Blog

EthTV June development update

June 22nd, 2008

EthTV SVN has some exciting new features introduced since the last development update. Last month's goal was to advance the integration with Windows Forms and GTK. This was initially prototyped with the Tao and SDL.NET Form control implementations but was subsequently abandoned due to a lack of hardware acceleration. A transition of the underlying AV frameworks from SDL to OpenTK, a managed library not unlike Tao with support for OpenGL and OpenAL, was undertaken to resolve this problem.

OpenGL brings some other benefits, too. Image rescaling and YCbCr to RGB colourspace conversion are now delegated to the GPU through OpenGL shaders, lowering CPU consumption to about 10% on Windows Vista with .NET 3.5 on an E6600 Core 2 Duo. As a comparison, WinTV, a native TV client written by Hauppauge, consumes about 25% CPU. OpenAL has a pleasantly familiar interface, allowing simplification of the audio buffering system that was complicated by SDL's callback paradigm.

The results are now integrated into a Windows Form with a menu and a status bar. Further integration of GUI elements can proceed in the standard Visual Studio designer. This technology has not been tested on Linux, yet, but upstream developers claim that the Forms code will emulate correctly under Mono.

When 24″ just won’t do

May 26th, 2008

Dell's 2407WFP 24 inch LCD monitor running at 1920x1200 is a sight to behold. Two of them running at 3840x1200 is an even better one. Such was my motivation for wiring up a second monitor in some newly created space on my desk. The result is powered by a GeForce 8800 GTX with NVIDIA's TwinView technology, allowing free movement across monitors with sensible management of fullscreen applications.

Vista SP1 and GRUB

May 25th, 2008

Yesterday I ran into a tricky problem whilst reinstalling Windows Vista onto a larger hard disk for my gaming system. The service pack spent about forty minutes installing and then failed with the message "Service Pack did not install. Reverting changes." The error code in the Windows Update log was fairly generic and not indicative of a specific problem. Repeated attempts to install all failed with this error.

The problem turned out to be quite odd. I stumbled upon a solution during a somewhat desperate Google crawl. SP1 will apparently fail to install if the Vista installation is not set as the primary hard disk in the BIOS. I have GRUB on another drive to chainload Vista, for dual-booting Linux, which works fine in normal use. However, in order to install SP1 I had to temporarily set the Vista drive as the primary hard disk and then put it back after installation.

I guess it's a little much to expect Microsoft to test their software's compatibility with bootloaders associated with competing operating systems.

Core Image: a curious beast

May 18th, 2008

This week provided me with the opportunity to experiment with Apple's Core Image processing framework. Core Image's selling point is its native support for GPU acceleration. Image data is uploaded and maintained in fast graphics memory for the duration of a sequence of processing operations. Adjustments to the processing operation may be made without any data movement to or from the graphics card, giving exceptional interactive performance. Final renders still require data transfer to and from graphics memory in order to reach the backing store but can benefit from the faster computational performance.

Processing operations are written in a subset of the OpenGL Shading Language (GLSL). These are parallel expressions of image processing algorithms which can prove difficult to formulate from more advanced sequential algorithms. Some features of the GLSL language are notably missing, including support for control flow statements and multiple render targets. When a suitable GPU is not available the language can be compiled on the fly to SSE for CPU execution.

The framework is tied together with Objective C. This is perhaps the most contentious aspect of Core Image; and indeed of many of Mac OS X's software technologies. I am not a fan of the language, nor do I see its purpose in a modern development environment. The syntax is deliberately awkward to maintain backwards compatibility with C. C++ fills the modern object-oriented role, whilst managed languages such as C# and Java provide reflection along with other advanced language features. Obj C seems misplaced and it's unfortunate that one is forced to use it to interact with Apple's innovative technologies.

In the space of last week I put together a complete visual effect within the Core Image framework. Its performance was outstanding: real-time for 720p HD images and a respectable 15 FPS at 1080p HD. This is certainly the future of the industry; perhaps not Core Image specifically but there is certainly a place for accelerator-enhanced frameworks in solving the processing needs of increasingly data hungry industries.

EthTV May development update

May 3rd, 2008

The development version of EthTV can now stream live TV from the server to the client and reproduce it with audiovisual synchronisation. There are some technical challenges remaining in the core architecture which must be resolved before integration with a GUI proceeds. I can now successfully demonstrate the client running under both Linux, with Mono 1.9.1, and Windows, with .NET 3.5. The amount of platform-specific code in the client is very small, a testament to the powerful combination of C# and the Tao Framework.

Rhythmbox’s media key support

April 23rd, 2008

Rhythmbox, an excellent Linux audio player for the GNOME desktop, has supported the media keys for quite some time. A recent change to the mmkeys plugin gave the stop button correct functionality instead of simply pausing, which previously caused problems with radio streams.

The patch wasn't quite right, however. It caused critical warnings in the terminal and broke streaming radio titles after the stop button had been pressed. I've put together a patch to resolve this and it's now being tracked in this bug report.

Hardy Heron and the blinkin’ terminal

April 19th, 2008

Ubuntu Hardy Heron 8.04 RC1 has just made its way onto my laptop. As I was setting it up I noticed something odd: the 'cursor blink' option in GNOME Terminal had been removed. A little Googling suggests that this feature was now tied to the global cursor blink settings in Preferences -> Keyboard. But who in their right mind wants to choose between an ugly great, blinking cursor block in the terminal or a non-blinking thin line cursor in all other text boxes?

This madness has been picked up in a bug report, but it looks like Hardy has been snapshotted at an unfortunate moment. So I've put together a patch to forcibly disable blinking in the GNOME Terminal. I've uploaded AMD64 and i386 binaries to save people having to rebuild their software. I chose not to create a whole package because it is likely that Ubuntu will release their own update later down the line and my package would conflict with theirs.

Source patch:

Pre-patched binary, copy to /usr/bin/gnome-terminal:

A FreeBSD filtering, NATing bridge

April 19th, 2008

I've been experimenting with a FreeBSD firewall in a somewhat obscure configuration. My home network needs a mix of bridging, selective NAT and packet filtering. This is all implemented on my ALIX firewall for convenience. The following diagram explains why:

Computers on the LAN have a mix of private and publicly routable IP addresses. The public /29 subnet is not large enough to cover them all. Thus, those with private IPs must be NAT'd to one of the public addresses whilst the others are routed as-is. In addition the firewall has two network interfaces (one to the LAN and one to the modem) that must be bridged to avoid introducing a further subnet. Finally the firewall must perform packet filtering duties for security.

This all proved very difficult to implement in FreeBSD. In spite of its reputation as a solid networking OS, the interaction of these features is not well-documented and the mailing list support is equally sparse. However, with some assistance I did manage to build a working setup with all the features that I needed. My experiences are documented here in the hope that it might help others.

The best configuration I have found binds IPs associated with the bridge (its own, NAT-to and a private subnet communication IP) to one of the two interfaces constituting the bridge. Assigning IPs directly to the bridge interface causes odd packet duplication problems when routing between the public and private subnets. Notice how I bind a private subnet IP here: this is necessary to make DHCP serve leases for that subnet, even though the IP is not used for direct communication. These are the relevant lines of my /etc/rc.conf:

cloned_interfaces="bridge0"
ifconfig_bridge0="addm vr0 addm vr1 up"
ifconfig_vr0="inet XX.XX.XXX.20 netmask 255.255.255.248"
ifconfig_vr0_alias0="inet XX.XX.XXX.21 netmask 255.255.255.255"
ifconfig_vr0_alias1="inet 192.168.1.30 netmask 255.255.255.0"
ifconfig_vr1="up"

IPFW seems to override PF by default and must be disabled at startup. Filtering on the bridge must be disabled to handle incoming connections correctly. Both of these are set in /etc/sysctl.conf:

net.inet.ip.fw.enable=0
net.inet6.ip6.fw.enable=0
net.link.bridge.pfil_bridge=0

And this is the complete PF configuration:

# === Macros ===

int_if = "vr0"
ext_if = "vr1"
bridge_if = "bridge0"

lan_ips = "{192.168.1.0/24 XX.XX.XXX.16/29}"
nat_from_ips = "192.168.1.0/24"
nat_to_ip = "XX.XX.XXX.21"

bittorrent_ips = "XX.XX.XXX.19"
gateway_ip = "XX.XX.XXX.20"
ident_ips = "XX.XX.XXX.19"
ssh_ips = "{XX.XX.XXX.17 XX.XX.XXX.18 XX.XX.XXX.19}"

bittorrent_ports = "6881:6889"

# === Tables ===

table <ssh-bruteforce> persist

# === Options ===

# Don't filter on loopback. (Not necessary and would collide with antispoof.)
set skip on lo0

# === Scrub ===

# Clean incoming packets on all interfaces. Scrubbing outbound packets would
# be redundant, save for those originating from the firewall itself. We
# assume the firewall machine is secure.
scrub in all

# === Queueing ===

# === Translation ===

# NAT through the bridge interface from a private subnet to a specific IP
# bound to the bridge interface. This IP may be an alias. Note that because
# we are bridging the internal and external interfaces we must do NAT here
# and not on the external interface.

no nat on $int_if from $nat_from_ips to $lan_ips
nat on $int_if from $nat_from_ips to any -> $nat_to_ip

# === Filter rules ===

# Deny inbound traffic only. Assume all outbound traffic is legitimate.
block in all

# Deny hosts that have been banned for connection overloading.
block in quick on $ext_if from <ssh-bruteforce>

# Disallow spoofing of LAN IPs from the external interface.
block in quick on $ext_if from $lan_ips

# Protect the loopback interface from spoofing.
antispoof quick for { lo0 }

# Allow free inbound traffic on the LAN interface from local IPs. We will do
# all external-to-LAN filtering on the external interface.
pass in quick on $int_if from $lan_ips

# Maintain outbound state on all interfaces.
pass out quick

# Open holes for external packets destined for LAN services. This does *not*
# cover the firewall host itself.
pass in quick on $ext_if proto tcp from any to $bittorrent_ips port $bittorrent_ports
pass in quick on $ext_if proto tcp from any to $ident_ips port auth
pass in quick on $ext_if proto tcp from any to $ssh_ips port ssh \
  flags S/SA synproxy state \
  (max-src-conn-rate 5/20, overload <ssh-bruteforce> flush global)

# Open holes for external packets destined for the bridge.
pass in quick on $int_if proto tcp from any to $gateway_ip port ssh \
  flags S/SA synproxy state \
  (max-src-conn-rate 5/20, overload <ssh-bruteforce> flush global)

Finally, to keep the connection throttling tables clear you will need to install expiretable (from ports or source). Then add a line like this to /etc/crontab to expire entries after, for example, 5 minutes:

*/5 * * * * /usr/local/sbin/expiretable -t 300 ssh-bruteforce
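
How the overload rule and the expiretable cron job above interact, as an added example that is not part of the original configuration. It is a simplified Python model: PF's rate tracking is assumed to be an exact sliding window, and the traffic uses constructed documentation addresses. In this model a banned host stays in the table for between 5 and 10 minutes, because the cron job only runs every 5 minutes.

```python
# Added example, not from the original post: a simplified model of the rule
# "max-src-conn-rate 5/20, overload <ssh-bruteforce> flush global" combined
# with the cron job "*/5 * * * * expiretable -t 300 ssh-bruteforce".
# Assumption: PF's rate tracking is modelled as an exact sliding window.
from collections import defaultdict, deque

MAX_CONN, WINDOW = 5, 20            # max-src-conn-rate 5/20
EXPIRE_AGE, CRON_STEP = 300, 300    # expiretable -t 300, run every 5 minutes


def simulate(events, horizon):
    """events: (second, source_ip) SYNs to port ssh, sorted by time.
    Returns (accepted, bans); bans maps ip -> (banned_at, released_at)."""
    recent = defaultdict(deque)     # per-source timestamps inside the window
    table = {}                      # <ssh-bruteforce>: ip -> time added
    accepted = defaultdict(int)
    bans = {}
    pending = deque(events)
    for now in range(horizon + 1):
        # Cron fires on multiples of CRON_STEP and drops old enough entries.
        if now and now % CRON_STEP == 0:
            for ip, added in list(table.items()):
                if now - added > EXPIRE_AGE:
                    bans[ip] = (added, now)
                    del table[ip]
        while pending and pending[0][0] == now:
            _, ip = pending.popleft()
            if ip in table:         # block in quick ... from <ssh-bruteforce>
                continue
            window = recent[ip]
            while window and now - window[0] >= WINDOW:
                window.popleft()
            window.append(now)
            if len(window) > MAX_CONN:   # rate exceeded: overload the source
                table[ip] = now
                window.clear()
            else:
                accepted[ip] += 1
    for ip, added in table.items():      # still banned at the end of the run
        bans[ip] = (added, None)
    return dict(accepted), bans


# Constructed traffic (documentation addresses): one scanner opening a
# connection every 2 seconds from t=310, one admin connecting occasionally.
EVENTS = sorted([(310 + 2 * i, "203.0.113.7") for i in range(40)] +
                [(5, "198.51.100.9"), (400, "198.51.100.9"), (800, "198.51.100.9")])
```

Calling simulate(EVENTS, 1000) shows the scanner banned at t=320 and not released until the cron run at t=900, while the occasional admin connections are never affected.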

24th May 2008 - I've rewritten this post to incorporate a redesigned configuration which alleviates some minor problems.

1st June 2008 - Updated sysctls with disabled bridge filtering to allow inbound connections to proceed correctly.

My first Oblivion mod

April 15th, 2008

Slof's Battlemage Robes for Exnem is my first stab at a simple Oblivion mod. My goal was to modify the Battlemage Robes from the popular Slof's Oblivion Robe Trader mod in a manner more appropriate for Exnem's replacement mesh. This required a whirlwind tour of some modding tools, including Blender and NifTools, and some assistance from the Bethesda Forums to deal with the rather steep learning curve.

The results are simple, but represent my first steps into the modding world.

Retextured Battlemage Robe from AlienSlof's work

EthTV April development update

March 31st, 2008

Development on the EthTV project progressed steadily throughout March. I rewrote the communications server to support continuous streaming and SOAP proxying. The server now delivers live TV over HTTP. As the screenshot shows below, it can even serve standard web clients.

The EthTV client adopted the SDL and FFmpeg C# wrappers of the Tao Framework project. Video playback currently works correctly with aspect correction and deinterlacing. Audio playback and audiovisual synchronisation are under development and on track to deliver a usable client in the near future.


Design and content is copyright © 2007-2008 Jay L. T. Cornwall.