From 8578a554c76dd8e293591910e2ed9f3ceb4f5eb5 Mon Sep 17 00:00:00 2001
From: Daniel Barlow <dan@telent.net>
Date: Tue, 13 Feb 2024 21:11:30 +0000
Subject: [PATCH] deep thoughts

---
 THOUGHTS.txt | 89 ++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 89 insertions(+)

diff --git a/THOUGHTS.txt b/THOUGHTS.txt
index ebb26338..cf42c171 100644
--- a/THOUGHTS.txt
+++ b/THOUGHTS.txt
@@ -3952,3 +3952,92 @@ I can actually use it as a CPE. This means
 
 - would be quite cool to run sniproxy instead of forwarding to
   loaclhost (extra credit)
+
+Sat Feb 10 18:23:54 GMT 2024
+
+ARGH KERNEL
+
+You can't define CONFIG_NETFILTER=y in a monolithic kernel and expect
+later to separately build some modules that use it, because there are
+a bunch of symbols that only get defined if certain other CONFIG
+options are set at the time that the monolithic kernel is built.
+
+https://github.com/torvalds/linux/blob/master/net/netfilter/core.c#L689
+
+Another example is
+https://github.com/torvalds/linux/blob/master/include/linux/netdevice.h#L160
+- if you decide after building the kernel that you're going to build
+some wireless modules, you can't do that without rebuilding the kernel
+so that it knows to expect them
+
+The moral of the story seems to be: if you have a compiled Linux kernel source tree and you change some symbol from "is not set" to m and then run  make modules, you cannot in general expect that newly compiled  module to work.
+
+AP advertised VHT without HT, disabling HT/VHT/HE
+
+TODO
+
+- support kernel version as parameter to builder pkgs/kernel/default.nix
+- extract the change in how module loading works from omnia device config,
+  and fix the other thing that uses it
+- wlan module to take 'backported' as a parameter
+  half of the omnia conditionalConfig can go into the module
+- upgrade omnia to kernel v6
+- figure out what mdns we need for local hostname resolution
+  (maybe bridging lan/wlan)?
+- [DONE] slow wifi because "AP advertised VHT without HT, disabling HT/VHT/HE"
+- [DONE] add local domain to secrets
+- run sniproxy instead of forwarding
+- forward some port to loaclhost 22 for inbound ipv4 ssh
+
+
+Mon Feb 12 21:50:35 GMT 2024
+
+# find  /run/service-state/dhcp6c.wan.link.pppoe/address/
+/run/service-state/dhcp6c.wan.link.pppoe/address/
+/run/service-state/dhcp6c.wan.link.pppoe/address/2001-8b0-1111-1111-0-ffff-51bb-4cf2_LFoo015bSsM
+/run/service-state/dhcp6c.wan.link.pppoe/address/2001-8b0-1111-1111-0-ffff-51bb-4cf2_LFoo015bSsM/valid
+/run/service-state/dhcp6c.wan.link.pppoe/address/2001-8b0-1111-1111-0-ffff-51bb-4cf2_LFoo015bSsM/preferred
+/run/service-state/dhcp6c.wan.link.pppoe/address/2001-8b0-1111-1111-0-ffff-51bb-4cf2_LFoo015bSsM/len
+/run/service-state/dhcp6c.wan.link.pppoe/address/2001-8b0-1111-1111-0-ffff-51bb-4cf2_LFoo015bSsM/address
+#
+
+valid 7199 preferred 3599
+
+Tue Feb 13 19:44:57 GMT 2024
+
+Before we put this back live, would be good to
+
+1) move the leases file into /persist
+
+I think we'll do /persist/service/<name>/ and change ssh to use the same
+scheme.
+
+we could put mkpersist() in serviceFns which would check for /persist
+and return a directory in /persist/service/ or /run/service-state
+
+(will something bad happen if we use /run/service-state? it will also
+expose the thingy as an output, but whether it's accessible that way
+will depend on whether there's a writable fs or not, which is unexpected)
+
+: rename service-state to  /run/services/outputs
+: on boot
+:  if /persist
+:    create /persist/services/state and symlink /run/services/state to it
+:  else create /run/services/state
+
+
+2) maybe change the local domain back to .lan?  setting up
+  systemd-networkd with search domains is an awful faff
+
+3) work out what to do with incoming ssh from wan
+
+- For noetbook and thinkpad we have a vpn anyway so can expect to
+  reach loaclhost directly using ipv6
+
+- stop ssh from ever trying to get to our ipv4 address.
+  - we could get rid of A record for loaclhost.telent.net but
+    there are a bunch of CNAMES pointing at it for web servers.
+  - we could reject incoming connections to tcp4 port 22 in firewall
+    and then there is a clear signal to Dont Do That Then
+
+- for emergency use, dnat ipv4 2200 and 2201 to rotuer and loaclhost
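Review bot: the mkpersist() design sketched under item 1 (the "/persist/service/<name>/" scheme and the boot-time symlink from /run/services/state) should decide who owns and can read each per-service directory before ssh is moved onto the same scheme, since DHCP lease state and ssh state would then sit side by side under one parent and the note already worries that the same tree is "exposed as an output"; creating each service's directory with a restrictive mode at boot, in the same step that creates /persist/services/state or /run/services/state, keeps that property independent of whether a writable fs happens to exist. The emergency DNAT of ipv4 2200/2201 in item 3 also deserves the same firewall treatment as the tcp4 port 22 reject, otherwise the "clear signal to Dont Do That Then" only covers the default port.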