12:12.21 | telmich | timeless: in the best case your ISP should offer IPv6, that is absolutely correct. The VPN offered by ungleich is really for the cases when you cannot get IPv6 otherwise reliably |
12:12.48 | telmich | timeless: I have it for instance on all notebooks/phones, because mobile phone providers don't give you IPv6 in Switzerland (or at least salt) |
13:02.43 | fsmithred | why do I have firefox cookies from places that I last visited in 2016??? |
13:02.59 | fsmithred | I've cleared my cookies hundreds or thousands of times since then |
13:03.14 | fsmithred | and they no longer go away when I close firefox |
13:47.35 | MinceR | maybe the setting to remove cookies on exit was among the many settings they removed |
13:48.01 | MinceR | like the settings to disable javascript or prevent javascript from hijacking right clicks |
13:50.17 | fsmithred | it's very weird. Most of the time it appears that the cookies are all gone, and this time when I closed the browser, some of the cookies went away, but a handful remained, and a few of them were very old. |
14:01.17 | cosurgi | I should someday switch from chromium to firefox. However this is how I dealt with chromium problems: I added ~/.config/chromium/Default/Bookmarks to git dotfiles. Every couple weeks I rm -rf ~/.config/chromium/, also I have set immutability attribute on file ~/.config/chromium/Default/Preferences, like this: |
14:01.31 | cosurgi | $ lsattr ~/.config/chromium/Default/Preferences |
14:01.34 | cosurgi | ----i---------e---- /home/praca/.config/chromium/Default/Preferences |
14:01.55 | cosurgi | with command sudo chattr +i .config/chromium/Default/Preferences |
14:02.37 | cosurgi | And that's it. Chromium is totally wiped out, and doesn't even notice. While I keep using it with exactly the same config all the time. |
14:03.33 | cosurgi | Ah, before wiping it out I copy files Current Session,Current Tabs,Last Session,Last Tabs. So that restarting it after the wipe has exactly the same windows opened. |
17:30.59 | xrogaan | firefox 60.6.3 is finally available from ascii-updates; took only one week :P |
17:33.30 | xrogaan | MinceR: for firefox you can disable javascript through the webdev thing https://files.catbox.moe/6lsexp.png |
17:35.05 | MinceR | i know |
17:35.14 | MinceR | but they used to have a setting for it in preferences |
17:44.38 | xrogaan | For ease of use, I have this https://addons.mozilla.org/en-US/firefox/addon/javascript-toggler/ |
18:16.40 | xrogaan | I just noticed that if I block all access to the internet but localhost, chromium still can access google. |
18:16.46 | xrogaan | but nothing else |
18:18.00 | xrogaan | my iptables rules http://dpaste.com/0XR3CD7 |
18:20.03 | gnarface | i don't think changing those settings would kill off existing connections |
18:20.07 | gnarface | try just restarting chromium |
18:20.46 | xrogaan | i start chromium under the "no-internet" group |
18:21.05 | xrogaan | sg no-internet -c 'chromium' |
18:21.32 | xrogaan | so there is no connection made at all |
18:21.48 | xrogaan | chromium cannot reach anything else, just google |
18:22.19 | xrogaan | Can I setup a rule to deny an interface? |
18:27.44 | DocScrutinizer05 | my ISP doesn't really offer decent IPv4 :-/ |
18:30.43 | DocScrutinizer05 | I can switch the damn modemrouter to bridged mode which gives me a semi-working IPv4 on their damn cgNAT they use to route their "4over6" cable access to the real world. But then a) my cable TV blows chunks, and b) seems their cgNAT IP range is on several RBL now so for example I only get "page doesn't exist" on AliExpress no matter which URL |
18:32.32 | gnarface | xrogaan: set everything to DROP, try that |
18:32.52 | DocScrutinizer05 | hi timeless! |
18:38.06 | gnarface | xrogaan: try it like this, just as a test: http://paste.debian.net/1082050/ |
18:43.09 | Wonka | DocScrutinizer05: funny, aliexpress is on akamai - is akamai not fully DS already? why would they? |
18:44.28 | xrogaan | gnarface: I should have said it before, but this works: `DROP all -- anywhere anywhere owner GID match no-internet` |
18:44.44 | xrogaan | just the drop all anywhere if the gid matches |
18:45.10 | xrogaan | chromium manages to get to the google servers if localhost isn't blocked |
