the ability to encrypt the payload
+ SIP can PGP-encrypt SDP.
+ However, port numbers are inside SDP
+ Therefore, if you use crypto, it just can't work
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+Reality of NAT
+Types of NAT (STUN RFC3489)
+
+
+ Full Cone
+ all requests from the same internal IP and port are mapped to the same external IP address and port
+ any external host can send a packet to the internal host by sending a packet to the mapped address
+
+ Restricted Cone
+ all requests from the same internal IP and port are mapped to the same external IP address and port.
+ an external host can send a packet to the internal host only if the internal host had previously ent a packet to that particular external host
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+Reality of NAT
+Types of NAT (STUN RFC3489)
+
+
+ Port Restricted Cone
+ like restricted cone, but includes port numbers
+ an external host can send a packet with source IP X and port P to the internal host only of the internal host had perviously sent a packet to IP address X and port P
+
+ Symmetric
+ all requests from same internal IP address and port to a specifica destination IP and port are mapped to the same external IP and port.
+ if the same host sends a packet with the same source address and port, but to a different estination, a different mapping is used. Only the external host that receives a packet can send a packet back to the external host
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+Reality of NAT
+Types of NAT: draft-audet-nat-behave
+
+ Address and port binding
+ External NAT binding is endpoint independent
+ External NAT binding is endpoint address dependent
+ External NAT binding is endpoint address and port dependent
+
+ Port Assignment
+ Port Preservation
+ Port Overloading
+
+ Bind Refresh Scope
+ Per binding
+ Per session
+ Only outgoing or also incoming?
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+Reality of NAT
+Types of NAT: draft-audet-nat-behave
+
+ Filtering of unsolicited packets
+ External filtering is endpoint independent
+ External filtering is endpoint address dependent
+ External filtering is endpoint address and port dependent
+
+ Hairpinning Behaviour
+ What happens if two endpoints are behind same nat
+
+ Deterministic Properties
+ Chaning over time:
+ Port preservation
+ Port allocation algorithm
+ Address and port binding
+ Filtering
+
+ Multicast Behaviour
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+Reality of NAT
+The IETF and NAT
+
+ The IETF has long ignored the fact that NAT's are commonplace
+ Therefore, there's a lack of standardization in NAT behaviour
+ Furthermore, it is impossible to make a protocol work with all existing NAT's
+ Protocol designers normally don't consider NAT when developing new protocols
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+Reality of NAT
+The IETF and NAT
+
+ SIP was the first IETF protocol that had _serious_ NAT issues
+ Therefore, the SIP working group came up with FCP (Firewall Control Protocol)
+ Later, a new working group 'MIDCOM' was founded
+ MIDCOM took several years but didn't really come up with a solution
+ Now there are dozens of groups publishing papers, drafts and RFC's.
+ Most of them are targeted at UDP-only operation
+ Most of them target consumer side NAT devices
+
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+Reality of NAT
+How to solve the NAT problem?
+
+ At a protocol level
+ designing protocols in a way to operate on most/all NAT's
+ SIP has some extensions for this
+ IPsec also introduced NAT-T to tackle the problem
+ Very difficult because of the number of differnet implementations and lack of standardization
+
+ At a NAT level
+ Making NAT's interoperate with all different kinds of protocols
+ Support operations like hole-punching for UDP and TCP
+ Problematic because of large existing deployment
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+Reality of NAT
+How to solve the NAT problem?
+
+ With a specific NAT configuration protocol
+ FCP
+ MIDCOM
+ GIMPS NSIS NAT NSLP
+ uPnP
+
+ There is no good solution without standardization
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+Reality of NAT
+RFC3489: STUN
+
+RFC3489: STUN (Simple Traversal of UDP Through NAT)
+ Helps endpoints to find out whether they are behind some form of NAT by communication with a host known to have an official IP
+ Tries to create NAT binding(s) on NAT devices
+ allows applications to 'open ports' on the NAT
+ implemented with lots of apps, including gnomemeeting
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+Reality of NAT
+RFC3714
+
+ IAB problem statement about media traffic without congestion control
+ danger of congestion collapse with VoIP / streaming media
+ IETF actions to counter this problem
+ upgrade RTP to make packet loss monitoring a MUST
+ TFRC (TCP Friently Rate Control)
+ TFRC-PS (TCP Friendly Rate Control - Packet Size)
+ DCCP (Datagram Congestion Control Protocol)
+ Adaptive Audio Codecs
+ specified drop rate for mimimum sending rate (tables)
+
+ Result:
+ We'll see new layer four protocols that need NAT, too
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+Reality of NAT
+NSIS WG
+
+ NSIS (Next Step In Signalling) WG:
+ Signalling Transport protocol for Signalling QoS, NAT, Firewalls
+ GIMPS (Generic Internet Messaging Protocol for Signalling)
+ Builds on top of TCP/UDP/SCTP/DCCP
+ can be combined with TLS and IPsec
+ Has Messages with 'Router Alert' that are to be processed by Routers/Firewalls/NATs
+ NAT NSIS Signalling Layer Protocol
+ wants to establish a connection between two ends, any number of Firewalls / NAT's in between
+ draft-aoun-nsis-nslp-natfw-migration-02
+ draft-tschofenig-nsis-natfw-security-problems-00
+ draft-aoun-nsis-nslp-natfw-intrarealm-00.txt
+ draft-martin-nsis-nslp-natfw-sip-00.txt
+ draft-fessi-nsis-natfw-threats-01.txt
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+Reality of NAT
+BEHAVE
+
+ Behave working group
+ Parts of IETF acknowledge NAT is reality
+ Acknowledges lack of standardization
+ wants to provide vendor guidelines for NAT implementation
+ focus on UDP and TCP unicast
+ will adress multicast NAT, too
+ goal: NAT-BEHAVE BCP RFC
+ second document describing protocol design for BEHAVE-compliant NATs
+ current draft:
+ require outbound-only UDP timer refresh
+ strongly discourages port persistency
+ requires no NAT for IPv6
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+Reality of NAT
+Thanks
+
+ Thanks to
+ Alan Cox, Alexey Kuznetsov, David Miller, Andi Kleen
+ for implementing (one of?) the world's best TCP/IP stacks
+ Paul 'Rusty' Russell
+ for starting the netfilter/iptables project
+ for trusting me to maintain it today
+ Astaro AG
+ for sponsoring parts of my netfilter work
+ Free Software Foundation
+ for the GNU Project
+ for the GNU General Public License
+%size 3
+ The slides of this presentation are available at http://www.gnumonks.org/
+
+ Further Reading
+%size 3
+ The netfilter homepage http://www.netfilter.org/
diff --git a/2004/nat-ccc2004/short-abstract b/2004/nat-ccc2004/short-abstract
new file mode 100644
index 0000000..b31c803
--- /dev/null
+++ b/2004/nat-ccc2004/short-abstract
@@ -0,0 +1,5 @@
+NAT's are ubiquitous in todays Internet. Unfortunately the IETF missed to
+recognize this reality. Due to this lack of standardizaiton, NAT's pose an
+enormous threat to the paradigm shift from client-server to peer-to-peer. The
+presentation covers proposed solutions.
+
diff --git a/2004/netfilter-bof-ols2004/netfilter-bof-ols2004.mgp b/2004/netfilter-bof-ols2004/netfilter-bof-ols2004.mgp
new file mode 100644
index 0000000..ccf8ba4
--- /dev/null
+++ b/2004/netfilter-bof-ols2004/netfilter-bof-ols2004.mgp
@@ -0,0 +1,272 @@
+%include "default.mgp"
+%default 1 bgrad
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+%nodefault
+%back "blue"
+
+%center
+%size 7
+
+
+Netfilter BOF
+
+
+
+%center
+%size 4
+by
+
+Harald Welte <laforge@netfilter.org>
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+Netfilter BOF
+Contents
+
+
+ Problems with current 2.4/2.6 netfilter/iptables
+ Solution to code replication
+ Solution for dynamic rulesets
+ Solution for API to GUI's and other management programs
+
+ Other current work
+ nf_conntrack - l3 independent connection tracking
+ ulogd2 - conntrack based flow accounting (ipfix)
+ qsearch - efficient in-kernel pattern matching
+ ctstat - runtime conntrack statistics
+ ipset - replacement for ippool
+ benchmarking at gigagbit wirespeed
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+Netfilter BOF
+Problem with 2.4/2.6 netfilter/iptables
+
+ code replication between iptables/ip6tables/arptables/ebtables
+ iptables was never meant for other protocols, but people did copy+paste 'ports'
+ replication of
+ core kernel code
+ layer 3 independent matches (mac, interface, ...)
+ userspace library (libiptc)
+ userspace tool (iptables)
+ userspace plugins (libipt_xxx.so)
+
+ doesn't suit the needs for dynamically changing rulesets
+ dynamic rulesets becomming more common due (service selection, IDS)
+ a whole table is created in userspace and sent as blob to kernel
+ for every ruleset the table needs to be copied to userspace and back
+ inside kernel consistency checks on whole table, loop detection
+
+%page
+Netfilter BOF
+Problem with 2.4/2.6 netfilter/iptables
+
+ too extensible for writing any forward-compatible GUI
+ new extensions showing up all the time
+ a frontend would need to know about the options and use of a new extension
+ thus frontends are always incomplete and out-of-date
+ no high-level API other than piping to iptables-restore
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+Netfilter BOF
+Reducing code replication
+
+ code replication is a real problem: unclean, bugfixes missed
+ we need layer 3 independent layer for
+ submitting rules to the kernel
+ traversing packet-rulesets supporting match/target modules
+ registering matches/targets
+ layer 3 specific (like matching ipv4 address)
+ layer 3 independent (like matching MAC address)
+
+ solution
+ pkt_tables inside kernel
+ pkt_tables_ipv4 registers layer 3 handler with pkt_tables
+ pkt_tables_ipv6 registers layer 3 handler with pkt_tables
+ everybody registering a pkt_table (like iptable_filter) needs to specify the l3 protocol
+ libraries in userspace (see later)
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+Netfilter BOF
+Supporting dynamic rulesets
+
+ atomic table-replacement turned out to be bad idea
+ need new interface for sending individual rules to kernel
+ policy routing has the same problem and good solution: rtnetlink
+ solution: nfnetlink
+ multicast-netlink based packet-orinented socket between kernel and userspace
+ has extra benefit that other userspace processes get notified of rule changes [just like routing daemons]
+ nfnetlink will be low-layer below all kernel/userspace communication
+ pkttnetlink [aka iptnetlink]
+ ctnetlink
+ ulog
+ ip_queue
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+Netfilter BOF
+Communication with other programs
+
+whole set of libraries
+ libnfnetlink for low-layer communication
+ libpkttnetlink for rule modifications
+ will handle all plugins [which are currently part of iptables]
+ query functions about avaliable matches/targets
+ query functions about parameters
+ query functions for help messages about specific match/parameter of a match
+ generic structure from which rules can be built
+ conversion functions to parse generic structure into in-kernel structure
+ conversion functions to perse kernel structure into generic structure
+ functions to convert generic structure in plain text
+ libipq will stay API-compatible to current version
+ libipulog will stay API-compatible to current version
+ libiptc will go away [compatibility layer extremely difficult]
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+Netfilter BOF
+Optimizing rule load time
+
+ Current situation
+ loading 10,000 rules in 1,000 chains takes about 4 minutes on a PIII 733Mhz
+ this is caused by two bottlenecks
+ loop detection algorithm on kernel side inefficient
+ a couple of O^2 complexity functions in libiptc
+
+ Solution
+ efficient loop detection and mark_source_chains() algorithm (graph coloring)
+ current CVS libiptc with only one O^2 function: 2minutes37
+ whole reimplementation of libiptc needed for removing the last O^2 function
+
+
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+Netfilter BOF
+nf_conntrack
+
+ USAGI did a port of ip_conntrack to ip6_conntrack
+ same code replication we're fighting with ip[6]tables :(
+ netfilter core team had ideas about layer 3 independent conntrack
+ Yasuyuki Kozakai implemented nf_conntrack based on those ideas
+ Implementation is now clean, available from CVS
+ Needs re-sync with all the ip_conntrack changes of the last months
+ Needs support for ipv4 and ipv4<->ipv6 transition NAT
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+Netfilter BOF
+ulogd2
+
+ Linux doesn't currently offer any sane accounting system
+ nacctd - needs all packets via PF_PACKET in userspace
+ ulogd - uses efficient netlink socket, but still packet based
+ Solution: add per-direction packet and byte counters to ip_conntrack
+ combination with ctnetlink delete events
+ needs userspace daemon for further processing
+ is related to what IETF ipfix working group doees
+ Redesign of ulogd to ulogd2:
+ no difference between input and output plugins
+ stack of plugins like: ctnetlink->ipfix
+ other possible stack: ULOG->interpreter->flow_aggregator->mysql
+ implementation on underway, author highly motivated ;)
+
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+Netfilter BOF
+qsearch
+
+ Conntrack helpers (FTP, IRC, ...) often have to do pattern-matching
+ Some people like to employ ipt_string matching
+ This all became more complex through nonlinear/fragmented skb's
+ Solution:
+ Implement a single pattern-matching api to be used from all places
+ Starting point: Rusty's skb_iter() and libqsearch
+ Turns out that libqsearch API needs more work
+ Many similarities to cryptoAPI
+
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+Netfilter BOF
+ctstat
+
+ Martin Josefsson wrote ctstat
+ similar to rtstat of Robert Olsson
+ runtime per-cpu statistics of
+ number of conntracks
+ how many lookups
+ how many found
+ how many new
+ how many invalid packets
+ how many ignored packets
+ how many deleted conntracks
+ how many instered conntrack
+ how many icmp errors
+ how many new expects
+ how many deleted expects
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+Netfilter BOF
+ipset
+
+ Implemented by Jozsef Kadlecsik
+ Efficient way to handle a whole set of addresses in single rule
+ also provides target to add addresses into set
+ currently implemented: ipmap, macipmap, portmap and iphash
+ ipmap uses bitmask where each bit represents one ip address
+ ipmacmap uses memory range with 8 byte per IP/mac
+ portmap uses memory range where each bit represents one port
+ iphash uses fixed size hash (for random adresses)
+
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+Netfilter BOF
+benchmarking at gigagbit wirespeed
+
+ Harald did lots of benchmarking
+ Dual Opteron machines
+ e1000 Gigabit adapters with irq-affinity
+ 2.4.x / 2.6.x kernel, both 32bit and 64bit
+ Results to be published soon
+ Performance problems mostly ip_tables related, not ip_conntrack
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+Netfilter BOF
+Thanks
+
+ Thanks to
+ the BBS scenee, Z-Netz, FIDO, ...
+ for heavily increasing my computer usage in 1992
+ KNF
+ for bringing me in touch with the internet as early as 1994
+ for providing a playground for technical people
+ for introducing me to the existance of Linux!
+ Alan Cox, Alexey Kuznetsov, David Miller, Andi Kleen
+ for implementing (one of?) the world's best TCP/IP stacks
+ Paul 'Rusty' Russell
+ for starting the netfilter/iptables project
+ for trusting me to maintain it today
+ Astaro AG
+ for sponsoring my netfilter failover work
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+HA for netfilter/iptables
+Availability of slides / Links
+
+The slides
+ http://www.gnumonks.org/
+
+The netfilter homepage
+ http://www.netfilter.org/
+
+My Sponsor, Astaro AG
+ http://www.astaro.com/
diff --git a/2004/netfilter-failover-lk2004/netfilter-failover-lk2004.mgp b/2004/netfilter-failover-lk2004/netfilter-failover-lk2004.mgp
new file mode 100644
index 0000000..76a9206
--- /dev/null
+++ b/2004/netfilter-failover-lk2004/netfilter-failover-lk2004.mgp
@@ -0,0 +1,369 @@
+%include "default.mgp"
+%default 1 bgrad
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+%nodefault
+%back "blue"
+
+%center
+%size 7
+
+
+How to replicate the fire
+HA for netfilter-based firewalls
+
+
+%center
+%size 4
+by
+
+Harald Welte <laforge@netfilter.org>
+
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+HA for netfilter/iptables
+Contents
+
+
+ Introduction
+ Connection Tracking Subsystem
+ Packet selection based on IP Tables
+ The Connection Tracking Subsystem
+ The NAT Subsystem
+ Poor man's failover
+ Real state replication
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+HA for netfilter/iptables
+Introduction
+
+What is special about firewall failover?
+
+ Nothing, in case of the stateless packet filter
+ Common IP takeover solutions can be used
+ VRRP
+ Heartbeat
+ Distribution of packet filtering ruleset no problem
+ can be done manually
+ or implemented with simple userspace process
+ Problems arise with stateful packet filters
+ Connection state only on active node
+ NAT mappings only on active node
+
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+HA for netfilter/iptables
+Connection Tracking Subsystem
+
+Connection tracking...
+ enables stateful filtering
+ implementation
+ hooks into netfilter to track packets
+ protocol modules (currently TCP/UDP/ICMP)
+ application helpers currently (FTP,IRC,H.323,talk,SNMP)
+ divides packets in the following four categories
+ NEW - would establish new connection
+ ESTABLISHED - part of already established connection
+ RELATED - is related to established connection
+ INVALID - (multicast, errors...)
+ does _NOT_ filter packets itself
+ can be utilized by iptables using the 'state' match
+ is used by NAT Subsystem
+
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+HA for netfilter/iptables
+Connection Tracking Subsystem
+
+Common structures
+ struct ip_conntrack_tuple, representing unidirectional flow
+ layer 3 src + dst
+ layer 4 protocol
+ layer 4 src + dst
+
+ connections represented as struct ip_conntrack
+ original tuple
+ reply tuple
+ timeout
+ l4 state private data
+ app helper
+ app helper private data
+ expected connections
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+HA for netfilter/iptables
+Connection Tracking Subsystem
+
+Flow of events for new packet
+ packet enters NF_IP_PRE_ROUTING
+ tuple is derived from packet
+ lookup conntrack hash table with hash(tuple) -> fails
+ new ip_conntrack is allocated
+ fill in original and reply == inverted(original) tuple
+ initialize timer
+ assign app helper if applicable
+ see if we've been expected -> fails
+ call layer 4 helper 'new' function
+ ...
+ packet enters NF_IP_POST_ROUTING
+ do hashtable lookup for packet -> fails
+ place struct ip_conntrack in hashtable
+
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+HA for netfilter/iptables
+Connection Tracking Subsystem
+
+Flow of events for packet part of existing connection
+ packet enters NF_IP_PRE_ROUTING
+ tuple is derived from packet
+ lookup conntrack hash table with hash(tuple)
+ associate conntrack entry with skb->nfct
+ call l4 protocol helper 'packet' function
+ do l4 state tracking
+ update timeouts as needed [i.e. TCP TIME_WAIT,...]
+ ...
+ packet enters NF_IP_POST_ROUTING
+ do hashtable lookup for packet -> succeds
+ do nothing else
+
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+HA for netfilter/iptables
+Network Address Translation
+
+Overview
+ Previous Linux Kernels only implemented one special case of NAT: Masquerading
+ Linux 2.4.x can do any kind of NAT.
+ NAT subsystem implemented on top of netfilter, iptables and conntrack
+ NAT subsystem registers with all five netfilter hooks
+ 'nat' Table registers chains PREROUTING, POSTROUTING and OUTPUT
+ Following targets available within 'nat' Table
+ SNAT changes the packet's source while passing NF_IP_POST_ROUTING
+ DNAT changes the packet's destination while passing NF_IP_PRE_ROUTING
+ MASQUERADE is a special case of SNAT
+ REDIRECT is a special case of DNAT
+ NAT bindings determined only for NEW packet and saved in ip_conntrack
+ Further packets within connection NATed according NAT bindings
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+HA for netfilter/iptables
+Poor man's failover
+
+Poor man's failover
+ principle
+ let every node do its own tracking rather than replicating state
+ two possible implementations
+ connect every node to shared media (i.e. real ethernet)
+ forwarding only turned on on active node
+ slave nodes use promiscuous mode to sniff packets
+ copy all traffic to slave nodes
+ active master needs to copy all traffic to other nodes
+ disadvantage: high load, sync traffic == payload traffic
+ IMHO stupid way of solving the problem
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+HA for netfilter/iptables
+Poor man's failover
+
+Poor man's failover
+ advantages
+ very easy implementation
+ only addition of sniffing mode to conntrack needed
+ existing means of address takeover can be used
+ same load on active master and slave nodes
+ no additional load on active master
+ disadvantages
+ can only be used with real shared media (no switches, ...)
+ can not be used with NAT
+ remaining problem
+ no initial state sync after reboot of slave node!
+
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+HA for netfilter/iptables
+Real state replication (ct_sync)
+
+Real state replication (ct_sync)
+ characteristics
+ replicates state changes from active master to slave(s)
+ seperate shared ethernet segment for sync
+ advantages
+ can be used with any network media
+ works with NAT
+ initial sync after new slave is introduced
+ problems
+ complex implementation
+ current limitations
+ no replication of connection relations (ftp/h.323/...)
+ current problems
+ bugs, bugs, bugs
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+HA for netfilter/iptables
+Real state replication (ct_sync)
+
+Required parts
+ state replication protocol
+ multicast based
+ sequence numbers for detection of packet loss
+ NACK-based retransmission
+ no security, since private ethernet segment to be used
+ event interface on active node
+ calling out to callback function at all state changes
+ exported interface to manipulate conntrack hash table
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+HA for netfilter/iptables
+Real state replication (ct_sync)
+
+Required parts
+ kernel thread for sending conntrack state protocol messages
+ registers with event interface
+ creates and accumulates state replication packets
+ sends them via in-kernel sockets api
+ kernel thread for receiving conntrack state replication messages
+ receives state replication packets via in-kernel sockets
+ uses conntrack hashtable manipulation interface
+ kernel thread for initial or full re-sync
+ sends full conntrack table with fixed speed
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+HA for netfilter/iptables
+Real state replication
+
+Flow of events in chronological order:
+ on active node, inside the network RX softirq
+ connection tracking code is analyzing a forwarded packet
+ connection tracking gathers some new state information
+ connection tracking updates local connection tracking database
+ connection tracking sends event message to event API
+ function registered at event API enqueues message to send ring
+ on active node, inside the conntrack-sync kernel thread
+ conntrack sync daemon aggregates multiple event messages into a state replication protocol message, removing possible redundancy
+ conntrack sync daemon dequeues packets from ring
+ conntrack sync daemon sends state replication protocol packet via in-kernel sockets
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+HA for netfilter/iptables
+Real state replication
+
+Flow of events in chronological order:
+ on slave node(s), inside network RX softirq
+ connection tracking code ignores packets coming from the interface attached to the private conntrac sync network
+ state replication protocol messages is appended to socket receive queue of conntrack-sync kernel thread
+ on slave node(s), inside conntrack-sync kernel thread
+ conntrack sync daemon receives state replication message
+ conntrack sync daemon creates/updates conntrack entry
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+HA for netfilter/iptables
+Real state replication
+
+Neccessary changes to conntrack core
+ event generation (callback functions) for all state changes
+ is needed (and already implemented) for 'ctnetlink' API
+ conntrack hashtable manipulation API
+ is needed (and already implemented) for 'ctnetlink' API
+ conntrack exemptions
+ needed to _not_ track conntrack state replication packets
+ is needed for other cases as well (raw table / NOTRACK target)
+ works by
+ layer two packet drop (l2netfilter hooks)
+ disables any incoming or outgoing packets on other than the sync device on slave nodes
+
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+HA for netfilter/iptables
+Usage
+
+To set up a conntrack cluster you need
+
+ hardware
+ two firewalls with identical iptables rulesets
+ all ethernet interfaces (internal, dmz, external) connected to both nodes
+ seperate network segment for conntrack sync device
+ software
+ configure any working ip address range/subnet to sync device
+ assign every node a unique node id (0..255)
+ decide which of the nodes is master, which slave
+
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+HA for netfilter/iptables
+Usage
+
+To set up a conntrack cluster you need
+
+ configuration on master
+ first: modprobe ct_sync syncdev=ethX state=1 id=1 l2drop=1
+ second: configure your 'real' devices (internal, external)
+ configuration on slave
+ modprobe ct_sync syncdev=ethX state=0 id=2 l2drop=1
+ second: configure your 'real' devices (internal, external)
+
+ after loading ct_sync with l2drop=1, a slave node will be invisible on the 'real' networks. ssh access is only possible via sync device
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+HA for netfilter/iptables
+Usage
+
+ Cluster manager
+ set up a cluster manager with some heartbeat mechanism
+ configure it to run the following command on a slave that is to be propagated to master:
+ echo "1" > /proc/net/ct_sync
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+HA for netfilter/iptables
+Thanks
+
+ Thanks to
+ the BBS scenee, Z-Netz, FIDO, ...
+ for heavily increasing my computer usage in 1992
+ KNF
+ for bringing me in touch with the internet as early as 1994
+ for providing a playground for technical people
+ for introducing me to the existance of Linux!
+ Alan Cox, Alexey Kuznetsov, David Miller, Andi Kleen
+ for implementing (one of?) the world's best TCP/IP stacks
+ Paul 'Rusty' Russell
+ for starting the netfilter/iptables project
+ for trusting me to maintain it today
+ Astaro AG
+ for sponsoring my netfilter failover work
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+HA for netfilter/iptables
+Availability of slides / Links
+
+The code
+ http://cvs.netfilter.org/netfilter-ha/ct_sync
+
+The slides
+ http://www.gnumonks.org/
+
+The netfilter homepage
+ http://www.netfilter.org/
+
+Astaro AG
+ http://www.astaro.com/
diff --git a/2004/netfilter-failover-lk2004/netfilter-failover-lk2004.tex b/2004/netfilter-failover-lk2004/netfilter-failover-lk2004.tex
new file mode 100644
index 0000000..d327bac
--- /dev/null
+++ b/2004/netfilter-failover-lk2004/netfilter-failover-lk2004.tex
@@ -0,0 +1,656 @@
+\documentclass[twocolumn,12pt]{article}
+
+\usepackage{alltt}
+
+\usepackage[T1]{fontenc}
+\usepackage[latin1]{inputenc}
+\usepackage{isolatin1}
+\usepackage{latexsym}
+\usepackage{textcomp}
+\usepackage{times}
+\usepackage{url}
+\usepackage[T1,obeyspaces]{zrl}
+
+% "verbatim" with line breaks, obeying spaces
+\providecommand\code{\begingroup \xrlstyle{tt}\Xrl}
+% as above, but okay to break lines at spaces
+\providecommand\brcode{\begingroup \zrlstyle{tt}\Zrl}
+
+% Same as the pair above, but 'l' for long == small type
+\providecommand\lcode{\begingroup \small\xrlstyle{tt}\Xrl}
+\providecommand\lbrcode{\begingroup \small\zrlstyle{tt}\Zrl}
+
+% For identifiers - "verbatim" with line breaks at punctuation
+\providecommand\ident{\begingroup \urlstyle{tt}\Url}
+\providecommand\lident{\begingroup \small\urlstyle{tt}\Url}
+
+
+
+
+\begin{document}
+
+% Required: do not print the date.
+\date{}
+
+\title{\texttt{ct\_sync}: state replication of \texttt{ip\_conntrack}\\
+% {\normalsize Subtitle goes here}
+}
+
+\author{
+Harald Welte \\
+{\em netfilter core team / Astaro AG / hmw-consulting.de}\\
+{\tt\normalsize laforge@gnumonks.org}\\
+% \and
+% Second Author\\
+% {\em Second Institution}\\
+% {\tt\normalsize another@address.for.email.com}\\
+} % end author section
+
+\maketitle
+
+% Required: do not use page numbers on title page.
+\thispagestyle{empty}
+
+\section*{Abstract}
+
+With traditional, stateless firewalling (such as ipfwadm, ipchains)
+there is no need for special HA support in the firewalling
+subsystem. As long as all packet filtering rules and routing table
+entries are configured in exactly the same way, one can use any
+available tool for IP-Address takeover to accomplish the goal of
+failing over from one node to the other.
+
+With Linux 2.4/2.6 netfilter/iptables, the Linux firewalling code
+moves beyond traditional packet filtering. Netfilter provides a
+modular connection tracking susbsystem which can be employed for
+stateful firewalling. The connection tracking subsystem gathers
+information about the state of all current network flows
+(connections). Packet filtering decisions and NAT information is
+associated with this state information.
+
+In a high availability scenario, this connection tracking state needs
+to be replicated from the currently active firewall node to all
+standby slave firewall nodes. Only when all connection tracking state
+is replicated, the slave node will have all necessary state
+information at the time a failover event occurs.
+
+Due to funding by Astaro AG, the netfilter/iptables project now offers
+a \ident{ct_sync} kernel module for replicating connection tracking state
+accross multiple nodes. The presentation will cover the architectural
+design and implementation of the connection tracking failover sytem.
+
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%%% BODY OF PAPER GOES HERE %%%
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+
+\section{Failover of stateless firewalls}
+
+There are no special precautions when installing a highly available
+stateless packet filter. Since there is no state kept, all information
+needed for filtering is the ruleset and the individual, separate packets.
+
+Building a set of highly available stateless packet filters can thus be
+achieved by using any traditional means of IP-address takeover, such
+as Heartbeat or VRRPd.
+
+The only remaining issue is to make sure the firewalling ruleset is
+exactly the same on both machines. This should be ensured by the firewall
+administrator every time he updates the ruleset and can be optionally managed
+by some scripts utilizing scp or rsync.
+
+If this is not applicable, because a very dynamic ruleset is employed, one can
+build a very easy solution using iptables-supplied tools iptables-save and
+iptables-restore. The output of iptables-save can be piped over ssh to
+iptables-restore on a different host.
+
+Limitations
+\begin{itemize}
+\item
+no state tracking
+\item
+not possible in combination with iptables stateful NAT
+\item
+no counter consistency of per-rule packet/byte counters
+\end{itemize}
+
+\section{Failover of stateful firewalls}
+
+Modern firewalls implement state tracking (a.k.a.\ connection tracking) in order
+to keep some state about the currently active sessions. The amount of
+per-connection state kept at the firewall depends on the particular
+configuration and networking protocols used.
+
+As soon as \texttt{any} state is kept at the packet filter, this state
+information needs to be replicated to the slave/backup nodes within the
+failover setup.
+
+Since Linux 2.4.x, all relevant state is kept within the \textit{connection
+tracking subsystem}. In order to understand how this state could possibly be
+replicated, we need to understand the architecture of this conntrack subsystem.
+
+\subsection{Architecture of the Linux Connection Tracking Subsystem}
+
+Connection tracking within Linux is implemented as a netfilter module, called
+\ident{ip_conntrack.o} (\ident{ip_conntrack.ko} in 2.6.x kernels).
+
+Before describing the connection tracking subsystem, we need to describe a
+couple of definitions and primitives used throughout the conntrack code.
+
+A connection is represented within the conntrack subsystem using
+\brcode{struct ip_conntrack}, also called \textit{connection tracking entry}.
+
+Connection tracking is utilizing \textit{conntrack tuples}, which are tuples
+consisting of
+\begin{itemize}
+\item
+ source IP address
+\item
+ source port (or icmp type/code, gre key, ...)
+\item
+ destination IP address
+\item
+ destination port
+\item
+ layer 4 protocol number
+\end{itemize}
+
+A connection is uniquely identified by two tuples: The tuple in the original
+direction (\lident{IP_CT_DIR_ORIGINAL}) and the tuple for the reply direction
+(\lident{IP_CT_DIR_REPLY}).
+
+Connection tracking itself does not drop packets\footnote{well, in some rare
+cases in combination with NAT it needs to drop. But don't tell anyone, this is
+secret.} or impose any policy. It just associates every packet with a
+connection tracking entry, which in turn has a particular state. All other
+kernel code can use this state information\footnote{State information is
+referenced via the \brcode{struct sk_buff.nfct} structure member of a
+packet.}.
+
+\subsubsection{Integration of conntrack with netfilter}
+
+If the \ident{ip_conntrack.[k]o} module is registered with netfilter, it
+attaches to the \lident{NF_IP_PRE_ROUTING}, \lident{NF_IP_POST_ROUTING}, \lident{NF_IP_LOCAL_IN},
+and \lident{NF_IP_LOCAL_OUT} hooks.
+
+Because forwarded packets are the most common case on firewalls, I will only
+describe how connection tracking works for forwarded packets. The two relevant
+hooks for forwarded packets are \lident{NF_IP_PRE_ROUTING} and \lident{NF_IP_POST_ROUTING}.
+
+Every time a packet arrives at the \lident{NF_IP_PRE_ROUTING} hook, connection
+tracking creates a conntrack tuple from the packet. It then compares this
+tuple to the original and reply tuples of all already-seen
+connections
+\footnote{Of course this is not implemented as a linear
+search over all existing connections.} to find out if this
+just-arrived packet belongs to any existing
+connection. If there is no match, a new conntrack table entry
+(\brcode{struct ip_conntrack}) is created.
+
+Let's assume the case where we have already existing connections but are
+starting from scratch.
+
+The first packet comes in, we derive the tuple from the packet headers, look up
+the conntrack hash table, don't find any matching entry. As a result, we
+create a new \brcode{struct ip_conntrack}. This \brcode{struct ip_conntrack} is filled with
+all necessarry data, like the original and reply tuple of the connection.
+How do we know the reply tuple? By inverting the source and destination
+parts of the original tuple.\footnote{So why do we need two tuples, if they can
+be derived from each other? Wait until we discuss NAT.}
+Please note that this new \brcode{struct ip_conntrack} is \textbf{not} yet placed
+into the conntrack hash table.
+
+The packet is now passed on to other callback functions which have registered
+with a lower priority at \lident{NF_IP_PRE_ROUTING}. It then continues traversal of
+the network stack as usual, including all respective netfilter hooks.
+
+If the packet survives (i.e., is not dropped by the routing code, network stack,
+firewall ruleset, \ldots), it re-appears at \lident{NF_IP_POST_ROUTING}. In this case,
+we can now safely assume that this packet will be sent off on the outgoing
+interface, and thus put the connection tracking entry which we created at
+\lident{NF_IP_PRE_ROUTING} into the conntrack hash table. This process is called
+\textit{confirming the conntrack}.
+
+The connection tracking code itself is not monolithic, but consists of a
+couple of separate modules\footnote{They don't actually have to be separate
+kernel modules; e.g.\ TCP, UDP, and ICMP tracking modules are all part of
+the linux kernel module \ident{ip_conntrack.o}.}. Besides the conntrack core,
+there are two important kind of modules: Protocol helpers and application
+helpers.
+
+Protocol helpers implement the layer-4-protocol specific parts. They currently
+exist for TCP, UDP, and ICMP (an experimental helper for GRE exists).
+
+\subsubsection{TCP connection tracking}
+
+As TCP is a connection oriented protocol, it is not very difficult to imagine
+how conntection tracking for this protocol could work. There are well-defined
+state transitions possible, and conntrack can decide which state transitions
+are valid within the TCP specification. In reality it's not all that easy,
+since we cannot assume that all packets that pass the packet filter actually
+arrive at the receiving end\ldots
+
+It is noteworthy that the standard connection tracking code does \textbf{not}
+do TCP sequence number and window tracking. A well-maintained patch to add
+this feature has existed for almost as long as connection tracking itself. It
+will be integrated with the 2.5.x kernel. The problem with window tracking is
+its bad interaction with connection pickup. The TCP conntrack code is able to
+pick up already existing connections, e.g.\ in case your firewall was rebooted.
+However, connection pickup is conflicting with TCP window tracking: The TCP
+window scaling option is only transferred at connection setup time, and we
+don't know about it in case of pickup\ldots
+
+\subsubsection{ICMP tracking}
+
+ICMP is not really a connection oriented protocol. So how is it possible to
+do connection tracking for ICMP?
+
+The ICMP protocol can be split in two groups of messages:
+
+\begin{itemize}
+\item
+ICMP error messages, which sort-of belong to a different connection
+ICMP error messages are associated \textit{RELATED} to a different connection.
+(\lident{ICMP_DEST_UNREACH}, \lident{ICMP_SOURCE_QUENCH},
+\lident{ICMP_TIME_EXCEEDED},
+\lident{ICMP_PARAMETERPROB}, \lident{ICMP_REDIRECT}).
+\item
+ICMP queries, which have a \ident{request-reply} character. So what
+the conntrack
+code does, is let the request have a state of \textit{NEW}, and the reply
+\textit{ESTABLISHED}. The reply closes the connection immediately.
+(\lident{ICMP_ECHO}, \lident{ICMP_TIMESTAMP}, \lident{ICMP_INFO_REQUEST}, \lident{ICMP_ADDRESS})
+\end{itemize}
+
+\subsubsection{UDP connection tracking}
+
+UDP is designed as a connectionless datagram protocol. But most common
+protocols using UDP as layer 4 protocol have bi-directional UDP communication.
+Imagine a DNS query, where the client sends an UDP frame to port 53 of the
+nameserver, and the nameserver sends back a DNS reply packet from its UDP
+port 53 to the client.
+
+Netfilter treats this as a connection. The first packet (the DNS request) is
+assigned a state of \textit{NEW}, because the packet is expected to create a new
+`connection.' The DNS server's reply packet is marked as \textit{ESTABLISHED}.
+
+\subsubsection{conntrack application helpers}
+
+More complex application protocols involving multiple connections need special
+support by a so-called ``conntrack application helper module.'' Modules in
+the stock kernel come for FTP, IRC (DCC), TFTP and Amanda. Netfilter CVS currently contains
+%%% orig: ``tftp ald talk'' -- um, 'tftp and talk'? Yes, that's correct. It refers
+%%% to the talk protocol.
+patches for PPTP, H.323, Eggdrop botnet, mms, DirectX, RTSP and talk/ntalk. We're still lacking
+a lot of protocols (e.g.\ SIP, SMB/CIFS)---but they are unlikely to appear
+until somebody really needs them and either develops them on his own or
+funds development.
+
+\subsubsection{Integration of connection tracking with iptables}
+
+As stated earlier, conntrack doesn't impose any policy on packets. It just
+determines the relation of a packet to already existing connections.
+To base
+packet filtering decision on this state information, the iptables \textit{state}
+match can be used. Every packet is within one of the following categories:
+
+\begin{itemize}
+\item
+\textbf{NEW}: packet would create a new connection, if it survives
+\item
+\textbf{ESTABLISHED}: packet is part of an already established connection
+(either direction)
+\item
+\textbf{RELATED}: packet is in some way related to an already established
+connection, e.g.\ ICMP errors or FTP data sessions
+\item
+\textbf{INVALID}: conntrack is unable to derive conntrack information
+from this packet. Please note that all multicast or broadcast packets
+fall in this category.
+\end{itemize}
+
+
+\subsection{Poor man's conntrack failover}
+
+When thinking about failover of stateful firewalls, one usually thinks about
+replication of state. This presumes that the state is gathered at one
+firewalling node (the currently active node), and replicated to several other
+passive standby nodes. There is, however, a very different approach to
+replication: concurrent state tracking on all firewalling nodes.
+
+While this scheme has not been implemented within \ident{ct_sync}, the author
+still thinks it is worth an explanation in this paper.
+
+The basic assumption of this approach is: In a setup where all firewalling
+%%% deduct or deduce? I'd guess the latter, but I don't know, so I'm
+%%% leaving it...
+nodes receive exactly the same traffic, all nodes will deduct the same state
+information.
+
+The implementability of this approach is totally dependent on fulfillment of
+this assumption.
+
+\begin{itemize}
+\item
+\textit{All packets need to be seen by all nodes}. This is not always true, but
+can be achieved by using shared media like traditional ethernet (no switches!!)
+and promiscuous mode on all ethernet interfaces.
+\item
+\textit{All nodes need to be able to process all packets}. This cannot be
+universally guaranteed. Even if the hardware (CPU, RAM, Chipset, NICs) and
+software (Linux kernel) are exactly the same, they might behave different,
+especially under high load. To avoid those effects, the hardware should be
+able to deal with way more traffic than seen during operation. Also, there
+should be no userspace processes (like proxies, etc.) running on the firewalling
+nodes at all. WARNING: Nobody guarantees this behaviour. However, the poor
+man is usually not interested in scientific proof but in usability in his
+particular practical setup.
+\end{itemize}
+
+However, even if those conditions are fulfilled, there are remaining issues:
+\begin{itemize}
+\item
+\textit{No resynchronization after reboot}. If a node is rebooted (because of
+a hardware fault, software bug, software update, etc.) it will lose all state
+information until the event of the reboot. This means, the state information
+of this node after reboot will not contain any old state, gathered before the
+reboot. The effects depend on the traffic. Generally, it is only assured that
+state information about all connections initiated after the reboot will be
+present. If there are short-lived connections (like http), the state
+information on the just rebooted node will approximate the state information of
+an older node. Only after all sessions active at the time of reboot have
+terminated, state information is guaranteed to be resynchronized.
+\item
+\textit{Only possible with shared medium}. The practical implication is that no
+switched ethernet (and thus no full duplex) can be used.
+\end{itemize}
+
+The major advantage of the poor man's approach is implementation simplicity.
+No state transfer mechanism needs to be developed. Only very little changes
+to the existing conntrack code would be needed in order to be able to
+do tracking based on packets received from promiscuous interfaces. The active
+node would have packet forwarding turned on, the passive nodes, off.
+
+I'm not proposing this as a real solution to the failover problem. It's
+hackish, buggy, and likely to break very easily. But considering it can be
+implemented in very little programming time, it could be an option for very
+small installations with low reliability criteria.
+
+\subsection{Conntrack state replication}
+
+The preferred solution to the failover problem is, without any doubt,
+replication of the connection tracking state.
+
+The proposed conntrack state replication soltution consists of several
+parts:
+\begin{itemize}
+\item
+A connection tracking state replication protocol
+\item
+An event interface generating event messages as soon as state information
+changes on the active node
+\item
+An interface for explicit generation of connection tracking table entries on
+the standby slaves
+\item
+Some code (preferrably a kernel thread) running on the active node, receiving
+state updates by the event interface and generating conntrack state replication
+protocol messages
+\item
+Some code (preferrably a kernel thread) running on the slave node(s), receiving
+conntrack state replication protocol messages and updating the local conntrack
+table accordingly
+\end{itemize}
+
+Flow of events in chronological order:
+\begin{itemize}
+\item
+\textit{on active node, inside the network RX softirq}
+\begin{itemize}
+\item
+ \ident{ip_conntrack} analyzes a forwarded packet
+\item
+ \ident{ip_conntrack} gathers some new state information
+\item
+ \ident{ip_conntrack} updates conntrack hash table
+\item
+ \ident{ip_conntrack} calls event API
+\item
+ function registered to event API builds and enqueues message to send ring
+\end{itemize}
+\item
+\textit{on active node, inside the conntrack-sync sender kernel thread}
+ \begin{itemize}
+ \item
+ \ident{ct_sync_send} aggregates multiple messages into one packet
+ \item
+ \ident{ct_sync_send} dequeues packet from ring
+ \item
+ \ident{ct_sync_send} sends packet via in-kernel sockets API
+ \end{itemize}
+\item
+\textit{on slave node(s), inside network RX softirq}
+ \begin{itemize}
+ \item
+ \ident{ip_conntrack} ignores packets coming from the \ident{ct_sync} interface via NOTRACK mechanism
+ \item
+ UDP stack appends packet to socket receive queue of \ident{ct_sync_recv} kernel thread
+ \end{itemize}
+\item
+\textit{on slave node(s), inside conntrack-sync receive kernel thread}
+ \begin{itemize}
+ \item
+ \ident{ct_sync_recv} thread receives state replication packet
+ \item
+ \ident{ct_sync_recv} thread parses packet into individual messages
+ \item
+ \ident{ct_sync_recv} thread creates/updates local \ident{ip_conntrack} entry
+ \end{itemize}
+\end{itemize}
+
+
+\subsubsection{Connection tracking state replication protocol}
+
+
+ In order to be able to replicate the state between two or more firewalls, a
+state replication protocol is needed. This protocol is used over a private
+network segment shared by all nodes for state replication. It is designed to
+work over IP unicast and IP multicast transport. IP unicast will be used for
+direct point-to-point communication between one active firewall and one
+standby firewall. IP multicast will be used when the state needs to be
+replicated to more than one standby firewall.
+
+
+ The principal design criteria of this protocol are:
+\begin{itemize}
+\item
+ \textbf{reliable against data loss}, as the underlying UDP layer only
+ provides checksumming against data corruption, but doesn't employ any
+ means against data loss
+\item
+ \textbf{lightweight}, since generating the state update messages is
+ already a very expensive process for the sender, eating additional CPU,
+ memory, and IO bandwith.
+\item
+ \textbf{easy to parse}, to minimize overhead at the receiver(s)
+\end{itemize}
+
+The protocol does not employ any security mechanism like encryption,
+authentication, or reliability against spoofing attacks. It is
+assumed that the private conntrack sync network is a secure communications
+channel, not accessible to any malicious third party.
+
+To achieve the reliability against data loss, an easy sequence numbering
+scheme is used. All protocol messages are prefixed by a sequence number,
+determined by the sender. If the slave detects packet loss by discontinuous
+sequence numbers, it can request the retransmission of the missing packets
+by stating the missing sequence number(s). Since there is no acknowledgement
+for sucessfully received packets, the sender has to keep a
+reasonably-sized\footnote{\textit{reasonable size} must be large enough for the
+round-trip time between master and slowest slave.} backlog of recently-sent
+packets in order to be able to fulfill retransmission
+requests.
+
+The different state replication protocol packet types are:
+\begin{itemize}
+\item
+\textbf{\ident{CT_SYNC_PKT_MASTER_ANNOUNCE}}: A new master announces itself.
+Any still existing master will downgrade itself to slave upon
+reception of this packet.
+\item
+\textbf{\ident{CT_SYNC_PKT_SLAVE_INITSYNC}}: A slave requests initial
+synchronization from the master (after reboot or loss of sync).
+\item
+\textbf{\ident{CT_SYNC_PKT_SYNC}}: A packet containing synchronization data
+from master to slaves
+\item
+\textbf{\ident{CT_SYNC_PKT_NACK}}: A slave indicates packet loss of a
+particular sequence number
+\end{itemize}
+
+The messages within a \lident{CT_SYNC_PKT_SYNC} packet always refer to a particular
+\textit{resource} (currently \lident{CT_SYNC_RES_CONNTRACK} and \lident{CT_SYNC_RES_EXPECT},
+although support for the latter has not been fully implemented yet).
+
+For every resource, there are several message types. So far, only
+\lident{CT_SYNC_MSG_UPDATE} and \lident{CT_SYNC_MSG_DELETE} have been implemented. This
+means a new connection as well as state changes to an existing connection will
+always be encapsulated in a \lident{CT_SYNC_MSG_UDPATE} message and therefore contain
+the full conntrack entry.
+
+To uniquely identify (and later reference) a conntrack entry, the only unique
+criteria is used: \ident{ip_conntrack_tuple}.
+
+\subsubsection{\texttt{ct\_sync} sender thread}
+
+Maximum care needs to be taken for the implementation of the ctsyncd sender.
+
+The normal workload of the active firewall node is likely to be already very
+high, so generating and sending the conntrack state replication messages needs
+to be highly efficient.
+
+It was therefore decided to use a pre-allocated ringbuffer for outbound
+\ident{ct_sync} packets. New messages are appended to individual buffers in this
+ring, and pointers into this ring are passed to the in-kernel sockets API to
+ensure a minimum number of copies and memory allocations.
+
+\subsubsection{\texttt{ct\_sync} initsync sender thread}
+
+In order to facilitate ongoing state synchronization at the same time as
+responding to initial sync requests of an individual slave, the sender has a
+separate kernel thread for initial state synchronization (and \ident{ct_sync_initsync}).
+
+At the moment it iterates over the state table and transmits packets with a
+fixed rate of about 1000 packets per second, resulting in about 4000
+connections per second, averaging to about 1.5 Mbps of bandwith consumed.
+
+The speed of this initial sync should be configurable by the system
+administrator, especially since there is no flow control mechanism, and the
+slave node(s) will have to deal with the packets or otherwise lose sync again.
+
+This is certainly an area of future improvement and development---but first we
+want to see practical problems with this primitive scheme.
+
+\subsubsection{\texttt{ct\_sync} receiver thread}
+
+Implementation of the receiver is very straightforward.
+
+For performance reasons, and to facilitate code-reuse, the receiver uses the
+same pre-allocated ring buffer structure as the sender. Incoming packets are
+written into ring members and then successively parsed into their individual
+messages.
+
+Apart from dealing with lost packets, it just needs to call the
+respective conntrack add/modify/delete functions.
+
+\subsubsection{Necessary changes within netfilter conntrack core}
+
+To be able to achieve the described conntrack state replication mechanism,
+the following changes to the conntrack core were implemented:
+\begin{itemize}
+\item
+ Ability to exclude certain packets from being tracked. This was a
+ long-wanted feature on the TODO list of the netfilter project and is
+ implemented by having a ``raw'' table in combination with a
+ ``NOTRACK'' target.
+\item
+ Ability to register callback functions to be called every time a new
+ conntrack entry is created or an existing entry modified. This is
+ part of the nfnetlink-ctnetlink patch, since the ctnetlink event
+ interface also uses this API.
+\item
+ Export an API to externally add, modify, and remove conntrack entries.
+\end{itemize}
+
+Since the number of changes is very low, their inclusion into the mainline
+kernel is not a problem and can happen during the 2.6.x stable kernel series.
+
+
+\subsubsection{Layer 2 dropping and \texttt{ct\_sync}}
+
+In most cases, netfilter/iptables-based firewalls will not only function as
+packet filter but also run local processes such as proxies, dns relays, smtp
+relays, etc.
+
+In order to minimize failover time, it is helpful if the full startup and
+configuration of all network interfaces and all of those userspace processes
+can happen at system bootup time rather then in the instance of a failover.
+
+l2drop provides a convenient way for this goal: It hooks into layer 2
+netfilter hooks (immediately attached to \ident{netif_rx()} and
+\ident{dev_queue_xmit}) and blocks all incoming and outgoing network packets at this
+very low layer. Even kernel-generated messages such as ARP replies, IPv6
+neighbour discovery, IGMP, \dots are blocked this way.
+
+Of course there has to be an exemption for the state synchronization messages
+themselves. In order to still facilitate remote administration via SSH and
+other communication between the cluster nodes, the whole network
+interface used for synchronization is subject to this exemption from
+l2drop.
+
+As soon as a node is propagated to master state, l2drop is disabled and the
+system becomes visible to the network.
+
+
+\subsubsection{Configuration}
+
+All configuration happens via module parameters.
+
+\begin{itemize}
+\item
+ \texttt{syncdev}: Name of the multicast-capable network device
+ used for state synchronization among the nodes
+\item
+ \texttt{state}: Initial state of the node (0=slave, 1=master)
+\item
+ \texttt{id}: Unique Node ID (0..255)
+\item
+ \texttt{l2drop}: Enable (1) or disable (0) the l2drop functionality
+\end{itemize}
+
+\subsubsection{Interfacing with the cluster manager}
+
+As indicated in the beginning of this paper, \ident{ct_sync} itself does not provide
+any mechanism to determine outage of the master node within a cluster. This
+job is left to a cluster manager software running in userspace.
+
+Once an outage of the master is detected, the cluster manager needs to elect
+one of the remaining (slave) nodes to become new master. On this elected node,
+the cluster manager will write the ascii character \texttt{1} into the
+\ident{/proc/net/ct_sync} file. Reading from this file will return the current state
+of the local node.
+
+\section{Acknowledgements}
+
+The author would like to thank his fellow netfilter developers for their
+help. Particularly important to \ident{ct_sync} is Krisztian KOVACS
+\ident{<hidden@balabit.hu>}, who did a proof-of-concept implementation based on my
+first paper on \ident{ct_sync} at OLS2002.
+
+Without the financial support of Astaro AG, I would not have been able to spend any
+time on \ident{ct_sync} at all.
+
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\end{document}
+
diff --git a/2004/netfilter-failover-lk2004/zrl.sty b/2004/netfilter-failover-lk2004/zrl.sty
new file mode 100644
index 0000000..fb97b03
--- /dev/null
+++ b/2004/netfilter-failover-lk2004/zrl.sty
@@ -0,0 +1,432 @@
+
+%%%%% This file is a kludge until such time as I learn to do it elegantly. Sorry.
+%% url - external. Intended for items which do not contain spaces, and
+%% containing global options for obeying & breaking at spaces. But
+%% we need to do change those things on the fly, so we're making a copy
+%% of url.sty and defining two extra groups, zrl and xrl, that
+%% permit handling these options on the fly.
+
+%% Thus you can mix url without obeyspaces and/or spaces with the following:
+%% zrl - url with obeyspaces,spaces turned on
+%% xrl - url with obeyspaces turned on
+
+% zrl.sty ver 1.4 02-Mar-1999 Donald Arseneau asnd@triumf.ca
+% Copyright 1996-1999 Donald Arseneau, Vancouver, Canada.
+% This program can be used, distributed, and modified under the terms
+% of the LaTeX Project Public License.
+%
+% A form of \verb that allows linebreaks at certain characters or
+% combinations of characters, accepts reconfiguration, and can usually
+% be used in the argument to another command. It is intended for email
+% addresses, hypertext links, directories/paths, etc., which normally
+% have no spaces. The font may be selected using the \zrlstyle command,
+% and new zrl-like commands can be defined using \zrldef.
+%
+% Usage: Conditions:
+% \zrl{ } If the argument contains any "%", "#", or "^^", or ends with
+% "\", it can't be used in the argument to another command.
+% The argument must not contain unbalanced braces.
+% \zrl| | ...where "|" is any character not used in the argument and not
+% "{" or a space. The same restrictions as above except that the
+% argument may contain unbalanced braces.
+% \xyz for "\xyz" a defined-zrl; this can be used anywhere, no matter
+% what characters it contains.
+%
+% See further instructions after "\endinput"
+%
+\def\Zrl@ttdo{% style assignments for tt fonts or T1 encoding
+\def\ZrlBreaks{\do\.\do\@\do\\\do\/\do\!\do\_\do\|\do\%\do\;\do\>\do\]%
+ \do\)\do\,\do\?\do\'\do\+\do\=}%
+\def\ZrlBigBreaks{\do\:\do@zrl@hyp}%
+\def\ZrlNoBreaks{\do\(\do\[\do\{\do\<}% (unnecessary)
+\def\ZrlSpecials{\do\ {\ }}%
+\def\ZrlOrds{\do\*\do\-\do\~}% any ordinary characters that aren't usually
+}
+
+\def\Xrl@ttdo{% style assignments for tt fonts or T1 encoding
+\def\XrlBreaks{\do\.\do\@\do\\\do\/\do\!\do\_\do\|\do\%\do\;\do\>\do\]%
+ \do\)\do\,\do\?\do\'\do\+\do\=}%
+\def\XrlBigBreaks{\do\:\do@xrl@hyp}%
+\def\XrlNoBreaks{\do\(\do\[\do\{\do\<}% (unnecessary)
+\def\XrlSpecials{\do\ {\ }}%
+\def\XrlOrds{\do\*\do\-\do\~}% any ordinary characters that aren't usually
+}
+
+\def\Zrl@do{% style assignments for OT1 fonts except tt
+\def\ZrlBreaks{\do\.\do\@\do\/\do\!\do\%\do\;\do\]\do\)\do\,\do\?\do\+\do\=}%
+\def\ZrlBigBreaks{\do\:\do@zrl@hyp}%
+\def\ZrlNoBreaks{\do\(\do\[\do\{}% prevents breaks after *next* character
+\def\ZrlSpecials{\do\<{\langle}\do\>{\mathbin{\rangle}}\do\_{\_%
+ \penalty\@m}\do\|{\mid}\do\{{\lbrace}\do\}{\mathbin{\rbrace}}\do
+ \\{\mathbin{\backslash}}\do\~{\raise.6ex\hbox{\m@th$\scriptstyle\sim$}}\do
+ \ {\ }}%
+\def\ZrlOrds{\do\'\do\"\do\-}%
+}
+\def\Xrl@do{% style assignments for OT1 fonts except tt
+\def\XrlBreaks{\do\.\do\@\do\/\do\!\do\%\do\;\do\]\do\)\do\,\do\?\do\+\do\=}%
+\def\XrlBigBreaks{\do\:\do@xrl@hyp}%
+\def\XrlNoBreaks{\do\(\do\[\do\{}% prevents breaks after *next* character
+\def\XrlSpecials{\do\<{\langle}\do\>{\mathbin{\rangle}}\do\_{\_%
+ \penalty\@m}\do\|{\mid}\do\{{\lbrace}\do\}{\mathbin{\rbrace}}\do
+ \\{\mathbin{\backslash}}\do\~{\raise.6ex\hbox{\m@th$\scriptstyle\sim$}}\do
+ \ {\ }}%
+\def\XrlOrds{\do\'\do\"\do\-}%
+}
+
+
+\def\zrl@ttstyle{%
+\@ifundefined{selectfont}{\def\ZrlFont{\tt}}{\def\ZrlFont{\ttfamily}}\Zrl@ttdo
+}
+\def\xrl@ttstyle{%
+\@ifundefined{selectfont}{\def\XrlFont{\tt}}{\def\XrlFont{\ttfamily}}\Xrl@ttdo
+}
+
+
+\def\zrl@rmstyle{%
+\@ifundefined{selectfont}{\def\ZrlFont{\rm}}{\def\ZrlFont{\rmfamily}}\Zrl@do
+}
+\def\xrl@rmstyle{%
+\@ifundefined{selectfont}{\def\XrlFont{\rm}}{\def\XrlFont{\rmfamily}}\Xrl@do
+}
+
+
+\def\zrl@sfstyle{%
+\@ifundefined{selectfont}{\def\ZrlFont{\sf}}{\def\ZrlFont{\sffamily}}\Zrl@do
+}
+\def\xrl@sfstyle{%
+\@ifundefined{selectfont}{\def\XrlFont{\sf}}{\def\XrlFont{\sffamily}}\Xrl@do
+}
+
+
+\def\zrl@samestyle{\ifdim\fontdimen\thr@@\font=\z@ \zrl@ttstyle \else
+ \zrl@rmstyle \fi \def\ZrlFont{}}
+\def\xrl@samestyle{\ifdim\fontdimen\thr@@\font=\z@ \xrl@ttstyle \else
+ \xrl@rmstyle \fi \def\XrlFont{}}
+
+\@ifundefined{strip@prefix}{\def\strip@prefix#1>{}}{}
+\@ifundefined{verbatim@nolig@list}{\def\verbatim@nolig@list{\do\`}}{}
+
+\def\Zrl{%
+ \begingroup \let\zrl@moving\relax\relax \endgroup
+ \ifmmode\@nomatherr$\fi
+ \ZrlFont $\fam\z@ \textfont\z@\font
+ \let\do\@makeother \dospecials % verbatim catcodes
+ \catcode`{\@ne \catcode`}\tw@ \catcode`\ 10 % except braces and spaces
+ \medmuskip0mu \thickmuskip\medmuskip \thinmuskip\medmuskip
+ \@tempcnta\fam\multiply\@tempcnta\@cclvi
+ \let\do\set@mathcode \ZrlOrds % ordinary characters that were special
+ \advance\@tempcnta 8192 \ZrlBreaks % bin
+ \advance\@tempcnta 4096 \ZrlBigBreaks % rel
+ \advance\@tempcnta 4096 \ZrlNoBreaks % open
+ \let\do\set@mathact \ZrlSpecials % active
+ \let\do\set@mathnolig \verbatim@nolig@list % prevent ligatures
+ \@ifnextchar\bgroup\Zrl@z\Zrl@y}
+
+\def\Zrl@y#1{\catcode`{11 \catcode`}11
+ \def\@tempa##1#1{\Zrl@z{##1}}\@tempa}
+\def\Zrl@z#1{\def\@tempa{#1}\expandafter\expandafter\expandafter\Zrl@Hook
+ \expandafter\strip@prefix\meaning\@tempa\ZrlRight\m@th$\endgroup}
+\def\Zrl@Hook{\ZrlLeft}
+\let\ZrlRight\@empty
+\let\ZrlLeft\@empty
+
+\def\Xrl{%
+ \begingroup \let\xrl@moving\relax\relax \endgroup
+ \ifmmode\@nomatherr$\fi
+ \XrlFont $\fam\z@ \textfont\z@\font
+ \let\do\@makeother \dospecials % verbatim catcodes
+ \catcode`{\@ne \catcode`}\tw@ \catcode`\ 10 % except braces and spaces
+ \medmuskip0mu \thickmuskip\medmuskip \thinmuskip\medmuskip
+ \@tempcnta\fam\multiply\@tempcnta\@cclvi
+ \let\do\set@mathcode \XrlOrds % ordinary characters that were special
+ \advance\@tempcnta 8192 \XrlBreaks % bin
+ \advance\@tempcnta 4096 \XrlBigBreaks % rel
+ \advance\@tempcnta 4096 \XrlNoBreaks % open
+ \let\do\set@mathact \XrlSpecials % active
+ \let\do\set@mathnolig \verbatim@nolig@list % prevent ligatures
+ \@ifnextchar\bgroup\Xrl@z\Xrl@y}
+
+\def\Xrl@y#1{\catcode`{11 \catcode`}11
+ \def\@tempa##1#1{\Xrl@z{##1}}\@tempa}
+\def\Xrl@z#1{\def\@tempa{#1}\expandafter\expandafter\expandafter\Xrl@Hook
+ \expandafter\strip@prefix\meaning\@tempa\XrlRight\m@th$\endgroup}
+\def\Xrl@Hook{\XrlLeft}
+\let\XrlRight\@empty
+\let\XrlLeft\@empty
+
+
+\def\set@mathcode#1{\count@`#1\advance\count@\@tempcnta\mathcode`#1\count@}
+\def\set@mathact#1#2{\mathcode`#132768 \lccode`\~`#1\lowercase{\def~{#2}}}
+\def\set@mathnolig#1{\ifnum\mathcode`#1<32768
+ \lccode`\~`#1\lowercase{\edef~{\mathchar\number\mathcode`#1_{\/}}}%
+ \mathcode`#132768 \fi}
+
+\def\zrldef#1#2{\begingroup \setbox\z@\hbox\bgroup
+ \def\Zrl@z{\Zrl@def{#1}{#2}}#2}
+\expandafter\ifx\csname DeclareRobustCommand\endcsname\relax
+ \def\Zrl@def#1#2#3{\m@th$\endgroup\egroup\endgroup
+ \def#1{#2{#3}}}
+\else
+ \def\Zrl@def#1#2#3{\m@th$\endgroup\egroup\endgroup
+ \DeclareRobustCommand{#1}{#2{#3}}}
+\fi
+
+\def\xrldef#1#2{\begingroup \setbox\z@\hbox\bgroup
+ \def\Xrl@z{\Xrl@def{#1}{#2}}#2}
+\expandafter\ifx\csname DeclareRobustCommand\endcsname\relax
+ \def\Xrl@def#1#2#3{\m@th$\endgroup\egroup\endgroup
+ \def#1{#2{#3}}}
+\else
+ \def\Xrl@def#1#2#3{\m@th$\endgroup\egroup\endgroup
+ \DeclareRobustCommand{#1}{#2{#3}}}
+\fi
+
+\def\zrlstyle#1{\csname zrl@#1style\endcsname}
+\def\xrlstyle#1{\csname xrl@#1style\endcsname}
+
+% Sample (and default) configuration:
+%
+\newcommand\zrl{\begingroup \Zrl}
+\newcommand\xrl{\begingroup \Xrl}
+%
+% picTeX defines \path, so declare it optionally:
+\@ifundefined{path}{\newcommand\path{\begingroup \zrlstyle{tt}\Zrl}}{}
+\@ifundefined{path}{\newcommand\path{\begingroup \xrlstyle{tt}\Xrl}}{}
+%
+% too many styles define \email like \address, so I will not define it.
+% \newcommand\email{\begingroup \zrlstyle{rm}\Zrl}
+
+% Process LaTeX \package options
+%
+\zrlstyle{tt}
+%\let\Zrl@sppen\@M
+\def\do@zrl@hyp{}% by default, no breaks after hyphens
+%%%%%
+\let\Zrl@sppen\relpenalty
+\let\Zrl@Hook\relax
+\xrlstyle{tt}
+\let\Xrl@sppen\@M
+\def\do@xrl@hyp{}% by default, no breaks after hyphens
+\let\Xrl@Hook\relax
+%%%%%
+\@ifundefined{ProvidesPackage}{}{
+ \ProvidesPackage{zrl}[1999/03/02 \space ver 1.4 \space
+ Verb mode for zrls, email addresses, and file names]
+ \DeclareOption{hyphens}{\def\do@zrl@hyp{\do\-}\def\do@xrl@hyp{\do\-}}% allow breaks after hyphens
+ \DeclareOption{obeyspaces}{\let\Zrl@Hook\relax\let\Xrl@Hook\relax}% a flag for later
+ \DeclareOption{spaces}{\let\Zrl@sppen\relpenalty}
+ \DeclareOption{T1}{\let\Zrl@do\Zrl@ttdo\let\Xrl@do\Xrl@ttdo}
+ \ProcessOptions
+\ifx\Zrl@Hook\relax % [obeyspaces] was declared
+ \def\Zrl@Hook#1\ZrlRight\m@th{\edef\@tempa{\noexpand\ZrlLeft
+ \Zrl@retain#1\Zrl@nosp\, }\@tempa\ZrlRight\m@th}
+ \def\Zrl@retain#1 {#1\penalty\Zrl@sppen\ \Zrl@retain}
+ \def\Zrl@nosp\,#1\Zrl@retain{}
+\fi
+\ifx\Xrl@Hook\relax % [obeyspaces] was declared
+ \def\Xrl@Hook#1\XrlRight\m@th{\edef\@tempa{\noexpand\XrlLeft
+ \Xrl@retain#1\Xrl@nosp\, }\@tempa\XrlRight\m@th}
+ \def\Xrl@retain#1 {#1\penalty\Xrl@sppen\ \Xrl@retain}
+ \def\Xrl@nosp\,#1\Xrl@retain{}
+\fi
+}
+
+\edef\zrl@moving{\csname Zrl Error\endcsname}
+\expandafter\edef\zrl@moving
+ {\csname zrl used in a moving argument.\endcsname}
+\expandafter\expandafter\expandafter \let \zrl@moving\undefined
+
+\edef\xrl@moving{\csname Xrl Error\endcsname}
+\expandafter\edef\xrl@moving
+ {\csname xrl used in a moving argument.\endcsname}
+\expandafter\expandafter\expandafter \let \xrl@moving\undefined
+
+\endinput
+%
+% zrl.sty ver 1.4 02-Mar-1999 Donald Arseneau asnd@reg.triumf.ca
+%
+% This package defines "\zrl", a form of "\verb" that allows linebreaks,
+% and can often be used in the argument to another command. It can be
+% configured to print in different formats, and is particularly useful for
+% hypertext links, email addresses, directories/paths, etc. The font may
+% be selected using the "\zrlstyle" command and pre-defined text can be
+% stored with the "\zrldef" command. New zrl-like commands can be defined,
+% and a "\path" command is provided this way.
+%
+% Usage: Conditions:
+% \zrl{ } If the argument contains any "%", "#", or "^^", or ends with
+% "\", it can't be used in the argument to another command.
+% The argument must not contain unbalanced braces.
+% \zrl| | ...where "|" is any character not used in the argument and not
+% "{" or a space. The same restrictions as above except that the
+% argument may contain unbalanced braces.
+% \xyz for "\xyz" a defined-zrl; this can be used anywhere, no matter
+% what characters it contains.
+%
+% The "\zrl" command is fragile, and its argument is likely to be very
+% fragile, but a defined-zrl is robust.
+%
+% Package Option: obeyspaces
+% Ordinarily, all spaces are ignored in the zrl-text. The "[obeyspaces]"
+% option allows spaces, but may introduce spurious spaces when a zrl
+% containing "\" characters is given in the argument to another command.
+% So if you need to obey spaces you can say "\usepackage[obeyspaces]{zrl}",
+% and if you need both spaces and backslashes, use a `defined-zrl' for
+% anything with "\".
+%
+% Package Option: hyphens
+% Ordinarily, breaks are not allowed after "-" characters because this
+% leads to confusion. (Is the "-" part of the address or just a hyphen?)
+% The package option "[hyphens]" allows breaks after explicit hyphen
+% characters. The "\zrl" command will *never ever* hyphenate words.
+%
+% Package Option: spaces
+% Likewise, breaks are not usually allowed after spaces under the
+% "[obeyspaces]" option, but giving the options "[obeyspaces,spaces]"
+% will allow breaks at those spaces.
+%
+% Package Option: T1
+% This signifies that you will be using T1-encoded fonts which contain
+% some characters missing from most older (OT1) encoded TeX fonts. This
+% changes the default definition for "\zrlstyle{rm}".
+%
+% Defining a defined-zrl:
+% Take for example the email address "myself%node@gateway.net" which could
+% not be given (using "\zrl" or "\verb") in a caption or parbox due to the
+% percent sign. This address can be predefined with
+% \zrldef{\myself}\zrl{myself%node@gateway.net} or
+% \zrldef{\myself}\zrl|myself%node@gateway.net|
+% and then you may use "\myself" instead of "\zrl{myself%node@gateway.net}"
+% in an argument, and even in a moving argument like a caption because a
+% defined-zrl is robust.
+%
+% Style:
+% You can switch the style of printing using "\zrlstyle{tt}", where "tt"
+% can be any defined style. The pre-defined styles are "tt", "rm", "sf",
+% and "same" which all allow the same linebreaks but different fonts --
+% the first three select a specific font and the "same" style uses the
+% current text font. You can define your own styles with different fonts
+% and/or line-breaking by following the explanations below. The "\zrl"
+% command follows whatever the currently-set style dictates.
+%
+% Alternate commands:
+% It may be desireable to have different things treated differently, each
+% in a predefined style; e.g., if you want directory paths to always be
+% in tt and email addresses to be rm, then you would define new zrl-like
+% commands as follows:
+%
+% \newcommand\email{\begingroup \zrlstyle{rm}\Zrl}
+% \newcommand\directory{\begingroup \zrlstyle{tt}\Zrl}
+%
+% You must follow this format closely, and NOTE that the final command is
+% "\Zrl", not "\zrl". In fact, the "\directory" example is exactly the
+% "\path" definition which is pre-defined in the package. If you look
+% above, you will see that "\zrl" is defined with
+% \newcommand\zrl{\begingroup \Zrl}
+% I.e., using whatever zrl-style has been selected.
+%
+% You can make a defined-zrl for these other styles, using the usual
+% "\zrldef" command as in this example:
+%
+% \zrldef{\myself}{\email}{myself%node.domain@gateway.net}
+%
+% which makes "\myself" act like "\email{myself%node.domain@gateway.net}",
+% if the "\email" command is defined as above. The "\myself" command
+% would then be robust.
+%
+% Defining styles:
+% Before describing how to customize the printing style, it is best to
+% mention something about the unusual implementation of "\zrl". Although
+% the material is textual in nature, and the font specification required
+% is a text-font command, the text is actually typeset in *math* mode.
+% This allows the context-sensitive linebreaking, but also accounts for
+% the default behavior of ignoring spaces. Now on to defining styles.
+%
+% To change the font or the list of characters that allow linebreaks, you
+% could redefine the commands "\ZrlFont", "\ZrlBreaks", "\ZrlSpecials" etc.
+% directly in the document, but it is better to define a new `zrl-style'
+% (following the example of "\zrl@ttstyle" and "\zrl@rmstyle") which defines
+% all of "\ZrlBigbreaks", "\ZrlNoBreaks", "\ZrlBreaks", "\ZrlSpecials", and
+% "\ZrlFont".
+%
+% Changing font:
+% The "\ZrlFont" command selects the font. The definition of "\ZrlFont"
+% done by the pre-defined styles varies to cope with a variety of LaTeX
+% font selection schemes, but it could be as simple as "\def\ZrlFont{\tt}".
+% Depending on the font selected, some characters may need to be defined
+% in the "\ZrlSpecials" list because many fonts don't contain all the
+% standard input characters.
+%
+% Changing linebreaks:
+% The list of characters that allow line-breaks is given by "\ZrlBreaks"
+% and "\ZrlBigBreaks", which have the format "\do\c" for character "c".
+% The differences are that `BigBreaks' have a lower penalty and have
+% different breakpoints when in sequence (as in "http://"): `BigBreaks'
+% are treated as mathrels while `Breaks' are mathbins (see The TeXbook,
+% p.170). In particular, a series of `BigBreak' characters will break at
+% the end and only at the end; a series of `Break' characters will break
+% after the first and after every following *pair*; there will be no
+% break after a `Break' character if a `BigBreak' follows. In the case
+% of "http://" it doesn't matter whether ":" is a `Break' or `BigBreak' --
+% the breaks are the same in either case; but for DECnet nodes with "::"
+% it is important to prevent breaks *between* the colons, and that is why
+% colons are `BigBreaks'.
+%
+% It is possible for characters to prevent breaks after the next following
+% character (I use this for parentheses). Specify these in "\ZrlNoBreaks".
+%
+% You can do arbitrarily complex things with characters by making them
+% active in math mode (mathcode hex-8000) and specifying the definition(s)
+% in "\ZrlSpecials". This is used in the rm and sf styles for OT1 font
+% encoding to handle several characters that are not present in those
+% computer-modern style fonts. See the definition of "\Zrl@do", which
+% is used by both "\zrl@rmstyle" and "\zrl@sfstyle"; it handles missing
+% characters via "\ZrlSpecials". The nominal format for setting each
+% special character "c" is: "\do\c{<definition>}", but you can include
+% other definitions too.
+%
+%
+% If all this sounds confusing ... well, it is! But I hope you won't need
+% to redefine breakpoints -- the default assignments seem to work well for
+% a wide variety of applications. If you do need to make changes, you can
+% test for breakpoints using regular math mode and the characters "+=(a".
