schwicht has quit [Quit: My MacBook has gone to sleep. ZZZzzz…]
schwicht has joined #openwrt-devel
rua has joined #openwrt-devel
Daanct12 has quit [Quit: WeeChat 4.0.4]
FLD is now known as Guest493
FLD has joined #openwrt-devel
<jow>
I would like to extend the x86 default network config generation to cover all ethX interfaces present at board detect time
<jow>
so that they at least end up in /etc/board.json
<jow>
ideally I would've liked to add all but one to the lan bridge and designate one as wan
<jow>
however since x86 historically defaults to eth0=lan and eth1=wan (if present) it would lead to a weird port mapping of eth0,eth2,eth3,...=lan and eth1=wan
<jow>
so I was considering to add the additional ethX devices as proto=none interfaces
dangole has quit [Remote host closed the connection]
dangole has joined #openwrt-devel
swalker has quit [Read error: No route to host]
swalker has joined #openwrt-devel
<f00b4r0>
jow: looks sane-ish. Question is: which fw zone do they end up in? Unassigned?
<schmars[m]>
My hunch would be unassigned. Btw can we do DSA on these vm net interfaces?
dangole has quit [Remote host closed the connection]
dangole has joined #openwrt-devel
goliath has joined #openwrt-devel
rsalvaterra has joined #openwrt-devel
<rsalvaterra>
Quick question… has fw4 reached 100 % feature parity with fw3? (I'm asking this because it fails to parse my fw3 config.)
<rsalvaterra>
I noticed flow offloading was dropped from iptables in 6.1, so I thought "what the hell, might as well migrate to nftables and fw4". I kept clinging to fw3 because I was pretty sure I would run into issues with fw4. I guess I was right. :P
robimarko has quit [Remote host closed the connection]
<rsalvaterra>
Ugh… option extra isn't supported in redirects. Or anywhere, apparently, for that matter.
<rsalvaterra>
Is this by design?
swegener has joined #openwrt-devel
schwicht has quit [Quit: My MacBook has gone to sleep. ZZZzzz…]
<jow>
rsalvaterra: yeah, because option extra contains direct iptables arguments, you can integrate those into nftables expressions
<jow>
*you can't
<rsalvaterra>
So… how does one match a TCP set flag (case in point, SYN), in a redirect? :/
<rsalvaterra>
(In /etc/config/fireww
<rsalvaterra>
*firewall
<jow>
why would that be needed?
<rsalvaterra>
jow: To create a transparent bridge for Tor.
<jow>
short answer is you can't
<jow>
if you need stuff not covered by uci you need to write direct nft rules
<jow>
fw4 provides various hooks and places to include custom nft snippets
<rsalvaterra>
That's… what I was trying to avoid. :(
<rsalvaterra>
I thought that 'extra' would be provided in fw4 but, incompatible with fw3 (i.e., if you used it, you would know it would break).
<jow>
why is that syn match needed though?
<jow>
because the stuff you dnat/snat is not conntracked?
<rsalvaterra>
I guess it's an optimisation? It seems you only need to match the SYN, and everything is conntracked just fine.
<jow>
well non-syn packets will never hit that rule
<jow>
... again, once the conntrack entry is up
<rsalvaterra>
Anyway, I was hoping to avoid /etc/nftables.d, but I guess I'll have to use it.
<jow>
for that syn optimization?
<jow>
I mean it should just work without
<rsalvaterra>
It does work without it, yes. :)
<rsalvaterra>
It does, however, require me to specify src_dport 1-65535, which wasn't needed before.
