snork | Would anyone know what kind of timeline I may have to migrate firewalls from iptables to nft? Is dropping support for iptables/ip6tables/ipset strictly a Debian question or is it something Devuan could hold on to after Debian has dumped it? | 01:11 |
snork | Would Devuan even care to extend iptables support after Debian has dumped it? | 01:12 |
gnarface | snork: stick around, it's a good question, though i suspect we'll be tied to debian's decision that's not always the case | 02:26 |
rrq | is debian dumping iptables? or merely not using it in the default installations? | 02:34 |
brocashelm | https://wiki.debian.org/iptables | 02:59 |
brocashelm | i see nftables has been the default since buster/beowulf, but iptables is still on my repo (unstable) | 02:59 |
rrq | it's unclear whether they talk about what you install or what is available | 03:01 |
brocashelm | all i'm getting from these pages is "stop using iptables and start using nftables because we said so" | 03:02 |
brocashelm | i'm not too familiar with iptables, but i see it is installed on my systems. not having any issues that i'm aware of? what does nftables have to offer? | 03:02 |
rrq | I understand it to be 2 discussions; firstly whether the backend is over netfilter socket or via ioctl, and secondly whether the rule syntax is the traditional or the strange (guess which I like :)) | 03:04 |
rrq | the actual installed "rules" in the kernel are the same and have the same potential, and it's a question how to manipulate them | 03:05 |
rrq | whichever end user syntax you use, you will end up gaining knowledge about, and end up preferring | 03:08 |
snork | When I do "which iptables" on Chimaera I get "/usr/sbin/iptables" which is a link to "/etc/alternatives/iptables" which is a link to "/usr/sbin/iptables-nft" which is a link to "xtables-nft-multi" which is not an absolute path but does exist in my path at "/usr/sbin/xtables-nft-multi" -- which is a ridiculous mess but I am seriously not making this up. | 03:09 |
snork | Someone may be able to confirm on a Beowulf machine, but I believe we are already using nftables in some way even if we are using iptables commands. | 03:10 |
rrq | yes, both iptables and nftables use the netfilter backend | 03:10 |
snork | I also am under the impression that some day those links will dry up and iptables will be a thing of the past. Unfortunately nft has some pretty severe limitations when dealing with large sets. | 03:11 |
gnarface | i'm not sure but that's what i thought, i thought the backend had been nftables for a while already, and it's actually just a question about migrating to the newer command syntax (which is largely similar but just different enough to break all your scripts) | 03:11 |
gnarface | if devuan doesn't keep iptables somehow, i'm probably gonna have to deal with this all too eventually | 03:12 |
gnarface | but so far i haven't seen any material value in the new stuff | 03:12 |
snork | Actually gnarface the syntax is quite different with nft, though there are conversion utilities that can migrate simple rulesets. | 03:12 |
snork | "haven't seen any material value in the new stuff" <-- very much so! | 03:13 |
onefang | My issue is that I'll have to switch from shorewall to something else, coz apparently shorewall isn't moving off iptables. | 03:39 |
onefang | I haven't found a suitable something else yet, and thinking I might just end up scripting nftables directly, but then have to port my scripts- when they next change how it all works. lol | 03:41 |
snork | onefang, I thought Shorewall was a sort of router-os-distro... AND I thought it was BSD-based. I was double wrong. LAWL | 03:44 |
snork | Do you happen to use any large sets in your Shorewall system(s)? | 03:45 |
onefang | Yep. Mostly just "drop this IP coz they tried to hack my servers, and doesn't look like a disposable IP". But I'm also experimenting with getting fail2ban to not fail to ban quite so much so that this sort of thing is more automated. | 03:47 |
onefang | Fail2ban annoys me in that NONE of their built in rules manage to ever match things that actually happen to me, so I have to write my own. | 03:48 |
snork | Heh, I kind of went the other way on that one. I have never used any of the rules that comes with fail2ban. :-) | 03:48 |
* rrq haven't learnt how nft might use ipset for IP set controls | 03:49 |
snork | I have an ipset that consists of: China, Hong Kong, Russia, Ukraine, Vietnam, Brasil, Alibaba, Bing, CloudWM, Digital Ocean, Serverion, smallwankers (a manual list I manage), and tor exit nodes. | 03:52 |
snork | I don't see a way to reproduce that kind of ipset, and keep it updated, using nftables. | 03:52 |
