Gentoo Forums

17.0 Profile

lekto
Apprentice
Joined: 20 Sep 2014
Posts: 170
Location: Ancient Rome
Posted: Fri Oct 06, 2017 4:51 pm

I temporarily use my old TP-Link router, so now I have the PC and the Gentoo router connected to the TP-Link, and the old laptop connected to the Gentoo router.

https://pastebin.com/AJpWWP8G

ap0 - access point
br0 - bridge
enp2s4f0, enp2s4f1 - LAN
wan0 - I get the Internet from there

NeddySeagoon
Administrator
Joined: 05 Jul 2003
Posts: 54098
Location: 56N 3W
Posted: Fri Oct 06, 2017 5:02 pm

lekto,

Put your network back into its non-working configuration and capture the route and ifconfig output in its faulty state.
Post that.

Which interface(s) are donated to the bridge?
_________________
Regards,

NeddySeagoon

Computer users fall into two groups:-
those that do backups
those that have never had a hard drive fail.

lekto
Apprentice
Joined: 20 Sep 2014
Posts: 170
Location: Ancient Rome
Posted: Fri Oct 06, 2017 5:15 pm

https://pastebin.com/U78UXP3S

NeddySeagoon wrote:
Which interface(s) are donated to the bridge?

ap0, enp2s4f0 and enp2s4f1

NeddySeagoon
Administrator
Joined: 05 Jul 2003
Posts: 54098
Location: 56N 3W
Posted: Fri Oct 06, 2017 5:28 pm

lekto,

All the hard bits are in place. I guess you have a firewall on your router?
Has it started, or are there errors in dmesg?

Tell us about your firewall and its rules.

lekto
Apprentice
Joined: 20 Sep 2014
Posts: 170
Location: Ancient Rome
Posted: Fri Oct 06, 2017 5:42 pm

I use iptables to make NAT work; I set it up about 6 months ago using a tutorial found somewhere on the Internet.

dmesg | grep iptables
Code:
[  799.962705] nf_conntrack: default automatic helper assignment has been turned off for security reasons and CT-based  firewall rule not found. Use the iptables CT target to attach helpers instead.


grep "Oct 6" /var/log/messages | grep iptables
Code:
Oct  6 17:44:28 dedyk kernel: nf_conntrack: default automatic helper assignment has been turned off for security reasons and CT-based  firewall rule not found. Use the iptables CT target to attach helpers instead.


iptables-save
Code:
# Generated by iptables-save v1.6.1 on Fri Oct  6 19:36:11 2017
*nat
:PREROUTING ACCEPT [682017:44447423]
:INPUT ACCEPT [371191:25193329]
:OUTPUT ACCEPT [50831205:5053465896]
:POSTROUTING ACCEPT [105510:7498546]
-A POSTROUTING -o wan0 -j MASQUERADE
COMMIT
# Completed on Fri Oct  6 19:36:11 2017
# Generated by iptables-save v1.6.1 on Fri Oct  6 19:36:11 2017
*mangle
:PREROUTING ACCEPT [628234106:567781251156]
:INPUT ACCEPT [447052303:385339186390]
:FORWARD ACCEPT [181175557:182441530072]
:OUTPUT ACCEPT [458436233:854435237106]
:POSTROUTING ACCEPT [639639199:1036882777840]
COMMIT
# Completed on Fri Oct  6 19:36:11 2017
# Generated by iptables-save v1.6.1 on Fri Oct  6 19:36:11 2017
*filter
:INPUT ACCEPT [446749966:385302804821]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [458063575:854258015030]
-A FORWARD -d 192.168.0.0/24 -i br0 -j DROP
-A FORWARD -s 192.168.0.0/24 -i br0 -j ACCEPT
-A FORWARD -d 192.168.0.0/24 -i wan0 -j ACCEPT
COMMIT
# Completed on Fri Oct  6 19:36:11 2017


rc-service iptables status
Code:
 * status: started

NeddySeagoon
Administrator
Joined: 05 Jul 2003
Posts: 54098
Location: 56N 3W
Posted: Fri Oct 06, 2017 7:33 pm

lekto,

That looks promising too, but I can't read that format.

What does
Code:
iptables -L -t nat
show?
and
Code:
iptables -L


What is the value from
Code:
less /proc/sys/net/ipv4/ip_forward

It should be 1, which turns on packet forwarding for IPv4.

lekto
Apprentice
Joined: 20 Sep 2014
Posts: 170
Location: Ancient Rome
Posted: Fri Oct 06, 2017 8:24 pm

Finally the router works again, thanks! I had 0 in ip_forward, so I set it to 1 and the Internet started working again. After a little searching I found that /etc/sysctl.conf had been reset to its original state. I wonder why, and what else was changed in /etc.

NeddySeagoon
Administrator
Joined: 05 Jul 2003
Posts: 54098
Location: 56N 3W
Posted: Fri Oct 06, 2017 9:33 pm

lekto,

/etc should be in CONFIG_PROTECT=; check your
Code:
emerge --info

If it is, it will have been changed by dispatch-conf or etc-update ... under your control.

Code:
$ equery b /etc/sysctl.conf
 * Searching for /etc/sysctl.conf ...
sys-apps/baselayout-2.4.1-r2 (/etc/sysctl.conf)
You got a baselayout update and accepted the changes to /etc/sysctl.conf when you ran etc-update or whatever.

The changed /etc/sysctl.conf was not reread at the time, so everything 'just worked' until you rebooted.
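The fault above came down to a net.ipv4.ip_forward that silently reverted to 0 when /etc/sysctl.conf was replaced, with the NAT and FORWARD rules themselves intact. The following POSIX shell script is an added example, not code from the thread: it checks the runtime sysctl, the persisted setting and an iptables-save dump for what a NAT router needs, and also flags a FORWARD chain with no ESTABLISHED,RELATED rule, since the ruleset posted above accepts anything arriving on wan0 that is addressed to the LAN. Every check takes a file path (the live /proc and /etc files, or captured copies), and the sample rules in the comments are the ones from this thread.

```shell
#!/bin/sh
# Added example, not from the thread: sanity-check a Linux NAT router's
# forwarding state. Every check takes a file path, so it runs against the
# live /proc and /etc files or against captured copies of them.

# 0 if the runtime ip_forward file holds 1 (the value asked for above).
ip_forward_enabled() { [ "$(tr -d '[:space:]' < "$1")" = "1" ]; }

# 0 if sysctl.conf persists net.ipv4.ip_forward = 1. A config update that
# resets this file, as happened in the thread, only bites after a reboot.
ip_forward_persisted() {
    grep -Eq '^[[:space:]]*net\.ipv4\.ip_forward[[:space:]]*=[[:space:]]*1[[:space:]]*$' "$1"
}

# Print the outgoing interface of each nat-table MASQUERADE rule in an
# iptables-save dump (the "*table" lines switch tables).
masquerade_ifaces() {
    awk '/^\*/ { table = $1 }
         table == "*nat" && /-j MASQUERADE/ {
             for (i = 1; i <= NF; i++) if ($i == "-o") print $(i + 1) }' "$1"
}

# Print the filter table's FORWARD chain policy (ACCEPT or DROP).
forward_policy() {
    awk '/^\*/ { table = $1 }
         table == "*filter" && $1 == ":FORWARD" { print $2 }' "$1"
}

# 0 if FORWARD has a conntrack rule admitting ESTABLISHED traffic. Without
# one, a rule like "-d 192.168.0.0/24 -i wan0 -j ACCEPT" admits unsolicited
# packets from the WAN side, not just replies to LAN-initiated flows.
forward_is_stateful() {
    awk '/^\*/ { table = $1 }
         table == "*filter" && $2 == "FORWARD" && /--(ct)?state/ && /ESTABLISHED/ { ok = 1 }
         END { exit (ok ? 0 : 1) }' "$1"
}

# Run every check, print each failure, return non-zero if any failed.
router_check() {  # router_check IP_FORWARD_FILE SYSCTL_CONF IPTABLES_SAVE_DUMP
    rc=0
    ip_forward_enabled "$1"   || { echo "ip_forward is 0: nothing is routed"; rc=1; }
    ip_forward_persisted "$2" || { echo "ip_forward=1 not persisted in $2"; rc=1; }
    [ -n "$(masquerade_ifaces "$3")" ] || { echo "no MASQUERADE rule in nat table"; rc=1; }
    [ "$(forward_policy "$3")" = "DROP" ] || { echo "FORWARD policy is not DROP"; rc=1; }
    forward_is_stateful "$3"  || { echo "FORWARD has no ESTABLISHED,RELATED rule"; rc=1; }
    return $rc
}
# Live use on the router (does nothing when sourced without arguments).
if [ "$#" -eq 3 ]; then router_check "$1" "$2" "$3"; fi
```

On the router itself the three arguments would be /proc/sys/net/ipv4/ip_forward, /etc/sysctl.conf and a file written by iptables-save.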

bstaletic
Apprentice
Joined: 05 Apr 2014
Posts: 233
Posted: Sat Oct 07, 2017 4:56 pm

I'm on the latest portage tree snapshot and the latest unstable portage, but I don't see profile 17.
Could it be because I'm using git instead of rsync for portage tree syncing?

NeddySeagoon
Administrator
Joined: 05 Jul 2003
Posts: 54098
Location: 56N 3W
Posted: Sat Oct 07, 2017 5:02 pm

bstaletic,

It does not appear in profiles.desc yet so you need to know where to look.
It won't be in eselect.

Code:
ls /etc/portage/* -l
-rw-r--r--  1 root root 1145 Sep 29 15:48 /etc/portage/categories
-rw-r--r--  1 root root 5160 Aug 19 15:33 /etc/portage/make.conf
-rw-r--r--  1 root root 5940 Dec 16  2014 /etc/portage/make.conf~
lrwxrwxrwx  1 root root   63 Jun 11 19:18 /etc/portage/make.profile -> ../../usr/portage/profiles/default/linux/amd64/17.0/no-multilib


Like the good old days, set the symlink manually.

bstaletic
Apprentice
Joined: 05 Apr 2014
Posts: 233
Posted: Sat Oct 07, 2017 5:08 pm

Thanks, I forgot that profile is just a symlink, as I've always relied on eselect.

bunder
Bodhisattva
Joined: 10 Apr 2004
Posts: 5934
Posted: Sat Oct 07, 2017 11:10 pm

17? what happened to 14,15,16? :lol:

NeddySeagoon
Administrator
Joined: 05 Jul 2003
Posts: 54098
Location: 56N 3W
Posted: Sat Oct 07, 2017 11:21 pm

bunder,

The profile is the two digit year, followed by an incrementing number for the profile number that year.

There were no new profiles in 20[14,15,16]. 17.0 may not be out until 2018 :)

pjp
Administrator
Joined: 16 Apr 2002
Posts: 20054
Posted: Sun Oct 08, 2017 3:04 am

NeddySeagoon wrote:
17.0 may not be out until 2018 :)
What are the major trouble spots remaining?

I've been thinking about upgrading from GCC 5 to 7 and possibly the 17.0 profile.
_________________
Quis separabit? Quo animo?

NeddySeagoon
Administrator
Joined: 05 Jul 2003
Posts: 54098
Location: 56N 3W
Posted: Sun Oct 08, 2017 9:22 am

pjp,

gcc-6.x needs to be stable. That's the long pole.
It also introduces PIE by default. I don't think that's a big issue, as hardened has had that for a long time.
There are some other odds and ends, like unmasking things (versions) that need a later C++ standard, which is the default in gcc-6.
_________________
Regards,

NeddySeagoon

Computer users fall into two groups:-
those that do backups
those that have never had a hard drive fail.

bstaletic
Apprentice
Joined: 05 Apr 2014
Posts: 233
Posted: Sun Oct 08, 2017 1:13 pm

Some questions before getting my hands dirty.

How do I know what packages need rebuilding?
Since cross-arm-linux-eabi/gcc doesn't support -fPIE, will recompiling that toolchain fail?

bstaletic
Apprentice
Joined: 05 Apr 2014
Posts: 233
Posted: Mon Oct 09, 2017 4:36 pm

I've relinked make.profile, but have not yet rebuilt anything.

emerge -avUD @world does not detect any USE flag changes. Do I need to add "pie" to gcc USE flags myself?

NeddySeagoon
Administrator
Joined: 05 Jul 2003
Posts: 54098
Location: 56N 3W
Posted: Mon Oct 09, 2017 4:53 pm

bstaletic,

Code:
$ ls /usr/portage/profiles/default/linux/arm/
13.0/             eapi              package.use.mask  parent


I don't have a 17.0 profile for arm yet. Am I reading too much into your cross-arm-linux-eabi/gcc ?

bstaletic
Apprentice
Joined: 05 Apr 2014
Posts: 233
Posted: Mon Oct 09, 2017 5:10 pm

My host arch is amd64.
Code:
bstaletic@gentoo portage % ls /usr/portage/profiles/default/linux/
13.0  17.0  dev  eapi  package.use.mask  parent


Let me try to explain my question.

cross-arm-linux-eabihf/gcc doesn't support -fPIE and emits warnings if -fPIE is supplied.
sys-devel/gcc does support PIE, as it is an amd64 architecture.

So is switching to profile 17.0 advised in my case?

pjp
Administrator
Joined: 16 Apr 2002
Posts: 20054
Posted: Mon Oct 09, 2017 5:26 pm

NeddySeagoon wrote:
pjp,

gcc-6.x needs to be stable. That's the long pole.
It also introduces PIE by default. I don't think that's a big issue as hardened has had that for a long time.
There are some other odds and ends, like unmasking things (versions) that need a later C++ standard, which is the default in gcc-6.
Thanks. They've made quite a bit of progress. I happened to check back in early September when I counted 83 open issues. Looks like it is down to 29 (and v7 from 16 to 15).

NeddySeagoon
Administrator
Joined: 05 Jul 2003
Posts: 54098
Location: 56N 3W
Posted: Mon Oct 09, 2017 7:33 pm

bstaletic,

I don't see any problems but I use the aarch64-unknown-linux-gnu cross compiler and switched my amd64 host under it.

Also people run cross compilers of all sorts on hardened hosts. In effect, you are moving your build host towards hardened.
When PIE was added to hardened, there was some fallout because some things didn't work.
Fixes have already been pushed upstream.

Gentoo is one of the last distros to make PIE the default.

qjim
n00b
Joined: 10 May 2008
Posts: 23
Posted: Thu Nov 16, 2017 8:24 pm

Does it mean that the USE="hardened" flag is now effectively meaningless on Gentoo with gcc-7, because all these techniques, like
CFLAGS+="-Wformat -Wformat-security -Werror=format-security -D_FORTIFY_SOURCE=2 -fstack-protector-strong -fPIE -pie" and LDFLAGS+="-z relro -z now", are now default on the new v17 profile?

Tom_
Guru
Joined: 20 May 2004
Posts: 444
Location: France
Posted: Fri Nov 17, 2017 9:36 am

For me there is still a difference between a standalone profile and a hardened profile. The hardened USE flag is also different from the hardened profile.

The new 17 profile enables PIE and SSP. The latest versions of glibc also bring fstack-protector-all and stack guard randomization; please see: https://forums.gentoo.org/viewtopic-t-1069826-highlight-.html

"-z, relro" has been enabled for a long time in Gentoo, whereas "-z, now" is still not enabled by default; see my recent discussion: https://forums.gentoo.org/viewtopic-t-1071770-highlight-.html

The hardened USE flag enables some additional hardening features. For example, it enables "-z, now" for firefox.
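After switching profiles and rebuilding, the practical question is whether a given binary actually picked up the features Tom_ lists (PIE and SSP from the 17.0 defaults, RELRO, BIND_NOW, FORTIFY). The POSIX shell script below is an added example, not code from the thread or from Gentoo: it parses readelf output for the marker of each feature, reading the dump from a file so captured output can be checked offline, and assumes binutils' readelf is installed when run against a live binary.

```shell
#!/bin/sh
# Added example, not from the thread: report which hardening features a
# binary actually has (PIE, SSP, FORTIFY_SOURCE, RELRO/BIND_NOW). Checks read
# a readelf dump from a file, so captured output can be examined offline.

# Produce the dump: ELF header, program headers, dynamic section, symbols.
elf_dump() { readelf -h -l -d -s "$1"; }

# PIE executables have ELF type DYN on the "Type:" line of readelf -h
# (a shared library matches too; this check is meant for executables).
has_pie() { grep -Eq '^[[:space:]]*Type:[[:space:]]+DYN' "$1"; }

# SSP (-fstack-protector*): canary checks reference __stack_chk_fail.
has_ssp() { grep -q '__stack_chk_fail' "$1"; }

# FORTIFY_SOURCE: fortified libc wrappers such as __printf_chk/__memcpy_chk.
has_fortify() { grep -Eq '__[a-z0-9_]+_chk(@|[[:space:]]|$)' "$1"; }

# RELRO: "partial" needs a GNU_RELRO segment (-z relro, Gentoo's default);
# "full" additionally needs BIND_NOW (-z now) so the whole GOT is resolved
# and made read-only at load time; "none" otherwise.
relro_level() {
    if ! grep -q 'GNU_RELRO' "$1"; then echo none
    elif grep -Eq '\(FLAGS\).*BIND_NOW|\(FLAGS_1\).*NOW' "$1"; then echo full
    else echo partial
    fi
}

# One-line summary, e.g. "pie=yes ssp=yes fortify=no relro=partial".
hardening_report() {
    p=no; s=no; f=no
    has_pie "$1" && p=yes
    has_ssp "$1" && s=yes
    has_fortify "$1" && f=yes
    echo "pie=$p ssp=$s fortify=$f relro=$(relro_level "$1")"
}

# Live use on a binary: dump it with readelf, then summarise.
if [ "$#" -eq 1 ]; then
    tmp=$(mktemp) && elf_dump "$1" > "$tmp" && hardening_report "$tmp"
    rm -f "$tmp"
fi
```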

bandreabis
Advocate
Joined: 18 Feb 2005
Posts: 2489
Location: Lodi, Italy
Posted: Mon Nov 20, 2017 12:47 pm

gcc-6 is stable now.
_________________
The number of posts doesn't make me an expert! Quite the opposite!

pcmaster
Advocate
Joined: 04 Dec 2003
Posts: 2219
Location: Barcelona
Posted: Sat Dec 02, 2017 7:42 am

I'm trying to do the upgrade, and when I do the emerge -e @world, klibc produces an error:

kernel/bounds.c:1:0: error: el modelo de código kernel no admite el modo PIC
_________________
pcmaster

Page 2 of 3