| 12 Jun 2021 |
rager | or is namespace enough to make the rules happen when you "want" them to? | 17:43:12 |
Mic92 (Old) | I know how to write network drivers or extend systemd-networkd but I don't understand k8s firewall rules :) | 17:43:24 |
Mic92 (Old) | In reply to @rager:synapse.lickmy.app or is namespace enough to make the rules happen when you "want" them to? yes, a network namespace should be sufficient. | 17:43:42 |
rager | I think my iptables issue comes down to these two snippets:
-N nixos-nat-pre
-A PREROUTING -m comment --comment "kubernetes service portals" -j KUBE-SERVICES
-A PREROUTING -j nixos-nat-pre
and
-A nixos-nat-pre -i eno1 -p tcp -m tcp --dport 6666 -j DNAT --to-destination 10.10.142.1:22
-A nixos-nat-pre -i eno1 -j DNAT --to-destination 10.0.0.75
(context: https://hastebin.com/ijusozofeb.yaml)
| 22:49:47 |
rager | though I'm not sure what happens after a packet gets dnat'd to an ip that corresponds to a device on the same host | 22:50:33 |
rager | because I'm real bad at iptables | 22:50:44 |
casey © | the thing i missed most going from a bsd universe to linux, lack of pf. | 23:14:56 |
rager | ok... I got it to work | 23:38:48 |
rager | step 1: don't configure anything from nixos any more | 23:39:03 |
rager | step 2: add an externalIP to my traefik service | 23:39:16 |
rager | now everything is everything | 23:39:26 |
| 13 Jun 2021 |
Mic92 (Old) | * I know how to write network drivers or extend systemd-networkd but I don't understand k8s firewall rules :) | 06:49:01 |
Mic92 (Old) | In reply to @rager:synapse.lickmy.app now everything is everything wise words :) | 06:50:01 |
Mic92 (Old) | In reply to @casey:hubns.net the thing i missed most going from a bsd universe to linux, lack of pf. nftables with nflog devices goes at least partially in this direction. The only issue is the poor adoption at the moment. But this might change this year. | 06:51:19 |
eyJhb | In reply to @joerg:bethselamin.de nftables with nflog devices goes at least partially in this direction. The only issue is the poor adoption at the moment. But this might change this year. What happens this year? | 07:01:26 |
Mic92 (Old) | In reply to @eyjhb:eyjhb.dk What happens this year? Debian has adopted iptables-nftables. We had a similar PR, but systemd support for nftables was not finished. This is now the case. So we could make the jump unless other blockers are found. | 07:02:26 |
rager | meanwhile, other people are trying to replace both with a new bpf setup | 08:19:22 |
Mic92 (Old) | Yeah. I saw that. How are these efforts going? | 09:26:42 |
Mic92 (Old) | I just saw that there are discussions to remove bpfilter again. | 09:28:45 |
keithy | on reboot network-setup is failing with Error: Nexthop has invalid gateway. any ideas? | 13:54:00 |
hexa | many ideas | 13:57:01 |
hexa | nexthop (gateway) address could be on a) network or b) broadcast address | 13:57:17 |
hexa | it could be outside of the L3 domain | 13:57:47 |
hexa | and you always need L2 access to use a gateway | 13:57:57 |
hexa | not sure who throws that error | 13:58:03 |
keithy | how do I find out what it thinks is configured as the gateway? | 14:05:56 |
keithy | $ ip route
default via 10.11.12.1 dev enp0s10 src 10.11.12.2 metric 202
10.11.12.0/24 dev enp0s10 scope link src 10.11.12.2 metric 202 | 14:06:35 |
Mic92 (Old) | keithy: 10.11.12.1 is your default gateway | 14:10:50 |