rrq | yuk! https://wiki.nftables.org/wiki-nftables/index.php/Moving_from_ipset_to_nftables | 03:54 |
snork | Yeah rrq it is a hot mess. :-( | 03:54 |
onefang | Shorewall is popular, someone might fork it when needed. | 03:55 |
Xenguy | I liked Shorewall, but eventually got lazy and just went with 'ufw' | 03:56 |
snork | Unfortunately the more I read about nftables the more I find myself thinking "How is this better?". AND I feel like Debian will decide for me when I should stop using iptables. | 03:57 |
onefang | To answer your original question, if Debian changes over completely, and Devuan wants to not, then we'll need people to maintain our own kernels. Hard job. | 03:58 |
snork | onefang, I imagine that is also a split Devuan is not considering. | 03:59 |
rrq | no; it's the same kernel - the same backend.. it's a matter of having iptables package(s) available in the repository | 03:59 |
snork | I even looked at a couple of BSDs to see what they have but IPF, IPFW and PF are their own hot mess. :-( | 04:00 |
Xenguy | Strategically, I think Devuan wants to deviate as little as possible from Debian, truth be told | 04:00 |
rrq | whether or not a debian installation end up using nftables by default, it's not an issue as long as iptables remain in the repository as an alternative | 04:01 |
Xenguy | Unless an army of enthusiastic developers suddenly appear over the horizon | 04:01 |
snork | rrq, would it really be as minor as maintaining iptables? Don't get me wrong, I don't think it would be trivial... but it isn't maintaining a separate kernel. | 04:01 |
rrq | and I haven't got pointed on anything saying iptables is no longer supported as alternative | 04:01 |
Xenguy | iptables lives, so far | 04:02 |
rrq | currently there are (at least) iptables and nftables as alternatives for operating the netfilter "subsystem" in the kernel | 04:02 |
onefang | Ah they are just different wrappers around the kernel, not in the kernel itself? | 04:03 |
* Xenguy has not investigated nftables, of course ... | 04:03 |
snork | I have been given the impression that iptables is going to be dropped at some point... but that it is a staged creep. Right now iptables sort of exists in the legacy command availability but that nftables is ultimately what I (running Chimaera) am currently using whether I know it or not. Next will be dumping the legacy commands. | 04:03 |
Xenguy | No idea if iptables will be discontinued | 04:04 |
Xenguy | It's not the future, that's for sure | 04:04 |
snork | I have seen some folks make claims that iptables will be around a long time but without any source to back up the claim. | 04:04 |
onefang | Did they drop whatever it was that iptables replaced? and the one before that, ... | 04:04 |
Xenguy | News would come from the kernel crew? | 04:04 |
Xenguy | Huh, what *was* before that? | 04:05 |
Xenguy | Time flies | 04:05 |
onefang | I lost track. | 04:05 |
Xenguy | I think I did too | 04:05 |
Xenguy | Thankfully we can look all this shite up, unless we're feeling too lazy | 04:06 |
rrq | some people think of debian in terms of its default installation, and not as a huge repository of packages | 04:06 |
snork | I can't seem to find anything "before iptables". I can find that iptables seemed to start existing in 1998... could there have been a half decade of no firewall? | 04:07 |
brocashelm | still plenty of packages missing for some reason, even from stable (whereas unstable/testing/oldstable/oldoldstable might have them) | 04:08 |
onefang | I'm still pissed off at Debian for removing JPEG 2000 support from everything. Coz I have lots of those, coz OpenSim uses them. | 04:11 |
snork | Side note: Wikipedia [not a primary source] says that ipchains pre-dates iptables but does not provide a specific date. It also appears to be a netfilter product. | 04:18 |
* snork totally palms his forehead when he sees the name ipchains. | 04:18 |
onefang | Sounds painful. | 04:25 |
fluffywolf | ipchains was standard when I started using linux. | 04:40 |
fluffywolf | iptables didn't exist yet. | 04:41 |
fluffywolf | compatibility with ipchains lasted a _long_ time; I'd imagine the same will happen with iptables when it's deprecated. | 04:42 |
AlexLikeRock | fluffywolf, you are soooo old! XDDDD | 04:45 |
fluffywolf | ... | 04:47 |
fluffywolf | fuck off? | 04:47 |
snork | fluffywolf, the thing is... I think we have been living in that time of compatibility since late 2011 when nftables was added to the Linux kernel. How long is long? I don't seem to be able to find a way to put a Windows progress meter on that timeline. :-( | 04:58 |
* fluffywolf knows pretty much nothing about nftables | 04:59 |
