<Mangix>
after writing that I found the setting in UEFI
<Mangix>
no more tools/xxd. Cool.
MaxSoniX has joined #openwrt-devel
robimarko has joined #openwrt-devel
cbeznea has quit [Quit: Leaving.]
cbeznea has joined #openwrt-devel
<f00b4r0>
well my ignorance of ipv6 is immense. It seems some ports must be opened on the router for ipv6 traffic to be forwarded between lan hosts and wan, because if I set the lan interface input rule to "reject", it no longer works
<PaulFertser>
Probably it's not about forwarding but about answering "router advertisement" RA packets?
<f00b4r0>
i'm looking at tcpdump and that makes sense yes
borek has quit [Ping timeout: 480 seconds]
cbeznea has quit [Quit: Leaving.]
<f00b4r0>
hmm it seems I can't get it right :(
<PaulFertser>
If lan client can use "rdisc6" then it should be enough to get proper routes.
<PaulFertser>
If it also provides a prefix for SLAAC then it should be enough to get connectivity. Else you'd need to additionally enable DHCPv6.
<f00b4r0>
it's a static ipv6 client. Seems that allowing icmp6 on router fixes it.
<f00b4r0>
(it's a dmz scenario, I don't want the client to have broad access to the router)
rua has quit [Ping timeout: 480 seconds]
<f00b4r0>
icmp6 input (on dmz iface)
<PaulFertser>
I could never find a solid reference on what DMZ really is.
<PaulFertser>
f00b4r0: well, it talks about some different things, doesn't mention any standards or university textbooks etc. The description as it is seems kinda vague.
<f00b4r0>
the second sentence of the first paragraph seems rather clear to me though :)
rua has joined #openwrt-devel
<PaulFertser>
The article seems to imply some threat model but I can't really see what it is exactly.
cbeznea has joined #openwrt-devel
<f00b4r0>
external facing host compromised; compromise is contained to the dmz since the external facing host cannot access the actual LAN.
Tapper has quit [Ping timeout: 480 seconds]
<PaulFertser>
It talks about having proxies which have "limited access" to a server in LAN, so why can't that server be compromised via the proxy?
<f00b4r0>
i don't know about this proxy explanation, my reading of the article stopped at the abstract :)
<PaulFertser>
Also, that external facing host is likely to need some LAN resources to do any meaningful work anyway, e.g. access to database.
<f00b4r0>
not in my case
<PaulFertser>
I'm not trying to argue for the sake of arguing, it's just that I really am confused by this DMZ thing that people mention every now and then.
<f00b4r0>
in my case I'm treating the openwrt buildbot as "potentially compromised". I don't want it to have access to my LAN. It needs access to WAN, period.
<f00b4r0>
I hope this gives you a clearer example.
<stintel>
the fact that DMZ is used differently in many consumer devices, where configuring a DMZ host results in all incoming traffic on wan being forwarded to that DMZ host, probably only adds to the confusion :)
<PaulFertser>
That's pretty clear but seems to contradict the idea outlined in that wiki article :)
<f00b4r0>
stintel: oh yeah; that's indeed a misnomer imho
Tapper has joined #openwrt-devel
Ansuel has joined #openwrt-devel
<Ansuel>
guess who encountered the rate limit for github actions?
<Ansuel>
API rate limit exceeded for installation ID 16402925.
<ynezz>
Ansuel: pong, what do you need with docker images?
<Ansuel>
ynezz: I'm making some progress with including precompiled stuff in a docker image... wanted to know if you had some info on how to push a docker image from an openwrt github action... currently on my testing repo I have to login to my docker.io and push the image... wonder if you know how it works with ghcr.io and pushing it from the openwrt repo
<Ansuel>
ok so if I'm not wrong we have to make the login and add the token just like I do in my action... will search other info about it... currently I'm still trying to understand why the host packages are rebuilt even if I provide dl, build_dir and staging_dir...