+%
+% Yet more flexibility:
+% You can also customize the verbatim text by defining "\ZrlRight" and/or
+% "\ZrlLeft", e.g., for ISO formatting of zrls surrounded by "< >", define
+%
+% \renewcommand\zrl{\begingroup \def\ZrlLeft{<zrl: }\def\ZrlRight{>}%
+% \zrlstyle{tt}\Zrl}
+%
+% The meanings of "\ZrlLeft" and "\ZrlRight" are *not* reproduced verbatim.
+% This lets you use formatting commands there, but you must be careful not
+% to use TeX's special characters ("\^_%~#$&{}" etc.) improperly.
+% You can also define "\ZrlLeft" to reprocess the verbatim text, but the
+% format of the definition is special:
+%
+% \def\ZrlLeft#1\ZrlRight{ ... do things with #1 ... }
+%
+% Yes, that is "#1" followed by "\ZrlRight" then the definition. For
+% example, to put a hyperTeX hypertext link in the DVI file:
+%
+% \def\ZrlLeft#1\ZrlRight{\special{html:<a href="#1">}#1\special{html:</a>}}
+%
+% Using this technique, zrl.sty can provide a convenient interface for
+% performing various operations on verbatim text. You don't even need
+% to print out the argument! For greatest efficiency in such obscure
+% applications, you can define a null zrl-style where all the lists like
+% "\ZrlBreaks" are empty.
+%
+% Revision History:
+% ver 1.1 6-Feb-1996:
+% Fix hyphens that wouldn't break and ligatures that weren't suppressed.
+% ver 1.2 19-Oct-1996:
+% Package option for T1 encoding; Hooks: "\ZrlLeft" and "\ZrlRight".
+% ver 1.3 21-Jul-1997:
+% Prohibit spaces as delimiter characters; change ascii tilde in OT1.
+% ver 1.4 02-Mar-1999
+% LaTeX license; moving-argument-error
+% The End
+
+Test file integrity: ASCII 32-57, 58-126: !"#$%&'()*+,-./0123456789
+:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{|}~
diff --git a/2004/netfilter-failover-lt2004/netfilter-failover-lt2004.mgp b/2004/netfilter-failover-lt2004/netfilter-failover-lt2004.mgp
new file mode 100644
index 0000000..27272c8
--- /dev/null
+++ b/2004/netfilter-failover-lt2004/netfilter-failover-lt2004.mgp
@@ -0,0 +1,369 @@
+%include "default.mgp"
+%default 1 bgrad
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+%nodefault
+%back "blue"
+
+%center
+%size 7
+
+
+How to replicate the fire
+HA for netfilter-based firewalls
+
+
+%center
+%size 4
+by
+
+Harald Welte <laforge@netfilter.org>
+
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+HA for netfillter/iptables
+Contents
+
+
+ Introduction
+ Connection Tracking Subsystem
+ Packet selection based on IP Tables
+ The Connection Tracking Subsystem
+ The NAT Subsystem
+ Poor man's failover
+ Real state replication
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+HA for netfillter/iptables
+Introduction
+
+What is special about firewall failover?
+
+ Nothing, in case of the stateless packet filter
+ Common IP takeover solutions can be used
+ VRRP
+ Hartbeat
+ Distribution of packet filtering ruleset no problem
+ can be done manually
+ or implemented with simple userspace process
+ Problems arise with stateful packet filters
+ Connection state only on active node
+ NAT mappings only on active node
+
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+HA for netfillter/iptables
+Connection Tracking Subsystem
+
+Connection tracking...
+ enables stateful filtering
+ implementation
+ hooks into netfitler to track packets
+ protocol modules (currently TCP/UDP/ICMP)
+ application helpers currently (FTP,IRC,H.323,talk,SNMP)
+ divides packets in the following four categories
+ NEW - would establish new connection
+ ESTABLISHED - part of already established connection
+ RELATED - is related to established connection
+ INVALID - (multicast, errors...)
+ does _NOT_ filter packets itself
+ can be utilized by iptables using the 'state' match
+ is used by NAT Subsystem
+
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+HA for netfillter/iptables
+Connection Tracking Subsystem
+
+Common structures
+ struct ip_conntrack_tuple, representing unidirectional flow
+ layer 3 src + dst
+ layer 4 protocol
+ layer 4 src + dst
+
+ connetions represented as struct ip_conntrack
+ original tuple
+ reply tuple
+ timeout
+ l4 state private data
+ app helper
+ app helper private data
+ expected connections
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+HA for netfillter/iptables
+Connection Tracking Subsystem
+
+Flow of events for new packet
+ packet enters NF_IP_PRE_ROUTING
+ tuple is derived from packet
+ lookup conntrack hash table with hash(tuple) -> fails
+ new ip_conntrack is allocated
+ fill in original and reply == inverted(original) tuple
+ initialize timer
+ assign app helper if applicable
+ see if we've been expected -> fails
+ call layer 4 helper 'new' function
+ ...
+ packet enters NF_IP_POST_ROUTING
+ do hashtable lookup for packet -> fails
+ place struct ip_conntrack in hashtable
+
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+HA for netfillter/iptables
+Connection Tracking Subsystem
+
+Flow of events for packet part of existing connection
+ packet enters NF_IP_PRE_ROUTING
+ tuple is derived from packet
+ lookup conntrack hash table with hash(tuple)
+ assosiate conntrack entry with skb->nfct
+ call l4 protocol helper 'packet' function
+ do l4 state tracking
+ update timeouts as needed [i.e. TCP TIME_WAIT,...]
+ ...
+ packet enters NF_IP_POST_ROUTING
+ do hashtable lookup for packet -> succeds
+ do nothing else
+
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+HA for netfillter/iptables
+Network Address Translation
+
+Overview
+ Previous Linux Kernels only implemented one special case of NAT: Masquerading
+ Linux 2.4.x can do any kind of NAT.
+ NAT subsystem implemented on top of netfilter, iptables and conntrack
+ NAT subsystem registers with all five netfilter hooks
+ 'nat' Table registers chains PREROUTING, POSTROUTING and OUTPUT
+ Following targets available within 'nat' Table
+ SNAT changes the packet's source whille passing NF_IP_POST_ROUTING
+ DNAT changes the packet's destination while passing NF_IP_PRE_ROUTING
+ MASQUERADE is a special case of SNAT
+ REDIRECT is a special case of DNAT
+ NAT bindings determined only for NEW packet and saved in ip_conntrack
+ Further packets within connection NATed according NAT bindings
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+HA for netfillter/iptables
+Poor man's failover
+
+Poor man's failover
+ principle
+ let every node do it's own tracking rather than replicating state
+ two possible implementations
+ connect every node to shared media (i.e. real ethernet)
+ forwarding only turned on on active node
+ slave nodes use promiscuous mode to sniff packets
+ copy all traffic to slave nodes
+ active master needs to copy all traffic to other nodes
+ disadvantage: high load, sync traffic == payload traffic
+ IMHO stupid way of solving the problem
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+HA for netfillter/iptables
+Poor man's failover
+
+Poor man's failover
+ advantages
+ very easy implementation
+ only addition of sniffing mode to conntrack needed
+ existing means of address takeover can be used
+ same load on active master and slave nodes
+ no additional load on active master
+ disadvantages
+ can only be used with real shared media (no switches, ...)
+ can not be used with NAT
+ remaining problem
+ no initial state sync after reboot of slave node!
+
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+HA for netfillter/iptables
+Real state replication (ct_sync)
+
+Real state replication (ct_sync)
+ characteristics
+ replicates state changes from active master to slave(s)
+ seperate shared ethernet segment for sync
+ advantages
+ can be used with any network media
+ works with NAT
+ initial sync after new slave is introduced
+ problems
+ complex implementation
+ current limitations
+ no replication of connection relations (ftp/h.323/...)
+ current problems
+ bugs, bugs, bugs
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+HA for netfillter/iptables
+Real state replication (ct_sync)
+
+Required parts
+ state replication protocol
+ multicast based
+ sequence numbers for detection of packet loss
+ NACK-based retransmission
+ no security, since private ethernet segment to be used
+ event interface on active node
+ calling out to callback function at all state changes
+ exported interface to manipulate conntrack hash table
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+HA for netfillter/iptables
+Real state replication (ct_sync)
+
+Required parts
+ kernel thread for sending conntrack state protocol messages
+ registers with event interface
+ creates and accumulates state replication packets
+ sends them via in-kernel sockets api
+ kernel thread for receiving conntrack state replication messages
+ receives state replication packets via in-kernel sockets
+ uses conntrack hashtable manipulation interface
+ kernel thread for initial or full re-sync
+ sends full conntrack table with fixed speed
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+HA for netfillter/iptables
+Real state replication
+
+Flow of events in chronological order:
+ on active node, inside the network RX softirq
+ connection tracking code is analyzing a forwarded packet
+ connection tracking gathers some new state information
+ connection tracking updates local connection tracking database
+ connection tracking sends event message to event API
+ function registered at event API enqueues message to send ring
+ on active node, inside the conntrack-sync kernel thread
+ conntrack sync daemon aggregates multiple event messages into a state replication protocol message, removing possible redundancy
+ conntrack sync daemon dequeues packets from ring
+ conntrack sync daemon sends state replication protocol packet via in-kernel sockets
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+HA for netfillter/iptables
+Real state replication
+
+Flow of events in chronological order:
+ on slave node(s), inside network RX softirq
+ connection tracking code ignores packets coming from the interface attached to the private conntrac sync network
+ state replication protocol messages is appended to socket receive queue of conntrack-sync kernel thread
+ on slave node(s), inside conntrack-sync kernel thread
+ conntrack sync daemon receives state replication message
+ conntrack sync daemon creates/updates conntrack entry
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+HA for netfillter/iptables
+Real state replication
+
+Neccessary changes to conntrack core
+ event generation (callback functions) for all state changes
+ is needed (and already implemented) for 'ctnetlink' API
+ conntrack hashtable manipulation API
+ is needed (and already implemented) for 'ctnetlink' API
+ conntrack exemptions
+ needed to _not_ track conntrack state replication packets
+ is needed for other cases as well (raw table / NOTRACK target)
+ works by
+ layer two packet drop (l2netfilter hooks)
+ disables any incoming or outgoing packets on other than the sync device on slave nodes
+
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+HA for netfillter/iptables
+Usage
+
+To set up a conntrack cluster you need
+
+ hardware
+ two firewalls with identical iptables rulesets
+ all ethernet interfaces (internal, dmz, external) connected to both nodes
+ seperate network segment for conntrack sync device
+ software
+ configure any working ip address range/subnet to sync device
+ assign every node a unique node id (0..255)
+ decide which of the nodes is master, which slave
+
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+HA for netfillter/iptables
+Usage
+
+To set up a conntrack cluster you need
+
+ configuration on master
+ first: modprobe ct_sync syncdev=ethX state=1 id=1 l2drop=1
+ second: configure your 'real' devices (internal, external)
+ configuration on slave
+ modprobe ct_sync syncdev=ethX state=0 id=2 l2drop=1
+ second: configure your 'real' devices (internal, external)
+
+ after loading ct_sync with l2drop=1, a slave node will be invisible on the 'real' networks. ssh access is only possible via sync device
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+HA for netfillter/iptables
+Usage
+
+ Cluster manager
+ set up a cluster manager with some hartbeat mechanism
+ configure it to run the following command on a slave that is to be propagated to master:
+ echo "1" > /proc/net/ct_sync
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+HA for netfillter/iptables
+Thanks
+
+ Thanks to
+ the BBS scenee, Z-Netz, FIDO, ...
+ for heavily increasing my computer usage in 1992
+ KNF
+ for bringing me in touch with the internet as early as 1994
+ for providing a playground for technical people
+ for introducing me to the existance of Linux!
+ Alan Cox, Alexey Kuznetsov, David Miller, Andi Kleen
+ for implementing (one of?) the world's best TCP/IP stacks
+ Paul 'Rusty' Russell
+ for starting the netfilter/iptables project
+ for trusting me to maintain it today
+ Astaro AG
+ for sponsoring my netfilter failover work
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+HA for netfillter/iptables
+Availability of slides / Links
+
+The code
+ http://cvs.netfilter.org/netfilter-ha/ct_sync
+
+The slides
+ http://www.gnumonks.org/
+
+The netfilter homepage
+ http://www.netfilter.org/
+
+Astaro AG
+ http://www.astaro.com/
diff --git a/2004/netfilter-failover-ols2004/OLS2004-proceedings/AuthorDirList.txt b/2004/netfilter-failover-ols2004/OLS2004-proceedings/AuthorDirList.txt
new file mode 100644
index 0000000..75a20a7
--- /dev/null
+++ b/2004/netfilter-failover-ols2004/OLS2004-proceedings/AuthorDirList.txt
@@ -0,0 +1,51 @@
+almesberger
+aloni
+andersen
+anderson
+axboe
+bhattacharya
+bird
+bligh
+bottomley
+boutcher
+brown
+bryant
+chubb
+coekaerts
+corbet
+devriendt
+domsch
+feldman
+fields
+gammo
+gettys
+haddad
+halcrow
+hansen
+kroahhartman
+lindsley
+love
+mackall
+magenheimer
+maloy
+mccracken
+meeks
+melo
+miyazawa
+packard
+pai
+perezgonzalez
+pratt
+robb
+ronciak
+russell
+sarma
+shankar
+riel
+volmat
+walicki
+welte
+wichmann
+wilson
+worth
+wright
diff --git a/2004/netfilter-failover-ols2004/OLS2004-proceedings/Authors.tex b/2004/netfilter-failover-ols2004/OLS2004-proceedings/Authors.tex
new file mode 100644
index 0000000..5e744d4
--- /dev/null
+++ b/2004/netfilter-failover-ols2004/OLS2004-proceedings/Authors.tex
@@ -0,0 +1,357 @@
+% email=werner@almesberger.net
+% url=http://linuxsymposium.org/2004/view_abstract.php?content_key=24
+\coltocauthor{Werner Almesberger}
+\coltoctitle{TCP Connection Passing}
+\label{art01}
+\import{almesberger}
+
+% email=da-x@colinux.org
+% url=http://linuxsymposium.org/2004/view_abstract.php?content_key=14
+\coltocauthor{Dan Aloni}
+\coltoctitle{Cooperative Linux}
+\label{art02}
+\import{aloni}
+
+% email=andersen@codepoet.org
+% url=http://linuxsymposium.org/2004/view_abstract.php?content_key=11
+\coltocauthor{Erik Andersen}
+\coltoctitle{Build your own Embedded Linux Wireless Access Point}
+\label{art03}
+\import{andersen}
+
+% email=anderson@netsweng.com
+% url=http://linuxsymposium.org/2004/view_abstract.php?content_key=40
+\coltocauthor{Stuart Anderson}
+\coltoctitle{Run-time testing of LSB Applications}
+\label{art04}
+\import{anderson}
+
+% email=axboe@suse.de
+% url=http://linuxsymposium.org/2004/view_abstract.php?content_key=152
+\coltocauthor{Jens Axboe}
+\coltoctitle{Linux Block IO: present and future}
+\label{art05}
+\import{axboe}
+
+% email=suparna@in.ibm.com
+% url=http://linuxsymposium.org/2004/view_abstract.php?content_key=64
+\coltocauthor{Suparna Bhattacharya}
+\coltoctitle{Linux AIO Performance and Robustness for Enterprise Workloads}
+\label{art06}
+\import{bhattacharya}
+
+% email=tim.bird@am.sony.com
+% url=http://linuxsymposium.org/2004/view_abstract.php?content_key=132
+\coltocauthor{Tim R.\ Bird}
+\coltoctitle{Methods to Improve Bootup Time in Linux}
+\label{art07}
+\import{bird}
+
+% email=~
+% url=http://linuxsymposium.org/2004/view_abstract.php?content_key=153
+\coltocauthor{Martin J.\ Bligh}
+\coltoctitle{Linux on NUMA}
+\label{art08}
+\import{bligh}
+
+% email=jejb@steeleye.com
+% url=http://linuxsymposium.org/2004/view_abstract.php?content_key=27
+\coltocauthor{James Bottomley}
+\coltoctitle{Improving Kernel Performance by Unmapping the Page Cache}
+\label{art09}
+\import{bottomley}
+
+% email=boutcher@us.ibm.com
+% url=http://linuxsymposium.org/2004/view_abstract.php?content_key=26
+\coltocauthor{Dave Boutcher}
+\coltoctitle{Linux Virtualization on IBM Power5 Systems}
+\label{art10}
+\import{boutcher}
+
+% email=len.brown@intel.com
+% url=http://linuxsymposium.org/2004/view_abstract.php?content_key=9
+\coltocauthor{Len Brown}
+\coltoctitle{ACPI: Advanced Configuration and Power Management Interface}
+\label{art11}
+\import{brown}
+
+% email=raybry@sgi.com
+% url=http://linuxsymposium.org/2004/view_abstract.php?content_key=147
+\coltocauthor{Ray Bryant}
+\coltoctitle{Scaling Linux to the Extreme}
+\label{art12}
+\import{bryant}
+
+% email=peterc@gelato.unsw.edu.au
+% url=http://linuxsymposium.org/2004/view_abstract.php?content_key=100
+\coltocauthor{Peter Chubb}
+\coltoctitle{Get More Device Drivers out of the Kernel!}
+\label{art13}
+\import{chubb}
+
+% email=wim.coekaerts@oracle.com
+% url=http://linuxsymposium.org/2004/view_abstract.php?content_key=13
+\coltocauthor{Wim A.\ Coekaerts}
+\coltoctitle{2.6 kernel for big servers compared to 2.4}
+\label{art14}
+\import{coekaerts}
+
+% email=corbet@lwn.net
+% url=http://linuxsymposium.org/2004/view_abstract.php?content_key=127
+\coltocauthor{Jonathan Corbet}
+\coltoctitle{Where 2.7 is going}
+\label{art15}
+\import{corbet}
+
+% email=paul.devriendt@amd.com
+% url=http://linuxsymposium.org/2004/view_abstract.php?content_key=22
+\coltocauthor{Paul Devriendt}
+\coltoctitle{SMP and frequency scaling}
+\label{art16}
+\import{devriendt}
+
+% email=matt_domsch@dell.com
+% url=http://linuxsymposium.org/2004/view_abstract.php?content_key=117
+\coltocauthor{Matt Domsch}
+\coltoctitle{Dynamic Kernel Module Support: From Theory to Practice}
+\label{art17}
+\import{domsch}
+
+% email=scott.feldman@intel.com
+% url=http://linuxsymposium.org/2004/view_abstract.php?content_key=177
+\coltocauthor{Scott Feldman}
+\coltoctitle{e100 weight reduction program}
+\label{art18}
+\import{feldman}
+
+% email=bfields@umich.edu
+% url=http://linuxsymposium.org/2004/view_abstract.php?content_key=76
+\coltocauthor{James Bruce Fields}
+\coltoctitle{NFSv4 and rpcsec\_gss for linux}
+\label{art19}
+\import{fields}
+
+% email=lgammo@cs.uwaterloo.ca
+% url=http://linuxsymposium.org/2004/view_abstract.php?content_key=0
+\coltocauthor{Louay Gammo}
+\coltoctitle{Comparing and Evaluating epoll(), select(), and poll()}
+\label{art20}
+\import{gammo}
+
+% email=jim.gettys@hp.com
+% url=http://linuxsymposium.org/2004/view_abstract.php?content_key=0
+\coltocauthor{James Gettys}
+\coltoctitle{The (Re)Architecture of the X Window System}
+\label{art21}
+\import{gettys}
+
+% email=ibrahim.haddad@ericsson.com
+% url=http://linuxsymposium.org/2004/view_abstract.php?content_key=51
+\coltocauthor{Ibrahim Haddad}
+\coltoctitle{Towards Linux-based Open Telecom Platforms}
+\label{art22}
+\import{haddad}
+
+% email=linuxsymposium.org@halcrow.us
+% url=http://linuxsymposium.org/2004/view_abstract.php?content_key=55
+\coltocauthor{Michael Austin Halcrow}
+\coltoctitle{Demands, Solutions, and Improvements for Linux Filesystem Security}
+\label{art23}
+\import{halcrow}
+
+% email=haveblue@us.ibm.com
+% url=http://linuxsymposium.org/2004/view_abstract.php?content_key=131
+\coltocauthor{Dave Hansen}
+\coltoctitle{Hotplug Memory and the Linux VM}
+\label{art24}
+\import{hansen}
+
+% email=greg@kroah.com
+% url=http://linuxsymposium.org/2004/view_abstract.php?content_key=168
+\coltocauthor{Greg Kroah-Hartman}
+\coltoctitle{kobjects and krefs: lockless reference counting for kernel structures}
+\label{art25}
+\import{kroahhartman}
+
+% email=ricklind@us.ibm.com
+% url=http://linuxsymposium.org/2004/view_abstract.php?content_key=82
+\coltocauthor{Rick Lindsley}
+\coltoctitle{The Cursor Wiggles Faster: Measuring Scheduler Performance}
+\label{art26}
+\import{lindsley}
+
+% email=rml@ximian.com
+% url=http://linuxsymposium.org/2004/view_abstract.php?content_key=122
+\coltocauthor{Robert Love}
+\coltoctitle{On a Kernel Events Layer and User-space Message Bus System}
+\label{art27}
+\import{love}
+
+% email=mpm@selenic.com
+% url=http://linuxsymposium.org/2004/view_abstract.php?content_key=30
+\coltocauthor{Matt Mackall}
+\coltoctitle{Linux-tiny and directions for small systems}
+\label{art28}
+\import{mackall}
+
+% email=dan.magenheimer@hp.com
+% url=http://linuxsymposium.org/2004/view_abstract.php?content_key=68
+\coltocauthor{Dan Magenheimer}
+\coltoctitle{Xen and the Art of Open Source Virtualization}
+\label{art29}
+\import{magenheimer}
+
+% email=jon.maloy@ericsson.com
+% url=http://linuxsymposium.org/2004/view_abstract.php?content_key=52
+\coltocauthor{Jon Paul Maloy}
+\coltoctitle{TIPC: Providing Communication for Linux Clusters}
+\label{art30}
+\import{maloy}
+
+% email=dmccr@us.ibm.com
+% url=http://linuxsymposium.org/2004/view_abstract.php?content_key=109
+\coltocauthor{Dave McCracken}
+\coltoctitle{Object-based reverse mapping}
+\label{art31}
+\import{mccracken}
+
+% email=michael@ximian.com
+% url=http://linuxsymposium.org/2004/view_abstract.php?content_key=145
+\coltocauthor{Michael Meeks}
+\coltoctitle{The World of OpenOffice}
+\label{art32}
+\import{meeks}
+
+% email=~
+% url=http://linuxsymposium.org/2004/view_abstract.php?content_key=130
+\coltocauthor{Arnaldo Carvalho de Melo}
+\coltoctitle{TCPfying the Poor Cousins}
+\label{art33}
+\import{melo}
+
+% email=kazunori@miyazawa.org
+% url=http://linuxsymposium.org/2004/view_abstract.php?content_key=119
+\coltocauthor{Kazunori Miyazawa}
+\coltoctitle{IPv6 IPsec and Mobile IPv6 implementation of Linux}
+\label{art34}
+\import{miyazawa}
+
+% email=~
+% url=http://linuxsymposium.org/2004/view_abstract.php?content_key=0
+\coltocauthor{Keith Packard}
+\coltoctitle{Getting X off the hardware}
+\label{art35}
+\import{packard}
+
+% email=linuxram@us.ibm.com
+% url=http://linuxsymposium.org/2004/view_abstract.php?content_key=54
+\coltocauthor{Ram Pai}
+\coltoctitle{Linux 2.6 performance improvement through readahead optimization}
+\label{art36}
+\import{pai}
+
+% email=inaky.perez-gonzalez@intel.com
+% url=http://linuxsymposium.org/2004/view_abstract.php?content_key=10
+\coltocauthor{Inaky Perez-Gonzalez}
+\coltoctitle{I would hate user space locking if it weren't that sexy\ldots}
+\label{art37}
+\import{perezgonzalez}
+
+% email=slpratt@us.ibm.com
+% url=http://linuxsymposium.org/2004/view_abstract.php?content_key=58
+\coltocauthor{Steven L.\ Pratt}
+\coltoctitle{Workload Dependent Performance Evaluation of the 2.6 I/O Schedulers}
+\label{art38}
+\import{pratt}
+
+% email=sam.robb@timesys.com
+% url=http://linuxsymposium.org/2004/view_abstract.php?content_key=104
+\coltocauthor{Sam Robb}
+\coltoctitle{Creating Cross-Compile Friendly Software}
+\label{art39}
+\import{robb}
+
+% email=john.ronciak@intel.com
+% url=http://linuxsymposium.org/2004/view_abstract.php?content_key=46
+\coltocauthor{John A.\ Ronciak}
+\coltoctitle{Page-Flip Technology for use within the Linux Networking Stack}
+\label{art40}
+\import{ronciak}
+
+% email=rusty@rustcorp.com.au
+% url=http://linuxsymposium.org/2004/view_abstract.php?content_key=16
+\coltocauthor{Rusty Russell}
+\coltoctitle{Linux Kernel Hotplug CPU Support}
+\label{art41}
+\import{russell}
+
+% email=dipankar@in.ibm.com
+% url=http://linuxsymposium.org/2004/view_abstract.php?content_key=156
+\coltocauthor{Dipankar Sarma}
+\coltoctitle{Issues with Selected Scalability Features of the 2.6 Kernel}
+\label{art42}
+\import{sarma}
+
+% email=dshankar@us.ibm.com
+% url=http://linuxsymposium.org/2004/view_abstract.php?content_key=72
+\coltocauthor{Kittur (Doc) S.\ Shankar}
+\coltoctitle{Achieving CAPP/EAL3+ Security Certification for Linux}
+\label{art43}
+\import{shankar}
+
+% email=riel@redhat.com
+% url=http://linuxsymposium.org/2004/view_abstract.php?content_key=125
+\coltocauthor{Rik van Riel}
+\coltoctitle{Improving Linux resource control using CKRM}
+\label{art44}
+\import{riel}
+
+% email=avolmat@src.ricoh.co.jp
+% url=http://linuxsymposium.org/2004/view_abstract.php?content_key=110
+\coltocauthor{Alain Volmat}
+\coltoctitle{Linux on a Digital Camera}
+\label{art45}
+\import{volmat}
+
+% email=~
+% url=http://linuxsymposium.org/2004/view_abstract.php?content_key=0
+\coltocauthor{John A.\ Walicki}
+\coltoctitle{The Linux Client at IBM: Enterprise Enabling the Linux Desktop}
+\label{art46}
+\import{walicki}
+
+% email=laforge@gnumonks.org
+% url=http://linuxsymposium.org/2004/view_abstract.php?content_key=86
+\coltocauthor{Harald Marc Welte}
+\coltoctitle{ct\_sync: state replication of ip\_conntrack}
+\label{art47}
+\import{welte}
+
+% email=mats.d.wichmann@intel.com
+% url=http://linuxsymposium.org/2004/view_abstract.php?content_key=175
+\coltocauthor{Mats Wichmann}
+\coltoctitle{Increasing the appeal of Open Source projects}
+\label{art48}
+\import{wichmann}
+
+% email=~
+% url=http://linuxsymposium.org/2004/view_abstract.php?content_key=0
+\coltocauthor{Matthew S.\ Wilson}
+\coltoctitle{New approaches in software provisioning and system maintenance}
+\label{art49}
+\import{wilson}
+
+% email=cworth@east.isi.edu
+% url=http://linuxsymposium.org/2004/view_abstract.php?content_key=70
+\coltocauthor{Carl D.\ Worth}
+\coltoctitle{``On-demand'' Linux in a Power-aware Microsensor}
+\label{art50}
+\import{worth}
+
+% email=~
+% url=http://linuxsymposium.org/2004/view_abstract.php?content_key=0
+\coltocauthor{Chris Wright}
+\coltoctitle{Linux Virtualization}
+\label{art51}
+\import{wright}
+
diff --git a/2004/netfilter-failover-ols2004/OLS2004-proceedings/EXAMPLE/Makefile b/2004/netfilter-failover-ols2004/OLS2004-proceedings/EXAMPLE/Makefile
new file mode 100644
index 0000000..367a0c9
--- /dev/null
+++ b/2004/netfilter-failover-ols2004/OLS2004-proceedings/EXAMPLE/Makefile
@@ -0,0 +1,41 @@
+
+.SUFFIXES: .tex .dvi .aux .eps .fig .dia .ps .pdf .bib .bbl
+
+TOP=myPaper
+TEXFILES=$(TOP).tex
+FIGFILES:=$(wildcard *.fig)
+EPSFILES:=$(wildcard *.eps)
+EPSFILES+=$(FIGFILES:.fig=.eps)
+PDFFILES=$(EPSFILES:.eps=.pdf)
+
+.fig.eps:
+ fig2dev -L eps $< >$@
+
+.fig.pdf:
+ fig2dev -L pdf $< >$@
+
+.eps.pdf:
+ epstopdf $<
+
+all: $(TOP).ps $(TOP).pdf
+
+$(TOP).ps: $(TOP).dvi
+ dvips -o $(TOP).ps $(TOP)
+
+$(TOP).dvi: $(TEXFILES) $(EPSFILES)
+ latex $(TOP) || true
+ bibtex $(TOP) || true
+ latex $(TOP) || true
+ latex $(TOP)
+
+$(TOP).pdf: $(TEXFILES) $(PDFFILES)
+ pdflatex $(TOP) || true
+ bibtex $(TOP) || true
+ pdflatex $(TOP) || true
+ pdflatex $(TOP)
+
+clean:
+ rm -f *.aux *.dvi *.log
+ rm -f $(TOP).ps $(TOP).pdf $(TOP).bbl $(TOP).blg
+
+
diff --git a/2004/netfilter-failover-ols2004/OLS2004-proceedings/EXAMPLE/bibliography.tex b/2004/netfilter-failover-ols2004/OLS2004-proceedings/EXAMPLE/bibliography.tex
new file mode 100644
index 0000000..78340bc
--- /dev/null
+++ b/2004/netfilter-failover-ols2004/OLS2004-proceedings/EXAMPLE/bibliography.tex
@@ -0,0 +1,180 @@
+
+This example is based on Keith Packard's 2003 paper for
+the Linux Symposium Proceedings.
+
+The easiest way to do a bibliography is to use BiBTeX.
+In the body of the paper, you \cite{} various references.
+The citation name is the first name following the opening
+curly brace in the .bib file. For example, with the list below,
+I could \cite{autoconf} and \cite{freetype2}.
+
+Near the end of your main .tex file, you include a section like so:
+\begin{flushleft}
+\bibliography{keithp}
+\bibliographystyle{plain}
+\end{flushleft}
+(this comes *before* \end{document}.)
+
+And in a separate file whose name matches the \bibliography{}
+declaration above (e.g., keithp.bib in this case), you define all
+the references. Note that \url is a valid way to typeset web
+references.
+
+Note that the makefiles are already set up to process this form
+of bibliography, so using it is indeed easy. (It's also one
+reason why the input files are processed multiple times, though.)
+
+Here are some sample entries for various types
+of publications:
+
+@book{autoconf,
+ title = "GNU Autoconf, Automake and Libtool",
+ author = "Gary V. Vaughan and Ben Elliston and Tom Tromey and Ian Lance Taylor",
+ publisher = "New Riders",
+ year = 2000,
+ note = {ISBN 1-57870-190-2}, },
+
+@article{blinn:1994,
+ title = "Compositing Theory",
+ author = "Jim Blinn",
+ journal = "IEEE Computer Graphics and Applications",
+ year = 1994,
+ month = "September",
+ note = "Republished in~\cite{blinn:1998}" }
+
+@book{blinn:1998,
+ title = "{Jim Blinn's Corner: Dirty Pixels}",
+ author = "Jim Blinn",
+ year = 1998,
+ publisher = "Morgan Kaufmann",
+ isbn = "1-55860-455-3", }
+
+@techreport{dbe,
+ title = "{Double Buffer Extension Protocol}",
+ author = "Ian Elliott and David P. Wiggins",
+ institution = "X Consortium, Inc.",
+ type = "X Consortium Standard",
+ year = 1994, }
+@manual{dc,
+ title = "DC - An Interactive Desk Calculator",
+ author = "Robert Morris and Lorinda Cherry",
+ organization = "AT\&T Bell Laboratories",
+ note = "Unix Programmer's Manual Volume 2, 7th Edition",
+ year = 1978, },
+
+@misc{freetype2,
+ title = "The design of {FreeType} 2",
+ author = "David Turner and The FreeType Development Team",
+ year = 2000,
+ note = "\url{http://www.freetype.org/freetype2/docs/design/}",
+},
+
+@inproceedings{gj,
+ title = "Making the future safe for the past: Adding Genericity to the Java Programming Language",
+ author = "Gilad Bracha and Martin Odersky and David Stoutamire and Phillip Wadler",
+ month = "October",
+ booktitle = "Conference on Object-Oriented Programing systems, Languages and Applications (OOPSLA '98)",
+ year = 1998,
+ publisher = "ACM",
+ organization = "SIGPLAN", }
+
+@phdthesis{Hobby85,
+ author = {John D. Hobby},
+ title = {Digitized Brush Trajectories},
+ school = {Stanford University},
+ year = {1985},
+ note = {Also {\it Stanford Report STAN-CS-85-1070}}
+}
+
+@article{itsy,
+ title = "{Itsy: Stretching the Bounds of Mobile Computing}",
+ author = "William R. Hamburgen and Deborah A. Wallach and Marc A. Viredaz and Lawrence S. Brakmo and Carl A. Waldspurger and Joel F. Bartlett and Timothy Mann and Keith I. Farkas",
+ journal = "IEEE Computer",
+ year = 2001,
+ publisher = "Institute of Electrical and Electronics Engineers, Inc.",
+ volume = 34,
+ number = 4,
+ month = "April",
+ pages = "28-35", }
+
+@inproceedings{lbx:1993,
+ title = "{An Update on Low Bandwidth X (LBX): A Standard For X and Serial Lines}",
+ author = "Jim Fulton and Chris Kent Kantarjiev",
+ booktitle = "Proceedings of the Seventh Annual X Technical Conference",
+ month = "January",
+ year = 1993,
+ pages = "251-266",
+ address = "Boston, MA",
+ organization = "MIT X Consortium",
+},
+
+@inproceedings{lmbench:1996,
+ title = "{lmbench: Portable tools for performance analysis}",
+ author = "Larry McVoy and Carl Staelin",
+ booktitle = "Technical Conference Proceedings",
+ month = "January",
+ year = 1996,
+ pages = "279-284",
+ address = "San Diego, CA",
+ organization = "USENIX", }
+
+@Article{Nistnet00,
+ author = "NIST Internetworking Technology Group",
+ title = "{NISTNet} network emulation package",
+ journal = "\url{http://www.antd.nist.gov/itg/nistnet/}",
+ month = jun,
+ year = "2000",
+ bibdate = "Thursday, June 29, 2000 at 16:40:15 (MEST)",
+ submitter = "Katarina Asplund",
+}
+
+@TechReport{AMD:2000:XTW,
+ author = "{AMD Corporation}",
+ title = "{x86-64$^{\mathrm{TM}}$ Technology White Paper}",
+ institution = "{AMD Corporation}",
+ address = "One AMD Place, Sunnyvale, CA 94088, USA",
+ pages = "12",
+ day = "17",
+ month = aug,
+ year = "2000",
+ bibdate = "Fri May 04 12:53:45 2001",
+ bibsource = "\url{http://www.amd.com/products/cpg/64bit/index.html}",
+ URL = "\url{http://www.amd.com/products/cpg/64bit/pdf/x86-64_wp.pdf};
+ \url{http://www1.amd.com/products/cpg/x8664bit/faq}",
+ acknowledgement = ack-nhfb,
+ annote = "The x86-64 architecture is definitely not an IA-64
+ implementation, but rather, an extension of IA-32 by
+ widening the integer registers to 64-bits.",
+}
+
+@unpublished{pinzari,
+ author = "Gian Filippo Pinzari",
+ title = "The NX X Protocol Compressor",
+ note = "Electronic Communication",
+ month = "March",
+ year = "2003",
+ }
+
+@inproceedings{Gettys:2002,
+ title = "{The Future is Coming, Where the X Window System Should Go}",
+ author = "James Gettys",
+ booktitle = "FREENIX Track, 2002 Usenix Annual Technical Conference",
+ month = "June",
+ year = 2002,
+ organization = "USENIX",
+ address = "Monterey, CA",
+ url = "\url{http://www.usenix.org/publications/library/proceedings/usenix02/tech/freenix/full_papers/gettys/gettys_html/index.html}",
+}
+
+@misc{ewing,
+ title = "Linux 2.0 Penguins",
+ author = "Larry Ewing",
+ note = "\url{http://www.isc.tamu.edu/~lewing/linux}",
+}
+
+@misc{gimp,
+ title = "The {GIMP}: The {GNU} Image Manipulation Program",
+ author = "Peter Mattis and Spencer Kimball and the GIMP developers",
+ note = "\url{http://www.gimp.org}",
+}
+
diff --git a/2004/netfilter-failover-ols2004/OLS2004-proceedings/EXAMPLE/bibliography2.tex b/2004/netfilter-failover-ols2004/OLS2004-proceedings/EXAMPLE/bibliography2.tex
new file mode 100644
index 0000000..c838404
--- /dev/null
+++ b/2004/netfilter-failover-ols2004/OLS2004-proceedings/EXAMPLE/bibliography2.tex
@@ -0,0 +1,41 @@
+
+Here's another way of handling bibliographies; it does
+not use a .bib file, but includes the items at the end
+of the paper, before \end{document}.
+
+Each item has the format
+\bibitem[printName]{citeName} details
+
+The "printName" will be printed at the point of your citation,
+and again in the list of references. The "citeName" is what
+you use in the source to create the citation. For example,
+using the first entry below, I could \cite{menyhart} and
+have the author's name print out properly in the appropriate
+places.
+
+The bibliography below comes from Tony Luck's 2003 Linux
+Symposium paper:
+
+
+\begin{thebibliography}{99}
+\raggedright
+\bibitem[Menyh\'{a}rt]{menyhart} Z.\ Menyh\'{a}rt and D.\ Song,
+{\em OS Machine Check Recovery on Itanium Architecture-base Platforms},
+Intel Developer Forum, Fall 2002
+
+\bibitem[Ziegler]{ziegler} J.F.\ Ziegler,
+{\em Terrestrial cosmic ray intensities},
+IBM Journal of Research and Development, Volume 42, Number 1, 1998
+
+\bibitem[SDV]{SDV} Intel,
+{\em Intel Itanium Architecture Software Developer's Manual, Volume 1--3}
+
+\bibitem[EHG]{EHG} Intel,
+{\em Itanium Processor Family Error Handling Guide}, August 2001
+
+\bibitem[SAL]{SAL} Intel,
+{\em Itanium Processor Family System Abstraction Layer (SAL) Specification}, November 2002
+
+\end{thebibliography}
+
+
diff --git a/2004/netfilter-failover-ols2004/OLS2004-proceedings/EXAMPLE/complexCode/Figures/example.c b/2004/netfilter-failover-ols2004/OLS2004-proceedings/EXAMPLE/complexCode/Figures/example.c
new file mode 100644
index 0000000..34d1726
--- /dev/null
+++ b/2004/netfilter-failover-ols2004/OLS2004-proceedings/EXAMPLE/complexCode/Figures/example.c
@@ -0,0 +1,18 @@
+typedef struct QuadTree {
+ double Data;
+ struct QuadTree *Children[4];
+} QT;
+
+void Sum3rdChildren(QT *T,
+ double *Result) {
+ double Ret;
+ if (T == 0) { Ret = 0;
+ } else {
+ QT *Child3 =
+ T[0].Children[3];
+ double V;
+ Sum3rdChildren(Child3, &V);
+ Ret = V + T[0].Data;
+ }
+ *Result = Ret;
+}
diff --git a/2004/netfilter-failover-ols2004/OLS2004-proceedings/EXAMPLE/complexCode/Figures/example.ll b/2004/netfilter-failover-ols2004/OLS2004-proceedings/EXAMPLE/complexCode/Figures/example.ll
new file mode 100644
index 0000000..f9ce373
--- /dev/null
+++ b/2004/netfilter-failover-ols2004/OLS2004-proceedings/EXAMPLE/complexCode/Figures/example.ll
@@ -0,0 +1,22 @@
+%struct.QuadTree = type { double, [4 x %QT*] }
+%QT = type %struct.QuadTree
+
+void %Sum3rdChildren(%QT* %T, double* %Result) {
+entry: %V = alloca double ;; %V is type 'double*'
+ %tmp.0 = seteq %QT* %T, null ;; type 'bool'
+ br bool %tmp.0, label %endif, label %else
+
+else: ;;tmp.1 = &T[0].Children[3] 'Children' = Field #1
+ %tmp.1 = getelementptr %QT* %T, long 0, ubyte 1, long 3
+ %Child3 = load %QT** %tmp.1
+ call void %Sum3rdChildren(%QT* %Child3, double* %V)
+ %tmp.2 = load double* %V
+ %tmp.3 = getelementptr %QT* %T, long 0, ubyte 0
+ %tmp.4 = load double* %tmp.3
+ %tmp.5 = add double %tmp.2, %tmp.4
+ br label %endif
+
+endif: %Ret = phi double [ %tmp.5, %else ], [ 0.0, %entry ]
+ store double %Ret, double* %Result
+ ret void ;; Return with no value
+}
diff --git a/2004/netfilter-failover-ols2004/OLS2004-proceedings/EXAMPLE/complexCode/Makefile b/2004/netfilter-failover-ols2004/OLS2004-proceedings/EXAMPLE/complexCode/Makefile
new file mode 100644
index 0000000..9777b58
--- /dev/null
+++ b/2004/netfilter-failover-ols2004/OLS2004-proceedings/EXAMPLE/complexCode/Makefile
@@ -0,0 +1,41 @@
+
+.SUFFIXES: .tex .dvi .aux .eps .fig .dia .ps .pdf .bib .bbl
+
+TOP=complexFigure
+TEXFILES=$(TOP).tex
+FIGFILES:=$(wildcard *.fig)
+EPSFILES:=$(wildcard *.eps)
+EPSFILES+=$(FIGFILES:.fig=.eps)
+PDFFILES=$(EPSFILES:.eps=.pdf)
+
+.fig.eps:
+ fig2dev -L eps $< >$@
+
+.fig.pdf:
+ fig2dev -L pdf $< >$@
+
+.eps.pdf:
+ epstopdf $<
+
+all: $(TOP).ps $(TOP).pdf
+
+$(TOP).ps: $(TOP).dvi
+ dvips -o $(TOP).ps $(TOP)
+
+$(TOP).dvi: $(TEXFILES) $(EPSFILES)
+ latex $(TOP) || true
+ bibtex $(TOP) || true
+ latex $(TOP) || true
+ latex $(TOP)
+
+$(TOP).pdf: $(TEXFILES) $(PDFFILES)
+ pdflatex $(TOP) || true
+ bibtex $(TOP) || true
+ pdflatex $(TOP) || true
+ pdflatex $(TOP)
+
+clean:
+ rm -f *.aux *.dvi *.log
+ rm -f $(TOP).ps $(TOP).pdf $(TOP).bbl $(TOP).blg
+
+
diff --git a/2004/netfilter-failover-ols2004/OLS2004-proceedings/EXAMPLE/complexCode/complexFigure.tex b/2004/netfilter-failover-ols2004/OLS2004-proceedings/EXAMPLE/complexCode/complexFigure.tex
new file mode 100644
index 0000000..6fe6c94
--- /dev/null
+++ b/2004/netfilter-failover-ols2004/OLS2004-proceedings/EXAMPLE/complexCode/complexFigure.tex
@@ -0,0 +1,88 @@
+\documentclass[twocolumn,12pt]{article}
+\usepackage{ols}
+\ifpdf
+\usepackage[pdftex]{epsfig}
+\else
+\usepackage{epsfig}
+\fi
+\input{ols-fonts}
+
+% These packages are Proceedings-friendly.
+\usepackage{cprog}
+\usepackage[nolineno,norules]{lgrind}
+\usepackage[hang,scriptsize]{subfigure}
+
+% These ones are only suitable for standalone
+\usepackage{subfigure}
+%%% both of these break the Proceedings and are thus evil
+\usepackage{listings}
+\input{llvm.lst} % Get listing support for llvm code
+%%%%
+
+
+\begin{document}
+
+\date{}
+
+%make title bold and 14 pt font (Latex default is non-bold, 16 pt)
+\title{Architecture for a Next-Generation GCC}
+
+\author{
+Chris Lattner \hspace*{0.5in} Vikram Adve\\
+\emph{University of Illinois at Urbana, Champaign}\\
+\texttt{\em\normalsize \{lattner, vadve\}@cs.uiuc.edu}\\
+\emph{\normalsize \url{http://llvm.cs.uiuc.edu}}}
+
+\maketitle
+
+% You have to do this to suppress page numbers. Don't ask.
+\thispagestyle{empty}
+
+Formatting team's note: The two figures here illustrate two ways of presenting
+the same information, and are hopefully more complex
+than you'll require. The first is set using Proceedings-friendly
+packages; the second works only as a standalone paper.
+
+%%% Figure typeset in a Proceedings-friendly fashion
+%%% (thanks to Diego Novillo for inspiration)
+\begin{figure*}[t]
+\scriptsize
+%%% \centering
+\subfigure[Example function]{%
+\label{figure:example_c}
+\parbox{0.65\columnwidth}{\input{example-c}}
+}\hspace*{5pt}\vrule\hspace*{5pt}
+\subfigure[Corresponding LLVM code] {%
+\label{figure:example_llvm}
+\parbox{1.35\columnwidth}{\input{example-ll}}}
+%%% }%
+\caption{C and LLVM code for a function}
+\label{figure:example}
+\end{figure*}
+
+%%===------------------------
+% Code example figure
+%
+\begin{figure*} [t]
+\scriptsize
+\centering
+\subfigure[Example function] {
+\label{figure2:example_c}
+\lstset{language=c}
+\lstinputlisting{Figures/example.c}
+}\hspace*{5pt}\vrule\hspace*{5pt}
+\subfigure[Corresponding LLVM code] {
+\label{figure2:example_llvm}
+\lstset{language=LLVM}
+\lstinputlisting{Figures/example.ll}
+}%
+\caption{C and LLVM code for a function}
+\label{figure2:example}
+\end{figure*}
+%
+%%===------------------------
+
+
+\end{document}
+
+
diff --git a/2004/netfilter-failover-ols2004/OLS2004-proceedings/EXAMPLE/complexCode/example-c.tex b/2004/netfilter-failover-ols2004/OLS2004-proceedings/EXAMPLE/complexCode/example-c.tex
new file mode 100644
index 0000000..2f8bf0d
--- /dev/null
+++ b/2004/netfilter-failover-ols2004/OLS2004-proceedings/EXAMPLE/complexCode/example-c.tex
@@ -0,0 +1,22 @@
+\begin{cprog}
+typedef struct QuadTree {
+ double Data;
+ struct QuadTree
+ *Children[4];
+} QT;
+
+void Sum3rdChildren(QT *T,
+ double *Result) {
+ double Ret;
+ if (T == 0) { Ret = 0;
+ } else {
+ QT *Child3 =
+ T[0].Children[3];
+ double V;
+ Sum3rdChildren(Child3,
+ &V);
+ Ret = V + T[0].Data;
+ }
+ *Result = Ret;
+}
+\end{cprog}
diff --git a/2004/netfilter-failover-ols2004/OLS2004-proceedings/EXAMPLE/complexCode/example-ll.tex b/2004/netfilter-failover-ols2004/OLS2004-proceedings/EXAMPLE/complexCode/example-ll.tex
new file mode 100644
index 0000000..681b759
--- /dev/null
+++ b/2004/netfilter-failover-ols2004/OLS2004-proceedings/EXAMPLE/complexCode/example-ll.tex
@@ -0,0 +1,24 @@
+\begin{verbatim}
+%struct.QuadTree = type { double, [4 x %QT*] }
+%QT = type %struct.QuadTree
+
+void %Sum3rdChildren(%QT* %T, double* %Result) {
+entry: %V = alloca double ;; %V is type 'double*'
+ %tmp.0 = seteq %QT* %T, null ;; type 'bool'
+ br bool %tmp.0, label %endif, label %else
+
+else: ;;tmp.1 = &T[0].Children[3] 'Children' = Field #1
+ %tmp.1 = getelementptr %QT* %T, long 0, ubyte 1, long 3
+ %Child3 = load %QT** %tmp.1
+ call void %Sum3rdChildren(%QT* %Child3, double* %V)
+ %tmp.2 = load double* %V
+ %tmp.3 = getelementptr %QT* %T, long 0, ubyte 0
+ %tmp.4 = load double* %tmp.3
+ %tmp.5 = add double %tmp.2, %tmp.4
+ br label %endif
+
+endif: %Ret = phi double [ %tmp.5, %else ], [ 0.0, %entry ]
+ store double %Ret, double* %Result
+ ret void ;; Return with no value
+}
+\end{verbatim}
diff --git a/2004/netfilter-failover-ols2004/OLS2004-proceedings/EXAMPLE/complexCode/lgrind.sty b/2004/netfilter-failover-ols2004/OLS2004-proceedings/EXAMPLE/complexCode/lgrind.sty
new file mode 100644
index 0000000..2d04753
--- /dev/null
+++ b/2004/netfilter-failover-ols2004/OLS2004-proceedings/EXAMPLE/complexCode/lgrind.sty
@@ -0,0 +1,228 @@
+%%
+%% This is file `lgrind.sty',
+%% generated with the docstrip utility.
+%%
+%% The original source files were:
+%%
+%% lgrind.dtx (with options: `package')
+%%
+%% LGrind is used to format source code of different programming
+%% languages for LaTeX.
+%%
+%% LGrind is a minor adaptation of Jerry Leichter's tgrind for LaTeX,
+%% which was a notable improvement upon Van Jacobsen's tgrind for
+%% plain TeX, which was adapted from vgrind, a troff prettyprinter.
+%%
+%% Based on Van Jacobson's ``tgrindmac'', a macro package for TeX.
+%% Modified, 1987 by Jerry Leichter. Put '@' in all internal names.
+%% Modified, 1991 by George Reilly. Changed name from tgrind to lgrind.
+%% Modified, 1995 by Michael Piefel. Made it work with \LaTeXe.
+\NeedsTeXFormat{LaTeX2e}[1995/06/01]
+\ProvidesPackage{lgrind}
+ [1997/01/30 v3.4 LGrind environment and supporting stuff]
+\newcount\lc@unt
+\newcount\ln@xt
+\newcount\LGnuminterval
+\LGnuminterval=10
+\DeclareOption{nolineno}{\LGnuminterval=50000}
+\DeclareOption{lineno5}{\LGnuminterval=5}
+\newif\ifLGleftnum
+\DeclareOption{leftnum}{\LGleftnumtrue}
+\newskip\LGindent
+\LGindent=1.6667\parindent
+\DeclareOption{noindent}{\LGindent=0pt}
+\newif\ifLGnorules
+\DeclareOption{norules}{\LGnorulestrue}
+\newlength{\LGsloppy}
+\setlength{\LGsloppy}{7.2pt}
+\DeclareOption{fussy}{\LGsloppy=0pt}
+\newcommand{\DefaultProc}{\@gobble}
+\newcommand{\DefaultProcCont}{\@gobble}
+\DeclareOption{procnames}{
+\renewcommand{\DefaultProc}[1]{\renewcommand{\Procname}{#1}%
+\global\setbox\procbox=\hbox{\PNsize #1}}
+\renewcommand{\DefaultProcCont}[1]{\renewcommand\Procname{#1}
+\global\setbox\procbox=\hbox{\PNsize\dots #1}}}
+\newbox\procbox
+\newcommand{\Procname}{}
+\ProcessOptions
+\def\BGfont{\sffamily}
+\def\CMfont{\rmfamily\itshape}
+\def\NOfont{\sffamily}
+\def\KWfont{\rmfamily\bfseries}
+\def\STfont{\ttfamily}
+\def\VRfont{\rmfamily}
+\def\PNsize{\BGfont\small}
+\def\LGsize{\small}
+\def\LGfsize{\footnotesize}
+\newif\ifLGinline
+\newif\ifLGd@fault
+\def\LGbegin{\ifLGinline$\hbox\else$$\vbox\fi\bgroup\LGd@faulttrue}
+\def\LGend{\ifLGd@fault\egroup\ifLGinline$\else$$\fi\LGd@faultfalse\fi}
+\newif\ifc@mment
+\newif\ifstr@ng
+\newif\ifright@
+\newbox\ls@far
+\newbox\tb@x
+\newdimen\TBw@d
+\newdimen\@ts
+{\catcode`\_=\active \gdef\@setunder{\let_=\sp@ce}}
+\newcommand{\lgrindheader}{}
+\newcommand{\lgrindfilename}{}\newcommand{\lgrindfilesize}{}
+\newcommand{\lgrindmodyear}{}\newcommand{\lgrindmodmonth}{}
+\newcommand{\lgrindmodday}{}\newcommand{\lgrindmodtime}{}
+\newenvironment{lgrind}[1][1]{%
+\def\Line##1{\L{\LB{##1}}}%
+\newcommand{\Head}[1]{\gdef\lgrindhead{##1}}%
+\newcommand{\File}[6]{\gdef\lgrindfilename{##1}\message{(LGround: ##1)}%
+ \gdef\lgrindmodyear{##2}\gdef\lgrindmodmonth{##3}%
+ \gdef\lgrindmodday{##4}\gdef\lgrindmodtime{##5}%
+ \gdef\lgrindfilesize{##6}}%
+\let\Proc=\DefaultProc%
+\let\ProcCont=\DefaultProcCont%
+\hfuzz=\LGsloppy
+\def\NewPage{\filbreak\bigskip}%
+\ifLGinline
+ \def\L##1{\setbox\ls@far\null{\CF\strut##1}\ignorespaces}%
+\else
+ \let\r@ghtlno\relax\let\l@ftlno\relax
+ \ifnum\LGnuminterval>\z@
+ \ifLGleftnum
+ \def\l@ftlno{\ifvoid\procbox\ifnum\lc@unt>\ln@xt
+ \global\advance\ln@xt by\LGnuminterval
+ \llap{{\normalfont\scriptsize\the\lc@unt\quad}}\fi
+ \else\llap{\box\procbox\quad}\fi}%
+ \else
+ \def\r@ghtlno{\ifvoid\procbox\ifnum\lc@unt>\ln@xt
+ \global\advance\ln@xt by\LGnuminterval
+ \rlap{{\normalfont\scriptsize\enspace\the\lc@unt}}\fi
+ \else\rlap{\enspace\box\procbox}\fi}%
+ \fi
+ \fi
+ \def\L##1{\@@par\setbox\ls@far=\null\strut
+ \global\advance\lc@unt by1%
+ \hbox to \hsize{\hskip\LGindent\l@ftlno ##1\egroup%
+ \hfil\r@ghtlno}%
+ \ignorespaces}%
+\fi
+\lc@unt=#1\advance\lc@unt by-1%
+\ln@xt=\LGnuminterval\advance\ln@xt by-1%
+\loop\ifnum\lc@unt>\ln@xt\advance\ln@xt by\LGnuminterval\repeat%
+\def\LB{\hbox\bgroup\bgroup\box\ls@far\CF\let\next=}%
+\def\Tab##1{\egroup\setbox\tb@x=\lastbox\TBw@d=\wd\tb@x%
+ \advance\TBw@d by 1\@ts\ifdim\TBw@d>##1\@ts
+ \setbox\ls@far=\hbox{\box\ls@far \box\tb@x \sp@ce}\else
+ \setbox\ls@far=\hbox to ##1\@ts{\box\ls@far \box\tb@x \hfil}\fi\LB}%
+\ifLGinline\def\sp@ce{\hskip .3333em}%
+\else \setbox\tb@x=\hbox{\texttt{0}}%
+ \@ts=0.8\wd\tb@x \def\sp@ce{\hskip 1\@ts}\fi
+\catcode`\_=\active \@setunder
+\def\CF{\ifc@mment\CMfont\else\ifstr@ng\STfont\fi\fi}
+\def\N##1{{\NOfont ##1}\global\futurelet\next\ic@r}%
+\def\K##1{{\KWfont ##1}\global\futurelet\next\ic@r}%
+\def\V##1{{\VRfont ##1}\global\futurelet\next\ic@r}%
+\def\ic@r{\let\@tempa\/\ifx.\next\let\@tempa\relax%
+ \else\ifx,\next\let\@tempa\relax\fi\fi\@tempa}%
+\def\C{\egroup\bgroup\CMfont \global\c@mmenttrue \global\right@false}%
+\def\CE{\egroup\bgroup \global\c@mmentfalse}%
+\def\S{\egroup\bgroup\STfont \global\str@ngtrue}%
+\def\SE{\egroup\bgroup \global\str@ngfalse}%
+\def\,{\relax \ifmmode\mskip\thinmuskip \else\thinspace \fi}%
+\def\!{\relax \ifmmode\mskip-\thinmuskip \else\negthinspace \fi}%
+\def\CH##1##2##3{\relax\ifmmode ##1\relax
+\else\ifstr@ng ##2\relax\else$##3$\fi\fi }%
+\def\{{\CH\lbrace {\char'173}\lbrace }%
+\def\}{\CH\rbrace {\char'175}\rbrace }%
+\def\1{\CH///}% % /
+\def\2{\CH\backslash {\char'134}\backslash }% % \
+\def\|{\CH|{\char'174}|}%
+\def\<{\CH<<<}%
+\def\>{\CH>>>}%
+\def\*{\CH***}\relax %\relax for DOCSTY
+\def\-{\CH---}%
+\def\_{\ifstr@ng {\char'137}\else
+ \leavevmode \kern.06em \vbox{\hrule width.35em}%
+ \ifdim\fontdimen\@ne\font=\z@ \kern.06em \fi\fi }%
+\def\&{\textsf{\char'046}}%
+\def\#{{\STfont\char'043}}%
+\def\%{{\char'045}}%
+\def\~{{\char'176}}%
+\def\3{\ifc@mment\ifright@ ''\global\right@false%
+ \else``\global\right@true \fi
+ \else{\texttt{\char'042}}\fi}%
+\def\4{\ifc@mment'\else {\texttt{\char'015}}\fi}%
+\def\5{{\texttt{\char'136}}}%
+\def\${{\ifmmode\slshape\else\ifdim\fontdimen\@ne\font>\z@\slshape\fi\fi
+ \char'044}}% %No $ in \it, use \sl
+\parindent\z@\parskip\z@ plus 1pt\hsize\linewidth%
+\bgroup\BGfont
+}
+{\egroup\@@par} % end of environment lgrind
+\def\lgrinde{\ifLGinline\else\LGsize\fi\begin{lgrind}}
+\def\endlgrinde{\end{lgrind}}
+\def\lagrind{\@ifstar{\@slagrind}{\@lagrind}}
+
+\def\@lagrind{\@ifnextchar[{\@@lagrind}{\@@lagrind[t]}}
+\def\@slagrind{\@ifnextchar[{\@@slagrind}{\@@slagrind[t]}}
+\def\@@lagrind[#1]#2#3#4{%
+ \begin{figure}[#1]
+\ifLGnorules\else\hrule\fi
+\vskip .5\baselineskip
+\begin{minipage}\columnwidth\LGsize\LGindent\z@
+ \begin{lgrind}
+\input #2\relax
+ \end{lgrind}
+\end{minipage}
+\vskip .5\baselineskip plus .5\baselineskip
+\ifLGnorules\else\hrule\fi\vskip .5\baselineskip
+\begingroup
+ \setbox\z@=\hbox{#4}%
+ \ifdim\wd\z@>\z@
+\caption{#3}%
+\label{#4}%
+ \else
+\captcont{#3}%
+ \fi
+\endgroup
+\vskip 2pt
+ \end{figure}
+}
+\def\@@slagrind[#1]#2#3#4{%
+ \begin{figure*}[#1]
+\ifLGnorules\else\hrule\fi
+\vskip .5\baselineskip
+\begin{minipage}\linewidth\LGsize\LGindent\z@
+ \begin{lgrind}
+\input #2\relax
+ \end{lgrind}
+\end{minipage}
+\vskip .5\baselineskip plus .5\baselineskip
+\ifLGnorules\else\hrule\fi\vskip .5\baselineskip
+\begingroup
+ \setbox\z@=\hbox{#4}%
+ \ifdim\wd\z@>\z@
+\caption{#3}%
+\label{#4}%
+ \else
+\captcont{#3}%
+ \fi
+\endgroup
+\vskip 2pt
+ \end{figure*}
+}
+\def\lgrindfile#1{%
+ \par\addvspace{0.1in}
+ \ifLGnorules\else\hrule\fi
+ \vskip .5\baselineskip
+ \begingroup\LGfsize\LGindent\z@
+\begin{lgrind}
+ \input #1\relax
+\end{lgrind}
+ \endgroup
+ \vskip .5\baselineskip
+ \ifLGnorules\else\hrule\fi
+ \addvspace{0.1in}
+}
+\endinput
+%%
+%% End of file `lgrind.sty'.
diff --git a/2004/netfilter-failover-ols2004/OLS2004-proceedings/EXAMPLE/complexCode/llvm.lst b/2004/netfilter-failover-ols2004/OLS2004-proceedings/EXAMPLE/complexCode/llvm.lst
new file mode 100644
index 0000000..8adbb23
--- /dev/null
+++ b/2004/netfilter-failover-ols2004/OLS2004-proceedings/EXAMPLE/complexCode/llvm.lst
@@ -0,0 +1,15 @@
+\lstdefinelanguage{LLVM}
+ {morekeywords={
+ begin,end,true,false,declare,global,constant,const,internal,implementation,
+ null,to,except,not,
+ void,bool,sbyte,ubyte,short,ushort,int,uint,long,ulong,float,double,type,label,opaque,
+ add,sub,mul,div,rem,and,or,xor,setne,seteq,setlt,setgt,setle,setge,
+ phi,call,cast,shl,shr,
+ ret,br,switch,invoke,
+ malloc,alloca,free,load,store,getelementptr
+ },
+ sensitive=true,
+% morecomment=[l]{;},
+% morestring=[b]",
+ }
+
diff --git a/2004/netfilter-failover-ols2004/OLS2004-proceedings/EXAMPLE/conditional.tex b/2004/netfilter-failover-ols2004/OLS2004-proceedings/EXAMPLE/conditional.tex
new file mode 100644
index 0000000..39dd102
--- /dev/null
+++ b/2004/netfilter-failover-ols2004/OLS2004-proceedings/EXAMPLE/conditional.tex
@@ -0,0 +1,15 @@
+
+Sometimes you have to do things differently depending on whether
+you're building the entire Proceedings... here's an example...
+
+\ifols
+\usepackage{cprog}
+\usepackage[nolineno,norules]{lgrind}
+\usepackage[hang,scriptsize]{subfigure}
+\else
+\usepackage{subfigure}
+%%% both of these break the Proceedings and are thus evil
+\usepackage{listings}
+\input{llvm.lst} % Get listing support for llvm code
+\fi
+
diff --git a/2004/netfilter-failover-ols2004/OLS2004-proceedings/EXAMPLE/figures.tex b/2004/netfilter-failover-ols2004/OLS2004-proceedings/EXAMPLE/figures.tex
new file mode 100644
index 0000000..0f96dd6
--- /dev/null
+++ b/2004/netfilter-failover-ols2004/OLS2004-proceedings/EXAMPLE/figures.tex
@@ -0,0 +1,40 @@
+
+\begin{figure}[tb]
+ \begin{center}
+ \includegraphics[height=4cm]{ndp_table}\includegraphics[height=4cm]{ndp_table2}
+ \end{center}
+ \caption{NDP Table: Linux vs USAGI\label{ndp_table}}
+\end{figure}
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+Need the whole page? Note the asterisk after 'figure'...
+
+\begin{figure*}[t]
+\begin{center}
+\includegraphics[width=0.65\textwidth]{chaos} \ \\
+(a) Chip \hspace{3cm} (b) CPU
+\caption{A micrograph of an on-chip-multiprocessor M32R prototype chip}
+\label{chaos}
+\end{center}
+\end{figure*}
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+
+\begin{figure*}
+\begin{center}
+\begin{minipage}{16cm}
+\begin{center}
+\includegraphics[width=0.475\textwidth]{mappi}
+\hspace{1cm}
+\includegraphics[scale=0.7]{mappi_diagram}
+\end{center}
+\end{minipage}
+\caption{Mappi: the M32R FPGA evaluation board; it has the M32R
+softmacro on FPGA (CPU, MMU, Cache, SDI, SDRAMC, UART, Timer), FPGA
+Xilinx XCV2000E $\times$2, SDRAM(64MB), FlashROM, 10BaseT Ethernet,
+Serial 2ch, PC-card slot $\times$2, and Display I/F(VGA)} \label{mappi}
+\end{center}
+\end{figure*}
+
+
+
diff --git a/2004/netfilter-failover-ols2004/OLS2004-proceedings/EXAMPLE/includegraphics.tex b/2004/netfilter-failover-ols2004/OLS2004-proceedings/EXAMPLE/includegraphics.tex
new file mode 100644
index 0000000..01ab098
--- /dev/null
+++ b/2004/netfilter-failover-ols2004/OLS2004-proceedings/EXAMPLE/includegraphics.tex
@@ -0,0 +1,15 @@
+
+Various options can be used for scaling and cropping. Note
+that \textwidth and \columnwidth can be your friends for such
+operations -- most often, \columnwidth.
+
+\includegraphics[clip,width=\columnwidth]{ols2003-ipsec-fig-input}
+\includegraphics[scale=0.9]{scsi-ds}
+\includegraphics[clip,height=3.0in]{relayarch}
+\includegraphics[width=2cm]{tpch-host-based-component}
+\includegraphics[width=\linewidth]{tpcw-component}
+\includegraphics{efi-fig5}
+
+This one uses 90 percent of the column width:
+\includegraphics[width=0.9\columnwidth]{rmap_shadow_pages}
+
diff --git a/2004/netfilter-failover-ols2004/OLS2004-proceedings/EXAMPLE/legalese.tex b/2004/netfilter-failover-ols2004/OLS2004-proceedings/EXAMPLE/legalese.tex
new file mode 100644
index 0000000..8d6e10e
--- /dev/null
+++ b/2004/netfilter-failover-ols2004/OLS2004-proceedings/EXAMPLE/legalese.tex
@@ -0,0 +1,19 @@
+
+% Legalese should be avoided unless your lawyers insist. Even
+% then, it is typeset in small print because, although it may
+% need to be there, there isn't a programmer on the planet
+% who actively wants to read such stuff :-)
+\begin{small}
+\copyright ~2003 Your Lawyers, Inc.
+Permission to redistribute in accordance with Linux Symposium
+submission guidelines is granted; all other rights reserved.
+A Bunch Of Things, and the Bunch Of Things logo are
+registered trademarks and
+NameOne, NameTwo, and NameThree are trademarks of Your Lawyers, Inc.,
+in the United States and/or other countries worldwide.
+Linux is a registered trademark of Linus Torvalds.
+Intel and Itanium are registered trademarks
+of Intel Corporation.
+All other trademarks mentioned herein are the property of their
+respective owners.
+\end{small}
diff --git a/2004/netfilter-failover-ols2004/OLS2004-proceedings/EXAMPLE/multipleAuthors.tex b/2004/netfilter-failover-ols2004/OLS2004-proceedings/EXAMPLE/multipleAuthors.tex
new file mode 100644
index 0000000..fd89e77
--- /dev/null
+++ b/2004/netfilter-failover-ols2004/OLS2004-proceedings/EXAMPLE/multipleAuthors.tex
@@ -0,0 +1,68 @@
+
+Sometimes there are more than two authors, or the authors wish to have
+a slightly different layout of names. That's fine, and here are some
+examples. Just keep the font sizes and families consistent.
+Note that we use Name, Institution, and Email address; postal addresses
+are generally omitted for this conference. (Examples below use
+fictitional email addresses, although they are otherwise from
+the 2003 Linux Symposium.)
+
+
+\title{Linux Support for NUMA Hardware}
+
+\author{
+Matthew Dobson, Patricia Gaughen, Michael Hohnbaum \\
+{\em IBM LTC, Beaverton, Oregon, USA}\\
+{\tt\normalsize one@email.addr, two@email.addr, three@email.addr} \\
+%
+\smallskip
+Erich Focht \\
+{\em NEC HPCE, Stuttgart, Germany}\\
+{\tt\normalsize four@other.email.addr}
+} % end author
+
+\maketitle
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+
+\title{Linux\textregistered ~Scalability for Large NUMA Systems}
+
+\author{
+Ray Bryant and John Hawkes \\
+{\em Silicon Graphics, Inc.}\\
+{\tt\normalsize one@email.addr ~~~~~~~ two@email.addr}\\
+} % end author
+
+\maketitle
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+
+The 'and' construct may be used for more than two authors:
+
+\title{Linux IPv6 Networking \\
+{\normalsize Past, Present, and Future}}
+
+\author{
+Hideaki Yoshifuji \\
+{\em The University of Tokyo}\\
+{\tt\normalsize one@email.addr} \\
+\and
+Kazunori Miyazawa \\
+{\em Yokogawa Electric Corporation} \\
+{\tt\normalsize two@email.addr} \\
+\and
+Yuji Sekiya \\
+{\em The University of Tokyo}\\
+{\tt\normalsize three@email.addr} \\
+\and
+Hiroshi Esaki \\
+{\em The University of Tokyo}\\
+{\tt\normalsize four@another.email.addr}
+\and
+Jun Murai \\
+{\em Keio University}\\
+{\tt\normalsize five@a.different.email.addr}
+}
+
+\maketitle
+
diff --git a/2004/netfilter-failover-ols2004/OLS2004-proceedings/EXAMPLE/myPaper.pdf b/2004/netfilter-failover-ols2004/OLS2004-proceedings/EXAMPLE/myPaper.pdf
new file mode 100644
index 0000000..9a3f880
--- /dev/null
+++ b/2004/netfilter-failover-ols2004/OLS2004-proceedings/EXAMPLE/myPaper.pdf
Binary files differ
diff --git a/2004/netfilter-failover-ols2004/OLS2004-proceedings/EXAMPLE/myPaper.tex b/2004/netfilter-failover-ols2004/OLS2004-proceedings/EXAMPLE/myPaper.tex
new file mode 100644
index 0000000..a0300c2
--- /dev/null
+++ b/2004/netfilter-failover-ols2004/OLS2004-proceedings/EXAMPLE/myPaper.tex
@@ -0,0 +1,495 @@
+\documentclass[twocolumn,12pt]{article}
+\usepackage{ols}
+\ifpdf
+\usepackage[pdftex]{epsfig}
+\else
+\usepackage{epsfig}
+\fi
+\input{ols-fonts}
+
+\begin{document}
+
+% Required: Do not print the date.
+\date{}
+
+\title{Formatting Tips and Tricks: \\
+ {\normalsize Some potentially helpful examples}}
+
+\author{
+John W.\ Lockhart \\
+{\em Red Hat, Inc.}\\
+{\tt\normalsize lockhart@\{oco.net,redhat.com\}}\\
+\and
+Optional Second Author\\
+{\em Second Institution}\\
+{\tt\normalsize another@address.for.email.com}\\
+} % end author section
+
+\maketitle
+
+% Required: Suppress page numbers on title page
+\thispagestyle{empty}
+
+\section*{Abstract}
+This example paper contains tips and tricks to ensure that what you
+write is what appears in the \textit{Proceedings} with as little
+editing as possible. The most important parts are at the end; please
+read them.
+
+If you are new to {\LaTeX}, please read this paper in its entirety,
+and check out its source and any other \texttt{.tex} files in the
+\texttt{\small EXAMPLE} directory.
+
+If you have a paper from OLS-2002 or the 2003 Linux Symposium or GCC
+Summit, and would like to crib from its final formatting, please drop
+me a note and I'll be happy to send along the edited source.
+Likewise, if you would like a copy of the final edited form of this
+year's source, just let me know.
+
+The tree was created based on the information on the conference
+website. If you don't have a subdirectory, create one along the same
+lines. Blank materials are in the \texttt{\small TEMPLATES}
+directory; \texttt{ProtoMake} and \texttt{Blank.tex} are probably the
+most interesting files. Likewise, if your Abstract was available when
+I looked, it has been included. Feel free to edit it; it's just there
+to get you started and to provide an example of how to properly
+include files should you need to.
+
+
+\section{Simple Formatting Tricks}
+
+\LaTeX\ is just a fancy markup language\ldots \textit{most} of the
+time.
+
+Some of the more common font and layout conventions follow:
+\begin{itemize}
+\item \texttt{texttt} produces \texttt{typewriter} style.
+\item \texttt{textit} produces \textit{italics}.
+\item \texttt{textbf} produces \textbf{boldface}.
+\item \texttt{textsc} produces \textsc{small caps}.
+\item \texttt{\textit{Font}} \textbf{\textsc{styles}} can be
+ \textit{\textbf{combined}}\footnote{Often eye-breakingly. Restraint is Good.}
+\end{itemize}
+
+Paragraphs
+ can be awfully messy
+in the source, and even
+% what, a comment?
+have comments interspersed. Be careful with % unintentional
+percent signs---75\% of the time you'll accidentally comment out the
+rest of the text on the line.
+
+Unescaped dollar signs will put you into math mode, so be likewise
+careful. Of course, that's sometimes exactly where you \textit{want}
+to be.
+
+Tildes do not produce tildes in \LaTeX ---think instead of
+\textsc{html}'s \texttt{\&nbsp;} and you'll get the picture. Instead,
+you can use \texttt{{\textbackslash}{\~{}}\{\}} or
+\texttt{{\textbackslash}textasciitilde} to produce a tilde.
+Table~\ref{lockhart-tab1} provides a list of characters that require
+special handling. Note that tables may ``float''---that is, {\LaTeX}
+might move your table to a place where it all fits on a single page,
+rather than putting it exactly where you have included it in your
+source.
+%
+% that's
+% \~{}
+% or
+% \textasciitilde
+% for a tilde (without all the extra typesetting).
+% Escape anything but a backslash by using a backslash. Backslash
+% itself is \textbackslash (as seen above).
