| 4 Aug 2025 |
 hexa | also boo, we're still using iptables | 18:57:17 |
| 5 Aug 2025 |
 @emma:rory.gay | or youre using the nftables wrapper lol | 02:59:30 |
| hexa | the nixos default 🤷 | 03:00:29 |
| hexa | quite a bit of technical debt in there | 03:00:51 |
| @emma:rory.gay | yeah, thats the nftables wraper | 03:02:10 |
| @emma:rory.gay | iptables v1.8.11 (nf_tables) | 03:02:18 |
| @emma:rory.gay | glad that still exists because i have no clue how to manage nftables | 03:02:46 |
| hexa | systemd.services.nft-update-tor-exits = {
wantedBy = [ "nftables.service" ];
after = [ "nftables.service" ];
startAt = "hourly";
script = ''
curl -sSL "https://check.torproject.org/cgi-bin/TorBulkExitList.py?exit" | sed '/^#/d' | while read IP; do
nft add element inet filter torexits { $IP }
done
'';
path = with pkgs; [
curl
nftables
];
};
| 03:10:29 |
| hexa | set torexits {
type ipv4_addr;
flags dynamic, timeout;
timeout 6h;
}
| 03:11:00 |
| hexa | basically you can create a datatype, e.g. a set | 03:11:06 |
| hexa | and add to it, and have entries timeout automatically | 03:11:14 |
| hexa | and then match on that set | 03:11:31 |
| hexa | ip saddr @torexits counter drop
| 03:11:38 |
|  sinan changed their profile picture. | 03:58:54 |
| sinan | 03:58:56 |
 Arian | I love nftables so much | 07:00:42 |
| Arian | Systemd also creates a set for each cgroup automatically which is nice | 07:01:01 |
 Janne | In reply to @arianvp:matrix.org
Systemd also creates a set for each cgroup automatically which is nice With what in it? 😳 | 07:54:47 |
|  isabel changed their profile picture. | 09:49:48 |
| Arian | The cgroup id | 19:38:42 |
| Arian | But means you can refer to cgroups by name in nft rules | 19:39:16 |
| Arian | (as opposed to having to use the unstable cgroup id) | 19:39:27 |
| 6 Aug 2025 |
| Janne | In reply to @arianvp:matrix.org
The cgroup id Do I need to enable something for this to work? Or do I have to use the latest version? Because I don't see anything like this in my ruleset | 09:05:56 |
| Arian | https://www.freedesktop.org/software/systemd/man/latest/systemd.resource-control.html#NFTSet=family:table:set | 18:19:19 |
 j-k | Is discourse.nixos.org down? I'm getting 502 errors from nginx and isitdownrightnow.com seems to get the same result | 19:21:03 |
 sorrel | mhm, also seems very slow to me when it responds at all | 19:24:20 |
 [0x4A6F] | Still up here. | 19:27:49 |
| [0x4A6F] | * Still up here. With banner: Due to extreme load, this is temporarily being shown to everyone as a logged out user would see it. | 19:28:29 |
 Christian Theune | yeah, we got hit by the same ceph bug as yesterday. i've found a trigger that we can stop from triggering for now so this shouldn't become a regular thing ... -_- | 19:36:50 |
| Christian Theune | things should be back to normal | 19:37:07 |
