
List:       leaf-user
Subject:    Re: [leaf-user] Notes on upgrading to version 7.3.0
From:       John Sager <john () sager ! me ! uk>
Date:       2024-04-18 19:07:50
Message-ID: 8df9abf3-7768-48d8-9b67-8881c6caabc6 () sager ! me ! uk

kp,

I am glad it builds for other architectures. I have rebuilt it with your 
mods successfully. I haven't yet tested it on my firewall but the nft and 
libnftables binaries are the same size as I would expect.

The nftables documentation is deficient for the libnftables API though 
Debian has a man page for it so, yes, the separation of the library makes sense.

regards,

John

On 18/04/2024 16:31, KP.Kirchdoerfer wrote:
> Hi John;
> 
> On Monday, 15 April 2024, 16:57:59 CEST, John Sager wrote:
>> kp,
>>
>> I have just pushed a new branch 'nftables-test' to the repository. This has
>> the commit for the nftables stuff - conf/sources.d/nftables.cfg and
>> repo/nftables/.
>>
>> Sorry it has taken so long to do but I have been busy with other things. I
>> have only tested it on x86-64 as that is my only test environment.
> 
> Thx a lot for the contribution!
> 
> It builds fine for all architectures.
> 
> I've committed a change in your branch separating the libs in their own
> package.
> It was an early design decision for LEAF Bering-uClibc to separate tools from
> libs wherever possible - that way a user can use the libs with other tools if
> wanted/needed without installing unwanted binaries.
> nftables.lrp will install libnftables.lrp - so it works as you expect.
> 
> Pls have a look and (hopefully) confirm it works.
> 
> kp
> 
>> regards,
>>
>> John
>>
>> On 08/03/2024 23:02, KP.Kirchdoerfer wrote:
>>> Hi;
>>>
>>> On Friday, 8 March 2024, 11:21:12 CET, John Sager wrote:
>>>> KP,
>>>>
>>>> Ok I'll commit nftables to the git repository but it will be a week or two
>>>> before I can do so. Which branch should I use for the commit?
>>>
>>> I think best would be to branch from master and create a new repository
>>> which can be merged after a bit of testing builds.
>>>
>>> kp
>>>
>>>> regards,
>>>>
>>>> John
>>>>
>>>> On 6 March 2024 16:20:36 GMT, "KP.Kirchdoerfer" <kapeka@bering-uclibc.de> wrote:
>>>>> Hi John;
>>>>>
>>>>> sorry for late reply.
>>>>>
>>>>> On Tuesday, 6 February 2024, 11:45:27 CET, John Sager wrote:
>>>>>> I've been using version 7.0.2 on a PC Engines APU2C2 as my border
>>>>>> router/firewall for a couple of years and I decided to upgrade to version
>>>>>> 7.3.0, it being the latest release. I don't use the 'upgrade' tool but
>>>>>> instead I have three partitions on the SD card - a vfat boot partition and
>>>>>> two ext4 partitions for old and new versions. This makes it easy to just
>>>>>> reboot the old version if the new one misbehaves.
>>>>>
>>>>> Honestly, I do the same - having three versions on my router - old and
>>>>> ultrastable, if everything goes wrong, stable with a current version having
>>>>> usual updates and testing for cutting edge.
>>>>>
>>>>>> Additionally I had moved to using nftables on 7.0.2 to create the firewall
>>>>>> rules and packet marking rules for traffic control. I wanted to try it out
>>>>>> in a real environment. Previously I used hand-crafted iptables rules rather
>>>>>> than shorewall anyway for more flexibility.
>>>>>>
>>>>>> I like nftables so I am sticking with it. For this release I cloned the
>>>>>> bering development git repository on sourceforge to build nftables. I had
>>>>>> to use version 1.0.6 of nftables rather than the latest version (1.0.9)
>>>>>> as it has to work with the release version (1.2.5) of libnftnl. Besides
>>>>>> libnftnl it also needs libmnl (already in initrd, as I eventually
>>>>>> realised), libedit, libgmp and libjansson. Those libraries and all the
>>>>>> other packages are from
>>>>>> Bering-uClibc_7.3.0_x86_64_syslinux_serial115200.tar.gz.
>>>>>>
>>>>>> On first booting into the new version I got errors. nftables didn't work as
>>>>>> I had made a small build error but that was easily fixed. However a couple
>>>>>> of other applications also failed:
>>>>>>
>>>>>> ntpd requires libcap though it isn't listed in ntpd.deplrp, so libcap needs
>>>>>> to go in the list of packages to load in leaf.cfg. This was also raised by
>>>>>> Robert K Coffman jr on leaf-user in August 2023.
>>>>>
>>>>> Yeap, forgot to commit the fix previously, done.
>>>>>
>>>>>> tc requires libxtables. When using iptables, that library would normally
>>>>>> get loaded automatically but I don't use iptables, so libiptbl (where
>>>>>> libxtables lives) goes in the package list in leaf.cfg.
>>>>>
>>>>> It most probably won't do any harm if libiptbl would be added to tc.lrp as
>>>>> requirement.
>>>>>
>>>>>> So far the new version has been working for over 24 hours with no obvious
>>>>>> issues.
>>>>>>
>>>>>> If there is a demand for nftables perhaps it could be added to the
>>>>>> distro? I can supply the config and the repo that I have used
>>>>>> successfully now in two versions of Bering-uClibc as a template.
>>>>>
>>>>> Please do - it will be welcome.
>>>>> As nothing has changed in the git permissions since you've committed the
>>>>> first wireguard packages years ago, you should be able to do so for
>>>>> nftables as well.
>>>>>
>>>>> regards kp
>>>>>
>>>>>> regards,
>>>>>>
>>>>>> John Sager
>>>>>>
>>>>>> ------------------------------------------------------------------------
>>>>>> leaf-user mailing list: leaf-user@lists.sourceforge.net
>>>>>> https://lists.sourceforge.net/lists/listinfo/leaf-user
>>>>>> Support Request -- http://leaf-project.org/
>>>>>
>>>
>>
> 