+
+\begin{table}[!th]
+\centering
+\begin{small}
+\begin{tabular}[b]{c|c|p{2.3cm}}
+Char & Command & Otherwise \\
+\hline
+% #
+\# & \texttt{{\textbackslash}\#} & argument number \tabularnewline
+\hline
+% $
+\$ & \texttt{{\textbackslash}\$} & toggle math mode \tabularnewline
+\hline
+% %
+\% & \texttt{{\textbackslash}\%} & comment: ignore rest of line \tabularnewline
+\hline
+% &
+\& & \texttt{{\textbackslash}\&} & tabstop \tabularnewline
+\hline
+% _
+\_ & \texttt{{\textbackslash}{\_}} & subscript in math mode \tabularnewline
+\hline
+% {
+\{ & \texttt{{\textbackslash}\{} & open environment \tabularnewline
+\hline
+% }
+\} & \texttt{{\textbackslash}\}} & close environment \tabularnewline
+\hline
+% ~
+{\~{}} & \texttt{{\textbackslash}{\~{}}\{\}} & non-breaking space \tabularnewline
+{\textasciitilde} & \texttt{{\textbackslash}textasciitilde} & non-breaking space \tabularnewline
+\hline
+% \
+{\textbackslash} & \texttt{{\textbackslash}textbackslash} & begin command \tabularnewline
+\end{tabular}
+\end{small}
+\caption{{\LaTeX} characters that require special handling}
+\label{lockhart-tab1}
+\end{table}
+
+\subsection{New Macros}\label{lockhart-newmacros}
+
+A number of macros based on the \texttt{url} package have been created
+for this year. They are:
+\begin{itemize}
+\item \ident{ident} -- intended for identifiers,
+ \texttt{{\textbackslash}ident\{some\_text\}} sets the text in
+ \texttt{tt} and may break the line at any punctuation. Spaces are deleted.
+\item \ident{lident} -- intended for long identifiers, this works the
+ same as \ident{ident}, but sets the text in a smaller font.
+\item \ident{code} -- intended for short excerpts of code, this works
+ like \ident{ident}, except that spaces are preserved. Lines are not
+ broken on spaces.
+\item \ident{lcode} -- intended for longer excerpts of code, this works
+ like \ident{code}, except that text is set in a smaller font. This
+ probably does not work correctly for multi-line code fragments;
+ consider using the \texttt{cprog} package for that.
+\item \ident{brcode} -- intended for excerpts of source code, this works
+ like \ident{code}, except that line breaks may occur at spaces.
+\item \ident{lbrcode} -- intended for excerpts of source code, this works
+ like \ident{brcode}, except that text is set in a smaller font.
+\end{itemize}
+
+Examples are shown in Table~\ref{lockhart-macro-examples}.
+
+\begin{table*}[tb]
+\begin{itemize}
+\item \verb|\ident{a_long_identifier}| --- this example in turn yields \ident{a_long_identifier}
+
+\item \texttt{{\textbackslash}lident|an\_even\_lon ger\_identifier|} --- this
+ in turn
+ yields \lident|an_even_lon ger_identifier|
+
+\item \verb|\lcode{int un_useful(int *a) { return *a; }}| --- this
+ yields
+ \lcode{int un_useful(int *a) { return *a; }}
+
+\item \verb|\lbrcode{int un_useful(int *a) { return *a; }}| --- this
+ yields
+ \lbrcode{int un_useful(int *a) { return *a; }}
+
+\end{itemize}
+\caption{Examples of New Macros}
+\label{lockhart-macro-examples}
+\end{table*}
+
+\section{Typesetting conventions}
+
+You shouldn't have to worry too much here, but I'll illustrate a few
+things.
+
+Quotation marks, both `single' and ``double,'' look good in body text,
+while other \texttt{"styles"} might look better for other uses. Note
+that when you're typesetting for a compiler, punctuation goes outside
+the \texttt{"quotation marks",} but punctuation is placed
+\textit{inside} the quotation marks for ``narrative.''
+
+There are multiple flavors of dashes---the em dash, the en--dash, the
+oft-used hyphen, and the minus sign (math mode: $2x - 3$).
+
+\subsection{Choices for uniformity}
+
+For source code, we have chosen the common style of not beginning a
+line with a comma. The compiler doesn't care, but keeping the printed
+page consistent between papers is useful.
+
+Identifiers may need to be split between lines, so we use a typewriter font
+and mark up the string appropriately:
+\texttt{sys\_\linebreak[0]sched\_\linebreak[0]yield()} or
+\texttt{\small A\_\linebreak[0]REALLY\_\linebreak[0]LONG\_\linebreak[0]IDENTIFIER\_\linebreak[0]THAT\_\linebreak[0]NEEDS\_\linebreak[0]TO\_\linebreak[0]BE\_\linebreak[0]THIS\_\linebreak[0]LONG}
+would be good examples\footnote{Alternatively, see the macros in
+Section~\ref{lockhart-newmacros}.}. To tell {\LaTeX} that an unhyphenated line
+break is okay if required, just use \texttt{{\textbackslash}linebreak[0]}.
+
+\subsection{Points of English}
+
+A few nitpicks:
+\begin{enumerate}
+\item \textit{it's} is a macro which expands to \textit{it is}. It
+ has no other meaning.
+\item \textit{its} is possessive.
+\item Items in a series are: \textit{a}, \textit{b}, and \textit{c}.
+ Never \textit{a}, \textit{b} and \textit{c}. This rule makes it
+ much simpler when you must use complex values of (for example)
+ \textit{b}. For truly long constructs, you may use a semicolon
+ as a delimiter rather than a comma.
+\item Some phrases should be hyphenated---for instance, when you're
+ using an adjective to modify another adjective, or a noun that
+ appears before another. A high-performance system; a win-win
+ situation; a high-level loop transformation; a slow-moving train,
+ but a slowly moving car; that sort of thing. Most of the time,
+ people will still be able to parse the results easily if the sentence isn't
+ perfect.
+\item Be happy, know your homonyms. There, they're, their. To, two,
+ too. Your, you're. And so forth. Spelling checkers show their
+ limitations on this\ldots
+\end{enumerate}
+
+Of course, proofreading is a wonderful thing, and every bit of it you
+(or any guinea pigs you can persuade) do is a Good Thing. I'll
+correct what I notice, but I have only two eyes and there's a lot of
+margin-crunching formatting to be done. There are certain
+times, often with non-native speakers, where I'm not clear on the
+meaning. If I catch something like that in time, I'll ask; if not,
+chances are that I'll keep my hands off of the section in question so
+as not to insert a woefully incorrect meaning.
+
+\section{Tools}
+
+It helps to have the following installed on your system:
+\begin{itemize}
+\item \textbf{\tt tetex}. The most common \TeX\ package for Linux.
+\item \textbf{\tt transfig}. Graphics in \texttt{.fig} format,
+ useful for figures.
+\item \textbf{\tt dia}. Also useful for figures.
+\item \textbf{\tt ImageMagick}. Great for photographs and graphics
+ manipulation \& conversion.
+\item \textbf{\tt xpdf} or \textbf{\tt acroread} for viewing PDF files.
+\item Utilites often found in {\tt tetex}, but which your distribution
+ may have packaged separately: \texttt{xdvi}, \texttt{dvips},
+ \texttt{pdflatex}.
+\item \textbf{\tt ghostscript} for handling Postscript.
+\end{itemize}
+
+\section{Examples}
+
+Some examples from previous conferences have been included
+in this package; hopefully they'll be useful in handling code
+examples. Reducing everything to \texttt{footnotesize} or setting it
+\texttt{verbatim} won't magically make it fit on the page, alas. Have
+a look in the \texttt{EXAMPLE} directory to find these items:
+\begin{itemize}
+\item {\raggedright \texttt{\small bibli\-og\-raphy.tex}, \texttt{\small bibli\-og\-ra\-phy2.tex}, and
+ \texttt{\small ref\-er\-ences.tex}. Different ways of citing any relevant
+ works external to your paper.}
+\item \texttt{conditional.tex}. If you have {\LaTeX} code that works
+ only by itself and need to do conditional processing, here's an example.
+\item \texttt{\small complexCode/complexFigure.tex}. An example of a complex
+ figure containing side-by-side C code.
+\item \texttt{figures.tex}. Different ways of doing figures.
+\item \texttt{includegraphics.tex}. Different ways to include graphics.
+\item \texttt{legalese.tex}. Legal disclaimers.
+\item \texttt{multipleAuthors.tex}. Formatting examples for multiple authors.
+\item \texttt{tables.tex}. Different ways to do tables.
+\end{itemize}
+
+\subsection{Bad Examples}
+
+A prior year's paper gave the example of setting \texttt{verbatim}
+sections in \texttt{tt}. Repetitiously and redundantly enough, that's
+the default. So, please, no instances of
+\begin{verbatim}
+ {\tt
+ \begin{verbatim}
+ ...
+\end{verbatim}
+
+\begin{small}
+\centering
+\textbf{Corrected.} You might, however, wish to do something like this instead:
+\begin{verbatim}
+ \begin{small}
+ \centering
+ \textbf{Corrected.} You ...
+ \begin{verbatim}
+ ...
+\end{verbatim}
+\end{small}
+Of course, check the source of this document
+(\lident{EXAMPLE/myPaper.tex}) for more ideas. Valid font sizes, for
+instance, include \texttt{normalsize}, \texttt{small},
+\texttt{footnotesize}, \texttt{scriptsize}, and \texttt{tiny}. Please
+don't use anything larger than \texttt{normalsize}.
+
+
+Another extant bad example is the practice of ending paragraphs with a
+double backslash (\texttt{\textbackslash\textbackslash}) \textit{and}
+a blank line. This creates unwanted, superfluous whitespace between
+paragraphs. \LaTeX\ is, believe it or not, supposed to be easy. Just
+leave one or more blank lines between paragraphs and you'll be fine.
+
+
+\section{Style packages}
+
+I've included the \texttt{combine} package used for last year's
+\textit{Proceedings}. Just copy (or move) the \texttt{texmf}
+directory to your home directory. You should then be able to use the
+``BigBuild'' script to produce a sample \textit{Proceedings}.
+
+One environment is setting necessary to make everything work:
+\begin{center}
+{\footnotesize \texttt{export TEXINPUTS='.//:\$\{LOCALTEX\}//:'}}
+\end{center}
+%
+% or for those of you who'd like to cut'n'paste from the source:
+% export TEXINPUTS='.//:${LOCALTEX}//:'
+%
+If you add the above to your \texttt{\textasciitilde/.bashrc}, you can
+dispense with \texttt{BigBuild} and just use \texttt{make}.
+
+Should you wish to download and install the latest and greatest
+version of \texttt{combine}, it may be found at
+\begin{center}\small
+\texttt{http://www.tex.ac.uk\linebreak[0]/tex-archive\linebreak[0]/macros\linebreak[0]/latex\linebreak[0]/contrib\linebreak[0]/supported\linebreak[0]/combine}
+\end{center}
+
+The most common cause of build problems is including style packages
+that aren't compatible with \texttt{combine}. Unfortunately, this
+includes\footnote{At least using last year's versions, that was the case.}
+things like \texttt{hyperref} and \texttt{html}---two
+otherwise-wonderful packages for handling URLs and such.
+
+\section{Graphics and Symbols}
+
+For importing graphics, don't forget to omit any file extensions.
+That's because \texttt{latex} and \texttt{pdflatex} look for
+different formats.
+
+The easiest ways to get special symbols such as
+Registered\textregistered\ and Trademark\texttrademark\
+is to use the \LaTeX\ 2e \texttt{{\textbackslash}text} constructs:
+thus, \texttt{{\textbackslash}textregistered} and
+\texttt{{\textbackslash}texttrademark}.
+
+\section{\TeX\ References}
+
+See \texttt{\small http://www.tug.org/} and especially
+\texttt{\small http://www.tug.org/begin.html} for
+online and paper references.
+
+For a free and extremely useful document, try:
+\texttt{\small http://www.tug.org\linebreak[0]/tex-archive\linebreak[0]/info\linebreak[0]/lshort\linebreak[0]/english\linebreak[0]/lshort.pdf}.
+Note that translations\footnote{French, for instance:
+\url{http://www.tug.org/tex-archive/info/lshort/french/flshort-3.20.pdf};
+note also that this section of the Example paper shows different ways
+of handling URLs.}
+are available, for those more comfortable in something other than
+English:
+\texttt{\small http://www.tug.org\linebreak[0]/tex-archive\linebreak[0]/info\linebreak[0]/lshort/}
+
+%%% Cut'n'paste versions of those URLs:
+% http://www.tug.org/tex-archive/info/lshort/english/lshort.pdf
+% http://www.tug.org/tex-archive/info/lshort/french/flshort-3.20.pdf
+% http://www.tug.org/tex-archive/info/lshort/
+
+I tend to use \textit{A Guide to \LaTeX} (Kopka \& Daly, ISBN 0-201-39825-7) and the
+\textit{\LaTeX\ Graphics Companion} (Goossens, Rahtz, \& Mittelbach)
+the most these days.
+
+You are also welcome to send questions to me at
+\texttt{{lockhart}{@}{redhat.com}} (work) or
+\texttt{{lockhart}{@}{oco.net}} (home).
+%
+% {}'s begin a new environment in TeX, as in C.
+% A few extra {}'s might let an email address escape notice
+% by spammers' collecting 'bots, should the .tex file wind
+% up on a website somewhere at some point.
+%
+
+As usual, please refrain from submitting anything remotely resembling
+a Microsoft Word \texttt{.doc} file\ldots \texttt{<grimace>}. It's a
+\textit{lot} easier for me to fix up plain ASCII text and
+convert/insert accompanying graphics, if you find yourself terminally
+confused or in a dire emergency.
+
+\begin{figure}[!ht]
+\begin{center}
+\begin{footnotesize}
+\begin{verbatim}
+ cd yourLastName
+ make clean
+ cd ..
+ tar zcf yourLastName.tar.gz \
+ yourLastName
+\end{verbatim}
+\end{footnotesize}
+\caption{Submitting a paper}
+\end{center}
+\label{lockhart-fig1}
+\end{figure}
+
+\section{Simple rules to keep your formatting team happy}
+\begin{enumerate}
+\item To submit your paper, just \texttt{make clean} in your
+ directory, \texttt{tar} it up, and send the resulting gzipped tarball to
+ \texttt{papers@linuxsymposium.org} or \texttt{papers@gccsummit.org},
+ as appropriate. See Figure~\ref{lockhart-fig1} for an example.
+\item Use the existing directory structure, please. The directory
+ names are intended to be the last name of the presenter (lowercase,
+ punctuation omitted); the main paper should be
+ \texttt{lastname.tex} and any additional files should be
+ \texttt{lastname-file.extension}. This is because we use the
+ \texttt{combine} package to put all the papers together, and
+ instruct {\LaTeX} to search the entire (sub)directory hierarchy for
+ input files. You don't want someone else's file by mistake, right?
+ Putting your name on it helps to keep things straight. The same
+ goes for \verb|\label{}| and \verb|\ref{}| commands.
+\item Omit file extensions and pathnames in your {\LaTeX} source,
+ please. By omitting the path and just saying \texttt{{\textbackslash}input\{lockhart-abstract\}},
+ a paper can be built from both its directory and from its
+ parent directory. For graphics, omitting the extension lets \texttt{latex} or
+ \texttt{pdflatex} pick its preferred input format for the best
+ possible results.
+\item No proprietary document/graphics formats, please. This especially means MS
+ Office, Visio, or other such tools. \LaTeX\ can, however, import
+ EPS and PDF, if you can save in those formats.
+\item Originals, please. For example, if you have photographs, send
+ along the full-resolution JPG (crop out any undesired elements if
+ necessary, but use the maximum resolution). For diagrams, the XFig or Dia files.
+ This ensures the best possible print quality. Printing will be in
+ black and white, but the online PDF's will be in full color. Your
+ screen is probably about 72dpi, but the typesetter is probably using
+ something that's at least 1200dpi. The more resolution, the better.
+ Since hardcopy will be printed in Ottawa, the papersize will be
+ North American ``letter.'' Please keep that in mind if you are
+ concerned about page breaks and such.
+\item Do \textbf{\textit{not}} use sans-serif fonts, or go changing
+ global font sizes. We're using 12-point Times Roman for body text.
+ Likewise, please don't go haywire with italics. I once received a
+ huge collection of tables, each of which set the font size and face
+ on an item-by-item basis. \textit{Incorrectly}.
+\item The Postscript--to/from--PDF conversion tools aren't always a
+ good choice\ldots try it yourself and see. There's a good reason we
+ use \texttt{pdflatex} directly\ldots
+\item Those of you who like to begin lines of code with commas: as
+ previously mentioned, we're
+ typesetting the code with the comma attached to the preceding
+ identifier (as most publishers do). Feel free to post your
+ preferred version to the web and to refer to it in the paper.
+\item If possible, please avoid trivial new macros. Should you need
+ to add something, though, please use
+ \texttt{{\textbackslash}providecommand} rather than
+ \texttt{{\textbackslash}newcommand}, and preface the command with
+ your last name. This minimizes naming conflicts in the global
+ namespace of \texttt{combine}, and helps to ensure that you get the
+ macro that you want.
+\item Trivia note: generally speaking, it takes longer to edit a
+ submission from a {\TeX}spert than plain, unmarked ASCII. If you
+ consider yourself a {\LaTeX} expert and love to write fancy new
+ commands, please consider contributing clean-ups or well-tested
+ new features for the infrastructure rather than customizing the
+ daylights out of your submission. Thanks!
+\end{enumerate}
+
+This paper builds correctly using the tetex-1.0.7-66 package on Red
+Hat Linux 9, and also on Fedora Core 2 (Test 1) with tetex-2.0.2-12.1.
+Other distributions haven't been tested, but should work. If you run
+into problems, please let me know.
+
+And remember, it's only typesetting, not rocket science. Or hacking
+compilers or kernels. \texttt{:-)} Have some fun along the way\ldots
+
+\end{document}
diff --git a/2004/netfilter-failover-ols2004/OLS2004-proceedings/EXAMPLE/references.tex b/2004/netfilter-failover-ols2004/OLS2004-proceedings/EXAMPLE/references.tex
new file mode 100644
index 0000000..9359956
--- /dev/null
+++ b/2004/netfilter-failover-ols2004/OLS2004-proceedings/EXAMPLE/references.tex
@@ -0,0 +1,29 @@
+
+For those who don't want to use BiBTeX, a simple References section
+can do the trick. The following is from Rik van Riel's 2003
+Linux Symposium paper:
+
+\section{References}
+\raggedright
+Draves, Richard P. \textit{Page Replacement and Reference Bit
+Emulation in Mach.} In Proceedings of the USENIX Mach Symposium,
+Monterey, CA, November 1991.
+
+Y.\ Smaragdakis, S.\ Kaplan, and P.\ Wilson, \textit{EELRU: Simple and
+Effective Adaptive Page Replacement} in Proceeding of the 1999 ACM
+SIGMETRICS Conference, 1999.
+
+Gideon Glass and Pei Cao. \textit{Adaptive Page Replacement Based on
+Memory Reference Behavior.} In Proceedings of ACM SIGMETRICS 1997,
+June, 1997.
+
+D.\ Lee, J.\ Choi, J.-H.\ Kim, S.H.\ Noh, S.L.\ Min, Y.\ Cho, and
+C.S.\ Kim, \textit{LRFU: A spectrum of policies that subsumes the
+least recently used and least frequently used policies} IEEE
+Trans.\ Computers, vol.\ 50, no.\ 12, pp. 1352--1360, 2001.
+
+S.\ Jiang and X.\ Zhuang. \textit{LIRS: An efficient low inter-reference
+recency set replacement policy to improve buffer cache performance.}
+In Proc.\ of SIGMETRICS 2002.
+
+
diff --git a/2004/netfilter-failover-ols2004/OLS2004-proceedings/EXAMPLE/tables.tex b/2004/netfilter-failover-ols2004/OLS2004-proceedings/EXAMPLE/tables.tex
new file mode 100644
index 0000000..e2cfb6c
--- /dev/null
+++ b/2004/netfilter-failover-ols2004/OLS2004-proceedings/EXAMPLE/tables.tex
@@ -0,0 +1,79 @@
+
+A simple table....
+
+\begin{table}[tbph]
+\begin{center}
+\caption{Summary of TAHI Conformance Test (usagi24-s20020401, \%)\label{tahi-usagi24}}
+\begin{tabular}{|c|c|c|c|}
+\hline
+Test Series & Pass & Warn & Fail \\
+\hline
+\hline
+Spec. & 100 & 0 & 0 \\
+ICMPv6 & 100 & 0 & 0 \\
+Neighbor Discovery & 79 & 5 & 15 \\
+Autoconf & 98 & 2 & 0 \\
+PMTU & 50 & 0 & 50 \\
+IPv6/IPv4 Tunnel & 100 & 0 & 0 \\
+Robustness & 100 & 0 & 0 \\
+\hline
+\end{tabular}
+\end{center}
+\end{table}
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+
+A full-page, far more complex table....
+
+\begin{table*}[t]
+\begin{center}
+\footnotesize
+\begin{tabular}{|l|l||r|r|r|r|r|r|r|r|r||r|}
+ \hline
+ \multicolumn{2}{|c||}{} & & \multicolumn{2}{|c|}{ANSI.os}
+ & & \multicolumn{2}{|c|}{POSIX.os} & \multicolumn{2}{|c|}{LSB.os}
+ & & RedHat7.3 \\
+ \cline{4-5} \cline{7-10}
+ \multicolumn{2}{|c||}{\raisebox{1.3ex}[0pt]{Section}}
+ & \multicolumn{1}{|c|}{\raisebox{1.3ex}[0pt]{ANSI.hdr}}
+ & \multicolumn{1}{|c|}{F} & \multicolumn{1}{|c|}{M}
+ & \multicolumn{1}{|c|}{\raisebox{1.3ex}[0pt]{POSIX.hdr}}
+ & \multicolumn{1}{|c|}{F} & \multicolumn{1}{|c|}{M}
+ & \multicolumn{1}{|c|}{F} & \multicolumn{1}{|c|}{M}
+ & \multicolumn{1}{|c||}{\raisebox{1.3ex}[0pt]{Total}} & Total \\
+ \hline
+ \hline
+ & Expect
+ & 386 & 1244 & 1244 & 394 & 1600 & 1600 & 908 & 908 & 8284 & 8284 \\
+ \cline{2-12}
+ \multicolumn{1}{|c|}{\raisebox{1.3ex}[0pt]{Total}}
+ & Actual
+ & 386 & 1244 & 1244 & 394 & 1600 & 1600 & 908 & 908 & 8284 & 8284 \\
+ \hline
+ \multicolumn{2}{|l||}{Succeeded}
+ & 176 & 1112 & 86 & 207 & 1333 & 0 & 695 & 0 & 3609 & 3583 \\
+ \multicolumn{2}{|l||}{Failed}
+ & 4 & 0 & 0 & 5 & 2 & 0 & 49 & 0 & 60 & 45 \\
+ \multicolumn{2}{|l||}{Warnings}
+ & 0 & 12 & 0 & 0 & 5 & 0 & 2 & 0 & 19 & 18 \\
+ \multicolumn{2}{|l||}{FIP}
+ & 2 & 0 & 0 & 2 & 2 & 0 & 1 & 0 & 7 & 7 \\
+ \multicolumn{2}{|l||}{Unresolved}
+ & 0 & 0 & 0 & 0 & 0 & 0 & 5 & 0 & 5 & 4 \\
+ \multicolumn{2}{|l||}{Uninitiated}
+ & 0 & 0 & 0 & 0 & 0 & 0 & 0 & 0 & 0 & 0 \\
+ \multicolumn{2}{|l||}{Unsupported}
+ & 203 & 0 & 0 & 179 & 72 & 0 & 59 & 0 & 513 & 513 \\
+ \multicolumn{2}{|l||}{Untested}
+ & 0 & 4 & 0 & 0 & 7 & 0 & 39 & 0 & 50 & 43 \\
+ \multicolumn{2}{|l||}{NotInUse}
+ & 1 & 116 & 1158 & 1 & 179 & 1600 & 58 & 908 & 4021 & 4021 \\
+ \hline
+\end{tabular}
+Key: F:function, M:macro;\ FIP: Further Information Provided
+\end{center}
+\hspace{5mm}
+\caption{LSB 1.2 testsuites result}
+\label{lsb_result}
+\end{table*}
+
diff --git a/2004/netfilter-failover-ols2004/OLS2004-proceedings/Makefile b/2004/netfilter-failover-ols2004/OLS2004-proceedings/Makefile
new file mode 100644
index 0000000..66dfd97
--- /dev/null
+++ b/2004/netfilter-failover-ols2004/OLS2004-proceedings/Makefile
@@ -0,0 +1,61 @@
+
+.SUFFIXES: .dvi .tex .ps .eps .tif .pdf .fig .bbl .bib .gif
+
+MASTER=MasterOLS
+TMASTER=MasterOLS-2side
+TESTER=QuickMaster
+SUBDIRS=welte
+
+
+all : eachdir ps pdf
+
+eachdir :
+ for i in $(SUBDIRS) ; do $(MAKE) -C $$i ; done
+
+clean : topclean
+ for i in $(SUBDIRS) ; do $(MAKE) -C $$i clean ; done
+
+topclean :
+ rm -f *.aux *.log $(MASTER)-bak.pdf $(MASTER).dvi $(MASTER).ps
+ rm -f *.bbl $(MASTER).bbl $(MASTER).blg
+ if [ -f $(MASTER).pdf ] ; then mv $(MASTER).pdf $(MASTER)-bak.pdf ; fi
+
+
+ps : $(MASTER).dvi
+ dvips -o $(MASTER).ps $(MASTER)
+
+# there seems to be a problem with extra brackets in some
+# figure refs that occasionally crops up on the first run...
+# thus the nonstop mode...
+
+$(MASTER).dvi:
+ latex -interaction=nonstopmode $(MASTER) || true
+ bibtex $(MASTER) || true
+ latex $(MASTER) || true
+ latex $(MASTER)
+
+twoside:
+ latex -interaction=nonstopmode $(TMASTER) || true
+ bibtex $(TMASTER) || true
+ latex -interaction=nonstopmode $(TMASTER) || true
+ latex $(TMASTER)
+
+twosidepdf:
+ pdflatex -interaction=nonstopmode $(TMASTER) || true
+ bibtex $(TMASTER) || true
+ pdflatex $(TMASTER) || true
+ pdflatex $(TMASTER)
+
+pdf:
+ pdflatex -interaction=nonstopmode $(MASTER) || true
+ bibtex $(MASTER) || true
+ pdflatex $(MASTER) || true
+ pdflatex $(MASTER)
+
+test:
+ pdflatex -interaction=nonstopmode $(TESTER) || true
+ bibtex $(TESTER) || true
+ pdflatex $(TESTER) || true
+ pdflatex $(TESTER)
+
+
diff --git a/2004/netfilter-failover-ols2004/OLS2004-proceedings/MasterOLS-2side.tex b/2004/netfilter-failover-ols2004/OLS2004-proceedings/MasterOLS-2side.tex
new file mode 100644
index 0000000..aef21ca
--- /dev/null
+++ b/2004/netfilter-failover-ols2004/OLS2004-proceedings/MasterOLS-2side.tex
@@ -0,0 +1,538 @@
+%% First set up a variable that docs can check
+%% to see if we're doing the whole proceedings at once.
+%% This can make a difference in how things are to be
+%% processed, especially in instances where TeX's default
+%% internal memory is insufficient for the whole proceedings,
+%% but would work fine for a single document.
+%%
+%% Mostly it's used to conditionally create substitute commands
+%% for packages like hyperref and html that won't play
+%% nicely with the combine package.
+%%
+
+\newcount\olsmaster
+\olsmaster=1
+
+\documentclass[twocolumn,twoside,12pt]{combine}
+\usepackage{ols}
+\ifpdf
+\usepackage[pdftex]{epsfig}
+\else
+\usepackage{epsfig}
+\fi
+\usepackage{rotating}
+
+% Other packages that authors have used...
+% nonstd: lineno
+\usepackage[modulo]{lineno}
+\usepackage{alltt}
+
+\usepackage[T1]{fontenc}
+% \usepackage[dvips]{color,graphics,graphicx}
+% \usepackage{color}
+\ifpdf
+\usepackage[pdftex]{graphicx}
+\else
+\usepackage{graphicx}
+\fi
+
+\usepackage[english]{babel}
+\usepackage[latin1]{inputenc}
+% \usepackage[normalem]{ulem}
+% \usepackage{amsfonts,amsmath,amssymb,latexsym}
+% nonstd:
+%%% \usepackage{ascmac}
+\usepackage{csty}
+%% \usepackage{eclepsf}
+
+\usepackage{enumerate}
+\usepackage{geometry}
+%%%%% html breaks 'combine' rather badly
+% \usepackage{html}
+%%% hyperref is nearly as bad
+% \usepackage{hyperref}
+\usepackage{isolatin1}
+\usepackage{latexsym}
+\usepackage{longtable}
+\usepackage{multicol}
+% nonstd:
+\usepackage{cprog}
+
+\usepackage{float}
+\usepackage{supertabular}
+\usepackage{textcomp}
+%% \usepackage{thumbpdf}
+\usepackage{times}
+\usepackage{url}
+\usepackage[T1,obeyspaces]{zrl}
+% nonstd:
+\usepackage{usenix}
+
+\usepackage{wrapfig}
+% \input{mpss-commands}
+%%% okay, are these evil?
+%%% \newcounter{chapter}
+%%% \setcounter{chapter}{0}
+\usepackage{fancyvrb}
+%%% \usepackage{listings}
+%%% (probably :-(
+
+
+\title{Proceedings of the\\
+Linux Symposium}
+\author{\vspace{4in}}
+\date{July 21st--24th, 2004\\
+ Ottawa, Ontario\\
+ Canada}
+
+% make room for "OLS2004...pagenumber" header
+\setlength{\topmargin}{-0.5in}
+\setlength{\headheight}{0.2in}
+\setlength{\headsep}{0.3in}
+\setlength{\evensidemargin}{0pt}
+\setlength{\oddsidemargin}{0pt}
+
+%%%%%%%%%%%%%%%%% DOC STARTS HERE %%%%%%%%%%%%%%%%%%%%
+\begin{document}
+\pagestyle{empty}
+\thispagestyle{empty}
+
+
+%%%%%%%%%%%%%% TITLE PAGE %%%%%%%%%%%%%%%%%%%
+\onecolumn
+\thispagestyle{empty}
+\maketitle
+\thispagestyle{empty}
+
+%%%%%%%%%%%%%%% TABLE OF CONTENTS %%%%%%%%%%%%%%
+\onecolumn
+\thispagestyle{empty}
+\cleardoublepage
+\thispagestyle{empty}
+\tableofcontents
+\cleardoublepage
+\thispagestyle{empty}
+
+
+%%%%%%%%%%%%%%%%%%%%% CREDITS PAGE %%%%%%%%%%%%%%%%%%
+\twocolumn[\thispagestyle{empty}
+
+\vspace{2cm}
+
+\textbf{{\Large Conference Organizers}}
+
+\vspace{5mm}
+\begin{large}
+\hspace*{0.5in}Andrew J.\ Hutton, \textit{Steamballoon, Inc.}\\
+\hspace*{0.5in}Stephanie Donovan, \textit{Linux Symposium}\\
+\hspace*{0.5in}C.\ Craig Ross, \textit{Linux Symposium}
+\end{large}
+
+\vspace{1cm}
+\textbf{{\Large Review Committee}}
+
+\vspace{5mm}
+\begin{large}
+\hspace*{0.5in}Jes Sorensen, \textit{Wild Open Source, Inc.}\\
+\hspace*{0.5in}Matt Domsch, \textit{Dell}\\
+\hspace*{0.5in}Gerrit Huizenga, \textit{IBM}\\
+\hspace*{0.5in}Matthew Wilcox, \textit{Hewlett-Packard}\\
+\hspace*{0.5in}Dirk Hohndel, \textit{Intel}\\
+\hspace*{0.5in}Val Henson, \textit{Sun Microsystems}\\
+\hspace*{0.5in}Jamal Hadi Salimi, \textit{Znyx}\\
+\hspace*{0.5in}Andrew Hutton, \textit{Steamballoon, Inc.}
+\end{large}
+
+\vspace{1cm}
+
+\textbf{{\Large Proceedings Formatting Team}}
+
+\vspace{5mm}
+\begin{large}
+\hspace*{0.5in}John W.\ Lockhart, \textit{Red Hat, Inc.}\\
+\end{large}
+
+\vspace{3.5in}
+
+\vspace*{\fill}
+
+\begin{center}
+Authors retain copyright to all submitted papers, but have granted
+unlimited redistribution rights to all as a condition of submission.
+\end{center}]
+
+%%%%%%%% PAGE HEADINGS DEFINITIONS %%%%%%%%%%%%%%%%%%%%
+\pagestyle{myheadings}
+%\markright{Linux Symposium\ \hrulefill\ }
+\markboth{~~{\textbullet}~~Linux Symposium\ ~\hrulefill\ }{\ \hrulefill\ Linux Symposium 2004~~{\textbullet}~~}
+
+
+%%%%%%%%%%%%%%% PAPERS BEGIN HERE %%%%%%%%%%%%%%%%%%%%%%%%%%
+\begin{papers}[\cleardoublepage]
+
+%% \coltocauthor{}
+%% \coltoctitle{}
+%% \label{}
+%% \import{}
+
+% email=werner@almesberger.net
+% url=http://linuxsymposium.org/2004/view_abstract.php?content_key=24
+\coltocauthor{Werner Almesberger}
+\coltoctitle{TCP Connection Passing}
+\label{art01}
+\import{almesberger}
+
+% email=da-x@colinux.org
+% url=http://linuxsymposium.org/2004/view_abstract.php?content_key=14
+\coltocauthor{Dan Aloni}
+\coltoctitle{Cooperative Linux}
+\label{art02}
+\import{aloni}
+
+% email=andersen@codepoet.org
+% url=http://linuxsymposium.org/2004/view_abstract.php?content_key=11
+\coltocauthor{Erik Andersen}
+\coltoctitle{Build your own Embedded Linux Wireless Access Point}
+\label{art03}
+\import{andersen}
+
+% email=anderson@netsweng.com
+% url=http://linuxsymposium.org/2004/view_abstract.php?content_key=40
+\coltocauthor{Stuart Anderson}
+\coltoctitle{Run-time testing of LSB Applications}
+\label{art04}
+\import{anderson}
+
+% email=axboe@suse.de
+% url=http://linuxsymposium.org/2004/view_abstract.php?content_key=152
+\coltocauthor{Jens Axboe}
+\coltoctitle{Linux Block IO: present and future}
+\label{art05}
+\import{axboe}
+
+% email=suparna@in.ibm.com
+% url=http://linuxsymposium.org/2004/view_abstract.php?content_key=64
+\coltocauthor{Suparna Bhattacharya}
+\coltoctitle{Linux AIO Performance and Robustness for Enterprise Workloads}
+\label{art06}
+\import{bhattacharya}
+
+% email=tim.bird@am.sony.com
+% url=http://linuxsymposium.org/2004/view_abstract.php?content_key=132
+\coltocauthor{Tim R.\ Bird}
+\coltoctitle{Methods to Improve Bootup Time in Linux}
+\label{art07}
+\import{bird}
+
+% email=~
+% url=http://linuxsymposium.org/2004/view_abstract.php?content_key=153
+\coltocauthor{Martin J.\ Bligh}
+\coltoctitle{Linux on NUMA}
+\label{art08}
+\import{bligh}
+
+% email=jejb@steeleye.com
+% url=http://linuxsymposium.org/2004/view_abstract.php?content_key=27
+\coltocauthor{James Bottomley}
+\coltoctitle{Improving Kernel Performance by Unmapping the Page Cache}
+\label{art09}
+\import{bottomley}
+
+% email=boutcher@us.ibm.com
+% url=http://linuxsymposium.org/2004/view_abstract.php?content_key=26
+\coltocauthor{Dave Boutcher}
+\coltoctitle{Linux Virtualization on IBM Power5 Systems}
+\label{art10}
+\import{boutcher}
+
+% email=len.brown@intel.com
+% url=http://linuxsymposium.org/2004/view_abstract.php?content_key=9
+\coltocauthor{Len Brown}
+\coltoctitle{ACPI: Advanced Configuration and Power Management Interface}
+\label{art11}
+\import{brown}
+
+% email=raybry@sgi.com
+% url=http://linuxsymposium.org/2004/view_abstract.php?content_key=147
+\coltocauthor{Ray Bryant}
+\coltoctitle{Scaling Linux to the Extreme}
+\label{art12}
+\import{bryant}
+
+% email=peterc@gelato.unsw.edu.au
+% url=http://linuxsymposium.org/2004/view_abstract.php?content_key=100
+\coltocauthor{Peter Chubb}
+\coltoctitle{Get More Device Drivers out of the Kernel!}
+\label{art13}
+\import{chubb}
+
+% email=wim.coekaerts@oracle.com
+% url=http://linuxsymposium.org/2004/view_abstract.php?content_key=13
+\coltocauthor{Wim A.\ Coekaerts}
+\coltoctitle{2.6 kernel for big servers compared to 2.4}
+\label{art14}
+\import{coekaerts}
+
+% email=corbet@lwn.net
+% url=http://linuxsymposium.org/2004/view_abstract.php?content_key=127
+\coltocauthor{Jonathan Corbet}
+\coltoctitle{Where 2.7 is going}
+\label{art15}
+\import{corbet}
+
+% email=paul.devriendt@amd.com
+% url=http://linuxsymposium.org/2004/view_abstract.php?content_key=22
+\coltocauthor{Paul Devriendt}
+\coltoctitle{SMP and frequency scaling}
+\label{art16}
+\import{devriendt}
+
+% email=matt_domsch@dell.com
+% url=http://linuxsymposium.org/2004/view_abstract.php?content_key=117
+\coltocauthor{Matt Domsch}
+\coltoctitle{Dynamic Kernel Module Support: From Theory to Practice}
+\label{art17}
+\import{domsch}
+
+% email=scott.feldman@intel.com
+% url=http://linuxsymposium.org/2004/view_abstract.php?content_key=177
+\coltocauthor{Scott Feldman}
+\coltoctitle{e100 weight reduction program}
+\label{art18}
+\import{feldman}
+
+% email=bfields@umich.edu
+% url=http://linuxsymposium.org/2004/view_abstract.php?content_key=76
+\coltocauthor{James Bruce Fields}
+\coltoctitle{NFSv4 and rpcsec\_gss for linux}
+\label{art19}
+\import{fields}
+
+% email=lgammo@cs.uwaterloo.ca
+% url=http://linuxsymposium.org/2004/view_abstract.php?content_key=0
+\coltocauthor{Louay Gammo}
+\coltoctitle{Comparing and Evaluating epoll(), select(), and poll()}
+\label{art20}
+\import{gammo}
+
+% email=jim.gettys@hp.com
+% url=http://linuxsymposium.org/2004/view_abstract.php?content_key=0
+\coltocauthor{James Gettys}
+\coltoctitle{The (Re)Architecture of the X Window System}
+\label{art21}
+\import{gettys}
+
+% email=ibrahim.haddad@ericsson.com
+% url=http://linuxsymposium.org/2004/view_abstract.php?content_key=51
+\coltocauthor{Ibrahim Haddad}
+\coltoctitle{Towards Linux-based Open Telecom Platforms}
+\label{art22}
+\import{haddad}
+
+% email=linuxsymposium.org@halcrow.us
+% url=http://linuxsymposium.org/2004/view_abstract.php?content_key=55
+\coltocauthor{Michael Austin Halcrow}
+\coltoctitle{Demands, Solutions, and Improvements for Linux Filesystem Security}
+\label{art23}
+\import{halcrow}
+
+% email=haveblue@us.ibm.com
+% url=http://linuxsymposium.org/2004/view_abstract.php?content_key=131
+\coltocauthor{Dave Hansen}
+\coltoctitle{Hotplug Memory and the Linux VM}
+\label{art24}
+\import{hansen}
+
+% email=greg@kroah.com
+% url=http://linuxsymposium.org/2004/view_abstract.php?content_key=168
+\coltocauthor{Greg Kroah-Hartman}
+\coltoctitle{kobjects and krefs: lockless reference counting for kernel structures}
+\label{art25}
+\import{kroahhartman}
+
+% email=ricklind@us.ibm.com
+% url=http://linuxsymposium.org/2004/view_abstract.php?content_key=82
+\coltocauthor{Rick Lindsley}
+\coltoctitle{The Cursor Wiggles Faster: Measuring Scheduler Performance}
+\label{art26}
+\import{lindsley}
+
+% email=rml@ximian.com
+% url=http://linuxsymposium.org/2004/view_abstract.php?content_key=122
+\coltocauthor{Robert Love}
+\coltoctitle{On a Kernel Events Layer and User-space Message Bus System}
+\label{art27}
+\import{love}
+
+% email=mpm@selenic.com
+% url=http://linuxsymposium.org/2004/view_abstract.php?content_key=30
+\coltocauthor{Matt Mackall}
+\coltoctitle{Linux-tiny and directions for small systems}
+\label{art28}
+\import{mackall}
+
+% email=dan.magenheimer@hp.com
+% url=http://linuxsymposium.org/2004/view_abstract.php?content_key=68
+\coltocauthor{Dan Magenheimer}
+\coltoctitle{Xen and the Art of Open Source Virtualization}
+\label{art29}
+\import{magenheimer}
+
+% email=jon.maloy@ericsson.com
+% url=http://linuxsymposium.org/2004/view_abstract.php?content_key=52
+\coltocauthor{Jon Paul Maloy}
+\coltoctitle{TIPC: Providing Communication for Linux Clusters}
+\label{art30}
+\import{maloy}
+
+% email=dmccr@us.ibm.com
+% url=http://linuxsymposium.org/2004/view_abstract.php?content_key=109
+\coltocauthor{Dave McCracken}
+\coltoctitle{Object-based reverse mapping}
+\label{art31}
+\import{mccracken}
+
+% email=michael@ximian.com
+% url=http://linuxsymposium.org/2004/view_abstract.php?content_key=145
+\coltocauthor{Michael Meeks}
+\coltoctitle{The World of OpenOffice}
+\label{art32}
+\import{meeks}
+
+% email=~
+% url=http://linuxsymposium.org/2004/view_abstract.php?content_key=130
+\coltocauthor{Arnaldo Carvalho de Melo}
+\coltoctitle{TCPfying the Poor Cousins}
+\label{art33}
+\import{melo}
+
+% email=kazunori@miyazawa.org
+% url=http://linuxsymposium.org/2004/view_abstract.php?content_key=119
+\coltocauthor{Kazunori Miyazawa}
+\coltoctitle{IPv6 IPsec and Mobile IPv6 implementation of Linux}
+\label{art34}
+\import{miyazawa}
+
+% email=~
+% url=http://linuxsymposium.org/2004/view_abstract.php?content_key=0
+\coltocauthor{Keith Packard}
+\coltoctitle{Getting X off the hardware}
+\label{art35}
+\import{packard}
+
+% email=linuxram@us.ibm.com
+% url=http://linuxsymposium.org/2004/view_abstract.php?content_key=54
+\coltocauthor{Ram Pai}
+\coltoctitle{Linux 2.6 performance improvement through readahead optimization}
+\label{art36}
+\import{pai}
+
+% email=inaky.perez-gonzalez@intel.com
+% url=http://linuxsymposium.org/2004/view_abstract.php?content_key=10
+\coltocauthor{Inaky Perez-Gonzalez}
+\coltoctitle{I would hate user space locking if it weren't that sexy\ldots}
+\label{art37}
+\import{perezgonzalez}
+
+% email=slpratt@us.ibm.com
+% url=http://linuxsymposium.org/2004/view_abstract.php?content_key=58
+\coltocauthor{Steven L.\ Pratt}
+\coltoctitle{Workload Dependent Performance Evaluation of the 2.6 I/O Schedulers}
+\label{art38}
+\import{pratt}
+
+% email=sam.robb@timesys.com
+% url=http://linuxsymposium.org/2004/view_abstract.php?content_key=104
+\coltocauthor{Sam Robb}
+\coltoctitle{Creating Cross-Compile Friendly Software}
+\label{art39}
+\import{robb}
+
+% email=john.ronciak@intel.com
+% url=http://linuxsymposium.org/2004/view_abstract.php?content_key=46
+\coltocauthor{John A.\ Ronciak}
+\coltoctitle{Page-Flip Technology for use within the Linux Networking Stack}
+\label{art40}
+\import{ronciak}
+
+% email=rusty@rustcorp.com.au
+% url=http://linuxsymposium.org/2004/view_abstract.php?content_key=16
+\coltocauthor{Rusty Russell}
+\coltoctitle{Linux Kernel Hotplug CPU Support}
+\label{art41}
+\import{russell}
+
+% email=dipankar@in.ibm.com
+% url=http://linuxsymposium.org/2004/view_abstract.php?content_key=156
+\coltocauthor{Dipankar Sarma}
+\coltoctitle{Issues with Selected Scalability Features of the 2.6 Kernel}
+\label{art42}
+\import{sarma}
+
+% email=dshankar@us.ibm.com
+% url=http://linuxsymposium.org/2004/view_abstract.php?content_key=72
+\coltocauthor{Kittur (Doc) S.\ Shankar}
+\coltoctitle{Achieving CAPP/EAL3+ Security Certification for Linux}
+\label{art43}
+\import{shankar}
+
+% email=riel@redhat.com
+% url=http://linuxsymposium.org/2004/view_abstract.php?content_key=125
+\coltocauthor{Rik van Riel}
+\coltoctitle{Improving Linux resource control using CKRM}
+\label{art44}
+\import{riel}
+
+% email=avolmat@src.ricoh.co.jp
+% url=http://linuxsymposium.org/2004/view_abstract.php?content_key=110
+\coltocauthor{Alain Volmat}
+\coltoctitle{Linux on a Digital Camera}
+\label{art45}
+\import{volmat}
+
+% email=~
+% url=http://linuxsymposium.org/2004/view_abstract.php?content_key=0
+\coltocauthor{John A.\ Walicki}
+\coltoctitle{The Linux Client at IBM: Enterprise Enabling the Linux Desktop}
+\label{art46}
+\import{walicki}
+
+% email=laforge@gnumonks.org
+% url=http://linuxsymposium.org/2004/view_abstract.php?content_key=86
+\coltocauthor{Harald Marc Welte}
+\coltoctitle{ct\_sync: state replication of ip\_conntrack}
+\label{art47}
+\import{welte}
+
+% email=mats.d.wichmann@intel.com
+% url=http://linuxsymposium.org/2004/view_abstract.php?content_key=175
+\coltocauthor{Mats Wichmann}
+\coltoctitle{Increasing the appeal of Open Source projects}
+\label{art48}
+\import{wichmann}
+
+% email=~
+% url=http://linuxsymposium.org/2004/view_abstract.php?content_key=0
+\coltocauthor{Matthew S.\ Wilson}
+\coltoctitle{New approaches in software provisioning and system maintenance}
+\label{art49}
+\import{wilson}
+
+% email=cworth@east.isi.edu
+% url=http://linuxsymposium.org/2004/view_abstract.php?content_key=70
+\coltocauthor{Carl D.\ Worth}
+\coltoctitle{``On-demand'' Linux in a Power-aware Microsensor}
+\label{art50}
+\import{worth}
+
+% email=~
+% url=http://linuxsymposium.org/2004/view_abstract.php?content_key=0
+\coltocauthor{Chris Wright}
+\coltoctitle{Linux Virtualization}
+\label{art51}
+\import{wright}
+
+
+\end{papers}
+\clearpage
+\end{document}
diff --git a/2004/netfilter-failover-ols2004/OLS2004-proceedings/MasterOLS.html b/2004/netfilter-failover-ols2004/OLS2004-proceedings/MasterOLS.html
new file mode 100644
index 0000000..be1ecaa
--- /dev/null
+++ b/2004/netfilter-failover-ols2004/OLS2004-proceedings/MasterOLS.html
@@ -0,0 +1,671 @@
+<!-- global defines -->
+
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
+"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
+<html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en">
+<head><title>
+2004 Linux Symposium --
+</title>
+<style type="text/css">
+body {
+ background: #ffffff;
+ font-family: sans-serif;
+ font-size: 11pt;
+ }
+.content
+ {
+ font-size: 12pt;
+ font-family: sans-serif;
+ }
+a
+ {
+ text-decoration: underline;
+ color: #14265B;
+ }
+a:visited
+ {
+ text-decoration : underline;
+ color : #14265B;
+ }
+a:hover.nav
+ {
+ text-decoration: none;
+ font-weight: bold;
+ }
+a:hover
+ {
+ text-decoration:none;
+ }
+h1
+ {
+ font-size: 12pt;
+ text-decoration: none;
+ color: #E6B531;
+ margin-top: 10px;
+ margin-bottom: 5px;
+ }
+h2
+ {
+ font-size: 12pt;
+ text-decoration: none;
+ color: #14265B;
+ margin-top: 6px;
+ margin-bottom: 3px;
+ }
+h3 {
+ font-size: 10pt;
+ margin-top: 6px;
+ margin-bottom: 3px;
+ }
+p {
+ margin-top: 6px;
+ margin-bottom: 8px;
+ }
+
+.right {
+ margin-top: 50px;
+ margin-left: 0px;
+ padding-right: 0px;
+ }
+.bold {
+ font-weight: bold;
+ }
+.blue
+ {
+ background: #14265B;
+ }
+td.leftmenu {
+ text-align: left;
+ width: 135px;
+ }
+
+td.rightmenu
+ {
+ text-align: right;
+ width: 135px;
+ }
+img
+ {
+ border: 0px;
+ }
+
+</style>
+</head>
+<body>
+<table width="100%" class="blue">
+<tr>
+<td rowspan="2">
+<img src="images/title_left.gif" alt=">linuxsymposium"></img>
+</td>
+</tr>
+<tr>
+<td align="right">
+<img class="right" src="images/title_right.gif" alt="July 21-24th, 2004, Ottawa, Canada"></img>
+</td>
+</tr>
+</table>
+<div class="main">
+<table border="0" width="100%">
+ <tr>
+<td class="leftmenu" valign="top">
+<h1>Content</h1>
+<a href="https://www.linuxsymposium.org/2004/login.php">Register/Login</a><br />
+<a href="http://www.linuxsymposium.org/2004/speakers.php?types=talk">Paper Presentations</a><br />
+<a href="http://www.linuxsymposium.org/2004/speakers.php?types=tutorial">Tutorials</a><br />
+<a href="http://www.linuxsymposium.org/2004/speakers.php?types=bofs">BOFS/Meetings</a><br />
+<a href="http://www.linuxsymposium.org/2004/sponsors.php">Sponsors</a><br />
+
+<h1>Contacts</h1>
+<a href="mailto:ajh@linuxsymposium.org">Information</a><br />
+
+<br />
+<a href="http://www.linuxsymposium.org/2004">Home</a><br />
+
+</td>
+
+<td class="content" valign="top">
+<h1></h1>
+<!-- talk -->
+<h1>Paper Presentations</h1>
+<p>
+ <table>
+ <tr>
+ <td rowspan="2"><img src="images/flags/AR.gif" alt=''></img></td>
+ <td><a href='view_bio.php?email=werner@almesberger.net'>Werner Almesberger</a></td>
+ <td>&nbsp;</td>
+ </tr>
+ <tr>
+ <td colspan="2">
+ <a href='view_abstract.php?content_key=24'> TCP Connection Passing</a>
+ </td>
+ </tr>
+ <tr><td>&nbsp;</td></tr> <tr>
+ <td rowspan="2"><img src="images/flags/IL.gif" alt=''></img></td>
+ <td><a href='view_bio.php?email=da-x@colinux.org'>Dan Aloni</a></td>
+ <td>&nbsp;</td>
+ </tr>
+ <tr>
+ <td colspan="2">
+ <a href='view_abstract.php?content_key=14'> Cooperative Linux</a>
+ </td>
+ </tr>
+ <tr><td>&nbsp;</td></tr> <tr>
+ <td rowspan="2"><img src="images/flags/US.gif" alt=''></img></td>
+ <td><a href='view_bio.php?email=andersen@codepoet.org'>Erik Andersen</a></td>
+ <td>Codepoet Consulting</td>
+ </tr>
+ <tr>
+ <td colspan="2">
+ Build your own Embedded Linux Wireless Access Point
+ </td>
+ </tr>
+ <tr><td>&nbsp;</td></tr> <tr>
+ <td rowspan="2"><img src="images/flags/US.gif" alt=''></img></td>
+ <td><a href='view_bio.php?email=anderson@netsweng.com'>Stuart Anderson</a></td>
+ <td>netSwweng, LLC</td>
+ </tr>
+ <tr>
+ <td colspan="2">
+ Run-time testing of LSB Applications
+ </td>
+ </tr>
+ <tr><td>&nbsp;</td></tr> <tr>
+ <td rowspan="2"><img src="images/flags/DK.gif" alt=''></img></td>
+ <td>Jens Axboe</td>
+ <td>SUSE</td>
+ </tr>
+ <tr>
+ <td colspan="2">
+ Linux Block IO - present and future
+ </td>
+ </tr>
+ <tr><td>&nbsp;</td></tr> <tr>
+ <td rowspan="2"><img src="images/flags/IN.gif" alt=''></img></td>
+ <td><a href='view_bio.php?email=suparna@in.ibm.com'>Suparna Bhattacharya</a></td>
+ <td>IBM</td>
+ </tr>
+ <tr>
+ <td colspan="2">
+ <a href='view_abstract.php?content_key=64'> Linux AIO Performance and Robustness for Enterprise Workloads</a>
+ </td>
+ </tr>
+ <tr><td>&nbsp;</td></tr> <tr>
+ <td rowspan="2"><img src="images/flags/1.gif" alt=''></img></td>
+ <td><a href='view_bio.php?email=tim.bird@am.sony.com'>Tim R Bird</a></td>
+ <td>Sony Electronics</td>
+ </tr>
+ <tr>
+ <td colspan="2">
+ <a href='view_abstract.php?content_key=132'> Methods to Improve Bootup Time in Linux</a>
+ </td>
+ </tr>
+ <tr><td>&nbsp;</td></tr> <tr>
+ <td rowspan="2"><img src="images/flags/UK.gif" alt=''></img></td>
+ <td>Martin J Bligh</td>
+ <td>&nbsp;</td>
+ </tr>
+ <tr>
+ <td colspan="2">
+ <a href='view_abstract.php?content_key=153'> Linux on NUMA</a>
+ </td>
+ </tr>
+ <tr><td>&nbsp;</td></tr> <tr>
+ <td rowspan="2"><img src="images/flags/UK.gif" alt=''></img></td>
+ <td><a href='view_bio.php?email=jejb@steeleye.com'>James Bottomley</a></td>
+ <td><a href='http://www.steeleye.com'>SteelEye Technology, Inc.</a></td>
+ </tr>
+ <tr>
+ <td colspan="2">
+ <a href='view_abstract.php?content_key=27'> Improving Kernel Performance by Unmapping the Page Cache</a>
+ </td>
+ </tr>
+ <tr><td>&nbsp;</td></tr> <tr>
+ <td rowspan="2"><img src="images/flags/CA.gif" alt=''></img></td>
+ <td><a href='view_bio.php?email=boutcher@us.ibm.com'>Dave Boutcher</a></td>
+ <td><a href='http://www.ibm.com'>IBM</a></td>
+ </tr>
+ <tr>
+ <td colspan="2">
+ <a href='view_abstract.php?content_key=26'> Linux Virtualization on IBM Power5 Systems</a>
+ </td>
+ </tr>
+ <tr><td>&nbsp;</td></tr> <tr>
+ <td rowspan="2"><img src="images/flags/US.gif" alt=''></img></td>
+ <td>Len Brown</td>
+ <td>Intel</td>
+ </tr>
+ <tr>
+ <td colspan="2">
+ ACPI -- Advanced Configuration and Power Management Interface
+ </td>
+ </tr>
+ <tr><td>&nbsp;</td></tr> <tr>
+ <td rowspan="2"><img src="images/flags/US.gif" alt=''></img></td>
+ <td><a href='view_bio.php?email=raybry@sgi.com'>Ray Bryant</a></td>
+ <td>Silicon Graphics</td>
+ </tr>
+ <tr>
+ <td colspan="2">
+ <a href='view_abstract.php?content_key=147'> Scaling Linux to the Extreme</a>
+ </td>
+ </tr>
+ <tr><td>&nbsp;</td></tr> <tr>
+ <td rowspan="2"><img src="images/flags/AU.gif" alt=''></img></td>
+ <td><a href='view_bio.php?email=peterc@gelato.unsw.edu.au'>Peter Chubb</a></td>
+ <td>NICTA</td>
+ </tr>
+ <tr>
+ <td colspan="2">
+ <a href='view_abstract.php?content_key=100'> Get More Device Drivers out of the Kernel!</a>
+ </td>
+ </tr>
+ <tr><td>&nbsp;</td></tr> <tr>
+ <td rowspan="2"><img src="images/flags/01.gif" alt=''></img></td>
+ <td>Wim A Coekaerts</td>
+ <td>Oracle</td>
+ </tr>
+ <tr>
+ <td colspan="2">
+ 2.6 kernel for big servers compared to 2.4
+ </td>
+ </tr>
+ <tr><td>&nbsp;</td></tr> <tr>
+ <td rowspan="2"><img src="images/flags/US.gif" alt=''></img></td>
+ <td><a href='view_bio.php?email=corbet@lwn.net'>Jonathan Corbet</a></td>
+ <td>LWN.net</td>
+ </tr>
+ <tr>
+ <td colspan="2">
+ <a href='view_abstract.php?content_key=127'> Where 2.7 is going</a>
+ </td>
+ </tr>
+ <tr><td>&nbsp;</td></tr> <tr>
+ <td rowspan="2"><img src="images/flags/TX.gif" alt=''></img></td>
+ <td><a href='view_bio.php?email=paul.devriendt@amd.com'>Paul Devriendt</a></td>
+ <td>AMD</td>
+ </tr>
+ <tr>
+ <td colspan="2">
+ <a href='view_abstract.php?content_key=22'> SMP and frequency scaling</a>
+ </td>
+ </tr>
+ <tr><td>&nbsp;</td></tr> <tr>
+ <td rowspan="2"><img src="images/flags/US.gif" alt=''></img></td>
+ <td><a href='view_bio.php?email=scott.feldman@intel.com'>Scott Feldman</a></td>
+ <td>Intel</td>
+ </tr>
+ <tr>
+ <td colspan="2">
+ <a href='view_abstract.php?content_key=177'> e100 weight reduction program</a>
+ </td>
+ </tr>
+ <tr><td>&nbsp;</td></tr> <tr>
+ <td rowspan="2"><img src="images/flags/US.gif" alt=''></img></td>
+ <td><a href='view_bio.php?email=bfields@umich.edu'>James Bruce Fields</a></td>
+ <td>University of Michigan</td>
+ </tr>
+ <tr>
+ <td colspan="2">
+ <a href='view_abstract.php?content_key=76'> NFSv4 and rpcsec_gss for linux</a>
+ </td>
+ </tr>
+ <tr><td>&nbsp;</td></tr> <tr>
+ <td rowspan="2"><img src="images/flags/1.gif" alt=''></img></td>
+ <td><a href='view_bio.php?email=lgammo@cs.uwaterloo.ca'>Louay Gammo</a></td>
+ <td>University of Waterloo</td>
+ </tr>
+ <tr>
+ <td colspan="2">
+ Comparing and Evaluating epoll(), select(), and poll()
+ </td>
+ </tr>
+ <tr><td>&nbsp;</td></tr> <tr>
+ <td rowspan="2"><img src="images/flags/US.gif" alt=''></img></td>
+ <td><a href='view_bio.php?email=jim.gettys@hp.com'>James Gettys</a></td>
+ <td>HP</td>
+ </tr>
+ <tr>
+ <td colspan="2">
+ The (Re)Architecture of the X Window System
+ </td>
+ </tr>
+ <tr><td>&nbsp;</td></tr> <tr>
+ <td rowspan="2"><img src="images/flags/CA.gif" alt=''></img></td>
+ <td><a href='view_bio.php?email=ibrahim.haddad@ericsson.com'>Ibrahim Haddad</a></td>
+ <td>Ericsson Research</td>
+ </tr>
+ <tr>
+ <td colspan="2">
+ <a href='view_abstract.php?content_key=51'> Towards Linux-based Open Telecom Platforms</a>
+ </td>
+ </tr>
+ <tr><td>&nbsp;</td></tr> <tr>
+ <td rowspan="2"><img src="images/flags/US.gif" alt=''></img></td>
+ <td><a href='view_bio.php?email=linuxsymposium.org@halcrow.us'>Michael Austin Halcrow</a></td>
+ <td>International Business Machines, Inc.</td>
+ </tr>
+ <tr>
+ <td colspan="2">
+ <a href='view_abstract.php?content_key=55'> Demands, Solutions, and Improvements for Linux Filesystem Security</a>
+ </td>
+ </tr>
+ <tr><td>&nbsp;</td></tr> <tr>
+ <td rowspan="2"><img src="images/flags/US.gif" alt=''></img></td>
+ <td>David Christopher Hansen</td>
+ <td>IBM</td>
+ </tr>
+ <tr>
+ <td colspan="2">
+ Hotplug Memory and the Linux VM
+ </td>
+ </tr>
+ <tr><td>&nbsp;</td></tr> <tr>
+ <td rowspan="2"><img src="images/flags/USA.gif" alt=''></img></td>
+ <td><a href='view_bio.php?email=greg@kroah.com'>Greg Kroah-Hartman</a></td>
+ <td>&nbsp;</td>
+ </tr>
+ <tr>
+ <td colspan="2">
+ <a href='view_abstract.php?content_key=168'> kobjects and krefs - lockless reference counting for kernel structures</a>
+ </td>
+ </tr>
+ <tr><td>&nbsp;</td></tr> <tr>
+ <td rowspan="2"><img src="images/flags/US.gif" alt=''></img></td>
+ <td><a href='view_bio.php?email=ricklind@us.ibm.com'>Rick Lindsley</a></td>
+ <td><a href='http://www.ibm.com/linux/ltc'>IBM Linux Technology Center</a></td>
+ </tr>
+ <tr>
+ <td colspan="2">
+ <a href='view_abstract.php?content_key=82'> The Cursor Wiggles Faster: Measuring Scheduler Performance</a>
+ </td>
+ </tr>
+ <tr><td>&nbsp;</td></tr> <tr>
+ <td rowspan="2"><img src="images/flags/US.gif" alt=''></img></td>
+ <td><a href='view_bio.php?email=rml@ximian.com'>Robert Love</a></td>
+ <td>Novell</td>
+ </tr>
+ <tr>
+ <td colspan="2">
+ <a href='view_abstract.php?content_key=122'> On a Kernel Events Layer and User-space Message Bus System</a>
+ </td>
+ </tr>
+ <tr><td>&nbsp;</td></tr> <tr>
+ <td rowspan="2"><img src="images/flags/US.gif" alt=''></img></td>
+ <td><a href='view_bio.php?email=mpm@selenic.com'>Matt Mackall</a></td>
+ <td>Selenic Consulting</td>
+ </tr>
+ <tr>
+ <td colspan="2">
+ <a href='view_abstract.php?content_key=30'> Linux-tiny and directions for small systems</a>
+ </td>
+ </tr>
+ <tr><td>&nbsp;</td></tr> <tr>
+ <td rowspan="2"><img src="images/flags/US.gif" alt=''></img></td>
+ <td><a href='view_bio.php?email=dan.magenheimer@hp.com'>Dan Magenheimer</a></td>
+ <td><a href='http://hpl.hp.com'>Hewlett Packard Co</a></td>
+ </tr>
+ <tr>
+ <td colspan="2">
+ <a href='view_abstract.php?content_key=68'> Xen and the Art of Open Source Virtualization</a>
+ </td>
+ </tr>
+ <tr><td>&nbsp;</td></tr> <tr>
+ <td rowspan="2"><img src="images/flags/CA.gif" alt=''></img></td>
+ <td>Jon Paul Maloy</td>
+ <td>Ericsson</td>
+ </tr>
+ <tr>
+ <td colspan="2">
+ TIPC: Providing Communication for Linux Clusters
+ </td>
+ </tr>
+ <tr><td>&nbsp;</td></tr> <tr>
+ <td rowspan="2"><img src="images/flags/US.gif" alt=''></img></td>
+ <td>Dave McCracken</td>
+ <td>IBM</td>
+ </tr>
+ <tr>
+ <td colspan="2">
+ Object-based reverse mapping
+ </td>
+ </tr>
+ <tr><td>&nbsp;</td></tr> <tr>
+ <td rowspan="2"><img src="images/flags/GB.gif" alt=''></img></td>
+ <td><a href='view_bio.php?email=michael@ximian.com'>Michael Meeks</a></td>
+ <td>Novell, Inc.</td>
+ </tr>
+ <tr>
+ <td colspan="2">
+ <a href='view_abstract.php?content_key=145'> The world of OpenOffice </a>
+ </td>
+ </tr>
+ <tr><td>&nbsp;</td></tr> <tr>
+ <td rowspan="2"><img src="images/flags/55.gif" alt=''></img></td>
+ <td>Arnaldo Carvalho de Melo</td>
+ <td><a href='http://www.conectiva.com.br'>Conectiva S.A.</a></td>
+ </tr>
+ <tr>
+ <td colspan="2">
+ TCPfying the Poor Cousins
+ </td>
+ </tr>
+ <tr><td>&nbsp;</td></tr> <tr>
+ <td rowspan="2"><img src="images/flags/JP.gif" alt=''></img></td>
+ <td><a href='view_bio.php?email=kazunori@miyazawa.org'>Kazunori Miyazawa</a></td>
+ <td>USAGI Project</td>
+ </tr>
+ <tr>
+ <td colspan="2">
+ <a href='view_abstract.php?content_key=119'> IPv6 IPsec and Mobile IPv6 implementation of Linux</a>
+ </td>
+ </tr>
+ <tr><td>&nbsp;</td></tr> <tr>
+ <td rowspan="2"><img src="images/flags/US.gif" alt=''></img></td>
+ <td>Andrew Morton</td>
+ <td>OSDL</td>
+ </tr>
+ <tr>
+ <td colspan="2">
+ keynote
+ </td>
+ </tr>
+ <tr><td>&nbsp;</td></tr> <tr>
+ <td rowspan="2"><img src="images/flags/US.gif" alt=''></img></td>
+ <td>Keith Packard</td>
+ <td>HP</td>
+ </tr>
+ <tr>
+ <td colspan="2">
+ Getting X off the hardware
+ </td>
+ </tr>
+ <tr><td>&nbsp;</td></tr> <tr>
+ <td rowspan="2"><img src="images/flags/IN.gif" alt=''></img></td>
+ <td><a href='view_bio.php?email=linuxram@us.ibm.com'>Ram Pai</a></td>
+ <td>IBM Corporation</td>
+ </tr>
+ <tr>
+ <td colspan="2">
+ <a href='view_abstract.php?content_key=54'> Linux 2.6 performance improvement through readahead optimization</a>
+ </td>
+ </tr>
+ <tr><td>&nbsp;</td></tr> <tr>
+ <td rowspan="2"><img src="images/flags/SP.gif" alt=''></img></td>
+ <td><a href='view_bio.php?email=inaky.perez-gonzalez@intel.com'>Inaky Perez-Gonzalez</a></td>
+ <td>&nbsp;</td>
+ </tr>
+ <tr>
+ <td colspan="2">
+ <a href='view_abstract.php?content_key=10'> I would hate user space locking if it weren&amp;#039;t that sexy...</a>
+ </td>
+ </tr>
+ <tr><td>&nbsp;</td></tr> <tr>
+ <td rowspan="2"><img src="images/flags/US.gif" alt=''></img></td>
+ <td><a href='view_bio.php?email=slpratt@us.ibm.com'>Steven L. Pratt</a></td>
+ <td>IBM</td>
+ </tr>
+ <tr>
+ <td colspan="2">
+ <a href='view_abstract.php?content_key=58'> Workload Dependant Performance Evaluation of the 2.6 I/O Schedulers</a>
+ </td>
+ </tr>
+ <tr><td>&nbsp;</td></tr> <tr>
+ <td rowspan="2"><img src="images/flags/US.gif" alt=''></img></td>
+ <td>Sam Robb</td>
+ <td>TimeSys</td>
+ </tr>
+ <tr>
+ <td colspan="2">
+ Creating Cross-Compile Friendly Software
+ </td>
+ </tr>
+ <tr><td>&nbsp;</td></tr> <tr>
+ <td rowspan="2"><img src="images/flags/1.gif" alt=''></img></td>
+ <td><a href='view_bio.php?email=john.ronciak@intel.com'>John A Ronciak</a></td>
+ <td>Intel Corp.</td>
+ </tr>
+ <tr>
+ <td colspan="2">
+ <a href='view_abstract.php?content_key=46'> Page-Flip Technology for use within the Linux Networking Stack</a>
+ </td>
+ </tr>
+ <tr><td>&nbsp;</td></tr> <tr>
+ <td rowspan="2"><img src="images/flags/AU.gif" alt=''></img></td>
+ <td>Rusty Russell</td>
+ <td>IBM</td>
+ </tr>
+ <tr>
+ <td colspan="2">
+ <a href='view_abstract.php?content_key=16'> Linux Kernel Hotplug CPU Support</a>
+ </td>
+ </tr>
+ <tr><td>&nbsp;</td></tr> <tr>
+ <td rowspan="2"><img src="images/flags/IN.gif" alt=''></img></td>
+ <td>Dipankar Sarma</td>
+ <td>IBM Global Services India Private Limited</td>
+ </tr>
+ <tr>
+ <td colspan="2">
+ Issues with Selected Scalability Features of the 2.6 Kernel
+ </td>
+ </tr>
+ <tr><td>&nbsp;</td></tr> <tr>
+ <td rowspan="2"><img src="images/flags/US.gif" alt=''></img></td>
+ <td><a href='view_bio.php?email=dshankar@us.ibm.com'>Kittur (Doc) S Shankar</a></td>
+ <td>IBM</td>
+ </tr>
+ <tr>
+ <td colspan="2">
+ <a href='view_abstract.php?content_key=72'> Achieving CAPP/EAL3+ Security Certification for Linux </a>
+ </td>
+ </tr>
+ <tr><td>&nbsp;</td></tr> <tr>
+ <td rowspan="2"><img src="images/flags/US.gif" alt=''></img></td>
+ <td>Rik van Riel</td>
+ <td>Red Hat Inc</td>
+ </tr>
+ <tr>
+ <td colspan="2">
+ Improving Linux resource control using CKRM
+ </td>
+ </tr>
+ <tr><td>&nbsp;</td></tr> <tr>
+ <td rowspan="2"><img src="images/flags/FR.gif" alt=''></img></td>
+ <td><a href='view_bio.php?email=avolmat@src.ricoh.co.jp'>Alain Volmat</a></td>
+ <td><a href='http://www.ricoh.com/src/'>Ricoh Company Ltd.</a></td>
+ </tr>
+ <tr>
+ <td colspan="2">
+ <a href='view_abstract.php?content_key=110'> Linux on a Digital Camera</a>
+ </td>
+ </tr>
+ <tr><td>&nbsp;</td></tr> <tr>
+ <td rowspan="2"><img src="images/flags/US.gif" alt=''></img></td>
+ <td>John A Walicki</td>
+ <td>IBM Research</td>
+ </tr>
+ <tr>
+ <td colspan="2">
+ The Linux Client at IBM - Enterprise Enabling the Linux Desktop
+ </td>
+ </tr>
+ <tr><td>&nbsp;</td></tr> <tr>
+ <td rowspan="2"><img src="images/flags/DE.gif" alt=''></img></td>
+ <td><a href='view_bio.php?email=laforge@gnumonks.org'>Harald Marc Welte</a></td>
+ <td>netfilter core team</td>
+ </tr>
+ <tr>
+ <td colspan="2">
+ <a href='view_abstract.php?content_key=86'> ct_sync - state replication of ip_conntrack</a>
+ </td>
+ </tr>
+ <tr><td>&nbsp;</td></tr> <tr>
+ <td rowspan="2"><img src="images/flags/US.gif" alt=''></img></td>
+ <td><a href='view_bio.php?email=mats.d.wichmann@intel.com'>Mats Wichmann</a></td>
+ <td>LSB Project / Intel Corporation</td>
+ </tr>
+ <tr>
+ <td colspan="2">
+ <a href='view_abstract.php?content_key=175'> Increasing the appeal of Open Source projects</a>
+ </td>
+ </tr>
+ <tr><td>&nbsp;</td></tr> <tr>
+ <td rowspan="2"><img src="images/flags/US.gif" alt=''></img></td>
+ <td>Matthew S. Wilson</td>
+ <td>&nbsp;</td>
+ </tr>
+ <tr>
+ <td colspan="2">
+ New approaches in software provisioning and system maintenance
+ </td>
+ </tr>
+ <tr><td>&nbsp;</td></tr> <tr>
+ <td rowspan="2"><img src="images/flags/US.gif" alt=''></img></td>
+ <td><a href='view_bio.php?email=cworth@east.isi.edu'>Carl D. Worth</a></td>
+ <td>USC/Information Sciences Institute</td>
+ </tr>
+ <tr>
+ <td colspan="2">
+ <a href='view_abstract.php?content_key=70'>&quot;On-demand&quot; Linux in a Power-aware Microsensor</a>
+ </td>
+ </tr>
+ <tr><td>&nbsp;</td></tr> <tr>
+ <td rowspan="2"><img src="images/flags/US.gif" alt=''></img></td>
+ <td>Chris Wright</td>
+ <td>OSDL</td>
+ </tr>
+ <tr>
+ <td colspan="2">
+ Linux Virtualization
+ </td>
+ </tr>
+ <tr><td>&nbsp;</td></tr> </table>
+</p>
+</td>
+<td valign="top" class="rightmenu">
+<h1>Related</h1>
+ <a href="http://www.linuxsymposium.org/2004/venue.php">Venue</a><br />
+ <a href="http://www.linuxsymposium.org/2004/travel.php">Travel</a><br />
+ <a href="http://www.linuxsymposium.org/2004/faq.php">FAQ</a><br />
+
+<h1>Archives</h1>
+ <a href="proceedings.php">Proceedings</a><br />
+ <a href="photos.php">Photos</a><br />
+<a class="nav" href="http://www.linuxsymposium.org/2003">2003</a><br />
+<a class="nav" href="http://www.linuxsymposium.org/2002">2002</a><br />
+<a class="nav" href="http://www.linuxsymposium.org/2001">2001</a><br />
+<a class="nav" href="http://www.linuxsymposium.org/2000">2000</a><br />
+<a class="nav" href="http://www.linuxsymposium.org/1999">1999</a><br />
+<br />
+<p>
+<a href="http://validator.w3.org/check/referer">
+<img src="http://www.w3.org/Icons/valid-xhtml10"
+ alt="Valid XHTML 1.0!" height="31" width="88" /></a>
+</p>
+
+</td>
+</tr>
+</table>
+</div>
+</body>
+</html>
diff --git a/2004/netfilter-failover-ols2004/OLS2004-proceedings/MasterOLS.tex b/2004/netfilter-failover-ols2004/OLS2004-proceedings/MasterOLS.tex
new file mode 100644
index 0000000..6cfd765
--- /dev/null
+++ b/2004/netfilter-failover-ols2004/OLS2004-proceedings/MasterOLS.tex
@@ -0,0 +1,534 @@
+%% First set up a variable that docs can check
+%% to see if we're doing the whole proceedings at once.