<slh>
I'm not sure how sensible it would be to set eth0 as wan, if there are at least two ethernet cards present at the time 02_network gets executed (and then bridging the rest to lan by default) on x86, it shouldn't affect existing systems
<jow>
slh: yeah, but I will change the default behaviour
<jow>
s/I/it/
<jow>
imagine having some kind of automated testup bringing up VMs with two nics and suddenly their roles are swapped
<jow>
it's one of those things that should've been thought out from the beginning, now we're stuck with past decisions
<slh>
well, without any kind of state, that's a bit optimistic
<dwfreed>
your first nic may not always be eth0 depending on probe order
<jow>
I am aware of all that
<jow>
but given the same kernel, same image, same circumstances
<slh>
that part (probe order, especially with usb being popular for USSF systems) is more of a concern
<slh>
s/USSF/USFF/
<jow>
I abandoned the idea now and added a hack for my use case
schwicht has joined #openwrt-devel
<stintel>
Mangix: feel free to report issue and assign to me but will not look at it before September
tidalf has quit [Remote host closed the connection]
tidalf has joined #openwrt-devel
minimal has quit [charon.oftc.net kinetic.oftc.net]
FLD has quit [charon.oftc.net kinetic.oftc.net]
neocturne has quit [charon.oftc.net kinetic.oftc.net]
bookworm has quit [charon.oftc.net kinetic.oftc.net]
fakuivan has quit [charon.oftc.net kinetic.oftc.net]
schmars[m] has quit [charon.oftc.net kinetic.oftc.net]
ldir has quit [charon.oftc.net kinetic.oftc.net]
KanjiMonster has quit [charon.oftc.net kinetic.oftc.net]
owrt-images-builds has quit [charon.oftc.net kinetic.oftc.net]
takimata has quit [charon.oftc.net kinetic.oftc.net]
nbd has quit [charon.oftc.net kinetic.oftc.net]
rsalvaterra has quit [charon.oftc.net kinetic.oftc.net]
stintel has quit [charon.oftc.net kinetic.oftc.net]
zkrx has quit [charon.oftc.net kinetic.oftc.net]
zer0def has quit [charon.oftc.net kinetic.oftc.net]
xdarklight has quit [charon.oftc.net kinetic.oftc.net]
colo has quit [charon.oftc.net kinetic.oftc.net]
KGB-0 has quit [charon.oftc.net kinetic.oftc.net]
DLange has quit [charon.oftc.net kinetic.oftc.net]
Shados has quit [charon.oftc.net kinetic.oftc.net]
rua has quit [charon.oftc.net helix.oftc.net]
tidalf has quit [charon.oftc.net helix.oftc.net]
dgcampea has quit [charon.oftc.net helix.oftc.net]
tmn505 has quit [charon.oftc.net kinetic.oftc.net]
Obi-Wan has quit [charon.oftc.net helix.oftc.net]
robje has quit [charon.oftc.net helix.oftc.net]
tom- has quit [charon.oftc.net helix.oftc.net]
jow has quit [charon.oftc.net helix.oftc.net]
PaulFertser has quit [charon.oftc.net helix.oftc.net]
lucenera has quit [charon.oftc.net helix.oftc.net]
ahf has quit [charon.oftc.net helix.oftc.net]
lynxis has quit [charon.oftc.net helix.oftc.net]
KGB-2 has quit [charon.oftc.net helix.oftc.net]
slh has quit [charon.oftc.net helix.oftc.net]
djfe has quit [charon.oftc.net helix.oftc.net]
minimal has joined #openwrt-devel
neocturne has joined #openwrt-devel
Obi-Wan has joined #openwrt-devel
bookworm_ has joined #openwrt-devel
xdarklight has joined #openwrt-devel
KanjiMonster has joined #openwrt-devel
DLange has joined #openwrt-devel
ldir has joined #openwrt-devel
minimal is now known as Guest565
fakuivan has joined #openwrt-devel
zkrx has joined #openwrt-devel
KGB-2 has joined #openwrt-devel
KGB-0 has joined #openwrt-devel
tidalf has joined #openwrt-devel
takimata has joined #openwrt-devel
stintel has joined #openwrt-devel
tmn505 has joined #openwrt-devel
Tapper has quit [Read error: Connection reset by peer]
danitool has quit [Remote host closed the connection]