IRC Logs for #crux Thursday, 2018-06-14

00:02 <mayfrost> ok I think openssl has errors
00:02 <Workster> rejmerge ?
00:03 <mayfrost> ping doesn't work and I can't do ssl certificates
00:03 <mayfrost> on a fresh install?
00:05 *** john_cephalopoda has joined #crux
00:17 *** elderK has joined #crux
00:17 <ryuo> mayfrost: do you have certificates package installed?
00:18 <mayfrost> not sure
00:18 <mayfrost> what is the name of the package?
00:18 <ryuo> cacertificates? it varies.
00:19 <mayfrost> is installed
00:20 <mayfrost> it indicates the problem is a sslv3 bad record
00:20 <mayfrost> any idea?
00:21 <ryuo> fair chance it's a remote problem then.
00:23 <mayfrost> is the same for a lot of packages
00:59 *** john_cephalopoda has quit IRC
01:39 *** tilman_ has joined #crux
01:58 *** j_v has quit IRC
02:47 *** brian|lfs has joined #crux
02:49 *** _________mavric6 has quit IRC
02:50 *** _________mavric6 has joined #crux
03:23 *** abenz has joined #crux
03:27 *** abenz has quit IRC
03:51 *** s-mutin has joined #crux
05:01 *** abenz has joined #crux
05:10 *** abenz has quit IRC
05:22 *** smolboye has joined #crux
05:27 *** abenz has joined #crux
05:41 *** smolboye has quit IRC
06:03 *** smolboye has joined #crux
06:25 *** jue has joined #crux
06:25 *** jue has quit IRC
06:25 *** jue has joined #crux
06:50 *** abenz has quit IRC
07:47 <frinnst> ping doesn't link with openssl
07:47 <frinnst> oh sorry, had the chat scrolled up
08:05 <cruxbot> [core.git/3.4]: libdevmapper: update to 1.02.147
08:06 <cruxbot> [opt.git/3.4]: [notify] lvm2: update to 2.02.178, new dependency libaio
08:17 *** dlcusa has joined #crux
08:51 *** abenz has joined #crux
08:59 *** abenz has quit IRC
09:12 *** abenz has joined #crux
09:27 *** Workster has quit IRC
09:30 *** smolboye has quit IRC
09:45 *** jue has quit IRC
09:59 *** abenz has quit IRC
10:27 *** abenz has joined #crux
10:36 *** parlos has joined #crux
10:56 *** abenz has quit IRC
11:18 *** john_cephalopoda has joined #crux
11:41 *** xor29ah has joined #crux
12:46 *** parlos has quit IRC
14:59 *** smolboye has joined #crux
15:56 *** elderK has quit IRC
16:13 <crash_> evening :)
16:29 <ryuo> lmao. another Intel-specific CPU vulnerability...
16:44 *** jue has joined #crux
16:44 *** jue has quit IRC
16:44 *** jue has joined #crux
17:02 <frinnst> fun times
17:05 <frinnst> that's one mighty turnaround
17:09 <ryuo> 60% in one month?
17:10 <ryuo> frinnst: it's still quite telling when the insiders aren't holding onto stock. they're just selling it off.
17:17 <pedja> add INTC to compare it to Intel
17:22 <pedja> someone on r/amd had an interesting theory. VIA is funded by Chinese government, and makes 'low-end' CPU's
17:22 *** ryuo has quit IRC
17:23 <pedja> Baidu and a couple of other giant Chinese corps are buying AMD's Epyc by the truckload
17:24 <pedja> if that trend continues, Intel might be in trouble in one of the biggest markets in the world
17:26 *** ryuo has joined #crux
17:28 <ryuo> amusing. i can tell 'ip' doesn't use getopt.
17:28 <ryuo> Option "-sh" is unknown, try "ip -help".
17:29 <ryuo> doesn't consider this to be the same as ip -s -h
17:31 <pedja> I sometimes wonder why some apps, when you pass -h, --help, or any variation of it, don't exit with 0
17:32 <ryuo> pedja: theory: because you wouldn't be doing that from a shell script under normal conditions. ergo, it makes sense to signal an abnormal exit case.
17:32 <pedja> since, iirc, 0 is 'success'
17:33 <pedja> ryuo, ah. that makes sense
17:34 <ryuo> either way, the exit code doesn't usually matter to an interactive usage of it.