18:45.39 | MinceR | does it actually make a connection or does it just render a page? |
18:46.27 | xrogaan | i can search the web |
18:49.40 | xrogaan | and I can watch youtube video |
18:49.44 | MinceR | sounds like the network blocking doesn't work |
18:49.53 | MinceR | maybe it's using a different protocol, like SPDY? |
18:49.55 | xrogaan | listens to 224.0.0.251:5353 in udp |
18:53.25 | xrogaan | I don't filter on protocol, I just drop everything |
19:04.07 | xrogaan | apparently, -owner only works for OUTPUT and POSTROUTING. I can't have that. |
19:04.46 | MinceR | have you tried running chromium in a namespace that had no network access instead? |
19:09.04 | xrogaan | how? |
19:09.29 | xrogaan | what do you mean by namespace? |
19:10.22 | MinceR | the linux kernel feature |
19:10.55 | MinceR | i can't find the command line to do it before, though |
19:33.55 | xrogaan | what a pain in the ass |
19:57.46 | rebag | hey. How to have the same *same* environment with #root user and crontab root user please ? |
20:00.22 | xrogaan | crontab uses the system environment |
20:01.04 | xrogaan | check /etc/default/cron and /etc/init.d/cron |
20:01.08 | rebag | yes |
20:01.34 | rebag | the software that needs cron (bup), fails because of the differences between the 2 environments ... |
20:02.02 | xrogaan | no, really, read /etc/default/cron |
20:02.52 | xrogaan | maybe I can highlight the relevant part: `This has no effect on tasks running under cron; their environment can only be changed via PAM or from within the crontab; see crontab(5).' |
20:03.35 | rebag | yes and : READ_ENV="yes" |
20:03.48 | xrogaan | maybe I can **really** highlight the relevant part: `This has no effect on tasks running under cron; their environment can only be changed via PAM or from within the crontab; see crontab(5).' |
20:04.12 | xrogaan | I don't know bup though, so I might be wrong. |
20:05.42 | rebag | heh yes ok. But I dunno pam, i understand PAM is the only way to get the same env as root isn't it ? |
20:06.05 | gnarface | xrogaan: uh... you allowed localhost/8 to pass through, right? |
20:06.08 | rebag | "or within the corntab" |
20:06.12 | rebag | crontab |
20:06.27 | gnarface | xrogaan: i'm not sure you want to allow all those ip's through. i'm not sure they're actually all localhost |
20:07.33 | xrogaan | gnarface: I don't understand |
20:08.12 | gnarface | well, i might be wrong here, but the fundamental thing i'm worried about is that localhost is 127.0.0.1, and you're actually passing everything from 127.0.0.0 to 127.255.255.255 |
20:08.19 | gnarface | and i've never seen that before |
20:08.20 | gnarface | that's all |
20:08.52 | gnarface | also i'm not sure you're blocking ipv6 at all |
20:08.57 | rebag | really I don't understand what I have to do. I have this problem for months now I tried various things including adding source in the crontab. I dunno PAM at all. Then any help appreciated |
20:09.03 | xrogaan | gnarface: I don't know what you are talking about. I drop everything if the gid matches the rule. |
20:09.24 | xrogaan | rebag: my guess is ask the bup people |
20:09.30 | rebag | we have tried in the bup chan to figure out which variables were missing, without success :( |
20:09.35 | gnarface | xrogaan: eh, nevermind. you know what? just put google's ips in your /etc/hosts file and point them back to localhost |
20:10.02 | rebag | but it's absolutely sure that it's related to the cron env because with the root env all fine |
20:11.23 | xrogaan | gnarface: what do I not catch with the "anything" rule? |
20:12.17 | xrogaan | any protocol, anywhere except if the destination is local. |
20:13.19 | gnarface | xrogaan: well you said it blocks everything correctly unless you pass localhost traffic, right? |
20:14.02 | gnarface | my hypothesis is that you've made a mistake there and that's how it's sneaking out |
20:14.02 | xrogaan | `iptables -A OUTPUT -m owner --gid-owner no-internet -o lo -j ACCEPT' |
20:14.27 | gnarface | but it's not beyond the realm of possibility that chromium is doing something sneaky |
20:14.43 | xrogaan | and then: `iptables -A OUTPUT -m owner --gid-owner no-internet -j DROP' |
20:15.31 | xrogaan | well, yeah, because chromium *doesn't* have access to the internet, just to google services. |
