20 Jan 2025 |
| abyxcos set a profile picture. | 18:01:03 |
| @snaki:kescher.at changed their display name from emily 🐾 to zemily 🐾. | 20:45:43 |
| @snaki:kescher.at changed their display name from zemily 🐾 to emily 🐾. | 20:50:32 |
21 Jan 2025 |
| emily 🐾 joined the room. | 00:42:43 |
| @snaki:kescher.at left the room. | 00:43:18 |
magic_rb | What would be the best way to send a packet back to userspace from nftables when said packet matches some rule? I specifically need to know when a service sends a packet to any dst:port unless the src:sport-dst:dport combination is already in a set | 07:38:40 |
magic_rb | I can think of using the connmark for that somehow, or logging the packet | 07:39:11 |
magic_rb | I want to implement a wireguard multiplexer, specifically my idea is that for a source which is unknown, send it to all wireguard servers and then for whichever responds create a dnat | 07:41:18 |
magic_rb | So essentially have an nftables rule which duplicates all packets to all wireguard servers. Before that have a set of known "connections" and whenever a wireguard server sends a packet out to some destination add that src dst pair into the set of known connections | 07:45:19 |
| Joel joined the room. | 12:11:25 |
AngryAnt | Has anyone here managed to get nixos container port forwarding going? I have tried a bunch of different bridging methods, but while both ends get established and can ping through, I have not at any point seen a port actually open on the host. All I need is for the host to be able to reach the container service.
This is my approach: https://gist.github.com/AngryAnt/c93aa189e60cb91b2343e5b696e87628
And this has been my basis: https://github.com/NixOS/nixpkgs/blob/master/nixos/tests/containers-portforward.nix | 15:05:58 |
AngryAnt | Aside from pings and just connecting to the service, I have also tested via netstat -tuplen on host and from inside the container. | 15:07:15 |
AngryAnt | hostIP is 127.0.0.2, containerIP 127.0.0.3, and serviceIP 0.0.0.0. | 15:08:36 |
magic_rb | @angryant:envs.net a few thoughts:
- You won't see the port on the host via netstat, the port isn't technically open, iptables does dnat instead
- Using local ip ranges for containers is weird, idk if it can have an impact on the thing working, but I'd try with different IPs if I were you
- Run tcpdump in and outside the container to gather information about the packet flow
| 15:30:32 |
magic_rb |
- Are you running any kind of firewall except the normal nixos firewall on the host?
| 15:31:04 |
magic_rb | * @angryant:envs.net a few thoughts:
- You won't see the port on the host via netstat, the port isn't technically open, iptables does dnat instead
- Using local ip ranges for containers is weird, idk if it can have an impact on the thing working, but I'd try with different IPs if I were you
- Run tcpdump in and outside the container to gather information about the packet flow
| 15:33:31 |
AngryAnt | No other firewalls. Good tip about IPs and tools - will give those a go when back on the machine in an hour or two. Thanks! | 16:37:46 |
AngryAnt | Excellent call on those IPs. Swapping them out instantly made mapping available. Just working on having the outgoing connections from the proxy run properly now and then it's all wrapped up! Thanks again :) | 17:32:34 |
AngryAnt | It's almost perfect. I'm only left wondering if it is possible to not have to specify the default gateway by IP, given that the corresponding interface is using DHCP: https://gist.github.com/AngryAnt/c93aa189e60cb91b2343e5b696e87628#file-proxy-nix-L19 | 18:33:06 |
| @rootname:matrix.org removed their display name rootname. | 19:55:51 |
| @rootname:matrix.org left the room. | 20:00:17 |
22 Jan 2025 |
| emily 🐾 changed their profile picture. | 12:34:10 |
23 Jan 2025 |
| TheDragon changed their profile picture. | 23:45:10 |
| TheDragon changed their profile picture. | 23:51:34 |
24 Jan 2025 |
| TheDragon changed their profile picture. | 01:18:39 |
26 Jan 2025 |
alina🏳️⚧️🐾 | what is everyone's opinion on the tinc vpn? | 13:59:39 |
alina🏳️⚧️🐾 | I'm thinking about using it instead of wireguard for my mesh network | 13:59:55 |
hexa | outdated | 14:03:29 |
hexa | wants too many things at once | 14:03:49 |
hexa | binds raw to an interface, which makes it use many cpu cycles on busy links | 14:04:06 |