onefang | Windows progress meters often run backwards. | 04:59 |
fluffywolf | lol | 04:59 |
snork | Well I was hoping for specifically a Windows progress meter because it would get close to the end and just kind of stay there a while. | 04:59 |
fluffywolf | so does the download progress bar on firefox on android, which is idiocy I still can't believe, yet keeps existing after updates... | 04:59 |
fluffywolf | the percentage it shows is correct, but the position of the bar seems essentially random. | 04:59 |
snork | The part that worries me is that we have been spoiled through a dozen years of compatibility by the legacy command utilities that hide the fact that we are really using nftables now. | 05:01 |
fluffywolf | speaking of which, do 6.* kernels nicely compile on chimaera? I've been meaning to try, but too many projects. | 05:02 |
onefang | There's two choices, ask Debian how long they'll hold onto iptables, or find someone to keep a hold of it for Devuan. | 05:02 |
onefang | I'm running 6.* backported kernel on chimaera. | 05:03 |
fluffywolf | oh, it's in backports now? wasn't last I checked. | 05:03 |
onefang | 6.0.0-0.deb11.6-rt-amd64 #1 SMP PREEMPT_RT Debian 6.0.12-1~bpo11+1 (2022-12-19) | 05:03 |
onefang | Has been backported for some time. | 05:04 |
onefang | As for being old, well some of us are Veteran Unix Admins. I've earned my greybeard. | 05:10 |
drbeco | Hey guys. I was looking for distros without systemd today, and I bumped into an article (that I do not have the link now, it was a quick read) that Debian is (now?) easy to remove systemd. I think this is not correct. Do you guys know something about it? | 05:11 |
fluffywolf | if that were true, onefang would have a lot more spare time. :P | 05:13 |
drbeco | lol | 05:14 |
snork | Why people continue to devalue age/experience I don't know. | 05:14 |
snork | drbeco, I feel like I had read something similar not-too-long ago but feel like that is a backpedaling move rather than a spirit of software freedom. My three cents™ | 05:15 |
onefang | In order to make Devuan, we have stripped systemd out of Debian, which also required us to remove systemd dependencies from some packages, and outright ban some packages coz they are to tied into systemd. Some packages we added to to avoid systemd dependencies. | 05:18 |
onefang | And some of those "to"s should be "too". lol | 05:18 |
drbeco | If it was that easy, right onefang .... | 05:20 |
gnarface | does anyone happen to know if "update-initramfs" magically bundles and loads any modules currently loaded when you run it? | 05:21 |
gnarface | i'm trying to figure out why the zram module is loading at boot on one system but not another, when i'm not calling it from /etc/modules in either | 05:22 |
drbeco | It was a sad sad move at the time. I regret not entering the discussion at the time. I was afraid my english would not fit into that heated conversation (or stone-throwing, I should say) | 05:22 |
drbeco | I would argue just one thing, that I regret not saying, and today i need to spit out (january 2023)... The ones that wanted systemd should have created a new distro, not Devuan. | 05:23 |
drbeco | I don't understand how/why we lost that battle till this day. | 05:23 |
drbeco | It was clear to me that that piece of crapware was being imposed against the will of a lot of users | 05:24 |
drbeco | Sorry about that. I guess I was with this in my throat till today. I was (am still, for one single server) a long term user of Debian | 05:25 |
fluffywolf | I used debian for a very, very long time. | 05:25 |
drbeco | I tried Devuan in the early days, it didn't work at the time (too early versions, some bugs, etc). I kept following Devuan to see the improvements | 05:25 |
drbeco | Today I have 1 Devuan, 1 Debian and 4 Slackwares around me. | 05:26 |
brocashelm | i never really used debian until lmde and devuan came along | 05:27 |
brocashelm | beowulf imo was the turning point | 05:28 |
rrq | gnarface: check /etc/initramfs-tools/modules | 05:29 |
drbeco | In 1998 I started with Slackware, first distro. It took me some many years, usually sets of 4 or 5 years hopping from distro to distro, to make a final choice for Debian. I experienced the Red Hat move to commercial, the Suse move to Microsoft, and the Gnome/Unity fiasco in Ubuntu... All deal breakers | 05:29 |
drbeco | and finally the systemd deal breaker for Debian | 05:30 |
gnarface | rrq: yea, i did and it's not in there either. no way it could have grabbed it on its own though? | 05:30 |
drbeco | (and other older ones that I can't recall exactly the order of...) | 05:30 |
