Re: [gentoo-user] Re: Slow network transfers ... lost interrupts because of clocksource?
On 10.10.2013 16:38, Stefan G. Weichinger wrote:

> I don't plan to stay with 3.8.13, this is just an intermediate step to
> get a working config. For now I don't have any more lost hpet interrupts
> etc and the LAN speed is fine. Emerging packages as well ...
>
> From this config I will then try 3.10.7-r1 again.

Went back to 3.10.7-r1 yesterday ... performance fine so far.

Today I checked back and found the following in dmesg. Should I disable some option?

Thanks for any feedback, Stefan

[20788.258330] NMI backtrace for cpu 16
[20788.258334] CPU: 16 PID: 0 Comm: swapper/16 Not tainted 3.10.7-gentoo-r1 #1
[20788.258336] Hardware name: HP ProLiant DL385p Gen8, BIOS A28 12/10/2012
[20788.258338] task: 88042dcc9fe0 ti: 88042dcd6000 task.ti: 88042dcd6000
[20788.258340] RIP: 0010:[] [] acpi_idle_enter_simple+0x9e/0xde [processor]
[20788.258346] RSP: 0018:88042dcd7e78 EFLAGS: 0093
[20788.258348] RAX: 12e824917a00 RBX: 880c2d1c78a0 RCX: b6e8
[20788.258350] RDX: 0ff9 RSI: 88082fc8 RDI: b6e0
[20788.258352] RBP: 0002 R08: R09: 0192
[20788.258354] R10: 0001 R11: R12: 880c2d1c7800
[20788.258356] R13: 12e605db654b R14: a00087d8 R15:
[20788.258358] FS: 7fcbeb7de700() GS:88082fc8() knlGS:f77556c0
[20788.258360] CS: 0010 DS: ES: CR0: 8005003b
[20788.258362] CR2: 7fd4098d2000 CR3: 00042d3a4000 CR4: 000407a0
[20788.258364] DR0: 00a0 DR1: DR2: 0003
[20788.258365] DR3: 00b0 DR6: 0ff0 DR7: 0400
[20788.258367] Stack:
[20788.258368] 88102ccd4c00 a0008710 0002 8140284b
[20788.258371] 01f6 81403b11
[20788.258374] 88102ccd4c00 0002 a0008710 88042dcd7fd8
[20788.258378] Call Trace:
[20788.258382] [] ? cpuidle_enter_state+0x4b/0xe0
[20788.258386] [] ? ladder_select_state+0x31/0x1e0
[20788.258390] [] ? cpuidle_idle_call+0x9a/0x140
[20788.258394] [] ? arch_cpu_idle+0x9/0x30
[20788.258398] [] ? cpu_startup_entry+0x59/0x130
[20788.258399] Code: 01 03 75 02 0f 09 e8 1f 50 08 e1 8a 43 08 3c 01 75 0a 48 89 df e8 c0 78 04 e1 eb 17 3c 02 75 07 e8 0f f9 ff ff eb 0c 8b 53 04 ec <48> 8b 15 4c e0 81 e1 ed 31 ff e8 90 50 08 e1 80 7b 08 01 74 10
[20788.258440] NMI backtrace for cpu 20
[20788.258444] CPU: 20 PID: 0 Comm: swapper/20 Not tainted 3.10.7-gentoo-r1 #1
[20788.258445] Hardware name: HP ProLiant DL385p Gen8, BIOS A28 12/10/2012
[20788.258447] task: 88042dccb960 ti: 88042dcde000 task.ti: 88042dcde000
[20788.258449] RIP: 0010:[] [] acpi_idle_enter_simple+0x9e/0xde [processor]
[20788.258456] RSP: 0018:88042dcdfe78 EFLAGS: 0093
[20788.258457] RAX: 12e824919a00 RBX: 880c2d1c50a0 RCX: b6e8
[20788.258459] RDX: 0ff9 RSI: 88082fd0 RDI: b6e0
[20788.258461] RBP: 0002 R08: R09: 0193
[20788.258463] R10: 0001 R11: R12: 880c2d1c5000
[20788.258464] R13: 12e605db857d R14: a00087d8 R15:
[20788.258467] FS: 7fcbeb7de700() GS:88082fd0() knlGS:f778d700
[20788.258469] CS: 0010 DS: ES: CR0: 8005003b
[20788.258471] CR2: 7fd4098d2000 CR3: 00042d3a4000 CR4: 000407a0
[20788.258473] DR0: 00a0 DR1: DR2: 0003
[20788.258474] DR3: 00b0 DR6: 0ff0 DR7: 0400
[20788.258476] Stack:
[20788.258477] 880c2d9e0400 a0008710 0002 8140284b
[20788.258480] 01f7 81403b11
[20788.258484] 880c2d9e0400 0002 a0008710 88042dcdffd8
[20788.258487] Call Trace:
[20788.258491] [] ? cpuidle_enter_state+0x4b/0xe0
[20788.258495] [] ? ladder_select_state+0x31/0x1e0
[20788.258498] [] ? cpuidle_idle_call+0x9a/0x140
[20788.258502] [] ? arch_cpu_idle+0x9/0x30
[20788.258506] [] ? cpu_startup_entry+0x59/0x130
[20788.258508] Code: 01 03 75 02 0f 09 e8 1f 50 08 e1 8a 43 08 3c 01 75 0a 48 89 df e8 c0 78 04 e1 eb 17 3c 02 75 07 e8 0f f9 ff ff eb 0c 8b 53 04 ec <48> 8b 15 4c e0 81 e1 ed 31 ff e8 90 50 08 e1 80 7b 08 01 74 10
Re: [gentoo-user] scripted iptables-restore (was: Where to put advanced routing configuration?)
On Oct 13, 2013 5:09 PM, "Martin Vaeth" wrote:
>
>>>> 5. You can't script iptables-restore!
>>>
>>> Well, actually you can script iptables-restore.
>
> For those who are interested:
> net-firewall/firewall-mv from the mv overlay
> (available over layman) now provides a separate
> firewall-scripted.sh
> which can be conveniently used for such scripting.
>

Thanks, Martin! I was about to create my own preprocessor, but I'll check out yours first. If it's what I had planned, may I contribute, too?

Rgds,
--
Re: [gentoo-user] scripted iptables-restore
On Oct 13, 2013 9:15 PM, "Michael Orlitzky" wrote:
>
> On 10/13/2013 06:08 AM, Martin Vaeth wrote:
>>>> 5. You can't script iptables-restore!
>>>
>>> Well, actually you can script iptables-restore.
>>
>> For those who are interested:
>> net-firewall/firewall-mv from the mv overlay
>> (available over layman) now provides a separate
>> firewall-scripted.sh
>> which can be conveniently used for such scripting.
>>
>
> You snipped the rest of my point =)
>
>> You can write a bash script that writes an iptables-restore script to
>> accomplish the same thing, but how much complexity are you willing to
>> add for next to no benefit?
>
> If you have a million rules and you need to wipe/reload them all
> frequently you're probably doing something wrong to begin with.
>
> With bash, you can leverage all of the features of bash that everybody
> already knows. You can read files, call shell commands, pipe between
> them, etc. You can write bash functions to avoid repetitive commands.
> You can write inline comments to explain what the rules do.
>
> Something like,
>
>   # A function which sets up a static mapping between an external IP
>   # address and an internal one.
>   #
>   # USAGE: static_nat
>   #
>   function static_nat() {
>     iptables -t nat -A PREROUTING -d "${2}" -j DNAT --to "${1}"
>     iptables -t nat -A POSTROUTING -s "${1}" -j SNAT --to "${2}"
>   }
>
> can make your iptables script a lot cleaner, and it conveys your intent
> better when the rule is created:
>
>   # Danny likes to torrent "linux isos" at work so he needs a public ip
>   static_nat 192.168.1.x 1.2.3.x
>
> I'm not saying you can't do all of this with iptables-restore, just that
> you're punishing yourself for little benefit if you do.
>

One benefit of being familiar with iptables-save and iptables-restore: you can use iptables-apply. Might save your sanity if you fat-fingered your iptables rule.

Just do `iptables-apply -t 180 <( preprocessor.sh new-rules.conf)`. Changes are done atomically. After 180 seconds, if you don't indicate to iptables-apply that the changes are proper, it atomically reverts the whole netfilter tables.

bash scripts are powerful, but there might be unexpected cases that render the netfilter tables to be wildly different from what you actually want. The file format used by iptables-{save,restore,apply} is more like a domain-specific language; less chance of partial mistakes. And it's atomic: Either everything gets applied, or none gets applied (without clobbering existing in-effect rules).

Rgds,
--
Re: [gentoo-user] Re: scripted iptables-restore
On 10/13/2013 04:07 PM, Martin Vaeth wrote:
>>
>> I was just reiterating that there's not much benefit to save/restore if
>> you're doing things properly (pontification alert!).
>
> For a laptop of a scientist like me this is not true at all - it must
> often be connected in a different environment with different
> local nets etc.

Sure, but do the rules change? Is there a better ruleset that accomplishes the same thing with fewer (or universal) rules? How many rules do you have at the location requiring the most rules? Most laptops should be OK with the following:

  iptables -P INPUT DROP
  iptables -P FORWARD DROP
  iptables -P OUTPUT ACCEPT

  iptables -A INPUT -p ALL -i lo -j ACCEPT

  iptables -A INPUT -p ALL -m conntrack \
    --ctstate ESTABLISHED,RELATED -j ACCEPT

  iptables -A INPUT -p ALL -m conntrack \
    --ctstate INVALID -j DROP

  ALLOWED_ICMP="0 3 4 8 11 12"
  for icmp_type in $ALLOWED_ICMP; do
    iptables -A INPUT -p icmp --icmp-type $icmp_type -j ACCEPT
  done

And creative setups should only require a few more rules. This all takes under (1/10) of a second on my laptop.

> Also for other things (like portknocking using the recent module)
> you need rather complex rules which are better rewritten by a script,
> especially if the length of a portknocking sequence changes.
> Like passwords, these sequences should better not stay the same for
> too long...

Port knocking is cute, but imparts no extra security. A better, secure way to achieve the same goal is with OpenVPN. And that doesn't require you to play games with your firewall. If you use your laptop at hotels, universities, and conferences, you'll have a much happier time connecting to OpenVPN on tcp/443 (which nobody can block) than you will trying to connect directly.

>> Race conditions don't really seem that serious to me.
>
> Maybe, but I am not sure:
> There might be situations where it might be possible to keep
> a port open even when the rule is rewritten later on; then
> you need an open system only once...
> So, I could imagine that with some clever hacks an attacker
> might keep ports open and then do another attack later on.
> I am not an experienced hacker to know such attacks, but I
> know that races can be very subtle and provide attack vectors
> nobody has ever thought of.

In this case, the absolute worst that could happen is that an attacker gains access to every open port on your system. While this is bad, it's not a clever new vulnerability: it's all of the old ones that were already there. If there are insecure daemons listening on public addresses, you should fix them instead of worrying about race conditions on the firewall. Otherwise, every machine on your LAN becomes an attack vector, and that's a much greater risk especially if your coworkers/friends use Windows. And if we're still talking about laptops, the "LAN" is usually "anybody nearby."
Re: [gentoo-user] Network failed and weird error message
Mick wrote:
> On Sunday 13 Oct 2013 13:26:31 Dale wrote:
>>
>> Memory question. The mobo I have uses this: "Support for DDR3
>> 1666(OC)/1333/1066 MHz memory modules" I have the 1666 on here. It was
>> what was on sale. :-D The new mobo calls for this: "DDR3
>> 2000(OC)/1866/1600/1333/1066" Are the two compatible? Both are DDR3.
>>
>> Thanks.
>>
>> Dale
>>
>> :-) :-)
>
> They are, although the new MoBo memory can be overclocked higher. Bear in
> mind that some MoBos will complain if they are not fitted with identical
> memory modules. Somehow I happen to come across them each time ... :-(

So I can buy the mobo and reuse the memory I have now? That will help a LOT right now. The new mobo will support twice the amount of ram but I can upgrade that and the CPU later on.

The mobo I am looking at is this one:

http://www.gigabyte.com/products/product-page.aspx?pid=4717#ov

The mobo I currently have is here:

http://www.gigabyte.com/products/product-page.aspx?pid=3320#sp

I don't overclock so I'm not worried about that. I did it once with an old Abit mobo with an AMD 2500+ CPU but it just didn't make much difference.

The memory I have is here:

http://www.newegg.com/Product/Product.aspx?Item=N82E16820231313

It appears I looked at something wrong here. The one I have is the same as what the mobo calls for. I think??? I need to sleep more and I got too much stuff going on. :/ I wonder where I got the 1666 from??

It appears that I should be good to go with the new mobo. Use my old ram, upgrade with 8GB sticks as I can and they go on sale. In the end, I can have up to 32GBs of ram. Talk about putting some stuff on tmpfs. O_O I have always wanted to copy the tree to tmpfs and run "time emerge -uvaDN world". Just to see how fast it will go. lol

If anyone sees anything here that won't work, let me know soon. I plan to order this thing pretty soon. Given the USB issue, the ethernet having issues, I'm worried something else may start to break as well. :-(

Thanks to all. Posting the question got me to see I made a boo boo somewhere about the memory speed. I think?

Dale

:-) :-)

--
I am only responsible for what I said ... Not for what you understood or how you interpreted my words!
Re: [gentoo-user] Re: scripted iptables-restore
On 14/10/13 04:07, Martin Vaeth wrote:
> Michael Orlitzky wrote:
>>>> [...]
>>>> If you have a million rules and you need to wipe/reload them all
>>>> frequently you're probably doing something wrong to begin with.
>>>
>>> I don't know how this is related with the discussion.
>>> The main advantage of using iptables-restore is avoidance of
>>> race conditions. A secondary advantage is a speed improvement;
>>> in my case, the machine boots about 2 seconds faster which can
>>> be a considerable advantage if you start virtual machines.
>>>
>>
>> I was just reiterating that there's not much benefit to save/restore if
>> you're doing things properly (pontification alert!).
>
> For a laptop of a scientist like me this is not true at all - it must
> often be connected in a different environment with different
> local nets etc.
> Also for other things (like portknocking using the recent module)
> you need rather complex rules which are better rewritten by a script,
> especially if the length of a portknocking sequence changes.
> Like passwords, these sequences should better not stay the same for
> too long...
> ...

If you are going to go to this bother ... why not use shorewall, create a custom configuration for each site (including any changes to services) and have your script just copy them in and restart the various services including shorewall?

I have a number of networks from hotspots to places where I need combinations of vpns, web servers and asterisk available for demonstrations in lecture theatres through to travelling and using hotel networks. The iptables save feature gets a bit difficult to use with complex setups and if you are doing something dynamic with the rules (fail2ban for instance) it can save inappropriate rules which need manual culling.

I use a simple script with autosetup using network-manager (yuk, horrible thing!) to detect known gateways and trigger the script with that argument for either wifi or cable as appropriate (or setup for anonymous hotspot for unknown wifi, basic dhcp if unknown cable) - this is on a macbook air if that matters.

BillK
[gentoo-user] Re: scripted iptables-restore
Michael Orlitzky wrote:
>>> [...]
>>> If you have a million rules and you need to wipe/reload them all
>>> frequently you're probably doing something wrong to begin with.
>>
>> I don't know how this is related with the discussion.
>> The main advantage of using iptables-restore is avoidance of
>> race conditions. A secondary advantage is a speed improvement;
>> in my case, the machine boots about 2 seconds faster which can
>> be a considerable advantage if you start virtual machines.
>>
>
> I was just reiterating that there's not much benefit to save/restore if
> you're doing things properly (pontification alert!).

For a laptop of a scientist like me this is not true at all - it must often be connected in a different environment with different local nets etc. Also for other things (like portknocking using the recent module) you need rather complex rules which are better rewritten by a script, especially if the length of a portknocking sequence changes. Like passwords, these sequences should better not stay the same for too long...

> Race conditions don't really seem that serious to me.

Maybe, but I am not sure: There might be situations where it might be possible to keep a port open even when the rule is rewritten later on; then you need an open system only once... So, I could imagine that with some clever hacks an attacker might keep ports open and then do another attack later on. I am not an experienced hacker to know such attacks, but I know that races can be very subtle and provide attack vectors nobody has ever thought of.

> All of security is a trade-off, and in my opinion, having
> human-friendly, easily-readable rules (with error checking)

It is easy to switch to one method for testing and then back when everything works: If you write $iptables ... throughout you just have to set iptables="iptables" or iptables="FwmvTables 4" respectively. In fact, the firewall-mv script does this (with a different mechanism) depending on a commandline switch.

Moreover, I observed that the error checking works with iptables-restore as well as with iptables: It shows you almost the same errors, including a line number. So the only difference is that you have to count the lines in the testing output instead of directly seeing the command...
Re: [gentoo-user] Network failed and weird error message
On Sunday 13 Oct 2013 13:26:31 Dale wrote:
> Dale wrote:
>> Alan McKinnon wrote:
>>> Basically, it looks like you have a once-off event.
>>>
>>> Until it happens again, very little you can do wrt troubleshooting
>>
>> I agree. It ran for days with no problems that I saw. Sure is weird
>> tho. I just wonder if something outside the puter happened and
>> triggered something. Who knows.
>>
>> Dale
>>
>> :-) :-)
>
> Still no fix on the error message. Maybe it is hardware and related to
> this? I started having issues with the network again. This time, it
> wasn't just browsers. It would be other stuff like Pidgin and such.
> Generally restarting the network corrected the problem, after restarting
> the other programs too since they would hang up. Anyway, I got tired of
> this so I pulled an ethernet card from my junk drawer, pulled some hair
> out trying to find the dmfe driver in the kernel and got it working.
> Since moving away from the ethernet that is built into the mobo and to
> this card, not an issue yet. I have not had a single hiccup. So, as
> with my last rig, the ethernet port on the mobo just starts to suck after
> a while it seems. :/
>
> Now I just wish I could figure out this other USB issue. I suspect it
> could be a hardware issue. I may have to upgrade my rig after all and I
> don't really want to do that and may not be able to right away.
>
> Memory question. The mobo I have uses this: "Support for DDR3
> 1666(OC)/1333/1066 MHz memory modules" I have the 1666 on here. It was
> what was on sale. :-D The new mobo calls for this: "DDR3
> 2000(OC)/1866/1600/1333/1066" Are the two compatible? Both are DDR3.
>
> Thanks.
>
> Dale
>
> :-) :-)

They are, although the new MoBo memory can be overclocked higher. Bear in mind that some MoBos will complain if they are not fitted with identical memory modules. Somehow I happen to come across them each time ... :-(

--
Regards,
Mick
Re: [gentoo-user] Re: scripted iptables-restore
On 10/13/2013 11:19 AM, Martin Vaeth wrote:
>>>
>> [...]
>> If you have a million rules and you need to wipe/reload them all
>> frequently you're probably doing something wrong to begin with.
>
> I don't know how this is related with the discussion.
> The main advantage of using iptables-restore is avoidance of
> race conditions. A secondary advantage is a speed improvement;
> in my case, the machine boots about 2 seconds faster which can
> be a considerable advantage if you start virtual machines.
>

I was just reiterating that there's not much benefit to save/restore if you're doing things properly (pontification alert!).

I should say first of all that save/restore is perfect for reboots. If you're not *changing* anything, of course save/restore is better, and suffers none of the problems that I mentioned: you don't read it, the output is fed directly as input, no errors should occur...

The bash script is used a couple times a year, and really is there to serve as the specification for what your firewall should do. For example, I'm rebuilding our MX today. I checked the config out of git, ran iptables-config (our script), ran /etc/init.d/iptables save, and the firewall is up and running. When will I run the script again? The next time I rebuild the server? That's certainly the last time I ran it.

We have firewalls that change more often, but not so frequently that the speed would be a problem if it were 1000x slower. The MX firewall is actually updated many times per day and accumulates many rules, but they're inserted/deleted in-place by fail2ban, so a full wipe/reload doesn't occur.

If you have frequently-changing permanent rules -- say, lots of static NAT entries going in/out for new employees -- then you should be doing insert/delete instead of a full reload just the same. But, add the rule to your iptables script (with a comment!) so that you have it on the record. Once every six months or so, run the thing to make sure nobody made a copy/paste error.

Race conditions don't really seem that serious to me. Of course, if you're using iptables for both authorization and authentication, then you're already doing something wrong, and you should fix that instead of trying to make the broken thing run faster. But if not, who cares if you're vulnerable to a brute force attack for 2 seconds? If you're worried about that, implement a password policy. The firewall is the last layer of defense-in-depth; if the absence of a firewall gives you nightmares, the absence of a firewall is not your problem.

All of security is a trade-off, and in my opinion, having human-friendly, easily-readable rules (with error checking) will prevent more problems over time than does eliminating the race condition.
Re: [gentoo-user] using lvm without a partition of type linux LVM
On Sat, Oct 12 2013, thana...@asyr.hopto.org wrote:
> on 10/12/2013 05:40 PM gottl...@nyu.edu wrote the following:
>> copy the lvm partitions to directories on an external disk (ext3)
>
> What command did you use for copying?

cp -ax

rsync is not on the minimal install.

allan
Re: [gentoo-user] Gnat Compile Error
On Sun, Oct 13, 2013 at 03:02:48PM +0200, Silvio Siefke wrote:
> Hello,
>
> i try to install dev-lang/gnat-gcc but the configure phase breaks with
> the msg:
> [...]
>  * ERROR: dev-lang/gnat-gcc-4.5.4::gentoo failed (compile phase):
                            --^
> [...]
> Portage 2.2.1 (default/linux/amd64/13.0/desktop, gcc-4.6.3, glibc-2.15-r3,
> 3.11.3 x86_64)
                                                     ---^
> =
> System Settings
> =
> System uname:
> Linux-3.11.3-x86_64-Intel-R-_Atom-TM-_CPU_N550_@_1.50GHz-with-gentoo-2.2
> [...]
> sys-devel/gcc: 4.6.3, 4.7.3-r1
                 ^^^
> [...]
> [14:10:56][ Akku: 99% ][root@gentoomobile:/home/siefke]# emerge -pqv
> =dev-lang/gnat-gcc-4.5.4::gentoo
> [ebuild N] dev-lang/gnat-gcc-4.5.4 USE="nls"
                               ---^^

You want to install gnat-gcc for a gcc version you don't have. You have gcc 4.6.3 and 4.7.3 installed (with 4.6.3 active). Unfortunately, my eix doesn't report me any gnat-gcc newer than 4.5. So I'm not sure how to proceed here apart from installing gcc-4.5.4, which is still in portage, but then of course you only have gnat in that old version.

--
Gruß | Greetings | Qapla’
Please do not share anything from, with or about me with any Facebook service.
Sent from my toilet.
[gentoo-user] Re: scripted iptables-restore
Michael Orlitzky wrote:
> On 10/13/2013 06:08 AM, Martin Vaeth wrote:
>>>> 5. You can't script iptables-restore!
>>>
>>> Well, actually you can script iptables-restore.
>>
>> For those who are interested:
>> net-firewall/firewall-mv from the mv overlay
>> (available over layman) now provides a separate
>> firewall-scripted.sh
>> which can be conveniently used for such scripting.
>>
> [...]
> If you have a million rules and you need to wipe/reload them all
> frequently you're probably doing something wrong to begin with.

I don't know how this is related with the discussion. The main advantage of using iptables-restore is avoidance of race conditions. A secondary advantage is a speed improvement; in my case, the machine boots about 2 seconds faster which can be a considerable advantage if you start virtual machines.

> With bash [...]

(I would use a POSIX shell because it is considerably faster, but this need not be discussed here.)

That's why I said that it can be scripted (which was my motivation to write firewall-scripted.sh): firewall-scripted.sh (or some similar script) gives you exactly the same advantages, but without races, and faster. In your example:

> function static_nat() {
>   iptables -t nat -A PREROUTING -d "${2}" -j DNAT --to "${1}"
>   iptables -t nat -A POSTROUTING -s "${1}" -j SNAT --to "${2}"
> }

Essentially, you just have to replace "iptables" by "FwmvTables 4". If you are too lazy to use a text editor or to replace "iptables" by a variable (like $iptables) you can do this even by defining the function:

  iptables() {
    FwmvTables 4 "${@}"
  }

Then you just put in front of your script the line

  . firewall-scripted.sh

and in the end (or before you call exit):

  FwmvSet 4

That's it...

> I'm not saying you can't do all of this with iptables-restore, just that
> you're punishing yourself for little benefit if you do.

*Using* firewall-scripted.sh is as convenient as using iptables directly (you just replace one command and add two lines to your script). Of course, the disadvantage is that some day firewall-scripted.sh might break with iptables (and that maybe the script still has bugs...). As I said, it would be better if something similar would be provided by iptables itself. But the advantages are clear.
[gentoo-user] {OT} proper way to submit a kernel crash bug report?
I have a vmcore file from a kernel crash and I'm trying to figure out how to turn it into a bug report on kernel.org. What do they want to see? I've installed 'crash' but I get:

# crash vmcore
crash: namelist argument required

or:

crash /boot/kernel-3.10.15 vmcore
crash: /boot/kernel-3.10.15: not a supported file format

I'm not even sure they'll accept 'crash' analysis.

- Grant
Re: [gentoo-user] scripted iptables-restore
On 10/13/2013 06:08 AM, Martin Vaeth wrote:
>>> 5. You can't script iptables-restore!
>>
>> Well, actually you can script iptables-restore.
>
> For those who are interested:
> net-firewall/firewall-mv from the mv overlay
> (available over layman) now provides a separate
> firewall-scripted.sh
> which can be conveniently used for such scripting.
>

You snipped the rest of my point =)

> You can write a bash script that writes an iptables-restore script to
> accomplish the same thing, but how much complexity are you willing to
> add for next to no benefit?

If you have a million rules and you need to wipe/reload them all frequently you're probably doing something wrong to begin with.

With bash, you can leverage all of the features of bash that everybody already knows. You can read files, call shell commands, pipe between them, etc. You can write bash functions to avoid repetitive commands. You can write inline comments to explain what the rules do.

Something like,

  # A function which sets up a static mapping between an external IP
  # address and an internal one.
  #
  # USAGE: static_nat
  #
  function static_nat() {
    iptables -t nat -A PREROUTING -d "${2}" -j DNAT --to "${1}"
    iptables -t nat -A POSTROUTING -s "${1}" -j SNAT --to "${2}"
  }

can make your iptables script a lot cleaner, and it conveys your intent better when the rule is created:

  # Danny likes to torrent "linux isos" at work so he needs a public ip
  static_nat 192.168.1.x 1.2.3.x

I'm not saying you can't do all of this with iptables-restore, just that you're punishing yourself for little benefit if you do.
[gentoo-user] Re: Where to put advanced routing configuration?
shawn wilson wrote:
> On Fri, Oct 4, 2013 at 5:58 PM, Michael Orlitzky wrote:
>
>>
>> 1. The iptables-restore syntax is uglier and harder to read.
>
> I don't get this - the syntax is [...]
> What am I missing or how is this uglier?

Argument separation (e.g. if you have arguments with spaces); it seems to work most of the time if you quote into "..." and escape backslash and doublequote signs inside with backslash (this is what the mentioned script of firewall-mv does), but there are cases where this is not accepted; e.g. quoting every word was not accepted. Since the format is undocumented, this is all ugly trial-and-error, and only the iptables maintainers know whether it remains the same in the next iptables release.
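As an added example (not code from firewall-mv, iptables or anyone in this thread), the following POSIX shell script ties together three points made above: the iptables() wrapper Martin suggests, so an existing script such as Michael's static_nat keeps working unchanged; output in iptables-restore syntax, so the whole ruleset can be loaded in one atomic step with iptables-restore or with `iptables-apply -t 180 <(...)` as described in the iptables-apply message; and the argument-quoting convention Martin describes just above (quote only arguments that need it, backslash-escaping \ and " inside, since quoting every word is not accepted). All fw_* names, the sample addresses and the ssh rule are this example's own assumptions, and it never touches the kernel; it only prints the restore file.

```shell
#!/bin/sh
# Added example; not code from firewall-mv, iptables or anyone in the thread.
# fw_* and the iptables() wrapper are this example's own names.
#
# A tiny "preprocessor" in the spirit of firewall-scripted.sh: the iptables()
# shell function only RECORDS each rule, and fw_emit prints the whole set in
# iptables-restore syntax. The kernel then gets all tables in one atomic load
# (iptables-restore, or iptables-apply for a timed rollback) instead of one
# iptables process per rule, so a half-built ruleset is never in effect.

FW_TAB=$(printf '\t')
FW_NL='
'
FW_CHAINS=""   # lines: table TAB chain TAB policy  (from -P and -N)
FW_RULES=""    # lines: table TAB rule-text          (everything else)

# Quote one argument for the restore file if it contains anything outside a
# conservative safe set: wrap it in "..." and backslash-escape \ and ", the
# convention the thread describes for arguments with spaces. Plain tokens
# stay bare, because quoting every word is not accepted by iptables-restore.
fw_quote() {
    case $1 in
        *[!A-Za-z0-9_./:,=+@-]*)
            printf '"%s"' "$(printf '%s' "$1" | sed 's/[\\"]/\\&/g')" ;;
        *)  printf '%s' "$1" ;;
    esac
}

# Drop-in front end with the iptables command-line shape:
#   iptables [-t table] -P chain policy     -> ":chain policy [0:0]"
#   iptables [-t table] -N chain            -> ":chain - [0:0]"
#   iptables [-t table] <rule arguments>    -> the arguments, quoted as needed
# Nothing touches the kernel; everything is buffered for fw_emit.
iptables() {
    table=filter
    if [ "$1" = "-t" ]; then table=$2; shift 2; fi
    case $1 in
        -P) FW_CHAINS="${FW_CHAINS}${table}${FW_TAB}$2${FW_TAB}$3${FW_NL}"; return 0 ;;
        -N) FW_CHAINS="${FW_CHAINS}${table}${FW_TAB}$2${FW_TAB}-${FW_NL}"; return 0 ;;
    esac
    line=""
    for arg in "$@"; do
        line="${line:+$line }$(fw_quote "$arg")"
    done
    FW_RULES="${FW_RULES}${table}${FW_TAB}${line}${FW_NL}"
}

# Print everything recorded so far as one "*table ... COMMIT" block per table,
# tables in first-use order, chain declarations before rules.
fw_emit() {
    tables=$(printf '%s' "${FW_CHAINS}${FW_RULES}" | cut -f1 | awk '!seen[$0]++')
    for table in $tables; do
        printf '*%s\n' "$table"
        printf '%s' "$FW_CHAINS" | awk -F "$FW_TAB" -v t="$table" \
            '$1 == t { printf ":%s %s [0:0]\n", $2, $3 }'
        printf '%s' "$FW_RULES" | awk -F "$FW_TAB" -v t="$table" '$1 == t { print $2 }'
        printf 'COMMIT\n'
    done
}

# The helper from the thread, unchanged: with the wrapper above it records
# two nat rules instead of running two iptables processes.
static_nat() {
    iptables -t nat -A PREROUTING -d "$2" -j DNAT --to "$1"
    iptables -t nat -A POSTROUTING -s "$1" -j SNAT --to "$2"
}

# The laptop ruleset from the thread, one rule with a spaced --comment
# argument, and one static NAT mapping; prints the restore file to stdout.
# Addresses are constructed sample values.
fw_demo() {
    FW_CHAINS=""; FW_RULES=""
    iptables -P INPUT DROP
    iptables -P FORWARD DROP
    iptables -P OUTPUT ACCEPT
    iptables -A INPUT -i lo -j ACCEPT
    iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    iptables -A INPUT -m conntrack --ctstate INVALID -j DROP
    for icmp_type in 0 3 4 8 11 12; do
        iptables -A INPUT -p icmp --icmp-type "$icmp_type" -j ACCEPT
    done
    iptables -A INPUT -p tcp --dport 22 -s 192.168.1.0/24 \
        -m comment --comment "ssh from the office lan" -j ACCEPT
    static_nat 192.168.1.10 203.0.113.10
    fw_emit
}

# Loading it (not run here):      fw_demo | iptables-restore
# or, with a 180 s automatic rollback (bash process substitution):
#                                  iptables-apply -t 180 <(fw_demo)
fw_demo
```

Because the wrapper only records, syntax errors surface at load time rather than per command; as Martin notes, iptables-restore reports them with a line number, so a wrong rule is found by counting lines in the generated file. The generated file declares chains with `:CHAIN POLICY [0:0]` only where a `-P` or `-N` was issued; built-in chains that are not declared keep their current policy when the table is loaded.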
Re: [gentoo-user] Where to put advanced routing configuration?
On 10/13/2013 06:26 AM, shawn wilson wrote:
> On Fri, Oct 4, 2013 at 5:58 PM, Michael Orlitzky wrote:
>
>>
>> 1. The iptables-restore syntax is uglier and harder to read.
>
> I don't get this - the syntax is *chain and then :tables (with
> optional counters) instead of -N, and then a bunch of rules, and then
> a COMMIT command (the only thing you don't get on the command line.
> What am I missing or how is this uglier?
>

That's not the syntax, because there is no syntax, but let's forget that point anyway because it's subjective.
[gentoo-user] Gnat Compile Error
Hello,

i try to install dev-lang/gnat-gcc but the configure phase breaks with the msg:

checking for x86_64-pc-linux-gnu-gcc... /var/tmp/portage/dev-lang/gnat-gcc-4.5.4/work/usr/bin/gnatgcc
checking for C compiler default output file name...
configure: error: in `/var/tmp/portage/dev-lang/gnat-gcc-4.5.4/work/build':
configure: error: C compiler cannot create executables
See `config.log' for more details.
 * ERROR: dev-lang/gnat-gcc-4.5.4::gentoo failed (compile phase):
 *   configure failed

I try with different versions and I try with dev-lang/gnat-gpl, the same comes. Other programs can compile without error.

Thanks for help & Greetings
Silvio

[14:10:56][ Akku: 99% ][root@gentoomobile:/home/siefke]# emerge --info =dev-lang/gnat-gcc-4.5.4::gentoo
Portage 2.2.1 (default/linux/amd64/13.0/desktop, gcc-4.6.3, glibc-2.15-r3, 3.11.3 x86_64)
=
System Settings
=
System uname: Linux-3.11.3-x86_64-Intel-R-_Atom-TM-_CPU_N550_@_1.50GHz-with-gentoo-2.2
KiB Mem: 1003604 total, 86348 free
KiB Swap: 2047996 total, 1963324 free
Timestamp of tree: Sun, 13 Oct 2013 11:00:01 +
ld GNU ld (GNU Binutils) 2.23.1
app-shells/bash: 4.2_p45
dev-java/java-config: 2.1.12-r1
dev-lang/python: 2.7.5-r2, 3.2.5-r2
dev-util/cmake: 2.8.10.2-r2
dev-util/pkgconfig: 0.28
sys-apps/baselayout: 2.2
sys-apps/openrc: 0.11.8
sys-apps/sandbox: 2.6-r1
sys-devel/autoconf: 2.13, 2.69
sys-devel/automake: 1.10.3, 1.11.6, 1.13.4
sys-devel/binutils: 2.23.1
sys-devel/gcc: 4.6.3, 4.7.3-r1
sys-devel/gcc-config: 1.7.3
sys-devel/libtool: 2.4.2
sys-devel/make: 3.82-r4
sys-kernel/linux-headers: 3.9 (virtual/os-headers)
sys-libs/glibc: 2.15-r3
Repositories: gentoo multimedia sabayon hardened-dev pentoo
ACCEPT_KEYWORDS="amd64"
ACCEPT_LICENSE="* -@EULA"
CBUILD="x86_64-pc-linux-gnu"
CFLAGS="-O2 -march=atom -mtune=atom -mssse3 -mfpmath=sse -fomit-frame-pointer -pipe"
CHOST="x86_64-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/share/gnupg/qualified.txt"
CONFIG_PROTECT_MASK="/etc/ca-certificates.conf /etc/dconf /etc/env.d /etc/fonts/fonts.conf /etc/gconf /etc/gentoo-release /etc/php/apache2-php5.5/ext-active/ /etc/php/cgi-php5.5/ext-active/ /etc/php/cli-php5.5/ext-active/ /etc/revdep-rebuild /etc/sandbox.d /etc/terminfo"
CXXFLAGS="-O2 -march=atom -mtune=atom -mssse3 -mfpmath=sse -fomit-frame-pointer -pipe"
DISTDIR="/usr/portage/distfiles"
FCFLAGS="-O2 -pipe"
FEATURES="assume-digests binpkg-logs config-protect-if-modified distlocks ebuild-locks fixlafiles merge-sync news parallel-fetch protect-owned sandbox sfperms strict unknown-features-warn unmerge-logs unmerge-orphans userfetch userpriv usersandbox usersync"
FFLAGS="-O2 -pipe"
GENTOO_MIRRORS="http://ftp.halifax.rwth-aachen.de/gentoo/"
LANG="de_DE.UTF-8"
LDFLAGS="-Wl,-O1 -Wl,--as-needed"
MAKEOPTS="-j3"
PKGDIR="/usr/portage/packages"
PORTAGE_CONFIGROOT="/"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --omit-dir-times --compress --force --whole-file --delete --stats --human-readable --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY="/var/lib/layman/multimedia /var/lib/layman/sabayon /var/lib/layman/hardened-development /var/lib/layman/pentoo"
USE="X a52 aac acl acpi alsa amd64 berkdb bindist bluetooth branding bzip2 cairo cdda cdr cli consolekit cracklib crypt cups cxx dbus dri dts dvd dvdr emboss encode exif fam firefox flac fortran gdbm gif gpm gtk iconv ipv6 jpeg lcms libnotify mad mmx mng modules mp3 mp4 mpeg mudflap multilib ncurses nls nptl ogg opengl openmp pam pango pcre pdf png policykit ppds python qt3support qt4 readline sdl session spell sse sse2 ssl startup-notification svg tcpd tiff truetype udev udisks unicode upower usb vaapi vorbis wxwidgets x264 xcb xml xv xvid zlib"
ABI_X86="64"
ALSA_CARDS="intel_hda"
APACHE2_MODULES="authn_core authz_core socache_shmcb unixd actions alias auth_basic authn_alias authn_anon authn_dbm authn_default authn_file authz_dbm authz_default authz_groupfile authz_host authz_owner authz_user autoindex cache cgi cgid dav dav_fs dav_lock deflate dir disk_cache env expires ext_filter file_cache filter headers include info log_config logio mem_cache mime mime_magic negotiation rewrite setenvif speling status unique_id userdir usertrack vhost_alias"
CALLIGRA_FEATURES="kexi words flow plan sheets stage tables krita karbon braindump author"
CAMERAS="ptp2"
COLLECTD_PLUGINS="df interface irq load memory rrdtool swap syslog"
ELIBC="glibc"
GPSD_PROTOCOLS="ashtech aivdm earthmate evermore fv18 garmin garmintxt gpsclock itrax mtk3301 nmea ntrip navcom oceanserver oldstyle oncore rtcm104v2 rtcm104v3 sirf superstar2 timing tsip tripmate tnt ubx"
INPUT_DEVICES="evdev vo
Re: [gentoo-user] Network failed and weird error message
Dale wrote:
> Alan McKinnon wrote:
>>
>> Basically, it looks like you have a once-off event.
>>
>> Until it happens again, very little you can do wrt troubleshooting
>>
>>
>>
> I agree. It ran for days with no problems that I saw. Sure is weird
> tho. I just wonder if something outside the puter happened and
> triggered something. Who knows.
>
> Dale
>
> :-) :-)
>

Still no fix on the error message. Maybe it is hardware and related to this?

I started having issues with the network again. This time, it wasn't just browsers. It would be other stuff like Pidgin and such. Generally restarting the network corrected the problem, after restarting the other programs too since they would hang up. Anyway, I got tired of this so I pulled an ethernet card from my junk drawer, pulled some hair out trying to find the dmfe driver in the kernel and got it working. Since moving away from the ethernet that is built into the mobo and to this card, not an issue yet. I have not had a single hiccup. So, as with my last rig, the ethernet port on the mobo just starts to suck after a while it seems. :/

Now I just wish I could figure out this other USB issue. I suspect it could be a hardware issue. I may have to upgrade my rig after all and I don't really want to do that and may not be able to right away.

Memory question. The mobo I have uses this: "Support for DDR3 1666(OC)/1333/1066 MHz memory modules" I have the 1666 on here. It was what was on sale. :-D The new mobo calls for this: "DDR3 2000(OC)/1866/1600/1333/1066" Are the two compatible? Both are DDR3.

Thanks.

Dale

:-) :-)

--
I am only responsible for what I said ... Not for what you understood or how you interpreted my words!
Re: [gentoo-user] Where to put advanced routing configuration?
On Fri, Oct 4, 2013 at 5:58 PM, Michael Orlitzky wrote:
>
> 1. The iptables-restore syntax is uglier and harder to read.

I don't get this - the syntax is *chain and then :tables (with optional counters) instead of -N, and then a bunch of rules, and then a COMMIT command (the only thing you don't get on the command line). What am I missing or how is this uglier?
[gentoo-user] scripted iptables-restore (was: Where to put advanced routing configuration?)
>> 5. You can't script iptables-restore!
>
> Well, actually you can script iptables-restore.

For those who are interested: net-firewall/firewall-mv from the mv overlay (available over layman) now provides a separate firewall-scripted.sh which can be conveniently used for such scripting.
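The iptables-restore format discussed in the two messages above, as an added example that is not from the thread or from firewall-mv: a POSIX shell script that generates a ruleset from variables, checks its structure, and would load it atomically with one iptables-restore call. TCP_PORTS and LAN_IF are constructed sample values, and the generated policy (default DROP inbound, allow loopback, established connections and a few TCP ports) is an assumption for the demonstration.

```shell
#!/bin/sh
# Added example, not code from the thread or from firewall-mv: build an
# iptables-restore ruleset from shell variables so the rules are scripted
# but still loaded atomically with a single iptables-restore call.
# TCP_PORTS and LAN_IF are constructed sample values.
TCP_PORTS="22 80 443"
LAN_IF="eth0"

gen_ruleset() {
    # iptables-restore syntax, table by table: a '*table' header,
    # ':CHAIN POLICY [packets:bytes]' lines, rules in plain iptables
    # argument form, and a COMMIT closing the table.
    printf '%s\n' '*filter'
    printf '%s\n' ':INPUT DROP [0:0]'
    printf '%s\n' ':FORWARD DROP [0:0]'
    printf '%s\n' ':OUTPUT ACCEPT [0:0]'
    printf '%s\n' '-A INPUT -i lo -j ACCEPT'
    printf '%s\n' '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    printf '%s\n' '-A INPUT -m conntrack --ctstate INVALID -j DROP'
    for p in $TCP_PORTS; do
        printf '%s\n' "-A INPUT -i $LAN_IF -p tcp --dport $p -m conntrack --ctstate NEW -j ACCEPT"
    done
    printf '%s\n' '-A INPUT -j LOG --log-prefix "fw-drop: "'
    printf '%s\n' 'COMMIT'
}

check_ruleset() {
    # Structural check on stdin before loading: every '*table' is closed
    # by COMMIT, and no chain or rule line appears outside a table.
    awk '
        /^\*/        { if (open) bad = 1; open = 1; next }
        /^COMMIT$/   { if (!open) bad = 1; open = 0; next }
        /^[:-]/      { if (!open) bad = 1; next }
        /^#/ || /^$/ { next }
                     { bad = 1 }
        END          { exit ((bad || open) ? 1 : 0) }'
}

apply_ruleset() {
    # Replace the whole filter table in one step: iptables-restore loads
    # the ruleset atomically, so there is no half-applied window.
    gen_ruleset | check_ruleset && gen_ruleset | iptables-restore
}

# Uncomment to apply on a real host (needs root and the conntrack match):
# apply_ruleset
```

Run `gen_ruleset` alone to inspect the text that would be fed to iptables-restore; `iptables-restore --test` can also be pointed at it before applying.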
Re: [gentoo-user] using lvm without a partition of type linux LVM
Mick wrote:
> On Sunday 13 Oct 2013 00:07:56 Thanasis wrote:
>> on 10/12/2013 05:40 PM gottl...@nyu.edu wrote the following:
>>> copy the lvm partitions to directories on an external disk (ext3)
>>
>> What command did you use for copying?
>
> You can use rsync, scp or (s)tar.
>
> Personally I prefer star with the copy option.
>
> Word of warning: check that the attributes and mod times are as you want
> them, especially with rsync which with the -a parameter preserves the source
> directory/machine ownership, rather than the expected destination defaults.

When I do a copy on a setup like this, I just use cp -a. Add the v if you want to see what it is doing. I have used it many times and it works just fine. Clean and simple. If over a network or something tho, it gets complicated pretty quickly.

Dale

:-) :-)

--
I am only responsible for what I said ... Not for what you understood or how you interpreted my words!