+%% This can make a difference in how things are to be
+%% processed, especially in instances where TeX's default
+%% internal memory is insufficient for the whole proceedings,
+%% but would work fine for a single document.
+%%
+%% Mostly it's used to conditionally create substitute commands
+%% for packages like hyperref and html that won't play
+%% nicely with the combine package.
+%%
+
+\newcount\olsmaster
+\olsmaster=1
+
+\documentclass[twocolumn,12pt]{combine}
+\usepackage{ols}
+\ifpdf
+\usepackage[pdftex]{epsfig}
+\else
+\usepackage{epsfig}
+\fi
+\usepackage{rotating}
+
+% Other packages that authors have used...
+% nonstd: lineno
+\usepackage[modulo]{lineno}
+\usepackage{alltt}
+
+\usepackage[T1]{fontenc}
+% \usepackage[dvips]{color,graphics,graphicx}
+% \usepackage{color}
+\ifpdf
+\usepackage[pdftex]{graphicx}
+\else
+\usepackage{graphicx}
+\fi
+
+\usepackage[english]{babel}
+\usepackage[latin1]{inputenc}
+% \usepackage[normalem]{ulem}
+% \usepackage{amsfonts,amsmath,amssymb,latexsym}
+% nonstd:
+%%% \usepackage{ascmac}
+\usepackage{csty}
+%% \usepackage{eclepsf}
+
+\usepackage{enumerate}
+\usepackage{geometry}
+%%%%% html breaks 'combine' rather badly
+% \usepackage{html}
+%%% hyperref is nearly as bad
+% \usepackage{hyperref}
+\usepackage{isolatin1}
+\usepackage{latexsym}
+\usepackage{longtable}
+\usepackage{multicol}
+% nonstd:
+\usepackage{cprog}
+
+\usepackage{float}
+\usepackage{supertabular}
+\usepackage{textcomp}
+%% \usepackage{thumbpdf}
+\usepackage{times}
+\usepackage{url}
+\usepackage[T1,obeyspaces]{zrl}
+% nonstd:
+\usepackage{usenix}
+
+\usepackage{wrapfig}
+% \input{mpss-commands}
+%%% okay, are these evil?
+%%% \newcounter{chapter}
+%%% \setcounter{chapter}{0}
+\usepackage{fancyvrb}
+%%% \usepackage{listings}
+%%% (probably :-(
+
+
+\title{Proceedings of the\\
+Linux Symposium}
+\author{\vspace{4in}}
+\date{July 21st--24th, 2004\\
+ Ottawa, Ontario\\
+ Canada}
+
+% make room for "OLS2004...pagenumber" header
+\setlength{\topmargin}{-0.5in}
+\setlength{\headheight}{0.2in}
+\setlength{\headsep}{0.3in}
+
+%%%%%%%%%%%%%%%%% DOC STARTS HERE %%%%%%%%%%%%%%%%%%%%
+\begin{document}
+\pagestyle{empty}
+\thispagestyle{empty}
+
+
+%%%%%%%%%%%%%% TITLE PAGE %%%%%%%%%%%%%%%%%%%
+\onecolumn
+\thispagestyle{empty}
+\maketitle
+\thispagestyle{empty}
+
+%%%%%%%%%%%%%%% TABLE OF CONTENTS %%%%%%%%%%%%%%
+\onecolumn
+\thispagestyle{empty}
+
+
+\tableofcontents
+
+
+%%%%%%%%%%%%%%%%%%%%% CREDITS PAGE %%%%%%%%%%%%%%%%%%
+\twocolumn[\thispagestyle{empty}
+
+\vspace{2cm}
+
+\textbf{{\Large Conference Organizers}}
+
+\vspace{5mm}
+\begin{large}
+\hspace*{0.5in}Andrew J.\ Hutton, \textit{Steamballoon, Inc.}\\
+\hspace*{0.5in}Stephanie Donovan, \textit{Linux Symposium}\\
+\hspace*{0.5in}C.\ Craig Ross, \textit{Linux Symposium}
+\end{large}
+
+\vspace{1cm}
+\textbf{{\Large Review Committee}}
+
+\vspace{5mm}
+\begin{large}
+\hspace*{0.5in}Jes Sorensen, \textit{Wild Open Source, Inc.}\\
+\hspace*{0.5in}Matt Domsch, \textit{Dell}\\
+\hspace*{0.5in}Gerrit Huizenga, \textit{IBM}\\
+\hspace*{0.5in}Matthew Wilcox, \textit{Hewlett-Packard}\\
+\hspace*{0.5in}Dirk Hohndel, \textit{Intel}\\
+\hspace*{0.5in}Val Henson, \textit{Sun Microsystems}\\
+\hspace*{0.5in}Jamal Hadi Salimi, \textit{Znyx}\\
+\hspace*{0.5in}Andrew Hutton, \textit{Steamballoon, Inc.}
+\end{large}
+
+\vspace{1cm}
+
+\textbf{{\Large Proceedings Formatting Team}}
+
+\vspace{5mm}
+\begin{large}
+\hspace*{0.5in}John W.\ Lockhart, \textit{Red Hat, Inc.}\\
+\end{large}
+
+\vspace{3.4in}
+
+\vspace*{\fill}
+
+\begin{center}
+Authors retain copyright to all submitted papers, but have granted
+unlimited redistribution rights to all as a condition of submission.
+\end{center}]
+
+%%%%%%%% PAGE HEADINGS DEFINITIONS %%%%%%%%%%%%%%%%%%%%
+\pagestyle{myheadings}
+\markright{Linux Symposium\ \hrulefill\ }
+%\markboth{Ottawa Linux Symposium\ \hrulefill\ }{\ \hrulefill\ Ottawa Linux Symposium 2004}
+
+
+%%%%%%%%%%%%%%% PAPERS BEGIN HERE %%%%%%%%%%%%%%%%%%%%%%%%%%
+\begin{papers}
+
+%% \coltocauthor{}
+%% \coltoctitle{}
+%% \label{}
+%% \import{}
+
+% email=werner@almesberger.net
+% url=http://linuxsymposium.org/2004/view_abstract.php?content_key=24
+\coltocauthor{Werner Almesberger}
+\coltoctitle{TCP Connection Passing}
+\label{art01}
+\import{almesberger}
+
+% email=da-x@colinux.org
+% url=http://linuxsymposium.org/2004/view_abstract.php?content_key=14
+\coltocauthor{Dan Aloni}
+\coltoctitle{Cooperative Linux}
+\label{art02}
+\import{aloni}
+
+% email=andersen@codepoet.org
+% url=http://linuxsymposium.org/2004/view_abstract.php?content_key=11
+\coltocauthor{Erik Andersen}
+\coltoctitle{Build your own Embedded Linux Wireless Access Point}
+\label{art03}
+\import{andersen}
+
+% email=anderson@netsweng.com
+% url=http://linuxsymposium.org/2004/view_abstract.php?content_key=40
+\coltocauthor{Stuart Anderson}
+\coltoctitle{Run-time testing of LSB Applications}
+\label{art04}
+\import{anderson}
+
+% email=axboe@suse.de
+% url=http://linuxsymposium.org/2004/view_abstract.php?content_key=152
+\coltocauthor{Jens Axboe}
+\coltoctitle{Linux Block IO: present and future}
+\label{art05}
+\import{axboe}
+
+% email=suparna@in.ibm.com
+% url=http://linuxsymposium.org/2004/view_abstract.php?content_key=64
+\coltocauthor{Suparna Bhattacharya}
+\coltoctitle{Linux AIO Performance and Robustness for Enterprise Workloads}
+\label{art06}
+\import{bhattacharya}
+
+% email=tim.bird@am.sony.com
+% url=http://linuxsymposium.org/2004/view_abstract.php?content_key=132
+\coltocauthor{Tim R.\ Bird}
+\coltoctitle{Methods to Improve Bootup Time in Linux}
+\label{art07}
+\import{bird}
+
+% email=~
+% url=http://linuxsymposium.org/2004/view_abstract.php?content_key=153
+\coltocauthor{Martin J.\ Bligh}
+\coltoctitle{Linux on NUMA}
+\label{art08}
+\import{bligh}
+
+% email=jejb@steeleye.com
+% url=http://linuxsymposium.org/2004/view_abstract.php?content_key=27
+\coltocauthor{James Bottomley}
+\coltoctitle{Improving Kernel Performance by Unmapping the Page Cache}
+\label{art09}
+\import{bottomley}
+
+% email=boutcher@us.ibm.com
+% url=http://linuxsymposium.org/2004/view_abstract.php?content_key=26
+\coltocauthor{Dave Boutcher}
+\coltoctitle{Linux Virtualization on IBM Power5 Systems}
+\label{art10}
+\import{boutcher}
+
+% email=len.brown@intel.com
+% url=http://linuxsymposium.org/2004/view_abstract.php?content_key=9
+\coltocauthor{Len Brown}
+\coltoctitle{ACPI: Advanced Configuration and Power Management Interface}
+\label{art11}
+\import{brown}
+
+% email=raybry@sgi.com
+% url=http://linuxsymposium.org/2004/view_abstract.php?content_key=147
+\coltocauthor{Ray Bryant}
+\coltoctitle{Scaling Linux to the Extreme}
+\label{art12}
+\import{bryant}
+
+% email=peterc@gelato.unsw.edu.au
+% url=http://linuxsymposium.org/2004/view_abstract.php?content_key=100
+\coltocauthor{Peter Chubb}
+\coltoctitle{Get More Device Drivers out of the Kernel!}
+\label{art13}
+\import{chubb}
+
+% email=wim.coekaerts@oracle.com
+% url=http://linuxsymposium.org/2004/view_abstract.php?content_key=13
+\coltocauthor{Wim A.\ Coekaerts}
+\coltoctitle{2.6 kernel for big servers compared to 2.4}
+\label{art14}
+\import{coekaerts}
+
+% email=corbet@lwn.net
+% url=http://linuxsymposium.org/2004/view_abstract.php?content_key=127
+\coltocauthor{Jonathan Corbet}
+\coltoctitle{Where 2.7 is going}
+\label{art15}
+\import{corbet}
+
+% email=paul.devriendt@amd.com
+% url=http://linuxsymposium.org/2004/view_abstract.php?content_key=22
+\coltocauthor{Paul Devriendt}
+\coltoctitle{SMP and frequency scaling}
+\label{art16}
+\import{devriendt}
+
+% email=matt_domsch@dell.com
+% url=http://linuxsymposium.org/2004/view_abstract.php?content_key=117
+\coltocauthor{Matt Domsch}
+\coltoctitle{Dynamic Kernel Module Support: From Theory to Practice}
+\label{art17}
+\import{domsch}
+
+% email=scott.feldman@intel.com
+% url=http://linuxsymposium.org/2004/view_abstract.php?content_key=177
+\coltocauthor{Scott Feldman}
+\coltoctitle{e100 weight reduction program}
+\label{art18}
+\import{feldman}
+
+% email=bfields@umich.edu
+% url=http://linuxsymposium.org/2004/view_abstract.php?content_key=76
+\coltocauthor{James Bruce Fields}
+\coltoctitle{NFSv4 and rpcsec\_gss for linux}
+\label{art19}
+\import{fields}
+
+% email=lgammo@cs.uwaterloo.ca
+% url=http://linuxsymposium.org/2004/view_abstract.php?content_key=0
+\coltocauthor{Louay Gammo}
+\coltoctitle{Comparing and Evaluating epoll(), select(), and poll()}
+\label{art20}
+\import{gammo}
+
+% email=jim.gettys@hp.com
+% url=http://linuxsymposium.org/2004/view_abstract.php?content_key=0
+\coltocauthor{James Gettys}
+\coltoctitle{The (Re)Architecture of the X Window System}
+\label{art21}
+\import{gettys}
+
+% email=ibrahim.haddad@ericsson.com
+% url=http://linuxsymposium.org/2004/view_abstract.php?content_key=51
+\coltocauthor{Ibrahim Haddad}
+\coltoctitle{Towards Linux-based Open Telecom Platforms}
+\label{art22}
+\import{haddad}
+
+% email=linuxsymposium.org@halcrow.us
+% url=http://linuxsymposium.org/2004/view_abstract.php?content_key=55
+\coltocauthor{Michael Austin Halcrow}
+\coltoctitle{Demands, Solutions, and Improvements for Linux Filesystem Security}
+\label{art23}
+\import{halcrow}
+
+% email=haveblue@us.ibm.com
+% url=http://linuxsymposium.org/2004/view_abstract.php?content_key=131
+\coltocauthor{Dave Hansen}
+\coltoctitle{Hotplug Memory and the Linux VM}
+\label{art24}
+\import{hansen}
+
+% email=greg@kroah.com
+% url=http://linuxsymposium.org/2004/view_abstract.php?content_key=168
+\coltocauthor{Greg Kroah-Hartman}
+\coltoctitle{kobjects and krefs: lockless reference counting for kernel structures}
+\label{art25}
+\import{kroahhartman}
+
+% email=ricklind@us.ibm.com
+% url=http://linuxsymposium.org/2004/view_abstract.php?content_key=82
+\coltocauthor{Rick Lindsley}
+\coltoctitle{The Cursor Wiggles Faster: Measuring Scheduler Performance}
+\label{art26}
+\import{lindsley}
+
+% email=rml@ximian.com
+% url=http://linuxsymposium.org/2004/view_abstract.php?content_key=122
+\coltocauthor{Robert Love}
+\coltoctitle{On a Kernel Events Layer and User-space Message Bus System}
+\label{art27}
+\import{love}
+
+% email=mpm@selenic.com
+% url=http://linuxsymposium.org/2004/view_abstract.php?content_key=30
+\coltocauthor{Matt Mackall}
+\coltoctitle{Linux-tiny and directions for small systems}
+\label{art28}
+\import{mackall}
+
+% email=dan.magenheimer@hp.com
+% url=http://linuxsymposium.org/2004/view_abstract.php?content_key=68
+\coltocauthor{Dan Magenheimer}
+\coltoctitle{Xen and the Art of Open Source Virtualization}
+\label{art29}
+\import{magenheimer}
+
+% email=jon.maloy@ericsson.com
+% url=http://linuxsymposium.org/2004/view_abstract.php?content_key=52
+\coltocauthor{Jon Paul Maloy}
+\coltoctitle{TIPC: Providing Communication for Linux Clusters}
+\label{art30}
+\import{maloy}
+
+% email=dmccr@us.ibm.com
+% url=http://linuxsymposium.org/2004/view_abstract.php?content_key=109
+\coltocauthor{Dave McCracken}
+\coltoctitle{Object-based reverse mapping}
+\label{art31}
+\import{mccracken}
+
+% email=michael@ximian.com
+% url=http://linuxsymposium.org/2004/view_abstract.php?content_key=145
+\coltocauthor{Michael Meeks}
+\coltoctitle{The World of OpenOffice}
+\label{art32}
+\import{meeks}
+
+% email=~
+% url=http://linuxsymposium.org/2004/view_abstract.php?content_key=130
+\coltocauthor{Arnaldo Carvalho de Melo}
+\coltoctitle{TCPfying the Poor Cousins}
+\label{art33}
+\import{melo}
+
+% email=kazunori@miyazawa.org
+% url=http://linuxsymposium.org/2004/view_abstract.php?content_key=119
+\coltocauthor{Kazunori Miyazawa}
+\coltoctitle{IPv6 IPsec and Mobile IPv6 implementation of Linux}
+\label{art34}
+\import{miyazawa}
+
+% email=~
+% url=http://linuxsymposium.org/2004/view_abstract.php?content_key=0
+\coltocauthor{Keith Packard}
+\coltoctitle{Getting X off the hardware}
+\label{art35}
+\import{packard}
+
+% email=linuxram@us.ibm.com
+% url=http://linuxsymposium.org/2004/view_abstract.php?content_key=54
+\coltocauthor{Ram Pai}
+\coltoctitle{Linux 2.6 performance improvement through readahead optimization}
+\label{art36}
+\import{pai}
+
+% email=inaky.perez-gonzalez@intel.com
+% url=http://linuxsymposium.org/2004/view_abstract.php?content_key=10
+\coltocauthor{Inaky Perez-Gonzalez}
+\coltoctitle{I would hate user space locking if it weren't that sexy\ldots}
+\label{art37}
+\import{perezgonzalez}
+
+% email=slpratt@us.ibm.com
+% url=http://linuxsymposium.org/2004/view_abstract.php?content_key=58
+\coltocauthor{Steven L.\ Pratt}
+\coltoctitle{Workload Dependent Performance Evaluation of the 2.6 I/O Schedulers}
+\label{art38}
+\import{pratt}
+
+% email=sam.robb@timesys.com
+% url=http://linuxsymposium.org/2004/view_abstract.php?content_key=104
+\coltocauthor{Sam Robb}
+\coltoctitle{Creating Cross-Compile Friendly Software}
+\label{art39}
+\import{robb}
+
+% email=john.ronciak@intel.com
+% url=http://linuxsymposium.org/2004/view_abstract.php?content_key=46
+\coltocauthor{John A.\ Ronciak}
+\coltoctitle{Page-Flip Technology for use within the Linux Networking Stack}
+\label{art40}
+\import{ronciak}
+
+% email=rusty@rustcorp.com.au
+% url=http://linuxsymposium.org/2004/view_abstract.php?content_key=16
+\coltocauthor{Rusty Russell}
+\coltoctitle{Linux Kernel Hotplug CPU Support}
+\label{art41}
+\import{russell}
+
+% email=dipankar@in.ibm.com
+% url=http://linuxsymposium.org/2004/view_abstract.php?content_key=156
+\coltocauthor{Dipankar Sarma}
+\coltoctitle{Issues with Selected Scalability Features of the 2.6 Kernel}
+\label{art42}
+\import{sarma}
+
+% email=dshankar@us.ibm.com
+% url=http://linuxsymposium.org/2004/view_abstract.php?content_key=72
+\coltocauthor{Kittur (Doc) S.\ Shankar}
+\coltoctitle{Achieving CAPP/EAL3+ Security Certification for Linux}
+\label{art43}
+\import{shankar}
+
+% email=riel@redhat.com
+% url=http://linuxsymposium.org/2004/view_abstract.php?content_key=125
+\coltocauthor{Rik van Riel}
+\coltoctitle{Improving Linux resource control using CKRM}
+\label{art44}
+\import{riel}
+
+% email=avolmat@src.ricoh.co.jp
+% url=http://linuxsymposium.org/2004/view_abstract.php?content_key=110
+\coltocauthor{Alain Volmat}
+\coltoctitle{Linux on a Digital Camera}
+\label{art45}
+\import{volmat}
+
+% email=~
+% url=http://linuxsymposium.org/2004/view_abstract.php?content_key=0
+\coltocauthor{John A.\ Walicki}
+\coltoctitle{The Linux Client at IBM: Enterprise Enabling the Linux Desktop}
+\label{art46}
+\import{walicki}
+
+% email=laforge@gnumonks.org
+% url=http://linuxsymposium.org/2004/view_abstract.php?content_key=86
+\coltocauthor{Harald Marc Welte}
+\coltoctitle{ct\_sync: state replication of ip\_conntrack}
+\label{art47}
+\import{welte}
+
+% email=mats.d.wichmann@intel.com
+% url=http://linuxsymposium.org/2004/view_abstract.php?content_key=175
+\coltocauthor{Mats Wichmann}
+\coltoctitle{Increasing the appeal of Open Source projects}
+\label{art48}
+\import{wichmann}
+
+% email=~
+% url=http://linuxsymposium.org/2004/view_abstract.php?content_key=0
+\coltocauthor{Matthew S.\ Wilson}
+\coltoctitle{New approaches in software provisioning and system maintenance}
+\label{art49}
+\import{wilson}
+
+% email=cworth@east.isi.edu
+% url=http://linuxsymposium.org/2004/view_abstract.php?content_key=70
+\coltocauthor{Carl D.\ Worth}
+\coltoctitle{``On-demand'' Linux in a Power-aware Microsensor}
+\label{art50}
+\import{worth}
+
+% email=~
+% url=http://linuxsymposium.org/2004/view_abstract.php?content_key=0
+\coltocauthor{Chris Wright}
+\coltoctitle{Linux Virtualization}
+\label{art51}
+\import{wright}
+
+
+\end{papers}
+\clearpage
+\end{document}
diff --git a/2004/netfilter-failover-ols2004/OLS2004-proceedings/TEMPLATES/Blank.tex b/2004/netfilter-failover-ols2004/OLS2004-proceedings/TEMPLATES/Blank.tex
new file mode 100644
index 0000000..ab04992
--- /dev/null
+++ b/2004/netfilter-failover-ols2004/OLS2004-proceedings/TEMPLATES/Blank.tex
@@ -0,0 +1,67 @@
+\documentclass[twocolumn,12pt]{article}
+\usepackage{ols}
+\ifpdf
+\usepackage[pdftex]{epsfig}
+\else
+\usepackage{epsfig}
+\fi
+\input{ols-fonts}
+% The section above is required; no edits, please.
+% We are using a 12-point serif font with certain
+% macro packages.
+
+% If you really MUST define additional commands
+% here, please be aware that it's a shared namespace,
+% and the main build will NOT pick up your commands
+% (potentially adding time to the editing process).
+% See the docs for the 'combine' package for details.
+%
+% Please do NOT use \newcommand; use \providecommand instead.
+% The shared namespace will be easier if you use your last
+% name as part of the new command, like so:
+%
+% \providecommand{\lastnameCmd}[1]{\texttt{#1}}
+
+
+\begin{document}
+
+% Required: do not print the date.
+\date{}
+
+\title{__TITLE__ \\
+% {\normalsize Subtitle goes here}
+}
+
+\author{
+__AUTHOR__ \\
+{\em __INSTITUTION__}\\
+{\tt\normalsize __EMAIL__}\\
+% \and
+% Second Author\\
+% {\em Second Institution}\\
+% {\tt\normalsize another@address.for.email.com}\\
+} % end author section
+
+\maketitle
+
+% Required: do not use page numbers on title page.
+\thispagestyle{empty}
+
+\section*{Abstract}
+% Here is how to include text from another file. Use
+% \input rather than \include.
+\input{__ABSTRACT__}
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%%% BODY OF PAPER GOES HERE %%%
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+
+
+
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\end{document}
+
+
+
+
diff --git a/2004/netfilter-failover-ols2004/OLS2004-proceedings/TEMPLATES/ProtoMake b/2004/netfilter-failover-ols2004/OLS2004-proceedings/TEMPLATES/ProtoMake
new file mode 100644
index 0000000..916018b
--- /dev/null
+++ b/2004/netfilter-failover-ols2004/OLS2004-proceedings/TEMPLATES/ProtoMake
@@ -0,0 +1,41 @@
+
+.SUFFIXES: .tex .dvi .aux .eps .fig .dia .ps .pdf .bib .bbl
+
+TOP=
+TEXFILES=$(TOP).tex
+FIGFILES:=$(wildcard *.fig)
+EPSFILES:=$(wildcard *.eps)
+EPSFILES+=$(FIGFILES:.fig=.eps)
+PDFFILES=$(EPSFILES:.eps=.pdf)
+
+.fig.eps:
+ fig2dev -L eps $< >$@
+
+.fig.pdf:
+ fig2dev -L pdf $< >$@
+
+.eps.pdf:
+ epstopdf $<
+
+all: $(TOP).ps $(TOP).pdf
+
+$(TOP).ps: $(TOP).dvi
+ dvips -o $(TOP).ps $(TOP)
+
+$(TOP).dvi: $(TEXFILES) $(EPSFILES)
+ latex $(TOP) || true
+ bibtex $(TOP) || true
+ latex $(TOP) || true
+ latex $(TOP)
+
+$(TOP).pdf: $(TEXFILES) $(PDFFILES)
+ pdflatex $(TOP) || true
+ bibtex $(TOP) || true
+ pdflatex $(TOP) || true
+ pdflatex $(TOP)
+
+clean:
+ rm -f *.aux *.dvi *.log
+ rm -f $(TOP).ps $(TOP).pdf $(TOP).bbl $(TOP).blg
+
+
diff --git a/2004/netfilter-failover-ols2004/OLS2004-proceedings/TEMPLATES/README b/2004/netfilter-failover-ols2004/OLS2004-proceedings/TEMPLATES/README
new file mode 100644
index 0000000..0386065
--- /dev/null
+++ b/2004/netfilter-failover-ols2004/OLS2004-proceedings/TEMPLATES/README
@@ -0,0 +1,4 @@
+If you discover that you require any additional latex bits, please inform
+papers@linuxsymposium.org so that they may be added to this package.
+
+Thank you.
diff --git a/2004/netfilter-failover-ols2004/OLS2004-proceedings/TEMPLATES/cprog.sty b/2004/netfilter-failover-ols2004/OLS2004-proceedings/TEMPLATES/cprog.sty
new file mode 100644
index 0000000..a336397
--- /dev/null
+++ b/2004/netfilter-failover-ols2004/OLS2004-proceedings/TEMPLATES/cprog.sty
@@ -0,0 +1,249 @@
+% This is CSTY.STY as received by email at december 1990
+%
+% The cprog macros allow programs in C, C++, Pascal, and Modula-2 to be
+% included directly into TeX documents. Program text is set in a Roman
+% font, comments in slanted, and strings in typewriter. Operators such as
+% <= are optionally combined into single symbols like $\le$. Keywords are
+% *not* emphasised---I find this ugly and distracting. (By purest
+% coincidence it would also be very hard to do.)
+%
+% These macros can be \input in plain TeX or used as a style file in LaTeX.
+% They provide a convenient alternative to tgrind, particularly for program
+% fragments embedded in documents. Full instructions for use appear in the
+% macro package itself.
+%
+%
+% \'Eamonn McManus <emcmanus@cs.tcd.ie> <emcmanus%cs.tcd.ie@cunyvm.cuny.edu>
+%
+% ASCII: !"#$%&'()*+,-./09:;<=>?@AZ[\]^_`az{|}~
+%
+
+% BEGIN: cprog.tex (or cprog.sty) - formatting of C programs
+% By \'Eamonn McManus <emcmanus@cs.tcd.ie>. This file is not copyrighted.
+% $Id: cprog.tex,v 1.4 90/09/12 23:21:26 emcmanus Exp $
+
+% This allows C programs to be formatted directly by TeX. It can be
+% invoked by \cprogfile{filename} or (in LaTeX) \begin{cprog} ...
+% \end{cprog} or (in plain TeX) \cprog ... \end{cprog}. In LaTeX, the
+% alternative form \begin{cprog*} is allowed, where spaces in C strings
+% are printed using the `square u' character (like LaTeX {verbatim*}).
+% In plain TeX, you have to use \csname cprog*\endcsname for this (sorry).
+% If you are using \cprogfile, say \cprogttspacetrue beforehand if you
+% want this effect.
+
+% The formatting is (necessarily) simple. C text is set in a normal Roman
+% font, comments in a slanted font, and strings in a typewriter font, with
+% spaces optionally made visible as the `square u' symbol. Tabs are
+% expanded to four spaces (this does not look good when comments are
+% aligned to the right of program text). Some pairs of input characters
+% appear as single output characters: << <= >> >= != -> are respectively
+% TeX's \ll \le \gg \ge \ne \rightarrow. Say \cprogpairsfalse to disable
+% this.
+
+% You can escape to TeX within cprog text by defining an escape character.
+% The character @ is suitable for C and Pascal. I have not tested other
+% characters so they may interact badly with their existing definitions here.
+% To define @ as the escape character, do \cprogescape@. Then within text
+% you can do @ followed by TeX commands. These commands will be in a TeX
+% group with the \catcodes of \{}% as normal. The commands are terminated
+% by a newline, which is not considered part of the program text.
+
+% The fonts below can be changed to alter the setting of the various parts
+% of the program. The \cprogbaselineskip parameter can be altered to
+% change the line spacing. LaTeX's \baselinestretch is taken into account
+% too. The indentation applied to the whole program is \cprogindent,
+% initially 0. Before and after the program there are skips of
+% \beforecprogskip and \aftercprogskip; the default values are \parskip
+% and 0 respectively (since there will often be a \parskip after the
+% program anyway).
+
+% If the source text is Pascal or Modula-2, say \pascaltrue or \modulatrue
+% (respectively) before formatting it. This makes (* *) be recognised for
+% comments instead of /* */. Braces {} are also recognised for Pascal.
+% \pascalfalse or \modulafalse as appropriate restores the default of C.
+
+% This package works by making a large number of characters active. Since
+% even spaces are active, it is possible to examine the next character in
+% a macro by making it a parameter, rather than using \futurelet as one
+% would normally do. This is more convenient, but the coding does mean
+% that if the next character itself wants to examine a character it may
+% look at a token from the macro rather than the input text. I think that
+% all cases that occur in practice have been looked after.
+
+% The macros could still do with some work. For example, the big macro
+% defined with [] taking the place of {} could be recoded to use {} and so
+% be more legible. The internal macros etc should have @ in their names,
+% and should be checked against LaTeX macros for clashes.
+
+% Allow multiple inclusion to go faster.
+
+\ifx\undefined\cprogsetup % The whole file.
+
+% Define the fonts used for program text, comments, and strings.
+% Note that if \it is used for \ccommentfont, something will need to
+% be done about $ signs, which come out as pounds sterling.
+\let\ctextfont=\tt \let\ccommentfont=\sl \let\cstringfont=\tt
+
+% Parameters. Unfortunately \newdimen is \outer (\outerness is a mistake)
+% so we need a subterfuge in case we are skipping the file.
+\csname newdimen\endcsname\cprogbaselineskip \cprogbaselineskip=\baselineskip
+\csname newdimen\endcsname\cprogindent \cprogindent=0pt
+\csname newdimen\endcsname\cprogwidth % Gets default=\hsize when cprog invoked.
+\csname newskip\endcsname\beforecprogskip \beforecprogskip=\parskip
+\csname newskip\endcsname\aftercprogskip \aftercprogskip=0pt
+\csname newif\endcsname\ifcprogttspace
+\csname newif\endcsname\ifcprogpairs \cprogpairstrue
+\csname newif\endcsname\ifpascal
+\csname newif\endcsname\ifmodula % Same as Pascal but no {comments}.
+{\def\junk{\fi\fi\fi\fi}} % If skipping.
+
+\let\cprogesc\relax
+\begingroup \catcode`~=\active
+\gdef\cprogescape#1{%
+ {\catcode`~=\active \uccode`~=`#1 \aftergroup\cprogescont
+ \uppercase{\aftergroup~}}}
+\gdef\cprogescont#1{%
+ \def\cprogesc{%
+ \makeactive#1\def#1{%
+ \begingroup \catcode`\\0 \catcode`{1 \catcode`}2 \catcode`\%14
+ \catcode` 10 \clinegroup{}}}}
+\endgroup
+
+\def\makeactive#1{\catcode`#1=\active} \def\makeother#1{\catcode`#1=12}
+{\obeyspaces\gdef\activespace{ } \obeylines\gdef\activecr{^^M}}
+{\catcode`|=\catcode`\\ \makeactive\\ |gdef|activebackslash{\}}
+{\catcode9=\active \gdef\activetab{^^I}}
+
+% The following group makes many characters active, so that their catcodes
+% in the \cprogchars macro are active, allowing them to be defined. We
+% could alternatively define more stuff like \activebackslash and use
+% \expandafter or (carefully) \edef to expand these in the macro.
+\begingroup
+\catcode`[=\catcode`{ \catcode`]=\catcode`}
+\makeactive! \makeactive" \makeactive' \makeactive( \makeactive* \makeactive-
+\makeactive/ \makeactive< \makeactive> \makeactive? \makeactive^ \makeactive_
+\makeactive\{ \makeactive| \makeactive\}
+\gdef\activestar[*]
+\gdef\cprogchars[%
+ \makeother##\makeother$\makeother&\makeother\%\makeother^%
+ \makeactive"\makeactive'\makeactive*\makeactive?\makeactive{\makeactive}%
+ \makeactive}\makeactive\\\makeactive_\expandafter\makeactive\activetab%
+ \makeactive!\makeactive<\makeactive>\makeactive-\makeactive|%
+ \ifcprogpairs
+ \def!##1[\ifx=##1$\ne$\else\string!\null##1\fi]%
+ \def-##1[\ifx>##1$\rightarrow$\else$\string-$##1\fi]%
+ % We use \aftergroup in < and > to deal with the fact that #1 might
+ % itself examine the following character.
+ \def<##1[[$\ifx<##1\ll$\else\ifx=##1\le$\else
+ \ifx>##1\ifpascal\ne$\else\string<$\aftergroup>\fi
+ \else \string<$\aftergroup##1\fi\fi\fi]]%
+ \def>##1[[$\ifx>##1\gg$\else\ifx=##1\ge$\else
+ \string>$\aftergroup##1\fi\fi]]%
+ \else \def![\string!\null]% Avoid !` ligature.
+ \def-[$\string-$]\def<[$\string<$]\def>[$\string>$]%
+ \fi
+ \def?[\string?\null]% Avoid ?` ligature.
+ \def"[\cquote"[\tt\string"]]\def'[\cquote'[\tt\ttquote]]\def*[$\string*$]%
+ \ifmodula \pascaltrue \fi % Except that {...} is used for sets.
+ \ifpascal
+ \ifmodula \dulllbrace \else
+ \def{[\begingroup \dulllbrace{\ccommentsetup\def}[\/\endgroup }]]%
+ \fi \makeactive(\let(=\pascalcomment \makeactive^\def^[$\uparrow$]%
+ \else \dulllbrace\makeactive/\let/=\ccomment
+ \fi
+ \def}[$\}$]\def|[$\string|$]\def~[$\sim$]\let_\_%
+ \expandafter\def\activebackslash[$\backslash$]%
+ \obeyspaces \expandafter\def\activespace[\leavevmode\space]%
+ \expandafter\def\activetab[\ \ \ \ ]%
+ \obeylines \expandafter\def\activecr[\strut\par]]
+\gdef\cprogarg[\expandafter\def\activebackslash##1[\ifx##1e\let\next\cprogend
+ \else$\backslash$\let\next##1\fi\next]\eatcr]
+\gdef\cprogend nd#1{cprog#2}[\endcprogarg] % #1 can be space, #2 *.
+\gdef\dulllbrace[\def{[$\{$]]
+\endgroup
+
+\chardef\ttquote=13 % Undirected single quote.
+\begingroup \makeactive" \makeactive' \makeactive!
+\gdef\cquote#1#2{% #1 is the quote, " or ', #2 how to set it.
+ \begingroup #2\cstringfont \makeactive\\%
+ \ifpascal \makeother\\\makeother^%
+ \else \expandafter\let\activebackslash\quotebackslash
+ \fi
+ \expandafter\edef\activespace{\ifcprogttspace\char`\ \else\ \fi}%
+ \expandafter\let\activecr=\unclosedstring
+ \def!{\string!\null}% No !` ligature.
+ \makeother*\makeother-\makeother/\makeother<\makeother>%
+ \makeother_\makeother\{\makeother\}\makeother|\makeother~%
+ \ifx"#1\let'\ttquote \else \makeother"\fi
+ \def#1{#2\endgroup}}
+\endgroup
+\csname newhelp\endcsname\cprogunclosedstr{%
+A string or character constant earlier in the line was unclosed.^^JSo
+I'm closing it now.}
+\def\unclosedstring{%
+ \escapechar-1%
+ \errhelp\cprogunclosedstr
+ \errmessage{Unclosed string}%
+ \endgroup}
+\newlinechar=`^^J
+\def\quotebackslash#1{\char`\\%
+ \expandafter\ifx\activecr#1\strut\par
+ \else\if'\noexpand#1\ttquote\else\string#1\fi\fi}
+
+% In a comment, we shrink the width of the opening / to that of a space so
+% that the stars in multiline comments will line up. We also shrink the
+% closing * for symmetry, but not in Pascal where it looks nasty.
+% Note that \end{cprog} is not recognised in strings or comments.
+\def\spacebox#1{\leavevmode \hbox to \spaceskip{#1\hss}}
+
+\begingroup \makeactive* \makeactive! \makeother/
+\gdef\ccommentsetup{\ccommentfont \makeother-\makeother'\makeother"\makeother/%
+ \def!{\string!\null}\expandafter\def\activebackslash{$\backslash$}}
+\gdef\ccomment#1{%
+ \let\next\relax
+ \ifx#1*\bgroup \ccommentsetup
+ \spacebox{\ctextfont\string/}*%
+ \makeactive*\def*{\commentstar/}%
+ \else\if\noexpand#1/\begingroup //\ccommentsetup \clinegroup\activecr
+ \else \string/\let\next#1%
+ \fi\fi\next}
+\gdef\pascalcomment#1{%
+ \ifx#1*\bgroup \ccommentsetup \let\next\dulllbrace \makeother(%
+ \spacebox{\ctextfont\string(}*\makeactive*\def*{\commentstar)}%
+ \else (\let\next#1\fi \next}
+\obeylines \long\gdef\clinegroup#1#2^^M{#2\endgroup#1}%
+\endgroup
+\def\commentstar#1#2{%
+ {\if#1\noexpand#2\egroup \ifpascal\else\aftergroup\spacebox\fi\fi}{$*$}#2}
+
+% We usually have an active ^^M after \cprog or \begin{cprog}.
+\def\eatcr#1{{\expandafter\ifx\activecr#1\else\aftergroup#1\fi}}
+
+% Expand to stretch and shrink (plus and minus) of parameter #1.
+\def\stretchshrink#1{\expandafter\eatdimenpart\the#1 \end}
+\def\eatdimenpart#1 #2\end{#2}
+
+\ifx\undefined\baselinestretch \def\baselinestretch{1}\fi
+
+\def\cprogsetup{\ctextfont \cprogchars \parskip=0pt\stretchshrink\parskip
+ \ifdim \cprogwidth=0pt \else \hsize\cprogwidth \fi
+ \cprogesc \spaceskip\fontdimen2\font \xspaceskip\spaceskip
+ \baselineskip=\baselinestretch\cprogbaselineskip \parindent=\cprogindent
+ \vskip\beforecprogskip}
+\def\endcprog{\endgroup \vskip\aftercprogskip}
+\def\cprogfile#1{\begingroup \cprogsetup \input#1\endcprog}
+\def\cprog{\begingroup \cprogttspacefalse \cprogsetup \cprogarg}
+% Like {verbatim*}, {cprog*} uses `square u' for spaces in quoted strings.
+\expandafter\def\csname cprog*\endcsname{%
+ \begingroup \cprogttspacetrue \cprogsetup \cprogarg}
+\expandafter\let\csname endcprog*\endcsname=\endcprog
+% In LaTeX we need to call \end{cprog} properly to close the environment,
+% whereas in plain TeX this will end the job. The test for LaTeX is not
+% bulletproof, but most plain TeX documents don't refer to the LaTeX logo.
+\ifx\undefined\LaTeX \let\endcprogarg=\endcprog
+\else \def\endcprogarg{\ifcprogttspace\end{cprog*}\else\end{cprog}\fi}
+\fi
+
+\fi % \ifx\undefined\cprogsetup
+
+\endinput
diff --git a/2004/netfilter-failover-ols2004/OLS2004-proceedings/TEMPLATES/csty.sty b/2004/netfilter-failover-ols2004/OLS2004-proceedings/TEMPLATES/csty.sty
new file mode 100644
index 0000000..54dff9c
--- /dev/null
+++ b/2004/netfilter-failover-ols2004/OLS2004-proceedings/TEMPLATES/csty.sty
@@ -0,0 +1,250 @@
+% This is CSTY.STY as received by email at december 1990
+%
+% The cprog macros allow programs in C, C++, Pascal, and Modula-2 to be
+% included directly into TeX documents. Program text is set in a Roman
+% font, comments in slanted, and strings in typewriter. Operators such as
+% <= are optionally combined into single symbols like $\le$. Keywords are
+% *not* emphasised---I find this ugly and distracting. (By purest
+% coincidence it would also be very hard to do.)
+%
+% These macros can be \input in plain TeX or used as a style file in LaTeX.
+% They provide a convenient alternative to tgrind, particularly for program
+% fragments embedded in documents. Full instructions for use appear in the
+% macro package itself.
+%
+%
+% \'Eamonn McManus <emcmanus@cs.tcd.ie> <emcmanus%cs.tcd.ie@cunyvm.cuny.edu>
+%
+% ASCII: !"#$%&'()*+,-./09:;<=>?@AZ[\]^_`az{|}~
+%
+
+% BEGIN: cprog.tex (or cprog.sty) - formatting of C programs
+% By \'Eamonn McManus <emcmanus@cs.tcd.ie>. This file is not copyrighted.
+% $Id: cprog.tex,v 1.4 90/09/12 23:21:26 emcmanus Exp $
+
+% This allows C programs to be formatted directly by TeX. It can be
+% invoked by \cprogfile{filename} or (in LaTeX) \begin{cprog} ...
+% \end{cprog} or (in plain TeX) \cprog ... \end{cprog}. In LaTeX, the
+% alternative form \begin{cprog*} is allowed, where spaces in C strings
+% are printed using the `square u' character (like LaTeX {verbatim*}).
+% In plain TeX, you have to use \csname cprog*\endcsname for this (sorry).
+% If you are using \cprogfile, say \cprogttspacetrue beforehand if you
+% want this effect.
+
+% The formatting is (necessarily) simple. C text is set in a normal Roman
+% font, comments in a slanted font, and strings in a typewriter font, with
+% spaces optionally made visible as the `square u' symbol. Tabs are
+% expanded to four spaces (this does not look good when comments are
+% aligned to the right of program text). Some pairs of input characters
+% appear as single output characters: << <= >> >= != -> are respectively
+% TeX's \ll \le \gg \ge \ne \rightarrow. Say \cprogpairsfalse to disable
+% this.
+
+% You can escape to TeX within cprog text by defining an escape character.
+% The character @ is suitable for C and Pascal. I have not tested other
+% characters so they may interact badly with their existing definitions here.
+% To define @ as the escape character, do \cprogescape@. Then within text
+% you can do @ followed by TeX commands. These commands will be in a TeX
+% group with the \catcodes of \{}% as normal. The commands are terminated
+% by a newline, which is not considered part of the program text.
+
+% The fonts below can be changed to alter the setting of the various parts
+% of the program. The \cprogbaselineskip parameter can be altered to
+% change the line spacing. LaTeX's \baselinestretch is taken into account
+% too. The indentation applied to the whole program is \cprogindent,
+% initially 0. Before and after the program there are skips of
+% \beforecprogskip and \aftercprogskip; the default values are \parskip
+% and 0 respectively (since there will often be a \parskip after the
+% program anyway).
+
+% If the source text is Pascal or Modula-2, say \pascaltrue or \modulatrue
+% (respectively) before formatting it. This makes (* *) be recognised for
+% comments instead of /* */. Braces {} are also recognised for Pascal.
+% \pascalfalse or \modulafalse as appropriate restores the default of C.
+
+% This package works by making a large number of characters active. Since
+% even spaces are active, it is possible to examine the next character in
+% a macro by making it a parameter, rather than using \futurelet as one
+% would normally do. This is more convenient, but the coding does mean
+% that if the next character itself wants to examine a character it may
+% look at a token from the macro rather than the input text. I think that
+% all cases that occur in practice have been looked after.
+
+% The macros could still do with some work. For example, the big macro
+% defined with [] taking the place of {} could be recoded to use {} and so
+% be more legible. The internal macros etc should have @ in their names,
+% and should be checked against LaTeX macros for clashes.
+
+% Allow multiple inclusion to go faster.
+
+\ifx\undefined\cprogsetup % The whole file.
+
+% Define the fonts used for program text, comments, and strings.
+% Note that if \it is used for \ccommentfont, something will need to
+% be done about $ signs, which come out as pounds sterling.
+\let\ctextfont=\tt \let\ccommentfont=\sl \let\cstringfont=\tt
+
+% Parameters. Unfortunately \newdimen is \outer (\outerness is a mistake)
+% so we need a subterfuge in case we are skipping the file.
+\csname newdimen\endcsname\cprogbaselineskip \cprogbaselineskip=\baselineskip
+\csname newdimen\endcsname\cprogindent \cprogindent=0pt
+\csname newdimen\endcsname\cprogwidth % Gets default=\hsize when cprog invoked.
+\csname newskip\endcsname\beforecprogskip \beforecprogskip=\parskip
+\csname newskip\endcsname\aftercprogskip \aftercprogskip=0pt
+\csname newif\endcsname\ifcprogttspace
+\csname newif\endcsname\ifcprogpairs \cprogpairstrue
+\csname newif\endcsname\ifpascal
+\csname newif\endcsname\ifmodula % Same as Pascal but no {comments}.
+{\def\junk{\fi\fi\fi\fi}} % If skipping.
+
+\let\cprogesc\relax
+\begingroup \catcode`~=\active
+\gdef\cprogescape#1{%
+ {\catcode`~=\active \uccode`~=`#1 \aftergroup\cprogescont
+ \uppercase{\aftergroup~}}}
+\gdef\cprogescont#1{%
+ \def\cprogesc{%
+ \makeactive#1\def#1{%
+ \begingroup \catcode`\\0 \catcode`{1 \catcode`}2 \catcode`\%14
+ \catcode` 10 \clinegroup{}}}}
+\endgroup
+
+\def\makeactive#1{\catcode`#1=\active} \def\makeother#1{\catcode`#1=12}
+{\obeyspaces\gdef\activespace{ } \obeylines\gdef\activecr{^^M}}
+{\catcode`|=\catcode`\\ \makeactive\\ |gdef|activebackslash{\}}
+{\catcode9=\active \gdef\activetab{^^I}}
+
+% The following group makes many characters active, so that their catcodes
+% in the \cprogchars macro are active, allowing them to be defined. We
+% could alternatively define more stuff like \activebackslash and use
+% \expandafter or (carefully) \edef to expand these in the macro.
+\begingroup
+\catcode`[=\catcode`{ \catcode`]=\catcode`}
+\makeactive! \makeactive" \makeactive' \makeactive( \makeactive* \makeactive-
+\makeactive/ \makeactive< \makeactive> \makeactive? \makeactive^ \makeactive_
+\makeactive\{ \makeactive| \makeactive\}
+\gdef\activestar[*]
+\gdef\cprogchars[%
+ \makeother##\makeother$\makeother&\makeother\%\makeother^%
+ \makeactive"\makeactive'\makeactive*\makeactive?\makeactive{\makeactive}%
+ \makeactive}\makeactive\\\makeactive_\expandafter\makeactive\activetab%
+ \makeactive!\makeactive<\makeactive>\makeactive-\makeactive|%
+ \ifcprogpairs
+ \def!##1[\ifx=##1$\ne$\else\string!\null##1\fi]%
+ \def-##1[\ifx>##1$\rightarrow$\else$\string-$##1\fi]%
+ % We use \aftergroup in < and > to deal with the fact that #1 might
+ % itself examine the following character.
+ \def<##1[[$\ifx<##1\ll$\else\ifx=##1\le$\else
+ \ifx>##1\ifpascal\ne$\else\string<$\aftergroup>\fi
+ \else \string<$\aftergroup##1\fi\fi\fi]]%
+ \def>##1[[$\ifx>##1\gg$\else\ifx=##1\ge$\else
+ \string>$\aftergroup##1\fi\fi]]%
+ \else \def![\string!\null]% Avoid !` ligature.
+ \def-[$\string-$]\def<[$\string<$]\def>[$\string>$]%
+ \fi
+ \def?[\string?\null]% Avoid ?` ligature.
+ \def"[\cquote"[\tt\string"]]\def'[\cquote'[\tt\ttquote]]\def*[$\string*$]%
+ \ifmodula \pascaltrue \fi % Except that {...} is used for sets.
+ \ifpascal
+ \ifmodula \dulllbrace \else
+ \def{[\begingroup \dulllbrace{\ccommentsetup\def}[\/\endgroup }]]%
+ \fi \makeactive(\let(=\pascalcomment \makeactive^\def^[$\uparrow$]%
+ \else \dulllbrace\makeactive/\let/=\ccomment
+ \fi
+ \def}[$\}$]\def|[$\string|$]\def~[$\sim$]\let_\_%
+ \expandafter\def\activebackslash[$\backslash$]%
+ \obeyspaces \expandafter\def\activespace[\leavevmode\space]%
+ \expandafter\def\activetab[\ \ \ \ ]%
+ \obeylines \expandafter\def\activecr[\strut\par]]
+\gdef\cprogarg[\expandafter\def\activebackslash##1[\ifx##1e\let\next\cprogend
+ \else$\backslash$\let\next##1\fi\next]\eatcr]
+\gdef\cprogend nd#1{cprog#2}[\endcprogarg] % #1 can be space, #2 *.
+\gdef\dulllbrace[\def{[$\{$]]
+\endgroup
+
+\chardef\ttquote=13 % Undirected single quote.
+\begingroup \makeactive" \makeactive' \makeactive!
+\gdef\cquote#1#2{% #1 is the quote, " or ', #2 how to set it.
+ \begingroup #2\cstringfont \makeactive\\%
+ \ifpascal \makeother\\\makeother^%
+ \else \expandafter\let\activebackslash\quotebackslash
+ \fi
+ \expandafter\edef\activespace{\ifcprogttspace\char`\ \else\ \fi}%
+ \expandafter\let\activecr=\unclosedstring
+ \def!{\string!\null}% No !` ligature.
+ \makeother*\makeother-\makeother/\makeother<\makeother>%
+ \makeother_\makeother\{\makeother\}\makeother|\makeother~%
+ \ifx"#1\let'\ttquote \else \makeother"\fi
+ \def#1{#2\endgroup}}
+\endgroup
+\csname newhelp\endcsname\cprogunclosedstr{%
+A string or character constant earlier in the line was unclosed.^^JSo
+I'm closing it now.}
+\def\unclosedstring{%
+ \escapechar-1%
+ \errhelp\cprogunclosedstr
+ \errmessage{Unclosed string}%
+ \endgroup}
+\newlinechar=`^^J
+\def\quotebackslash#1{\char`\\%
+ \expandafter\ifx\activecr#1\strut\par
+ \else\if'\noexpand#1\ttquote\else\string#1\fi\fi}
+
+% In a comment, we shrink the width of the opening / to that of a space so
+% that the stars in multiline comments will line up. We also shrink the
+% closing * for symmetry, but not in Pascal where it looks nasty.
+% Note that \end{cprog} is not recognised in strings or comments.
+\def\spacebox#1{\leavevmode \hbox to \spaceskip{#1\hss}}
+
+\begingroup \makeactive* \makeactive! \makeother/
+\gdef\ccommentsetup{\ccommentfont \makeother-\makeother'\makeother"\makeother/%
+ \def!{\string!\null}\expandafter\def\activebackslash{$\backslash$}}
+\gdef\ccomment#1{%
+ \let\next\relax
+ \ifx#1*\bgroup \ccommentsetup
+ \spacebox{\ctextfont\string/}*%
+ \makeactive*\def*{\commentstar/}%
+ \else\if\noexpand#1/\begingroup //\ccommentsetup \clinegroup\activecr
+ \else \string/\let\next#1%
+ \fi\fi\next}
+\gdef\pascalcomment#1{%
+ \ifx#1*\bgroup \ccommentsetup \let\next\dulllbrace \makeother(%
+ \spacebox{\ctextfont\string(}*\makeactive*\def*{\commentstar)}%
+ \else (\let\next#1\fi \next}
+\obeylines \long\gdef\clinegroup#1#2^^M{#2\endgroup#1}%
+\endgroup
+\def\commentstar#1#2{%
+ {\if#1\noexpand#2\egroup \ifpascal\else\aftergroup\spacebox\fi\fi}{$*$}#2}
+
+% We usually have an active ^^M after \cprog or \begin{cprog}.
+\def\eatcr#1{{\expandafter\ifx\activecr#1\else\aftergroup#1\fi}}
+
+% Expand to stretch and shrink (plus and minus) of parameter #1.
+\def\stretchshrink#1{\expandafter\eatdimenpart\the#1 \end}
+\def\eatdimenpart#1 #2\end{#2}
+
+\ifx\undefined\baselinestretch \def\baselinestretch{1}\fi
+
+\def\cprogsetup{\ctextfont \cprogchars \parskip=0pt\stretchshrink\parskip
+ \ifdim \cprogwidth=0pt \else \hsize\cprogwidth \fi
+ \cprogesc \spaceskip\fontdimen2\font \xspaceskip\spaceskip
+ \baselineskip=\baselinestretch\cprogbaselineskip \parindent=\cprogindent
+ \vskip\beforecprogskip}
+\def\endcprog{\endgroup \vskip\aftercprogskip}
+\def\cprogfile#1{\begingroup \cprogsetup \input#1\endcprog}
+\def\cprog{\begingroup \cprogttspacefalse \cprogsetup \cprogarg}
+% Like {verbatim*}, {cprog*} uses `square u' for spaces in quoted strings.
+\expandafter\def\csname cprog*\endcsname{%
+ \begingroup \cprogttspacetrue \cprogsetup \cprogarg}
+\expandafter\let\csname endcprog*\endcsname=\endcprog
+% In LaTeX we need to call \end{cprog} properly to close the environment,
+% whereas in plain TeX this will end the job. The test for LaTeX is not
+% bulletproof, but most plain TeX documents don't refer to the LaTeX logo.
+\ifx\undefined\LaTeX \let\endcprogarg=\endcprog
+\else \def\endcprogarg{\ifcprogttspace\end{cprog*}\else\end{cprog}\fi}
+\fi
+
+\fi % \ifx\undefined\cprogsetup
+
+\endinput
+
diff --git a/2004/netfilter-failover-ols2004/OLS2004-proceedings/TEMPLATES/eclepsf.sty b/2004/netfilter-failover-ols2004/OLS2004-proceedings/TEMPLATES/eclepsf.sty
new file mode 100644
index 0000000..3f41d65
--- /dev/null
+++ b/2004/netfilter-failover-ols2004/OLS2004-proceedings/TEMPLATES/eclepsf.sty
@@ -0,0 +1,278 @@
+% EPSF macros by Kazuhiro Kazama and modified by Hideki ISOZAKI
+% based on Trevor J. Darrell's psfig.tex
+%
+% All software, documentation, and related files in this distribution of
+% psfig/tex are Copyright (c) 1987 Trevor J. Darrell
+%
+% Permission is granted for use and non-profit distribution of psfig/tex
+% providing that this notice be clearly maintained, but the right to
+% distribute any portion of psfig/tex for profit or as part of any commercial
+% product is specifically reserved for the author.
+\endlinechar=-1
+
+\typeout{EPSF macro package for LaTeX. version 1.5 - Released May 11, 1992}
+\newcount\@arga
+\newcount\@argb
+\newcount\@argc
+\newcount\@ctmpa
+\newcount\@ctmpb
+\newcount\@ctmpc
+\newcount\@ctmpd
+\newcount\@ctmpe
+\newdimen\@darg
+\newdimen\@bblen
+\newif\ifepsfdraft
+\epsfdraftfalse
+
+\def\@setpsfile#1{
+ \def\@psfile{#1}
+ \bb@search
+}
+\def\@setpsheight#1{
+ \@darg=#1\relax
+ \edef\@psheight{\number\@darg}
+}
+\def\@setpswidth#1{
+ \@darg=#1\relax
+ \edef\@pswidth{\number\@darg}
+}
+\def\@setpsscale#1{
+ \def\@pshscale{#1}
+ \def\@psvscale{#1}
+}
+\def\@setpshscale#1{
+ \def\@pshscale{#1}
+}
+
+\def\@setpsvscale#1{
+ \def\@psvscale{#1}
+}
+
+
+
+%
+% Go through the options setting things up.
+%
+\def\parse@ps@parms#1{
+ \def\@bbw{0}\def\@bbh{0}
+ \def\@pshscale{1}\def\@psvscale{1}
+ \def\@psheight{0}\def\@pswidth{0}% in sp
+ \@for\@epsfopt:=#1\do
+ {\expandafter\@setparms\@epsfopt,}}
+
+\def\@setparms#1=#2,{\@nameuse{@setps#1}{#2}}
+
+%
+% Compute %%BoundingBox height and width
+%
+\newif\ifcontinue
+
+\catcode`\%=12\relax
+
+\newread\ps@stream
+\def\bb@search{\continuetrue
+ \typeout{analyzing \@psfile}
+ \openin\ps@stream=\@psfile
+ \catcode`\%=12\relax
+ \ifeof\ps@stream\errmessage{epsf: \@psfile\space not found}\fi
+ \loop
+ \read\ps@stream to \epsf@line
+ \expandafter\epsf@getbb\epsf@line%%BoundingBox:\end@getbb
+ \ifnum\@bbw=\z@\else \continuefalse\fi
+ \ifeof\ps@stream \continuefalse \fi
+ \ifcontinue \repeat
+ \closein\ps@stream
+ \catcode`\%=14
+}
+
+\def\epsf@getbb #1%%BoundingBox:#2\end@getbb{
+ \def\epsf@tmp{#1}\def\epsf@atend{ (atend)}
+ \ifx\epsf@tmp\empty
+ \edef\epsf@tmp{#2}
+ \ifx\epsf@tmp\epsf@atend
+ \errmessage{%%BoundingBox: (atend)}
+ \else
+ \epsf@bbarg #2 0 0 0 0 0 %%BoundingBox\end@getbb
+ \fi
+ \fi}
+
+\def\epsf@bbarg #1 #2 #3 #4 #5%%BoundingBox#6\end@getbb{
+ \def\epsf@tmp{#1}
+ \ifx\epsf@tmp\empty
+ \@darg=#4bp \advance\@darg-#2bp \edef\@bbw{\number\@darg}
+ \@darg=#5bp \advance\@darg-#3bp \edef\@bbh{\number\@darg}
+ \else
+ \@darg=#3bp \advance\@darg-#1bp \edef\@bbw{\number\@darg}
+ \@darg=#4bp \advance\@darg-#2bp \edef\@bbh{\number\@darg}
+ \fi
+ {\@arga=\@bbw \divide\@arga by 186468\relax
+ \@argb=\@bbh \divide\@argb by 186468\relax
+ \message{original: \the\@arga mm x \the\@argb mm}}
+}
+
+\catcode`\%=14\relax
+
+
+% \in@hundreds performs #1 * (#2 / #3) correct to the hundreds,
+% then leaves the result in @result
+%
+
+\def\in@hundreds#1#2#3{\@argb=#2 \@argc=#3
+ \@ctmpa=\@argb % @ctmpa is first digit #2/#3
+ \divide\@ctmpa by \@argc
+ \@ctmpb=\@ctmpa
+ \multiply\@ctmpb by \@argc
+ \advance\@argb by -\@ctmpb
+ \multiply\@argb by 10
+ \@ctmpb=\@argb % @ctmpb is second digit of #2/#3
+ \divide\@ctmpb by \@argc
+ \@ctmpc=\@ctmpb
+ \multiply\@ctmpc by \@argc
+ \advance\@argb by -\@ctmpc
+ \multiply\@argb by 10
+ \@ctmpc=\@argb % @ctmpc is the third digit
+ \divide\@ctmpc by \@argc
+ \@arga=#1\@ctmpe=0
+ \@ctmpd=\@arga
+ \multiply\@ctmpd by \@ctmpa
+ \advance\@ctmpe by \@ctmpd
+ \@ctmpd=\@arga
+ \divide\@ctmpd by 10
+ \multiply\@ctmpd by \@ctmpb
+ \advance\@ctmpe by \@ctmpd
+ %
+ \@ctmpd=\@arga
+ \divide\@ctmpd by 100
+ \multiply\@ctmpd by \@ctmpc
+ \advance\@ctmpe by \@ctmpd
+ %
+ \edef\@result{\number\@ctmpe}
+}
+
+\def\compute@wfromh{
+ \ifnum\@psheight>\z@
+ \in@hundreds{\@psheight}{\@bbw}{\@bbh}
+ \edef\@pswidth{\@result}
+ \else
+ \in@hundreds{-\@psheight}{\@bbw}{\@bbh}
+ \edef\@pswidth{\number-\@result}
+ \fi
+}
+\def\compute@hfromw{
+ % computing : height = width * (bbh / bbw)
+ \ifnum\@pswidth>\z@
+ \in@hundreds{\@pswidth}{\@bbh}{\@bbw}
+ \edef\@psheight{\@result}
+ \else
+ \in@hundreds{-\@pswidth}{\@bbh}{\@bbw}
+ \edef\@psheight{\number-\@result}
+ \fi
+}
+\def\compute@handw{
+ \ifnum\@psheight=\z@
+ \ifnum\@pswidth=\z@
+ \@darg=\@bbh sp \@darg=\@psvscale\@darg
+ \edef\@psheight{\number\@darg}
+ \@darg=\@bbw sp \@darg=\@pshscale\@darg
+ \edef\@pswidth{\number\@darg}
+ \else
+ \compute@hfromw
+ \fi
+ \else
+ \ifnum\@pswidth=\z@
+ \compute@wfromh
+ \fi
+ \fi
+}
+{\catcode`\p=12\catcode`\t=12
+\gdef\remove@dim@frac#1.#2pt{#1}}
+
+%
+% \epsfile
+% usage : \epsfile{file=, height=, width=}
+% usage : \epsfile{file=, scale=}
+% usage : \epsfile{file=, vscale=, hscale=}
+%
+\def\epsfile{\@ifnextchar[{\@epsfile}{\@epsfile[]}}
+\def\@epsfile[#1]#2{{
+ \parse@ps@parms{#2}
+ \compute@handw
+ {\@arga=\@pswidth \divide\@arga by 186468\relax
+ \@argb=\@psheight \divide\@argb by 186468\relax
+ \message{becomes \the\@arga mm x \the\@argb mm}}
+ \@arga=\@psheight \divide\@arga by 65782\relax
+ \edef\@psvsize{\number\@arga}
+ \@arga=\@pswidth \divide\@arga by 65782\relax
+ \edef\@pshsize{\number\@arga}
+ \leavevmode
+ \ifnum\@pswidth>\z@
+ \hbox to \@pswidth sp\bgroup
+ \else
+ \hbox to -\@pswidth sp\bgroup
+ \hfill
+ \fi
+ \ifnum\@psheight>\z@
+ \vrule\@width\z@\@height\@psheight sp \@depth\z@
+ \raise\@psheight sp
+ \else
+ \vrule\@width\z@\@height-\@psheight sp \@depth\z@
+ \fi
+ \hbox to\z@\bgroup
+ \ifnum\@psheight=\z@
+ \ifnum\@pswidth=\z@
+ \edef\epsf@tmpa{\@pshscale,\@psvscale}
+ \edef\epsf@tmp{1,1}
+ \ifx\epsf@tmpa\epsf@tmp
+ \special{epsfile=\@psfile \space}
+ \else
+ \special{epsfile=\@psfile \space
+ vscale=\@psvscale \space hscale=\@pshscale \space}
+ \fi
+ \else
+ \special{epsfile=\@psfile \space hsize=\@pshsize \space}
+ \fi
+ \else
+ \ifnum\@pswidth=\z@
+ \special{epsfile=\@psfile \space vsize=\@psvsize \space}
+ \else
+ \special{epsfile=\@psfile \space
+ hsize=\@pshsize \space vsize=\@psvsize \space}
+ \fi
+ \fi
+ \egroup
+ \ifnum\@psheight>\z@
+ \vrule\@width\z@\@height\@psheight sp \@depth\z@
+ \else
+ \vrule\@width\z@\@height-\@psheight sp \@depth\z@
+ \raise-\@psheight sp
+ \fi
+ \hbox to\z@{#1}\hfil
+ \egroup
+}}
+
+% You can put anything on the original picture.
+% \epsfat puts it on the correct position
+% even if you change the picture size.
+
+\def\epsfat(#1,#2)#3{\@killglue{
+ \@darg=#1 \edef\epsf@atx{\number\@darg}
+ \ifnum\@pswidth>\z@
+ \in@hundreds{\epsf@atx}{\@pswidth}{\@bbw}
+ \edef\epsf@atx{\@result}
+ \else
+ \in@hundreds{\epsf@atx}{-\@pswidth}{\@bbw}
+ \edef\epsf@atx{\number-\@result}
+ \fi
+ \@darg=#2 \edef\epsf@aty{\number\@darg}
+ \ifnum\@psheight>\z@
+ \in@hundreds{\epsf@aty}{\@psheight}{\@bbh}
+ \edef\epsf@aty{\@result}
+ \else
+ \in@hundreds{\epsf@aty}{-\@psheight}{\@bbh}
+ \edef\epsf@aty{\number-\@result}
+ \fi
+ \smash{\raise\epsf@aty sp
+ \hbox to \z@{\kern\epsf@atx sp\relax#3\hss}}}\ignorespaces}
+
+\endlinechar=13\relax
+\endinput
diff --git a/2004/netfilter-failover-ols2004/OLS2004-proceedings/TEMPLATES/lineno.sty b/2004/netfilter-failover-ols2004/OLS2004-proceedings/TEMPLATES/lineno.sty
new file mode 100644
index 0000000..dcd6cd8
--- /dev/null
+++ b/2004/netfilter-failover-ols2004/OLS2004-proceedings/TEMPLATES/lineno.sty
@@ -0,0 +1,1517 @@
+\iffalse; awk '/S[H]ELL/' lineno.sty|sh;exit;\fi
+%%% To pretty-print this file, feed it to a unix shell!
+%%%
+%%% $Id: lineno.sty,v 1.1 2002/04/29 22:21:32 sjw Exp $
+%%%
+%%% Copyright 1995--2001 Stephan I. B"ottcher <stephan@nevis.columbia.edu>
+%%%
+%%% This program can be redistributed and/or modified under the terms
+%%% of the LaTeX Project Public License Distributed from CTAN
+%%% archives in directory macros/latex/base/lppl.txt; either
+%%% version 1 of the License, or any later version.
+%%%
+% \documentclass[a4paper,12pt]{article}%D
+% \usepackage{lineno}%D
+%
+% \title{
+% \texttt{\itshape
+% lineno.sty \ v3.08b 2002/02/27
+% }\\\ \\
+% A \LaTeX\ package to attach
+% \\ Line numbers to paragraphs
+% }\author{
+% Stephan I. B\"ottcher
+% }\date{
+% stephan@nevis.columbia.edu
+%% \\ Stephan.Boettcher@desy.de
+%% \\ Stephan.Boettcher@cern.ch
+% \\}
+%
+%
+% \def~{\verb~}
+% \catcode`\<\catcode`\~
+% \def<#1>{$\langle${\itshape#1}\/$\rangle$}
+% \catcode`\|\catcode`\~
+% \def|#1{{\ttfamily\string#1}}
+% \newenvironment{code}
+% {\par\runninglinenumbers
+% \modulolinenumbers[1]
+% \linenumbersep.3em
+% \footnotesize
+% \def\linenumberfont
+% {\normalfont\tiny\itshape}}
+% {}
+%
+% \begin{document}%D
+%% \DocInput{lineno.doc}%D
+% \pagewiselinenumbers
+% \maketitle
+% \tableofcontents
+% \sloppy
+%
+%
+%
+% \section{
+% Introduction
+% }
+% This package provides line numbers on paragraphs.
+% After \TeX\ has broken a paragraph into lines there will
+% be line numbers attached to them, with the possibility to
+% make references through the \LaTeX\ ~\ref~, ~\pageref~
+% cross reference mechanism. This includes four issues:
+% \begin{itemize}
+% \item attach a line number on each line,
+% \item create references to a line number,
+% \item control line numbering mode,
+% \item count the lines and print the numbers.
+% \end{itemize}
+% The first two points are implemented through patches to
+% the output routine. The third by redefining ~\par~, ~\@par~
+% and ~\@@par~. The counting is easy, as long as you want
+% the line numbers run through the text. If they shall
+% start over at the top of each page, the aux-file as well
+% as \TeX s memory have to carry a load for each counted line.
+%
+% I wrote this package for my wife Petra, who needs it for
+% transcriptions of interviews. This allows her to
+% precisely refer to passages in the text. It works well
+% together with ~\marginpar~s, but not to well with displaymath.
+% ~\footnote~s are a problem, especially when they
+% are split, but we may get there.
+%
+% lineno.sty works
+% surprisingly well with other packages, for
+% example, ~wrapfig.sty~. So please try if it
+% works with whatever you need, and if it does,
+% please tell me, and if it does not, tell me as
+% well, so I can try to fix it.
+%
+% This style option is written for \LaTeXe, later than November 1994,
+% since we need the ~\protected@write~ macro.
+
+\NeedsTeXFormat{LaTeX2e}[1994/11/04]
+\ProvidesPackage{lineno}
+ [2002/01/27 line numbers on paragraphs v3.08b]
+
+%% v1.00 1995/03/31 SIB: first release for Petras interview transcriptions
+%% v1.01 1995/10/28 SIB: added ~pagewise~ mode
+%% v1.02 1995/11/15 SIB: added ~modulo~ option
+%% v1.03 1995/12/05 SIB: pagewise: try to reduce the hash-size requirements
+%% v2.00 1995/12/06 SIB: .. it works, new user interface
+%% v2.01 1996/09/17 SIB: put into CVS
+%% v2.02 1997/03/17 SIB: add: \@reinserts, for footnotes
+%% v2.04 1998/03/09 SIB: add: linenomath environment
+%% v2.05 1998/04/26 SIB: add: prevgraf test
+%% v2.06 1999/03/02 SIB: LPPL added
+%% v3.00 1999/06/11 SiB: include the extension in the main file
+%% v3.01 1999/08/28 SiB: \@reinserts -> \holdinginserts
+%% v3.02 2000/03/10 SiB: \@LN@output
+%% v3.03 2000/07/01 SiB: \@LN@ExtraLabelItems, hyperref
+%% v3.04 2000/12/17 SiB: longtable compatibility.
+%% v3.05 2001/01/02 SiB: [fleqn] detection.
+%% v3.05a 2001/01/04 SiB: [fleqn] detection reverted for eqnarray.
+%% v3.06 2001/01/17 SiB: [twocolumn] mode support.
+%% v3.07 2001/07/30 SiB: [hyperref] option obsoleted.
+%% v3.08 2001/08/02 SiB: linenomath wrapping for \[ \]
+%% v3.08a 2001/08/04 SiB: linenomath wrapping for \[ \] fixed
+%% v3.08b 2002/01/27 SiB: enquotation typo fix
+%%
+%% Acknowledgements:
+%% v3.06: Donald Arseneau, pointed to mparhack.sty.
+%% v3.07+: Frank Mittelbach, points out inconsistencies in the
+%% user interface.
+%
+% \section{
+% Put the line numbers to the lines
+% }
+% The line numbers have to be attached by the output
+% routine. We simply set the ~\interlinepenalty~ to -100000.
+% The output routine will be called after each line in the
+% paragraph, except the last, where we trigger by ~\par~.
+% The ~\linenopenalty~ is small enough to compensate a bunch of
+% penalties (e.g., with ~\samepage~).
+%
+% (New v3.04) Longtable uses
+% ~\penaly~-30000. The lineno penalty range was
+% shrunk to $-188000 \dots -32000$. (/New v3.04)
+
+\newcount\linenopenalty\linenopenalty=-100000
+\mathchardef\linenopenaltypar=32000
+
+% So let's make a hook to ~\output~, the direct way. The \LaTeX\
+% macro ~\@reinserts~ puts the footnotes back on the page.
+%
+% (New v3.01) ~\@reinserts~ badly
+% screws up split footnotes. The bottom part is
+% still on the recent contributions list, and the
+% top part will be put back there after the bottom
+% part. Thus, since lineno.sty does not play well
+% with ~\inserts~ anyway, we can safely experiment
+% with ~\holdinginserts~, without making things
+% much worse.
+%
+% Or that's what I thought, but: Just activating
+% ~\holdinginserts~ while doing the ~\par~ will
+% not do the trick: The ~\output~ routine may be
+% called for a real page break before all line
+% numbers are done, and how can we get control
+% over ~\holdinginserts~ at that point?
+%
+% Let's try this: When the ~\output~ routine is
+% run with ~\holdinginserts=3~ for a real page
+% break, then we reset ~\holdinginserts~ and
+% restart ~\output~.
+%
+% Then, again, how do we keep the remaining
+% ~\inserts~ while doing further line numbers?
+%
+% If we find ~\holdinginserts~=-3 we activate it again
+% after doing ~\output~. (/New v3.01)
+%
+% (New v3.02) To work with
+% multicol.sty, the original output routine is now
+% called indirectly, instead of being replaced.