rrq | gnarface: some people might have edited /usr/share/initramfs-tools/modules | 05:31 |
fluffywolf | I started with... hamm? slink? I don't remember. mid-late '90s, my 33mhz 486 was nice and shiny... | 05:32 |
drbeco | At the time of the systemd imposition, I was wondering if the maintainers of Debian would gladly move to Slackware. But Devuan was created, I guess for many reasons (apt and deb package being one, and Patrick Volkerding hard to deal with management being other). Of course the maintainers would prefer a fork with all the environment alike | 05:33 |
drbeco | I don't remember hamm or slink, fluffywolf | 05:33 |
fluffywolf | I seem to remember upgrading to slink at some point... | 05:34 |
drbeco | I used some rpm based (notably opensuse and before that conectiva that was bought by mandrake to become mandriva) | 05:34 |
* fluffywolf doesn't remember well that far back | 05:34 |
fluffywolf | heh | 05:34 |
drbeco | but it was only in 2001 when I finally removed dual boot! It was under the opensuse era! What a great feeling, what a courage at the time. | 05:35 |
gnarface | rrq: good tip but that's not it either | 05:36 |
fluffywolf | I kept doing dual-boot with dos and then windows, and kept never booting it... | 05:36 |
rrq | hmm, then it must be the initramfs-tools scripts doing it | 05:36 |
drbeco | that is the way to go! When you feel confident you are not using it anymore, it is time to remove it for good and use the full HD | 05:37 |
fluffywolf | I haven't had a dual-boot box in a long time now. heh. | 05:37 |
fluffywolf | wine runs the one windows application I use routinely. | 05:38 |
drbeco | during dualboot time, I remember linux could read windows partition but not the other way around. Then the ntfs of the windows became my "HOME", so I could use the HD anyways | 05:38 |
drbeco | which one is that? | 05:38 |
fluffywolf | although I want to do more with CAD soon, which might mean a working windows install. | 05:38 |
fluffywolf | alldata | 05:38 |
drbeco | never used | 05:38 |
fluffywolf | (automotive service software) | 05:38 |
drbeco | I had trouble using matlab during the phd. But then I got this version for linux that worked as a charm. It was the only one I remember I used. | 05:39 |
drbeco | winamp became amarok | 05:39 |
fluffywolf | it's a >100GB blob of service info. enter year, make, model, pulls up specs and repair procedures. | 05:39 |
drbeco | Oh, I remember missing the EUDORA email client! That was sooo coool! The sounds, it was amazing. Do you remember Eudora? | 05:40 |
fluffywolf | yep, but I never used it much. | 05:41 |
fluffywolf | anyway, stop making me feel old. :P | 05:41 |
snork | fluffywolf, is that strictly lookup or does it connect to cars [with ODB2 for example]? | 05:42 |
onefang | Think you have wandered off into #devuan-offtopic now. | 05:42 |
drbeco | :) | 05:42 |
snork | I mean OBD2... I'm just wondering how well wine can manage the connection. | 05:43 |
drbeco | https://tedium.co/2017/09/28/eudora-email-history/ | 05:43 |
fluffywolf | snork: it's strictly lookup. it's mostly scans of factory service manuals and a bunch of indexing. | 05:44 |
fluffywolf | for odb2, I have an original snap-on MODIS... which runs windows. heh. | 05:44 |
fluffywolf | obd2 | 05:45 |
fluffywolf | or the windows-like shit that is CE. | 05:45 |
onefang | Win-CE was well named. | 05:46 |
snork | Okay, that statement took me too long to "get". I'm goin' to bed. :-) | 05:47 |
snork | Thanks folks! | 05:47 |
fluffywolf | lol | 05:47 |
fluffywolf | 'night! | 05:47 |
fluffywolf | onefang: how do I make my compactflash wifi card work on it? :P | 05:48 |
* fluffywolf hasn't figured out drivers | 05:48 |
onefang | This is why we have #devuan-offtopic, so I don't have to trawl through a few pages of off topic chatter to figure out "it" might mean Kernel 6.*? | 05:50 |
fluffywolf | I was joking you must have experience with CE, since you knew the well-named joke, and thus could figure out how to make drivers on it work... | 05:52 |
* fluffywolf didn't actually expect onefang was a win-ce expert | 05:52 |
onefang | My programming and admin career spans 4 decades, and covers a LOT of ground. But nope, not a win-ce expert. I have been paid in the past to work with Microsoft stuff, just not that particular one. | 05:53 |
fluffywolf | you're way too sane to have been a ce expert. :P | 06:00 |
fluffywolf | bbl | 06:10 |
gnarface | rrq: the plot thickens! i just realized i'm not even using initramfs on either of these machines | 07:38 |
gnarface | rrq: ah! nevermind, i just remembered i had to actually write the init.d script for the one that's working and i forgot to copy it over | 07:40 |