17:34 <ryuo> But, it does to scripting.
17:35 <ryuo> it could be said to be an error to use help options in an automation script.
17:35 <ryuo> so, exiting non-zero can detect incorrect usage of the utility.
17:35 <ryuo> or signal it anyway.
17:39 <pedja> I am curious. is there a POSIX standard for passing options? I've seen single dash, double dash, no dash
17:39 <ryuo> pedja: probably, as posix defines getopt.
17:43 <pedja> thanks, ryuo, that was an interesting read :)
17:45 <pedja> I didn't know that 9 was/is the limit for command name
17:51 <pedja> so 'openMVG_main_geodesy_registration_to_gps_position' is 40 chars over limit
18:02 *** onodera has joined #crux
18:04 <jaeger> hrmm.. I wonder if there's a limit on the number of iptables rules in a chain
18:05 <jaeger> some quick searching makes it sound like "not one about which I need to worry"
18:09 <ryuo> i wonder when nftables will take over.
18:10 <ryuo> it's starting to look like iptables is too entrenched to dislodge.
18:11 <ryuo> if anyone's into this kind of thing.
18:28 *** jue has quit IRC
18:46 <joacim> hope you guys still have your 486 machines
18:49 <jaeger> still got dosbox :)
19:10 *** smolboye has quit IRC
19:10 *** smolboye has joined #crux
19:32 *** zorgun has quit IRC
19:32 *** zorgun has joined #crux
20:03 <darfo> jaeger: i was taught to worry more about cpu load than the number of chains. iirc they are encoded very small in the kernel but the time it takes to traverse them can be onerous if not constructed to avoid repeating the same value test
20:04 <darfo> ie: separate TCP from UDP to separate chains and do not repeat the -p in the chains
20:05 <darfo> likewise for any test being repeated to classify traffic
20:06 <darfo> also put the most likely cases in the start of each chain
20:06 <darfo> tweak by using iptables -L -vn, check the numbers qualified and reorder the rules in the chain accordingly
20:32 *** onodera has quit IRC
20:45 *** jue has joined #crux
20:45 *** jue has quit IRC
20:45 *** jue has joined #crux
20:49 *** jue has quit IRC
20:50 <jaeger> darfo: it was just a curiosity, I've worked on a system with 113k rules in the past
20:50 <frinnst> how long did it take to load it?
20:51 <jaeger> Not long, I don't recall any particularly noticeable delays
20:51 <jaeger> That was years ago, though, I might be misremembering
20:51 <jaeger> It was a 24-core system with 96GB RAM
20:55 <darfo> yow. i hope those rules were generated. wouldn't want to maintain that manually.
20:55 <jaeger> yeah, they were automatic
20:55 <jaeger> stupid as hell but automatic
20:56 <jaeger> Let's say, for example, you need to block a /16 space
20:56 <jaeger> what do you do? iptables -A INPUT -s whatever/16 -j REJECT ?
20:56 <jaeger> or do you write a program (not a script, a full blown program) that generates 65536 individual rules with a single IP in each?
20:56 <jaeger> Guess which approach they used
20:56 <darfo> i'd guess individual rules
20:57 <jaeger> so you block a /16 and a few other stupid setups and you're at 113k rules :P
20:57 <Anselmo> humans are amazing
20:57 <jaeger> I tried really hard to teach them that iptables knew CIDR notation but at that point they couldn't grok redoing it
20:57 <darfo> they must not have any low-latency requirements
20:58 <jaeger> They didn't do anything particularly sensitive to the rule-parsing time required
20:58 <jaeger> fortunately for them
20:58 * ryuo facepalms.
20:58 <Anselmo> well, presumably if they cared. . . . they'd have made effort to keep things well. . . .
20:58 <jaeger> We ended up replacing that system with a pfsense box and showing them how to do it right
20:58 <Anselmo> but maybe I amnt cynical enough yet x-x
20:59 <jaeger> they were impressed by how awesome freebsd and pf were and "why can't linux do this /16 thing?" etc.
20:59 <darfo> score: jaeger 1, them 0
20:59 <ryuo> that's like using a C switch statement to check for all possible values of a range of X instead of just checking the range.
20:59 <jaeger> There's not enough facepalm but it worked out in the end
20:59 <ryuo> case 0: case 1: ...
21:00 <ryuo> instead of
21:00 <ryuo> (x >= 0 && x <= ...)