minimal has left #openwrt-devel [Leaving]
dangole has joined #openwrt-devel
Lechu has quit [Ping timeout: 480 seconds]
* jow
puts the gloves on and carefully opens the miniupnpd can of worms
* jow
... screams in terror, drops the lid and runs away
<stintel>
jow: :D
soxrok2212 has quit [Read error: Connection reset by peer]
<stintel>
yeah the PR was also merged without proper review, I pinged you but I understand you were busy
indy_ has joined #openwrt-devel
<stintel>
but my xbox has open nat so I'm just gonna ignore all other problems with it
<stintel>
it's the only thing I'm using it for
<jow>
well the conceptual problem of using a different table is unsolved
<jow>
traffic accepted in the miniupnpd table might still get dropped in the fw4 one
indy has quit [Ping timeout: 480 seconds]
<stintel>
ah yes I read something about that
<jow>
so we need to add a chain to the fw4 table
<jow>
and drop the extra table approach
<jow>
problem is then that a firewall restart will clear out the upnp port mappings
<stintel>
I've said it before, we should probably consider a from scratch upnp implementation
<jow>
but it would do so soon anyway because people already demand that "fw4 restart" clears all tables, not just fw4
<stintel>
but yeah nih, reinventing the wheel, yada yada
soxrok2212 has joined #openwrt-devel
<jow>
so I think we can live with the fact that a firewall restart clears mappings
<jow>
maybe the rules could be even restored, have to see
<stintel>
in other news, I flashed back OpenWrt to my rpiz2w and the camera magically works ¯\_(ツ)_/¯
<stintel>
maybe some kind of signal to upnp that tells it to redo its magic
<stintel>
dunno just thinking out loud
<jow>
yeah, thought the same
<jow>
ideally just killall -HUP miniupnpd and it simply resyncs the firewall
<Ansuel>
jow in theory the rules are in a txt file so they can be restored
<jow>
Ansuel: yep, that would be my fallback solution
<jow>
not ideal but might work as stop gap
<jow>
or use something like upnpc to instruct miniupnpd to stage the rules
<jow>
my main worry is that eventually miniupnpd constructs other rules than what we implement in the shell script
<jow>
using other matches or so
<jow>
hmm
<jow>
Error: Could not process rule: No such file or directory
<jow>
root@er-x:~# /etc/init.d/miniupnpd restart
<jow>
delete table inet miniupnpd
<jow>
that went south fast
indy_ has quit [Ping timeout: 480 seconds]
valku has joined #openwrt-devel
borek has quit [Ping timeout: 480 seconds]
Piraty has quit [Quit: --]
Piraty has joined #openwrt-devel
Lechu has joined #openwrt-devel
aleksander has quit [Quit: Leaving]
<Ansuel>
wall text incoming... sorry...
<Ansuel>
I finally found the reason... it's all in how the stamp is generated...
<Ansuel>
in short the stamp is generated from the function $(call find_md5,${CURDIR} $(PKG_FILE_DEPENDS),)
<Ansuel>
problem is in CURDIR that contains the absolute path... for this reason with the same files in /tools/flock (for example)
<Ansuel>
2 different md5 hashes are generated if the absolute path is
<Ansuel>
ok jow ynezz nbd I need some help... I'm investigating why host packages are rebuilt using AUTOREMOVE when they are used on a different buildroot
<Ansuel>
/home/ansuel/openwrt-todel/openwrt/tools/flock (ab2d01de90c44022191633e65299d383) and
<jow>
stintel: the only wart is the need to register a script include in uci to restart miniupnpd after firewall restarts. But that's a convenience thing and not mission critical imho
<stintel>
jow: nice, I'll try to have a go at it this week still
<stintel>
if I'm not summoned to mpk :P
<jow>
maybe we should reintroduce hotplug events in fw4
<jow>
fw3 emitted hotplug events for certain events
<jow>
could use the same here to hook upnp restart without the need to expose any includes in uci
* stintel
currently fighting V4L2 in the kernel
<stintel>
what a config symbol mess
<jow>
what's the maintainer situation for miniupnpd?
<jow>
may I simply push or will that upset anyone?
<stintel>
rsalvaterra: it's not really supported in OpenWrt right now, the related kmod packages are ancient and need a major overhaul, but the dependency of config symbols is a horrific mess
<stintel>
I've had a few attempts already, but every time it's a wasted day with nothing achieved
<rsalvaterra>
Hm. That's unfortunate, years ago I thought of running tvheadend in OpenWrt with a USB DVB tuner.
<rsalvaterra>
Fortunately that plan went nowhere.
<stintel>
:P
<stintel>
I have a PCIe DVB-C tuner in Belgium to watch the FTA channels
<stintel>
since Telenet ditched the first generation of STBs, there is no illegal decrypting anymore
<Slimey>
stintel i miss the days of HU "football" cards with DirecTV heh
<Slimey>
still have that programmer somewhere
<stintel>
Package kmod-video-videobuf2 is missing dependencies for the following libraries:
<stintel>
mc.ko
<stintel>
videodev.ko
<stintel>
aaargh ffs, it fucking depends on kmod-video-core which has those modules
goliath has quit [Quit: SIGSEGV]
<stintel>
probably time for systemctl poweroff
<Ansuel>
plug everything off is a better approach sir
<rsalvaterra>
Kill it with fire.
<rsalvaterra>
Or nuke it from orbit.
<blocktrron>
rsalvaterra: well, there was a commercial product in Germany that combined a wifi repeater with a DVB tuner to stream TV
<rsalvaterra>
Streaming over Wi-Fi? Ugh…
<blocktrron>
so if you want a second shot, the board is supported in OpenWrt (w/o the DVB tuner)
<rsalvaterra>
Heh… if it's unicast, it will probably work, but that would defeat the whole point of having a central tuner and multicasting to several clients.