forked from DGNum/liminix
deep thoughts
This commit is contained in: parent 3851698d35, commit 8578a554c7
1 changed file with 89 additions and 0 deletions: THOUGHTS.txt
@ -3952,3 +3952,92 @@ I can actually use it as a CPE. This means

- would be quite cool to run sniproxy instead of forwarding to
loaclhost (extra credit)

Sat Feb 10 18:23:54 GMT 2024

ARGH KERNEL

You can't define CONFIG_NETFILTER=y in a monolithic kernel and expect
later to separately build some modules that use it, because there are
a bunch of symbols that only get defined if certain other CONFIG
options are set at the time that the monolithic kernel is built.

https://github.com/torvalds/linux/blob/master/net/netfilter/core.c#L689

Another example is
https://github.com/torvalds/linux/blob/master/include/linux/netdevice.h#L160
- if you decide after building the kernel that you're going to build
some wireless modules, you can't do that without rebuilding the kernel
so that it knows to expect them

The moral of the story seems to be: if you have a compiled Linux kernel source tree and you change some symbol from "is not set" to m and then run make modules, you cannot in general expect that newly compiled module to work.

AP advertised VHT without HT, disabling HT/VHT/HE

TODO

- support kernel version as parameter to builder pkgs/kernel/default.nix
- extract the change in how module loading works from omnia device config,
and fix the other thing that uses it
- wlan module to take 'backported' as a parameter
half of the omnia conditionalConfig can go into the module
- upgrade omnia to kernel v6
- figure out what mdns we need for local hostname resolution
(maybe bridging lan/wlan)?
- [DONE] slow wifi because "AP advertised VHT without HT, disabling HT/VHT/HE"
- [DONE] add local domain to secrets
- run sniproxy instead of forwarding
- forward some port to loaclhost 22 for inbound ipv4 ssh


Mon Feb 12 21:50:35 GMT 2024

# find /run/service-state/dhcp6c.wan.link.pppoe/address/
/run/service-state/dhcp6c.wan.link.pppoe/address/
/run/service-state/dhcp6c.wan.link.pppoe/address/2001-8b0-1111-1111-0-ffff-51bb-4cf2_LFoo015bSsM
/run/service-state/dhcp6c.wan.link.pppoe/address/2001-8b0-1111-1111-0-ffff-51bb-4cf2_LFoo015bSsM/valid
/run/service-state/dhcp6c.wan.link.pppoe/address/2001-8b0-1111-1111-0-ffff-51bb-4cf2_LFoo015bSsM/preferred
/run/service-state/dhcp6c.wan.link.pppoe/address/2001-8b0-1111-1111-0-ffff-51bb-4cf2_LFoo015bSsM/len
/run/service-state/dhcp6c.wan.link.pppoe/address/2001-8b0-1111-1111-0-ffff-51bb-4cf2_LFoo015bSsM/address
#

valid 7199 preferred 3599

Tue Feb 13 19:44:57 GMT 2024

Before we put this back live, would be good to

1) move the leases file into /persist

I think we'll do /persist/service/<name>/ and change ssh to use the same
scheme.

we could put mkpersist() in serviceFns which would check for /persist
and return a directory in /persist/service/ or /run/service-state

(will something bad happen if we use /run/service-state? it will also
expose the thingy as an output, but whether it's accessible that way
will depend on whether there's a writable fs or not, which is unexpected)

: rename service-state to /run/services/outputs
: on boot
: if /persist
: create /persist/services/state and symlink /run/services/state to it
: else create /run/services/state


2) maybe change the local domain back to .lan? setting up
systemd-networkd with search domains is an awful faff

3) work out what to do with incoming ssh from wan

- For noetbook and thinkpad we have a vpn anyway so can expect to
reach loaclhost directly using ipv6

- stop ssh from ever trying to get to our ipv4 address.
- we could get rid of A record for loaclhost.telent.net but
there are a bunch of CNAMES pointing at it for web servers.
- we could reject incoming connections to tcp4 port 22 in firewall
and then there is a clear signal to Dont Do That Then

- for emergency use, dnat ipv4 2200 and 2201 to rotuer and loaclhost
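Review bot: the boot-time plan in the "1)" section (": if /persist / create /persist/services/state and symlink /run/services/state to it") should test that /persist is actually a mounted, writable filesystem rather than that the directory merely exists, otherwise the symlink is created against an unmounted mountpoint and the dhcp6c leases and ssh state silently land on the root filesystem, which is exactly the "depends on whether there's a writable fs or not, which is unexpected" surprise the preceding paragraph is trying to remove; having mkpersist() in serviceFns be the single place that makes this decision, and having both dhcp6c and ssh resolve their state directory through it, keeps the check in one code path. Separately, the "3)" section now holds two conflicting intentions: the TODO line "forward some port to loaclhost 22 for inbound ipv4 ssh" and the later "we could reject incoming connections to tcp4 port 22 in firewall"; if the "for emergency use, dnat ipv4 2200 and 2201 to rotuer and loaclhost" line is what survives, it is worth noting next to it that those two DNAT'd ports are still reachable from the whole ipv4 internet and need the same firewall accept rule and connection rate limit that port 22 would have had, and the superseded TODO line should be marked done or dropped so the file does not carry both plans.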