+% When multicol.sty changes ~\output~, it is a
+% toks register, not the real thing. (/New v3.02)
+
+\let\@LN@output\output
+\newtoks\output
+\output=\expandafter{\the\@LN@output}
+\@LN@output={%
+ \LineNoTest
+ \if@tempswa
+ \LineNoHoldInsertsTest
+ \if@tempswa
+ \if@twocolumn\let\@makecol\@LN@makecol\fi
+ \the\output
+ \ifnum\holdinginserts=-3
+ \global\holdinginserts 3
+ \fi
+ \else
+ \global\holdinginserts-3
+ \unvbox\@cclv
+ \ifnum\outputpenalty=10000\else
+ \penalty\outputpenalty
+ \fi
+ \fi
+ \else
+ \MakeLineNo
+ \fi
+ }
+
+% The float mechanism inserts ~\interlinepenalty~s during
+% ~\output~. So carefully reset it before going on. Else
+% we get doubled line numbers on every float placed in
+% horizontal mode, e.g, from ~\linelabel~.
+%
+% Sorry, neither a ~\linelabel~ nor a ~\marginpar~ should
+% insert a penalty, else the following linenumber
+% could go to the next page. Nor should any other
+% float. So let us suppress the ~\interlinepenalty~
+% altogether with the ~\@nobreak~ switch.
+%
+% Since (ltspace.dtx, v1.2p)[1996/07/26], the ~\@nobreaktrue~ does
+% it's job globally. We need to do it locally here.
+
+\def\LineNoTest{%
+ \let\@@par\@@@par
+ \ifnum\interlinepenalty<-\linenopenaltypar
+ \advance\interlinepenalty-\linenopenalty
+ \my@nobreaktrue
+ \fi
+ \@tempswatrue
+ \ifnum\outputpenalty>-\linenopenaltypar\else
+ \ifnum\outputpenalty>-188000\relax
+ \@tempswafalse
+ \fi
+ \fi
+ }
+
+\def\my@nobreaktrue{\let\if@nobreak\iftrue}
+
+\def\LineNoHoldInsertsTest{%
+ \ifnum\holdinginserts=3\relax
+ \@tempswafalse
+ \fi
+ }
+
+% We have to return all the page to the current page, and
+% add a box with the line number, without adding
+% breakpoints, glue or space. The depth of our line number
+% should be equal to the previous depth of the page, in
+% case the page breaks here, and the box has to be moved up
+% by that depth.
+%
+% The ~\interlinepenalty~ comes after the ~\vadjust~ from a
+% ~\linelabel~, so we increment the line number \emph{after}
+% printing it. The macro ~\makeLineNumber~ produces the
+% text of the line number, see section \ref{appearance}.
+%
+% Finally we put in the natural ~\interlinepenalty~, except
+% after the last line.
+
+\def\MakeLineNo{\@tempdima\dp\@cclv \unvbox\@cclv
+ \sbox\@tempboxa{\hbox to\z@{\makeLineNumber}}%
+ \stepcounter{linenumber}%
+ \dp\@tempboxa=\@tempdima\ht\@tempboxa=\z@
+ \nointerlineskip\kern-\@tempdima\box\@tempboxa
+ \ifnum\outputpenalty=-\linenopenaltypar\else
+ \@tempcnta\outputpenalty
+ \advance\@tempcnta -\linenopenalty
+ \penalty\@tempcnta
+ \fi
+ }
+
+%
+%
+% \section{
+% Control line numbering
+% }
+% The line numbering is controlled via ~\par~. \LaTeX\
+% saved the \TeX-primitive ~\par~ in ~\@@par~. We push it
+% one level further out, and redefine ~\@@par~ to insert
+% the ~\interlinepenalty~ needed to trigger the
+% line numbering. And we need to allow pagebreaks after a
+% paragraph.
+%
+% New (2.05beta): the prevgraf test. A paragraph that ends with a
+% displayed equation, a ~\noindent\par~ or ~wrapfig.sty~ produce empty
+% paragraphs. These should not get a spurious line number via
+% ~\linenopenaltypar~.
+
+\let\@@@par\@@par
+\newcount\linenoprevgraf
+
+\def\linenumberpar{\ifvmode\@@@par\else\ifinner\@@@par\else
+ \advance\interlinepenalty \linenopenalty
+ \linenoprevgraf\prevgraf
+ \global\holdinginserts3%
+ \@@@par
+ \ifnum\prevgraf>\linenoprevgraf
+ \penalty-\linenopenaltypar
+ \fi
+ \kern\z@
+ \global\holdinginserts0%
+ \advance\interlinepenalty -\linenopenalty
+ \fi\fi
+ }
+
+% The basic commands to enable and disable line numbers.
+% ~\@par~ and ~\par~ are only touched, when they are ~\let~
+% to ~\@@@par~/~\linenumberpar~. The line number may be
+% reset to 1 with the star-form, or set by an optional
+% argument ~[~<number>~]~.
+
+\def\linenumbers{\let\@@par\linenumberpar
+ \ifx\@par\@@@par\let\@par\linenumberpar\fi
+ \ifx\par\@@@par\let\par\linenumberpar\fi
+ \@ifnextchar[{\resetlinenumber}%]
+ {\@ifstar{\resetlinenumber}{}}%
+ }
+
+\def\nolinenumbers{\let\@@par\@@@par
+ \ifx\@par\linenumberpar\let\@par\@@@par\fi
+ \ifx\par\linenumberpar\let\par\@@@par\fi
+ }
+
+% What happens with a display math? Since ~\par~ is not executed,
+% when breaking the lines before a display, they will not get
+% line numbers. Sorry, but I do not dare to change
+% ~\interlinepenalty~ globally, nor do I want to redefine
+% the display math environments here.
+% \begin{displaymath}
+% display \ math
+% \end{displaymath}
+% See the subsection below, for a wrapper enviroment to make
+% it work. But that requires to wrap each and every display
+% in your LaTeX source.
+%
+% The next two commands are provided to turn on line
+% numbering in a specific mode. Please note the difference:
+% for pagewise numbering, ~\linenumbers~ comes first to
+% inhibit it from seeing optional arguments, since
+% re-/presetting the counter is useless.
+
+\def\pagewiselinenumbers{\linenumbers\setpagewiselinenumbers}
+\def\runninglinenumbers{\setrunninglinenumbers\linenumbers}
+
+% Finally, it is a \LaTeX\ style, so we provide for the use
+% of environments, including the suppression of the
+% following paragraph's indentation.
+
+%%% TO DO: add \par to \linenumbers, if called from an environment.
+%%% To DO: add an \@endpe hack if \linenumbers are turned on
+%%% in horizontal mode. {\par\parskip\z@\noindent} or
+%%% something.
+
+\@namedef{linenumbers*}{\par\linenumbers*}
+\@namedef{runninglinenumbers*}{\par\runninglinenumbers*}
+
+\def\endlinenumbers{\par\@endpetrue}
+\let\endrunninglinenumbers\endlinenumbers
+\let\endpagewiselinenumbers\endlinenumbers
+\expandafter\let\csname endlinenumbers*\endcsname\endlinenumbers
+\expandafter\let\csname endrunninglinenumbers*\endcsname\endlinenumbers
+\let\endnolinenumbers\endlinenumbers
+
+%
+% \subsection{
+% Display math
+% }
+%
+% Now we tackle the problem to get display math working.
+% There are different options.
+% \begin{enumerate}\item[
+% 1.] Precede every display math with a ~\par~.
+% Not too good.
+% \item[
+% 2.] Change ~\interlinepenalty~ and associates globally.
+% Unstable.
+% \item[
+% 3.] Wrap each display math with a ~{linenomath}~
+% environment.
+% \end{enumerate}
+% We'll go for option 3. See if it works:
+% \begin{linenomath}
+% \begin{equation}
+% display \ math
+% \end{equation}
+% \end{linenomath}
+% The star form ~{linenomath*}~ should also number the lines
+% of the display itself,
+% \begin{linenomath*}
+% \begin{eqnarray}
+% multi && line \\
+% display && math \\
+% &
+% \begin{array}{c}
+% with \\
+% array
+% \end{array}
+% &
+% \end{eqnarray}
+% \end{linenomath*}
+% including multline displays.
+%
+% First, here are two macros to turn
+% on linenumbering on paragraphs preceeding displays, with
+% numbering the lines of the display itself, or without.
+% The ~\ifx..~ tests if line numbering is turned on. It
+% does not harm to add these wrappers in sections that are
+% not numbered. Nor does it harm to wrap a display
+% twice, e.q, in case you have some ~{equation}~s wrapped
+% explicitely, and later you redefine ~\equation~ to do it
+% automatically.
+
+\newcommand\linenomathNonumbers{%
+ \ifx\@@par\@@@par\else
+ \ifnum\interlinepenalty>-\linenopenaltypar
+ \global\holdinginserts3%
+ \advance\interlinepenalty \linenopenalty
+ \advance\predisplaypenalty \linenopenalty
+ \fi
+ \fi
+ \ignorespaces
+ }
+
+\newcommand\linenomathWithnumbers{%
+ \ifx\@@par\@@@par\else
+ \ifnum\interlinepenalty>-\linenopenaltypar
+ \global\holdinginserts3%
+ \advance\interlinepenalty \linenopenalty
+ \advance\predisplaypenalty \linenopenalty
+ \advance\postdisplaypenalty \linenopenalty
+ \advance\interdisplaylinepenalty \linenopenalty
+ \fi
+ \fi
+ \ignorespaces
+ }
+
+% The ~{linenomath}~ environment has two forms, with and
+% without a star. The following two macros define the
+% environment, where the stared/non-stared form does/doesn't number the
+% lines of the display or vice versa.
+
+\newcommand\linenumberdisplaymath{%
+ \def\linenomath{\linenomathWithnumbers}%
+ \@namedef{linenomath*}{\linenomathNonumbers}%
+ }
+
+\newcommand\nolinenumberdisplaymath{%
+ \def\linenomath{\linenomathNonumbers}%
+ \@namedef{linenomath*}{\linenomathWithnumbers}%
+ }
+
+\def\endlinenomath{%
+ \global\holdinginserts0
+ \@ignoretrue
+}
+\expandafter\let\csname endlinenomath*\endcsname\endlinenomath
+
+% The default is not to number the lines of a display. But
+% the package option ~mathlines~ may be used to switch
+% that behavior.
+
+\nolinenumberdisplaymath
+
+%
+%
+% \section{
+% Line number references
+% }
+% The only way to get a label to a line number in a
+% paragraph is to ask the output routine to mark it.
+%
+% We use the marginpar mechanism to hook to ~\output~ for a
+% second time. Marginpars are floats with number $-1$, we
+% fake marginpars with No $-2$. Originally, every negative
+% numbered float was considered to be a marginpar.
+%
+% The float box number ~\@currbox~ is used to transfer the
+% label name in a macro called ~\@LNL@~<box-number>.
+%
+% A ~\newlabel~ is written to the aux-file. The reference
+% is to ~\theLineNumber~, \emph{not} ~\thelinenumber~.
+% This allows to hook in, as done below for pagewise line
+% numbering.
+%
+% (New v3.03) The ~\@LN@ExtraLabelItems~ are added for a hook
+% to keep packages like ~{hyperref}~ happy. (/New v3.03)
+
+\let\@LN@addmarginpar\@addmarginpar
+\def\@addmarginpar{%
+ \ifnum\count\@currbox>-2\relax
+ \expandafter\@LN@addmarginpar
+ \else
+ \@cons\@freelist\@currbox
+ \protected@write\@auxout{}{%
+ \string\newlabel
+ {\csname @LNL@\the\@currbox\endcsname}%
+ {{\theLineNumber}{\thepage}\@LN@ExtraLabelItems}}%
+ \fi}
+
+\let\@LN@ExtraLabelItems\@empty
+
+% \subsection{
+% The linelabel command
+% }
+% To refer to a place in line ~\ref{~<foo>~}~ at page
+% ~\pageref{~<foo>~}~ you place a ~\linelabel{~<foo>~}~ at
+% that place.
+%
+% \linelabel{demo}
+% \marginpar{\tiny\raggedright
+% See if it works: This paragraph
+% starts on page \pageref{demo}, line
+% \ref{demo}.
+% }%
+% If you use this command outside a ~\linenumbers~
+% paragraph, you will get references to some bogus
+% line numbers, sorry. But we don't disable the command,
+% because only the ~\par~ at the end of a paragraph may
+% decides whether to print line numbers on this paragraph
+% or not. A ~\linelabel~ may legally appear earlier than
+% ~\linenumbers~.
+%
+% ~\linelabel~, via a fake float number $-2$, puts a
+% ~\penalty~ into a ~\vadjust~, which triggers the
+% pagebuilder after putting the current line to the main
+% vertical list. A ~\write~ is placed on the main vertical
+% list, which prints a reference to the current value of
+% ~\thelinenumber~ and ~\thepage~ at the time of the
+% ~\shipout~.
+%
+% A ~\linelabel~ is allowed only in outer horizontal mode.
+% In outer vertical mode we start a paragraph, and ignore
+% trailing spaces (by fooling ~\@esphack~).
+%
+% The argument of ~\linelabel~ is put into a macro with a
+% name derived from the number of the allocated float box.
+% Much of the rest is dummy float setup.
+
+\def\linelabel#1{%
+ \ifvmode
+ \ifinner \else
+ \leavevmode \@bsphack \@savsk\p@
+ \fi
+ \else
+ \@bsphack
+ \fi
+ \ifhmode
+ \ifinner
+ \@parmoderr
+ \else
+ \@floatpenalty -\@Mii
+ \@next\@currbox\@freelist
+ {\global\count\@currbox-2%
+ \expandafter\gdef\csname @LNL@\the\@currbox\endcsname{#1}}%
+ {\@floatpenalty\z@ \@fltovf \def\@currbox{\@tempboxa}}%
+ \begingroup
+ \setbox\@currbox \color@vbox \vbox \bgroup \end@float
+ \endgroup
+ \@ignorefalse \@esphack
+ \fi
+ \else
+ \@parmoderr
+ \fi
+ }
+
+% \modulolinenumbers[3]
+% \section{
+% The appearance of the line numbers
+% }\label{appearance}
+% The line numbers are set as ~\tiny\sffamily\arabic{linenumber}~,
+% $10pt$ left of the text. With options to place it
+% right of the text, or . . .
+%
+% . . . here are the hooks:
+
+\def\makeLineNumberLeft{\hss\linenumberfont\LineNumber\hskip\linenumbersep}
+
+\def\makeLineNumberRight{\linenumberfont\hskip\linenumbersep\hskip\columnwidth
+ \hbox to\linenumberwidth{\hss\LineNumber}\hss}
+
+\def\linenumberfont{\normalfont\tiny\sffamily}
+
+\newdimen\linenumbersep
+\newdimen\linenumberwidth
+
+\linenumberwidth=10pt
+\linenumbersep=10pt
+
+% Margin switching requires ~pagewise~ numbering mode, but
+% choosing the left or right margin for the numbers always
+% works.
+
+\def\switchlinenumbers{\@ifstar
+ {\let\makeLineNumberOdd\makeLineNumberRight
+ \let\makeLineNumberEven\makeLineNumberLeft}%
+ {\let\makeLineNumberOdd\makeLineNumberLeft
+ \let\makeLineNumberEven\makeLineNumberRight}%
+ }
+
+\def\setmakelinenumbers#1{\@ifstar
+ {\let\makeLineNumberRunning#1%
+ \let\makeLineNumberOdd#1%
+ \let\makeLineNumberEven#1}%
+ {\ifx\c@linenumber\c@runninglinenumber
+ \let\makeLineNumberRunning#1%
+ \else
+ \let\makeLineNumberOdd#1%
+ \let\makeLineNumberEven#1%
+ \fi}%
+ }
+
+\def\leftlinenumbers{\setmakelinenumbers\makeLineNumberLeft}
+\def\rightlinenumbers{\setmakelinenumbers\makeLineNumberRight}
+
+\leftlinenumbers*
+
+% ~\LineNumber~ is a hook which is used for the modulo stuff.
+% It is the command to use for the line number, when you
+% customizes ~\makeLineNumber~. Use ~\thelinenumber~ to
+% change the outfit of the digits.
+%
+%
+% We will implement two modes of operation:
+% \begin{itemize}
+% \item numbers ~running~ through (parts of) the text
+% \item ~pagewise~ numbers starting over with one on top of
+% each page.
+% \end{itemize}
+% Both modes have their own count register, but only one is
+% allocated as a \LaTeX\ counter, with the attached
+% facilities serving both.
+
+\newcounter{linenumber}
+\newcount\c@pagewiselinenumber
+\let\c@runninglinenumber\c@linenumber
+
+% Only the running mode counter may be reset, or preset,
+% for individual paragraphs. The pagewise counter must
+% give a unique anonymous number for each line.
+
+\newcommand\resetlinenumber[1][1]{\c@runninglinenumber#1}
+
+% \subsection{
+% Running line numbers
+% }
+% Running mode is easy, ~\LineNumber~ and ~\theLineNumber~
+% produce ~\thelinenumber~, which defaults to
+% ~\arabic{linenumber}~, using the ~\c@runninglinenumber~
+% counter. This is the default mode of operation.
+
+\def\makeRunningLineNumber{\makeLineNumberRunning}
+
+\def\setrunninglinenumbers{%
+ \def\theLineNumber{\thelinenumber}%
+ \let\c@linenumber\c@runninglinenumber
+ \let\makeLineNumber\makeRunningLineNumber
+ }
+
+\setrunninglinenumbers\resetlinenumber
+
+%
+%
+% \subsection{
+% Pagewise line numbers
+% }
+% Difficult, if you think about it. The number has to be
+% printed when there is no means to know on which page it
+% will end up, except through the aux-file. My solution
+% is really expensive, but quite robust.
+%
+% With version ~v2.00~ the hashsize requirements are
+% reduced, because we do not need one controlsequence for
+% each line any more. But this costs some computation time
+% to find out on which page we are.
+%
+% ~\makeLineNumber~ gets a hook to log the line and page
+% number to the aux-file. Another hook tries to find out
+% what the page offset is, and subtracts it from the counter
+% ~\c@linenumber~. Additionally, the switch
+% ~\ifoddNumberedPage~ is set true for odd numbered pages,
+% false otherwise.
+
+\def\setpagewiselinenumbers{%
+ \let\theLineNumber\thePagewiseLineNumber
+ \let\c@linenumber\c@pagewiselinenumber
+ \let\makeLineNumber\makePagewiseLineNumber
+ }
+
+\def\makePagewiseLineNumber{\logtheLineNumber\getLineNumber
+ \ifoddNumberedPage
+ \makeLineNumberOdd
+ \else
+ \makeLineNumberEven
+ \fi
+ }
+
+% Each numbered line gives a line to the aux file
+% \begin{verse}
+% ~\@LN{~<line>~}{~<page>~}~
+% \end{verse}
+% very similar to the ~\newlabel~ business, except that we need
+% an arabic representation of the page number, not what
+% there might else be in ~\thepage~.
+
+\def\logtheLineNumber{\protected@write\@auxout{}{%
+ \string\@LN{\the\c@linenumber}{\noexpand\the\c@page}}}
+
+% From the aux-file we get one macro ~\LN@P~<page> for each
+% page with line numbers on it. This macro calls four other
+% macros with one argument each. These macros are
+% dynamically defined to do tests and actions, to find out
+% on which page the current line number is located.
+%
+% We need sort of a pointer to the first page with line
+% numbers, initiallized to point to nothing:
+
+\def\LastNumberedPage{first}
+\def\LN@Pfirst{\nextLN\relax}
+
+% The four dynamic macros are initiallized to reproduce
+% themselves in an ~\xdef~
+
+\let\lastLN\relax % compare to last line on this page
+\let\firstLN\relax % compare to first line on this page
+\let\pageLN\relax % get the page number, compute the linenumber
+\let\nextLN\relax % move to the next page
+
+% During the end-document run through the aux-files, we
+% disable ~\@LN~. I may put in a check here later, to give
+% a rerun recommendation.
+
+\AtEndDocument{\let\@LN\@gobbletwo}
+
+% Now, this is the tricky part. First of all, the whole
+% definition of ~\@LN~ is grouped, to avoid accumulation
+% on the save stack. Somehow ~\csname~<cs>~\endcsname~ pushes
+% an entry, which stays after an ~\xdef~ to that <cs>.
+%
+% If ~\LN@P~<page> is undefined, initialize it with the
+% current page and line number, with the
+% \emph{pointer-to-the-next-page} pointing to nothing. And
+% the macro for the previous page will be redefined to point
+% to the current one.
+%
+% If the macro for the current page already exists, just
+% redefine the \emph{last-line-number} entry.
+%
+% Finally, save the current page number, to get the pointer to the
+% following page later.
+
+\def\@LN#1#2{{\expandafter\@@LN
+ \csname LN@P#2C\@LN@column\expandafter\endcsname
+ \csname LN@PO#2\endcsname
+ {#1}{#2}}}
+
+\def\@@LN#1#2#3#4{\ifx#1\relax
+ \ifx#2\relax\gdef#2{#3}\fi
+ \expandafter\@@@LN\csname LN@P\LastNumberedPage\endcsname#1
+ \xdef#1{\lastLN{#3}\firstLN{#3}\pageLN{#4}{\@LN@column}{#2}\nextLN\relax}%
+ \else
+ \def\lastLN##1{\noexpand\lastLN{#3}}%
+ \xdef#1{#1}%
+ \fi
+ \xdef\LastNumberedPage{#4C\@LN@column}}
+
+% The previous page macro gets its pointer to the
+% current one, replacing the ~\relax~ with the cs-token
+% ~\LN@P~<page>.
+
+\def\@@@LN#1#2{{\def\nextLN##1{\noexpand\nextLN\noexpand#2}%
+ \xdef#1{#1}}}
+
+% Now, to print a line number, we need to find the page,
+% where it resides. This will most probably be the page where
+% the last one came from, or maybe the next page. However, it can
+% be a completely different one. We maintain a cache,
+% which is ~\let~ to the last page's macro. But for now
+% it is initialized to expand ~\LN@first~, where the poiner
+% to the first numbered page has been stored in.
+
+\def\NumberedPageCache{\LN@Pfirst}
+
+% To find out on which page the current ~\c@linenumber~ is,
+% we define the four dynamic macros to do something usefull
+% and execute the current cache macro. ~\lastLN~ is run
+% first, testing if the line number in question may be on a
+% later page. If so, disable ~\firstLN~, and go on to the
+% next page via ~\nextLN~.
+
+\def\testLastNumberedPage#1{\ifnum#1<\c@linenumber
+ \let\firstLN\@gobble
+ \fi}
+
+% Else, if ~\firstLN~ finds out that we need an earlier
+% page, we start over from the beginning. Else, ~\nextLN~
+% will be disabled, and ~\pageLN~ will run
+% ~\gotNumberedPage~ with four arguments: the first line
+% number on this column, the page number, the column
+% number, and the first line on the page.
+
+\def\testFirstNumberedPage#1{\ifnum#1>\c@linenumber
+ \def\nextLN##1{\testNextNumberedPage\LN@Pfirst}%
+ \else
+ \let\nextLN\@gobble
+ \def\pageLN{\gotNumberedPage{#1}}%
+ \fi}
+
+% We start with ~\pageLN~ disabled and ~\nextLN~ defined to
+% continue the search with the next page.
+
+\long\def \@gobblethree #1#2#3{}
+
+\def\testNumberedPage{%
+ \let\lastLN\testLastNumberedPage
+ \let\firstLN\testFirstNumberedPage
+ \let\pageLN\@gobblethree
+ \let\nextLN\testNextNumberedPage
+ \NumberedPageCache
+ }
+
+% When we switch to another page, we first have to make
+% sure that it is there. If we are done with the last
+% page, we probably need to run \TeX\ again, but for the
+% rest of this run, the cache macro will just return four
+% zeros. This saves a lot of time, for example if you have
+% half of an aux-file from an aborted run, in the next run
+% the whole page-list would be searched in vain again and
+% again for the second half of the document.
+%
+% If there is another page, we iterate the search.
+
+\def\testNextNumberedPage#1{\ifx#1\relax
+ \global\def\NumberedPageCache{\gotNumberedPage0000}%
+ \PackageWarningNoLine{lineno}%
+ {Linenumber reference failed,
+ \MessageBreak rerun to get it right}%
+ \else
+ \global\let\NumberedPageCache#1%
+ \fi
+ \testNumberedPage
+ }
+
+% \linelabel{demo2}
+% \marginpar{\tiny\raggedright
+% Let's see if it finds the label
+% on page \pageref{demo},
+% line \ref{demo}, and back here
+% on page \pageref{demo2}, line
+% \ref{demo2}.
+% }%
+% To separate the official hooks from the internals there is
+% this equivalence, to hook in later for whatever purpose:
+
+\let\getLineNumber\testNumberedPage
+
+% So, now we got the page where the number is on. We
+% establish if we are on an odd or even page, and calculate
+% the final line number to be printed.
+
+\newif\ifoddNumberedPage
+\newif\ifcolumnwiselinenumbers
+\columnwiselinenumbersfalse
+
+\def\gotNumberedPage#1#2#3#4{\oddNumberedPagefalse
+ \ifodd \if@twocolumn #3\else #2\fi\relax\oddNumberedPagetrue\fi
+ \advance\c@linenumber 1\relax
+ \ifcolumnwiselinenumbers
+ \subtractlinenumberoffset{#1}%
+ \else
+ \subtractlinenumberoffset{#4}%
+ \fi
+ }
+
+% You might want to run the pagewise mode with running line
+% numbers, or you might not. It's your choice:
+
+\def\runningpagewiselinenumbers{%
+ \let\subtractlinenumberoffset\@gobble
+ }
+
+\def\realpagewiselinenumbers{%
+ \def\subtractlinenumberoffset##1{\advance\c@linenumber-##1\relax}%
+ }
+
+\realpagewiselinenumbers
+
+% For line number references, we need a protected call to
+% the whole procedure, with the requested line number stored
+% in the ~\c@linenumber~ counter. This is what gets printed
+% to the aux-file to make a label:
+
+\def\thePagewiseLineNumber{\protect
+ \getpagewiselinenumber{\the\c@linenumber}}%
+
+% And here is what happens when the label is refered to:
+
+\def\getpagewiselinenumber#1{{%
+ \c@linenumber #1\relax\testNumberedPage
+ \thelinenumber
+ }}
+
+% %
+% A summary of all per line expenses:
+% \begin{description}\item
+% [CPU:] The ~\output~ routine is called for each line,
+% and the page-search is done.
+% \item
+% [DISK:] One line of output to the aux-file for each
+% numbered line
+% \item
+% [MEM:] One macro per page. Great improvement over v1.02,
+% which had one control sequence per line in
+% addition. It blew the hash table after some five
+% thousand lines.
+% \end{description}
+%
+%
+%
+% \subsection{
+% Twocolumn mode (New v3.06)
+% }
+%
+% Twocolumn mode requires another patch to the ~\output~
+% routine, in order to print a column tag to the .aux
+% file.
+
+\let\@LN@orig@makecol\@makecol
+\def\@LN@makecol{%
+ \@LN@orig@makecol
+ \setbox\@outputbox \vbox{%
+ \boxmaxdepth \@maxdepth
+ \protected@write\@auxout{}{%
+ \string\@LN@col{\if@firstcolumn1\else2\fi}%
+ }%
+ \box\@outputbox
+ }% \vbox
+}
+
+\def\@LN@col#1{\def\@LN@column{#1}}
+\@LN@col{1}
+
+%
+%
+%
+% \subsection{
+% Numbering modulo 5
+% }
+% Most users want to have only one in five lines numbered.
+% ~\LineNumber~ is supposed to produce the outfit of the
+% line number attached to the line, while ~\thelinenumber~
+% is used also for references, which should appear even if
+% they are not multiples of five.
+
+\newcount\c@linenumbermodulo
+
+\def\themodulolinenumber{{\@tempcnta\c@linenumber
+ \divide\@tempcnta\c@linenumbermodulo
+ \multiply\@tempcnta\c@linenumbermodulo
+ \ifnum\@tempcnta=\c@linenumber\thelinenumber\fi
+ }}
+
+% The user command to set the modulo counter:
+
+\newcommand\modulolinenumbers[1][0]{%
+ \let\LineNumber\themodulolinenumber
+ \ifnum#1>1\relax
+ \c@linenumbermodulo#1\relax
+ \else\ifnum#1=1\relax
+ \def\LineNumber{\thelinenumber}%
+ \fi\fi
+ }
+
+\setcounter{linenumbermodulo}{5}
+\modulolinenumbers[1]
+
+%
+% \switchlinenumbers
+% \modulolinenumbers[1]
+% \section{
+% Package options
+% }
+% There is a bunch of package options, all of them
+% executing only user commands (see below).
+%
+% Options ~left~ (~right~) put the line numbers on the left
+% (right) margin. This works in all modes. ~left~ is the
+% default.
+
+\DeclareOption{left}{\leftlinenumbers*}
+
+\DeclareOption{right}{\rightlinenumbers*}
+
+% Option ~switch~ (~switch*~) puts the line numbers on the
+% outer (inner) margin of the text. This requires running
+% the pagewise mode, but we turn off the page offset
+% subtraction, getting sort of running numbers again. The
+% ~pagewise~ option may restore true pagewise mode later.
+
+\DeclareOption{switch}{\setpagewiselinenumbers
+ \switchlinenumbers
+ \runningpagewiselinenumbers}
+
+\DeclareOption{switch*}{\setpagewiselinenumbers
+ \switchlinenumbers*%
+ \runningpagewiselinenumbers}
+
+% In twocolumn mode, we can switch the line numbers to
+% the outer margin, and/or start with number 1 in each
+% column. Margin switching is covered by the ~switch~
+% options.
+
+\DeclareOption{columnwise}{\setpagewiselinenumbers
+ \columnwiselinenumberstrue
+ \realpagewiselinenumbers}
+
+% The options ~pagewise~ and ~running~ select the major
+% linenumber mechanism. ~running~ line numbers refer to a real
+% counter value, which can be reset for any paragraph,
+% even getting multiple paragraphs on one page starting
+% with line number one. ~pagewise~ line numbers get a
+% unique hidden number within the document, but with the
+% opportunity to establish the page on which they finally
+% come to rest. This allows the subtraction of the page
+% offset, getting the numbers starting with 1 on top of each
+% page, and margin switching in twoside formats becomes
+% possible. The default mode is ~running~.
+%
+% The order of declaration of the options is important here
+% ~pagewise~ must come after ~switch~, to overide running
+% pagewise mode. ~running~ comes last, to reset the running
+% line number mode, e.g, after selecting margin switch mode
+% for ~pagewise~ running. Once more, if you specify all
+% three of the options ~[switch,pagewise,running]~, the
+% result is almost nothing, but if you later say
+% ~\pagewiselinenumbers~, you get margin switching, with
+% real pagewise line numbers.
+%
+\DeclareOption{pagewise}{\setpagewiselinenumbers
+ \realpagewiselinenumbers}
+
+\DeclareOption{running}{\setrunninglinenumbers}
+
+% The option ~modulo~ causes only those linenumbers to be
+% printed which are multiples of five.
+
+\DeclareOption{modulo}{\modulolinenumbers\relax}
+
+% The package option ~mathlines~ switches the behavior of
+% the ~{linenomath}~ environment with its star-form.
+% Without this option, the ~{linenomath}~ environment does
+% not number the lines of the display, while the star-form
+% does. With this option, its just the opposite.
+%
+%%% 1999-06-10: renamed ~displaymath~ to ~mathlines~.
+
+\DeclareOption{mathlines}{\linenumberdisplaymath}
+
+% ~displaymath~ now calls for wrappers of the standard
+% LaTeX display math environment. This was previously
+% done by ~mlineno.sty~.
+
+\let\do@mlineno\relax
+\DeclareOption{displaymath}{\let\do@mlineno\@empty}
+
+% The ~hyperref~ package, via ~nameref~, requires three more
+% groups in the second argment of a ~\newlabel~. Well, why
+% shouldn't it get them? (New v3.07) The presencs of the
+% ~nameref~ package is now detected automatically
+% ~\AtBeginDocument~. (/New v3.07)
+
+\DeclareOption{hyperref}{\PackageWarningNoLine{lineno}{%
+ Option [hyperref] is obsolete.
+ \MessageBreak The hyperref package is detected automatically.}}
+
+\AtBeginDocument{%
+ \@ifpackageloaded{nameref}{%
+ \def\@LN@ExtraLabelItems{{}{}{}}}}
+
+\ProcessOptions
+
+% \subsection{
+% Package Extensions
+% }
+%
+% The extensions in this section were previously supplied
+% in seperate ~.sty~ files.
+%
+% \subsubsection{
+% $display math$
+% }
+%
+% The standard \LaTeX\ display math environments are
+% wrapped in a ~{linenomath}~ environment.
+%
+% (New 3.05) The ~[fleqn]~ option of the standard
+% \LaTeX\ classes defines the display math
+% environments such that line numbers appear just
+% fine. Thus, we need not do any tricks when
+% ~[fleqn]~ is loaded, as indicated by presents of
+% the ~\mathindent~ register. (/New 3.05)
+%
+% (New 3.05a) for ~{eqnarray}~s we rather keep the
+% old trick. (/New 3.05a)
+%
+% (New 3.08) Wrap ~\[~ and ~\]~ into ~{linenomath}~,
+% instead of ~{displaymath}~. Also save the definition
+% of ~\equation~, instead of replicating the current
+% \LaTeX\ definition. (/New 3.08)
+
+\ifx\do@mlineno\@empty
+ \@ifundefined{mathindent}{
+
+ \let\LN@displaymath\[
+ \let\LN@enddisplaymath\]
+ \renewcommand\[{\begin{linenomath}\LN@displaymath}
+ \renewcommand\]{\LN@enddisplaymath\end{linenomath}}
+
+ \let\LN@equation\equation
+ \let\LN@endequation\endequation
+ \renewenvironment{equation}
+ {\linenomath\LN@equation}
+ {\LN@endequation\endlinenomath}
+
+ }% \@ifundefined{mathindent}
+
+ \let\LN@eqnarray\eqnarray
+ \let\LN@endeqnarray\endeqnarray
+ \renewenvironment{eqnarray}
+ {\linenomath\LN@eqnarray}
+ {\LN@endeqnarray\endlinenomath}
+
+\fi
+
+% \subsubsection{
+% Line numbers in internal vertical mode
+% }
+%
+% The command ~\internallinenumbers~ adds line numbers in
+% internal vertical mode, but with limitations: we assume
+% fixed baseline skip.
+
+\def\internallinenumbers{\setrunninglinenumbers
+ \let\@@par\internallinenumberpar
+ \ifx\@par\@@@par\let\@par\internallinenumberpar\fi
+ \ifx\par\@@@par\let\par\internallinenumberpar\fi
+ \ifx\@par\linenumberpar\let\@par\internallinenumberpar\fi
+ \ifx\par\linenumberpar\let\par\internallinenumberpar\fi
+ \@ifnextchar[{\resetlinenumber}%]
+ {\@ifstar{\let\c@linenumber\c@internallinenumber
+ \c@linenumber\@ne}{}}%
+ }
+
+\let\endinternallinenumbers\endlinenumbers
+\@namedef{internallinenumbers*}{\internallinenumbers*}
+\expandafter\let\csname endinternallinenumbers*\endcsname\endlinenumbers
+
+\newcount\c@internallinenumber
+\newcount\c@internallinenumbers
+
+\def\internallinenumberpar{\ifvmode\@@@par\else\ifinner\@@@par\else\@@@par
+ \begingroup
+ \c@internallinenumbers\prevgraf
+ \setbox\@tempboxa\hbox{\vbox{\makeinternalLinenumbers}}%
+ \dp\@tempboxa\prevdepth
+ \ht\@tempboxa\z@
+ \nobreak\vskip-\prevdepth
+ \nointerlineskip\box\@tempboxa
+ \endgroup
+ \fi\fi
+ }
+
+\def\makeinternalLinenumbers{\ifnum\c@internallinenumbers>0\relax
+ \hbox to\z@{\makeLineNumber}\global\advance\c@linenumber\@ne
+ \advance\c@internallinenumbers\m@ne
+ \expandafter\makeinternalLinenumbers\fi
+ }
+
+% \subsubsection{
+% Line number references with offset
+% }
+%
+% This extension defines macros to refer to line
+% numbers with an offset, e.g., to refer to a line
+% which cannot be labeled directly (display math).
+% This was formerly knows as ~rlineno.sty~.
+%
+% To refer to a pagewise line number with offset:
+% \begin{quote}
+% ~\linerefp[~<OFFSET>~]{~<LABEL>~}~
+% \end{quote}
+% To refer to a running line number with offset:
+% \begin{quote}
+% ~\linerefr[~<OFFSET>~]{~<LABEL>~}~
+% \end{quote}
+% To refer to a line number labeled in the same mode as currently
+% selected:
+% \begin{quote}
+% ~\lineref[~<OFFSET>~]{~<LABEL>~}~
+% \end{quote}
+
+\newcommand\lineref{%
+ \ifx\c@linenumner\c@runninglinenumner
+ \expandafter\linerefr
+ \else
+ \expandafter\linerefp
+ \fi
+}
+
+\newcommand\linerefp[2][\z@]{{%
+ \let\@thelinenumber\thelinenumber
+ \edef\thelinenumber{\advance\c@linenumber#1\relax\noexpand\@thelinenumber}%
+ \ref{#2}%
+}}
+
+% This goes deep into \LaTeX s internals.
+
+\newcommand\linerefr[2][\z@]{{%
+ \def\@@linerefadd{\advance\c@linenumber#1}%
+ \expandafter\@setref\csname r@#2\endcsname
+ \@linerefadd{#2}%
+}}
+
+\newcommand\@linerefadd[2]{\c@linenumber=#1\@@linerefadd\relax
+ \thelinenumber}
+
+% \subsubsection{
+% Numbered quotation environments
+% }
+%
+% The ~{numquote}~ and ~{numquotation}~
+% environments are like ~{quote}~ and
+% ~{quotation}~, except there will be line
+% numbers.
+%
+% An optional argument gives the number to count
+% from. A star ~*~ (inside or outside the closing
+% ~}~) prevent the reset of the line numbers.
+% Default is to count from one.
+
+\newcommand\quotelinenumbers
+ {\@ifstar\linenumbers{\@ifnextchar[\linenumbers{\linenumbers*}}}
+
+\newdimen\quotelinenumbersep
+\quotelinenumbersep=\linenumbersep
+\let\quotelinenumberfont\linenumberfont
+
+\newcommand\numquotelist
+ {\leftlinenumbers
+ \linenumbersep\quotelinenumbersep
+ \let\linenumberfont\quotelinenumberfont
+ \addtolength{\linenumbersep}{-\@totalleftmargin}%
+ \quotelinenumbers
+ }
+
+\newenvironment{numquote} {\quote\numquotelist}{\endquote}
+\newenvironment{numquotation} {\quotation\numquotelist}{\endquotation}
+\newenvironment{numquote*} {\quote\numquotelist*}{\endquote}
+\newenvironment{numquotation*}{\quotation\numquotelist*}{\endquotation}
+
+% \subsubsection{
+% Frame around a paragraph
+% }
+%
+% The ~{bframe}~ environment draws a frame around
+% some text, across page breaks, if necessary.
+%
+% This works only for plain text paragraphs,
+% without special height lines. All lines must be
+% ~\baselineskip~ apart, no display math.
+
+\newenvironment{bframe}
+ {\par
+ \@tempdima\textwidth
+ \advance\@tempdima 2\bframesep
+ \setbox\bframebox\hbox to\textwidth{%
+ \hskip-\bframesep
+ \vrule\@width\bframerule\@height\baselineskip\@depth\bframesep
+ \advance\@tempdima-2\bframerule
+ \hskip\@tempdima
+ \vrule\@width\bframerule\@height\baselineskip\@depth\bframesep
+ \hskip-\bframesep
+ }%
+ \hbox{\hskip-\bframesep
+ \vrule\@width\@tempdima\@height\bframerule\@depth\z@}%
+ \nointerlineskip
+ \copy\bframebox
+ \nobreak
+ \kern-\baselineskip
+ \runninglinenumbers
+ \def\makeLineNumber{\copy\bframebox\hss}%
+ }
+ {\par
+ \kern-\prevdepth
+ \kern\bframesep
+ \nointerlineskip
+ \@tempdima\textwidth
+ \advance\@tempdima 2\bframesep
+ \hbox{\hskip-\bframesep
+ \vrule\@width\@tempdima\@height\bframerule\@depth\z@}%
+ }
+
+\newdimen\bframerule
+\bframerule=\fboxrule
+
+\newdimen\bframesep
+\bframesep=\fboxsep
+
+\newbox\bframebox
+
+% \section{
+% The final touch
+% }
+% There is one deadcycle for each line number.
+
+\advance\maxdeadcycles 100
+
+\endinput
+
+% \section{
+% The user commands
+% }
+% The user command to turn on and off line numbering
+% are
+% \begin{description}\item
+% [|\linenumbers] \ \par
+% Turn on line numbering in the current mode.
+% \item
+% [|\linenumbers*] \ \par$\qquad$
+% and reset the line number to 1.
+% \def\NL{<number>]}\item
+% [|\linenumbers[\NL] \ \par$\qquad$
+% and start with <number>.
+% \item
+% [|\nolinenumbers] \ \par
+% Turn off line numbering.
+% \item
+% [|\runninglinenumbers*[\NL] \ \par
+% Turn on ~running~ line numbers, with the same optional
+% arguments as ~\linenumbers~. The numbers are running
+% through the text over pagebreaks. When you turn
+% numbering off and on again, the numbers will continue,
+% except, of cause, if you ask to reset or preset the
+% counter.
+% \item
+% [|\pagewiselinenumbers] \ \par
+% Turn on ~pagewise~ line numbers. The lines on each
+% page are numbered beginning with one at the first
+% ~pagewise~ numbered line.
+% \item
+% [|\resetlinenumber[\NL] \ \par
+% Reset ~[~Set~]~ the line number to 1
+% ~[~<number>~]~.
+% \item
+% [|\setrunninglinenumbers] \ \par
+% Switch to ~running~ line number mode. Do \emph{not}
+% turn it on or off.
+% \item
+% [|\setpagewiselinenumbers] \ \par
+% Switch to ~pagewise~ line number mode. Do \emph{not}
+% turn it on or off.
+% \item
+% [|\switchlinenumbers*] \ \par
+% Causes margin switching in pagewise modes. With the
+% star, put the line numbers on the inner margin.
+% \item
+% [|\leftlinenumbers*] \ \par
+% \item
+% [|\rightlinenumbers*] \ \par
+% Set the line numbers in the left/right margin. With the
+% star this works for both modes of operation, without
+% the star only for the currently selected mode.
+% \item
+% [|\runningpagewiselinenumbers] \ \par
+% When using the pagewise line number mode, do not
+% subtract the page offset. This results in running
+% line numbers again, but with the possibility to switch
+% margins. Be careful when doing line number
+% referencing, this mode status must be the same while
+% setting the paragraph and during references.
+% \item
+% [|\realpagewiselinenumbers] \ \par
+% Reverses the effect of ~\runningpagewiselinenumbers~.
+% \item
+% [|\modulolinenumbers[\NL] \ \par
+% Give a number only to lines which are multiples of
+% ~[~<number>~]~. If <number> is not specified, the
+% current value in the counter ~linenumbermodulo~ is
+% retained. <number>=1 turns this off without changing
+% ~linenumbermodulo~. The counter is initialized to 5.
+% \item
+% [|\linenumberdisplaymath] \ \par
+% Number the lines of a display math in a ~{linenomath}~
+% environment, but do not in a ~{linenomath*}~
+% environment. This is used by the package option
+% ~[mathlines]~.
+% \item
+% [|\nolinenumberdisplaymath] \ \par
+% Do not Number the lines of a display math in a
+% ~{linenomath}~ environment, but do in a
+% ~{linenomath*}~ environment. This is the default.
+% \item
+% [|\linelabel] \ \par
+% Set a ~\linelabel{~<foo>~}~ to the line number where
+% this commands is in. Refer to it with the \LaTeX\
+% referencing commands ~\ref{~<foo>~}~ and
+% ~\pageref{~<foo>~}~.
+% \end{description}
+% The commands can be used globally, locally within groups
+% or as environments. It is important to know that they
+% take action only when the ~\par~ is executed. The
+% ~\end{~<mode>~linenumbers}~ commands provide a ~\par~.
+% Examples:
+% \begin{verse}
+% ~{\linenumbers~ <text> ~\par}~ \\
+% \ \\
+% ~\begin{linenumbers}~ \\
+% <text> \\
+% ~\end{linenumbers}~ \\
+% \ \\
+% <paragraph> ~{\linenumbers\par}~ \\
+% \ \\
+% ~\linenumbers~ \\
+% <text> ~\par~ \\
+% ~\nolinenumbers~ \\
+% \ \\
+% ~\linenumbers~ \\
+% <paragraph> ~{\nolinenumbers\par}~ \\
+% \end{verse}
+%
+%
+% \subsection{
+% Customization hooks
+% }
+% There are several hooks to customize the appearance of the
+% line numbers, and some low level hooks for special
+% effects.
+% \begin{description}\item
+% [|\thelinenumber] \ \par
+% This macro should give the representation of the line
+% number in the \LaTeX-counter ~linenumber~. The
+% default is provided by \LaTeX: \par$\qquad$
+% ~\arabic{linenumber}~
+% \item
+% [|\makeLineNumberLeft] \ \par
+% This macro is used to attach a line number to the left
+% of the text page. This macro should fill an ~\hbox to 0pt~
+% which will be placed at the left margin of the
+% page, with the reference point aligned to the line to
+% which it should give a number. Please use the macro
+% ~\LineNumber~ to refer to the line number.
+%
+% The default definition is \par$\qquad$
+% ~\hss\linenumberfont\LineNumber\hskip\linenumbersep~
+% \item
+% [|\makeLineNumberRight] \ \par
+% Like ~\makeLineNumberLeft~, but for line numbers on
+% the right margin.
+%
+% The default definition is \par$\qquad$
+% ~\linenumberfont\hskip\linenumbersep\hskip\textwidth~ \par$\qquad$
+% ~\hbox to\linenumberwidth{\hss\LineNumber}\hss~
+% \item
+% [|\linenumberfont] \ \par
+% This macro is initialized to \par$\qquad$
+% ~\normalfont\tiny\sffamily~
+% \item
+% [|\linenumbersep] \ \par
+% This dimension register sets the separation of the
+% linenumber to the text. Default value is ~10pt~.
+% \item
+% [|\linenumberwidth] \ \par
+% This dimension register sets the width of the line
+% number box on the right margin. The distance of the
+% right edge of the text to the right edge of the line
+% number is ~\linenumbersep~ + ~\linenumberwidth~. The
+% default value is ~10pt~.
+% \item
+% [|\theLineNumber] (for wizards) \ \par
+% This macro is called for printing a ~\newlabel~ entry
+% to the aux-file. Its definition depends on the mode.
+% For running line numbers it's just ~\thelinenumber~,
+% while in pagewise mode, the page offset subtraction
+% is done in here.
+% \item
+% [|\makeLineNumber] (for wizards) \ \par
+% This macro produces the line numbers. The definition
+% depends on the mode. In the running line numbers
+% mode it just expands ~\makeLineNumberLeft~.
+% \item
+% [|\LineNumber] (for wizards) \ \par
+% This macro is called by ~\makeLineNumber~ to typeset
+% the line number. This hook is changed by the modulo
+% mechanism.
+% \end{description}
+% \end{document}%D
+------------------------------------------------------------------------------
+
+echo "expect errors for unknown commands 'iffalse' and 'fi'";# SHELL
+awk '/A[W]K/' lineno.sty | awk -f - lineno.sty >lineno.tex; # SHELL
+latex lineno; latex lineno; latex lineno; latex lineno; # SHELL
+
+awk '/DOC A [W] K/' lineno.sty | awk -f - lineno.sty >lineno.doc; # DOC SH
+
+BEGIN{DOC=-1; # AWK DOC A W K
+ BEGINCODE = "\\begin{code}\\begin{verbatim}"; # AWK
+ ENDCODE = "\\end{verbatim}\n\\end{code}"; } # AWK
+ BEGINCODE = "% \\begin{macrocode}"; # DOC A W K
+ ENDCODE = "% \\end{macrocode}"; } # DOC A W K
+/^[ \t]*$/ { ECNT++; next; } # AWK DOC A W K
+/\\documentclass/{ sub("article","ltxdoc") } # DOC A W K
+/%D$/ { sub("^%* *",""); sub("%D$",""); # DOC A W K
+ print > "lineno.drv"; next } # DOC A W K
+/^%%/ { next; } # AWK DOC A W K
+/^%/ { if (!DOC) { print ENDCODE; } # AWK DOC A W K
+ DOC=1; ECNT=0; # AWK DOC A W K
+ sub("^% *",""); # AWK
+ sub("^% *","% "); # DOC A W K
+ print; next; } # AWK DOC A W K
+DOC<0 { next } # AWK DOC A W K
+/^-+-$/ { if (!DOC) print ENDCODE; exit } # AWK DOC A W K
+{ if (DOC) { ECNT=DOC=0; print BEGINCODE; } # AWK DOC A W K
+ while (ECNT>0) { print " "; ECNT--; } # AWK DOC A W K
+ print $0; } # AWK DOC A W K
+
diff --git a/2004/netfilter-failover-ols2004/OLS2004-proceedings/TEMPLATES/mpss-commands.tex b/2004/netfilter-failover-ols2004/OLS2004-proceedings/TEMPLATES/mpss-commands.tex
new file mode 100644
index 0000000..11faa2f
--- /dev/null
+++ b/2004/netfilter-failover-ols2004/OLS2004-proceedings/TEMPLATES/mpss-commands.tex
@@ -0,0 +1,70 @@
+
+\providecommand{\struct}[1]{\texttt{#1}}
+\providecommand{\func}[1]{\texttt{#1}}
+\providecommand{\var}[1]{\texttt{#1}}
+\providecommand{\property}[1]{\texttt{#1}}
+\providecommand{\syscall}[1]{\textbf{\texttt{#1}}}
+
+% Usage: \graphfigure[placement]{graphicx options}{filename}{label}{caption}
+% The \leavevmode is magical
+\providecommand{\graphfigure}[5][{hbt}]{\begin{figure}[#1]%
+ \leavevmode%
+ \begin{center}%
+ \includegraphics[#2]{#3}%
+ \end{center}%
+ \caption{#5}%
+ \label{fig:#4}%
+ \end{figure}}
+
+% The \graphfigurespan command spans 2 columns
+\providecommand{\graphfigurespan}[5][{hbt}]{\begin{figure*}[#1]%
+ \leavevmode%
+ \begin{center}%
+ \includegraphics[#2]{#3}%
+ \end{center}%
+ \caption{#5}%
+ \label{fig:#4}%
+ \end{figure*}}
+
+% The \twographfigurespan contains 2 graphs and spans 2 columns
+\providecommand{\twographfigurespan}[6][{hbt}]{\begin{figure*}[#1]%
+ \leavevmode%
+ \hbox{
+ \includegraphics[#2]{#3}%
+ \hspace{1.5cm}%
+ \includegraphics[#2]{#4}%
+ }%
+ \caption{#6}%
+ \label{fig:#5}%
+ \end{figure*}}
+
+\renewcommand{\struct}[1]{\texttt{#1}}
+\renewcommand{\func}[1]{\texttt{#1}}
+\renewcommand{\var}[1]{\texttt{#1}}
+\renewcommand{\property}[1]{\texttt{#1}}
+\renewcommand{\syscall}[1]{\textbf{\texttt{#1}}}
+
+% Usage: \graphfigure[placement]{graphicx options}{filename}{label}{caption}
+% The \leavevmode is magical
+\renewcommand{\graphfigure}[5][{hbt}]{\begin{figure}[#1]%
+ \leavevmode%
+ \begin{center}%
+ \includegraphics[#2]{#3}%
+ \end{center}%
+ \caption{#5}%
+ \label{fig:#4}%
+ \end{figure}}
+
+% The \graphfigurespan command spans 2 columns
+\renewcommand{\graphfigurespan}[5][{hbt}]{\begin{figure*}[#1]%
+ \leavevmode%
+ \begin{center}%
+ \includegraphics[#2]{#3}%
+ \end{center}%
+ \caption{#5}%
+ \label{fig:#4}%
+ \end{figure*}}
+
+% The \twographfigurespan contains 2 graphs and spans 2 columns
+\renewcommand{\twographfigurespan}[6][{hbt}]{\begin{figure*}[#1]\leavevmode\hbox{\includegraphics[#2]{#3}\hspace{1.5cm}\includegraphics[#2]{#4}}\caption{#6}\label{fig:#5}\end{figure*}}
+
diff --git a/2004/netfilter-failover-ols2004/OLS2004-proceedings/TEMPLATES/ols-fonts.tex b/2004/netfilter-failover-ols2004/OLS2004-proceedings/TEMPLATES/ols-fonts.tex
new file mode 100644
index 0000000..f205e02
--- /dev/null
+++ b/2004/netfilter-failover-ols2004/OLS2004-proceedings/TEMPLATES/ols-fonts.tex
@@ -0,0 +1,25 @@
+
+\usepackage{alltt}
+
+\usepackage[T1]{fontenc}
+\usepackage[latin1]{inputenc}
+\usepackage{isolatin1}
+\usepackage{latexsym}
+\usepackage{textcomp}
+\usepackage{times}
+\usepackage{url}
+\usepackage[T1,obeyspaces]{zrl}
+
+% "verbatim" with line breaks, obeying spaces
+\providecommand\code{\begingroup \xrlstyle{tt}\Xrl}
+% as above, but okay to break lines at spaces
+\providecommand\brcode{\begingroup \zrlstyle{tt}\Zrl}
+
+% Same as the pair above, but 'l' for long == small type
+\providecommand\lcode{\begingroup \small\xrlstyle{tt}\Xrl}
+\providecommand\lbrcode{\begingroup \small\zrlstyle{tt}\Zrl}
+
+% For identifiers - "verbatim" with line breaks at punctuation
+\providecommand\ident{\begingroup \urlstyle{tt}\Url}
+\providecommand\lident{\begingroup \small\urlstyle{tt}\Url}
+
diff --git a/2004/netfilter-failover-ols2004/OLS2004-proceedings/TEMPLATES/ols.sty b/2004/netfilter-failover-ols2004/OLS2004-proceedings/TEMPLATES/ols.sty
new file mode 100644
index 0000000..8859da3
--- /dev/null
+++ b/2004/netfilter-failover-ols2004/OLS2004-proceedings/TEMPLATES/ols.sty
@@ -0,0 +1,84 @@
+
+% TEMPLATE for Usenix papers, specifically to meet requirements of
+% TCL97 committee.
+% originally a template for producing IEEE-format articles using LaTeX.
+% written by Matthew Ward, CS Department, Worcester Polytechnic Institute.
+% adapted by David Beazley for his excellent SWIG paper in Proceedings,
+% Tcl 96
+% turned into a smartass generic template by De Clarke, with thanks to
+% both the above pioneers
+% use at your own risk. Complaints to /dev/null.
+% make it two column with no page numbering, default is 10 point
+
+% adapted for Ottawa Linux Symposium
+
+% include following in document.
+%\documentclass[twocolumn]{article}
+%\usepackage{usits,epsfig}
+\pagestyle{empty}
+
+%set dimensions of columns, gap between columns, and space between paragraphs
+%\setlength{\textheight}{8.75in}
+\setlength{\textheight}{9.0in}
+\setlength{\columnsep}{0.25in}
+\setlength{\textwidth}{6.45in}
+\setlength{\footskip}{0.0in}
+\setlength{\topmargin}{0.0in}
+\setlength{\headheight}{0.0in}
+\setlength{\headsep}{0.0in}
+\setlength{\oddsidemargin}{0in}
+%\setlength{\oddsidemargin}{-.065in}
+%\setlength{\oddsidemargin}{-.17in}
+\setlength{\parindent}{0pc}
+% \setlength{\parskip}{\baselineskip}
+\setlength{\parskip}{12pt plus3pt minus3pt}
+
+% started out with art10.sty and modified params to conform to IEEE format
+% further mods to conform to Usenix standard
+
+\makeatletter
+%as Latex considers descenders in its calculation of interline spacing,
+%to get 12 point spacing for normalsize text, must set it to 10 points
+\def\@normalsize{\@setsize\normalsize{12pt}\xpt\@xpt
+\abovedisplayskip 10pt plus2pt minus5pt\belowdisplayskip \abovedisplayskip
+\abovedisplayshortskip \z@ plus3pt\belowdisplayshortskip 6pt plus3pt
+minus3pt\let\@listi\@listI}
+
+%need a 12 pt font size for subsection and abstract headings
+\def\subsize{\@setsize\subsize{12pt}\xipt\@xipt}
+
+%make section titles bold and 12 point, 2 blank lines before, 1 after
+\def\section{\@startsection {section}{1}{\z@}{24pt plus 2pt minus 2pt}
+{12pt plus 2pt minus 2pt}{\large\bf}}
+
+%make subsection titles bold and 11 point, 1 blank line before, 1 after
+\def\subsection{\@startsection {subsection}{2}{\z@}{12pt plus 2pt minus 2pt}
+{12pt plus 2pt minus 2pt}{\subsize\bf}}
+\makeatother
+
+% \let\fx=\footnoterule
+% \usepackage{ftnright}
+% \def\footnoterule{\fx}
+
+
+% set up an if so writers can tell if the whole proceedings are
+% being processed together
+\newif\ifols
+\ifx\olsmaster\undefined
+\olsfalse
+\else
+\olsmaster=1
+\olstrue
+\fi
+
+% set up an if so writers (and the proceedings) can tell if
+% latex or pdflatex is being used, and include the proper
+% packages as a result...
+\newif\ifpdf
+\ifx\pdfoutput\undefined
+\pdffalse
+\else
+\pdfoutput=1
+\pdftrue
+\fi
+
diff --git a/2004/netfilter-failover-ols2004/OLS2004-proceedings/TEMPLATES/twocolumn.sty b/2004/netfilter-failover-ols2004/OLS2004-proceedings/TEMPLATES/twocolumn.sty
new file mode 100644
index 0000000..9ece2d5
--- /dev/null
+++ b/2004/netfilter-failover-ols2004/OLS2004-proceedings/TEMPLATES/twocolumn.sty
@@ -0,0 +1,13 @@
+% twocolumn.sty 27 Jan 85
+\twocolumn
+\sloppy
+\flushbottom
+\parindent 1em
+\leftmargini 2em
+\leftmarginv .5em
+\leftmarginvi .5em
+\oddsidemargin 30pt
+\evensidemargin 30pt
+\marginparwidth 48pt
+\marginparsep 10pt
+\textwidth 410pt
diff --git a/2004/netfilter-failover-ols2004/OLS2004-proceedings/TEMPLATES/usenix.sty b/2004/netfilter-failover-ols2004/OLS2004-proceedings/TEMPLATES/usenix.sty
new file mode 100644
index 0000000..ed79714
--- /dev/null
+++ b/2004/netfilter-failover-ols2004/OLS2004-proceedings/TEMPLATES/usenix.sty
@@ -0,0 +1,55 @@
+
+% TEMPLATE for Usenix papers, specifically to meet requirements of
+% TCL97 committee.
+% originally a template for producing IEEE-format articles using LaTeX.
+% written by Matthew Ward, CS Department, Worcester Polytechnic Institute.
+% adapted by David Beazley for his excellent SWIG paper in Proceedings,
+% Tcl 96
+% turned into a smartass generic template by De Clarke, with thanks to
+% both the above pioneers
+% use at your own risk. Complaints to /dev/null.
+% make it two column with no page numbering, default is 10 point
+
+% include following in document.
+%\documentclass{article}
+%\usepackage{usits,epsfig,twocolumn}
+\pagestyle{empty}
+
+%set dimensions of columns, gap between columns, and space between paragraphs
+%\setlength{\textheight}{8.75in}
+\setlength{\textheight}{9.0in}
+\setlength{\columnsep}{0.25in}
+\setlength{\textwidth}{6.45in}
+\setlength{\footskip}{0.0in}
+\setlength{\topmargin}{0.0in}
+\setlength{\headheight}{0.0in}
+\setlength{\headsep}{0.0in}
+\setlength{\oddsidemargin}{0in}
+%\setlength{\oddsidemargin}{-.065in}
+%\setlength{\oddsidemargin}{-.17in}
+\setlength{\parindent}{0pc}
+%\setlength{\parskip}{\baselineskip}
+\setlength{\parskip}{10pt}
+
+% started out with art10.sty and modified params to conform to IEEE format
+% further mods to conform to Usenix standard
+
+\makeatletter
+%as Latex considers descenders in its calculation of interline spacing,
+%to get 12 point spacing for normalsize text, must set it to 10 points
+\def\@normalsize{\@setsize\normalsize{12pt}\xpt\@xpt
+\abovedisplayskip 10pt plus2pt minus5pt\belowdisplayskip \abovedisplayskip
+\abovedisplayshortskip \z@ plus3pt\belowdisplayshortskip 6pt plus3pt
+minus3pt\let\@listi\@listI}
+
+%need a 12 pt font size for subsection and abstract headings
+\def\subsize{\@setsize\subsize{12pt}\xipt\@xipt}
+
+%make section titles bold and 12 point, 1 blank lines before, 1 after
+\def\section{\@startsection {section}{1}{\z@}{10pt plus 2pt minus 2pt}
+{10pt plus 2pt minus 2pt}{\large\bf}}
+
+%make subsection titles bold and 11 point, 1 blank line before, 1 after
+\def\subsection{\@startsection {subsection}{2}{\z@}{8pt plus 2pt minus 2pt}
+{8pt plus 2pt minus 2pt}{\subsize\bf}}
+\makeatother
diff --git a/2004/netfilter-failover-ols2004/OLS2004-proceedings/TEMPLATES/zrl.sty b/2004/netfilter-failover-ols2004/OLS2004-proceedings/TEMPLATES/zrl.sty
new file mode 100644
index 0000000..fb97b03
--- /dev/null
+++ b/2004/netfilter-failover-ols2004/OLS2004-proceedings/TEMPLATES/zrl.sty
@@ -0,0 +1,432 @@
+
+%%%%% This file is a kludge until such time as I learn to do it elegantly. Sorry.
+%% url - external. Intended for items which do not contain spaces, and
+%% containing global options for obeying & breaking at spaces. But
+%% we need to do change those things on the fly, so we're making a copy
+%% of url.sty and defining two extra groups, zrl and xrl, that
+%% permit handling these options on the fly.
+
+%% Thus you can mix url without obeyspaces and/or spaces with the following:
+%% zrl - url with obeyspaces,spaces turned on
+%% xrl - url with obeyspaces turned on
+
+% zrl.sty ver 1.4 02-Mar-1999 Donald Arseneau asnd@triumf.ca
+% Copyright 1996-1999 Donald Arseneau, Vancouver, Canada.
+% This program can be used, distributed, and modified under the terms
+% of the LaTeX Project Public License.
+%
+% A form of \verb that allows linebreaks at certain characters or
+% combinations of characters, accepts reconfiguration, and can usually
+% be used in the argument to another command. It is intended for email
+% addresses, hypertext links, directories/paths, etc., which normally
+% have no spaces. The font may be selected using the \zrlstyle command,
+% and new zrl-like commands can be defined using \zrldef.
+%
+% Usage: Conditions:
+% \zrl{ } If the argument contains any "%", "#", or "^^", or ends with
+% "\", it can't be used in the argument to another command.
+% The argument must not contain unbalanced braces.
+% \zrl| | ...where "|" is any character not used in the argument and not
+% "{" or a space. The same restrictions as above except that the
+% argument may contain unbalanced braces.
+% \xyz for "\xyz" a defined-zrl; this can be used anywhere, no matter
+% what characters it contains.
+%
+% See further instructions after "\endinput"
+%
+\def\Zrl@ttdo{% style assignments for tt fonts or T1 encoding
+\def\ZrlBreaks{\do\.\do\@\do\\\do\/\do\!\do\_\do\|\do\%\do\;\do\>\do\]%
+ \do\)\do\,\do\?\do\'\do\+\do\=}%
+\def\ZrlBigBreaks{\do\:\do@zrl@hyp}%
+\def\ZrlNoBreaks{\do\(\do\[\do\{\do\<}% (unnecessary)
+\def\ZrlSpecials{\do\ {\ }}%
+\def\ZrlOrds{\do\*\do\-\do\~}% any ordinary characters that aren't usually
+}
+
+\def\Xrl@ttdo{% style assignments for tt fonts or T1 encoding
+\def\XrlBreaks{\do\.\do\@\do\\\do\/\do\!\do\_\do\|\do\%\do\;\do\>\do\]%
+ \do\)\do\,\do\?\do\'\do\+\do\=}%
+\def\XrlBigBreaks{\do\:\do@xrl@hyp}%
+\def\XrlNoBreaks{\do\(\do\[\do\{\do\<}% (unnecessary)
+\def\XrlSpecials{\do\ {\ }}%
+\def\XrlOrds{\do\*\do\-\do\~}% any ordinary characters that aren't usually
+}
+
+\def\Zrl@do{% style assignments for OT1 fonts except tt
+\def\ZrlBreaks{\do\.\do\@\do\/\do\!\do\%\do\;\do\]\do\)\do\,\do\?\do\+\do\=}%
+\def\ZrlBigBreaks{\do\:\do@zrl@hyp}%
+\def\ZrlNoBreaks{\do\(\do\[\do\{}% prevents breaks after *next* character
+\def\ZrlSpecials{\do\<{\langle}\do\>{\mathbin{\rangle}}\do\_{\_%
+ \penalty\@m}\do\|{\mid}\do\{{\lbrace}\do\}{\mathbin{\rbrace}}\do
+ \\{\mathbin{\backslash}}\do\~{\raise.6ex\hbox{\m@th$\scriptstyle\sim$}}\do
+ \ {\ }}%
+\def\ZrlOrds{\do\'\do\"\do\-}%
+}
+\def\Xrl@do{% style assignments for OT1 fonts except tt
+\def\XrlBreaks{\do\.\do\@\do\/\do\!\do\%\do\;\do\]\do\)\do\,\do\?\do\+\do\=}%
+\def\XrlBigBreaks{\do\:\do@xrl@hyp}%
+\def\XrlNoBreaks{\do\(\do\[\do\{}% prevents breaks after *next* character
+\def\XrlSpecials{\do\<{\langle}\do\>{\mathbin{\rangle}}\do\_{\_%
+ \penalty\@m}\do\|{\mid}\do\{{\lbrace}\do\}{\mathbin{\rbrace}}\do
+ \\{\mathbin{\backslash}}\do\~{\raise.6ex\hbox{\m@th$\scriptstyle\sim$}}\do
+ \ {\ }}%
+\def\XrlOrds{\do\'\do\"\do\-}%
+}
+
+
+\def\zrl@ttstyle{%
+\@ifundefined{selectfont}{\def\ZrlFont{\tt}}{\def\ZrlFont{\ttfamily}}\Zrl@ttdo
+}
+\def\xrl@ttstyle{%
+\@ifundefined{selectfont}{\def\XrlFont{\tt}}{\def\XrlFont{\ttfamily}}\Xrl@ttdo
+}
+
+
+\def\zrl@rmstyle{%
+\@ifundefined{selectfont}{\def\ZrlFont{\rm}}{\def\ZrlFont{\rmfamily}}\Zrl@do
+}
+\def\xrl@rmstyle{%
+\@ifundefined{selectfont}{\def\XrlFont{\rm}}{\def\XrlFont{\rmfamily}}\Xrl@do
+}
+
+
+\def\zrl@sfstyle{%
+\@ifundefined{selectfont}{\def\ZrlFont{\sf}}{\def\ZrlFont{\sffamily}}\Zrl@do
+}
+\def\xrl@sfstyle{%
+\@ifundefined{selectfont}{\def\XrlFont{\sf}}{\def\XrlFont{\sffamily}}\Xrl@do
+}
+
+
+\def\zrl@samestyle{\ifdim\fontdimen\thr@@\font=\z@ \zrl@ttstyle \else
+ \zrl@rmstyle \fi \def\ZrlFont{}}
+\def\xrl@samestyle{\ifdim\fontdimen\thr@@\font=\z@ \xrl@ttstyle \else
+ \xrl@rmstyle \fi \def\XrlFont{}}
+
+\@ifundefined{strip@prefix}{\def\strip@prefix#1>{}}{}
+\@ifundefined{verbatim@nolig@list}{\def\verbatim@nolig@list{\do\`}}{}
+
+\def\Zrl{%
+ \begingroup \let\zrl@moving\relax\relax \endgroup
+ \ifmmode\@nomatherr$\fi
+ \ZrlFont $\fam\z@ \textfont\z@\font
+ \let\do\@makeother \dospecials % verbatim catcodes
+ \catcode`{\@ne \catcode`}\tw@ \catcode`\ 10 % except braces and spaces
+ \medmuskip0mu \thickmuskip\medmuskip \thinmuskip\medmuskip
+ \@tempcnta\fam\multiply\@tempcnta\@cclvi
+ \let\do\set@mathcode \ZrlOrds % ordinary characters that were special
+ \advance\@tempcnta 8192 \ZrlBreaks % bin
+ \advance\@tempcnta 4096 \ZrlBigBreaks % rel
+ \advance\@tempcnta 4096 \ZrlNoBreaks % open
+ \let\do\set@mathact \ZrlSpecials % active
+ \let\do\set@mathnolig \verbatim@nolig@list % prevent ligatures
+ \@ifnextchar\bgroup\Zrl@z\Zrl@y}
+
+\def\Zrl@y#1{\catcode`{11 \catcode`}11
+ \def\@tempa##1#1{\Zrl@z{##1}}\@tempa}
+\def\Zrl@z#1{\def\@tempa{#1}\expandafter\expandafter\expandafter\Zrl@Hook
+ \expandafter\strip@prefix\meaning\@tempa\ZrlRight\m@th$\endgroup}
+\def\Zrl@Hook{\ZrlLeft}
+\let\ZrlRight\@empty
+\let\ZrlLeft\@empty
+
+\def\Xrl{%
+ \begingroup \let\xrl@moving\relax\relax \endgroup
+ \ifmmode\@nomatherr$\fi
+ \XrlFont $\fam\z@ \textfont\z@\font
+ \let\do\@makeother \dospecials % verbatim catcodes
+ \catcode`{\@ne \catcode`}\tw@ \catcode`\ 10 % except braces and spaces
+ \medmuskip0mu \thickmuskip\medmuskip \thinmuskip\medmuskip
+ \@tempcnta\fam\multiply\@tempcnta\@cclvi
+ \let\do\set@mathcode \XrlOrds % ordinary characters that were special
+ \advance\@tempcnta 8192 \XrlBreaks % bin
+ \advance\@tempcnta 4096 \XrlBigBreaks % rel
+ \advance\@tempcnta 4096 \XrlNoBreaks % open
+ \let\do\set@mathact \XrlSpecials % active
+ \let\do\set@mathnolig \verbatim@nolig@list % prevent ligatures
+ \@ifnextchar\bgroup\Xrl@z\Xrl@y}
+
+\def\Xrl@y#1{\catcode`{11 \catcode`}11
+ \def\@tempa##1#1{\Xrl@z{##1}}\@tempa}
+\def\Xrl@z#1{\def\@tempa{#1}\expandafter\expandafter\expandafter\Xrl@Hook
+ \expandafter\strip@prefix\meaning\@tempa\XrlRight\m@th$\endgroup}
+\def\Xrl@Hook{\XrlLeft}
+\let\XrlRight\@empty
+\let\XrlLeft\@empty
+
+
+\def\set@mathcode#1{\count@`#1\advance\count@\@tempcnta\mathcode`#1\count@}
+\def\set@mathact#1#2{\mathcode`#132768 \lccode`\~`#1\lowercase{\def~{#2}}}
+\def\set@mathnolig#1{\ifnum\mathcode`#1<32768
+ \lccode`\~`#1\lowercase{\edef~{\mathchar\number\mathcode`#1_{\/}}}%
+ \mathcode`#132768 \fi}
+
+\def\zrldef#1#2{\begingroup \setbox\z@\hbox\bgroup
+ \def\Zrl@z{\Zrl@def{#1}{#2}}#2}
+\expandafter\ifx\csname DeclareRobustCommand\endcsname\relax
+ \def\Zrl@def#1#2#3{\m@th$\endgroup\egroup\endgroup
+ \def#1{#2{#3}}}
+\else
+ \def\Zrl@def#1#2#3{\m@th$\endgroup\egroup\endgroup
+ \DeclareRobustCommand{#1}{#2{#3}}}
+\fi
+
+\def\xrldef#1#2{\begingroup \setbox\z@\hbox\bgroup
+ \def\Xrl@z{\Xrl@def{#1}{#2}}#2}
+\expandafter\ifx\csname DeclareRobustCommand\endcsname\relax
+ \def\Xrl@def#1#2#3{\m@th$\endgroup\egroup\endgroup
+ \def#1{#2{#3}}}
+\else
+ \def\Xrl@def#1#2#3{\m@th$\endgroup\egroup\endgroup
+ \DeclareRobustCommand{#1}{#2{#3}}}
+\fi
+
+\def\zrlstyle#1{\csname zrl@#1style\endcsname}
+\def\xrlstyle#1{\csname xrl@#1style\endcsname}
+
+% Sample (and default) configuration:
+%
+\newcommand\zrl{\begingroup \Zrl}
+\newcommand\xrl{\begingroup \Xrl}
+%
+% picTeX defines \path, so declare it optionally:
+\@ifundefined{path}{\newcommand\path{\begingroup \zrlstyle{tt}\Zrl}}{}
+\@ifundefined{path}{\newcommand\path{\begingroup \xrlstyle{tt}\Xrl}}{}
+%
+% too many styles define \email like \address, so I will not define it.