21:00 <jaeger> yeah, it's dumb but that's what they did
21:00 <darfo> and cidr tests are just boolean tests, get any size subnet with very little setup code
21:01 <ryuo> And far simpler to maintain.
21:01 <darfo> why use a ball-peen hammer when there's a sledge hammer available.
21:01 <ryuo> Great idea.
21:01 <darfo> only advantage to how they did it was you could get counts for each offending IP
21:01 * ryuo takes a sledge hammer to darfo's balls.
21:01 <jaeger> which they didn't need :D
21:01 * darfo faints
21:02 <ryuo> jaeger: even then, that sounds like it'd be more easily solved with a lookup table.
21:03 <ryuo> check it once, then map the host address to some table.
21:03 <jaeger> They were pretty low on technical people
21:03 <jaeger> which is why we ended up working on that system at all, we came in to consult
21:03 <ryuo> these places exist? how sad.
21:03 <darfo> at the edge i run all input and output through cidr range tests to block any private addresses. Didn't cost squat.
21:03 <ryuo> these aren't even complicated concepts.
21:04 <darfo> didn't get a good netizen award but felt good
21:04 <jaeger> they seem like magic to people who don't know any networking
21:05 <ryuo> most IT concepts i've run into don't rely on much more than some elementary discrete mathematics.
21:05 <ryuo> including networking basics...
21:05 <ryuo> subnets... basically tests for a range of bit values.
21:05 <darfo> ipv6 will break some bad habits. generate separate rules for those...
21:06 <ryuo> i'm hoping nftables takes over. i found it far easier to work with.
21:06 <darfo> does nftables use bpf?
21:06 <ryuo> it integrates iptables, ip6tables, ebtables, and some other utilities into one set of rules.
21:06 <ryuo> or rather, one system.
21:06 <ryuo> bpf? don't think so.
21:07 <ryuo> but it seemed similar.
21:07 <ryuo> and it supports programming to some degree.
21:08 <ryuo> for example, you can set up variables and the compiler will resolve them into the final version of the rule set.
21:09 <ryuo> so, it needs 3rd party automation less than iptables does.
21:09 <ryuo> and more of it is in userspace.
21:09 <ryuo> and, some magic numbers have symbolic constants predefined.
21:10 <ryuo> the main differences i saw for ipv4 vs ipv6 in nftables were
21:10 <ryuo> when you needed to define NAT rules, or ICMP stuff.
21:10 <ryuo> anything that wasn't ipv4 or ipv6 specific was shared.
21:11 <ryuo> honestly i think CRUX should gradually replace iptables with nftables.
21:12 <darfo> iirc iptables is scheduled to be deprecated
21:12 <ryuo> yes, and i don't know what programs like ufw intend to do when that happens.
21:13 <ryuo> in theory they should be portable to nftables
21:13 <ryuo> but it probably will require a rewrite.
21:14 <darfo> likely it will still be supported for a long time after deprecation but the call of new features in the supported path will win them over
21:14 <ryuo> darfo: for example, iirc, nftables can resolve symbolic names for ports defined under /etc/services
21:15 <ryuo> so you can define them by service name instead of their port #.
21:15 <ryuo> and nftables will do the actual replacement itself.
21:16 <darfo> well, I won't get to practice my beautiful prose in the comments ;)
21:16 <ryuo> isn't that for the best? i'd hope fewer magic numbers would help with maintaining such rule sets.
21:18 <darfo> yes, it will be, i was just being smart*ss. i've stared at rules and wondered why they didn't work then realized the comment said some port and the rule used the wrong number
21:20 <darfo> "Tip: The iptables-translate utility translates iptables rules to nftables format."
21:21 <darfo> thanks for the url
21:46 *** smolboye has quit IRC
22:00 <cruxbot> [contrib.git/3.4]: [notify] password-store: updated to 1.7.2. Fix for CVE-2018-12356
22:20 *** brian|lfs has quit IRC
22:32 *** brian|lfs has joined #crux
22:34 *** hil has joined #crux
22:35 *** hil has quit IRC
22:36 *** hil has joined #crux
22:37 <frinnst> better hurry up and sleep before the seagulls get started
23:29 *** hil has quit IRC
23:51 *** john_cephalopoda has quit IRC

Generated by 2.14.0 by Marius Gedminas - find it at!