20:15.52 | xrogaan | which is the internet, but apparently not from google's point of view. |
20:16.18 | xrogaan | something something chromebook, something something eating data. |
20:16.59 | gnarface | so, iptables has INPUT, FORWARD, OUTPUT, PREROUTING, POSTROUTING, MANGLE, and ... maybe some others. if you let it through on any of those, it can sometimes use pre/postrouting or mangle to sneak it through a crack in the armor |
20:17.17 | gnarface | i'm foggy on the specifics, and i think they're crap |
20:17.32 | gnarface | and i largely suspect this is a common view, because it's already being replaced (again) |
20:18.01 | gnarface | so you gotta figure out what it's doing with the packets on a lower level, or you gotta just plug all the holes more explicitly |
20:18.58 | gnarface | i don't think there's anything to say that once you've allowed it to access localhost it can't mangle the packets to get them out and back even if "input" and "output" are being dropped if you don't also drop "forward" "prerouting" and "postrouting" and "mangle" ... understand? |
20:19.57 | gnarface | so it really might be easier to just block their traffic by ip explicitly, or use the hosts file override if it's doing it by DNS |
20:21.36 | gnarface | also... don't forget about ipv6, i'm not sure you've even touched the ipv6 traffic, and chromium might be smart enough to try both ipv4 and ipv6 |
20:22.26 | gnarface | if it's actually generating traffic under some other uid/gid than what you're running it as... that would be an extremely dirty trick, but not beyond the realm of possibility |
20:22.46 | xrogaan | I understand they can do sneaky stuff, yeah, but I can't match by owner on other hooks than POSTROUTING and OUTPUT. |
20:23.14 | gnarface | i'm sorry this is not as specific of information as you want, i'm just trying to outline how many blind spots there are here in your setup |
20:23.56 | gnarface | personally i prefer BSD for this part |
20:24.17 | gnarface | packetfilter is no less complex, but makes a lot more sense in the end |
20:24.50 | gnarface | i think there is an implementation for linux these days. i haven't tried it, but it might be worth it for you |
20:24.55 | xrogaan | oh, right, another cli for ipv6 |
20:25.05 | xrogaan | I might be that dumb |
20:25.44 | gnarface | my hosts file here calls the ipv6 localhost "ip6-localhost", it's distinct from the regular ipv4 localhost. that could also be the culprit, yes |
20:26.05 | gnarface | or something related to that |
20:27.33 | xrogaan | Yeah, so, for some reason the iptables rule to drop everything based on owner works. If I suddenly allow localhost, chromium has access to google services. But if I then apply the same rule with ip6tables (drop anything based on owner, without the localhost exception), chromium is stuck yet again. |
20:28.46 | xrogaan | My question is: "Why?!" |
20:29.05 | gnarface | seems like expected behavior in that case |
20:29.18 | gnarface | chromium tries ipv4 first then falls back on ipv6 so you have to block them both |
20:29.28 | gnarface | doesn't that seem logical? |
20:30.11 | gnarface | you should be happy it doesn't try to establish a new network connection to your neighbor's wifi when ipv6 fails, and then start trying ad-hoc routes through nearby bluetooth devices |
20:30.13 | xrogaan | Well, I had the DROP rule for everything for a while, but without anything related to ipv6 and chromium never could reach google |
20:30.36 | gnarface | oh, hmm |
20:30.46 | xrogaan | Today I setup the exception, and suddenly chromium could reach google but nothing else |
20:30.56 | gnarface | something a little weird there maybe still |
20:31.08 | gnarface | if you do BLOCK instead of DROP does it change anything? |
20:31.35 | gnarface | DROP won't bounce the packets, it will just pretend it didn't get them. if you BLOCK instead, the IP stack gets the packets returned as errors |
20:31.56 | gnarface | that might trigger different behavior |
20:34.15 | xrogaan | How do I do that? -j BLOCK? |
20:34.20 | gnarface | yea. while you're testing this, you should run some tcpdumps on all these interfaces, that will tell you exactly where the packets are going, and what ip addresses they're going to |