+% \newcommand\email{\begingroup \zrlstyle{rm}\Zrl}
+
+% Process LaTeX \package options
+%
+\zrlstyle{tt}
+%\let\Zrl@sppen\@M
+\def\do@zrl@hyp{}% by default, no breaks after hyphens
+%%%%%
+\let\Zrl@sppen\relpenalty
+\let\Zrl@Hook\relax
+\xrlstyle{tt}
+\let\Xrl@sppen\@M
+\def\do@xrl@hyp{}% by default, no breaks after hyphens
+\let\Xrl@Hook\relax
+%%%%%
+\@ifundefined{ProvidesPackage}{}{
+ \ProvidesPackage{zrl}[1999/03/02 \space ver 1.4 \space
+ Verb mode for zrls, email addresses, and file names]
+ \DeclareOption{hyphens}{\def\do@zrl@hyp{\do\-}\def\do@xrl@hyp{\do\-}}% allow breaks after hyphens
+ \DeclareOption{obeyspaces}{\let\Zrl@Hook\relax\let\Xrl@Hook\relax}% a flag for later
+ \DeclareOption{spaces}{\let\Zrl@sppen\relpenalty}
+ \DeclareOption{T1}{\let\Zrl@do\Zrl@ttdo\let\Xrl@do\Xrl@ttdo}
+ \ProcessOptions
+\ifx\Zrl@Hook\relax % [obeyspaces] was declared
+ \def\Zrl@Hook#1\ZrlRight\m@th{\edef\@tempa{\noexpand\ZrlLeft
+ \Zrl@retain#1\Zrl@nosp\, }\@tempa\ZrlRight\m@th}
+ \def\Zrl@retain#1 {#1\penalty\Zrl@sppen\ \Zrl@retain}
+ \def\Zrl@nosp\,#1\Zrl@retain{}
+\fi
+\ifx\Xrl@Hook\relax % [obeyspaces] was declared
+ \def\Xrl@Hook#1\XrlRight\m@th{\edef\@tempa{\noexpand\XrlLeft
+ \Xrl@retain#1\Xrl@nosp\, }\@tempa\XrlRight\m@th}
+ \def\Xrl@retain#1 {#1\penalty\Xrl@sppen\ \Xrl@retain}
+ \def\Xrl@nosp\,#1\Xrl@retain{}
+\fi
+}
+
+\edef\zrl@moving{\csname Zrl Error\endcsname}
+\expandafter\edef\zrl@moving
+ {\csname zrl used in a moving argument.\endcsname}
+\expandafter\expandafter\expandafter \let \zrl@moving\undefined
+
+\edef\xrl@moving{\csname Xrl Error\endcsname}
+\expandafter\edef\xrl@moving
+ {\csname xrl used in a moving argument.\endcsname}
+\expandafter\expandafter\expandafter \let \xrl@moving\undefined
+
+\endinput
+%
+% zrl.sty ver 1.4 02-Mar-1999 Donald Arseneau asnd@reg.triumf.ca
+%
+% This package defines "\zrl", a form of "\verb" that allows linebreaks,
+% and can often be used in the argument to another command. It can be
+% configured to print in different formats, and is particularly useful for
+% hypertext links, email addresses, directories/paths, etc. The font may
+% be selected using the "\zrlstyle" command and pre-defined text can be
+% stored with the "\zrldef" command. New zrl-like commands can be defined,
+% and a "\path" command is provided this way.
+%
+% Usage: Conditions:
+% \zrl{ } If the argument contains any "%", "#", or "^^", or ends with
+% "\", it can't be used in the argument to another command.
+% The argument must not contain unbalanced braces.
+% \zrl| | ...where "|" is any character not used in the argument and not
+% "{" or a space. The same restrictions as above except that the
+% argument may contain unbalanced braces.
+% \xyz for "\xyz" a defined-zrl; this can be used anywhere, no matter
+% what characters it contains.
+%
+% The "\zrl" command is fragile, and its argument is likely to be very
+% fragile, but a defined-zrl is robust.
+%
+% Package Option: obeyspaces
+% Ordinarily, all spaces are ignored in the zrl-text. The "[obeyspaces]"
+% option allows spaces, but may introduce spurious spaces when a zrl
+% containing "\" characters is given in the argument to another command.
+% So if you need to obey spaces you can say "\usepackage[obeyspaces]{zrl}",
+% and if you need both spaces and backslashes, use a `defined-zrl' for
+% anything with "\".
+%
+% Package Option: hyphens
+% Ordinarily, breaks are not allowed after "-" characters because this
+% leads to confusion. (Is the "-" part of the address or just a hyphen?)
+% The package option "[hyphens]" allows breaks after explicit hyphen
+% characters. The "\zrl" command will *never ever* hyphenate words.
+%
+% Package Option: spaces
+% Likewise, breaks are not usually allowed after spaces under the
+% "[obeyspaces]" option, but giving the options "[obeyspaces,spaces]"
+% will allow breaks at those spaces.
+%
+% Package Option: T1
+% This signifies that you will be using T1-encoded fonts which contain
+% some characters missing from most older (OT1) encoded TeX fonts. This
+% changes the default definition for "\zrlstyle{rm}".
+%
+% Defining a defined-zrl:
+% Take for example the email address "myself%node@gateway.net" which could
+% not be given (using "\zrl" or "\verb") in a caption or parbox due to the
+% percent sign. This address can be predefined with
+% \zrldef{\myself}\zrl{myself%node@gateway.net} or
+% \zrldef{\myself}\zrl|myself%node@gateway.net|
+% and then you may use "\myself" instead of "\zrl{myself%node@gateway.net}"
+% in an argument, and even in a moving argument like a caption because a
+% defined-zrl is robust.
+%
+% Style:
+% You can switch the style of printing using "\zrlstyle{tt}", where "tt"
+% can be any defined style. The pre-defined styles are "tt", "rm", "sf",
+% and "same" which all allow the same linebreaks but different fonts --
+% the first three select a specific font and the "same" style uses the
+% current text font. You can define your own styles with different fonts
+% and/or line-breaking by following the explanations below. The "\zrl"
+% command follows whatever the currently-set style dictates.
+%
+% Alternate commands:
+% It may be desireable to have different things treated differently, each
+% in a predefined style; e.g., if you want directory paths to always be
+% in tt and email addresses to be rm, then you would define new zrl-like
+% commands as follows:
+%
+% \newcommand\email{\begingroup \zrlstyle{rm}\Zrl}
+% \newcommand\directory{\begingroup \zrlstyle{tt}\Zrl}
+%
+% You must follow this format closely, and NOTE that the final command is
+% "\Zrl", not "\zrl". In fact, the "\directory" example is exactly the
+% "\path" definition which is pre-defined in the package. If you look
+% above, you will see that "\zrl" is defined with
+% \newcommand\zrl{\begingroup \Zrl}
+% I.e., using whatever zrl-style has been selected.
+%
+% You can make a defined-zrl for these other styles, using the usual
+% "\zrldef" command as in this example:
+%
+% \zrldef{\myself}{\email}{myself%node.domain@gateway.net}
+%
+% which makes "\myself" act like "\email{myself%node.domain@gateway.net}",
+% if the "\email" command is defined as above. The "\myself" command
+% would then be robust.
+%
+% Defining styles:
+% Before describing how to customize the printing style, it is best to
+% mention something about the unusual implementation of "\zrl". Although
+% the material is textual in nature, and the font specification required
+% is a text-font command, the text is actually typeset in *math* mode.
+% This allows the context-sensitive linebreaking, but also accounts for
+% the default behavior of ignoring spaces. Now on to defining styles.
+%
+% To change the font or the list of characters that allow linebreaks, you
+% could redefine the commands "\ZrlFont", "\ZrlBreaks", "\ZrlSpecials" etc.
+% directly in the document, but it is better to define a new `zrl-style'
+% (following the example of "\zrl@ttstyle" and "\zrl@rmstyle") which defines
+% all of "\ZrlBigbreaks", "\ZrlNoBreaks", "\ZrlBreaks", "\ZrlSpecials", and
+% "\ZrlFont".
+%
+% Changing font:
+% The "\ZrlFont" command selects the font. The definition of "\ZrlFont"
+% done by the pre-defined styles varies to cope with a variety of LaTeX
+% font selection schemes, but it could be as simple as "\def\ZrlFont{\tt}".
+% Depending on the font selected, some characters may need to be defined
+% in the "\ZrlSpecials" list because many fonts don't contain all the
+% standard input characters.
+%
+% Changing linebreaks:
+% The list of characters that allow line-breaks is given by "\ZrlBreaks"
+% and "\ZrlBigBreaks", which have the format "\do\c" for character "c".
+% The differences are that `BigBreaks' have a lower penalty and have
+% different breakpoints when in sequence (as in "http://"): `BigBreaks'
+% are treated as mathrels while `Breaks' are mathbins (see The TeXbook,
+% p.170). In particular, a series of `BigBreak' characters will break at
+% the end and only at the end; a series of `Break' characters will break
+% after the first and after every following *pair*; there will be no
+% break after a `Break' character if a `BigBreak' follows. In the case
+% of "http://" it doesn't matter whether ":" is a `Break' or `BigBreak' --
+% the breaks are the same in either case; but for DECnet nodes with "::"
+% it is important to prevent breaks *between* the colons, and that is why
+% colons are `BigBreaks'.
+%
+% It is possible for characters to prevent breaks after the next following
+% character (I use this for parentheses). Specify these in "\ZrlNoBreaks".
+%
+% You can do arbitrarily complex things with characters by making them
+% active in math mode (mathcode hex-8000) and specifying the definition(s)
+% in "\ZrlSpecials". This is used in the rm and sf styles for OT1 font
+% encoding to handle several characters that are not present in those
+% computer-modern style fonts. See the definition of "\Zrl@do", which
+% is used by both "\zrl@rmstyle" and "\zrl@sfstyle"; it handles missing
+% characters via "\ZrlSpecials". The nominal format for setting each
+% special character "c" is: "\do\c{<definition>}", but you can include
+% other definitions too.
+%
+%
+% If all this sounds confusing ... well, it is! But I hope you won't need
+% to redefine breakpoints -- the default assignments seem to work well for
+% a wide variety of applications. If you do need to make changes, you can
+% test for breakpoints using regular math mode and the characters "+=(a".
+%
+% Yet more flexibility:
+% You can also customize the verbatim text by defining "\ZrlRight" and/or
+% "\ZrlLeft", e.g., for ISO formatting of zrls surrounded by "< >", define
+%
+% \renewcommand\zrl{\begingroup \def\ZrlLeft{<zrl: }\def\ZrlRight{>}%
+% \zrlstyle{tt}\Zrl}
+%
+% The meanings of "\ZrlLeft" and "\ZrlRight" are *not* reproduced verbatim.
+% This lets you use formatting commands there, but you must be careful not
+% to use TeX's special characters ("\^_%~#$&{}" etc.) improperly.
+% You can also define "\ZrlLeft" to reprocess the verbatim text, but the
+% format of the definition is special:
+%
+% \def\ZrlLeft#1\ZrlRight{ ... do things with #1 ... }
+%
+% Yes, that is "#1" followed by "\ZrlRight" then the definition. For
+% example, to put a hyperTeX hypertext link in the DVI file:
+%
+% \def\ZrlLeft#1\ZrlRight{\special{html:<a href="#1">}#1\special{html:</a>}}
+%
+% Using this technique, zrl.sty can provide a convenient interface for
+% performing various operations on verbatim text. You don't even need
+% to print out the argument! For greatest efficiency in such obscure
+% applications, you can define a null zrl-style where all the lists like
+% "\ZrlBreaks" are empty.
+%
+% Revision History:
+% ver 1.1 6-Feb-1996:
+% Fix hyphens that wouldn't break and ligatures that weren't suppressed.
+% ver 1.2 19-Oct-1996:
+% Package option for T1 encoding; Hooks: "\ZrlLeft" and "\ZrlRight".
+% ver 1.3 21-Jul-1997:
+% Prohibit spaces as delimiter characters; change ascii tilde in OT1.
+% ver 1.4 02-Mar-1999
+% LaTeX license; moving-argument-error
+% The End
+
+Test file integrity: ASCII 32-57, 58-126: !"#$%&'()*+,-./0123456789
+:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{|}~
diff --git a/2004/netfilter-failover-ols2004/OLS2004-proceedings/all.txt b/2004/netfilter-failover-ols2004/OLS2004-proceedings/all.txt
new file mode 100644
index 0000000..1e8bbe0
--- /dev/null
+++ b/2004/netfilter-failover-ols2004/OLS2004-proceedings/all.txt
@@ -0,0 +1,306 @@
+A=Werner Almesberger
+I=none
+T=TCP Connection Passing
+N=24
+E=werner@almesberger.net
+
+A=Dan Aloni
+I=none
+T=Cooperative Linux
+N=14
+E=da-x@colinux.org
+
+A=Erik Andersen
+I=Codepoet Consulting
+T=Build your own Embedded Linux Wireless Access Point
+N=11
+E=andersen@codepoet.org
+
+A=Stuart Anderson
+I=netSweng, LLC
+T=Run-time testing of LSB Applications
+N=40
+E=anderson@netsweng.com
+
+A=Jens Axboe
+I=SUSE
+T=Linux Block IO - present and future
+N=152
+E=axboe@suse.de
+
+A=Suparna Bhattacharya
+I=IBM
+T=Linux AIO Performance and Robustness for Enterprise Workloads
+N=64
+E=suparna@in.ibm.com
+
+A=Tim R. Bird
+I=Sony Electronics
+T=Methods to Improve Bootup Time in Linux
+N=132
+E=tim.bird@am.sony.com
+
+A=Martin J. Bligh
+I=none
+T=Linux on NUMA
+N=153
+E=none
+
+A=James Bottomley
+I=SteelEye Technology, Inc.
+T=Improving Kernel Performance by Unmapping the Page Cache
+N=27
+E=jejb@steeleye.com
+
+A=Dave Boutcher
+I=IBM
+T=Linux Virtualization on IBM Power5 Systems
+N=26
+E=boutcher@us.ibm.com
+
+A=Len Brown
+I=Intel
+T=ACPI -- Advanced Configuration and Power Management Interface
+N=9
+E=len.brown@intel.com
+
+A=Ray Bryant
+I=Silicon Graphics
+T=Scaling Linux to the Extreme
+N=147
+E=raybry@sgi.com
+
+A=Peter Chubb
+I=NICTA
+T=Get More Device Drivers out of the Kernel!
+N=100
+E=peterc@gelato.unsw.edu.au
+
+A=Wim A. Coekaerts
+I=Oracle
+T=2.6 kernel for big servers compared to 2.4
+N=13
+E=wim.coekaerts@oracle.com
+
+A=Jonathan Corbet
+I=LWN.net
+T=Where 2.7 is going
+N=127
+E=corbet@lwn.net
+
+A=Paul Devriendt
+I=AMD
+T=SMP and frequency scaling
+N=22
+E=paul.devriendt@amd.com
+
+A=Matt Domsch
+I=Dell
+T=Dynamic Kernel Module Support: From Theory to Practice
+N=117
+E=matt_domsch@dell.com
+
+A=Scott Feldman
+I=Intel
+T=e100 weight reduction program
+N=177
+E=scott.feldman@intel.com
+
+A=James Bruce Fields
+I=University of Michigan
+T=NFSv4 and rpcsec_gss for linux
+N=76
+E=bfields@umich.edu
+
+A=Louay Gammo
+I=University of Waterloo
+T=Comparing and Evaluating epoll(), select(), and poll()
+N=0
+E=lgammo@cs.uwaterloo.ca
+
+A=James Gettys
+I=HP
+T=The (Re)Architecture of the X Window System
+N=0
+E=jim.gettys@hp.com
+
+A=Ibrahim Haddad
+I=Ericsson Research
+T=Towards Linux-based Open Telecom Platforms
+N=51
+E=ibrahim.haddad@ericsson.com
+
+A=Michael Austin Halcrow
+I=International Business Machines, Inc.
+T=Demands, Solutions, and Improvements for Linux Filesystem Security
+N=55
+E=linuxsymposium.org@halcrow.us
+
+A=Dave Hansen
+I=IBM
+T=Hotplug Memory and the Linux VM
+N=131
+E=haveblue@us.ibm.com
+
+A=Greg Kroah-Hartman
+I=none
+T=kobjects and krefs - lockless reference counting for kernel structures
+N=168
+E=greg@kroah.com
+
+A=Rick Lindsley
+I=IBM Linux Technology Center
+T=The Cursor Wiggles Faster: Measuring Scheduler Performance
+N=82
+E=ricklind@us.ibm.com
+
+A=Robert Love
+I=Novell
+T=On a Kernel Events Layer and User-space Message Bus System
+N=122
+E=rml@ximian.com
+
+A=Matt Mackall
+I=Selenic Consulting
+T=Linux-tiny and directions for small systems
+N=30
+E=mpm@selenic.com
+
+A=Dan Magenheimer
+I=Hewlett Packard Co
+T=Xen and the Art of Open Source Virtualization
+N=68
+E=dan.magenheimer@hp.com
+
+A=Jon Paul Maloy
+I=Ericsson
+T=TIPC: Providing Communication for Linux Clusters
+N=52
+E=jon.maloy@ericsson.com
+
+A=Dave McCracken
+I=IBM
+T=Object-based reverse mapping
+N=109
+E=dmccr@us.ibm.com
+
+A=Michael Meeks
+I=Novell, Inc.
+T=The World of OpenOffice
+N=145
+E=michael@ximian.com
+
+A=Arnaldo Carvalho de Melo
+I=Conectiva S.A.
+T=TCPfying the Poor Cousins
+N=130
+E=none
+
+A=Kazunori Miyazawa
+I=USAGI Project
+T=IPv6 IPsec and Mobile IPv6 implementation of Linux
+N=119
+E=kazunori@miyazawa.org
+
+A=Keith Packard
+I=HP
+T=Getting X off the hardware
+N=0
+E=none
+
+A=Ram Pai
+I=IBM Corporation
+T=Linux 2.6 performance improvement through readahead optimization
+N=54
+E=linuxram@us.ibm.com
+
+A=Inaky Perez-Gonzalez
+I=Intel Corporation
+T=I would hate user space locking if it weren't that sexy...
+N=10
+E=inaky.perez-gonzalez@intel.com
+
+A=Steven L. Pratt
+I=IBM
+T=Workload Dependent Performance Evaluation of the 2.6 I/O Schedulers
+N=58
+E=slpratt@us.ibm.com
+
+A=Sam Robb
+I=TimeSys
+T=Creating Cross-Compile Friendly Software
+N=104
+E=sam.robb@timesys.com
+
+A=John A. Ronciak
+I=Intel Corp.
+T=Page-Flip Technology for use within the Linux Networking Stack
+N=46
+E=john.ronciak@intel.com
+
+A=Rusty Russell
+I=IBM
+T=Linux Kernel Hotplug CPU Support
+N=16
+E=rusty@rustcorp.com.au
+
+A=Dipankar Sarma
+I=IBM
+T=Issues with Selected Scalability Features of the 2.6 Kernel
+N=156
+E=dipankar@in.ibm.com
+
+A=Kittur (Doc) S. Shankar
+I=IBM
+T=Achieving CAPP/EAL3+ Security Certification for Linux
+N=72
+E=dshankar@us.ibm.com
+
+A=Rik van Riel
+I=Red Hat, Inc.
+T=Improving Linux resource control using CKRM
+N=125
+E=riel@redhat.com
+
+A=Alain Volmat
+I=Ricoh Company Ltd.
+T=Linux on a Digital Camera
+N=110
+E=avolmat@src.ricoh.co.jp
+
+A=John A. Walicki
+I=IBM Research
+T=The Linux Client at IBM - Enterprise Enabling the Linux Desktop
+N=0
+E=none
+
+A=Harald Marc Welte
+I=netfilter core team
+T=ct_sync - state replication of ip_conntrack
+N=86
+E=laforge@gnumonks.org
+
+A=Mats Wichmann
+I=LSB Project / Intel Corporation
+T=Increasing the appeal of Open Source projects
+N=175
+E=mats.d.wichmann@intel.com
+
+A=Matthew S. Wilson
+I=none
+T=New approaches in software provisioning and system maintenance
+N=0
+E=none
+
+A=Carl D. Worth
+I=USC/Information Sciences Institute
+T="On-demand" Linux in a Power-aware Microsensor
+N=70
+E=cworth@east.isi.edu
+
+A=Chris Wright
+I=OSDL
+T=Linux Virtualization
+N=0
+E=none
+
diff --git a/2004/netfilter-failover-ols2004/OLS2004-proceedings/bin/CreateIndiv.pl b/2004/netfilter-failover-ols2004/OLS2004-proceedings/bin/CreateIndiv.pl
new file mode 100755
index 0000000..5905008
--- /dev/null
+++ b/2004/netfilter-failover-ols2004/OLS2004-proceedings/bin/CreateIndiv.pl
@@ -0,0 +1,222 @@
+#!/usr/bin/perl -w
+
+$preface = q{\newcount\olsmaster
+\olsmaster=1
+
+\documentclass[twocolumn,twoside,12pt]{combine}
+\usepackage{ols}
+\ifpdf
+\usepackage[pdftex]{epsfig}
+\else
+\usepackage{epsfig}
+\fi
+\usepackage{rotating}
+
+% Other packages that authors have used...
+\usepackage[modulo]{lineno}
+\usepackage{alltt}
+
+\usepackage[T1]{fontenc}
+\ifpdf
+\usepackage[pdftex]{graphicx}
+\else
+\usepackage{graphicx}
+\fi
+\usepackage[english]{babel}
+\usepackage[latin1]{inputenc}
+\usepackage{csty}
+
+\usepackage{enumerate}
+\usepackage{geometry}
+%%%%% html breaks 'combine' rather badly
+% \usepackage{html}
+%%% hyperref is nearly as bad
+% \usepackage{hyperref}
+\usepackage{isolatin1}
+\usepackage{latexsym}
+\usepackage{longtable}
+\usepackage{multicol}
+\usepackage{cprog}
+\usepackage{float}
+\usepackage{supertabular}
+\usepackage{textcomp}
+\usepackage{times}
+\usepackage{url}
+\usepackage{usenix}
+\usepackage{wrapfig}
+\usepackage{fancyvrb}
+
+\title{{\em\normalsize Reprinted from the}\\\\
+Proceedings of the\\\\
+Linux Symposium}
+\author{\vspace{4in}}
+\date{July 21th--24th, 2004\\\\
+ Ottawa, Ontario\\\\
+ Canada}
+
+% make room for "OLS2004...pagenumber" header
+\setlength{\topmargin}{-0.5in}
+\setlength{\headheight}{0.2in}
+\setlength{\headsep}{0.3in}
+
+\thispagestyle{empty}
+\pagestyle{empty}
+%%%%%%%%%%%%%%%%% DOC STARTS HERE %%%%%%%%%%%%%%%%%%%%
+\begin{document}
+\pagestyle{empty}
+\thispagestyle{empty}
+
+
+%%%%%%%%%%%%%% TITLE PAGE %%%%%%%%%%%%%%%%%%%
+\twocolumn[\pagestyle{empty}\thispagestyle{empty} \maketitle ]
+
+
+%%%%%%%%%%%%%%%%%%%%% CREDITS PAGE %%%%%%%%%%%%%%%%%%
+\thispagestyle{empty}
+\twocolumn
+\thispagestyle{empty}
+%%% \thispagestyle{empty}
+\begin{minipage}[t][0.95\textheight]{\textwidth}
+\thispagestyle{empty}
+
+\vspace{2cm}
+
+\textbf{{\Large Conference Organizers}}
+
+\vspace{5mm}
+\begin{large}
+\hspace*{0.5in}Andrew J.\ Hutton, \textit{Steamballoon, Inc.}\\\\
+\hspace*{0.5in}Stephanie Donovan, \textit{Linux Symposium}\\\\
+\hspace*{0.5in}C.\ Craig Ross, \textit{Linux Symposium}
+\end{large}
+
+\vspace{1cm}
+\textbf{{\Large Review Committee}}
+
+\vspace{5mm}
+\begin{large}
+\hspace*{0.5in}Jes Sorensen, \textit{Wild Open Source, Inc.}\\\\
+\hspace*{0.5in}Matt Domsch, \textit{Dell}\\\\
+\hspace*{0.5in}Gerrit Huizenga, \textit{IBM}\\\\
+\hspace*{0.5in}Matthew Wilcox, \textit{Hewlett-Packard}\\\\
+\hspace*{0.5in}Dirk Hohndel, \textit{Intel}\\\\
+\hspace*{0.5in}Val Henson, \textit{Sun Microsystems}\\\\
+\hspace*{0.5in}Jamal Hadi Salimi, \textit{Znyx}\\\\
+\hspace*{0.5in}Andrew Hutton, \textit{Steamballoon, Inc.}
+\end{large}
+
+\vspace{1cm}
+
+\textbf{{\Large Proceedings Formatting Team}}
+
+\vspace{5mm}
+\begin{large}
+\hspace*{0.5in}John W.\ Lockhart, \textit{Red Hat, Inc.}\\\\
+\end{large}
+
+
+% \vspace*{\fill}
+
+\begin{center}
+\vspace{2.5in}
+Authors retain copyright to all submitted papers, but have granted
+unlimited redistribution rights to all as a condition of submission.
+\end{center}
+\end{minipage}
+
+%%%%%%%% PAGE HEADINGS DEFINITIONS %%%%%%%%%%%%%%%%%%%%
+\pagestyle{myheadings}
+\markboth{~~{\textbullet}~~Linux Symposium\ ~\hrulefill\ }{\ \hrulefill\ Linux Symposium 2004~~{\textbullet}~~}
+
+%%%%%%%%%%%%%%% PAPERS BEGIN HERE %%%%%%%%%%%%%%%%%%%%%%%%%%
+};
+
+###### THIS IS THE SORT OF STUFF THAT MAKES UP THE MIDDLE...
+### \setcounter{page}{176}
+### \begin{papers}
+### \coltocauthor{Kai Germaschewski} % { University of Iowa}
+### \coltoctitle{Kernel configuration and building in Linux 2.5}
+### \label{art16}
+### \import{kbuild}
+
+$ender = q{\end{papers}
+\clearpage
+\end{document}
+};
+
+# print "hey, the quotes worked\n";
+@authors = ( );
+@titles = ( );
+@imports = ( );
+@pagenos = ( );
+
+open(AUTHORS, "grep coltocauthor ./MasterOLS.tex|") or die "nogrep";
+while (defined($ln = <AUTHORS>)) {
+ chomp $ln;
+ push(@authors, $ln);
+}
+close(AUTHORS);
+
+open(TITLES, "grep coltoctitle ./MasterOLS.tex|") or die "nogrep2";
+while (defined($ln = <TITLES>)) {
+ chomp $ln;
+ push @titles, $ln;
+}
+close(TITLES);
+
+open(IMPORTS, "grep import ./MasterOLS.tex|") or die "nogrep3";
+while (defined($ln = <IMPORTS>)) {
+ chomp $ln;
+ push @imports, $ln;
+}
+close(IMPORTS);
+
+open(PAGENO, "grep coltocauthor ./MasterOLS-2side.toc|") or die "nogrep4";
+while (defined($ln = <PAGENO>)) {
+ chomp $ln;
+ push @pagenos, $ln;
+}
+close(PAGENO);
+
+$i = 0;
+foreach my $author (@authors) {
+ if (!defined($author) or !$author) {
+ print STDERR "Hey, undef author!\n";
+ exit 1;
+ }
+ $title = $titles[$i];
+ $import = $imports[$i];
+ $pageno = $pagenos[$i];
+ if ($author =~ /coltocauthor{(.*)}/) {
+ $a = $1;
+ if ($a =~ /(\S+ )*(\S+)/) {
+ $lastName = $2;
+ $fileName = "Reprint-${lastName}-OLS2004.tex";
+ $fileName =~ s/\'//;
+ ### \setcounter{page}{176}
+ ### \begin{papers}
+ if ($pageno =~ /{.*}{(\d+)}$/) {
+ open(OUT, ">$fileName") or die "cannot open $fileName";
+ $p = $1 - 1;
+ # print "$fileName\n";
+ print OUT "$preface\n";
+ print OUT '\setcounter{page}{' . $p . '}', "\n";
+ print OUT '\begin{papers}[\clearpage]', "\n";
+ print OUT "$author\n";
+ print OUT "$title\n";
+ print OUT "$import\n\n";
+ print OUT "$ender\n";
+ close(OUT);
+ # print " pageno: $p\n\n";
+ } else {
+ print STDERR "Hey, no pageno: $pageno\n";
+ }
+ }
+ # print STDERR "Got author: $a\n lastname: $lastName\n";
+ } else {
+ print STDERR "Hey, no author here: $author\n";
+ }
+ $i++;
+}
+
+
diff --git a/2004/netfilter-failover-ols2004/OLS2004-proceedings/bin/cleanurl.pl b/2004/netfilter-failover-ols2004/OLS2004-proceedings/bin/cleanurl.pl
new file mode 100755
index 0000000..d5a13da
--- /dev/null
+++ b/2004/netfilter-failover-ols2004/OLS2004-proceedings/bin/cleanurl.pl
@@ -0,0 +1,61 @@
+#!/usr/bin/perl -w
+my $ln;
+
+
+while (defined($ln = <STDIN>)) {
+ chomp $ln;
+ next if ($ln =~m/^\s*>linuxsymposium\s+/);
+ next if (($ln =~ m/^\s*Content\s+/) && ($ln =~ m/\s+Related\s*$/));
+ next if (($ln =~ m|^\s*Register/Login\s+|) && ($ln =~ m/\s+Venue\s*$/));
+ next if (($ln =~ m/^\s*Paper\s+/) && ($ln =~ m/\s+Travel\s*$/));
+
+ if (($ln =~ m/^\s*Presentations\s+/) && ($ln =~ m/\s+FAQ\s*$/)) {
+ $ln =~ s/^\s*Presentations\s+//;
+ $ln =~ s/\s+FAQ\s*$//;
+ }
+ $ln =~ s/^\s*Tutorials\s+//;
+ if (($ln =~ m|^\s*BOFS/Meetings\s+|) && ($ln =~ m/\s+Archives\s*$/)) {
+ $ln =~ s|^\s*BOFS/Meetings\s+||;
+ $ln =~ s/\s+Archives\s*$//;
+ }
+ $ln =~ s/^\s*Sponsors\s+//;
+ if (($ln =~ m/^\s*Contacts\s+/) && ($ln =~ m/\s+Photos\s*$/)) {
+ $ln =~ s/^\s*Contacts\s+//;
+ $ln =~ s/\s+Photos\s*$//;
+ }
+ if (($ln =~ m/^\s*Information\s+/) && ($ln =~ m/\s+200\d\s*$/)) {
+ $ln =~ s/^\s*Information\s+//;
+ $ln =~ s/\s+200\d\s*$//;
+ }
+ if (($ln =~ m/^\s*Home\s+/) && ($ln =~ m/\s+200\d\s*$/)) {
+ $ln =~ s/^\s*Home\s+//;
+ $ln =~ s/\s+200\d\s*$//;
+ }
+ $ln =~ s/^\s+200\d\s*$//;
+ $ln =~ s/^\s+199\d\s*$//;
+ $ln =~ s/\s+200\d\s*$//;
+ $ln =~ s/\s+199\d\s*$//;
+ $ln =~ s/\s+Proceedings\s*$//;
+ $ln =~ s/\s+Valid\sXHTML\s*$//;
+ $ln =~ s/\s+1\.0!\s*$//;
+ $ln =~ s/^\s+//g;
+ $ln =~ s/\s+$//g;
+
+ print '% ' if ($ln =~ m/^http:/i);
+ print "$ln\n";
+
+ # if (($ln =~ m/^\s*\s+/) && ($ln =~ m/\s+\s*$/));
+ # if (($ln =~ m/^\s*\s+/) && ($ln =~ m/\s+\s*$/));
+
+ # next if (($ln =~ m/^\s*\s+/) && ($ln =~ m/\s+\s*$/));
+ # next if (($ln =~ m/^\s*\s+/) && ($ln =~ m/\s+\s*$/));
+ # next if (($ln =~ m/^\s*\s+/) && ($ln =~ m/\s+\s*$/));
+ # next if (($ln =~ m/^\s*\s+/) && ($ln =~ m/\s+\s*$/));
+ # next if (($ln =~ m/^\s*\s+/) && ($ln =~ m/\s+\s*$/));
+ # next if (($ln =~ m/^\s*\s+/) && ($ln =~ m/\s+\s*$/));
+ # next if (($ln =~ m/^\s*\s+/) && ($ln =~ m/\s+\s*$/));
+ # next if (($ln =~ m/^\s*\s+/) && ($ln =~ m/\s+\s*$/));
+ # next if ($ln =~ m/\s+\s*$/);
+ # next if ($ln =~ m//);
+
+}
diff --git a/2004/netfilter-failover-ols2004/OLS2004-proceedings/bin/makeMainPaper.pl b/2004/netfilter-failover-ols2004/OLS2004-proceedings/bin/makeMainPaper.pl
new file mode 100755
index 0000000..60f3782
--- /dev/null
+++ b/2004/netfilter-failover-ols2004/OLS2004-proceedings/bin/makeMainPaper.pl
@@ -0,0 +1,81 @@
+#!/usr/bin/perl -w
+
+#
+# Creates all papers with minimal content. Caution: clobbers existing papers!
+# Run from top-level directory (GCC2004 or OLS2004), and relies on the
+# Master.tex file being correct.
+#
+# It's probably easier to make a copy of TEMPLATES/Blank.tex and edit
+# it by hand than to mess with this script. But it's included anyway,
+# just in case it's handy.
+
+open(IN,'<MasterOLS.tex') || die 'Cannot open MasterOLS.tex';
+my $inEntry = 0;
+my $author = '';
+my $instit = '';
+my $title = '';
+my $dirName = '';
+my @hrefs;
+my $paperCount = 0;
+my @keyNames = qw(__TITLE__ __AUTHOR__ __INSTITUTION__ __EMAIL__ __ABSTRACT__);
+
+while (defined($ln = <IN>)) {
+ chomp $ln;
+ next if ($ln =~ m/^\s*%*\s*$/); # skip blanks/comments
+ if (($ln =~ m/coltocauthor/) || (1 == $inEntry)) {
+ if ($ln =~ m/coltocauthor{(.*?)}\s+%\s+(.*)/) {
+ $author = $1;
+ $instit = $2;
+ $inEntry = 1;
+ $instit =~ s/\s+$//g;
+ } elsif ($ln =~ m/coltoctitle{(.*?)}/) {
+ $title = $1;
+ } elsif ($ln =~ m/import{([^}]+)}/) {
+ $dirName = $1;
+ push @hrefs, {
+ __AUTHOR__ => $author,
+ __INSTITUTION__ => $instit,
+ __TITLE__ => $title,
+ __EMAIL__ => 'your@email.address',
+ dirName => $dirName,
+ __ABSTRACT__ => ($dirName . '-abstract')};
+ $author = '';
+ $instit = '';
+ $title = '';
+ $dirName = '';
+ $inEntry = 0;
+ } elsif ($ln =~ m/label{gccart/) {
+ $paperCount++;
+ }
+ }
+}
+close(IN);
+
+print "found: count: $paperCount with ", (1 + $#hrefs), " entries\n";
+my $i = 1;
+for my $h (@hrefs) {
+ my $paper = $h->{dirName} . '/' . $h->{dirName} . '.tex';
+ printf "%02d: %s: %s | %s | %s | %s\n", $i, $paper,
+ $h->{__AUTHOR__},
+ $h->{__INSTITUTION__},
+ $h->{__TITLE__},
+ $h->{dirName};
+ $i++;
+
+ open(OUT, ">$paper") || die "Cannot open $paper for writing";
+ open(IN, '<TEMPLATES/Blank.tex') || die 'Cannot open TEMPLATES/Blank.tex for reading';
+ while (defined($ln = <IN>)) {
+ chomp $ln;
+ for my $r (@keyNames) {
+ my $v = $h->{$r};
+ $ln =~ s/$r/$v/;
+ }
+ print OUT "$ln\n";
+ }
+ print OUT "\n";
+ close(IN);
+ close(OUT);
+}
+
+
+
diff --git a/2004/netfilter-failover-ols2004/OLS2004-proceedings/bin/masterToHtml.pl b/2004/netfilter-failover-ols2004/OLS2004-proceedings/bin/masterToHtml.pl
new file mode 100755
index 0000000..85be495
--- /dev/null
+++ b/2004/netfilter-failover-ols2004/OLS2004-proceedings/bin/masterToHtml.pl
@@ -0,0 +1,32 @@
+#!/usr/bin/perl
+
+# An abject hack, but produces something that can be tidied up by hand.
+
+$in = 0;
+print "<html>\n<title></title>\n<body>\n<table>";
+while (defined($ln = <STDIN>)) {
+ chomp $ln;
+ next if ($ln =~ /^\s*$/);
+ next if ($ln =~ /^\s*%/);
+
+ if ($ln =~ /coltocauthor{(.*?)}/) {
+ $foo = $1;
+ $foo =~ s/\\//g;
+ print "<tr>\n <td>$foo</td>\n";
+ $in = 1;
+ }
+ if ($ln =~ /coltoctitle{(.*?)}/) {
+ $title = $1;
+ }
+ if ($ln =~ /import{(.*)}/) {
+ $fyle = $1;
+ if ($fyle ne 'missing') {
+ print " <td><a href=\"${fyle}.pdf\">${title}</a></td>\n</tr>\n";
+ } else {
+ print " <td>${title}</td>\n</tr>\n";
+ }
+ $in = 0;
+ }
+}
+print "</table>\n</body>\n</html>\n";
+
diff --git a/2004/netfilter-failover-ols2004/OLS2004-proceedings/bin/parseall.pl b/2004/netfilter-failover-ols2004/OLS2004-proceedings/bin/parseall.pl
new file mode 100755
index 0000000..f00a7c2
--- /dev/null
+++ b/2004/netfilter-failover-ols2004/OLS2004-proceedings/bin/parseall.pl
@@ -0,0 +1,126 @@
+#!/usr/bin/perl -w
+
+open(IN,'<all.txt') || die 'cannot open all.txt for read';
+my @recs;
+my $ref;
+# http://www.linuxsymposium.org/2004/view_abstract.php?content_key=24
+my $aurl='http://linuxsymposium.org/2004/view_abstract.php?content_key=';
+my %fields=(A=>1,I=>1,T=>1,E=>1,N=>1,);
+my @keyNames = qw(__TITLE__ __AUTHOR__ __INSTITUTION__ __EMAIL__ __ABSTRACT__);
+
+sub newrec {
+ my $r = {};
+ for my $i qw(A I T E dname abstract) {
+ $r->{$i} = '';
+ }
+ $r->{'N'} = 0;
+ for my $i (@keyNames) {
+ $r->{$i} = 'BUG';
+ }
+ return $r;
+}
+sub doItem {
+ my ($r, $l) = @_;
+ my ($f, $rest) = split /=/,$l;
+ die "bad record: $l" if (!exists($fields{$f}));
+ $rest =~ s/\s+$//g;
+ $rest =~ s/^none$/~/;
+ $r->{$f} = $rest;
+ if ($f eq 'A') {
+ my @fname = split /\s+/,lc($rest);
+ my $aname = pop(@fname);
+ $aname =~ s/[[:punct:]]//g;
+ $r->{dname} = $aname;
+ $r->{__AUTHOR__} = $r->{A};
+ $r->{__ABSTRACT__} = ($r->{dname} . '-abstract');
+ } elsif ($f eq 'N') {
+ $r->{abstract} = ($aurl . $rest);
+ } elsif ($f eq 'T') {
+ $r->{__TITLE__} = $r->{T};
+ } elsif ($f eq 'I') {
+ $r->{__INSTITUTION__} = $r->{I};
+ } elsif ($f eq 'E') {
+ $r->{__EMAIL__} = $r->{E};
+ }
+}
+
+$ref = newrec();
+while (defined($ln = <IN>)) {
+ chomp $ln;
+ if ($ln =~ m/^\s*$/) {
+ push @recs, $ref if ($ref);
+ $ref = newrec();
+ } else {
+ doItem($ref, $ln);
+ }
+}
+close(IN);
+
+# print "got $#recs records\n";
+my $cnt = 1;
+open(OUT,'>Authors.tex') || die "cannot open Authors.tex for write";
+open(CLEAN,'>Cleanup.sh') || die "cannot open Cleanup.sh for write";
+print CLEAN '#!/bin/bash', "\n\n";
+for my $r (@recs) {
+ print OUT '% email=';
+ print OUT $r->{E}, "\n";
+ print OUT '% url=', $r->{abstract}, "\n";
+
+ print OUT '\coltocauthor{';
+ $r->{A} =~ s/\./.\\/g;
+ print OUT $r->{A};
+ print OUT '}', "\n";
+
+ print OUT '\coltoctitle{';
+ print OUT $r->{T};
+ print OUT '}', "\n";
+
+ print OUT '\label{';
+ printf OUT "art%02d", $cnt;
+ print OUT '}', "\n";
+
+ print OUT '\import{';
+ print OUT $r->{dname};
+ print OUT '}', "\n";
+ print OUT "\n";
+ print CLEAN 'rm -rf ', $r->{dname}, "\n";
+
+ my $paper = $r->{dname} . '/' . $r->{dname} . '.tex';
+ my $setup = $r->{dname} . '/setup.sh';
+ if (! -d $r->{dname}) {
+ mkdir($r->{dname});
+ if (! -f $paper) {
+ open(OWT, ">$paper") || die "Cannot open $paper for writing";
+ open(INN, '<TEMPLATES/Blank.tex') || die 'Cannot open TEMPLATES/Blank.tex for reading';
+ my $ln;
+ while (defined($ln = <INN>)) {
+ chomp $ln;
+ for my $x (@keyNames) {
+ my $v = $r->{$x};
+
+ $ln =~ s/$x/$v/;
+ }
+ print OWT "$ln\n";
+ }
+ print OWT "\n";
+ close(INN);
+ close(OWT);
+ }
+ if (! -f $setup) {
+ open(OWT, ">$setup") || die "Cannot open $setup for writing";
+ print OWT '#!/bin/bash', "\n\n";
+ for my $i qw(ols-fonts.tex ols.sty zrl.sty) {
+ print OWT 'ln -s ../TEMPLATES/', $i, ' . || /bin/true', "\n";
+ }
+ print OWT 'cat ../TEMPLATES/ProtoMake | sed -e ', "'s/TOP=/TOP=",
+ $r->{dname}, "/' > Makefile\n";
+ print OWT 'echo -n ', "'%'", '> ', "'", $r->{__ABSTRACT__}, ".tex'", "\n";
+ print OWT "links -dump '", $r->{abstract}, "' | ../bin/cleanurl.pl >> ",
+ $r->{__ABSTRACT__}, '.tex', "\n";
+ close(OWT);
+ }
+ }
+ $cnt++;
+}
+close(OUT);
+close(CLEAN);
diff --git a/2004/netfilter-failover-ols2004/OLS2004-proceedings/texmf/ls-R b/2004/netfilter-failover-ols2004/OLS2004-proceedings/texmf/ls-R
new file mode 100644
index 0000000..0f43613
--- /dev/null
+++ b/2004/netfilter-failover-ols2004/OLS2004-proceedings/texmf/ls-R
@@ -0,0 +1,16 @@
+% ls-R -- filename database for kpathsea; do not change this line.
+./:
+ls-R
+tex
+
+./tex:
+latex
+
+./tex/latex:
+combine
+
+./tex/latex/combine:
+combcite.sty
+combine.cls
+combinet.sty
+combnat.sty
diff --git a/2004/netfilter-failover-ols2004/OLS2004-proceedings/texmf/tex/latex/combine/combcite.sty b/2004/netfilter-failover-ols2004/OLS2004-proceedings/texmf/tex/latex/combine/combcite.sty
new file mode 100644
index 0000000..12e4800
--- /dev/null
+++ b/2004/netfilter-failover-ols2004/OLS2004-proceedings/texmf/tex/latex/combine/combcite.sty
@@ -0,0 +1,109 @@
+%%
+%% This is file `combcite.sty',
+%% generated with the docstrip utility.
+%%
+%% The original source files were:
+%%
+%% combine.dtx (with options: `citepack')
+%%
+%% Author: Peter Wilson (CUA) now at peter.r.wilson@boeing.com
+%% (or at: pandgwilson at earthlink dot net)
+%% Copyright 2000, 2001, 2002, 2003 Peter R. Wilson
+%%
+%% This work may be distributed and/or modified under the
+%% conditions of the LaTeX Project Public License, either
+%% version 1.3 of this license or (at your option) any
+%% later version.
+%% The latest version of the license is in
+%% http://www.latex-project.org/lppl.txt
+%% and version 1.3 or later is part of all distributions of
+%% LaTeX version 2003/06/01 or later.
+%%
+%% This work has the LPPL maintenance status "author-maintained".
+%%
+%% This work consists of the files listed in the README file.
+%%
+\NeedsTeXFormat{LaTeX2e}
+\ProvidesPackage{combcite}[2003/11/09 v1.0 combine version of cite package]
+\@ifclassloaded{combine}{}{%
+ \PackageError{combcite}{The `combine' class is expected}{\@ehc}}
+
+\newif\ifc@lbsuperopt
+ \c@lbsuperoptfalse
+\DeclareOption{super}{\ExecuteOptions{superscript}}
+\DeclareOption{superscript}{\c@lbsuperopttrue
+ \PassOptionsToClass{superscript}{cite}}
+\ProcessOptions
+\RequirePackageWithOptions{cite}[2003/11/04]
+
+\DeclareRobustCommand\c@lbciten[1]{%
+ \begingroup
+ \let\@safe@activesfalse\@empty
+%% \c@lb@nocite{#1}% ignores spaces, writes to .aux file, returns #1 in \@no@sparg
+ \@nocite{#1}% ignores spaces, writes to .aux file, returns #1 in \@no@sparg
+ \@tempcntb\m@ne % \@tempcntb tracks highest number
+ \let\@h@ld\@empty % nothing held from list yet
+ \let\@citea\@empty % no punctuation preceding first
+ \let\@celt\delimiter % an unexpandable, but identifiable, token
+ \def\@cite@list{}% % empty list to start
+ \@for \@citeb:=\@no@sparg\do{\c@lb@make@cite@list}% make a sorted list of numbers
+ % After sorted citelist is made, execute it to compress citation ranges.
+ \@tempcnta\m@ne % no previous number
+ \let\@celt\@compress@cite \@cite@list % output number list with compression
+ \@h@ld % output anything held over
+ \endgroup
+ \@restore@auxhandle
+ }
+
+\def\c@lb@make@cite@list{%
+ \expandafter\let \expandafter\@B@citeB
+ \csname B?\jobname?@\@citeb\@extra@b@citeb \endcsname
+ \ifx\@B@citeB\relax % undefined: output ? and warning
+ \@citea {\bfseries ?}\let\@citea\citepunct \G@refundefinedtrue
+ \@warning {Citation `\@citeb' on page \thepage\space undefined}%
+ \oc@verbo \global\@namedef{B?\jobname?@\@citeb\@extra@b@citeb}{?}%
+ \else % defined % remove previous line to repeat warnings
+ \ifcat _\ifnum\z@<0\@B@citeB _\else A\fi % a positive number, put in list
+ \@addto@cite@list
+ \else % citation is not a number, output immediately
+ \@citea \citeform{\@B@citeB}\let\@citea\citepunct
+ \fi\fi}
+
+\ifc@lbsuperopt
+ \DeclareRobustCommand{\c@lbcite}{%
+ \@ifnextchar[{\@tempswatrue\c@lb@citex}{\@tempswafalse\c@lb@citew}}
+\else
+ \DeclareRobustCommand{\c@lbcite}{%
+ \@ifnextchar[{\@tempswatrue\c@lb@citex}{\@tempswafalse\c@lb@citex[]}}
+\fi
+
+\def\c@lb@citex[#1]#2{\@cite{\c@lbciten{#2}}{#1}}
+
+\def\c@lb@citew#1{\begingroup \leavevmode
+ \@if@fillglue \lastskip \relax \unskip
+ \def\@tempa{\@tempcnta\spacefactor
+ \/% this allows the last word to be hyphenated, and it looks better.
+ \@citess{\c@lbciten{#1}}\spacefactor\@tempcnta
+ \endgroup \@restore@auxhandle}%
+ \oc@movep\relax}% check for following punctuation (depending on options)
+
+\DeclareRobustCommand\c@lbnocite[1]{%
+ \@bsphack \@nocite{#1}%
+ \@for \@citeb:=\@no@sparg\do{\@ifundefined{B?\jobname?@\@citeb\@extra@b@citeb}%
+ {\G@refundefinedtrue\@warning{Citation `\@citeb' undefined}%
+ \oc@verbo \global\@namedef{B?\jobname?@\@citeb\@extra@b@citeb}{?}}{}}%
+ \@esphack}
+
+\def\@nocite#1{\begingroup\let\protect\string% normalize active chars
+ \xdef\@no@sparg{\expandafter\@ignsp#1 \: }\endgroup% and remove ALL spaces
+ \if@filesw \immediate\write\@newciteauxhandle % = \@auxout, except with multibib
+ {\string\citation {\@no@sparg}}\fi
+ }
+
+\g@addto@macro{\setuppapers}{\let\cite\c@lbcite}
+\g@addto@macro{\setuppapers}{\let\citenum\c@lbciten}
+\g@addto@macro{\setuppapers}{\let\citeonline\c@lbciten}
+
+\endinput
+%%
+%% End of file `combcite.sty'.
diff --git a/2004/netfilter-failover-ols2004/OLS2004-proceedings/texmf/tex/latex/combine/combine.cls b/2004/netfilter-failover-ols2004/OLS2004-proceedings/texmf/tex/latex/combine/combine.cls
new file mode 100644
index 0000000..b8f2e8a
--- /dev/null
+++ b/2004/netfilter-failover-ols2004/OLS2004-proceedings/texmf/tex/latex/combine/combine.cls
@@ -0,0 +1,1009 @@
+%%
+%% This is file `combine.cls',
+%% generated with the docstrip utility.
+%%
+%% The original source files were:
+%%
+%% combine.dtx (with options: `usc')
+%%
+%% Author: Peter Wilson (CUA) now at peter.r.wilson@boeing.com
+%% (or at: pandgwilson at earthlink dot net)
+%% Copyright 2000, 2001, 2002, 2003 Peter R. Wilson
+%%
+%% This work may be distributed and/or modified under the
+%% conditions of the LaTeX Project Public License, either
+%% version 1.3 of this license or (at your option) any
+%% later version.
+%% The latest version of the license is in
+%% http://www.latex-project.org/lppl.txt
+%% and version 1.3 or later is part of all distributions of
+%% LaTeX version 2003/06/01 or later.
+%%
+%% This work has the LPPL maintenance status "author-maintained".
+%%
+%% This work consists of the files listed in the README file.
+%%
+\NeedsTeXFormat{LaTeX2e}
+\ProvidesClass{combine}[2003/11/09 v0.52 collection of documents]
+\RequirePackage{keyval}
+
+\newcommand{\c@lclass}{article}
+\define@key{COLCLASS}{colclass}[article]%
+ {\renewcommand{\c@lclass}{#1}
+ \ClassWarningNoLine{combine}
+ {Expect warnings like:\MessageBreak
+ \space\space LaTeX Warning: Unused global option(s):\MessageBreak
+ \space\space\space\space [colclass=#1]}}
+\let\c@l@tempa\@empty
+\def\c@l@getoptionname#1=#2\@nil{#1}
+\@for\CurrentOption:=\@classoptionslist\do{%
+ \@ifundefined{%
+ KV@COLCLASS@\expandafter\c@l@getoptionname\CurrentOption=\@nil
+ }%
+ {% other options
+ }{%
+ \edef\c@l@tempa{\c@l@tempa,\CurrentOption,}%
+ }%
+}%
+\edef\c@l@tempa{%
+ \noexpand\setkeys{COLCLASS}{\c@l@tempa}%
+}
+\c@l@tempa
+
+\newif\ifc@lclasses
+ \c@lclassesfalse
+\newif\ifc@lpackages
+ \c@lpackagesfalse
+\newif\ifc@llayouts
+ \c@llayoutsfalse
+\newif\ifc@lfolios
+ \c@lfoliosfalse
+\newif\ifc@lnotoc
+ \c@lnotocfalse
+\newif\ifc@lnolof
+ \c@lnoloffalse
+\newif\ifc@lnolot
+ \c@lnolotfalse
+\newif\ifc@lmaintoc
+ \c@lmaintocfalse
+\newif\ifc@lnodate
+ \c@lnodatetrue
+\newif\ifc@lnoauthor
+ \c@lnoauthorfalse
+\newif\ifc@lnotitle
+ \c@lnotitlefalse
+\newif\ifc@lnomaketitle
+ \c@lnomaketitlefalse
+\newif\ifc@lnopubindoc
+ \c@lnopubindocfalse
+\newif\ifc@lnopubintoc
+ \c@lnopubintocfalse
+\newif\ifc@lonebib
+ \c@lonebibfalse
+\newif\ifc@lcombib
+ \c@lcombibfalse
+
+\DeclareOption{book}{\def\c@lclass{book}}
+\DeclareOption{report}{\def\c@lclass{report}}
+\DeclareOption{letter}{\def\c@lclass{letter}}
+\DeclareOption{memoir}{\def\c@lclass{memoir}}
+\DeclareOption{classes}{\c@lclassestrue}
+\DeclareOption{packages}{\c@lpackagestrue}
+\DeclareOption{layouts}{\c@llayoutstrue}
+\DeclareOption{folios}{\c@lfoliostrue}
+\DeclareOption{notoc}{\c@lnotoctrue}
+\DeclareOption{nolof}{\c@lnoloftrue}
+\DeclareOption{nolot}{\c@lnolottrue}
+\DeclareOption{maintoc}{\c@lmaintoctrue}
+\DeclareOption{date}{\c@lnodatefalse}
+\DeclareOption{noauthor}{\c@lnoauthortrue}
+\DeclareOption{notitle}{\c@lnotitletrue}
+\DeclareOption{nomaketitle}{\c@lnomaketitletrue}
+\DeclareOption{nopubindoc}{\c@lnopubindoctrue}
+\DeclareOption{nopubintoc}{\c@lnopubintoctrue}
+\DeclareOption{onebib}{\c@lonebibtrue}
+\DeclareOption{combinedbib}{\c@lcombibtrue}
+\DeclareOption*{\PassOptionsToClass{\CurrentOption}{\c@lclass}}
+\ProcessOptions\relax
+\ifc@lcombib
+ \c@lonebibtrue
+\fi
+
+\LoadClass{\c@lclass}
+
+\newif\ifc@lhaschapter
+ \c@lhaschapterfalse
+\@ifundefined{chapter}{}{\c@lhaschaptertrue}
+
+\@ifundefined{if@titlepage}{\newif\if@titlepage\@titlepagefalse}{}
+\newif\ifc@ltoctitle
+ \c@ltoctitlefalse
+\newif\ifc@ltocauthor
+ \c@ltocauthorfalse
+\newif\ifc@lpub
+ \c@lpubfalse
+
+\newcounter{colpage} \setcounter{colpage}{1}
+ \renewcommand{\thecolpage}{\arabic{colpage}}
+\newcounter{c@lctr}
+\@ifundefined{c@section}{\newcounter{section}}{}
+
+\newwrite\c@ltocfnum
+\newwrite\c@lloffnum
+\newwrite\c@llotfnum
+
+\def\provideenvironment{%
+ \@star@or@long\c@lprovide@environment}
+\def\c@lprovide@environment#1{%
+ \@ifundefined{#1}{%
+ \expandafter\let\csname#1\endcsname\relax
+ \expandafter\let\csname end#1\endcsname\relax
+ \new@environment{#1}}{\c@lenvironment{#1}}
+}
+\def\c@lenvironment#1{%
+ \@testopt{\c@lenva#1}0}
+\def\c@lenva#1[#2]{%
+ \@ifnextchar [{\c@lenvb#1[#2]}{\c@lthrowenv{#1}{[#2]}}}
+\def\c@lenvb#1[#2][#3]{\c@lthrowenv{#1}{[#2][#3]}}
+\def\c@lthrowenv#1#2#3#4{}
+
+\@ifundefined{newtheorem}{}{%
+ \newcommand{\c@lnamethm}[3]{%
+ \@namedef{#1}{\@thm{#2}{#3}}%
+ \@namedef{end#1}{\@endtheorem}}
+ \def\@xnthm#1#2[#3]{%
+ \expandafter\@ifdefinable\csname #1\endcsname
+ {\@definecounter{#1}\@newctr{#1}[#3]%
+ \expandafter\xdef\csname the#1\endcsname{%
+ \expandafter\noexpand\csname the#3\endcsname \@thmcountersep
+ \@thmcounter{#1}}%
+ \c@lnamethm{#1}{#1}{#2}}}
+ \def\@ynthm#1#2{%
+ \expandafter\@ifdefinable\csname #1\endcsname
+ {\@definecounter{#1}%
+ \expandafter\xdef\csname the#1\endcsname{\@thmcounter{#1}}%
+ \c@lnamethm{#1}{#1}{#2}}}
+ \def\@othm#1[#2]#3{%
+ \@ifundefined{c@#2}{\@nocounterr{#2}}%
+ {\expandafter\@ifdefinable\csname #1\endcsname
+ {\@namedef{the#1}{\@nameuse{the#2}}
+ \c@lnamethm{#1}{#2}{#3}}}}
+}
+
+\providecommand{\providelength}[1]{%
+ \ifx #1\undefined
+ \newlength{#1}
+ \fi
+}
+\providecommand{\providecounter}[1]{%
+ \expandafter\ifx \csname c@#1\endcsname \undefined
+ {\@definecounter{#1}}%
+ \@ifnextchar[{\@newctr{#1}}{}
+ \else
+ \@ifnextchar[{\c@l@gobbleoptarg}{}
+ \fi
+}
+
+\def\c@l@gobbleoptarg[#1]{}
+
+\providecommand{\appendiargdef}[2]{\begingroup
+ \toks@\expandafter{#1{##1}#2}%
+ \edef\@bsx{\endgroup \def\noexpand#1####1{\the\toks@}}%
+ \@bsx}
+
+\ifc@lclasses
+ \newcommand\c@lbdocumentclass{%
+ \makeatletter %% added
+ \let\newcommand\providecommand %% added
+ \let\newenvironment\provideenvironment %% added
+%% \let\documentclass\@twoclasseserror
+%% \if@compatability\else\let\usepackage\RequirePackage\fi
+ \@fileswithoptions\@clsextension
+ }
+\else
+ \newcommand{\c@lbdocumentclass}[2][\@empty]{%
+ \makeatletter
+ }
+\fi
+
+\ifc@lpackages\else
+ \newcommand{\c@lbusepackage}[2][\@empty]{}
+\fi
+
+\newcommand{\c@lbLoadClass}{%
+ \ifx\@currext\@pkgextension
+ \@latex@error{\noexpand\LoadClass in package file}%
+ {You may only use \noexpand\LoadClass in a class file.}%
+ \fi
+ \@fileswithoptions\@clsextension}
+
+\newcommand{\c@ltextblock}{%
+ \@colht\textheight
+ \@colroom\textheight \vsize\textheight
+ \columnwidth\textwidth
+ \@clubpenalty\clubpenalty
+ \if@twocolumn
+ \advance\columnwidth -\columnsep
+ \divide\columnwidth\tw@ \hsize\columnwidth \@firstcolumntrue
+ \fi
+ \hsize\columnwidth \linewidth\hsize
+}
+
+\newcommand{\c@ladocument}{%
+ \endgroup
+ \let\mainjobname\jobname %% added
+ \def\c@lmainauxfile{\jobname.aux} %% added
+ \ifx\@unusedoptionlist\@empty\else
+ \@latex@warning@no@line{Unused global option(s):^^J%
+ \@spaces[\@unusedoptionlist]}%
+ \fi
+ \c@ltextblock %% a replacement
+ \begingroup\@floatplacement\@dblfloatplacement
+ \makeatletter\let\@writefile\@gobbletwo
+ \global \let \@multiplelabels \relax
+ \@input{\c@lmainauxfile}% %% changed
+ \endgroup
+ \if@filesw
+ \immediate\openout\@mainaux\c@lmainauxfile %% changed
+ \immediate\write\@mainaux{\relax}%
+ \fi
+ \process@table
+ \let\glb@currsize\@empty
+ \normalsize
+ \everypar{}%
+ \ifx\normalsfcodes\@empty
+ \ifnum\sfcode`\.=\@m
+ \let\normalsfcodes\frenchspacing
+ \else
+ \let\normalsfcodes\nonfrenchspacing
+ \fi
+ \fi
+ \@noskipsecfalse
+ \g@addto@macro{\@outputpage}{\stepcounter{colpage}} %% added
+ \let\maketitle\c@lamaketitle %% added
+ \@ifundefined{c@chapter}% %% added
+ {\@ifundefined{c@section}{}{\let\c@lthesec\thesection}}%
+ {\let\c@lthechap\thechapter}
+ \let \@refundefined \relax
+ \let\AtBeginDocument\@firstofone
+ \@begindocumenthook
+ \ifdim\topskip<1sp\global\topskip 1sp\relax\fi
+ \global\@maxdepth\maxdepth
+%% \global\let\@begindocumenthook\@undefined
+ \ifx\@listfiles\@undefined
+ \global\let\@filelist\relax
+ \global\let\@addtofilelist\@gobble
+ \fi
+%% \gdef\do##1{\global\let ##1\@notprerr}%
+%% \@preamblecmds
+ \global\let \@nodocument \relax
+ \global\let\do\noexpand
+ \ignorespaces}
+
+\newcommand{\c@lbdocument}{%
+%% \endgroup
+%% \ifx\@unusedoptionlist\@empty\else
+%% \@latex@warning@no@line{Unused global option(s):^^J%
+%% \@spaces[\@unusedoptionlist]}%
+%% \fi
+ \ifc@llayouts %% layouts option
+ \c@ltextblock
+ \fi
+ \begingroup\@floatplacement\@dblfloatplacement
+ \makeatletter \let\@writefile\@gobbletwo
+%% \global \let \@multiplelabels \relax
+ \@input{\c@lauxfile}%
+ \endgroup
+ \if@filesw
+ \immediate\openout\@partaux\c@lauxfile
+ \immediate\write\@partaux{\relax}%
+ \fi
+ \process@table
+ \let\glb@currsize\@empty
+ \normalsize
+ \everypar{}%
+ \@noskipsecfalse
+%% \let \@refundefined \relax
+ \let\AtBeginDocument\@firstofone
+ \@begindocumenthook
+ \ifdim\topskip<1sp\global\topskip 1sp\relax\fi
+ \global\@maxdepth\maxdepth
+%% \global\let\@begindocumenthook\@undefined
+ \ifx\@listfiles\@undefined
+ \global\let\@filelist\relax
+ \global\let\@addtofilelist\@gobble
+ \fi
+%% \gdef\do##1{\global\let ##1\@notprerr}%
+%% \@preamblecmds
+ \global\let \@nodocument \relax
+ \global\let\do\noexpand
+ \let\ps@plain\c@lbps@plain %% set pagestyle
+%% \pagestyle{plain}
+ \ifc@lfolios %% folios option initialises page number
+ \setcounter{page}{1}
+ \fi
+ \ifc@lhaschapter %% set chapter/section number
+ \setcounter{c@lctr}{\value{chapter}}
+ \setcounter{chapter}{0}
+ \else
+ \setcounter{c@lctr}{\value{section}}
+ \setcounter{section}{0}
+ \fi
+ \c@lresetcounters %% added
+ \makeatother %% added
+ \ignorespaces}
+
+\newcommand{\c@lresetcounters}{%
+ \@ifundefined{c@figure}{}{\setcounter{figure}{0}}
+ \@ifundefined{c@table}{}{\setcounter{table}{0}}
+ \@ifundefined{c@equation}{}{\setcounter{equation}{0}}
+ \@ifundefined{c@footnote}{}{\setcounter{footnote}{0}}
+ \@ifundefined{c@chapter}%
+ {\@ifundefined{c@section}{}{\renewcommand{\thesection}{\c@lthesec}}}%
+ {\renewcommand{\thechapter}{\c@lthechap}}
+ \zeroextracounters
+}
+\newcommand{\zeroextracounters}{}
+
+\newcommand{\c@lenddoca}{%
+ \@dofilelist
+ \ifdim \font@submax >\fontsubfuzz\relax
+ \@font@warning{Size substitutions with differences\MessageBreak
+ up to \font@submax\space have occured.\@gobbletwo}%
+ \fi
+ \@defaultsubs
+%% \@refundefined
+ \if@filesw
+ \ifx \@multiplelabels \relax
+ \if@tempswa
+ \@latex@warning@no@line{Label(s) may have changed.
