| 12 Jun 2021 |
Mic92 | I rage quit debugging k8s firewall rules. They go beyond my understanding :) | 17:41:39 |
rager | I'm not far from there | 17:42:03 |
Mic92 | I guess that's why people just put k8s in another container | 17:42:04 |
rager | put it in a VM, and I can see that making sense | 17:42:17 |
rager | else, it's all the same kernel | 17:42:23 |
rager | or is namespace enough to make the rules happen when you "want" them to? | 17:43:12 |
Mic92 | I know how to write network drivers or extend systemd-networkd but I don't understand k8s firewall rules :) | 17:43:24 |
Mic92 | In reply to @rager:synapse.lickmy.app or is namespace enough to make the rules happen when you "want" them to? yes, a network namespace should be sufficient. | 17:43:42 |
rager | I think my iptables issue comes down to these two snippets:
-N nixos-nat-pre
-A PREROUTING -m comment --comment "kubernetes service portals" -j KUBE-SERVICES
-A PREROUTING -j nixos-nat-pre
and
-A nixos-nat-pre -i eno1 -p tcp -m tcp --dport 6666 -j DNAT --to-destination 10.10.142.1:22
-A nixos-nat-pre -i eno1 -j DNAT --to-destination 10.0.0.75
(context: https://hastebin.com/ijusozofeb.yaml)
| 22:49:47 |
rager | though I'm not sure what happens after a packet gets dnat'd to an ip that corresponds to a device on the same host | 22:50:33 |
rager | because I'm real bad at iptables | 22:50:44 |
casey © | the thing i missed most going from a bsd universe to linux, lack of pf. | 23:14:56 |
rager | ok... I got it to work | 23:38:48 |
rager | step 1: don't configure anything from nixos any more | 23:39:03 |
rager | step 2: add an externalIP to my traefik service | 23:39:16 |
rager | now everything is everything | 23:39:26 |
| 13 Jun 2021 |
Mic92 | * I know how to write network drivers or extend systemd-networkd but I don't understand k8s firewall rules :) | 06:49:01 |
Mic92 | In reply to @rager:synapse.lickmy.app now everything is everything wise words :) | 06:50:01 |
Mic92 | In reply to @casey:hubns.net the thing i missed most going from a bsd universe to linux, lack of pf. nftables with nflog devices goes at least partially in this direction. The only issue is the poor adoption at the moment. But this might change this year. | 06:51:19 |
eyJhb | In reply to @joerg:bethselamin.de nftables with nflog devices goes at least partially in this direction. The only issue is the poor adoption at the moment. But this might change this year. What happens this year? | 07:01:26 |
Mic92 | In reply to @eyjhb:eyjhb.dk What happens this year? Debian has adopted iptables-nftables. We had a similar PR, but systemd support for nftables was not finished. This is now the case. So we could make the jump unless other blockers are found. | 07:02:26 |
rager | meanwhile, other people are trying to replace both with a new bpf setup | 08:19:22 |
Mic92 | Yeah. I saw that. How are these efforts going? | 09:26:42 |
Mic92 | I just saw that there are discussions to remove bpfilter again. | 09:28:45 |
keithy | on reboot network-setup is failing with Error: Nexthop has invalid gateway. any ideas? | 13:54:00 |
hexa | many ideas | 13:57:01 |
hexa | nexthop (gateway) address could be on a) network or b) broadcast address | 13:57:17 |
hexa | it could be outside of the L3 domain | 13:57:47 |
hexa | and you always need L2 access to use a gateway | 13:57:57 |