20:34.48 | xrogaan | -j REJECT probably |
20:35.25 | gnarface | oh, maybe |
20:35.54 | gnarface | though, as i consult the man page, it says it is RETURN |
20:36.02 | xrogaan | there are 3 states only: accepted, dropped and rejected |
20:36.25 | gnarface | nevermind, RETURN looks like something different |
20:36.44 | gnarface | though there's very little information about it on the man page |
20:38.02 | xrogaan | so this is working: http://dpaste.com/34MREA4 |
20:38.33 | xrogaan | without the last line, chromium has access to the google space. With the first line alone chromium doesn't reach the google space. |
20:38.37 | xrogaan | (just to be clear) |
20:38.44 | xrogaan | err sorry |
20:38.49 | xrogaan | with the second line alone* |
20:39.00 | xrogaan | brb coffee |
20:44.13 | xrogaan | rebag: bup seems to need specific things, I don't know the software so I can't help you. You will have a better support with the software authors. |
21:04.02 | systemdlete | Is setting /proc/sys/net/ipv4/ip_forward to 1 sufficient to make ip forwarding work? I am having a problem on a different system, but maybe devuan runs into this also? |
21:04.35 | systemdlete | I can't find an answer by googling. There are smart and HELPFUL :) people here, so... |
21:05.12 | systemdlete | I have this working on my CentOS system, and I am currently working on hyperbola (the problem system atm) and shortly, devuan ascii. |
21:06.24 | systemdlete | I have 2 physical interfaces, which I want to allow to forward packets to a virtualbox interface |
21:06.44 | systemdlete | This exact same config (sans anything I forgot to do, obviously) on CentOS and it works. |
21:07.07 | systemdlete | istm, all I did was echo 1 > /proc/sys/net/ipv4/ip_forward and voila! it worked. |
21:07.40 | systemdlete | Trying this on devuan will be instructive, to say the least... |
21:07.59 | systemdlete | (that's CentOS 6.10, btw, the last of the Mohicans...) |
21:16.25 | xrogaan | systemdlete: sysctl seems to be used to do those thingy |
21:17.17 | xrogaan | or in /etc/sysctl.conf |
21:17.27 | systemdlete | true, but that's just to ensure that the setting is saved across reboots. I see that using sysctl to do this is reflected in the contents of the /proc file |
21:17.50 | systemdlete | Yes, sysctl.conf is where sysctl will get its persistence data |
21:18.18 | systemdlete | I tried it all different ways. No love |
21:18.55 | systemdlete | xrogaan, keep in mind this is hyperbola, not devuan, but that shouldn't make any difference. |
21:19.20 | xrogaan | well, I don't know who hyperbola is |
21:19.39 | gnarface | <PROTECTED> |
21:19.49 | gnarface | more or less |
21:19.59 | systemdlete | They are an arch distro, but they have removed systemd and they are going to a fixed-release approach based on "stable" snapshots of arch |
21:20.14 | gnarface | if you have a custom kernel you might have omitted ip forwarding inadvertently though... |
21:20.17 | systemdlete | gnarface: hi, and yes, I agree. |
21:20.20 | xrogaan | why no artix linux? |
21:20.24 | systemdlete | no custom kernel |
21:21.08 | systemdlete | I have artix linux also, but I am seeking a fixed release (LTS) which at this point is only alpine, devuan, hyperbola. |
21:21.11 | xrogaan | also, you might want to ask the hyperbola people |
21:21.29 | systemdlete | Alpine would be great for xen, but I also need virtualbox |
21:21.50 | systemdlete | I've queried them, but because they are a small community, and rather tight, it can be hard to get help. |
21:22.05 | systemdlete | And I am not even sure I have a bug. More likely something I overlooked I think |
21:22.23 | systemdlete | these linux kernels are more or less the same, or should be |
21:23.03 | gnarface | are you also using ipv6? is this a virtualized guest of some sort? |
21:23.20 | systemdlete | I'm thinking I might move on to installing and configuring devuan for this, and returning to hyperbola later. |
21:24.18 | systemdlete | gnarface: ipv6 does seem to be enabled on hyperbola, but I did nothing to effect that. No, not a VM. The only VM is one of the interfaces, as I stated above. But that should not matter. |