+ Rerun to get cross-references right}%
+ \fi
+ \else
+ \@multiplelabels
+ \fi
+ \fi
+}
+
+\newcommand{\c@laenddocument}{%
+ \@enddocumenthook
+ \@checkend{document}%
+ \clearpage
+ \begingroup
+ \if@filesw
+ \immediate\closeout\@mainaux
+ \immediate\closeout\@partaux
+ \let\@setckpt\@gobbletwo
+ \let\@newl@bel\@testdef
+ \@tempswafalse
+ \makeatletter \input\c@lmainauxfile %% change here
+ \fi
+ \c@lenddoca %% a replacement
+ \@refundefined
+ \endgroup
+ \deadcycles\z@\@@end}
+
+\newcommand{\c@lbenddocument}{%
+ \@enddocumenthook
+ \@checkend{document}%
+ \clearpage
+ \begingroup
+ \if@filesw
+ \immediate\closeout\@partaux %% change here
+ \let\@setckpt\@gobbletwo
+ \let\@newl@bel\@testdef
+ \@tempswafalse
+ \makeatletter \input\c@lauxfile %% change here
+ \fi
+ \c@lenddoca %% a replacement
+%% \@refundefined
+ \endgroup
+ \deadcycles\z@ %%\@@end %% \@@end will close *all* files
+ \c@lclosetocs %% close local files
+ \ifc@lhaschapter %% reset chap/sec and page numbering
+ \setcounter{chapter}{\value{c@lctr}}
+ \gdef\thechapter{\c@lthechap}
+ \gdef\@chapapp{\chaptername}
+ \else
+ \setcounter{section}{\value{c@lctr}}
+ \gdef\thesection{\c@lthesec}
+ \fi
+ \setcounter{page}{\value{colpage}}
+ \pagestyle{\c@lastyle}
+ \erasetitling %% no \coltoc... or \published commands defined
+%% \let\@auxout\@mainaux
+ \gdef\jobname{\mainjobname} %% swap back to main document file name
+ \endinput %% ignore any text after \end{document}
+}
+
+\newcommand{\maintitlefont}{\begin{center}\LARGE}
+\newcommand{\postmaintitle}{\par\end{center}\vskip 0.5em}
+\newcommand{\mainauthorfont}{\begin{center}
+ \large \lineskip .5em%
+ \begin{tabular}[t]{c}}
+\newcommand{\postmainauthor}{\end{tabular}\par\end{center}}
+\newcommand{\maindatefont}{\begin{center}\large}
+\newcommand{\postmaindate}{\par\end{center}}
+
+\if@titlepage
+ \newcommand{\c@lamaketitle}{\begin{titlepage}%
+ \let\footnotesize\small
+ \let\footnoterule\relax
+ \let \footnote \thanks
+ \null\vfil
+ \vskip 60\p@
+ {\maintitlefont \@title \postmaintitle}
+ {\mainauthorfont \@author \postmainauthor}
+ {\maindatefont \@date \postmaindate}
+ \par
+ \@thanks
+ \vfil\null
+ \end{titlepage}%
+ \setcounter{footnote}{0}%
+ \c@lmtitlempty %% change here
+ } % end titlepage defs
+\else
+ \newcommand{\c@lamaketitle}{\par
+ \begingroup
+ \c@lmtitle %% change here
+ \endgroup
+ \setcounter{footnote}{0}%
+ \c@lmtitlempty %% change here
+ } % end non-titlepage
+
+
+ \def\@maketitle{%
+ \newpage
+ \null
+ \vskip 2em%
+ {\maintitlefont \@title \postmaintitle}
+ {\mainauthorfont \@author \postmainauthor}
+ {\maindatefont \@date \postmaindate}
+ \par
+ \vskip 1.5em}
+\fi % end mod A of titling
+
+\newcommand{\c@lmtitle}{%
+ \renewcommand\thefootnote{\@fnsymbol\c@footnote}%
+ \def\@makefnmark{\rlap{\@textsuperscript{\normalfont\@thefnmark}}}%
+ \long\def\@makefntext##1{\parindent 1em\noindent
+ \hb@xt@1.8em{%
+ \hss\@textsuperscript{\normalfont\@thefnmark}}##1}%
+ \if@twocolumn
+ \ifnum \col@number=\@ne
+ \@maketitle
+ \else
+ \twocolumn[\@maketitle]%
+ \fi
+ \else
+ \newpage
+ \global\@topnum\z@
+ \@maketitle
+ \fi
+ \thispagestyle{plain}\@thanks
+}
+
+ \newcommand{\c@lbmaketitle}{\par
+ \begingroup
+ \let\newpage\relax
+ \let\@maketitle\c@lb@maketitle
+ \c@lmtitle
+ \endgroup
+ \setcounter{footnote}{0}%
+ \c@lmtitlempty
+ }
+
+\newcommand{\c@lmtitlempty}{%
+ \global\let\@thanks\@empty
+ \global\let\@author\@empty
+ \global\let\@date\@empty
+ \global\let\@title\@empty
+}
+\newcommand{\importtitlefont}{\begin{center}\LARGE\bfseries}
+\newcommand{\postimporttitle}{\par\end{center}}
+\newcommand{\importauthorfont}{\begin{center}
+ \large\itshape \lineskip .5em%
+ \begin{tabular}[t]{c}}
+\newcommand{\postimportauthor}{\end{tabular}\par\end{center}}
+\newcommand{\importdatefont}{\begin{center}\large}
+\newcommand{\postimportdate}{\par\end{center}}
+
+\newcommand{\c@lb@maketitle}{%
+%% \newpage
+ \begingroup
+ \let\footnote\thanks
+ \null
+ \vskip 2em%
+ \ifc@lnotitle\else
+ {\importtitlefont \@title \postimporttitle}
+ \fi
+ \ifc@lnoauthor\else
+ {\importauthorfont \@author \postimportauthor}
+ \fi
+ \ifc@lnodate\else
+ {\importdatefont \@date \postimportdate}%
+ \fi
+ \par
+ \endgroup
+}
+
+\newcommand{\c@lb@starttoc}[1]{%
+ \begingroup
+ \makeatletter
+ \def\tocfname{\jobname.#1}
+ \@input{\tocfname}%
+ \if@filesw
+ \def\c@ltempa{#1} \def\c@ltempb{toc}
+ \ifx \c@ltempa \c@ltempb
+ \immediate\openout\c@ltocfnum \tocfname\relax
+ \else
+ \def\c@ltempb{lof}
+ \ifx \c@tempa \c@ltempb
+ \immediate\openout\c@lloffnum \tocfname\relax
+ \else
+ \def\c@ltempb{lot}
+ \ifx \c@tempa \c@ltempb
+ \immediate\openout\c@llotfnum \tocfname\relax
+ \else
+ \expandafter\newwrite\csname c@l#1fnum\endcsname
+ \immediate\openout\csname c@l#1fnum\endcsname \tocfname\relax
+ \fi
+ \fi
+ \fi
+ \fi
+ \@nobreakfalse
+ \endgroup}
+
+\newcommand{\c@lb@writefile}[2]{%
+ \def\tocfname{\jobname.#1}
+ \IfFileExists{\tocfname}
+ {\@temptokena{#2}%
+ \immediate\write\csname c@l#1fnum\endcsname{\the\@temptokena}}
+ {}
+}
+
+\newcommand{\c@lclosetocs}{%
+ \immediate\closeout\c@ltocfnum
+ \immediate\closeout\c@lloffnum
+ \immediate\closeout\c@llotfnum
+}
+
+\newcommand{\c@ltocgobble}{%
+ \let\label\@gobble \let\index\@gobble \let\glossary\@gobble}
+
+\newcommand{\c@laaddtocontents}[2]{%
+ \protected@write\@mainaux
+ {\c@ltocgobble}%
+ {\string\@writefile{#1}{#2}}
+}
+\newcommand{\c@laaddcontentsline}[3]{%
+ \c@laaddtocontents{#1}{\protect\contentsline{#2}{#3}{\thecolpage}}
+}
+
+\ifc@lmaintoc
+ \newcommand{\c@lbaddtocontents}[2]{%
+ \protected@write\@auxout
+ {\c@ltocgobble}%
+ {\string\@writefile{#1}{#2}}
+ \ifx\@mainaux\@auxout\else %% prevent writing twice to mainaux
+ \protected@write\@mainaux
+ {\c@ltocgobble}%
+ {\string\@writefile{#1}{\protect\begin{tocindent}{\toctocindent}}}
+ \protected@write\@mainaux
+ {\c@ltocgobble}%
+ {\string\@writefile{#1}{#2}}
+ \protected@write\@mainaux
+ {\c@ltocgobble}%
+ {\string\@writefile{#1}{\protect\end{tocindent}}}
+ \fi
+ }
+\fi
+
+\newcommand{\c@lblabel}[1]{\@bsphack
+ \protected@write\@auxout{}%
+ {\string\newlabel{#1}{{\@currentlabel}{\thecolpage}}}%
+ \@esphack}
+\newcommand{\c@lb@setref}[3]{%
+ \ifx#1\relax
+ \protect\G@refundefinedtrue
+ \nfss@text{\reset@font\bfseries ??}%
+ \@latex@warning{Reference `#3' on page \thecolpage \space
+ undefined}%
+ \else
+ \expandafter#2#1\null
+ \fi}
+
+\newcommand{\c@lbnewlabel}{\@newl@bel{R?\jobname?}}
+\newcommand{\c@lbref}[1]{\expandafter\@setref\csname R?\jobname?@#1\endcsname
+ \@firstoftwo{#1}}
+\newcommand{\c@lbpageref}[1]{\expandafter\@setref\csname R?\jobname?@#1\endcsname
+ \@secondoftwo{#1}}
+
+\newcommand{\c@lwritemainbib}{%
+ \if@filesw\immediate\write\@mainaux{\string\citation{\@citeb}}\fi
+ \@ifundefined{b@\@citeb}{\mbox{\reset@font\bfseries ?}%
+ \G@refundefinedtrue
+ \@latex@warning
+ {Citation `\@citeb' on page \thecolpage \space undefined}}%
+ {\hbox{\csname b@\@citeb\endcsname}}}
+\newcommand{\c@lwritelocalbib}{%
+ \if@filesw\immediate\write\@auxout{\string\citation{\@citeb}}\fi
+ \@ifundefined{B?\jobname?@\@citeb}{\mbox{\reset@font\bfseries ?}%
+ \G@refundefinedtrue
+ \@latex@warning
+ {Citation `\@citeb' on page \thecolpage \space undefined}}%
+ {\hbox{\csname B?\jobname?@\@citeb\endcsname}}}
+
+\newcommand{\c@lanocite}[1]{\@bsphack
+ \@for\@citeb:=#1\do{%
+ \edef\@citeb{\expandafter\@firstofone\@citeb}%
+ \if@filesw\immediate\write\@mainaux{\string\citation{\@citeb}}\fi
+ \@ifundefined{b@\@citeb}{\G@refundefinedtrue
+ \@latex@warning{Citation `\@citeb' undefined}}{}}%
+ \@esphack}
+\let\nocite\c@lanocite
+
+\newcommand{\c@lbnocite}[1]{\@bsphack
+ \@for\@citeb:=#1\do{%
+ \edef\@citeb{\expandafter\@firstofone\@citeb}%
+ \if@filesw\immediate\write\@auxout{\string\citation{\@citeb}}\fi
+ \@ifundefined{B?\jobname?@\@citeb}{\G@refundefinedtrue
+ \@latex@warning{Citation `\@citeb' undefined}}{}}%
+ \@esphack}
+
+\def\c@lb@citex[#1]#2{%
+ \ifc@lcombib
+ \c@lanocite{#2}%
+ \fi
+ \let\@citea\@empty
+ \@cite{\@for\@citeb:=#2\do
+ {\@citea\def\@citea{,\penalty\@m\ }%
+ \edef\@citeb{\expandafter\@firstofone\@citeb\@empty}%
+ \ifc@lcombib
+ \c@lwritelocalbib
+ \else
+ \ifc@lonebib
+ \c@lwritemainbib
+ \else
+ \c@lwritelocalbib
+ \fi
+ \fi}}{#1}}
+
+\ifc@lonebib
+ \newcommand{\c@lbbibcite}{\@newl@bel b}
+ \ifc@lcombib
+ \renewcommand{\c@lbbibcite}{\@newl@bel{B?\jobname?}}
+ \fi
+\else
+ \newcommand{\c@lbbibcite}{\@newl@bel{B?\jobname?}}
+\fi
+
+\newcommand{\c@lapagestyle}[1]{%
+ \gdef\c@lastyle{#1}
+ \@ifundefined{ps@#1}{}{\@nameuse{ps@#1}}
+}
+\newcommand{\c@lbpagestyle}[1]{%
+ \@ifundefined{ps@#1}{}{\@nameuse{ps@#1}}
+}
+
+\ifc@lfolios
+ \newcommand{\c@lbpagenumbering}[1]{%
+ \global\c@page \@ne \gdef\thepage{\csname @#1\endcsname
+ \c@page}}
+\else
+ \newcommand{\c@lbpagenumbering}[1]{}
+\fi
+
+\if@twoside
+ \newcommand{\c@laps@plain}{%
+ \let\@mkboth\@gobbletwo
+ \let\@oddhead\@empty \let\@evenhead\@empty
+ \def\@oddfoot{\reset@font\hfil\thepage}%
+ \def\@evenfoot{\reset@font\thepage\hfil}%
+ }
+ \ifc@lfolios
+ \newcommand{\c@lbps@plain}{%
+ \let\@mkboth\@gobbletwo
+ \let\@oddhead\@empty \let\@evenhead\@empty
+ \def\@oddfoot{\reset@font(\thepage)\hfil\thecolpage}%
+ \def\@evenfoot{\reset@font\thecolpage\hfil(\thepage)}%
+ }
+ \else
+ \newcommand{\c@lbps@plain}{%
+ \let\@mkboth\@gobbletwo
+ \let\@oddhead\@empty \let\@evenhead\@empty
+ \def\@oddfoot{\reset@font\hfil\thecolpage}%
+ \def\@evenfoot{\reset@font\thecolpage\hfil}%
+ }
+ \fi
+\else
+ \newcommand{\c@laps@plain}{%
+ \let\@mkboth\@gobbletwo
+ \let\@oddhead\@empty \let\@evenhead\@empty
+ \def\@oddfoot{\reset@font\hfil\thepage}%
+ \let\@evenfoot\@oddfoot
+ }
+ \ifc@lfolios
+ \newcommand{\c@lbps@plain}{%
+ \let\@mkboth\@gobbletwo
+ \let\@oddhead\@empty \let\@evenhead\@empty
+ \def\@oddfoot{\reset@font(\thepage)\hfil\thecolpage}%
+ \let\@evenfoot\@oddfoot
+ }
+ \else
+ \newcommand{\c@lbps@plain}{%
+ \let\@mkboth\@gobbletwo
+ \let\@oddhead\@empty \let\@evenhead\@empty
+ \def\@oddfoot{\reset@font\hfil\thecolpage}%
+ \let\@evenfoot\@oddfoot
+ }
+ \fi
+\fi
+
+\if@twoside
+ \newcommand{\ps@combine}{%
+ \let\@mkboth\@gobbletwo
+ \let\@oddhead\@empty \let\@evenhead\@empty
+ \def\@oddfoot{\reset@font\hfil\thepage}%
+ \def\@evenfoot{\reset@font\thepage\hfil}%
+ \let\ps@plain\c@laps@plain
+ }
+\else
+ \newcommand{\ps@combine}{%
+ \let\@mkboth\@gobbletwo
+ \let\@oddhead\@empty \let\@evenhead\@empty
+ \def\@oddfoot{\reset@font\hfil\thepage}%
+ \let\@evenfoot\@oddfoot
+ \let\ps@plain\c@laps@plain
+ }
+\fi
+
+\newcommand{\import}[1]{%
+ \ifc@ltoctitle
+ \addtocontents{toc}{\protect\contentsline{coltoctitle}%
+ {\protect\numberline{}\savec@ltoctitle}{\thecolpage}}
+ \c@ltoctitlefalse
+ \fi
+ \ifc@ltocauthor
+ \addcontentsline{toc}{coltocauthor}{\protect\numberline{}\savec@ltocauthor}
+ \c@ltocauthorfalse
+ \fi
+ \ifc@lpub
+ \addcontentsline{toc}{published}{\protect\numberline{}\savec@lpublished}
+ \c@lpubfalse
+ \fi
+ \gdef\jobname{#1}
+ \expandafter\let\csname B?\jobname?@*\endcsname\@empty
+ \gdef\c@lauxfile{#1.aux}
+ \@tempswatrue
+ \let\@auxout\@partaux
+ \@input@{#1.tex}%
+%% \@writeckpt{#1}%
+ \let\@auxout\@mainaux
+}
+
+\newcommand*\bodytitlemark[1]{}
+\newcounter{bodytitle}
+\renewcommand{\thebodytitle}{\@arabic\c@bodytitle}
+\ifc@lhaschapter
+ \newcommand{\bodytitle}{\@startsection{bodytitle}{0}{\z@}%
+ {-3.5ex \@plus -1ex \@minus -.2ex}%
+ {2.3ex \@plus.2ex}%
+ {\normalfont\Huge\bfseries}}
+\else
+ \newcommand{\bodytitle}{\@startsection{bodytitle}{1}{\z@}%
+ {-3.5ex \@plus -1ex \@minus -.2ex}%
+ {2.3ex \@plus.2ex}%
+ {\normalfont\Large\bfseries}}
+\fi
+
+\newcommand{\c@ll@chapseci}{%
+ \setlength\@tempdima{0em}%
+ \begingroup
+ \parindent \z@ \rightskip \@pnumwidth
+ \parfillskip -\@pnumwidth
+ \leavevmode
+}
+\newcommand{\c@ll@chapsecii}[2]{%
+ \advance\leftskip\@tempdima
+ \hskip -\leftskip
+ #1\nobreak\hfil \nobreak\hb@xt@\@pnumwidth{\hss #2}\par
+}
+
+\ifc@lhaschapter
+ \newcommand*\l@bodytitle[2]{% % as per chapter
+ \ifnum \c@tocdepth >\m@ne
+ \addpenalty{-\@highpenalty}%
+ \addvspace{1.0em \@plus\p@}%
+ \c@ll@chapseci
+ \bfseries %% bold ToC entry
+ \c@ll@chapsecii{#1}{#2}
+ \penalty\@highpenalty
+ \endgroup
+ \fi}
+\else
+ \newcommand*\l@bodytitle[2]{% % as per section
+ \ifnum \c@tocdepth >\z@
+ \addpenalty\@secpenalty
+ \addvspace{1.0em \@plus\p@}%
+ \c@ll@chapseci
+ \bfseries %% bold ToC entry
+ \c@ll@chapsecii{#1}{#2}
+ \endgroup
+ \fi}
+\fi
+
+\newlength{\toctitleindent}\setlength{\toctitleindent}{0pt}
+\newlength{\tocauthorindent}\setlength{\tocauthorindent}{1.5em}
+\newlength{\tocpubindent}\setlength{\tocpubindent}{1.5em}
+\newlength{\toctocindent}\setlength{\toctocindent}{1.5em}
+
+\newenvironment{tocindent}[1]{%
+ \hangindent #1 \hangafter -100\relax}{}
+
+\newcommand{\toctitlefont}{\bfseries}
+\newcommand{\tocauthorfont}{\itshape}
+\newcommand{\tocpubfont}{\normalfont}
+
+\newcommand*{\coltoctitle}[1]{%
+ \c@ltoctitletrue%
+ \gdef\savec@ltoctitle{#1}
+}
+
+\ifc@lhaschapter
+ \newcommand*\l@coltoctitle[2]{% % as per chapter
+ \ifnum \c@tocdepth >\m@ne
+ \addpenalty{-\@highpenalty}% encourage page break
+ \addvspace{1.0em \@plus\p@}%
+ \c@ll@chapseci
+ \setlength{\@tempdima}{\toctitleindent}% eliminate any spaces here
+ \toctitlefont %% bold ToC entry
+ \c@ll@chapsecii{#1}{#2}
+ \penalty\@highpenalty % discourage page break
+ \endgroup
+ \fi}
+\else
+ \newcommand*\l@coltoctitle[2]{% % as per section
+ \ifnum \c@tocdepth >\z@
+ \addpenalty\@secpenalty
+ \addvspace{1.0em \@plus\p@}%
+ \c@ll@chapseci
+ \setlength{\@tempdima}{\toctitleindent}% eliminate any spaces here
+ \toctitlefont %% bold ToC entry
+ \c@ll@chapsecii{#1}{#2}
+ \penalty\@highpenalty % discourage page break
+ \endgroup
+ \fi}
+\fi
+
+\newcommand*{\coltocauthor}[1]{%
+ \c@ltocauthortrue%
+ \gdef\savec@ltocauthor{#1}
+}
+
+\ifc@lhaschapter
+ \newcommand*\l@coltocauthor[2]{% % similar to chapter
+ \ifnum \c@tocdepth >\m@ne
+ \c@ll@chapseci
+ \setlength{\@tempdima}{\tocauthorindent}% eliminate any spaces here
+ \tocauthorfont %% italic ToC entry
+ \c@ll@chapsecii{#1}{}
+ \penalty\@highpenalty % discourage page break
+ \endgroup
+ \fi}
+\else
+ \newcommand*\l@coltocauthor[2]{% % similar to section
+ \ifnum \c@tocdepth >\z@
+ \c@ll@chapseci
+ \setlength{\@tempdima}{\tocauthorindent}% eliminate any spaces here
+ \tocauthorfont %% italic ToC entry
+ \c@ll@chapsecii{#1}{}
+ \penalty\@highpenalty % discourage page break
+ \endgroup
+ \fi}
+\fi
+
+\newcommand{\published}[2][\@empty]{%
+ \c@lpubtrue
+ \ifc@lnopubintoc\else
+ \ifx #1\@empty
+ \gdef\savec@lpublished{#2}
+ \else
+ \gdef\savec@lpublished{#1}
+ \fi
+ \fi
+ \ifc@lnopubindoc\else
+ {\parindent \z@ \pubfont #2\par\nobreak}
+ \fi
+}
+\newcommand{\pubfont}{\normalfont\centering}
+
+\ifc@lhaschapter
+ \newcommand*\l@published[2]{% % similar to chapter
+ \ifnum \c@tocdepth >\m@ne
+ \c@ll@chapseci
+ \setlength{\@tempdima}{\tocpubindent}% eliminate any spaces here
+ \tocpubfont %% normal font ToC entry
+ \c@ll@chapsecii{#1}{}
+ \endgroup
+ \fi}
+\else
+ \newcommand*\l@published[2]{% % similar to section
+ \ifnum \c@tocdepth >\z@
+ \c@ll@chapseci
+ \setlength{\@tempdima}{\tocpubindent}% eliminate any spaces here
+ \tocpubfont %% normal font ToC entry
+ \c@ll@chapsecii{#1}{}
+ \endgroup
+ \fi}
+\fi
+
+\newcommand{\erasetitling}{\c@ltoctitlefalse\c@ltocauthorfalse\c@lpubfalse}
+
+\newenvironment{papers}[1][\cleardoublepage]{%
+#1
+\setuppapers
+}{%
+\takedownpapers
+}
+
+\newcommand{\setuppapers}{%
+\let\documentclass\c@lbdocumentclass
+\ifc@lpackages\else \let\usepackage\c@lbusepackage \fi
+\let\document\c@lbdocument
+\let\enddocument\c@lbenddocument
+\let\LoadClass\c@lbLoadClass
+%% \let\maketitle\c@lbmaketitle
+\def\maketitle{\c@lbmaketitle}
+\let\@writefile\c@lb@writefile
+\let\@starttoc\c@lb@starttoc
+\ifc@lnomaketitle \let\maketitle\relax \fi
+\ifc@lnotoc \let\tableofcontents\relax \fi
+\ifc@lnolof \let\listoffigures\relax \fi
+\ifc@lnolot \let\listoftables\relax \fi
+\ifc@lmaintoc \let\addtocontents\c@lbaddtocontents \fi
+\let\label\c@lblabel
+\let\@setref\c@lb@setref
+\let\newlabel\c@lbnewlabel
+\let\ref\c@lbref
+\let\pageref\c@lbpageref
+%%% \renewcommand{\bibliographystyle}[1]{}
+\ifc@lcombib
+\else
+ \ifc@lonebib
+ \renewcommand{\bibliography}[1]{}
+ \fi
+\fi
+\let\@citex\c@lb@citex
+\let\bibcite\c@lbbibcite
+\let\nocite\c@lbnocite
+\ifc@lhaschapter
+ \renewcommand{\chapter}{\@startsection{chapter}{0}{\z@}%
+ {-3.5ex \@plus -1ex \@minus -.2ex}%
+ {2.3ex \@plus.2ex}%
+ {\normalfont\Large\bfseries}}
+\fi
+\c@ltoctitlefalse
+\c@ltocauthorfalse
+\c@lpubfalse
+\let\pagenumbering\c@lbpagenumbering
+\setcounter{colpage}{\value{page}}
+\let\pagestyle\c@lbpagestyle
+\pagestyle{\c@lastyle}
+\let\include\input
+}
+
+\newcommand{\takedownpapers}{%
+}
+
+\newcommand{\emptyAtBeginDocument}{\let\@begindocumenthook\@empty}
+
+\let\document\c@ladocument
+\let\enddocument\c@laenddocument
+%%\let\maketitle\c@lamaketitle
+\let\pagestyle\c@lapagestyle
+\pagestyle{combine}
+
+\endinput
+%%
+%% End of file `combine.cls'.
diff --git a/2004/netfilter-failover-ols2004/OLS2004-proceedings/texmf/tex/latex/combine/combinet.sty b/2004/netfilter-failover-ols2004/OLS2004-proceedings/texmf/tex/latex/combine/combinet.sty
new file mode 100644
index 0000000..5b1858b
--- /dev/null
+++ b/2004/netfilter-failover-ols2004/OLS2004-proceedings/texmf/tex/latex/combine/combinet.sty
@@ -0,0 +1,138 @@
+%%
+%% This is file `combinet.sty',
+%% generated with the docstrip utility.
+%%
+%% The original source files were:
+%%
+%% combine.dtx (with options: `pck')
+%%
+%% Author: Peter Wilson (CUA) now at peter.r.wilson@boeing.com
+%% (or at: pandgwilson at earthlink dot net)
+%% Copyright 2000, 2001, 2002, 2003 Peter R. Wilson
+%%
+%% This work may be distributed and/or modified under the
+%% conditions of the LaTeX Project Public License, either
+%% version 1.3 of this license or (at your option) any
+%% later version.
+%% The latest version of the license is in
+%% http://www.latex-project.org/lppl.txt
+%% and version 1.3 or later is part of all distributions of
+%% LaTeX version 2003/06/01 or later.
+%%
+%% This work has the LPPL maintenance status "author-maintained".
+%%
+%% This work consists of the files listed in the README file.
+%%
+\NeedsTeXFormat{LaTeX2e}
+\ProvidesPackage{combinet}[2004/03/06 v0.2a document titles in ToC]
+\@ifclassloaded{combine}{}{%
+ \PackageError{combinet}{The `combine' class is expected}{\@ehc}%
+}
+
+\newif\ifc@lnomtitle
+ \c@lnomtitlefalse
+\newif\ifc@lnomauthor
+ \c@lnomauthorfalse
+\newif\ifc@lnothanks
+ \c@lnothanksfalse
+\newif\ifc@lpubopt
+ \c@lpuboptfalse
+\newif\ifc@lpubtop
+ \c@lpubtopfalse
+\newif\ifc@lpubs
+ \c@lpubsfalse
+
+\DeclareOption{nomtitle}{\c@lnomtitletrue}
+\DeclareOption{nomauthor}{\c@lnomauthortrue}
+\DeclareOption{nothanks}{\c@lnothankstrue}
+\DeclareOption{pub}{\c@lpubopttrue\c@lpubtopfalse\c@lpubstrue}
+\DeclareOption{pubtop}{\c@lpubtoptrue\c@lpuboptfalse\c@lpubstrue}
+\ProcessOptions\relax
+
+\ifc@lpubs
+ \renewcommand{\published}[2][\@empty]{%
+ \c@lpubtrue
+ \ifx #1\@empty
+ \gdef\c@lpubtoc{#2}
+ \else
+ \gdef\c@lpubtoc{#1}
+ \fi
+ \gdef\c@lpubbody{#2}
+ }
+\fi
+
+\appendiargdef{\title}{%
+ \begingroup
+ \renewcommand{\thanks}[1]{}
+ \protected@xdef\c@l@title{#1}
+ \endgroup
+}
+\appendiargdef{\author}{%
+ \begingroup
+ \renewcommand{\thanks}[1]{}
+ \renewcommand{\and}{\unskip, }
+ \protected@xdef\c@l@author{#1}
+ \endgroup
+}
+
+\def\c@lbmaketitle{\par
+ \begingroup
+ \let\newpage\relax
+ \let\@maketitle\c@lb@maketitle
+ \ifc@lpub
+ \ifc@lpubtop
+ \ifc@lnopubindoc\else
+ {\parindent\z@ \pubfont \c@lpubbody\par\nobreak}
+ \fi
+ \fi
+ \fi
+ \c@lmtitle %% typeset the title block
+ \endgroup
+ \setcounter{footnote}{0}
+ \begingroup
+ \let\thanks\@empty
+ \ifc@ltoctitle\else
+ \ifc@lnomtitle\else
+ \ifx\@title\@empty\else
+ \ifc@lnothanks
+ \c@laaddcontentsline{toc}%
+ {coltoctitle}{\protect\numberline{}\c@l@title}%
+ \else
+ \c@laaddcontentsline{toc}%
+ {coltoctitle}{\protect\numberline{}\@title}%
+ \fi
+ \fi
+ \fi
+ \fi
+ \ifc@ltocauthor\else
+ \ifc@lnomauthor\else
+ \ifx\@author\@empty\else
+ \ifc@lnothanks
+ \c@laaddcontentsline{toc}%
+ {coltocauthor}{\protect\numberline{}\c@l@author}
+ \else
+ \c@laaddcontentsline{toc}%
+ {coltocauthor}{\protect\numberline{}\@author}
+ \fi
+ \fi
+ \fi
+ \fi
+ \endgroup
+ \ifc@lpub
+ \ifc@lpubopt
+ \ifc@lnopubindoc\else
+ {\parindent\z@ \pubfont \c@lpubbody\par\nobreak}
+ \fi
+ \fi
+ \ifc@lpubs
+ \ifc@lnopubintoc\else
+ \c@laaddcontentsline{toc}{published}{\protect\numberline{}\c@lpubtoc}
+ \fi
+ \fi
+ \fi
+ \c@lmtitlempty
+}
+
+\endinput
+%%
+%% End of file `combinet.sty'.
diff --git a/2004/netfilter-failover-ols2004/OLS2004-proceedings/texmf/tex/latex/combine/combnat.sty b/2004/netfilter-failover-ols2004/OLS2004-proceedings/texmf/tex/latex/combine/combnat.sty
new file mode 100644
index 0000000..53ef889
--- /dev/null
+++ b/2004/netfilter-failover-ols2004/OLS2004-proceedings/texmf/tex/latex/combine/combnat.sty
@@ -0,0 +1,543 @@
+%%
+%% This is file `combnat.sty',
+%% generated with the docstrip utility.
+%%
+%% The original source files were:
+%%
+%% combine.dtx (with options: `natpack')
+%%
+%% Author: Peter Wilson (CUA) now at peter.r.wilson@boeing.com
+%% (or at: pandgwilson at earthlink dot net)
+%% Copyright 2000, 2001, 2002, 2003 Peter R. Wilson
+%%
+%% This work may be distributed and/or modified under the
+%% conditions of the LaTeX Project Public License, either
+%% version 1.3 of this license or (at your option) any
+%% later version.
+%% The latest version of the license is in
+%% http://www.latex-project.org/lppl.txt
+%% and version 1.3 or later is part of all distributions of
+%% LaTeX version 2003/06/01 or later.
+%%
+%% This work has the LPPL maintenance status "author-maintained".
+%%
+%% This work consists of the files listed in the README file.
+%%
+\NeedsTeXFormat{LaTeX2e}
+\ProvidesPackage{combnat}[2003/05/22 v0.21 combined natbib package]
+\@ifclassloaded{combine}{}{%
+ \PackageError{combnat}{The `combine' class is expected}{\@ehc}}
+\RequirePackageWithOptions{natbib}
+
+\newcommand{\c@lNATwritemainbib}{%
+ \if@filesw\immediate\write\@mainaux{\string\citation{\@citeb}}\fi
+ \@ifundefined{b@\@citeb\@extra@b@citeb}{%
+ {\reset@font\bfseries?}
+ \NAT@citeundefined\PackageWarning{natbib}%
+ {Citation `\@citeb' on page \thepage \space undefined}}}
+
+\newcommand{\c@lNATwritemainbibdate}{%
+ \if@filesw\immediate\write\@mainaux{\string\citation{\@citeb}}\fi
+ \@ifundefined{b@\@citeb\@extra@b@citeb}{\@citea%
+ {\reset@font\bfseries ?}\NAT@citeundefined
+ \PackageWarning{natbib}%
+ {Citation `\@citeb' on page \thepage \space undefined}
+ \def\NAT@date{}}}
+
+\newcommand{\c@lNATwritelocalbib}{%
+ \if@filesw\immediate\write\@auxout{\string\citation{\@citeb}}\fi
+ \@ifundefined{B?\jobname?@\@citeb\@extra@b@citeb}{%
+ {\reset@font\bfseries?}
+ \NAT@citeundefined\PackageWarning{natbib}%
+ {Citation `\@citeb' on page \thepage \space undefined}}}
+
+\newcommand{\c@lNATwritelocalbibdate}{%
+ \if@filesw\immediate\write\@auxout{\string\citation{\@citeb}}\fi
+ \@ifundefined{B?\jobname?@\@citeb\@extra@b@citeb}{\@citea%
+ {\reset@font\bfseries ?}\NAT@citeundefined
+ \PackageWarning{natbib}%
+ {Citation `\@citeb' on page \thepage \space undefined}
+ \def\NAT@date{}}}
+
+\newcommand{\c@lNAT@citexnum@swatrue}{%
+ \ifnum\NAT@ctype>1\relax\@citea
+ \hyper@natlinkstart{\@citeb\@extra@b@citeb}%
+ \ifnum\NAT@ctype=2\relax\NAT@test{\NAT@ctype}%
+ \else\NAT@alias
+ \fi\hyper@natlinkend\else
+ \ifnum\NAT@sort>1\relax
+ \begingroup\catcode`\_=8
+ \ifcat _\ifnum\z@<0\NAT@num _\else A\fi
+ \global\let\NAT@nm=\NAT@num \else \gdef\NAT@nm{-2}\fi
+ \ifcat _\ifnum\z@<0\NAT@last@num _\else A\fi
+ \global\@tempcnta=\NAT@last@num \global\advance\@tempcnta by\@ne
+ \else \global\@tempcnta\m@ne\fi
+ \endgroup
+ \ifnum\NAT@nm=\@tempcnta
+ \ifx\NAT@last@yr\relax
+ \edef\NAT@last@yr{\@citea \mbox{\noexpand\citenumfont\NAT@num}}%
+ \else
+ \edef\NAT@last@yr{--\penalty\@m\mbox{\noexpand\citenumfont\NAT@num}}%
+ \fi
+ \else
+ \NAT@last@yr \@citea \mbox{\citenumfont\NAT@num}%
+ \let\NAT@last@yr\relax
+ \fi
+ \else
+ \@citea \mbox{\hyper@natlinkstart{\@citeb\@extra@b@citeb}%
+ {\citenumfont\NAT@num}\hyper@natlinkend}%
+ \fi
+ \fi
+ \def\@citea{\NAT@sep\penalty\@m\NAT@space}%
+}
+
+\def\NAT@citexnum[#1][#2]#3{%
+ \NAT@sort@cites{#3}%
+ \let\@citea\@empty
+ \@cite{\def\NAT@num{-1}\let\NAT@last@yr\relax\let\NAT@nm\@empty
+ \@for\@citeb:=\NAT@cite@list\do
+ {\edef\@citeb{\expandafter\@firstofone\@citeb}%
+ \c@lNATwritemainbib %%% change here
+ {\let\NAT@last@num\NAT@num\let\NAT@last@nm\NAT@nm
+ \NAT@parse{\@citeb}%
+ \ifNAT@longnames\@ifundefined{bv@\@citeb\@extra@b@citeb}{%
+ \let\NAT@name=\NAT@all@names
+ \global\@namedef{bv@\@citeb\@extra@b@citeb}{}}{}%
+ \fi
+ \ifNAT@full\let\NAT@nm\NAT@all@names\else
+ \let\NAT@nm\NAT@name
+ \fi
+ \ifNAT@swa
+ \c@lNAT@citexnum@swatrue
+ \else
+ \ifcase\NAT@ctype\relax
+ \ifx\NAT@last@nm\NAT@nm \NAT@yrsep\penalty\@m\NAT@space\else
+ \@citea \NAT@test{1}\ \NAT@@open
+ \if*#1*\else#1\ \fi\fi \NAT@mbox{%
+ \hyper@natlinkstart{\@citeb\@extra@b@citeb}%
+ {\citenumfont\NAT@num}\hyper@natlinkend}%
+ \def\@citea{\NAT@@close\NAT@sep\penalty\@m\ }%
+ \or\@citea
+ \hyper@natlinkstart{\@citeb\@extra@b@citeb}%
+ \NAT@test{\NAT@ctype}\hyper@natlinkend
+ \def\@citea{\NAT@sep\penalty\@m\ }%
+ \or\@citea
+ \hyper@natlinkstart{\@citeb\@extra@b@citeb}%
+ \NAT@test{\NAT@ctype}\hyper@natlinkend
+ \def\@citea{\NAT@sep\penalty\@m\ }%
+ \or\@citea
+ \hyper@natlinkstart{\@citeb\@extra@b@citeb}%
+ \NAT@alias\hyper@natlinkend
+ \def\@citea{\NAT@sep\penalty\@m\ }%
+ \fi
+ \fi
+ }}%
+ \ifnum\NAT@sort>1\relax\NAT@last@yr\fi
+ \ifNAT@swa\else\ifnum\NAT@ctype=0\if*#2*\else
+ \NAT@cmt#2\fi \NAT@@close\fi\fi}{#1}{#2}}
+
+\def\c@lbNAT@citexnum[#1][#2]#3{%
+ \ifc@lcombib\c@laNATnocite{#3}\fi %%% change here
+ \NAT@sort@cites{#3}%
+ \let\@citea\@empty
+ \@cite{\def\NAT@num{-1}\let\NAT@last@yr\relax\let\NAT@nm\@empty
+ \@for\@citeb:=\NAT@cite@list\do
+ {\edef\@citeb{\expandafter\@firstofone\@citeb}%
+ \c@lNATwritelocalbib %%% change here
+ {\let\NAT@last@num\NAT@num\let\NAT@last@nm\NAT@nm
+ \NAT@parse{\@citeb}%
+ \ifNAT@longnames\@ifundefined{bv@\@citeb\@extra@b@citeb}{%
+ \let\NAT@name=\NAT@all@names
+ \global\@namedef{bv@\@citeb\@extra@b@citeb}{}}{}%
+ \fi
+ \ifNAT@full\let\NAT@nm\NAT@all@names\else
+ \let\NAT@nm\NAT@name\fi
+ \ifNAT@swa
+ \c@lNAT@citexnum@swatrue
+ \else
+ \ifcase\NAT@ctype\relax
+ \ifx\NAT@last@nm\NAT@nm \NAT@yrsep\penalty\@m\NAT@space\else
+ \@citea \NAT@test{1}\ \NAT@@open
+ \if*#1*\else#1\ \fi\fi \NAT@mbox{%
+ \hyper@natlinkstart{\@citeb\@extra@b@citeb}%
+ {\citenumfont\NAT@num}\hyper@natlinkend}%
+ \def\@citea{\NAT@@close\NAT@sep\penalty\@m\ }%
+ \or\@citea
+ \hyper@natlinkstart{\@citeb\@extra@b@citeb}%
+ \NAT@test{\NAT@ctype}\hyper@natlinkend
+ \def\@citea{\NAT@sep\penalty\@m\ }%
+ \or\@citea
+ \hyper@natlinkstart{\@citeb\@extra@b@citeb}%
+ \NAT@test{\NAT@ctype}\hyper@natlinkend
+ \def\@citea{\NAT@sep\penalty\@m\ }%
+ \or\@citea
+ \hyper@natlinkstart{\@citeb\@extra@b@citeb}%
+ \NAT@alias\hyper@natlinkend
+ \def\@citea{\NAT@sep\penalty\@m\ }%
+ \fi\fi
+ }}%
+ \ifnum\NAT@sort>1\relax\NAT@last@yr\fi
+ \ifNAT@swa\else\ifnum\NAT@ctype=0\if*#2*\else
+ \NAT@cmt#2\fi \NAT@@close\fi\fi}{#1}{#2}}
+
+\newcommand{\c@lNAT@citex@swatrue}{%
+ \ifcase\NAT@ctype
+ \if\relax\NAT@date\relax
+ \@citea\hyper@natlinkstart{\@citeb\@extra@b@citeb}%
+ \NAT@nmfmt{\NAT@nm}\NAT@date\hyper@natlinkend
+ \else
+ \ifx\NAT@last@nm\NAT@nm\NAT@yrsep
+ \ifx\NAT@last@yr\NAT@year
+ \hyper@natlinkstart{\@citeb\@extra@b@citeb}\NAT@exlab
+ \hyper@natlinkend
+ \else
+ \unskip\
+ \hyper@natlinkstart{\@citeb\@extra@b@citeb}\NAT@date
+ \hyper@natlinkend
+ \fi
+ \else\@citea\hyper@natlinkstart{\@citeb\@extra@b@citeb}%
+ \NAT@nmfmt{\NAT@nm}%
+ \hyper@natlinkbreak{\NAT@aysep\ }{\@citeb\@extra@b@citeb}%
+ \NAT@date\hyper@natlinkend
+ \fi
+ \fi
+ \or\@citea\hyper@natlinkstart{\@citeb\@extra@b@citeb}%
+ \NAT@nmfmt{\NAT@nm}\hyper@natlinkend
+ \or\@citea\hyper@natlinkstart{\@citeb\@extra@b@citeb}%
+ \NAT@date\hyper@natlinkend
+ \or\@citea\hyper@natlinkstart{\@citeb\@extra@b@citeb}%
+ \NAT@alias\hyper@natlinkend
+ \fi \def\@citea{\NAT@sep\ }%
+}
+
+\def\NAT@citex%
+ [#1][#2]#3{%
+ \NAT@sort@cites{#3}%
+ \let\@citea\@empty
+ \@cite{\let\NAT@nm\@empty\let\NAT@year\@empty
+ \@for\@citeb:=\NAT@cite@list\do
+ {\edef\@citeb{\expandafter\@firstofone\@citeb}%
+ \c@lNATwritemainbibdate %%%% change here
+ {\let\NAT@last@nm=\NAT@nm\let\NAT@last@yr=\NAT@year
+ \NAT@parse{\@citeb}%
+ \ifNAT@longnames\@ifundefined{bv@\@citeb\@extra@b@citeb}{%
+ \let\NAT@name=\NAT@all@names
+ \global\@namedef{bv@\@citeb\@extra@b@citeb}{}}{}%
+ \fi
+ \ifNAT@full\let\NAT@nm\NAT@all@names\else
+ \let\NAT@nm\NAT@name\fi
+ \ifNAT@swa
+ \c@lNAT@citex@swatrue
+ \else
+ \ifcase\NAT@ctype
+ \if\relax\NAT@date\relax
+ \@citea\hyper@natlinkstart{\@citeb\@extra@b@citeb}%
+ \NAT@nmfmt{\NAT@nm}\hyper@natlinkend
+ \else
+ \ifx\NAT@last@nm\NAT@nm\NAT@yrsep
+ \ifx\NAT@last@yr\NAT@year
+ \hyper@natlinkstart{\@citeb\@extra@b@citeb}\NAT@exlab
+ \hyper@natlinkend
+ \else\unskip\
+ \hyper@natlinkstart{\@citeb\@extra@b@citeb}\NAT@date
+ \hyper@natlinkend
+ \fi
+ \else\@citea\hyper@natlinkstart{\@citeb\@extra@b@citeb}%
+ \NAT@nmfmt{\NAT@nm}%
+ \hyper@natlinkbreak{\ \NAT@@open\if*#1*\else#1\ \fi}%
+ {\@citeb\@extra@b@citeb}%
+ \NAT@date\hyper@natlinkend\fi
+ \fi
+ \or\@citea\hyper@natlinkstart{\@citeb\@extra@b@citeb}%
+ \NAT@nmfmt{\NAT@nm}\hyper@natlinkend
+ \or\@citea\hyper@natlinkstart{\@citeb\@extra@b@citeb}%
+ \NAT@date\hyper@natlinkend
+ \or\@citea\hyper@natlinkstart{\@citeb\@extra@b@citeb}%
+ \NAT@alias\hyper@natlinkend
+ \fi \if\relax\NAT@date\relax\def\@citea{\NAT@sep\ }%
+ \else\def\@citea{\NAT@@close\NAT@sep\ }\fi
+ \fi
+ }}\ifNAT@swa\else\if*#2*\else\NAT@cmt#2\fi
+ \if\relax\NAT@date\relax\else\NAT@@close\fi\fi}{#1}{#2}}
+
+\def\c@lbNAT@citex[#1][#2]#3{%
+ \ifc@lcombib \c@laNATnocite{#3} \fi %%%% change here
+ \NAT@sort@cites{#3}%
+ \let\@citea\@empty
+ \@cite{\let\NAT@nm\@empty\let\NAT@year\@empty
+ \@for\@citeb:=\NAT@cite@list\do
+ {\edef\@citeb{\expandafter\@firstofone\@citeb}%
+ \c@lNATwritelocalbibdate %%%% change here
+ {\let\NAT@last@nm=\NAT@nm\let\NAT@last@yr=\NAT@year
+ \NAT@parse{\@citeb}%
+ \ifNAT@longnames\@ifundefined{bv@\@citeb\@extra@b@citeb}{%
+ \let\NAT@name=\NAT@all@names
+ \global\@namedef{bv@\@citeb\@extra@b@citeb}{}}{}%
+ \fi
+ \ifNAT@full\let\NAT@nm\NAT@all@names\else
+ \let\NAT@nm\NAT@name\fi
+ \ifNAT@swa
+ \c@lNAT@citex@swatrue
+ \else
+ \ifcase\NAT@ctype
+ \if\relax\NAT@date\relax
+ \@citea\hyper@natlinkstart{\@citeb\@extra@b@citeb}%
+ \NAT@nmfmt{\NAT@nm}\hyper@natlinkend
+ \else
+ \ifx\NAT@last@nm\NAT@nm\NAT@yrsep
+ \ifx\NAT@last@yr\NAT@year
+ \hyper@natlinkstart{\@citeb\@extra@b@citeb}\NAT@exlab
+ \hyper@natlinkend
+ \else\unskip\
+ \hyper@natlinkstart{\@citeb\@extra@b@citeb}\NAT@date
+ \hyper@natlinkend
+ \fi
+ \else\@citea\hyper@natlinkstart{\@citeb\@extra@b@citeb}%
+ \NAT@nmfmt{\NAT@nm}%
+ \hyper@natlinkbreak{\ \NAT@@open\if*#1*\else#1\ \fi}%
+ {\@citeb\@extra@b@citeb}%
+ \NAT@date\hyper@natlinkend\fi
+ \fi
+ \or\@citea\hyper@natlinkstart{\@citeb\@extra@b@citeb}%
+ \NAT@nmfmt{\NAT@nm}\hyper@natlinkend
+ \or\@citea\hyper@natlinkstart{\@citeb\@extra@b@citeb}%
+ \NAT@date\hyper@natlinkend
+ \or\@citea\hyper@natlinkstart{\@citeb\@extra@b@citeb}%
+ \NAT@alias\hyper@natlinkend
+ \fi \if\relax\NAT@date\relax\def\@citea{\NAT@sep\ }%
+ \else\def\@citea{\NAT@@close\NAT@sep\ }\fi
+ \fi
+ }}\ifNAT@swa\else\if*#2*\else\NAT@cmt#2\fi
+ \if\relax\NAT@date\relax\else\NAT@@close\fi\fi}{#1}{#2}}
+
+\newcommand\c@laNATnocite[1]{\@bsphack
+ \@for\@citeb:=#1\do{%
+ \edef\@citeb{\expandafter\@firstofone\@citeb}%
+ \if@filesw\immediate\write\@mainaux{\string\citation{\@citeb}}\fi
+ \if*\@citeb\else
+ \@ifundefined{b@\@citeb\@extra@b@citeb}{%
+ \NAT@citeundefined \PackageWarning{natbib}%
+ {Citation `\@citeb' undefined}}{}\fi}%
+ \@esphack}
+\renewcommand{\nocite}[1]{\c@laNATnocite{#1}}
+
+\newcommand\c@lbNATnocite[1]{\@bsphack
+ \@for\@citeb:=#1\do{%
+ \edef\@citeb{\expandafter\@firstofone\@citeb}%
+ \if@filesw\immediate\write\@auxout{\string\citation{\@citeb}}\fi
+ \if*\@citeb\else
+ \@ifundefined{B?\jobname?@\@citeb\@extra@b@citeb}{%
+ \NAT@citeundefined \PackageWarning{natbib}%
+ {Citation `\@citeb' undefined}}{}\fi}%
+ \@esphack}
+
+\renewcommand{\NAT@wrout}[5]{%
+ \if@filesw
+ {\let\protect\noexpand\let~\relax
+ \immediate
+ \write\@mainaux{\string\bibcite{#5}{{#1}{#2}{{#3}}{{#4}}}}}\fi
+\ignorespaces}
+
+\newcommand{\c@lbNAT@wrout}[5]{%
+ \if@filesw
+ {\let\protect\noexpand\let~\relax
+ \immediate
+ \write\@auxout{\string\bibcite{#5}{{#1}{#2}{{#3}}{{#4}}}}}\fi
+\ignorespaces}
+
+\newcommand\c@laNAT@parse[1]{{%
+ \let\protect=\@unexpandable@protect\let~\relax
+ \let\active@prefix=\@gobble
+ \xdef\NAT@temp{\csname b@#1\@extra@b@citeb\endcsname}}%
+ \expandafter\NAT@split\NAT@temp
+ \expandafter\NAT@parse@date\NAT@date??????@@%
+ \ifciteindex\NAT@index\fi}
+
+\newcommand\c@lbNAT@parse[1]{{%
+ \let\protect=\@unexpandable@protect\let~\relax
+ \let\active@prefix=\@gobble
+ \xdef\NAT@temp{\csname B?\jobname?@#1\@extra@b@citeb\endcsname}}%
+ \expandafter\NAT@split\NAT@temp
+ \expandafter\NAT@parse@date\NAT@date??????@@%
+ \ifciteindex\NAT@index\fi}
+
+\def\c@laNAT@lbibitem[#1]#2{%
+ \if\relax\@extra@b@citeb\relax\else
+ \@ifundefined{br@#2\@extra@b@citeb}{}{%
+ \@namedef{br@#2}{\@nameuse{br@#2\@extra@b@citeb}}}\fi
+ \@ifundefined{b@#2\@extra@b@citeb}{\def\NAT@num{}}{\NAT@parse{#2}}%
+ \item[\hfil\hyper@natanchorstart{#2\@extra@b@citeb}\@biblabel{\NAT@num}%
+ \hyper@natanchorend]%
+ \NAT@ifcmd#1(@)(@)\@nil{#2}}
+
+\def\c@lbNAT@lbibitem[#1]#2{%
+ \if\relax\@extra@b@citeb\relax\else
+ \@ifundefined{br@#2\@extra@b@citeb}{}{%
+ \@namedef{br@#2}{\@nameuse{br@#2\@extra@b@citeb}}}\fi
+ \@ifundefined{B?\jobname?@#2\@extra@b@citeb}{\def\NAT@num{}}{\NAT@parse{#2}}%
+ \item[\hfil\hyper@natanchorstart{#2\@extra@b@citeb}\@biblabel{\NAT@num}%
+ \hyper@natanchorend]%
+ \NAT@ifcmd#1(@)(@)\@nil{#2}}
+
+\newcommand\c@laNATbibcite[2]{\@ifundefined{b@#1\@extra@binfo}\relax
+ {\NAT@citemultiple
+ \PackageWarningNoLine{natbib}{Citation `#1' multiply defined}}%
+ \global\@namedef{b@#1\@extra@binfo}{#2}}
+
+\newcommand\c@lbNATbibcite[2]{\@ifundefined{B?\jobname?@#1\@extra@binfo}\relax
+ {\NAT@citemultiple
+ \PackageWarningNoLine{natbib}{Citation `#1' multiply defined}}%
+ \global\@namedef{B?\jobname?@#1\@extra@binfo}{#2}}
+
+\ifc@lonebib
+ \ifc@lcombib
+ \else
+ \renewcommand\c@lbNATbibcite[2]{\@ifundefined{b@#1\@extra@binfo}\relax
+ {\NAT@citemultiple
+ \PackageWarningNoLine{natbib}{Citation `#1' multiply defined}}%
+ \global\@namedef{B?\jobname?@#1\@extra@binfo}{#2}}
+ \fi
+\fi
+
+\newcommand\c@laNAT@testdef[2]{%
+ \def\NAT@temp{#2}\expandafter \ifx \csname b@#1\@extra@binfo\endcsname
+ \NAT@temp \else \ifNAT@swa \NAT@swafalse
+ \PackageWarningNoLine{natbib}{Citation(s) may have
+ changed.\MessageBreak
+ Rerun to get citations correct}\fi\fi}
+
+\newcommand\c@lbNAT@testdef[2]{%
+ \def\NAT@temp{#2}\expandafter \ifx \csname B?\jobname?@#1\@extra@binfo\endcsname
+ \NAT@temp \else \ifNAT@swa \NAT@swafalse
+ \PackageWarningNoLine{natbib}{Citation(s) may have
+ changed.\MessageBreak
+ Rerun to get citations correct}\fi\fi}
+
+\ifnum\NAT@sort>0
+ \begingroup \catcode`\_=8
+ \gdef\c@laNAT@make@cite@list{%
+ \edef\@citeb{\expandafter\@firstofone\@citeb}%
+ \@ifundefined{b@\@citeb\@extra@b@citeb}{\def\NAT@num{A}}%
+ {\NAT@parse{\@citeb}}%
+ \ifcat _\ifnum\z@<0\NAT@num _\else A\fi
+ \@tempcnta\NAT@num \relax
+ \ifnum \@tempcnta>\@tempcntb
+ \edef\NAT@num@list{\NAT@num@list \@celt{\NAT@num}}%
+ \edef\NAT@cite@list{\NAT@cite@list\@citeb,}%
+ \@tempcntb\@tempcnta
+ \else
+ \let\NAT@@cite@list=\NAT@cite@list \def\NAT@cite@list{}%
+ \edef\NAT@num@list{\expandafter\NAT@num@celt \NAT@num@list \@gobble @}%
+ {\let\@celt=\NAT@celt\NAT@num@list}%
+ \fi
+ \else
+ \edef\NAT@nonsort@list{\NAT@nonsort@list\@citeb,}%
+ \fi}
+ \endgroup
+
+ \begingroup \catcode`\_=8
+ \gdef\c@lbNAT@make@cite@list{%
+ \edef\@citeb{\expandafter\@firstofone\@citeb}%
+ \@ifundefined{B?\jobname?@\@citeb\@extra@b@citeb}{\def\NAT@num{A}}%
+ {\NAT@parse{\@citeb}}%
+ \ifcat _\ifnum\z@<0\NAT@num _\else A\fi
+ \@tempcnta\NAT@num \relax
+ \ifnum \@tempcnta>\@tempcntb
+ \edef\NAT@num@list{\NAT@num@list \@celt{\NAT@num}}%
+ \edef\NAT@cite@list{\NAT@cite@list\@citeb,}%
+ \@tempcntb\@tempcnta
+ \else
+ \let\NAT@@cite@list=\NAT@cite@list \def\NAT@cite@list{}%
+ \edef\NAT@num@list{\expandafter\NAT@num@celt \NAT@num@list \@gobble @}%
+ {\let\@celt=\NAT@celt\NAT@num@list}%
+ \fi
+ \else
+ \edef\NAT@nonsort@list{\NAT@nonsort@list\@citeb,}%
+ \fi}
+ \endgroup
+\fi
+
+\AtEndDocument{%
+ \ifNAT@stdbst\if@filesw\immediate\write
+ \@mainaux{\string\global\string\NAT@numberstrue}\fi\fi
+ }
+
+\AtEndDocument{\NAT@swatrue\let\bibcite\NAT@testdef}
+
+\newcommand{\c@laNAT@set@cites}{\ifNAT@numbers
+ \ifNAT@super \let\@cite\NAT@citesuper
+ \def\NAT@mbox##1{\unskip\nobreak\hspace{1\p@}\textsuperscript{##1}}%
+ \let\citeyearpar=\citeyear
+ \let\NAT@space\relax\else
+ \let\NAT@mbox=\mbox
+ \let\@cite\NAT@citenum \def\NAT@space{ }\fi
+ \let\@citex\NAT@citexnum
+ \ifx\@biblabel\@empty\let\@biblabel\NAT@biblabelnum\fi
+ \let\@bibsetup\NAT@bibsetnum
+ \def\natexlab##1{}%
+ \else
+ \let\@cite\NAT@cite
+ \let\@citex\NAT@citex
+ \let\@biblabel\NAT@biblabel
+ \let\@bibsetup\NAT@bibsetup
+ \def\natexlab##1{##1}%
+ \fi}
+
+\newcommand{\c@lbNAT@set@cites}{\ifNAT@numbers
+ \ifNAT@super \let\@cite\NAT@citesuper
+ \def\NAT@mbox##1{\unskip\nobreak\hspace{1\p@}\textsuperscript{##1}}%
+ \let\citeyearpar=\citeyear
+ \let\NAT@space\relax\else
+ \let\NAT@mbox=\mbox
+ \let\@cite\NAT@citenum \def\NAT@space{ }\fi
+ \let\@citex\NAT@citexnum
+ \ifx\@biblabel\@empty\let\@biblabel\NAT@biblabelnum\fi
+ \let\@bibsetup\NAT@bibsetnum
+ \def\natexlab##1{}%
+ \else
+ \let\@cite\NAT@cite
+ \let\@citex\NAT@citex
+ \let\@biblabel\NAT@biblabel
+ \let\@bibsetup\NAT@bibsetup
+ \def\natexlab##1{##1}%
+ \fi}
+
+\let\NAT@parse\c@laNAT@parse
+%%\let\nocite\c@laNATnocite
+%%\let\NAT@wrout\c@laNAT@wrout
+\let\@lbibitem\c@laNAT@lbibitem
+\let\bibcite\c@laNATbibcite
+\let\NAT@testdef\c@laNAT@testdef
+%%\let\NAT@make@cite@list\c@laNAT@make@cite@list
+%%\let\NAT@citexnum\c@laNAT@citexnum
+%%\let\NAT@citex\c@laNAT@citex
+
+\let\c@loldsetuppapers\setuppapers
+\newcommand{\c@lNATsetuplocal}{%
+ \let\NAT@parse\c@lbNAT@parse
+ \let\nocite\c@lbNATnocite
+ \let\NAT@wrout\c@lbNAT@wrout
+ \let\@lbibitem\c@lbNAT@lbibitem
+ \let\bibcite\c@lbNATbibcite
+ \let\NAT@testdef\c@lbNAT@testdef
+ \let\NAT@make@cite@list\c@lbNAT@make@cite@list
+ \let\NAT@citexnum\c@lbNAT@citexnum
+ \let\NAT@citex\c@lbNAT@citex
+ \let\NAT@set@cites\c@lbNAT@set@cites
+ \c@lbNAT@set@cites
+}
+\renewcommand{\setuppapers}{%
+ \c@loldsetuppapers
+ \ifc@lcombib
+ \c@lNATsetuplocal
+ \else
+ \ifc@lonebib
+ \else
+ \c@lNATsetuplocal
+ \fi
+ \fi
+}
+
+\endinput
+%%
+%% End of file `combnat.sty'.
diff --git a/2004/netfilter-failover-ols2004/OLS2004-proceedings/welte/Makefile b/2004/netfilter-failover-ols2004/OLS2004-proceedings/welte/Makefile
new file mode 100644
index 0000000..a7d9d31
--- /dev/null
+++ b/2004/netfilter-failover-ols2004/OLS2004-proceedings/welte/Makefile
@@ -0,0 +1,41 @@
+
+.SUFFIXES: .tex .dvi .aux .eps .fig .dia .ps .pdf .bib .bbl
+
+TOP=welte
+TEXFILES=$(TOP).tex
+FIGFILES:=$(wildcard *.fig)
+EPSFILES:=$(wildcard *.eps)
+EPSFILES+=$(FIGFILES:.fig=.eps)
+PDFFILES=$(EPSFILES:.eps=.pdf)
+
+.fig.eps:
+ fig2dev -L eps $< >$@
+
+.fig.pdf:
+ fig2dev -L pdf $< >$@
+
+.eps.pdf:
+ epstopdf $<
+
+all: $(TOP).ps $(TOP).pdf
+
+$(TOP).ps: $(TOP).dvi
+ dvips -o $(TOP).ps $(TOP)
+
+$(TOP).dvi: $(TEXFILES) $(EPSFILES)
+ latex $(TOP) || true
+ bibtex $(TOP) || true
+ latex $(TOP) || true
+ latex $(TOP)
+
+$(TOP).pdf: $(TEXFILES) $(PDFFILES)
+ pdflatex $(TOP) || true
+ bibtex $(TOP) || true
+ pdflatex $(TOP) || true
+ pdflatex $(TOP)
+
+clean:
+ rm -f *.aux *.dvi *.log
+ rm -f $(TOP).ps $(TOP).pdf $(TOP).bbl $(TOP).blg
+
+
diff --git a/2004/netfilter-failover-ols2004/OLS2004-proceedings/welte/Record.ols b/2004/netfilter-failover-ols2004/OLS2004-proceedings/welte/Record.ols
new file mode 100644
index 0000000..17fdd46
--- /dev/null
+++ b/2004/netfilter-failover-ols2004/OLS2004-proceedings/welte/Record.ols
@@ -0,0 +1,6 @@
+art='art47'
+adr='laforge@gnumonks.org'
+nam='Harald Welte'
+tit='ct_sync: state replication of ip_conntrack'
+dir='welte'
+key='kxowR10740'
diff --git a/2004/netfilter-failover-ols2004/OLS2004-proceedings/welte/netfilter-failover-ols2002.tex b/2004/netfilter-failover-ols2004/OLS2004-proceedings/welte/netfilter-failover-ols2002.tex
new file mode 100644
index 0000000..bf8d142
--- /dev/null
+++ b/2004/netfilter-failover-ols2004/OLS2004-proceedings/welte/netfilter-failover-ols2002.tex
@@ -0,0 +1,504 @@
+\documentclass[twocolumn]{article}
+\usepackage{ols}
+\begin{document}
+
+\date{}
+
+\title{\Large \bf How to replicate the fire - HA for netfilter based firewalls}
+
+\author{
+Harald Welte\\
+{\em Netfilter Core Team + Astaro AG}\\
+{\normalsize laforge@gnumonks.org/laforge@astaro.com, http://www.gnumonks.org/}
+}
+
+\maketitle
+
+\thispagestyle{empty}
+
+\subsection*{Abstract}
+ With traditional, stateless firewalling (such as ipfwadm, ipchains) there is
+no need for special HA support in the firewalling subsystem. As long as all
+packet filtering rules and routing table entries are configured in exactly the
+same way, one can use any available tool for IP-Address takeover to accomplish
+the goal of failing over from one node to the other.
+
+ With Linux 2.4.x netfilter/iptables, the Linux firewalling code moves beyond
+traditional packet filtering. Netfilter provides a modular connection tracking
+susbsystem which can be employed for stateful firewalling. The connection
+tracking subsystem gathers information about the state of all current network
+flows (connections). Packet filtering decisions and NAT information is
+associated with this state information.
+
+ In a high availability scenario, this connection tracking state needs to be
+replicated from the currently active firewall node to all standby slave
+firewall nodes. Only when all connection tracking state is replicated, the
+slave node will have all necessarry state information at the time a failover
+event occurs.
+
+ The netfilter/iptables does currently not have any functionality for
+replicating connection tracking state accross multiple nodes. However,
+the author of this presentation, Harald Welte, has started a project for
+connection tracking state replication with netfilter/iptables.
+
+ The presentation will cover the architectural design and implementation
+of the connection tracking failover sytem. With respect to the date of
+the conference, it is to be expected that the project is still a
+work-in-progress at that time.
+
+\section{Failover of stateless firewalls}
+
+There are no special precautions when installing a highly available
+stateless packet filter. Since there is no state kept, all information
+needed for filtering is the ruleset and the individual, seperate packets.
+
+Building a set of highly available stateless packet filters can thus be
+achieved by using any traditional means of IP-address takeover, such
+as Hartbeat or VRRPd.
+
+The only remaining issue is to make sure the firewalling ruleset is
+exactly the same on both machines. This should be ensured by the firewall
+administrator every time he updates the ruleset.
+
+If this is not applicable, because a very dynamic ruleset is employed, one
+can build a very easy solution using iptables-supplied tools iptables-save
+and iptables-restore. The output of iptables-save can be piped over ssh
+to iptables-restore on a different host.
+
+Limitations
+\begin{itemize}
+\item
+no state tracking
+\item
+not possible in combination with NAT
+\item
+no counter consistency of per-rule packet/byte counters
+\end{itemize}
+
+\section{Failover of stateful firewalls}
+
+Modern firewalls implement state tracking (aka connection tracking) in order
+to keep some state about the currently active sessions. The amount of
+per-connection state kept at the firewall depends on the particular
+implementation.
+
+As soon as {\bf any} state is kept at the packet filter, this state information
+needs to be replicated to the slave/backup nodes within the failover setup.
+
+In Linux 2.4.x, all relevant state is kept within the {\it connection tracking
+subsystem}. In order to understand how this state could possibly be
+replicated, we need to understand the architecture of this conntrack subsystem.
+
+\subsection{Architecture of the Linux Connection Tracking Subsystem}
+
+Connection tracking within Linux is implemented as a netfilter module, called
+ip\_conntrack.o.
+
+Before describing the connection tracking subsystem, we need to describe a
+couple of definitions and primitives used throughout the conntrack code.
+
+A connection is represented within the conntrack subsystem using {\it struct
+ip\_conntrack}, also called {\it connection tracking entry}.
+
+Connection tracking is utilizing {\it conntrack tuples}, which are tuples
+consisting out of (srcip, srcport, dstip, dstport, l4prot). A connection is
+uniquely identified by two tuples: The tuple in the original direction
+(IP\_CT\_DIR\_ORIGINAL) and the tuple for the reply direction
+(IP\_CT\_DIR\_REPLY).
+
+Connection tracking itself does not drop packets\footnote{well, in some rare
+cases in combination with NAT it needs to drop. But don't tell anyone, this is
+secret.} or impose any policy. It just associates every packet with a
+connection tracking entry, which in turn has a particular state. All other
+kernel code can use this state information\footnote{state information is
+internally represented via the {\it struct sk\_buff.nfct} structure member of a
+packet.}.
+
+\subsubsection{Integration of conntrack with netfilter}
+
+If the ip\_conntrack.o module is registered with netfilter, it attaches to the
+NF\_IP\_PRE\_ROUTING, NF\_IP\_POST\_ROUTING, NF\_IP\_LOCAL\_IN and
+NF\_IP\_LOCAL\_OUT hooks.
+
+Because forwarded packets are the most common case on firewalls, I will only
+describe how connection tracking works for forwarded packets. The two relevant
+hooks for forwarded packets are NF\_IP\_PRE\_ROUTING and NF\_IP\_POST\_ROUTING.
+
+Every time a packet arrives at the NF\_IP\_PRE\_ROUTING hook, connection
+tracking creates a conntrack tuple from the packet. It then compares this
+tuple to the original and reply tuples of all already-seen connections
+\footnote{Of course this is not implemented as a linear search over all existing connections.} to find out if this just-arrived packet belongs to any existing
+connection. If there is no match, a new conntrack table entry (struct
+ip\_conntrack) is created.
+
+Let's assume the case where we have already existing connections but are
+starting from scratch.
+
+The first packet comes in, we derive the tuple from the packet headers, look up
+the conntrack hash table, don't find any matching entry. As a result, we
+create a new struct ip\_conntrack. This struct ip\_conntrack is filled with
+all necessarry data, like the original and reply tuple of the connection.
+How do we know the reply tuple? By inverting the source and destination
+parts of the original tuple.\footnote{So why do we need two tuples, if they can
+be derived from each other? Wait until we discuss NAT.}
+Please note that this new struct ip\_conntrack is {\bf not} yet placed
+into the conntrack hash table.
+
+The packet is now passed on to other callback functions which have registered
+with a lower priority at NF\_IP\_PRE\_ROUTING. It then continues traversal of
+the network stack as usual, including all respective netfilter hooks.
+
+If the packet survives (i.e. is not dropped by the routing code, network stack,
+firewall ruleset, ...), it re-appears at NF\_IP\_POST\_ROUTING. In this case,
+we can now safely assume that this packet will be sent off on the outgoing
+interface, and thus put the connection tracking entry which we created at
+NF\_IP\_PRE\_ROUTING into the conntrack hash table. This process is called
+{\it confirming the conntrack}.
+
+The connection tracking code itself is not monolithic, but consists out of a
+couple of seperate modules\footnote{They don't actually have to be seperate
+kernel modules; e.g. TCP, UDP and ICMP tracking modules are all part of
+the linux kernel module ip\_conntrack.o}. Besides the conntrack core, there
+are two important kind of modules: Protocol helpers and application helpers.
+
+Protocol helpers implement the layer-4-protocol specific parts. They currently
+exist for TCP, UDP and ICMP (an experimental helper for GRE exists).
+
+\subsubsection{TCP connection tracking}
+
+As TCP is a connection oriented protocol, it is not very difficult to imagine
+how conntection tracking for this protocol could work. There are well-defined
+state transitions possible, and conntrack can decide which state transitions
+are valid within the TCP specification. In reality it's not all that easy,
+since we cannot assume that all packets that pass the packet filter actually
+arrive at the receiving end, ...
+
+It is noteworthy that the standard connection tracking code does {\bf not}
+do TCP sequence number and window tracking. A well-maintained patch to add
+this feature exists almost as long as connection tracking itself. It will
+be integrated with the 2.5.x kernel. The problem with window tracking is
+it's bad interaction with connection pickup. The TCP conntrack code is able to
+pick up already existing connections, e.g. in case your firewall was rebooted.
+However, connection pickup is conflicting with TCP window tracking: The TCP
+window scaling option is only transferred at connection setup time, and we
+don't know about it in case of pickup...
+
+\subsubsection{ICMP tracking}
+
+ICMP is not really a connection oriented protocol. So how is it possible to
+do connection tracking for ICMP?
+
+The ICMP protocol can be split in two groups of messages
+
+\begin{itemize}
+\item
+ICMP error messages, which sort-of belong to a different connection
+ICMP error messages are associated {\it RELATED} to a different connection.
+(ICMP\_DEST\_UNREACH, ICMP\_SOURCE\_QUENCH, ICMP\_TIME\_EXCEEDED,
+ICMP\_PARAMETERPROB, ICMP\_REDIRECT).
+\item
+ICMP queries, which have a request->reply character. So what the conntrack
+code does, is let the request have a state of {\it NEW}, and the reply
+{\it ESTABLISHED}. The reply closes the connection immediately.
+(ICMP\_ECHO, ICMP\_TIMESTAMP, ICMP\_INFO\_REQUEST, ICMP\_ADDRESS)
+\end{itemize}
+
+\subsubsection{UDP connection tracking}
+
+UDP is designed as a connectionless datagram protocol. But most common
+protocols using UDP as layer 4 protocol have bi-directional UDP communication.
+Imagine a DNS query, where the client sends an UDP frame to port 53 of the
+nameserver, and the nameserver sends back a DNS reply packet from it's UDP
+port 53 to the client.
+
+Netfilter trats this as a connection. The first packet (the DNS request) is
+assigned a state of {\it NEW}, because the packet is expected to create a new
+'connection'. The dns servers' reply packet is marked as {\it ESTABLISHED}.
+
+\subsubsection{conntrack application helpers}
+
+More complex application protocols involving multiple connections need special
+support by a so-called ``conntrack application helper module''. Modules in
+the stock kernel come for FTP and IRC(DCC). Netfilter CVS currently contains
+patches for PPTP, H.323, Eggdrop botnet, tftp ald talk. We're still lacking
+a lot of protocols (e.g. SIP, SMB/CIFS) - but they are unlikely to appear
+until somebody really needs them and either develops them on his own or
+funds development.
+
+\subsubsection{Integration of connection tracking with iptables}
+
+As stated earlier, conntrack doesn't impose any policy on packets. It just
+determines the relation of a packet to already existing connections. To base
+packet filtering decision on this sate information, the iptables {\it state}
+match can be used. Every packet is within one of the following categories:
+
+\begin{itemize}
+\item
+{\bf NEW}: packet would create a new connection, if it survives
+\item
+{\bf ESTABLISHED}: packet is part of an already established connection
+(either direction)
+\item
+{\bf RELATED}: packet is in some way related to an already established connection, e.g. ICMP errors or FTP data sessions
+\item
+{\bf INVALID}: conntrack is unable to derive conntrack information from this packet. Please note that all multicast or broadcast packets fall in this category.
+\end{itemize}
+
+
+\subsection{Poor man's conntrack failover}
+
+When thinking about failover of stateful firewalls, one usually thinks about
+replication of state. This presumes that the state is gathered at one
+firewalling node (the currently active node), and replicated to several other
+passive standby nodes. There is, howeve, a very different approach to
+replication: concurrent state tracking on all firewalling nodes.
+
+The basic assumption of this approach is: In a setup where all firewalling
+nodes receive exactly the same traffic, all nodes will deduct the same state
+information.
+
+The implementability of this approach is totally dependent on fulfillment of
+this assumption.
+
+\begin{itemize}
+\item
+{\it All packets need to be seen by all nodes}. This is not always true, but
+can be achieved by using shared media like traditional ethernet (no switches!!)
+and promiscuous mode on all ethernet interfaces.
+\item
+{\it All nodes need to be able to process all packets}. This cannot be
+universally guaranteed. Even if the hardware (CPU, RAM, Chipset, NIC's) and
+software (Linux kernel) are exactly the same, they might behave different,
+especially under high load. To avoid those effects, the hardware should be
+able to deal with way more traffic than seen during operation. Also, there
+should be no userspace processes (like proxes, etc.) running on the firewalling
+nodes at all. WARNING: Nobody guarantees this behaviour. However, the poor
+man is usually not interested in scientific proof but in usability in his
+particular practical setup.
+\end{itemize}
+
+However, even if those conditions are fulfilled, ther are remaining issues:
+\begin{itemize}
+\item
+{\it No resynchronization after reboot}. If a node is rebooted (because of
+a hardware fault, software bug, software update, ..) it will loose all state
+information until the event of the reboot. This means, the state information
+of this node after reboot will not contain any old state, gathered before the
+reboot. The effect depend on the traffic. Generally, it is only assured that
+state information about all connections initiated after the reboot will be
+present. If there are short-lived connections (like http), the state
+information on the just rebooted node will approximate the state information of
+an older node. Only after all sessions active at the time of reboot have
+terminated, state information is guaranteed to be resynchronized.
+\item
+{\it Only possible with shared medium}. The practical implication is that no
+switched ethernet (and thus no full duplex) can be used.
+\end{itemize}
+
+The major advantage of the poor man's approach is implementation simplicity.
+No state transfer mechanism needs to be developed. Only very little changes
+to the existing conntrack code would be needed in order to be able to
+do tracking based on packets received from promiscuous interfaces. The active
+node would have packet forwarding turned on, the passive nodes off.
+
+I'm not proposing this as a real solution to the failover problem. It's
+hackish, buggy and likely to break very easily. But considering it can be
+implemented in very little programming time, it could be an option for very
+small installations with low reliability criteria.
+
+\subsection{Conntrack state replication}
+
+The preferred solution to the failover problem is, without any doubt,
+replication of the connection tracking state.
+
+The proposed conntrack state replication soltution consists out of several
+parts:
+\begin{itemize}
+\item
+A connection tracking state replication protocol
+\item
+An event interface generating event messages as soon as state information
+changes on the active node
+\item
+An interface for explicit generation of connection tracking table entries on
+the standby slaves
+\item
+Some code (preferrably a kernel thread) running on the active node, receiving
+state updates by the event interface and generating conntrack state replication
+protocol messages
+\item
+Some code (preferrably a kernel thread) running on the slave node(s), receiving
+conntrack state replication protocol messages and updating the local conntrack
+table accordingly
+\end{itemize}
+
+Flow of events in chronological order:
+\begin{itemize}
+\item
+{\it on active node, inside the network RX softirq}
+\begin{itemize}
+\item
+ connection tracking code is analyzing a forwarded packet
+\item
+ connection tracking gathers some new state information
+\item
+ connection tracking updates local connection tracking database
+\item
+ connection tracking sends event message to event API
+\end{itemize}
+\item
+{\it on active node, inside the conntrack-sync kernel thread}
+ \begin{itemize}
+ \item
+ conntrack sync daemon receives event through event API
+ \item
+ conntrack sync daemon aggregates multiple event messages into a state replication protocol message, removing possible redundancy
+ \item
+ conntrack sync daemon generates state replication protocol message
+ \item
+ conntrack sync daemon sends state replication protocol message
+(private network between firewall nodes)
+ \end{itemize}
+\item
+{\it on slave node(s), inside network RX softirq}
+ \begin{itemize}
+ \item
+ connection tracking code ignores packets coming from the interface attached to the private conntrac sync network
+ \item
+ state replication protocol messages is appended to socket receive queue of conntrack-sync kernel thread
+ \end{itemize}
+\item
+{\it on slave node(s), inside conntrack-sync kernel thread}
+ \begin{itemize}
+ \item
+ conntrack sync daemon receives state replication message
+ \item
+ conntrack sync daemon creates/updates conntrack entry
+ \end{itemize}
+\end{itemize}
+
+
+\subsubsection{Connection tracking state replication protocol}
+
+
+ In order to be able to replicate the state between two or more firewalls, a
+state replication protocol is needed. This protocol is used over a private
+network segment shared by all nodes for state replication. It is designed to
+work over IP unicast and IP multicast transport. IP unicast will be used for
+direct point-to-point communication between one active firewall and one
+standby firewall. IP multicast will be used when the state needs to be
+replicated to more than one standby firewall.
+
+
+ The principle design criteria of this protocol are:
+\begin{itemize}
+\item
+ {\bf reliable against data loss}, as the underlying UDP layer does only
+ provide checksumming against data corruption, but doesn't employ any
+ means against data loss
+\item
+ {\bf lightweight}, since generating the state update messages is
+ already a very expensive process for the sender, eating additional CPU,
+ memory and IO bandwith.
+\item
+ {\bf easy to parse}, to minimize overhead at the receiver(s)
+\end{itemize}
+
+The protocol does not employ any security mechanism like encryption,
+authentication or reliability against spoofing attacks. It is
+assumed that the private conntrack sync network is a secure communications
+channel, not accessible to any malicious 3rd party.
+
+To achieve the reliability against data loss, an easy sequence numbering
+scheme is used. All protocol messages are prefixed by a seuqence number,
+determined by the sender. If the slave detects packet loss by discontinuous
+sequence numbers, it can request the retransmission of the missing packets
+by stating the missing sequence number(s). Since there is no acknowledgement
+for sucessfully received packets, the sender has to keep a reasonably-sized
+backlog of recently-sent packets in order to be able to fulfill retransmission
+requests.
+
+The different state replication protocol messages types are:
+\begin{itemize}
+\item
+{\bf NF\_CTSRP\_NEW}: New conntrack entry has been created (and
+confirmed\footnote{See the above description of the conntrack code for what is
+meant by {\it confirming} a conntrack entry})
+\item
+{\bf NF\_CTSRP\_UPDATE}: State information of existing conntrack entry has
+changed
+\item
+{\bf NF\_CTSRP\_EXPIRE}: Existing conntrack entry has been expired
+\end{itemize}
+
+To uniquely identify (and later reference) a conntrack entry, a
+{\it conntrack\_id} is assigned to every conntrack entry transferred
+using a NF\_CTSRP\_NEW message. This conntrack\_id must be saved at the
+receiver(s) together with the conntrack entry, since it is used by the sender
+for subsequent NF\_CTSRP\_UPDATE and NF\_CTSRP\_EXPIRE messages.
+
+The protocol itself does not care about the source of this conntrack\_id,
+but since the current netfilter connection tracking implementation does never
+change the addres of a conntrack entry, the memory address of the entry can be
+used, since it comes for free.
+
+
+\subsubsection{Connection tracking state syncronization sender}
+
+Maximum care needs to be taken for the implementation of the ctsyncd sender.
+
+The normal workload of the active firewall node is likely to be already very
+high, so generating and sending the conntrack state replication messages needs
+to be highly efficient.
+
+\begin{itemize}
+\item
+ {\bf NF\_CTSRP\_NEW} will be generated at the NF\_IP\_POST\_ROUTING
+ hook, at the time ip\_conntrack\_confirm() is called. Delaying
+ this message until conntrack confirmation happens saves us from
+ replicating otherwise unneeded state information.
+\item
+ {\bf NF\_CTSRP\_UPDATE} need to be created automagically by the
+ conntrack core. It is not possible to have any failover-specific
+ code within conntrack protocol and/or application helpers.
+ The easiest way involving the least changes to the conntrack core
+ code is to copy parts of the conntrack entry before calling any
+ helper functions, and then use memcmp() to find out if the helper
+ has changed any information.
+\item
+ {\bf NF\_CTSRP\_EXPIRE} can be added very easily to the existing
+ conntrack destroy function.
+\end{itemize}
+
+
+\subsubsection{Connection tracking state syncronization receiver}
+
+Impmentation of the receiver is very straightforward.
+
+Apart from dealing with lost CTSRP packets, it just needs to call the
+respective conntrack add/modify/delete functions offered by the core.
+
+
+\subsubsection{Necessary changes within netfilter conntrack core}
+
+To be able to implement the described conntrack state replication mechanism,
+the following changes to the conntrack core are needed:
+\begin{itemize}
+\item
+ Ability to exclude certain packets from being tracked. This is a
+ long-wanted feature on the TODO list of the netfilter project and will
+ be implemented by having a ``prestate'' table in combination with a
+ ``NOTRACK'' target.
+\item
+ Ability to register callback functions to be called every time a new
+ conntrack entry is created or an existing entry modified.
+\item
+ Export an API to add externally add, modify and remove conntrack
+ entries. Since the needed ip\_conntrack\_lock is exported,
+ implementation could even reside outside the conntrack core code.
+\end{itemize}
+
+Since the number of changes is very low, it is very likely that the
+modifications will go into the mainstream kernel without any big hazzle.
+
+\end{document}
diff --git a/2004/netfilter-failover-ols2004/OLS2004-proceedings/welte/welte-abstract.tex b/2004/netfilter-failover-ols2004/OLS2004-proceedings/welte/welte-abstract.tex
new file mode 100644
index 0000000..e7ddcfc
--- /dev/null
+++ b/2004/netfilter-failover-ols2004/OLS2004-proceedings/welte/welte-abstract.tex
@@ -0,0 +1,10 @@
+%
+
+With traditional, stateless firewalling (such as ipfwadm, ipchains) there is no need for special HA support in the firewalling subsystem. As long as all packet filtering rules and routing table entries are configured in exactly the same way, one can use any available tool for IP-Address takeover to accomplish the goal of failing over from one node to the other.