Guest48 | Hello, I tried to register to the forums, but keep getting "Unfortunately it looks like your request is spam." May I receive some help with that? | 13:45 |
buZz | oh right, there's a forum | 13:45 |
buZz | Guest48: have you read https://dev1galaxy.org/viewtopic.php?pid=1736#p1736 | 13:46 |
buZz | > How to make sure that you aren't accidentally classified as spam | 13:46 |
buZz | and > What to do if your registration attempt is classified as spam | 13:46 |
Guest48 | I haven't yet | 13:46 |
buZz | so you didnt read | 13:46 |
Guest48 | Will do it now, thx | 13:46 |
buZz | its literally on the register page > What to do if your registration attempt is classified as spam | 13:46 |
buZz | eh What to do if your registration attempt is classified as spam | 13:46 |
buZz | dangit | 13:46 |
buZz | nevermind | 13:46 |
devuser | Looking for best how to: For Compiling Devuan from scratch so I can take out kernel code not needed. | 17:36 |
devuser | https://www.devuan.org/ - does not seem to have any help. | 17:38 |
clemens3 | if you find something i am also interested, or for debian as well.. | 18:07 |
u-amarsh04 | after getting the git kernel source, the packages required by build-essential and whatever else is needed, running "make -j5 menuconfig bindeb-pkg" from /usr/src/linux works | 18:33 |
u-amarsh04 | that at least gets you the kernel | 18:34 |
brocashelm | just found out non-free-firmware is a thing in debian/devuan now | 22:49 |
brocashelm | so i added it to my sources.list | 22:49 |
devuser | Thank you so much USER: [ u-amarsh04 ] Very helpful.... | 22:54 |
rwp | brocashelm, Hasn't the non-free repository suite always been a thing? Hasn't it always been needed for various reasons? Debian decided recently to add non-free drivers to the installer image though. | 22:59 |
golinux | YEA! Back on IRC! | 23:01 |
brocashelm | rwp: i meant the addition of non-free-firmware (e.g. main contrib non-free non-free-firmware) | 23:02 |
brocashelm | although i think that's only for testing/unstable right now? | 23:02 |
rwp | "non-free-firmware"? (eyes wide) That's a thing now? | 23:03 |
brocashelm | yup | 23:03 |
brocashelm | https://dev1galaxy.org/viewtopic.php?id=5512 | 23:03 |
rwp | Hmm... I guess I should research through debian-* lists and figure out why this happened... Thanks for the heads-up about it! | 23:05 |
onefang | Certain things like video cards and WiFi need non free firmware, coz the company making the hardware hasn't released the source, and either no one has reverse engineered it to write an open source version, or they did but it doesn't work as well. | 23:05 |
rwp | You are preaching to the choir onefang! But why did they move it from non-free to a new directory non-free-firmware? That's the question. | 23:07 |
rwp | Also onefang I am trying to debug down through apt-cacher-ng mirror failure that eventually happened again to me today. Tedious! | 23:08 |
brocashelm | i guess this is something to prepare for come the release of daedalus | 23:08 |
brocashelm | afaik, it hasn't entered chimaera | 23:08 |
brocashelm | so you still get the same three | 23:08 |
rwp | Maybe it was a compromise. To allow required blobs in without allowing other non-free software in? I don't know. Just guessing. | 23:09 |
rwp | (I have a strong opinion that blobs are different from non-free software and should be treated like hardware not software.) | 23:10 |
brocashelm | i guess we'll see. i have downgraded all of my ceres packages to daedalus and kept local deb files for anything i use that's not on daedalus | 23:10 |
* onefang wishes I could apt upgrade my video card's hardware. | 23:10 |
brocashelm | i was on ceres for three years straight since switching to devuan, so now i will take a break from shiny new shit syndrome and stay on daedalus while it's stabilizing | 23:12 |
brocashelm | kinda surprised about the fourth addition, nonetheless | 23:12 |
Jjp137 | ah there's a notice about the non-free-firmware component on the top here: https://wiki.debian.org/Firmware | 23:39 |
gnarface | will the non-free firmware all be moved to "non-free-firmware" or will it merely be duplicated there? | 23:48 |
fsmithred_ | gnarface, so far, I still see firmware-linux-free and firmware-amd-graphics in sid non-free | 23:52 |
fsmithred_ | quick skimming of the debian wiki page, I don't see an answer. They do say things are changing rapidly as they implement the new repo. | 23:54 |
rolfh | On devuan when adding non-free-firmware apt works flawlessly, but I can't find the firmware-amd-graphics, apt list does not show this package. The merge isn't prepared for such a change ... | 23:58 |
rolfh | Valid for Daedalus = testing. | 23:59 |