21:25.31 | systemdlete | gnarface: The only thing I am wondering is that the VM is configured for a paravirtualized interface. If there is a problem with the driver on the host (hyperbola) side, then maybe there is an issue. But, again, all I have done is made the same VMs available on hyperbola as I had on CentOS. There should, in theory, be no difference. |
21:26.24 | KatolaZ | systemdlete: echo 1 > /proc/... and sysctl have the same effect |
21:26.42 | systemdlete | Yes, KatolaZ. Exactly. |
21:27.15 | systemdlete | The point is, even though the /proc/... device is set to 1, still packets do not forward. |
21:27.59 | KatolaZ | systemdlete: is that ipv4 forward or ipv6 forward? |
21:28.01 | systemdlete | Also, I am starting to see DUPs when I ping 8.8.8.8 from hyperbola (local Internet does work through the virtual interface, just not other machines on the LAN) |
21:28.44 | KatolaZ | systemdlete: you have a messed-up routing table |
21:28.45 | systemdlete | ipv4 forward. There is no similar ipv6 device, but there is /proc/sys/net/ipv6/all/ip_forward |
21:28.46 | KatolaZ | most probably |
21:29.15 | KatolaZ | that's why I was asking systemdlete |
21:29.32 | systemdlete | Maybe. But it really is pretty simple. And almost identical to the one on CentOS |
21:29.33 | KatolaZ | for ipv6 the procfiles are arranged differently |
21:29.42 | systemdlete | yes, I noticed! |
21:29.43 | KatolaZ | systemdlete: almost identical is not identical :P |
21:29.54 | KatolaZ | please past your routing table |
21:29.58 | KatolaZ | ~paste |
21:30.06 | KatolaZ | but not here, or the bot will ban you |
21:30.15 | systemdlete | different names for the interfaces. eth? on CentOS, enp?s? on hyperbola |
21:30.40 | KatolaZ | o_O |
21:30.53 | KatolaZ | systemdlete: I thought you were talking of a devuan install |
21:31.05 | systemdlete | https://pastebin.com/fBHkru4j |
21:31.16 | systemdlete | (no, I did mention early on, see above) |
21:31.29 | systemdlete | but as gnarface said, it should be the same |
21:31.49 | systemdlete | kernel is 4.9.155 |
21:32.22 | KatolaZ | are you sure your vbox config is all right? |
21:32.28 | KatolaZ | (meaning, it allows network routing?) |
21:33.46 | systemdlete | Yes, because (1) the VM is the same as the one used on CentOS (shared drive) and (2) I am on IRC with you via this very VM |
21:34.36 | gnarface | i wonder if it could be some module that just needs to be manually loaded... |
21:34.49 | systemdlete | if vbox were not configured properly it would not have worked under CentOS and I'd not be chatting with you here |
21:35.24 | systemdlete | gnarface: I thought of that. I did a sweep of everything under /lib/modules and found nothing looking like ip_forward or similar |
21:35.50 | systemdlete | see, I really did my homework before coming here to ask. |
21:36.04 | gnarface | just making sure |
21:36.18 | systemdlete | np. and thanks for asking |
21:38.31 | systemdlete | hmmm. Just wondering. Is there a way to easily disable ipv6? |
21:38.44 | systemdlete | Just to test, get some data points... |
21:39.34 | systemdlete | I don't think I have much ipv6 going on on CentOS. For one thing, the kernel is old, and I think there were some issues with ipv6 on 2.6.32 or so |
21:39.49 | fsmithred | there is a way to do that, but I don't remember the exact words |
21:39.58 | systemdlete | (hi fsmithred) |
21:40.01 | fsmithred | hi |
21:40.26 | systemdlete | https://www.techrepublic.com/article/how-to-disable-ipv6-on-linux/ |
21:40.27 | fsmithred | search for 'blacklist ipv6' at forums.debian.net and you'll find the answer a bunch of times |
21:41.40 | fsmithred | yeah, do it the debian way |
21:41.48 | fsmithred | in /etc/sysctl.conf |
21:41.57 | systemdlete | done |
21:42.03 | systemdlete | now let's see... |
21:43.03 | systemdlete | nope. still nothing. |
21:43.36 | systemdlete | well, I guess it is time to stop wasting time -- esp the time of the valiant heroes on #devuan -- |
21:44.09 | systemdlete | and move on to configuring my devuan domain (same hardware, different partition) |
21:44.10 | Evilham | systemdlete: sysctl net.ipv6.conf.all.disable_ipv6=1 |
21:44.46 | systemdlete | Evilham: thanks. Got it. Did it. Got the t-shirt. But still no love. no forwarding |