+
+With Linux 2.4/2.6 netfilter/iptables, the Linux firewalling code moves beyond traditional packet filtering. Netfilter provides a modular connection tracking susbsystem which can be employed for stateful firewalling. The connection tracking subsystem gathers information about the state of all current network flows (connections). Packet filtering decisions and NAT information is associated with this state information.
+
+In a high availability scenario, this connection tracking state needs to be replicated from the currently active firewall node to all standby slave firewall nodes. Only when all connection tracking state is replicated, the slave node will have all necessarry state information at the time a failover event occurs.
+
+Due to funding by Astaro AG, the netfilter/iptables project now offers a ct\_sync kernel module for replicating connection tracking state accross multiple nodes. The presentation will cover the architectural design and implementation of the connection tracking failover sytem.
+
diff --git a/2004/netfilter-failover-ols2004/OLS2004-proceedings/welte/welte.tex b/2004/netfilter-failover-ols2004/OLS2004-proceedings/welte/welte.tex
new file mode 100644
index 0000000..2a27e11
--- /dev/null
+++ b/2004/netfilter-failover-ols2004/OLS2004-proceedings/welte/welte.tex
@@ -0,0 +1,652 @@
+\documentclass[twocolumn,12pt]{article}
+\usepackage{ols}
+\ifpdf
+\usepackage[pdftex]{epsfig}
+\else
+\usepackage{epsfig}
+\fi
+\input{ols-fonts}
+% The section above is required; no edits, please.
+% We are using a 12-point serif font with certain
+% macro packages.
+
+% If you really MUST define additional commands
+% here, please be aware that it's a shared namespace,
+% and the main build will NOT pick up your commands
+% (potentially adding time to the editing process).
+% See the docs for the 'combine' package for details.
+%
+% Please do NOT use \newcommand; use \providecommand instead.
+% The shared namespace will be easier if you use your last
+% name as part of the new command, like so:
+%
+% \providecommand{\lastnameCmd}[1]{\texttt{#1}}
+
+
+\begin{document}
+
+% Required: do not print the date.
+\date{}
+
+\title{\texttt{ct\_sync}: state replication of \texttt{ip\_conntrack}\\
+% {\normalsize Subtitle goes here}
+}
+
+\author{
+Harald Welte \\
+{\em netfilter core team / Astaro AG / hmw-consulting.de}\\
+{\tt\normalsize laforge@gnumonks.org}\\
+% \and
+% Second Author\\
+% {\em Second Institution}\\
+% {\tt\normalsize another@address.for.email.com}\\
+} % end author section
+
+\maketitle
+
+% Required: do not use page numbers on title page.
+\thispagestyle{empty}
+
+\section*{Abstract}
+
+With traditional, stateless firewalling (such as ipfwadm, ipchains)
+there is no need for special HA support in the firewalling
+subsystem. As long as all packet filtering rules and routing table
+entries are configured in exactly the same way, one can use any
+available tool for IP-Address takeover to accomplish the goal of
+failing over from one node to the other.
+
+With Linux 2.4/2.6 netfilter/iptables, the Linux firewalling code
+moves beyond traditional packet filtering. Netfilter provides a
+modular connection tracking susbsystem which can be employed for
+stateful firewalling. The connection tracking subsystem gathers
+information about the state of all current network flows
+(connections). Packet filtering decisions and NAT information is
+associated with this state information.
+
+In a high availability scenario, this connection tracking state needs
+to be replicated from the currently active firewall node to all
+standby slave firewall nodes. Only when all connection tracking state
+is replicated, the slave node will have all necessary state
+information at the time a failover event occurs.
+
+Due to funding by Astaro AG, the netfilter/iptables project now offers
+a \ident{ct_sync} kernel module for replicating connection tracking state
+accross multiple nodes. The presentation will cover the architectural
+design and implementation of the connection tracking failover sytem.
+
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%%% BODY OF PAPER GOES HERE %%%
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+
+\section{Failover of stateless firewalls}
+
+There are no special precautions when installing a highly available
+stateless packet filter. Since there is no state kept, all information
+needed for filtering is the ruleset and the individual, separate packets.
+
+Building a set of highly available stateless packet filters can thus be
+achieved by using any traditional means of IP-address takeover, such
+as Heartbeat or VRRPd.
+
+The only remaining issue is to make sure the firewalling ruleset is
+exactly the same on both machines. This should be ensured by the firewall
+administrator every time he updates the ruleset and can be optionally managed
+by some scripts utilizing scp or rsync.
+
+If this is not applicable, because a very dynamic ruleset is employed, one can
+build a very easy solution using iptables-supplied tools iptables-save and
+iptables-restore. The output of iptables-save can be piped over ssh to
+iptables-restore on a different host.
+
+Limitations
+\begin{itemize}
+\item
+no state tracking
+\item
+not possible in combination with iptables stateful NAT
+\item
+no counter consistency of per-rule packet/byte counters
+\end{itemize}
+
+\section{Failover of stateful firewalls}
+
+Modern firewalls implement state tracking (a.k.a.\ connection tracking) in order
+to keep some state about the currently active sessions. The amount of
+per-connection state kept at the firewall depends on the particular
+configuration and networking protocols used.
+
+As soon as \texttt{any} state is kept at the packet filter, this state
+information needs to be replicated to the slave/backup nodes within the
+failover setup.
+
+Since Linux 2.4.x, all relevant state is kept within the \textit{connection
+tracking subsystem}. In order to understand how this state could possibly be
+replicated, we need to understand the architecture of this conntrack subsystem.
+
+\subsection{Architecture of the Linux Connection Tracking Subsystem}
+
+Connection tracking within Linux is implemented as a netfilter module, called
+\ident{ip_conntrack.o} (\ident{ip_conntrack.ko} in 2.6.x kernels).
+
+Before describing the connection tracking subsystem, we need to describe a
+couple of definitions and primitives used throughout the conntrack code.
+
+A connection is represented within the conntrack subsystem using
+\brcode{struct ip_conntrack}, also called \textit{connection tracking entry}.
+
+Connection tracking is utilizing \textit{conntrack tuples}, which are tuples
+consisting of
+\begin{itemize}
+\item
+ source IP address
+\item
+ source port (or icmp type/code, gre key, ...)
+\item
+ destination IP address
+\item
+ destination port
+\item
+ layer 4 protocol number
+\end{itemize}
+
+A connection is uniquely identified by two tuples: The tuple in the original
+direction (\lident{IP_CT_DIR_ORIGINAL}) and the tuple for the reply direction
+(\lident{IP_CT_DIR_REPLY}).
+
+Connection tracking itself does not drop packets\footnote{well, in some rare
+cases in combination with NAT it needs to drop. But don't tell anyone, this is
+secret.} or impose any policy. It just associates every packet with a
+connection tracking entry, which in turn has a particular state. All other
+kernel code can use this state information\footnote{State information is
+referenced via the \brcode{struct sk_buff.nfct} structure member of a
+packet.}.
+
+\subsubsection{Integration of conntrack with netfilter}
+
+If the \ident{ip_conntrack.[k]o} module is registered with netfilter, it
+attaches to the \lident{NF_IP_PRE_ROUTING}, \lident{NF_IP_POST_ROUTING}, \lident{NF_IP_LOCAL_IN},
+and \lident{NF_IP_LOCAL_OUT} hooks.
+
+Because forwarded packets are the most common case on firewalls, I will only
+describe how connection tracking works for forwarded packets. The two relevant
+hooks for forwarded packets are \lident{NF_IP_PRE_ROUTING} and \lident{NF_IP_POST_ROUTING}.
+
+Every time a packet arrives at the \lident{NF_IP_PRE_ROUTING} hook, connection
+tracking creates a conntrack tuple from the packet. It then compares this
+tuple to the original and reply tuples of all already-seen
+connections
+\footnote{Of course this is not implemented as a linear
+search over all existing connections.} to find out if this
+just-arrived packet belongs to any existing
+connection. If there is no match, a new conntrack table entry
+(\brcode{struct ip_conntrack}) is created.
+
+Let's assume the case where we have already existing connections but are
+starting from scratch.
+
+The first packet comes in, we derive the tuple from the packet headers, look up
+the conntrack hash table, don't find any matching entry. As a result, we
+create a new \brcode{struct ip_conntrack}. This \brcode{struct ip_conntrack} is filled with
+all necessarry data, like the original and reply tuple of the connection.
+How do we know the reply tuple? By inverting the source and destination
+parts of the original tuple.\footnote{So why do we need two tuples, if they can
+be derived from each other? Wait until we discuss NAT.}
+Please note that this new \brcode{struct ip_conntrack} is \textbf{not} yet placed
+into the conntrack hash table.
+
+The packet is now passed on to other callback functions which have registered
+with a lower priority at \lident{NF_IP_PRE_ROUTING}. It then continues traversal of
+the network stack as usual, including all respective netfilter hooks.
+
+If the packet survives (i.e., is not dropped by the routing code, network stack,
+firewall ruleset, \ldots), it re-appears at \lident{NF_IP_POST_ROUTING}. In this case,
+we can now safely assume that this packet will be sent off on the outgoing
+interface, and thus put the connection tracking entry which we created at
+\lident{NF_IP_PRE_ROUTING} into the conntrack hash table. This process is called
+\textit{confirming the conntrack}.
+
+The connection tracking code itself is not monolithic, but consists of a
+couple of separate modules\footnote{They don't actually have to be separate
+kernel modules; e.g.\ TCP, UDP, and ICMP tracking modules are all part of
+the linux kernel module \ident{ip_conntrack.o}.}. Besides the conntrack core,
+there are two important kind of modules: Protocol helpers and application
+helpers.
+
+Protocol helpers implement the layer-4-protocol specific parts. They currently
+exist for TCP, UDP, and ICMP (an experimental helper for GRE exists).
+
+\subsubsection{TCP connection tracking}
+
+As TCP is a connection oriented protocol, it is not very difficult to imagine
+how conntection tracking for this protocol could work. There are well-defined
+state transitions possible, and conntrack can decide which state transitions
+are valid within the TCP specification. In reality it's not all that easy,
+since we cannot assume that all packets that pass the packet filter actually
+arrive at the receiving end\ldots
+
+It is noteworthy that the standard connection tracking code does \textbf{not}
+do TCP sequence number and window tracking. A well-maintained patch to add
+this feature has existed for almost as long as connection tracking itself. It
+will be integrated with the 2.5.x kernel. The problem with window tracking is
+its bad interaction with connection pickup. The TCP conntrack code is able to
+pick up already existing connections, e.g.\ in case your firewall was rebooted.
+However, connection pickup is conflicting with TCP window tracking: The TCP
+window scaling option is only transferred at connection setup time, and we
+don't know about it in case of pickup\ldots
+
+\subsubsection{ICMP tracking}
+
+ICMP is not really a connection oriented protocol. So how is it possible to
+do connection tracking for ICMP?
+
+The ICMP protocol can be split in two groups of messages:
+
+\begin{itemize}
+\item
+ICMP error messages, which sort-of belong to a different connection
+ICMP error messages are associated \textit{RELATED} to a different connection.
+(\lident{ICMP_DEST_UNREACH}, \lident{ICMP_SOURCE_QUENCH},
+\lident{ICMP_TIME_EXCEEDED},
+\lident{ICMP_PARAMETERPROB}, \lident{ICMP_REDIRECT}).
+\item
+ICMP queries, which have a \ident{request-reply} character. So what
+the conntrack
+code does, is let the request have a state of \textit{NEW}, and the reply
+\textit{ESTABLISHED}. The reply closes the connection immediately.
+(\lident{ICMP_ECHO}, \lident{ICMP_TIMESTAMP}, \lident{ICMP_INFO_REQUEST}, \lident{ICMP_ADDRESS})
+\end{itemize}
+
+\subsubsection{UDP connection tracking}
+
+UDP is designed as a connectionless datagram protocol. But most common
+protocols using UDP as layer 4 protocol have bi-directional UDP communication.
+Imagine a DNS query, where the client sends an UDP frame to port 53 of the
+nameserver, and the nameserver sends back a DNS reply packet from its UDP
+port 53 to the client.
+
+Netfilter treats this as a connection. The first packet (the DNS request) is
+assigned a state of \textit{NEW}, because the packet is expected to create a new
+`connection.' The DNS server's reply packet is marked as \textit{ESTABLISHED}.
+
+\subsubsection{conntrack application helpers}
+
+More complex application protocols involving multiple connections need special
+support by a so-called ``conntrack application helper module.'' Modules in
+the stock kernel come for FTP, IRC (DCC), TFTP and Amanda. Netfilter CVS currently contains
+%%% orig: ``tftp ald talk'' -- um, 'tftp and talk'? Yes, that's correct. It refers
+%%% to the talk protocol.
+patches for PPTP, H.323, Eggdrop botnet, mms, DirectX, RTSP and talk/ntalk. We're still lacking
+a lot of protocols (e.g.\ SIP, SMB/CIFS)---but they are unlikely to appear
+until somebody really needs them and either develops them on his own or
+funds development.
+
+\subsubsection{Integration of connection tracking with iptables}
+
+As stated earlier, conntrack doesn't impose any policy on packets. It just
+determines the relation of a packet to already existing connections.
+To base
+packet filtering decision on this state information, the iptables \textit{state}
+match can be used. Every packet is within one of the following categories:
+
+\begin{itemize}
+\item
+\textbf{NEW}: packet would create a new connection, if it survives
+\item
+\textbf{ESTABLISHED}: packet is part of an already established connection
+(either direction)
+\item
+\textbf{RELATED}: packet is in some way related to an already established
+connection, e.g.\ ICMP errors or FTP data sessions
+\item
+\textbf{INVALID}: conntrack is unable to derive conntrack information
+from this packet. Please note that all multicast or broadcast packets
+fall in this category.
+\end{itemize}
+
+
+\subsection{Poor man's conntrack failover}
+
+When thinking about failover of stateful firewalls, one usually thinks about
+replication of state. This presumes that the state is gathered at one
+firewalling node (the currently active node), and replicated to several other
+passive standby nodes. There is, however, a very different approach to
+replication: concurrent state tracking on all firewalling nodes.
+
+While this scheme has not been implemented within \ident{ct_sync}, the author
+still thinks it is worth an explanation in this paper.
+
+The basic assumption of this approach is: In a setup where all firewalling
+%%% deduct or deduce? I'd guess the latter, but I don't know, so I'm
+%%% leaving it...
+nodes receive exactly the same traffic, all nodes will deduct the same state
+information.
+
+The implementability of this approach is totally dependent on fulfillment of
+this assumption.
+
+\begin{itemize}
+\item
+\textit{All packets need to be seen by all nodes}. This is not always true, but
+can be achieved by using shared media like traditional ethernet (no switches!!)
+and promiscuous mode on all ethernet interfaces.
+\item
+\textit{All nodes need to be able to process all packets}. This cannot be
+universally guaranteed. Even if the hardware (CPU, RAM, Chipset, NICs) and
+software (Linux kernel) are exactly the same, they might behave different,
+especially under high load. To avoid those effects, the hardware should be
+able to deal with way more traffic than seen during operation. Also, there
+should be no userspace processes (like proxies, etc.) running on the firewalling
+nodes at all. WARNING: Nobody guarantees this behaviour. However, the poor
+man is usually not interested in scientific proof but in usability in his
+particular practical setup.
+\end{itemize}
+
+However, even if those conditions are fulfilled, there are remaining issues:
+\begin{itemize}
+\item
+\textit{No resynchronization after reboot}. If a node is rebooted (because of
+a hardware fault, software bug, software update, etc.) it will lose all state
+information until the event of the reboot. This means, the state information
+of this node after reboot will not contain any old state, gathered before the
+reboot. The effects depend on the traffic. Generally, it is only assured that
+state information about all connections initiated after the reboot will be
+present. If there are short-lived connections (like http), the state
+information on the just rebooted node will approximate the state information of
+an older node. Only after all sessions active at the time of reboot have
+terminated, state information is guaranteed to be resynchronized.
+\item
+\textit{Only possible with shared medium}. The practical implication is that no
+switched ethernet (and thus no full duplex) can be used.
+\end{itemize}
+
+The major advantage of the poor man's approach is implementation simplicity.
+No state transfer mechanism needs to be developed. Only very little changes
+to the existing conntrack code would be needed in order to be able to
+do tracking based on packets received from promiscuous interfaces. The active
+node would have packet forwarding turned on, the passive nodes, off.
+
+I'm not proposing this as a real solution to the failover problem. It's
+hackish, buggy, and likely to break very easily. But considering it can be
+implemented in very little programming time, it could be an option for very
+small installations with low reliability criteria.
+
+\subsection{Conntrack state replication}
+
+The preferred solution to the failover problem is, without any doubt,
+replication of the connection tracking state.
+
+The proposed conntrack state replication soltution consists of several
+parts:
+\begin{itemize}
+\item
+A connection tracking state replication protocol
+\item
+An event interface generating event messages as soon as state information
+changes on the active node
+\item
+An interface for explicit generation of connection tracking table entries on
+the standby slaves
+\item
+Some code (preferrably a kernel thread) running on the active node, receiving
+state updates by the event interface and generating conntrack state replication
+protocol messages
+\item
+Some code (preferrably a kernel thread) running on the slave node(s), receiving
+conntrack state replication protocol messages and updating the local conntrack
+table accordingly
+\end{itemize}
+
+Flow of events in chronological order:
+\begin{itemize}
+\item
+\textit{on active node, inside the network RX softirq}
+\begin{itemize}
+\item
+ \ident{ip_conntrack} analyzes a forwarded packet
+\item
+ \ident{ip_conntrack} gathers some new state information
+\item
+ \ident{ip_conntrack} updates conntrack hash table
+\item
+ \ident{ip_conntrack} calls event API
+\item
+ function registered to event API builds and enqueues message to send ring
+\end{itemize}
+\item
+\textit{on active node, inside the conntrack-sync sender kernel thread}
+ \begin{itemize}
+ \item
+ \ident{ct_sync_send} aggregates multiple messages into one packet
+ \item
+ \ident{ct_sync_send} dequeues packet from ring
+ \item
+ \ident{ct_sync_send} sends packet via in-kernel sockets API
+ \end{itemize}
+\item
+\textit{on slave node(s), inside network RX softirq}
+ \begin{itemize}
+ \item
+ \ident{ip_conntrack} ignores packets coming from the \ident{ct_sync} interface via NOTRACK mechanism
+ \item
+ UDP stack appends packet to socket receive queue of \ident{ct_sync_recv} kernel thread
+ \end{itemize}
+\item
+\textit{on slave node(s), inside conntrack-sync receive kernel thread}
+ \begin{itemize}
+ \item
+ \ident{ct_sync_recv} thread receives state replication packet
+ \item
+ \ident{ct_sync_recv} thread parses packet into individual messages
+ \item
+ \ident{ct_sync_recv} thread creates/updates local \ident{ip_conntrack} entry
+ \end{itemize}
+\end{itemize}
+
+
+\subsubsection{Connection tracking state replication protocol}
+
+
+ In order to be able to replicate the state between two or more firewalls, a
+state replication protocol is needed. This protocol is used over a private
+network segment shared by all nodes for state replication. It is designed to
+work over IP unicast and IP multicast transport. IP unicast will be used for
+direct point-to-point communication between one active firewall and one
+standby firewall. IP multicast will be used when the state needs to be
+replicated to more than one standby firewall.
+
+
+ The principal design criteria of this protocol are:
+\begin{itemize}
+\item
+ \textbf{reliable against data loss}, as the underlying UDP layer only
+ provides checksumming against data corruption, but doesn't employ any
+ means against data loss
+\item
+ \textbf{lightweight}, since generating the state update messages is
+ already a very expensive process for the sender, eating additional CPU,
+ memory, and IO bandwith.
+\item
+ \textbf{easy to parse}, to minimize overhead at the receiver(s)
+\end{itemize}
+
+The protocol does not employ any security mechanism like encryption,
+authentication, or reliability against spoofing attacks. It is
+assumed that the private conntrack sync network is a secure communications
+channel, not accessible to any malicious third party.
+
+To achieve the reliability against data loss, an easy sequence numbering
+scheme is used. All protocol messages are prefixed by a sequence number,
+determined by the sender. If the slave detects packet loss by discontinuous
+sequence numbers, it can request the retransmission of the missing packets
+by stating the missing sequence number(s). Since there is no acknowledgement
+for sucessfully received packets, the sender has to keep a
+reasonably-sized\footnote{\textit{reasonable size} must be large enough for the
+round-trip time between master and slowest slave.} backlog of recently-sent
+packets in order to be able to fulfill retransmission
+requests.
+
+The different state replication protocol packet types are:
+\begin{itemize}
+\item
+\textbf{\ident{CT_SYNC_PKT_MASTER_ANNOUNCE}}: A new master announces itself.
+Any still existing master will downgrade itself to slave upon
+reception of this packet.
+\item
+\textbf{\ident{CT_SYNC_PKT_SLAVE_INITSYNC}}: A slave requests initial
+synchronization from the master (after reboot or loss of sync).
+\item
+\textbf{\ident{CT_SYNC_PKT_SYNC}}: A packet containing synchronization data
+from master to slaves
+\item
+\textbf{\ident{CT_SYNC_PKT_NACK}}: A slave indicates packet loss of a
+particular sequence number
+\end{itemize}
+
+The messages within a \lident{CT_SYNC_PKT_SYNC} packet always refer to a particular
+\textit{resource} (currently \lident{CT_SYNC_RES_CONNTRACK} and \lident{CT_SYNC_RES_EXPECT},
+although support for the latter has not been fully implemented yet).
+
+For every resource, there are several message types. So far, only
+\lident{CT_SYNC_MSG_UPDATE} and \lident{CT_SYNC_MSG_DELETE} have been implemented. This
+means a new connection as well as state changes to an existing connection will
+always be encapsulated in a \lident{CT_SYNC_MSG_UDPATE} message and therefore contain
+the full conntrack entry.
+
+To uniquely identify (and later reference) a conntrack entry, the only unique
+criteria is used: \ident{ip_conntrack_tuple}.
+
+\subsubsection{\texttt{ct\_sync} sender thread}
+
+Maximum care needs to be taken for the implementation of the ctsyncd sender.
+
+The normal workload of the active firewall node is likely to be already very
+high, so generating and sending the conntrack state replication messages needs
+to be highly efficient.
+
+It was therefore decided to use a pre-allocated ringbuffer for outbound
+\ident{ct_sync} packets. New messages are appended to individual buffers in this
+ring, and pointers into this ring are passed to the in-kernel sockets API to
+ensure a minimum number of copies and memory allocations.
+
+\subsubsection{\texttt{ct\_sync} initsync sender thread}
+
+In order to facilitate ongoing state synchronization at the same time as
+responding to initial sync requests of an individual slave, the sender has a
+separate kernel thread for initial state synchronization (and \ident{ct_sync_initsync}).
+
+At the moment it iterates over the state table and transmits packets with a
+fixed rate of about 1000 packets per second, resulting in about 4000
+connections per second, averaging to about 1.5 Mbps of bandwith consumed.
+
+The speed of this initial sync should be configurable by the system
+administrator, especially since there is no flow control mechanism, and the
+slave node(s) will have to deal with the packets or otherwise lose sync again.
+
+This is certainly an area of future improvement and development---but first we
+want to see practical problems with this primitive scheme.
+
+\subsubsection{\texttt{ct\_sync} receiver thread}
+
+Implementation of the receiver is very straightforward.
+
+For performance reasons, and to facilitate code-reuse, the receiver uses the
+same pre-allocated ring buffer structure as the sender. Incoming packets are
+written into ring members and then successively parsed into their individual
+messages.
+
+Apart from dealing with lost packets, it just needs to call the
+respective conntrack add/modify/delete functions.
+
+\subsubsection{Necessary changes within netfilter conntrack core}
+
+To be able to achieve the described conntrack state replication mechanism,
+the following changes to the conntrack core were implemented:
+\begin{itemize}
+\item
+ Ability to exclude certain packets from being tracked. This was a
+ long-wanted feature on the TODO list of the netfilter project and is
+ implemented by having a ``raw'' table in combination with a
+ ``NOTRACK'' target.
+\item
+ Ability to register callback functions to be called every time a new
+ conntrack entry is created or an existing entry modified. This is
+ part of the nfnetlink-ctnetlink patch, since the ctnetlink event
+ interface also uses this API.
+\item
+ Export an API to externally add, modify, and remove conntrack entries.
+\end{itemize}
+
+Since the number of changes is very low, their inclusion into the mainline
+kernel is not a problem and can happen during the 2.6.x stable kernel series.
+
+
+\subsubsection{Layer 2 dropping and \texttt{ct\_sync}}
+
+In most cases, netfilter/iptables-based firewalls will not only function as
+packet filter but also run local processes such as proxies, dns relays, smtp
+relays, etc.
+
+In order to minimize failover time, it is helpful if the full startup and
+configuration of all network interfaces and all of those userspace processes
+can happen at system bootup time rather then in the instance of a failover.
+
+l2drop provides a convenient way for this goal: It hooks into layer 2
+netfilter hooks (immediately attached to \ident{netif_rx()} and
+\ident{dev_queue_xmit}) and blocks all incoming and outgoing network packets at this
+very low layer. Even kernel-generated messages such as ARP replies, IPv6
+neighbour discovery, IGMP, \dots are blocked this way.
+
+Of course there has to be an exemption for the state synchronization messages
+themselves. In order to still facilitate remote administration via SSH and
+other communication between the cluster nodes, the whole network
+interface used for synchronization is subject to this exemption from
+l2drop.
+
+As soon as a node is propagated to master state, l2drop is disabled and the
+system becomes visible to the network.
+
+
+\subsubsection{Configuration}
+
+All configuration happens via module parameters.
+
+\begin{itemize}
+\item
+ \texttt{syncdev}: Name of the multicast-capable network device
+ used for state synchronization among the nodes
+\item
+ \texttt{state}: Initial state of the node (0=slave, 1=master)
+\item
+ \texttt{id}: Unique Node ID (0..255)
+\item
+ \texttt{l2drop}: Enable (1) or disable (0) the l2drop functionality
+\end{itemize}
+
+\subsubsection{Interfacing with the cluster manager}
+
+As indicated in the beginning of this paper, \ident{ct_sync} itself does not provide
+any mechanism to determine outage of the master node within a cluster. This
+job is left to a cluster manager software running in userspace.
+
+Once an outage of the master is detected, the cluster manager needs to elect
+one of the remaining (slave) nodes to become new master. On this elected node,
+the cluster manager will write the ascii character \texttt{1} into the
+\ident{/proc/net/ct_sync} file. Reading from this file will return the current state
+of the local node.
+
+\section{Acknowledgements}
+
+The author would like to thank his fellow netfilter developers for their
+help. Particularly important to \ident{ct_sync} is Krisztian KOVACS
+\ident{<hidden@balabit.hu>}, who did a proof-of-concept implementation based on my
+first paper on \ident{ct_sync} at OLS2002.
+
+Without the financial support of Astaro AG, I would not have been able to spend any
+time on \ident{ct_sync} at all.
+
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+\end{document}
+
diff --git a/2004/netfilter-failover-ols2004/netfilter-failover-ols2004.mgp b/2004/netfilter-failover-ols2004/netfilter-failover-ols2004.mgp
new file mode 100644
index 0000000..76a9206
--- /dev/null
+++ b/2004/netfilter-failover-ols2004/netfilter-failover-ols2004.mgp
@@ -0,0 +1,369 @@
+%include "default.mgp"
+%default 1 bgrad
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+%nodefault
+%back "blue"
+
+%center
+%size 7
+
+
+How to replicate the fire
+HA for netfilter-based firewalls
+
+
+%center
+%size 4
+by
+
+Harald Welte <laforge@netfilter.org>
+
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+HA for netfilter/iptables
+Contents
+
+
+ Introduction
+ Connection Tracking Subsystem
+ Packet selection based on IP Tables
+ The Connection Tracking Subsystem
+ The NAT Subsystem
+ Poor man's failover
+ Real state replication
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+HA for netfilter/iptables
+Introduction
+
+What is special about firewall failover?
+
+ Nothing, in case of the stateless packet filter
+ Common IP takeover solutions can be used
+ VRRP
+ Heartbeat
+ Distribution of packet filtering ruleset no problem
+ can be done manually
+ or implemented with simple userspace process
+ Problems arise with stateful packet filters
+ Connection state only on active node
+ NAT mappings only on active node
+
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+HA for netfilter/iptables
+Connection Tracking Subsystem
+
+Connection tracking...
+ enables stateful filtering
+ implementation
+ hooks into netfilter to track packets
+ protocol modules (currently TCP/UDP/ICMP)
+ application helpers currently (FTP,IRC,H.323,talk,SNMP)
+ divides packets in the following four categories
+ NEW - would establish new connection
+ ESTABLISHED - part of already established connection
+ RELATED - is related to established connection
+ INVALID - (multicast, errors...)
+ does _NOT_ filter packets itself
+ can be utilized by iptables using the 'state' match
+ is used by NAT Subsystem
+
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+HA for netfilter/iptables
+Connection Tracking Subsystem
+
+Common structures
+ struct ip_conntrack_tuple, representing unidirectional flow
+ layer 3 src + dst
+ layer 4 protocol
+ layer 4 src + dst
+
+ connections represented as struct ip_conntrack
+ original tuple
+ reply tuple
+ timeout
+ l4 state private data
+ app helper
+ app helper private data
+ expected connections
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+HA for netfilter/iptables
+Connection Tracking Subsystem
+
+Flow of events for new packet
+ packet enters NF_IP_PRE_ROUTING
+ tuple is derived from packet
+ lookup conntrack hash table with hash(tuple) -> fails
+ new ip_conntrack is allocated
+ fill in original and reply == inverted(original) tuple
+ initialize timer
+ assign app helper if applicable
+ see if we've been expected -> fails
+ call layer 4 helper 'new' function
+ ...
+ packet enters NF_IP_POST_ROUTING
+ do hashtable lookup for packet -> fails
+ place struct ip_conntrack in hashtable
+
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+HA for netfilter/iptables
+Connection Tracking Subsystem
+
+Flow of events for packet part of existing connection
+ packet enters NF_IP_PRE_ROUTING
+ tuple is derived from packet
+ lookup conntrack hash table with hash(tuple)
+ associate conntrack entry with skb->nfct
+ call l4 protocol helper 'packet' function
+ do l4 state tracking
+ update timeouts as needed [i.e. TCP TIME_WAIT,...]
+ ...
+ packet enters NF_IP_POST_ROUTING
+ do hashtable lookup for packet -> succeds
+ do nothing else
+
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+HA for netfilter/iptables
+Network Address Translation
+
+Overview
+ Previous Linux Kernels only implemented one special case of NAT: Masquerading
+ Linux 2.4.x can do any kind of NAT.
+ NAT subsystem implemented on top of netfilter, iptables and conntrack
+ NAT subsystem registers with all five netfilter hooks
+ 'nat' Table registers chains PREROUTING, POSTROUTING and OUTPUT
+ Following targets available within 'nat' Table
+ SNAT changes the packet's source while passing NF_IP_POST_ROUTING
+ DNAT changes the packet's destination while passing NF_IP_PRE_ROUTING
+ MASQUERADE is a special case of SNAT
+ REDIRECT is a special case of DNAT
+ NAT bindings determined only for NEW packet and saved in ip_conntrack
+ Further packets within connection NATed according NAT bindings
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+HA for netfilter/iptables
+Poor man's failover
+
+Poor man's failover
+ principle
+ let every node do its own tracking rather than replicating state
+ two possible implementations
+ connect every node to shared media (i.e. real ethernet)
+ forwarding only turned on on active node
+ slave nodes use promiscuous mode to sniff packets
+ copy all traffic to slave nodes
+ active master needs to copy all traffic to other nodes
+ disadvantage: high load, sync traffic == payload traffic
+ IMHO stupid way of solving the problem
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+HA for netfilter/iptables
+Poor man's failover
+
+Poor man's failover
+ advantages
+ very easy implementation
+ only addition of sniffing mode to conntrack needed
+ existing means of address takeover can be used
+ same load on active master and slave nodes
+ no additional load on active master
+ disadvantages
+ can only be used with real shared media (no switches, ...)
+ can not be used with NAT
+ remaining problem
+ no initial state sync after reboot of slave node!
+
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+HA for netfilter/iptables
+Real state replication (ct_sync)
+
+Real state replication (ct_sync)
+ characteristics
+ replicates state changes from active master to slave(s)
+ seperate shared ethernet segment for sync
+ advantages
+ can be used with any network media
+ works with NAT
+ initial sync after new slave is introduced
+ problems
+ complex implementation
+ current limitations
+ no replication of connection relations (ftp/h.323/...)
+ current problems
+ bugs, bugs, bugs
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+HA for netfilter/iptables
+Real state replication (ct_sync)
+
+Required parts
+ state replication protocol
+ multicast based
+ sequence numbers for detection of packet loss
+ NACK-based retransmission
+ no security, since private ethernet segment to be used
+ event interface on active node
+ calling out to callback function at all state changes
+ exported interface to manipulate conntrack hash table
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+HA for netfilter/iptables
+Real state replication (ct_sync)
+
+Required parts
+ kernel thread for sending conntrack state protocol messages
+ registers with event interface
+ creates and accumulates state replication packets
+ sends them via in-kernel sockets api
+ kernel thread for receiving conntrack state replication messages
+ receives state replication packets via in-kernel sockets
+ uses conntrack hashtable manipulation interface
+ kernel thread for initial or full re-sync
+ sends full conntrack table with fixed speed
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+HA for netfilter/iptables
+Real state replication
+
+Flow of events in chronological order:
+ on active node, inside the network RX softirq
+ connection tracking code is analyzing a forwarded packet
+ connection tracking gathers some new state information
+ connection tracking updates local connection tracking database
+ connection tracking sends event message to event API
+ function registered at event API enqueues message to send ring
+ on active node, inside the conntrack-sync kernel thread
+ conntrack sync daemon aggregates multiple event messages into a state replication protocol message, removing possible redundancy
+ conntrack sync daemon dequeues packets from ring
+ conntrack sync daemon sends state replication protocol packet via in-kernel sockets
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+HA for netfilter/iptables
+Real state replication
+
+Flow of events in chronological order:
+ on slave node(s), inside network RX softirq
+ connection tracking code ignores packets coming from the interface attached to the private conntrac sync network
+ state replication protocol messages is appended to socket receive queue of conntrack-sync kernel thread
+ on slave node(s), inside conntrack-sync kernel thread
+ conntrack sync daemon receives state replication message
+ conntrack sync daemon creates/updates conntrack entry
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+HA for netfilter/iptables
+Real state replication
+
+Neccessary changes to conntrack core
+ event generation (callback functions) for all state changes
+ is needed (and already implemented) for 'ctnetlink' API
+ conntrack hashtable manipulation API
+ is needed (and already implemented) for 'ctnetlink' API
+ conntrack exemptions
+ needed to _not_ track conntrack state replication packets
+ is needed for other cases as well (raw table / NOTRACK target)
+ works by
+ layer two packet drop (l2netfilter hooks)
+ disables any incoming or outgoing packets on other than the sync device on slave nodes
+
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+HA for netfilter/iptables
+Usage
+
+To set up a conntrack cluster you need
+
+ hardware
+ two firewalls with identical iptables rulesets
+ all ethernet interfaces (internal, dmz, external) connected to both nodes
+ seperate network segment for conntrack sync device
+ software
+ configure any working ip address range/subnet to sync device
+ assign every node a unique node id (0..255)
+ decide which of the nodes is master, which slave
+
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+HA for netfilter/iptables
+Usage
+
+To set up a conntrack cluster you need
+
+ configuration on master
+ first: modprobe ct_sync syncdev=ethX state=1 id=1 l2drop=1
+ second: configure your 'real' devices (internal, external)
+ configuration on slave
+ modprobe ct_sync syncdev=ethX state=0 id=2 l2drop=1
+ second: configure your 'real' devices (internal, external)
+
+ after loading ct_sync with l2drop=1, a slave node will be invisible on the 'real' networks. ssh access is only possible via sync device
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+HA for netfilter/iptables
+Usage
+
+ Cluster manager
+ set up a cluster manager with some heartbeat mechanism
+ configure it to run the following command on a slave that is to be propagated to master:
+ echo "1" > /proc/net/ct_sync
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+HA for netfilter/iptables
+Thanks
+
+ Thanks to
+ the BBS scenee, Z-Netz, FIDO, ...
+ for heavily increasing my computer usage in 1992
+ KNF
+ for bringing me in touch with the internet as early as 1994
+ for providing a playground for technical people
+ for introducing me to the existance of Linux!
+ Alan Cox, Alexey Kuznetsov, David Miller, Andi Kleen
+ for implementing (one of?) the world's best TCP/IP stacks
+ Paul 'Rusty' Russell
+ for starting the netfilter/iptables project
+ for trusting me to maintain it today
+ Astaro AG
+ for sponsoring my netfilter failover work
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+HA for netfilter/iptables
+Availability of slides / Links
+
+The code
+ http://cvs.netfilter.org/netfilter-ha/ct_sync
+
+The slides
+ http://www.gnumonks.org/
+
+The netfilter homepage
+ http://www.netfilter.org/
+
+Astaro AG
+ http://www.astaro.com/
diff --git a/2004/netfilter-programming-lwe2004/ipt_workshop.c b/2004/netfilter-programming-lwe2004/ipt_workshop.c
new file mode 100644
index 0000000..ce00aa4
--- /dev/null
+++ b/2004/netfilter-programming-lwe2004/ipt_workshop.c
@@ -0,0 +1,54 @@
+#include <linux/module.h>
+#include <linux/sk_buff.h>
+#include <linux/netfilter_ipv4/ip_tables.h>
+#include <linux/netfilter_ipv4/ipt_workshop.h>
+
+MODULE_LICENSE("GPL");
+MODULE_AUTHOR("Harald Welte <laforge@netfilter.org>");
+MODULE_DESCRIPTION("LWE2004 workshop iptables module");
+
+static int ws_match(const struct sk_buff *skb, const struct net_device *in,
+ const struct net_device *out, const void *matchinfo,
+ int offset, const void *hdr, u_int16_t datalen,
+ int *hotdrop)
+{
+ const struct ipt_ws_info *info = matchinfo;
+ const struct iphdr *iph = skb->nh.iph;
+
+ if (iph->ttl == info->ttl)
+ return 1;
+
+ return 0;
+}
+
+static int ws_checkentry(const char *tablename, const struct ipt_ip *ip,
+ void *matchinfo, unsigned int matchsize,
+ unsigned int hook_mask)
+{
+ if (matchsize != IPT_ALIGN(sizeof(struct ipt_ws_info)))
+ return 0;
+
+ return 1;
+}
+
+static struct ipt_match ws_match = {
+ .list = { .prev = NULL, .next = NULL },
+ .name = "workshop",
+ .match = &ws_match,
+ .checkentry = &ws_checkentry,
+ .destroy = NULL,
+ .me = THIS_MODULE
+};
+
+static int __init init(void)
+{
+ return ipt_register_match(&ws_match);
+}
+
+static void __exit fini(void)
+{
+ ipt_unregister_match(&ws_match);
+}
+
+module_init(init);
+module_exit(fini);
diff --git a/2004/netfilter-programming-lwe2004/ipt_workshop.h b/2004/netfilter-programming-lwe2004/ipt_workshop.h
new file mode 100644
index 0000000..f707703
--- /dev/null
+++ b/2004/netfilter-programming-lwe2004/ipt_workshop.h
@@ -0,0 +1,6 @@
+#ifndef _IPT_WORKSHOP_H
+#define _IPT_WORKSHOP_H
+struct ipt_ws_info {
+ u_int8_t ttl;
+};
+#endif
diff --git a/2004/netfilter-programming-lwe2004/libipt_workshop.c b/2004/netfilter-programming-lwe2004/libipt_workshop.c
new file mode 100644
index 0000000..c0e7242
--- /dev/null
+++ b/2004/netfilter-programming-lwe2004/libipt_workshop.c
@@ -0,0 +1,102 @@
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <getopt.h>
+#include <linux/netfilter_ipv4/ip_tables.h>
+#include <linux/netfilter_ipv4/ipt_workshop.h>
+
+static void help(void)
+{
+ printf(
+"workshop match v%s options:\n"
+" --ttl TTL value\n"
+, IPTABLES_VERSION);
+}
+
+static void init(struct ipt_entry_match *m, unsigned int *nfcache)
+{
+ /* caching not implemented yet */
+ *nfcache |= NFC_UNKNOWN;
+}
+
+static int parse(int c, char **argv, int invert, unsigned int *flags,
+ const struct ipt_entry *entry, unsigned int *nfcache,
+ struct ipt_entry_match **match)
+{
+ struct ipt_ws_info *info = (struct ipt_ws_info *) (*match)->data;
+
+ check_inverse(optarg, &invert, &optind, 0);
+
+ if (invert)
+ exit_error(PARAMETER_PROBLEM, "invert not supported");
+
+ if (*flags)
+ exit_error(PARAMETER_PROBLEM,
+ "workshop: can't specify parameter twice");
+
+ if (!optarg)
+ exit_error(PARAMETER_PROBLEM,
+ "workshop: you must specify a value");
+
+ switch (c) {
+ case 'z':
+ info->ttl = atoi(optarg);
+ /* FIXME: check range 0-255 */
+ *flags = 1;
+ break;
+ default:
+ return 0;
+ }
+
+ return 1;
+}
+
+static void final_check(unsigned int flags)
+{
+ if (!flags)
+ exit_error(PARAMETER_PROBLEM,
+ "workshop match: you must specify ttl");
+}
+
+static void print(const struct ipt_ip *ip,
+ const struct ipt_entry_match *match,
+ int numeric)
+{
+ const struct ipt_ws_info *info = (struct ipt_ws_info *) match->data;
+
+ printf("workshop match TTL=%u ", info->ttl);
+
+}
+
+static void save(const struct ipt_ip *ip,
+ const struct ipt_entry_match *match)
+{
+ const struct ipt_ws_info *info = (struct ipt_ws_info *) match->data;
+
+ printf("--ttl %u ", info->ttl);
+}
+
+static struct option opts[] = {
+ { "ttl", 1, 0, 'z' },
+ { 0 }
+};
+
+static struct iptables_match ws = {
+ .next = NULL,
+ .name = "workshop",
+ .version = IPTABLES_VERSION,
+ .size = IPT_ALIGN(sizeof(struct ipt_ws_info)),
+ .userspacesize = IPT_ALIGN(sizeof(struct ipt_ws_info)),
+ .help = &help,
+ .init = &init,
+ .parse = &parse,
+ .final_check = &final_check,
+ .print = &print,
+ .save = &save,
+ .extra_opts = opts
+};
+
+void _init(void)
+{
+ register_match(&ws);
+}
diff --git a/2004/netfilter-programming-lwe2004/netfilter-programming-lwe2004.mgp b/2004/netfilter-programming-lwe2004/netfilter-programming-lwe2004.mgp
new file mode 100644
index 0000000..8a26370
--- /dev/null
+++ b/2004/netfilter-programming-lwe2004/netfilter-programming-lwe2004.mgp
@@ -0,0 +1,628 @@
+%include "default.mgp"
+%default 1 bgrad
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+#%deffont "typewriter" tfont "MONOTYPE.TTF"
+%page
+%nodefault
+%back "blue"
+
+%center
+%size 7
+
+
+Developing netfilter/iptables
+extensions
+
+
+%center
+%size 4
+by
+
+Harald Welte <laforge@netfilter.org>
+
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+The netfilter/iptables architecture
+Contents
+
+
+ Introduction
+ The netfilter/iptables architecture
+ Netfilter hooks in protocol stacks
+ Packet selection based on IP Tables
+ The Connection Tracking Subsystem
+ The NAT Subsystem based on netfilter + iptables
+ Packet filtering using the 'filter' table
+ Packet mangling using the 'mangle' table
+ Advanced netfilter concepts
+ Current development and Future
+ Developing a netfilter module
+ Developing a new iptables match
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+The netfilter/iptables architecture
+Netfilter Hooks
+
+What is netfilter?
+
+ System of callback functions within network stack
+ Callback function to be called for every packet traversing certain point (hook) within network stack
+ Protocol independent framework
+ Hooks in layer 3 stacks (IPv4, IPv6, DECnet, ARP)
+ Multiple kernel modules can register with each of the hooks
+ Asynchronous packet handling in userspace (ip_queue)
+
+Traditional packet filtering, NAT, ... is implemented on top of this framework
+
+Can be used for other stuff interfacing with the core network stack, like DECnet routing daemon.
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+The netfilter/iptables architecture
+Netfilter Hooks
+
+Netfilter architecture in IPv4
+
+%font "typewriter"
+%size 3
+ --->[1]--->[ROUTE]--->[3]--->[4]--->
+ | ^
+ | |
+ | [ROUTE]
+ v |
+ [2] [5]
+ | ^
+ | |
+ v |
+
+%font "standard"
+1=NF_IP_PRE_ROUTING
+2=NF_IP_LOCAL_IN
+3=NF_IP_FORWARD
+4=NF_IP_POST_ROUTING
+5=NF_IP_LOCAL_OUT
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+The netfilter/iptables architecture
+Netfilter Hooks
+
+Netfilter Hooks
+
+ Any kernel module may register a callback function at any of the hooks
+
+ The module has to return one of the following constants
+
+ NF_ACCEPT continue traversal as normal
+ NF_DROP drop the packet, do not continue
+ NF_STOLEN I've taken over the packet do not continue
+ NF_QUEUE enqueue packet to userspace
+ NF_REPEAT call this hook again
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+Developing netfilter/iptables extensions
+Developing a netfilter module
+
+ Netfilter modules are very low-layer
+ Get called for every packet passing the hook in this l3prot
+ Examples of netfilter modules are: ip_tables, ip_conntrack, iptable_nat
+%font "typewriter"
+%size 3
+ #include <linux/netfilter.h>
+%size 3
+ nf_register_hook(struct nf_hook_ops *reg)
+%size 3
+ nf_unregister_hook(struct nf_hook_ops *reg)
+%size 3
+ struct nf_hook_ops:
+%size 3
+ struct list_head list; /* list header */
+%size 3
+ nf_hookfn *hook; /* the callback function */
+%size 3
+ int pf; /* protocol family */
+%size 3
+ int hooknum; /* hook to register with */
+%size 3
+ int priority; /* priority (ordering) */
+%font "standard"
+ Example code see "nf_workshop.c"
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+The netfilter/iptables architecture
+IP Tables
+
+Packet selection using IP tables
+
+ The kernel provides generic IP tables support
+
+ Each kernel module may create it's own IP table
+
+ The three major parts of 2.4 firewalling subsystem are implemented using IP tables
+ Packet filtering table 'filter'
+ NAT table 'nat'
+ Packet mangling table 'mangle'
+
+ Could potentially be used for other stuff, i.e. IPsec SPDB
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+The netfilter/iptables architecture
+IP Tables
+
+Managing chains and tables
+
+ An IP table consists out of multiple chains
+ A chain consists out of a list of rules
+ Every single rule in a chain consists out of
+ match[es] (rule executed if all matches true)
+ target (what to do if the rule is matched)
+
+%size 4
+matches and targets can either be builtin or implemented as kernel modules
+
+%size 5
+ The userspace tool iptables is used to control IP tables
+ handles all different kinds of IP tables
+ supports a plugin/shlib interface for target/match specific options
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+The netfilter/iptables architecture
+IP Tables
+
+Basic iptables commands
+
+ To build a complete iptables command, we must specify
+ which table to work with
+ which chain in this table to use
+ an operation (insert, add, delete, modify)
+ one or more matches (optional)
+ a target
+
+The syntax is
+%font "typewriter"
+%size 3
+iptables -t table -Operation chain -j target match(es)
+%font "standard"
+%size 5
+
+Example:
+%font "typewriter"
+%size 3
+iptables -t filter -A INPUT -j ACCEPT -p tcp --dport smtp
+%font "standard"
+%size 5
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+The netfilter/iptables architecture
+IP Tables
+
+Matches
+ Basic matches
+ -p protocol (tcp/udp/icmp/...)
+ -s source address (ip/mask)
+ -d destination address (ip/mask)
+ -i incoming interface
+ -o outgoing interface
+
+ Match extensions (examples)
+ tcp/udp TCP/udp source/destination port
+ icmp ICMP code/type
+ ah/esp AH/ESP SPID match
+ mac source MAC address
+ mark nfmark
+ length match on length of packet
+ limit rate limiting (n packets per timeframe)
+ owner owner uid of the socket sending the packet
+ tos TOS field of IP header
+ ttl TTL field of IP header
+
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+The netfilter/iptables architecture
+IP Tables
+
+Targets
+ very dependent on the particular table.
+
+ Table specific targets will be discussed later
+
+ Generic Targets, always available
+ ACCEPT accept packet within chain
+ DROP silently drop packet
+ QUEUE enqueue packet to userspace
+ LOG log packet via syslog
+ ULOG log packet via ulogd
+ RETURN return to previous (calling) chain
+ foobar jump to user defined chain
+
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+The netfilter/iptables architecture
+Packet Filtering
+
+Overview
+
+ Implemented as 'filter' table
+ Registers with three netfilter hooks
+
+ NF_IP_LOCAL_IN (packets destined for the local host)
+ NF_IP_FORWARD (packets forwarded by local host)
+ NF_IP_LOCAL_OUT (packets from the local host)
+
+Each of the three hooks has attached one chain (INPUT, FORWARD, OUTPUT)
+
+Every packet passes exactly one of the three chains. Note that this is very different compared to the old 2.2.x ipchains behaviour.
+
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+The netfilter/iptables architecture
+Packet Filtering
+
+Targets available within 'filter' table
+
+ Builtin Targets to be used in filter table
+ ACCEPT accept the packet
+ DROP silently drop the packet
+ QUEUE enqueue packet to userspace
+ RETURN return to previous (calling) chain
+ foobar user defined chain
+
+ Targets implemented as loadable modules
+ REJECT drop the packet but inform sender
+ MIRROR change source/destination IP and resend
+ LOG log via syslog
+ ULOG log via userspace
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+Developing netfilter/iptables extensions
+Developing an ip_tables match module
+
+ ip_tables modules are at a high layer
+ Get called for every packet iterating a rule with this match
+ Examples of iptables modules are: ipt_ttl, ipt_tos, ipt_tcpmss
+%font "typewriter"
+%size 3
+ #include <linux/netfilter_ipv4/ip_tables.h>
+%size 3
+ ipt_register_match(struct ipt_match *match)
+%size 3
+ ipt_unregister_match(struct ipt_match *match)
+%size 3
+ struct ipt_match:
+%size 3
+ struct list_head list; /* list header */
+%size 3
+ const char name[]; /* name of the match */
+%size 3
+ int (*match); /* called to match */
+%size 3
+ int (*checkentry); /* called when inserted */
+%size 3
+ void (*destroy); /* called when deleted */
+%size 3
+ struct module *me; /* set to THIS_MODULE */
+%font "standard"
+ Example code see "ipt_workshop.c"
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+Developing netfilter/iptables extensions
+Developing an iptables match module
+
+ Something has to parse the commandline options for ipt_workshop.c
+ Solution: libpt_workshop.c as iptables plugin
+%font "typewriter"
+%size 3
+ #include <iptables.h>:
+%size 3
+ register_match(struct iptables_match)
+%size 3
+ struct iptables_match:
+%size 3
+ struct iptables_match *next; /* next one */
+%size 3
+ ipt_chainlabel name; /* name */
+%size 3
+ const char *version; /* version */
+%size 3
+ size_t size; /* size/kernel */
+%size 3
+ size_t userspacesize; /* size/userspace */
+%size 3
+ void (*help); /* print help */
+%size 3
+ void (*init); /* init matchinfo */
+%size 3
+ int (*parse); /* parse getopt */
+%size 3
+ void (*final_check); /* final check */
+%size 3
+ void (*print); /* (iptables -L) */
+%size 3
+ void (*save); /* iptables-save */
+%size 3
+ struct option extra_opts; /* getopt opts */
+%font "typewriter"
+ Example code see "libipt_workshop.c"
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+The netfilter/iptables architecture
+Connection Tracking Subsystem
+
+ Connection tracking...
+ implemented seperately from NAT
+ enables stateful filtering
+ implementation
+ hooks into NF_IP_PRE_ROUTING to track packets
+ hooks into NF_IP_POST_ROUTING and NF_IP_LOCAL_IN to see if packet passed filtering rules
+ protocol modules (currently TCP/UDP/ICMP)
+ application helpers currently (FTP,IRC,H.323,talk,SNMP)
+ divides packets in the following four categories
+ NEW - would establish new connection
+ ESTABLISHED - part of already established connection
+ RELATED - is related to established connection
+ INVALID - (multicast, errors...)
+ does _NOT_ filter packets itself
+ can be utilized by iptables using the 'state' match
+ is used by NAT Subsystem
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+The netfilter/iptables architecture
+Connection Tracking Subsystem
+
+Common structures
+ struct ip_conntrack_tuple, representing unidirectional flow
+ layer 3 src + dst
+ layer 4 protocol
+ layer 4 src + dst
+ connetions represented as struct ip_conntrack
+ original tuple
+ reply tuple
+ timeout
+ l4 state private data
+ app helper
+ app helper private data
+ expected connections
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+The netfilter/iptables architecture
+Connection Tracking Subsystem
+
+Flow of events for new packet
+ packet enters NF_IP_PRE_ROUTING
+ tuple is derived from packet
+ lookup conntrack hash table with hash(tuple) -> fails
+ new ip_conntrack is allocated
+ fill in original and reply == inverted(original) tuple
+ initialize timer
+ assign app helper if applicable
+ see if we've been expected -> fails
+ call layer 4 helper 'new' function
+ ...
+ packet enters NF_IP_POST_ROUTING
+ do hashtable lookup for packet -> fails
+ place struct ip_conntrack in hashtable
+
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+The netfilter/iptables architecture
+Connection Tracking Subsystem
+
+Flow of events for packet part of existing connection
+ packet enters NF_IP_PRE_ROUTING
+ tuple is derived from packet
+ lookup conntrack hash table with hash(tuple)
+ assosiate conntrack entry with skb->nfct
+ call l4 protocol helper 'packet' function
+ do l4 state tracking
+ update timeouts as needed [i.e. TCP TIME_WAIT,...]
+ ...
+ packet enters NF_IP_POST_ROUTING
+ do hashtable lookup for packet -> succeds
+ do nothing else
+
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+The netfilter/iptables architecture
+Developing conntrack extensions
+
+
+ new l4 protocol modules are very rare
+ more common: application helpers for ftp,irc,h.323,quake,mms,...
+ API for conntrack helper modules:
+
+%font "typewriter"
+%size 3
+ #include <linux/netfilter_ipv4/ip_conntrack_helper.h>
+%size 3
+ struct ip_conntrack_helper
+%size 3
+ struct list_head *list;
+%size 3
+ const char *name;
+%size 3
+ unsigned char flags;
+%size 3
+ struct module *me;
+%size 3
+ unsigned int max_expected;
+%size 3
+ unsigned int timeout;
+%size 3
+ struct ip_conntrack_tuple tuple;
+%size 3
+ struct ip_conntrack_mask mask;
+%size 3
+ int (*help)(const struct iphdr *iph, size_t, struct ip_conntrack, enum ip_conntrack_info);
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+The netfilter/iptables architecture
+Developing conntrack extensions
+
+ API for conntrack helper modules (continued):
+
+%font "typewriter"
+%size 3
+ int ip_conntrack_helper_register(struct ip_conntrack_helper);
+%size 3
+ void ip_conntrack_helper_unregister(struct ip_conntrack_helper);
+%size 3
+ int ip_conntrack_expect_related(struct ip_conntrack, struct ip_conntrack_expect);
+%size 3
+ int ip_conntrack_change_expect(struct ip_conntrack_expect, struct ip_conntrack_tuple);
+%size 3
+ void ip_conntrack_unexpect_related(struct ip_conntrack_expect);
+%font "standard"
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+The netfilter/iptables architecture
+Network Address Translation
+
+Overview
+
+ Previous Linux Kernels only implemented one special case of NAT: Masquerading
+ Linux 2.4.x can do any kind of NAT.
+ NAT subsystem implemented on top of netfilter, iptables and conntrack
+ NAT subsystem registers with all five netfilter hooks
+ 'nat' Table registers chains PREROUTING, POSTROUTING and OUTPUT
+ Following targets available within 'nat' Table
+ SNAT changes the packet's source whille passing NF_IP_POST_ROUTING
+ DNAT changes the packet's destination while passing NF_IP_PRE_ROUTING
+ MASQUERADE is a special case of SNAT
+ REDIRECT is a special case of DNAT
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+The netfilter/iptables architecture
+Network Address Translation
+
+flow of events for NEW packet:
+ packet enters NF_IP_PRE_ROUTING after conntrack
+ resolve conntrack entry for packet
+ if (expectfn of helper) call it
+ else iterate over rules in PREROUTING chain of nat table
+ save respective NAT mappings in conntrack
+ apply the NAT mappings to the packet
+ call NAT helper function, if there is one for this proto
+ ...
+ packet enters NF_IP_POST_ROUTING
+ resolve conntrack entry for packet
+ iterate over rules in POSTROUTING chain of nat table
+ save respectiva NAT mappings in conntrack
+ apply the NAT mappings to the packet
+ call NAT helper function, if there is one for this proto
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+The netfilter/iptables architecture
+Network Address Translation
+
+flow of events for ESTABLISHED packets:
+ packet enters NF_IP_PRE_ROUTING after conntrack
+ reseolve conntrack entry for packet
+ apply the NAT mappings (read from conntrack entry) to the packet
+ call NAT helper function, if there is one for this proto
+ ...
+ packet enters NF_IP_POST_ROUTING
+ resolve conntrack entry for packet
+ apply the NAT mappings (read from conntrack entry) to the packet
+ call NAT helper function, if there is one for this proto
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+Developing NAT extensions
+Network Address Translation
+
+ API for NAT helper modules:
+
+%font "typewriter"
+%size 3
+ #include <linux/netfilter_ipv4/ip_nat_helper.h>
+%size 3
+ struct ip_nat_helper
+%size 3
+ struct list_head list;
+%size 3
+ const char *name;
+%size 3
+ unsigned char *flags;
+%size 3
+ struct module *me;
+%size 3
+ struct ip_conntrack_tuple tuple;
+%size 3
+ struct ip_conntrack_tuple mask;
+%size 3
+ unsigned int (*help)(struct ip_conntrack *, struct ip_conntrack_expect *, struct ip_nat_info *, enum ip_conntrack_info, unsigned int hooknum, struct sk_buff **)
+%size 3
+ unsigned int (*expect)(struct sk_buff **, unsigned int hooknum, struct ip_conntrack, struct ip_nat_info *)
+%size 3
+ int ip_nat_helper_register(struct ip_nat_helper *);
+%size 3
+ void ip_nat_helper_unregister(struct ip_nat_helper *);
+%size 3
+ int ip_nat_mangle_tcp_packet();
+%size 3
+ int ip_nat_mangle_udp_packet();
+
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+The netfilter/iptables architecture
+Advanced Netfilter concepts
+
+%size 4
+ Userspace logging
+ flexible replacement for old syslog-based logging
+ packets to userspace via multicast netlink sockets
+ easy-to-use library (libipulog)
+ plugin-extensible userspace logging daemon (ulogd)
+ Can even be used to directly log into MySQL
+
+ Queuing
+ reliable asynchronous packet handling
+ packets to userspace via unicast netlink socket
+ easy-to-use library (libipq)
+ provides Perl bindings
+ experimental queue multiplex daemon (ipqmpd)
+
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+Developing netfilter/iptables extensions
+Thanks
+
+ The slides are available at http://www.gnumonks.org/
+ The netfilter homepage: http://www.netfilter.org/
+ Thanks to
+ the BBS people, Z-Netz, FIDO, ...
+ for heavily increasing my computer usage in 1992
+ KNF
+ for bringing me in touch with the internet as early as 1994
+ for providing a playground for technical people
+ for telling me about the existance of Linux!
+ Alan Cox, Alexey Kuznetsov, David Miller, Andi Kleen
+ for implementing (one of?) the world's best TCP/IP stacks
+ Paul 'Rusty' Russell
+ for starting the netfilter/iptables project
+ for trusting me to maintain it today
+ Astaro AG (http://www.astaro.com/)
+ for sponsoring parts of my netfilter work
+ for sponsoring my travel cost to LWE
+
diff --git a/2004/netfilter-programming-lwe2004/nf_workshop.c b/2004/netfilter-programming-lwe2004/nf_workshop.c
new file mode 100644
index 0000000..ceb15ef
--- /dev/null
+++ b/2004/netfilter-programming-lwe2004/nf_workshop.c
@@ -0,0 +1,57 @@
+#include <linux/module.h>
+#include <linux/config.h>
+#include <linux/skbuff.h>
+#include <linux/ip.h>
+
+#include <linux/netfilter.h>
+#include <linux/netfilter_ipv4.h>
+
+MODULE_LICENSE("GPL");
+MODULE_AUTHOR("Harald Welte <laforge@netfilter.org>");
+MODULE_DESCRIPTION("LWE2004 workshop module");
+
+static unsigned int
+workshop_fn(unsigned int hooknum,
+ struct sk_buff **pskb,
+ const struct net_device *in,
+ const struct net_device *out,
+ int (*okfn)(struct sk_buff *))
+{
+ struct iphdr *iph = (*pskb)->nh.iph;
+ /* do whatever we want to do */
+
+ printk(KERN_NOTICE "packet from %u.%u.%u.%u received\n",
+ NIPQUAD(iph->saddr));
+
+ return NF_ACCEPT;
+}
+
+static struct nf_hook_ops workshop_ops = {
+ .list = { .prev = NULL, .next = NULL },
+ .hook = &workshop_fn,
+ .pf = PF_INET,
+ .hooknum = NF_IP_PRE_ROUTING,
+ .priority = NF_IP_PRI_LAST-1
+};
+
+static int __init init(void)
+{
+ int ret = 0;
+
+ ret = nf_register_hook(&workshop_ops);
+ if (ret < 0) {
+ printk(KERN_ERR "something went wrong while registering\n");
+ return ret;
+ }
+
+ printk(KERN_DEBUG "workshop netfilter module successfully loaded\n");
+ return ret;
+}
+
+static void __exit fini(void)
+{
+ nf_unregister_hook(&workshop_ops);
+}
+
+module_init(init);
+module_exit(fini);
diff --git a/2004/relation-community-lb2004/abstract b/2004/relation-community-lb2004/abstract
new file mode 100644
index 0000000..a52578c
--- /dev/null
+++ b/2004/relation-community-lb2004/abstract
@@ -0,0 +1,27 @@
+How to establish a 'business relationship' with the free software community
+
+If you're coming from a traditional business perspective, the Linux and Free
+Software development community might still seem quite a bit strange.
+
+However, it is the authors' belief that it is very important for vendors of
+linux-based products and solutions to establish a healthy relationship with the
+free software community.
+
+Both parties can greatly benefit from such a relationship: The businesses can
+reduce their maintainance cost by submitting their changes back into the free
+software project. They also profit from new features developed within the
+community.
+
+The community benefits by increased number of users, more supported hardware
+and feedback about the real needs of the users.
+
+The author is a respected member of the Free Software development community,
+and at the same time working as technical consultant to a number of
+corporations working on Linux-Kernel related development. From his past
+experience, very few businesses have managed to establish this 'healthy'
+relationship, simply because they didn't understand how free software
+developmen works, and how they fit into that development model.
+
+This presentation tries to explain the Free Software development model and give
+guidelines how businesses should interact with Free Software projects.
+
diff --git a/2004/relation-community-lb2004/interact-community-lb2004.mgp b/2004/relation-community-lb2004/interact-community-lb2004.mgp
new file mode 100644
index 0000000..62fce2c
--- /dev/null
+++ b/2004/relation-community-lb2004/interact-community-lb2004.mgp
@@ -0,0 +1,275 @@
+%include "default.mgp"
+%default 1 bgrad
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+%nodefault
+%back "blue"
+
+%center
+%size 7
+
+
+How to interact with the
+Free Software Community
+
+
+%center
+%size 4
+by
+
+Harald Welte <laforge@hmw-consulting.de>
+
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+How to interact with the Free Software Community
+Contents
+
+ Introduction
+ What is Free Software?
+ What is the FOSS Community?
+ People / Groups involved
+ Development Process
+ Motivations
+ FOSS likes
+ FOSS disliks
+ Weak Points
+ Practical Rules
+ Thanks
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+How to interact with the Free Software Community
+Introduction
+
+Who is speaking to you?
+
+ an independent Free Software developer, consultant and trainer
+ who is a member of the free software community for 10 years
+ who has a background in both the community and the corporate crowd
+ who will therefore not have fancy animated slides ;)
+
+Why is he speaking to you?
+
+ because every working day he suffers the lack of understanding between the community and the business world
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+How to interact with the Free Software Community
+What is Free Software?
+
+ Software that is
+ available in source code
+ is licensed in a way to allow unlimited distribution
+ allows modifications, and distribution of modifications
+ is not freeware, but copyrighted work
+ subject to license conditions, like any proprietary software
+ READ THE LICENSE
+
+What is Open Source?
+ Practically speaking, not much difference
+ Remainder of this presentation will use the term FOSS (Free and Open Source Software)
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+How to interact with the Free Software Community
+What is the FOSS Community?
+
+ Diverse
+ any individual can contribute
+ no formal membership required
+ every project has it's own culture, rules, ...
+ International
+ the internet boasted FOSS development
+ very common to have developers from all continents closely working together
+ Evolutionary
+ developers come and go, as their time permits
+ projects evolve over time, based on individual contributions
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+How to interact with the Free Software Community
+People / Groups involved
+
+ Really depends on size of projects
+ Small projects often a one-man show
+ Bigger project have groups / subgroups
+ Common Terms / Definitions
+ Maintainer
+ The person who formally maintains a project
+ Core Team / Steering Committee
+ A group of skilled developers who make important decisions
+ Subsystem Maintainer
+ Somebody who is responsible for a particular sub-project
+ Developer Community
+ All developers involved with a project
+ User Community
+ Users of the software who often share their experience with others
+
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+How to interact with the Free Software Community
+Development Process
+
+ "Rough concensus and running code"
+ Decisions made by technically most skilled people
+ Reputaion based hierarchy
+ Direct Communication between developers
+ Not driven by size of a target market
+ Release early, release often
+
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+How to interact with the Free Software Community
+Motivations
+
+ gaining reputation (like in the scientific community)
+ gaining development experience with real-world software
+ solving problems that the author encounters on his computer
+ fighting for free software as ideology
+ work in creative environment with skilled people and no managers ;)
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+How to interact with the Free Software Community
+FOSS Community likes
+
+ generic solutions
+ portable code
+ vendor-independent architecture
+ clean code (coding style!)
+ open standards
+ good technical documentation
+ raw hardware, no bundle of hardware and software sold as solution
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+How to interact with the Free Software Community
+FOSS Community dislikes
+
+ monopolistic structures
+ e.g. intel-centrism
+ closed 'industry forums' with rediculous fees
+ e.g. Infiniband, SD Card Association
+ standard documents that cost rediculous fees
+ NDA's, if they prevent development of FOSS
+
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+How to interact with the Free Software Community
+Weak Ponts of FOSS
+
+ often way behind schedule (if there is any)
+ already too late when projects start
+ started when there already is a real need
+ often a lack of (good) documentation
+ programmers write code, not enduser docs...
+ strong in infrastructure, weak in applications
+ traditionally developers interested in very technical stuff
+
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+How to interact with the Free Software Community
+Practical Rules
+
+ 1. Much more communication
+ It's not a consumer/producer model, but cooperative!
+ Before you start implementation, talk to project maintainers
+ It's likely that someone has tried a similar thing before
+ It's likely that project maintainers have already an idea how to proceed with implementation
+ Avoid later hazzles when you want your code merged upstream
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+How to interact with the Free Software Community
+Practical Rules
+
+ 2. Interfaces
+ If there is a standard interface, use it
+ Don't invent new interfaces, try to extend existing ones
+ If there is an existing interface in a later (e.g. development) release upstream, backport that interface
+ Don't be afraid to touch API's if they're inefficient
+ Remember, you have the source and _can_ change them
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+How to interact with the Free Software Community
+Practical Rules
+
+ 3. Merge your code upstream
+ Initially you basically create a fork
+ Development of upsteram project continues sometimes at high speed
+ If you keep it out of tree for too long time, conflicts arise
+ Submissions might get rejected in the first round
+ Cleanups needed, in coordination with upstream project
+ Code will eventually get merged
+ No further maintainance needed for synchronization between your contribution and the ongoing upstream development
+ Don't be surprised if your code won't be accepted if you didn't discuss it with maintainers upfront and they don't like your implementation
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+How to interact with the Free Software Community
+Practical Rules
+
+ 4. Write portable code
+ don't assume you're on 32bit cpu
+ don't assume you're on little endian
+ if you use assembly optimized code, put it in a plugin
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+How to interact with the Free Software Community
+Practical Rules
+
+ 5. Binary-only software will not be accepted
+ yes, there are corner cases like FTC regulation on softradios
+ but as a general rule of thumb, the community will not consider object code as a solution to any problem
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+How to interact with the Free Software Community
+Practical Rules
+
+ 6. Avoid fancy business models
+ If you ship the same hardware with two different drivers (half featured and full-featured), any free software will likely make full features available on that hardware.
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+How to interact with the Free Software Community
+Practical Rules
+
+ 7. Show your support for the Community
+ By visibly contributing to the project
+ discussions
+ code
+ equipment
+ By funding developer meetings
+ By making cheap hardware offers to developers
+ By contracting / sponsoring / hiring developers from the community
+
+
+%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
+%page
+GNU GPL - Copyright helps Copyleft
+Thanks
+
+ Thanks to
+ Alan Cox, Alexey Kuznetsov, David Miller, Andi Kleen
+ for implementing (one of?) the world's best TCP/IP stacks
+ Paul 'Rusty' Russell
+ for starting the netfilter/iptables project
+ for trusting me to maintain it today
+ Astaro AG
+ for sponsoring parts of my netfilter work
+ Free Software Foundation
+ for the GNU Project
+ for the GNU General Public License
+
+%size 3
+ The slides of this presentation are available at http://www.gnumonks.org/
+
+
diff --git a/2004/relation-community-lb2004/notes b/2004/relation-community-lb2004/notes
new file mode 100644
index 0000000..4d2b2d3
--- /dev/null
+++ b/2004/relation-community-lb2004/notes
@@ -0,0 +1,107 @@
+- free software community
+ - definition of free software
+ - requires source code access
+ - everybody can make modifications
+ - everybody can redistribute
+ - diverse
+ - any individual can contribute
+ - no formal membership
+ - international
+ - the internet boosted free software development
+ - very common to have developers from all continents in one project
+
+ - development process
+ - rough concensus and running code
+ - decisions made by technical most skilled people
+ - reputation-based
+ - important to have good reputation as business
+ - direct communication between developers, no manager-meets-manager situation
+ - email
+ - mailing lists
+ - not driven by size of a target market (yes, I'm running GNU/Linux on Apple/PPC and Sun/Ultrasparc hardware, of course!)
+ - release often, release early
+
+ - people / groups involved
+ - depends on size of project
+ - small projects often one-man show
+ - bigger projects have groups/subgroups
+ - maintainer
+ - core team / steering committee
+ - subsystem maintainers
+ - developer community
+ - user community
+
+ - motivations for developers to participate
+ - gaining development experience
+ - solving problems they encounter on their systems
+ - fighting for free software as ideology (religion?)
+ - gaining reputation (much like scientific community)
+ - work in a creative environment with skilled people and no managers ;)
+ - FOSS community likes
+ - generic solutions
+ - portable code
+ - vendor-indepent architecture
+ - clean code (coding style!)
+ - open standards
+ - technical documentation
+ (remember the times where a 9-dot-matrix printer came with 300pages of documentation?)
+ - raw hardware, no bundle of hardware and application sold as solution
+ - FOSS community dislikes
+ - monopolistic structures
+ - intel-centrism
+ - closed 'industry forums' with rediculous fees
+ - Infiniband
+ - SD Card Association
+ - standard documents that cost redicolous fees
+ - see above
+ - NDA's, if they prevent free software
+ - solutions, like 'e-mail buttons' at scanners
+
+ - weak points
+ - often way behind schedule (if there is any)
+ - always too late (development starts when there is a need, rather when marketing predicts a requirement)
+ - often a lack of (good) documentation
+ - strong in infrastructure (operating system, networking), but weak in end-user apps
+
+practical issues:
+
+- modification to existing project _need to be submitted upstream_
+ - if you develop something out of tree, you create a fork
+ - development of your upstream tree proceeds at high speed
+ - at some point, they can get too out-of-sync to make an easy merge
+ - submission may be rejected in first round
+ - cleanups needed, coordination with upstream project
+ - code finally gets included
+ - no further maintainance, kernel developers will modify it in case
+ API's change
+
+- binary-only linux applications / drivers DON'T COUNT!
+ - you will never cover all platforms
+ - different cpu architecture / endianness
+ - different kernel versions
+ - different distibutions
+ - different library environment
+ - what about FreeBSD, OpenBSD, NetBSD, and all the other free OS's?
+ - the community lives by source code modification
+ - either publish source code or documentation, but no binary crap
+
+- offload at least part of your support to the community
+ - have support staff use public mailinglist where
+
+
+- much more communication
+ - it's not a producer/consumer model, but cooperative!
+ - you don't have to work
+ - before you start implementation, talk to project maintainers
+ - it's likely that someone has tried a similar thing before
+ - it's likely that project maintainers have already an idea how to implement your feature
+ - avoid hazzles when later merging the code back upstream
+ - if there is a standard interface, use it instead of inventing your own
+ - if the standard interface is insufficient, you can actually change the API, rather than working around it
+
+- show your support for the community
+ - by visibly contributing to the project (discussion on lists, code, ..)
+ - by funding developer meetings
+ - by making cheap hardware offers for developers
+ - by contracting or even hiring developers from the community
+
personal git repositories of Harald Welte. Your mileage may vary