Re: [gentoo-user] Re: Slow network transfers ... lost interrupts because of clocksource?

2013-10-13 Thread Stefan G. Weichinger
Am 10.10.2013 16:38, schrieb Stefan G. Weichinger:
> I don't plan to stay with 3.8.13, this is just an intermediate step to
> get a working config. For now I don't have any more lost hpet interrupts
> etc and the LAN speed is fine. Emerging packages as well ...
> 
> From this config I will then try 3.10.7-r1 again.

Went back to 3.10.7-r1 yesterday ... performance fine so far.

Today I checked back and found the following in dmesg.
Should I disable some option?

Thanks for any feedback, Stefan



[20788.258330] NMI backtrace for cpu 16
[20788.258334] CPU: 16 PID: 0 Comm: swapper/16 Not tainted
3.10.7-gentoo-r1 #1
[20788.258336] Hardware name: HP ProLiant DL385p Gen8, BIOS A28 12/10/2012
[20788.258338] task: 88042dcc9fe0 ti: 88042dcd6000 task.ti:
88042dcd6000
[20788.258340] RIP: 0010:[]  []
acpi_idle_enter_simple+0x9e/0xde [processor]
[20788.258346] RSP: 0018:88042dcd7e78  EFLAGS: 0093
[20788.258348] RAX: 12e824917a00 RBX: 880c2d1c78a0 RCX:
b6e8
[20788.258350] RDX: 0ff9 RSI: 88082fc8 RDI:
b6e0
[20788.258352] RBP: 0002 R08:  R09:
0192
[20788.258354] R10: 0001 R11:  R12:
880c2d1c7800
[20788.258356] R13: 12e605db654b R14: a00087d8 R15:

[20788.258358] FS:  7fcbeb7de700() GS:88082fc8()
knlGS:f77556c0
[20788.258360] CS:  0010 DS:  ES:  CR0: 8005003b
[20788.258362] CR2: 7fd4098d2000 CR3: 00042d3a4000 CR4:
000407a0
[20788.258364] DR0: 00a0 DR1:  DR2:
0003
[20788.258365] DR3: 00b0 DR6: 0ff0 DR7:
0400
[20788.258367] Stack:
[20788.258368]  88102ccd4c00 a0008710 0002
8140284b
[20788.258371]   01f6 
81403b11
[20788.258374]  88102ccd4c00 0002 a0008710
88042dcd7fd8
[20788.258378] Call Trace:
[20788.258382]  [] ? cpuidle_enter_state+0x4b/0xe0
[20788.258386]  [] ? ladder_select_state+0x31/0x1e0
[20788.258390]  [] ? cpuidle_idle_call+0x9a/0x140
[20788.258394]  [] ? arch_cpu_idle+0x9/0x30
[20788.258398]  [] ? cpu_startup_entry+0x59/0x130
[20788.258399] Code: 01 03 75 02 0f 09 e8 1f 50 08 e1 8a 43 08 3c 01 75
0a 48 89 df e8 c0 78 04 e1 eb 17 3c 02 75 07 e8 0f f9 ff ff eb 0c 8b 53
04 ec <48> 8b 15 4c e0 81 e1 ed 31 ff e8 90 50 08 e1 80 7b 08 01 74 10
[20788.258440] NMI backtrace for cpu 20
[20788.258444] CPU: 20 PID: 0 Comm: swapper/20 Not tainted
3.10.7-gentoo-r1 #1
[20788.258445] Hardware name: HP ProLiant DL385p Gen8, BIOS A28 12/10/2012
[20788.258447] task: 88042dccb960 ti: 88042dcde000 task.ti:
88042dcde000
[20788.258449] RIP: 0010:[]  []
acpi_idle_enter_simple+0x9e/0xde [processor]
[20788.258456] RSP: 0018:88042dcdfe78  EFLAGS: 0093
[20788.258457] RAX: 12e824919a00 RBX: 880c2d1c50a0 RCX:
b6e8
[20788.258459] RDX: 0ff9 RSI: 88082fd0 RDI:
b6e0
[20788.258461] RBP: 0002 R08:  R09:
0193
[20788.258463] R10: 0001 R11:  R12:
880c2d1c5000
[20788.258464] R13: 12e605db857d R14: a00087d8 R15:

[20788.258467] FS:  7fcbeb7de700() GS:88082fd0()
knlGS:f778d700
[20788.258469] CS:  0010 DS:  ES:  CR0: 8005003b
[20788.258471] CR2: 7fd4098d2000 CR3: 00042d3a4000 CR4:
000407a0
[20788.258473] DR0: 00a0 DR1:  DR2:
0003
[20788.258474] DR3: 00b0 DR6: 0ff0 DR7:
0400
[20788.258476] Stack:
[20788.258477]  880c2d9e0400 a0008710 0002
8140284b
[20788.258480]   01f7 
81403b11
[20788.258484]  880c2d9e0400 0002 a0008710
88042dcdffd8
[20788.258487] Call Trace:
[20788.258491]  [] ? cpuidle_enter_state+0x4b/0xe0
[20788.258495]  [] ? ladder_select_state+0x31/0x1e0
[20788.258498]  [] ? cpuidle_idle_call+0x9a/0x140
[20788.258502]  [] ? arch_cpu_idle+0x9/0x30
[20788.258506]  [] ? cpu_startup_entry+0x59/0x130
[20788.258508] Code: 01 03 75 02 0f 09 e8 1f 50 08 e1 8a 43 08 3c 01 75
0a 48 89 df e8 c0 78 04 e1 eb 17 3c 02 75 07 e8 0f f9 ff ff eb 0c 8b 53
04 ec <48> 8b 15 4c e0 81 e1 ed 31 ff e8 90 50 08 e1 80 7b 08 01 74 10





Re: [gentoo-user] scripted iptables-restore (was: Where to put advanced routing configuration?)

2013-10-13 Thread Pandu Poluan
On Oct 13, 2013 5:09 PM, "Martin Vaeth" 
wrote:
>
> >> 5. You can't script iptables-restore!
> >
> > Well, actually you can script iptables-restore.
>
> For those who are interested:
> net-firewall/firewall-mv from the mv overlay
> (available over layman) now provides a separate
> firewall-scripted.sh
> which can be conveniently used for such scripting.
>

Thanks, Martin! I was about to create my own preprocessor, but I'll check
out yours first. If it's what I had planned, may I contribute, too?

Rgds,
--


Re: [gentoo-user] scripted iptables-restore

2013-10-13 Thread Pandu Poluan
On Oct 13, 2013 9:15 PM, "Michael Orlitzky"  wrote:
>
> On 10/13/2013 06:08 AM, Martin Vaeth wrote:
> >>> 5. You can't script iptables-restore!
> >>
> >> Well, actually you can script iptables-restore.
> >
> > For those who are interested:
> > net-firewall/firewall-mv from the mv overlay
> > (available over layman) now provides a separate
> > firewall-scripted.sh
> > which can be conveniently used for such scripting.
> >
>
> You snipped the rest of my point =)
>
> > You can write a bash script that writes an iptables-restore script to
> > accomplish the same thing, but how much complexity are you willing to
> > add for next to no benefit?
>
> If you have a million rules and you need to wipe/reload them all
> frequently you're probably doing something wrong to begin with.
>
> With bash, you can leverage all of the features of bash that everybody
> already knows. You can read files, call shell commands, pipe between
> them, etc. You can write bash functions to avoid repetitive commands.
> You can write inline comments to explain what the rules do.
>
> Something like,
>
>   # A function which sets up a static mapping between an external IP
>   # address and an internal one.
>   #
>   # USAGE: static_nat  
>   #
>   function static_nat() {
>   iptables -t nat -A PREROUTING  -d "${2}" -j DNAT --to "${1}"
>   iptables -t nat -A POSTROUTING -s "${1}" -j SNAT --to "${2}"
>   }
>
> can make your iptables script a lot cleaner, and it conveys your intent
> better when the rule is created:
>
>   # Danny likes to torrent "linux isos" at work so he needs a public ip
>   static_nat 192.168.1.x 1.2.3.x
>
> I'm not saying you can't do all of this with iptables-restore, just that
> you're punishing yourself for little benefit if you do.
>

One benefit of being familiar with iptables-save and iptables-restore: you
can use iptables-apply.

Might save your sanity if you fat-fingered your iptables rule.

Just do `iptables-apply -t 180 <( preprocessor.sh new-rules.conf)`. Changes
are done atomically. After 180 seconds, if you don't indicate to
iptables-apply that the changes are proper, it atomically reverts the whole
netfilter tables.

bash scripts are powerful, but there might be unexpected cases that render
the netfilter tables wildly different from what you actually want.

The file format used by iptables-{save,restore,apply} is more like a
domain-specific language; less chance of partial mistakes. And it's atomic:
Either everything gets applied, or none gets applied (without clobbering
existing in-effect rules).

Rgds,
--


Re: [gentoo-user] Re: scripted iptables-restore

2013-10-13 Thread Michael Orlitzky
On 10/13/2013 04:07 PM, Martin Vaeth wrote:
>>
>> I was just reiterating that there's not much benefit to save/restore if
>> you're doing things properly (pontification alert!).
> 
> For a laptop of a scientist like me this is not true at all - it must
> often be connected in a different environment with different
> local nets etc.

Sure, but do the rules change? Is there a better ruleset that
accomplishes the same thing with fewer (or universal) rules? How many
rules do you have at the location requiring the most rules?

Most laptops should be OK with the following:

  iptables -P INPUT DROP
  iptables -P FORWARD DROP
  iptables -P OUTPUT ACCEPT

  iptables -A INPUT -p ALL -i lo -j ACCEPT
  iptables -A INPUT -p ALL -m conntrack \
--ctstate ESTABLISHED,RELATED -j ACCEPT
  iptables -A INPUT -p ALL -m conntrack \
--ctstate INVALID -j DROP

  ALLOWED_ICMP="0 3 4 8 11 12"
  for icmp_type in $ALLOWED_ICMP; do
iptables -A INPUT -p icmp --icmp-type $icmp_type -j ACCEPT
  done

And creative setups should only require a few more rules. This all takes
under (1/10) of a second on my laptop.


> Also for other things (like portknocking using the recent module)
> you need rather complex rules which are better rewritten by a script,
> especially if the length of a portknocking sequence changes.
> Like passwords, these sequences should better not stay the same for
> too long...

Port knocking is cute, but imparts no extra security. A better, secure
way to achieve the same goal is with OpenVPN. And that doesn't require
you to play games with your firewall.

If you use your laptop at hotels, universities, and conferences, you'll
have a much happier time connecting to OpenVPN on tcp/443 (which nobody
can block) than you will trying to connect directly.


>> Race conditions don't really seem that serious to me.
> 
> Maybe, but I am not sure:
> There might be situations where it might be possible to keep
> a port open even when the rule is rewritten later on; then
> you need an open system only once...
> So, I could imagine that with some clever hacks an attacker
> might keep ports open and then do another attack later on.
> I am not an experienced hacker to know such attacks, but I
> know that races can be very subtle and provide attack vectors
> nobody has ever thought of.

In this case, the absolute worst that could happen is that an attacker
gains access to every open port on your system. While this is bad, it's
not a clever new vulnerability: it's all of the old ones that were
already there.

If there are insecure daemons listening on public addresses, you should
fix them instead of worrying about race conditions on the firewall.
Otherwise, every machine on your LAN becomes an attack vector, and
that's a much greater risk especially if your coworkers/friends use
Windows. And if we're still talking about laptops, the "LAN" is usually
"anybody nearby."




Re: [gentoo-user] Network failed and weird error message

2013-10-13 Thread Dale
Mick wrote:
> On Sunday 13 Oct 2013 13:26:31 Dale wrote:
>>
>> Memory question.  The mobo I have uses this:  "Support for DDR3
>> 1666(OC)/1333/1066 MHz memory modules"  I have the 1666 on here.  It was
>> what was on sale.  :-D  The new mobo calls for this:  "DDR3
>> 2000(OC)/1866/1600/1333/1066"  Are the two compatible?  Both are DDR3.
>>
>> Thanks.
>>
>> Dale
>>
>> :-)  :-)
>
> They are, although the new MoBo memory can be overclocked higher.  Bear in
> mind that some MoBos will complain if they are not fitted with identical
> memory modules.  Somehow I happen to come across them each time ...  :-(

So I can buy the mobo and reuse the memory I have now?  That will help a
LOT right now.  The new mobo will support twice the amount of ram but I
can upgrade that and the CPU later on.  The mobo I am looking at is this
one:

http://www.gigabyte.com/products/product-page.aspx?pid=4717#ov

The mobo I currently have is here:

http://www.gigabyte.com/products/product-page.aspx?pid=3320#sp

I don't overclock so I'm not worried about that.  I did it once with an
old Abit mobo with an AMD 2500+ CPU but it just didn't make much difference.

The memory I have is here:

http://www.newegg.com/Product/Product.aspx?Item=N82E16820231313

It appears I looked at something wrong here.  The one I have is the same
as what the mobo calls for.  I think???  I need to sleep more and I got
too much stuff going on.  :/  I wonder where I got the 1666 from??

It appears that I should be good to go with the new mobo.  Use my old
ram, upgrade with 8GB sticks as I can and they go on sale.  In the end,
I can have up to 32GBs of ram.  Talk about putting some stuff on tmpfs. 
O_O  I have always wanted to copy the tree to tmpfs and run "time emerge
-uvaDN world".  Just to see how fast it will go.  lol

If anyone sees anything here that won't work, let me know soon.  I plan
to order this thing pretty soon.  Given the USB issue, the ethernet
having issues, I'm worried something else may start to break as well.  :-(

Thanks to all.  Posting the question got me to see I made a boo boo
somewhere about the memory speed.  I think?

Dale

:-)  :-)

-- 
I am only responsible for what I said ... Not for what you understood or
how you interpreted my words!



Re: [gentoo-user] Re: scripted iptables-restore

2013-10-13 Thread William Kenworthy
On 14/10/13 04:07, Martin Vaeth wrote:
> Michael Orlitzky  wrote:
 [...]
 If you have a million rules and you need to wipe/reload them all
 frequently you're probably doing something wrong to begin with.
>>>
>>> I don't know how this is related with the discussion.
>>> The main advantage of using iptables-restore is avoidance of
>>> race conditions. A secondary advantage is a speed improvement;
>>> in my case, the machine boots about 2 seconds faster which can
>>> be a considerable advantage if you start virtual machines.
>>>
>>
>> I was just reiterating that there's not much benefit to save/restore if
>> you're doing things properly (pontification alert!).
> 
> For a laptop of a scientist like me this is not true at all - it must
> often be connected in a different environment with different
> local nets etc.
> Also for other things (like portknocking using the recent module)
> you need rather complex rules which are better rewritten by a script,
> especially if the length of a portknocking sequence changes.
> Like passwords, these sequences should better not stay the same for
> too long...
> 

...

If you are going to go to this bother ... why not use shorewall, create
a custom configuration for each site (including any changes to services)
and have your script just copy them in and restart the various
services including shorewall?  I have a number of networks from hotspots
to places where I need combinations of vpns, web servers and asterisk
available for demonstrations in lecture theatres through to travelling
and using hotel networks.

The iptables save feature gets a bit difficult to use with complex
setups and if you are doing something dynamic with the rules (fail2ban
for instance) it can save inappropriate rules which need manual culling.

I use a simple script with autosetup using network-manager (yuk,
horrible thing!) to detect known gateways and trigger the script with
that argument for either wifi or cable as appropriate  (or setup for
anonymous hotspot for unknown wifi, basic dhcp if unknown cable) - this
is on a macbook air if that matters.

BillK





[gentoo-user] Re: scripted iptables-restore

2013-10-13 Thread Martin Vaeth
Michael Orlitzky  wrote:
>>> [...]
>>> If you have a million rules and you need to wipe/reload them all
>>> frequently you're probably doing something wrong to begin with.
>>
>> I don't know how this is related with the discussion.
>> The main advantage of using iptables-restore is avoidance of
>> race conditions. A secondary advantage is a speed improvement;
>> in my case, the machine boots about 2 seconds faster which can
>> be a considerable advantage if you start virtual machines.
>>
>
> I was just reiterating that there's not much benefit to save/restore if
> you're doing things properly (pontification alert!).

For a laptop of a scientist like me this is not true at all - it must
often be connected in a different environment with different
local nets etc.
Also for other things (like portknocking using the recent module)
you need rather complex rules which are better rewritten by a script,
especially if the length of a portknocking sequence changes.
Like passwords, these sequences should better not stay the same for
too long...

> Race conditions don't really seem that serious to me.

Maybe, but I am not sure:
There might be situations where it might be possible to keep
a port open even when the rule is rewritten later on; then
you need an open system only once...
So, I could imagine that with some clever hacks an attacker
might keep ports open and then do another attack later on.
I am not an experienced hacker to know such attacks, but I
know that races can be very subtle and provide attack vectors
nobody has ever thought of.

> All of security is a trade-off, and in my opinion, having
> human-friendly, easily-readable rules (with error checking)

It is easy to switch to one method for testing and then back
when everything works: If you write $iptables ...
throughout you just have to set
iptables="iptables"
or
iptables="FwmvTables 4"
respectively. In fact, the firewall-mv script does this
(with a different mechanism) depending on a commandline switch.
Moreover, I observed that the error checking works with
iptables-restore as well as with iptables:
It shows you almost the same errors, including a line number.
So the only difference is that you have to count the lines
in the testing output instead of directly seeing the command...




Re: [gentoo-user] Network failed and weird error message

2013-10-13 Thread Mick
On Sunday 13 Oct 2013 13:26:31 Dale wrote:
> Dale wrote:
> > Alan McKinnon wrote:
> >> Basically, it looks like you have a once-off event.
> >> 
> >> Until it happens again, very little you can do wrt troubleshooting
> > 
> > I agree.  It ran for days with no problems that I saw.  Sure is weird
> > tho.  I just wonder if something outside the puter happened and
> > triggered something.  Who knows.
> > 
> > Dale
> > 
> > :-)  :-)
> 
> Still no fix on the error message.  Maybe it is hardware and related to
> this?  I started having issues with the network again.  This time, it
> wasn't just browsers.  It would be other stuff like Pidgin and such.
> Generally restarting the network corrected the problem, after restarting
> the other programs too since they would hang up.  Anyway, I got tired of
> this so I pulled a ethernet card from my junk drawer, pulled some hair
> out trying to find the dmfe driver in the kernel and got it working.
> Since moving away from the ethernet that is built into the mobo and to
> this card, not a issue yet.  I have not had a single hiccup.  So, as
> with my last rig, the ethernet port on the mobo just start to suck after
> a while it seems.  :/
> 
> Now I just wish I could figure out this other USB issue.  I suspect it
> could be a hardware issue.  I may have to upgrade my rig after all and I
> don't really want to do that and may not be able to right away.
> 
> Memory question.  The mobo I have uses this:  "Support for DDR3
> 1666(OC)/1333/1066 MHz memory modules"  I have the 1666 on here.  It was
> what was on sale.  :-D  The new mobo calls for this:  "DDR3
> 2000(OC)/1866/1600/1333/1066"  Are the two compatible?  Both are DDR3.
> 
> Thanks.
> 
> Dale
> 
> :-)  :-)

They are, although the new MoBo memory can be overclocked higher.  Bear in 
mind that some MoBos will complain if they are not fitted with identical 
memory modules.  Somehow I happen to come across them each time ...  :-(
-- 
Regards,
Mick




Re: [gentoo-user] Re: scripted iptables-restore

2013-10-13 Thread Michael Orlitzky
On 10/13/2013 11:19 AM, Martin Vaeth wrote:
>>>
>> [...]
>> If you have a million rules and you need to wipe/reload them all
>> frequently you're probably doing something wrong to begin with.
> 
> I don't know how this is related with the discussion.
> The main advantage of using iptables-restore is avoidance of
> race conditions. A secondary advantage is a speed improvement;
> in my case, the machine boots about 2 seconds faster which can
> be a considerable advantage if you start virtual machines.
> 

I was just reiterating that there's not much benefit to save/restore if
you're doing things properly (pontification alert!). I should say first
of all that save/restore is perfect for reboots. If you're not
*changing* anything, of course save/restore is better, and suffers none
of the problems that I mentioned: you don't read it, the output is fed
directly as input, no errors should occur...

The bash script is used a couple times a year, and really is there to
serve as the specification for what your firewall should do.

For example, I'm rebuilding our MX today. I checked the config out of
git, ran iptables-config (our script), ran /etc/init.d/iptables save,
and the firewall is up and running. When will I run the script again?
The next time I rebuild the server? That's certainly the last time I ran
it. We have firewalls that change more often, but not so frequently that
the speed would be a problem if it were 1000x slower.

The MX firewall is actually updated many times per day and accumulates
many rules, but they're inserted/deleted in-place by fail2ban, so a full
wipe/reload doesn't occur. If you have frequently-changing permanent
rules -- say, lots of static NAT entries going in/out for new employees
-- then you should be doing insert/delete instead of a full reload just
the same. But, add the rule to your iptables script (with a comment!) so
that you have it on the record. Once every six months or so, run the
thing to make sure nobody made a copy/paste error.

Race conditions don't really seem that serious to me. Of course, if
you're using iptables for both authorization and authentication, then
you're already doing something wrong, and you should fix that instead of
trying to make the broken thing run faster. But if not, who cares if
you're vulnerable to a brute force attack for 2 seconds? If you're
worried about that, implement a password policy. The firewall is the
last layer of defense-in-depth; if the absence of a firewall gives you
nightmares, the absence of a firewall is not your problem.

All of security is a trade-off, and in my opinion, having
human-friendly, easily-readable rules (with error checking) will prevent
more problems over time than does eliminating the race condition.




Re: [gentoo-user] using lvm without a partition of type linux LVM

2013-10-13 Thread gottlieb
On Sat, Oct 12 2013, thana...@asyr.hopto.org wrote:

> on 10/12/2013 05:40 PM gottl...@nyu.edu wrote the following:
>> copy the lvm partitions to directories on an external disk (ext3)
>
> What command did you use for copying?

cp -ax

rsync is not on the minimal install.

allan



Re: [gentoo-user] Gnat Compile Error

2013-10-13 Thread Frank Steinmetzger
On Sun, Oct 13, 2013 at 03:02:48PM +0200, Silvio Siefke wrote:
> Hello,
> 
> I try to install dev-lang/gnat-gcc but the configure phase breaks with
> the msg:

> [...]

>  * ERROR: dev-lang/gnat-gcc-4.5.4::gentoo failed (compile phase):
--^

> [...]

> Portage 2.2.1 (default/linux/amd64/13.0/desktop, gcc-4.6.3, glibc-2.15-r3, 
> 3.11.3 x86_64)
---^
> =
> System Settings
> =
> System uname: 
> Linux-3.11.3-x86_64-Intel-R-_Atom-TM-_CPU_N550_@_1.50GHz-with-gentoo-2.2

> [...]

> sys-devel/gcc:4.6.3, 4.7.3-r1
^^^

> [...]

> [14:10:56][ Akku: 99% ][root@gentoomobile:/home/siefke]# emerge -pqv 
> =dev-lang/gnat-gcc-4.5.4::gentoo
> [ebuild  N] dev-lang/gnat-gcc-4.5.4  USE="nls"
---^^

You want to install gnat-gcc for a gcc version you don't have. You have
gcc 4.6.3 and 4.7.3 installed (with 4.6.3 active). Unfortunately, my eix
doesn't report any gnat-gcc newer than 4.5. So I'm not sure how to
proceed here apart from installing gcc-4.5.4, which is still in portage,
but then of course you only have gnat in that old version.
-- 
Gruß | Greetings | Qapla’
Please do not share anything from, with or about me with any Facebook service.

Sent from my toilet.




[gentoo-user] Re: scripted iptables-restore

2013-10-13 Thread Martin Vaeth
Michael Orlitzky  wrote:
> On 10/13/2013 06:08 AM, Martin Vaeth wrote:
 5. You can't script iptables-restore!
>>>
>>> Well, actually you can script iptables-restore.
>>
>> For those who are interested:
>> net-firewall/firewall-mv from the mv overlay
>> (available over layman) now provides a separate
>> firewall-scripted.sh
>> which can be conveniently used for such scripting.
>>
> [...]
> If you have a million rules and you need to wipe/reload them all
> frequently you're probably doing something wrong to begin with.

I don't know how this is related with the discussion.
The main advantage of using iptables-restore is avoidance of
race conditions. A secondary advantage is a speed improvement;
in my case, the machine boots about 2 seconds faster which can
be a considerable advantage if you start virtual machines.

> With bash [...]

(I would use a POSIX shell because it is considerably faster,
but this need not be discussed here.)

That's why I said that it can be scripted
(which was my motivation to write firewall-scripted.sh):

firewall-scripted.sh (or some similar script) gives you exactly
the same advantages, but without races, and faster.
In your example:

> function static_nat() {
>iptables -t nat -A PREROUTING  -d "${2}" -j DNAT --to "${1}"
>iptables -t nat -A POSTROUTING -s "${1}" -j SNAT --to "${2}"
> }

Essentially, you just have to replace "iptables" by "FwmvTables 4".
If you are too lazy to use a text editor or to replace "iptables"
by a variable (like $iptables) you can do this even by
defining the function:

iptables() {
  FwmvTables 4 "${@}"
}

Then you just put in front of your script the line

. firewall-scripted.sh

and in the end (or before you call exit):

FwmvSet 4

That's it...

> I'm not saying you can't do all of this with iptables-restore, just that
> you're punishing yourself for little benefit if you do.

*Using* firewall-scripted.sh is as convenient as using iptables directly
(you just replace one command and add two lines to your script).
Of course, the disadvantage is that some day firewall-scripted.sh might
break with iptables (and that maybe the script still has bugs...).
As I said, it would be better if something similar were provided
by iptables itself. But the advantages are clear.




[gentoo-user] {OT} proper way to submit a kernel crash bug report?

2013-10-13 Thread Grant
I have a vmcore file from a kernel crash and I'm trying to figure out
how to turn it into a bug report on kernel.org.  What do they want to
see?  I've installed 'crash' but I get:

# crash vmcore
crash: namelist argument required

or:

crash /boot/kernel-3.10.15 vmcore
crash: /boot/kernel-3.10.15: not a supported file format

I'm not even sure they'll accept 'crash' analysis.

- Grant



Re: [gentoo-user] scripted iptables-restore

2013-10-13 Thread Michael Orlitzky
On 10/13/2013 06:08 AM, Martin Vaeth wrote:
>>> 5. You can't script iptables-restore!
>>
>> Well, actually you can script iptables-restore.
> 
> For those who are interested:
> net-firewall/firewall-mv from the mv overlay
> (available over layman) now provides a separate
> firewall-scripted.sh
> which can be conveniently used for such scripting.
> 

You snipped the rest of my point =)

> You can write a bash script that writes an iptables-restore script to
> accomplish the same thing, but how much complexity are you willing to
> add for next to no benefit?

If you have a million rules and you need to wipe/reload them all
frequently you're probably doing something wrong to begin with.

With bash, you can leverage all of the features of bash that everybody
already knows. You can read files, call shell commands, pipe between
them, etc. You can write bash functions to avoid repetitive commands.
You can write inline comments to explain what the rules do.

Something like,

  # A function which sets up a static mapping between an external IP
  # address and an internal one.
  #
  # USAGE: static_nat  
  #
  function static_nat() {
  iptables -t nat -A PREROUTING  -d "${2}" -j DNAT --to "${1}"
  iptables -t nat -A POSTROUTING -s "${1}" -j SNAT --to "${2}"
  }

can make your iptables script a lot cleaner, and it conveys your intent
better when the rule is created:

  # Danny likes to torrent "linux isos" at work so he needs a public ip
  static_nat 192.168.1.x 1.2.3.x

I'm not saying you can't do all of this with iptables-restore, just that
you're punishing yourself for little benefit if you do.




[gentoo-user] Re: Where to put advanced routing configuration?

2013-10-13 Thread Martin Vaeth
shawn wilson  wrote:
> On Fri, Oct 4, 2013 at 5:58 PM, Michael Orlitzky  wrote:
>
>>
>> 1. The iptables-restore syntax is uglier and harder to read.
>
> I don't get this - the syntax is [...]
> What am I missing or how is this uglier?

Argument separation (e.g. if you have arguments with spaces);
it seems to work most of the time if you quote into "..."
and escape backslash and doublequote signs inside with
backslash (this is what the mentioned script of firewall-mv
does), but there are cases where this is not accepted;
e.g. quoting every word was not accepted.
Since the format is undocumented, this is all ugly
trial-and-error, and only the iptables maintainers know
whether it remains the same in the next iptables release.
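As an added illustration (not code from this thread, from firewall-mv's firewall-scripted.sh, or from Michael's script), the POSIX sh sketch below puts together the three ideas discussed above: a shadow iptables function that records calls instead of executing them, one atomic iptables-restore run at the end (Martin's approach, with Michael's static_nat helper running unchanged on top of it), and the quoting rule Martin describes for arguments that contain spaces, quotes or backslashes. All fw_* names, the sample addresses and the assumption that -t comes first on each call are this example's own.

```shell
#!/bin/sh
# Hypothetical minimal "collect now, restore atomically later" firewall
# helper. Not firewall-scripted.sh; every fw_* name is invented here.

nl='
'

# Quote one argument for the iptables-restore file. Plain tokens pass
# through; anything with whitespace, quotes or backslashes is wrapped in
# "..." with backslash and double quote escaped by a backslash.
fw_quote() {
    case $1 in
        ''|*[!A-Za-z0-9_./:,=+@!%-]*)
            printf '"%s"' "$(printf '%s' "$1" | sed 's/[\\"]/\\&/g')" ;;
        *)
            printf '%s' "$1" ;;
    esac
}

# Append $2 plus a newline to the shell variable named in $1.
fw_record() {
    eval "$1=\"\${$1}\$2\$nl\""
}

# Forget everything collected so far (start of a script, or of a test).
fw_reset() {
    for t in filter nat mangle raw; do
        eval "fw_${t}_chains=; fw_${t}_rules="
    done
}

# Shadow the real iptables binary: record instead of execute. Handles the
# subset needed here: -t TABLE (must come first), -P policy, -N new chain,
# and -A/-I/-D rules. Chain lines are kept apart from rules because the
# restore format wants all ":chain" declarations before the rules.
iptables() {
    table=filter
    if [ "$1" = -t ]; then table=$2; shift 2; fi
    case $table in
        filter|nat|mangle|raw) ;;
        *) printf 'fw: unknown table %s\n' "$table" >&2; return 1 ;;
    esac
    case $1 in
        -P) fw_record "fw_${table}_chains" ":$2 $3 [0:0]" ;;
        -N) fw_record "fw_${table}_chains" ":$2 - [0:0]" ;;
        -A|-I|-D)
            line=
            for arg in "$@"; do line="$line $(fw_quote "$arg")"; done
            fw_record "fw_${table}_rules" "${line# }" ;;
        *) printf 'fw: unsupported call: %s\n' "$*" >&2; return 1 ;;
    esac
}

# Emit the collected ruleset as one iptables-restore file: a *table block
# per table that received anything, chains first, rules next, then COMMIT.
fw_render() {
    for t in filter nat mangle raw; do
        eval "chains=\${fw_${t}_chains}; rules=\${fw_${t}_rules}"
        [ -n "$chains$rules" ] || continue
        printf '*%s\n%s%sCOMMIT\n' "$t" "$chains" "$rules"
    done
}

# Apply atomically: iptables-restore parses the whole file before touching
# the kernel, so a typo leaves the running rules untouched and is reported
# with its line number. FW_RESTORE="iptables-restore --test" only parses;
# on a remote box, feed fw_render's output to iptables-apply instead.
fw_apply() {
    fw_render | ${FW_RESTORE:-iptables-restore}
}

# Michael's helper, unchanged: the shadow function above captures its calls.
static_nat() {
    iptables -t nat -A PREROUTING  -d "$2" -j DNAT --to "$1"
    iptables -t nat -A POSTROUTING -s "$1" -j SNAT --to "$2"
}

# Constructed sample ruleset: laptop defaults, one static NAT mapping, and
# a comment containing spaces and quotes to exercise fw_quote.
fw_demo() {
    fw_reset
    iptables -P INPUT DROP
    iptables -P FORWARD DROP
    iptables -P OUTPUT ACCEPT
    iptables -A INPUT -i lo -j ACCEPT
    iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    iptables -A INPUT -p tcp --dport 22 -m comment --comment 'ssh "admin" net' -j ACCEPT
    static_nat 192.168.1.10 203.0.113.10
    fw_render
}

fw_demo
```

Run as a plain script it prints the restore file; swap the final fw_render in a real script for fw_apply (or pipe it into `iptables-apply -t 180`) to load it in one step.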




Re: [gentoo-user] Where to put advanced routing configuration?

2013-10-13 Thread Michael Orlitzky
On 10/13/2013 06:26 AM, shawn wilson wrote:
> On Fri, Oct 4, 2013 at 5:58 PM, Michael Orlitzky  wrote:
> 
>>
>> 1. The iptables-restore syntax is uglier and harder to read.
> 
> I don't get this - the syntax is *chain and then :tables (with
> optional counters) instead of -N, and then a bunch of rules, and then
> a COMMIT command (the only thing you don't get on the command line).
> What am I missing or how is this uglier?
> 

That's not the syntax, because there is no syntax, but let's forget that
point anyway because it's subjective.




[gentoo-user] Gnat Compile Error

2013-10-13 Thread Silvio Siefke
Hello,

I try to install dev-lang/gnat-gcc but the configure phase breaks with
the msg:

checking for x86_64-pc-linux-gnu-gcc... 
/var/tmp/portage/dev-lang/gnat-gcc-4.5.4/work/usr/bin/gnatgcc
checking for C compiler default output file name... 
configure: error: in `/var/tmp/portage/dev-lang/gnat-gcc-4.5.4/work/build':
configure: error: C compiler cannot create executables
See `config.log' for more details.
 * ERROR: dev-lang/gnat-gcc-4.5.4::gentoo failed (compile phase):
 *   configure failed

I tried different versions and I tried dev-lang/gnat-gpl; the same happens.
Other programs can compile without error.

Thanks for help & Greetings
Silvio

[14:10:56][ Akku: 99% ][root@gentoomobile:/home/siefke]# emerge --info 
=dev-lang/gnat-gcc-4.5.4::gentoo
Portage 2.2.1 (default/linux/amd64/13.0/desktop, gcc-4.6.3, glibc-2.15-r3, 
3.11.3 x86_64)
=
System Settings
=
System uname: 
Linux-3.11.3-x86_64-Intel-R-_Atom-TM-_CPU_N550_@_1.50GHz-with-gentoo-2.2
KiB Mem: 1003604 total, 86348 free
KiB Swap:2047996 total,   1963324 free
Timestamp of tree: Sun, 13 Oct 2013 11:00:01 +
ld GNU ld (GNU Binutils) 2.23.1
app-shells/bash:  4.2_p45
dev-java/java-config: 2.1.12-r1
dev-lang/python:  2.7.5-r2, 3.2.5-r2
dev-util/cmake:   2.8.10.2-r2
dev-util/pkgconfig:   0.28
sys-apps/baselayout:  2.2
sys-apps/openrc:  0.11.8
sys-apps/sandbox: 2.6-r1
sys-devel/autoconf:   2.13, 2.69
sys-devel/automake:   1.10.3, 1.11.6, 1.13.4
sys-devel/binutils:   2.23.1
sys-devel/gcc:4.6.3, 4.7.3-r1
sys-devel/gcc-config: 1.7.3
sys-devel/libtool:2.4.2
sys-devel/make:   3.82-r4
sys-kernel/linux-headers: 3.9 (virtual/os-headers)
sys-libs/glibc:   2.15-r3
Repositories: gentoo multimedia sabayon hardened-dev pentoo
rrdtool swap syslog" ELIBC="glibc" GPSD_PROTOCOLS="ashtech aivdm earthmate 
evermore fv18 garmin garmintxt gpsclock itrax mtk3301 nmea ntrip navcom 
oceanserver oldstyle oncore rtcm104v2 rtcm104v3 sirf superstar2 timing tsip 
tripmate tnt ubx" INPUT_DEVICES="evdev vo

Re: [gentoo-user] Network failed and weird error message

2013-10-13 Thread Dale
Dale wrote:
> Alan McKinnon wrote:
>>
>> Basically, it looks like you have a once-off event.
>>
>> Until it happens again, very little you can do wrt troubleshooting
>>
>>
>>
> I agree.  It ran for days with no problems that I saw.  Sure is weird
> tho.  I just wonder if something outside the puter happened and
> triggered something.  Who knows. 
>
> Dale
>
> :-)  :-) 
>

Still no fix on the error message.  Maybe it is hardware and related to
this?  I started having issues with the network again.  This time, it
wasn't just browsers.  It would be other stuff like Pidgin and such.
Generally restarting the network corrected the problem, after restarting
the other programs too since they would hang up.  Anyway, I got tired of
this so I pulled an ethernet card from my junk drawer, pulled some hair
out trying to find the dmfe driver in the kernel and got it working.
Since moving away from the ethernet that is built into the mobo and to
this card, not an issue yet.  I have not had a single hiccup.  So, as
with my last rig, the ethernet port on the mobo just starts to suck after
a while it seems.  :/

Now I just wish I could figure out this other USB issue.  I suspect it
could be a hardware issue.  I may have to upgrade my rig after all and I
don't really want to do that and may not be able to right away. 

Memory question.  The mobo I have uses this:  "Support for DDR3
1666(OC)/1333/1066 MHz memory modules"  I have the 1666 on here.  It was
what was on sale.  :-D  The new mobo calls for this:  "DDR3
2000(OC)/1866/1600/1333/1066"  Are the two compatible?  Both are DDR3. 

Thanks. 

Dale

:-)  :-) 

-- 
I am only responsible for what I said ... Not for what you understood or how 
you interpreted my words!




Re: [gentoo-user] Where to put advanced routing configuration?

2013-10-13 Thread shawn wilson
On Fri, Oct 4, 2013 at 5:58 PM, Michael Orlitzky  wrote:

>
> 1. The iptables-restore syntax is uglier and harder to read.

I don't get this - the syntax is *chain and then :tables (with
optional counters) instead of -N, and then a bunch of rules, and then
a COMMIT command (the only thing you don't get on the command line).
What am I missing, or how is this uglier?



[gentoo-user] scripted iptables-restore (was: Where to put advanced routing configuration?)

2013-10-13 Thread Martin Vaeth
>> 5. You can't script iptables-restore!
>
> Well, actually you can script iptables-restore.

For those who are interested:
net-firewall/firewall-mv from the mv overlay
(available over layman) now provides a separate
firewall-scripted.sh
which can be conveniently used for such scripting.
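For anyone who wants to script this without pulling in an overlay, here is an added example (not code from this thread and not from firewall-mv) of both halves of the job in Python: rendering a ruleset in the form iptables-restore actually reads (a `*table` line, then one `:CHAIN POLICY [packets:bytes]` line per chain, then rules in iptables command syntax, then `COMMIT`, which applies the whole table atomically) and a structural check run over the text before it is ever handed to iptables-restore. The rule set, the user chain SSH_IN and the management network 192.0.2.0/24 (an RFC 5737 documentation prefix) are constructed assumptions, not anyone's production firewall.

```python
"""Render an iptables-restore ruleset from Python data and validate it.

Added example for the gentoo-user thread; not code from the thread or
from firewall-mv. The policy below is constructed for illustration.
Applying it needs root and is left to the caller:
    python3 fwgen.py | iptables-restore --test
"""
import re

MGMT_NET = "192.0.2.0/24"  # assumption: the only network allowed to SSH in

# Constructed policy: default-deny inbound, allow loopback and replies,
# SSH only via a user chain that checks the source, log drops rate-limited.
FILTER_TABLE = {
    "policies": {"INPUT": "DROP", "FORWARD": "DROP", "OUTPUT": "ACCEPT"},
    "chains": ["SSH_IN"],  # user-defined chains are declared with policy '-'
    "rules": [
        "-A INPUT -i lo -j ACCEPT",
        "-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT",
        "-A INPUT -m conntrack --ctstate INVALID -j DROP",
        "-A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -j SSH_IN",
        f"-A SSH_IN -s {MGMT_NET} -j ACCEPT",
        "-A SSH_IN -j DROP",
        '-A INPUT -m limit --limit 5/min -j LOG --log-prefix "fw-drop: "',
    ],
}

BUILTIN_TARGETS = {"ACCEPT", "DROP", "REJECT", "RETURN", "LOG"}


def render(tables):
    """Serialise {table: spec} into iptables-restore syntax: '*table',
    ':CHAIN POLICY [0:0]' per chain, the rules, then 'COMMIT'."""
    out = []
    for name, spec in tables.items():
        out.append(f"*{name}")
        for chain, policy in spec["policies"].items():
            out.append(f":{chain} {policy} [0:0]")
        for chain in spec.get("chains", []):
            out.append(f":{chain} - [0:0]")
        out.extend(spec["rules"])
        out.append("COMMIT")
    return "\n".join(out) + "\n"


_CHAIN_DECL = re.compile(r"^:(\S+) (ACCEPT|DROP|-) \[(\d+):(\d+)\]$")
_RULE = re.compile(r"^-[AI] (\S+)(?: .*)?$")


def _jump_target(rule):
    """Return the argument of '-j' in a rule line, or None if it has none."""
    parts = rule.split()
    for i, tok in enumerate(parts[:-1]):
        if tok == "-j":
            return parts[i + 1]
    return None


def validate(text):
    """Return a list of structural problems (empty means well-formed):
    rules only inside a table, only on declared chains, jumping only to
    built-in or declared targets, and every table closed by COMMIT."""
    problems, table, chains = [], None, set()
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("*"):
            if table is not None:
                problems.append(f"line {n}: table '{table}' has no COMMIT")
            table, chains = line[1:], set()
        elif line.startswith(":"):
            m = _CHAIN_DECL.match(line)
            if table is None:
                problems.append(f"line {n}: chain declared outside a table")
            elif not m:
                problems.append(f"line {n}: bad chain declaration: {line}")
            else:
                chains.add(m.group(1))
        elif line == "COMMIT":
            if table is None:
                problems.append(f"line {n}: COMMIT without a table")
            table = None
        elif line.startswith("-"):
            m = _RULE.match(line)
            if table is None:
                problems.append(f"line {n}: rule outside a table")
            elif not m:
                problems.append(f"line {n}: unsupported rule form: {line}")
            elif m.group(1) not in chains:
                problems.append(f"line {n}: chain '{m.group(1)}' not declared")
            else:
                target = _jump_target(line)
                if target and target not in BUILTIN_TARGETS | chains:
                    problems.append(f"line {n}: unknown target '{target}'")
        else:
            problems.append(f"line {n}: unrecognised line: {line}")
    if table is not None:
        problems.append(f"table '{table}' has no COMMIT")
    return problems


if __name__ == "__main__":
    ruleset = render({"filter": FILTER_TABLE})
    errors = validate(ruleset)
    if errors:
        raise SystemExit("\n".join(errors))
    print(ruleset, end="")
```

The check is deliberately structural only: it catches the mistakes a script most easily makes (a rule before its chain is declared, a jump to a chain nobody created, a forgotten COMMIT that leaves the table untouched), and leaves option semantics to `iptables-restore --test`, which is the real parser.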



Re: [gentoo-user] using lvm without a partition of type linux LVM

2013-10-13 Thread Dale
Mick wrote:
> On Sunday 13 Oct 2013 00:07:56 Thanasis wrote:
>> on 10/12/2013 05:40 PM gottl...@nyu.edu wrote the following:
>>> copy the lvm partitions to directories on an external disk (ext3)
>>
>> What command did you use for copying?
>
> You can use rsync, scp or (s)tar.
>
> Personally I prefer star with the copy option.
>
> Word of warning:  check that the attributes and mod times are as you want
> them, especially with rsync which with the -a parameter preserves the
> source directory/machine ownership, rather than the expected destination
> defaults.

When I do a copy on a setup like this, I just use cp -a.  Add the v if
you want to see what it is doing.  I have used it many times and it
works just fine.  Clean and simple.  If over a network or something tho,
gets complicated pretty quick.

Dale

:-)  :-)

-- 
I am only responsible for what I said ... Not for what you understood or
how you interpreted my words!
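The "check that the attributes and mod times are as you want them" advice above is easy to act on with a short comparison walk. The following is an added example, not code from this thread: it builds a small constructed tree in a temporary directory (assumption: a writable TMPDIR), copies it with shutil.copytree using copy2, which like `cp -a` keeps mode and mtime and follows symlinks as links, then compares source and copy entry by entry. A second, deliberately naive copy (content only) shows what the check reports when attributes are lost. Ownership is part of the comparison because it is the field that does not survive an unprivileged copy or a copy between machines with different uid mappings, which is exactly the case the warning is about.

```python
"""Compare two directory trees by mode, owner, group and mtime.

Added example for the gentoo-user thread; not code from the thread.
The sample tree is constructed here; assumption: a writable TMPDIR.
"""
import os
import shutil
import tempfile

FIELDS = ("mode", "uid", "gid", "mtime_ns")


def _attrs(path):
    st = os.lstat(path)
    return {"mode": st.st_mode, "uid": st.st_uid,
            "gid": st.st_gid, "mtime_ns": st.st_mtime_ns}


def compare_trees(src, dst, fields=FIELDS):
    """Walk src and return (relpath, field, src_value, dst_value) for every
    entry that is missing in dst or differs in one of the given fields.
    Symlinks are compared by target only (their own mode/mtime are not
    meaningful on most systems)."""
    diffs = []
    for root, dirs, files in os.walk(src):
        for name in dirs + files:
            s = os.path.join(root, name)
            rel = os.path.relpath(s, src)
            d = os.path.join(dst, rel)
            if not os.path.lexists(d):
                diffs.append((rel, "missing", None, None))
                continue
            if os.path.islink(s):
                if not os.path.islink(d) or os.readlink(s) != os.readlink(d):
                    diffs.append((rel, "symlink", os.readlink(s), None))
                continue
            a, b = _attrs(s), _attrs(d)
            for f in fields:
                if a[f] != b[f]:
                    diffs.append((rel, f, a[f], b[f]))
    return diffs


def build_sample_tree(base):
    """Constructed sample: a 0600 secret, a 0755 script with an old mtime,
    and a symlink."""
    os.makedirs(os.path.join(base, "etc"))
    secret = os.path.join(base, "etc", "shadow.bak")
    with open(secret, "w") as fh:
        fh.write("root:*:0:0:99999:7:::\n")  # constructed content
    os.chmod(secret, 0o600)
    script = os.path.join(base, "run.sh")
    with open(script, "w") as fh:
        fh.write("#!/bin/sh\necho ok\n")
    os.chmod(script, 0o755)
    old = 1_000_000_000 * 1_000_000_000  # 2001-09-09 as nanoseconds
    os.utime(script, ns=(old, old))
    os.symlink("run.sh", os.path.join(base, "link"))
    return base


def demo():
    """Return (diffs_after_faithful_copy, diffs_after_naive_copy)."""
    with tempfile.TemporaryDirectory() as tmp:
        src = build_sample_tree(os.path.join(tmp, "src"))
        # Closest Python equivalent of `cp -a`: copy2 keeps mode and mtime,
        # symlinks=True recreates links instead of copying their targets.
        # Note copystat never chowns, so ownership is whatever the copying
        # user is; as non-root that is all cp -a could do either.
        faithful = os.path.join(tmp, "faithful")
        shutil.copytree(src, faithful, symlinks=True, copy_function=shutil.copy2)
        # Naive copy: file contents only; mode and mtime come from the
        # creating process (umask, current time).
        naive = os.path.join(tmp, "naive")
        shutil.copytree(src, naive, symlinks=True, copy_function=shutil.copyfile)
        return compare_trees(src, faithful), compare_trees(src, naive)


if __name__ == "__main__":
    good, bad = demo()
    print("faithful copy differences:", good)
    print("naive copy differences:", bad)
```

Run as-is the faithful copy reports nothing and the naive one lists run.sh losing its execute bit and its 2001 mtime. Pointing compare_trees at a source and a restore on another machine is the cheap way to find the uid/gid mismatches the rsync -a warning describes before they turn into a permission problem.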