21:45.33 | systemdlete | first question, when I bring up devuan graphical, there is a dark border all around the screen. and there does not seem to be a place to change the monitor settings |
21:46.05 | systemdlete | when I go into the monitor settings dialog, I am already set for the largest size monitor |
21:46.18 | systemdlete | missing driver? |
21:46.28 | gnarface | maybe missing or just picked the wrong one by default. hard to say. i'd check the Xorg log first, to make sure the detected resolution and refresh settings match the display |
21:46.46 | gnarface | sometimes it's just bad EDID data |
21:46.56 | systemdlete | mounts the devuan partition to look at that. Good idea, gnarface |
21:47.58 | gnarface | "overscan" can be a graphics card setting too... it's usually not on by default but i vaguely recall some weird cases where it might be |
21:48.05 | fsmithred | guest additions? |
21:48.21 | systemdlete | hardware this time, fsmithred, hardware. :) |
21:48.24 | systemdlete | (finally!) |
21:48.31 | fsmithred | oh |
21:49.22 | systemdlete | Yes, well, this is the result of having put up long enough with C6 as my host and needing to find a solution before 2020, when support for C6 totally runs out |
21:50.16 | systemdlete | I'd like to have Devuan or something solid in place and soon |
21:50.42 | systemdlete | oh, and this is Ascii, not Jessie or Beowulf or any other future release. |
21:50.53 | systemdlete | It's a fresh install, from about 3 days ago. |
21:52.04 | systemdlete | looks like ATI VESA... |
21:52.23 | systemdlete | RS780 |
21:53.19 | gnarface | Vega you mean? |
21:53.27 | systemdlete | Xorg.0.log: VBESetVBEMode failed, mode set without customized refresh. |
21:53.31 | systemdlete | no, VESA |
21:53.41 | gnarface | definitely the wrong driver then |
21:54.30 | gnarface | VESA is a generic driver |
21:54.41 | gnarface | something it falls back on if it can't figure out what to use |
21:55.13 | gnarface | at that point it's just trying to get any working display even if the feature support is severely limited |
21:56.35 | systemdlete | this MB is from at least a generation ago. (AMD 3M) |
21:56.43 | systemdlete | 3AM, sorry |
21:56.48 | gnarface | VESA is a lot older than that |
21:56.49 | systemdlete | AM3 rather |
21:57.46 | gnarface | VESA isn't your best driver unless the video card is either completely unsupported, or... from the early 1990's |
21:57.53 | systemdlete | It is loading a driver, a long list of ATI Radeon (and some others) |
21:58.02 | gnarface | pastebin the xorg log? |
21:59.23 | gnarface | by default if you haven't specified in the xorg.conf, it will actually try to load several drivers all at once to see what sticks |
22:00.49 | systemdlete | https://pastebin.com/AwP0UiLN |
22:02.30 | gnarface | these lines are pretty telling: (EE) open /dev/dri/card0: No such file or directory |
22:02.35 | gnarface | missing kernel module |
22:02.43 | systemdlete | what I figured |
22:03.09 | systemdlete | but why wouldn't that be installed with the installation? |
22:03.26 | systemdlete | Do I have a mucked-up install of Ascii? |
22:03.38 | systemdlete | Should I re-install? |
22:03.51 | gnarface | it's probably installed but just not being loaded by default |
22:04.05 | gnarface | find it and add it to /etc/modules |
22:04.11 | systemdlete | is dri generic? or is it a specific manufacturer? |
22:04.21 | gnarface | though, check dmesg... maybe there's cases where you need to add firmware instead |
22:04.32 | systemdlete | oh |
22:04.49 | gnarface | the dri interface is generic, but the drivers that make it are vendor specific |
22:04.58 | systemdlete | got it. |
22:05.10 | systemdlete | So this is some ATI driver? |
22:05.20 | gnarface | or, actually that might be an oversimplification - the dri part might be itself generic but relying on a vendor-specific module |
22:05.22 | gnarface | yes, some ATI driver |
22:06.38 | systemdlete | So I want to look for... what did I say... RS780? |
22:06.56 | gnarface | check dmesg first for complaints about missing firmware |
22:07.31 | gnarface | i don't think this is supposed to be happening > [ 1101.370] (EE) AIGLX: reverting to software rendering |
22:07.39 | systemdlete | [drm:radeon_pci_probe [radeon]] *ERROR* radeon kernel modesetting for R600 or later requires firmware-amd-graphics. |
22:07.48 | gnarface | bingo |
22:07.50 | systemdlete | I see that on hyperbola boot also |
22:07.55 | systemdlete | bingo |
22:08.18 | *** join/#devuan gattuso (~gattuso@pompel.me) |
22:08.24 | systemdlete | and this would be the non-free part |
22:08.31 | systemdlete | or one of them |
22:08.36 | gnarface | yea it is in non-free, which is why it is not installed by default for you |
22:08.48 | systemdlete | so enable it in repos and install? |
22:08.53 | gnarface | yea |
22:09.00 | DocScrutinizer05 | \o/ /msg alis LIST netfilter |
22:09.57 | gnarface | so this is how AMD claims they have an open-source driver. they just cripple it if you don't add the non-free firmware |
22:10.14 | gnarface | i think that's dirty pool but it's a half step better than NVidia's middle finger |
22:10.21 | systemdlete | clever. Looks like non-free is already enabled (I did nothing, btw) |
22:10.25 | DocScrutinizer05 | slightly late, sorry. anyway xrogaan ^^^ |
22:10.42 | gnarface | systemdlete: if you install in expert mode, it asks you |
22:10.59 | gnarface | i'm not sure what the situation is otherwise |
22:11.03 | systemdlete | don't recall how I installed |
22:13.05 | systemdlete | gnarface: Should I be installing in expert mode for this? Do I need to re-install? |
22:13.05 | DocScrutinizer05 | indeed iptables / netfilters is a power monster but completely unmanageable at least for me. A highly intriguing example how you could create a system of almost infinite complexity from only half a dozen simple rules |
22:13.27 | gnarface | systemdlete: no no, don't worry about that now. next time you do an install try it out though, the questions are a lot more verbose, and i suspect you will like it more |
22:14.00 | systemdlete | actually, now that I think of it, you guys advised me to do expert mode the first time I installed to hardware on my testbox |
22:14.10 | gnarface | systemdlete: for now just add that firmware package and reboot. maybe it'll magically fix it, no guarantees some more configuration isn't necessary, but i'm sure it won't work without it. |
22:15.16 | DocScrutinizer05 | Wonka: >>aliexpress is on akamai - is akamai not fully DS already?<< what's DS? |
22:16.11 | systemdlete | ok, that means rebooting this box, so give me a few minutes. I'll try to bring up IRC on Devuan |
22:16.21 | systemdlete | bbs/bbl who knows |
22:16.28 | gnarface | good luck |
22:16.31 | systemdlete | thanks |
22:18.05 | systemdlete | I am looking for something like RS780, or just RS600 (like a generic name covering many versions?) |
22:20.36 | *** join/#devuan Achylles (~Achylles@2804:431:d724:de99:2640:2b1f:e57a:cac9) |
22:21.16 | gnarface | looking for where now? |
22:21.21 | gnarface | dmesg |grep firmware -i |
22:21.38 | gnarface | or just check the Xorg log for lines with (EE) |
22:21.50 | gnarface | several of them should have disappeared now |
22:22.01 | systemdlete | when I get devuan rebooted, I call apt install |
22:22.19 | systemdlete | I mean, what is the convention for package names for these? |
22:22.34 | systemdlete | (I've always wondered about package names for hardware... mysterious many times) |
22:22.48 | gnarface | it looks like you already have the right driver |
22:22.50 | systemdlete | is still on hyperbola |
22:22.57 | gnarface | oh |
22:23.00 | systemdlete | Rs780 |
22:23.09 | gnarface | no it won't be that specific |
22:23.17 | gnarface | the firmware for all of them is in one package |
22:24.08 | gnarface | all the xorg packages start with "xserver-xorg-" but by default it should have included them all |
22:24.25 | systemdlete | is this one with "xf86" in the name? |
22:24.34 | gnarface | no |
22:25.09 | gnarface | xserver-xorg-video-r128, xserver-xorg-video-ati, xserver-xorg-video-radeon |
22:25.26 | systemdlete | ok, got it. thnx |
22:26.06 | gnarface | it's supposed to just load the regular "ati" driver, which that Xorg log showed it doing. and that "ati" driver is supposed to be smart enough to chain-load r128 or radeon as necessary |
22:26.39 | gnarface | though it wasn't always that way |
22:27.52 | gnarface | your card is probably supported by the radeon one, but i'm not sure. almost nothing actually uses the r128 one |
22:28.16 | gnarface | most the cards in the wild are the radeon one these days, only very ancient stuff just uses the base "ati" driver |
22:28.26 | systemdlete | Yeah, I'm thinking radeon also. That's the error message I see here on Hyperbola linux also |
22:29.00 | systemdlete | Will I need to modify any config files before launching X11? |
22:29.26 | gnarface | probably not |
22:29.42 | gnarface | we won't know what to change until we see the updated xorg.log anyway |
22:29.51 | gnarface | Xorg.0.log or whatever |
22:29.58 | systemdlete | ok |
22:30.06 | systemdlete | let's hope that it "just works" |
22:30.23 | gnarface | that's what is supposed to happen. they've got it up to about 80% accuracy :) |
22:30.38 | systemdlete | bb... thanks again for everyone's help |
22:30.44 | gnarface | no problem |
22:30.47 | systemdlete | later |
22:39.08 | *** join/#devuan Human_G33k (~HumanG33k@62.147.242.8) |
22:41.45 | *** join/#devuan Jjp137 (~Jjp137@cpe-75-83-16-81.socal.res.rr.com) |
22:45.13 | *** join/#devuan Hund (~Hund@ubuntu/member/hund) |
22:50.37 | *** join/#devuan systemdlete (~systemdle@c-73-66-177-57.hsd1.ca.comcast.net) |
22:52.49 | systemdlete | gnarface: I had radeon installed, but not ati128. That was the only thing left to install. I did, and restarted X (actually, rebooted, a bit overkill), but still border and the same error message on boot |
22:53.18 | systemdlete | The Xorg log is at 1082107 on the debian pastebin |
22:53.26 | systemdlete | (I forget the url) |
22:53.46 | gnarface | stand by, i'm looking |
22:54.07 | systemdlete | paste.debian.net/1082107 |
22:54.44 | gnarface | hmm. disturbing |
22:54.54 | systemdlete | see anything new? |
22:55.06 | gnarface | no, nothing new in the Xorg log, but that's not a conclusion yet. did the firmware error disappear from dmesg at least? |
22:56.10 | systemdlete | Sorry. No. It is still there. |
22:56.47 | gnarface | oh, hmmm |
22:56.53 | gnarface | well that's ... weird |
22:56.57 | gnarface | on the host or the guest? |
22:57.14 | gnarface | i don't see any material change in the xorg log either |
22:57.20 | systemdlete | no guests. This is all hardware this time |
22:57.45 | gnarface | dpkg -l |grep firmware |
22:57.46 | gnarface | ? |
22:58.00 | systemdlete | guess what. The package they want is "firmware-and-graphics" (literally), as per: https://joshtronic.com/2017/11/06/fixed-radeon-kernel-modesetting-for-r600-or-later-requires-firmware-amd-graphics |
22:58.20 | gnarface | uh, oh not firmware-amd-graphics? |
22:58.30 | gnarface | hmmm |
22:59.07 | gnarface | because i was wondering if you also need firmware-linux-free and/or firmware-linux-nonfree |
22:59.37 | systemdlete | typo, sorry |
22:59.53 | systemdlete | I could try those |
23:00.10 | gnarface | oh, well i thought i was clear about that already, that you should install firmware-amd-graphics.... i'm sorry if that wasn't clear |
23:01.28 | systemdlete | np. Glad we are getting this sorted out. |
23:01.31 | systemdlete | later |
23:09.15 | *** join/#devuan banisterfiend (~textual@ruby/staff/banisterfiend) |
23:25.36 | *** join/#devuan Kizano (markizano@2600:3c00::f03c:91ff:fec8:382d) |
23:32.12 | *** join/#devuan systemdlete (~systemdle@73.116.44.121) |
23:33.16 | systemdlete | gnarface: Thanks, that did it. I have a very pretty display now |
23:33.30 | gnarface | cool, you're welcome |
23:33.35 | systemdlete | it was really looking ugly before. |
23:33.47 | gnarface | i believe you |
23:34.02 | systemdlete | now, on to re-create the config I was telling you about before that I have on CentOS and Hyperbola linuxes. |
23:34.12 | systemdlete | This will take me some time |
23:34.19 | systemdlete | I'll leave this up for now |
23:44.27 | *** join/#devuan xcm (~xcm@ipa210.225.tellas.gr) |
23:45.51 | *** part/#devuan banisterfiend (~textual@ruby/staff/banisterfiend) |
23:46.28 | *** join/#devuan Oldmoss (~oldmoss@2001:67c:1350:106::2) |
23:54.05 | *** join/#devuan xcm (~xcm@ipa210.225.tellas.gr) |
23:54.46 | *** join/#devuan LtWorf_ (~LtWorf@2001:9b1:4041:e000:a634:d9ff:fec6:343c) |
23:55.49 | systemdlete | virtualbox does not seem to be in the repos. I installed it to my testbox, but that was months ago. I'm keeping notes these days. Sorry, how do I install it? From virtualbox.org? or is there a standard way in devuan? |