orignal
R4SAS, we'll need to rebuild
orignal
I broke something there
orignal
rolled it back
zzz
good day
orignal
hi
orignal
are you really zzz?
zzz
yes
orignal
we also speak english here
orignal
not a problem
zzz
had to fix i2ptunnel for it to work, ilita uses "IRCv3 message tags" which we didn't handle
orignal
I think we don't strip it out or what?
acetone
zzz: welcome to russian land
orignal
and i2pd land ))
zzz
it's a negotiated parameter between the irc client and server. Hexchat supports it, so ilita sent it
zzz
but our irc filter didn't know how to parse it
orignal
should I change it in the IRC tunnel code or in the unrealirc settings?
orignal
*** afk ***
zzz
no, it's fine
zzz
nobody ever complained before
orignal
exactly
orignal
we have a bunch of Java users here
caustic
Hi everyone. A question about using I2PD: how critical is it to NOT install the latest version, 2.40.0?
_mblw_
very much so
_mblw_
caustic, is it really that hard to update or install on top?
caustic
_mblw_, compile*
R4SAS
orignal: umm
R4SAS
okay
R4SAS
caustic: and what exactly is the problem?
R4SAS
some specific system?
caustic
it turned out to be the following: the libboost libraries got updated. The number changed from libboost_*.so.1.77.0 to 1.78.0. I made symlinks back to 1.77.0 and the router started working again, but it won't compile anymore; it seems to really want the old libboost
R4SAS
what system is it?
caustic
Linux Opensuse Tumbleweed
R4SAS
but there are builds for SUSE, aren't there?
caustic
yes, even in the official repos, but the version there is 2.38. That's what my question was about: how critical is it to not install the latest version
caustic
in the Java i2p the router auto-updates itself - apparently that's how it should be, but with i2pd who knows
R4SAS
considering that every release has fixes for all sorts of things - it's critical
R4SAS
since 2.38 there have been a lot of memory fixes
R4SAS
I just need to sit down and make the fixes for the build
R4SAS
so that it builds on Fedora COPR
R4SAS
damn, have to rebuild again
R4SAS
one sec
R4SAS
could this be someone's doing, that the floodfill is publishing incorrectly again?
orignal
the problem seems to be that a buffer length is getting corrupted somewhere
orignal
publishing what? reg?
orignal
we'll have to make a profiler after all
R4SAS
yes
R4SAS
it took a long time to get through again just now
R4SAS
I'm waiting for the tunnels to die and then restarting reg
orignal
just rebuild it
orignal
most likely because memory got corrupted
R4SAS
already rebuilt
orignal
I'm thinking of taking these buffers from a pool
orignal
on a floodfill that will sharply improve performance
R4SAS
zzz: btw, I see at my reg.i2p checker that postman's services respond to leaseset lookup
zzz
yeah it looked like the router was up but the irc server was down
R4SAS
everything is down
zlatinb
tracker2 503
exokientic
womp womp ):
zlatinb
muwire still works :P
R4SAS
I think he is running i2p and services in containers, so only network bridge interface is broken
acetone
it gives me hope
zzz
irc.echelon.i2p now up
R4SAS
restarted reg
HidUser0
[21:33:04] <~orignal> the problem seems to be that a buffer length is getting corrupted somewhere
HidUser0
is the buffer dynamic or static?
HidUser0
sorry, I'm just very curious
HidUser0
in short, is it stored on the stack or on the heap?
HidUser0
the stack is at least somewhat protected by a canary, but if it's the heap, that's a fiasco
orignal
HidUser0 on the heap
orignal
dynamic, for storing the RouterInfo buffer
HidUser0
ohhh
orignal
I just screwed up
orignal
already rolled back that commit
HidUser0
ah, ok
orignal
it's just that the buffer for signature verification runs out of bounds
exokientic
well, I think I may have solved my "Error - Symmetric NAT" issue
orignal
what was it?
exokientic
it had to do with the "source NAT" chain in my mikrotik router
exokientic
destination NAT was working just fine allowing things "in" to the router on the port selected for i2pd UDP/TCP
exokientic
but, I had an 'src-nat' rule that was set to "masquerade"
exokientic
I don't "fully" understand exactly what 'masquerade' is doing
exokientic
but, as I can gather, it is meant to help when you are behind an internet service provider that does NOT assign you a static WAN ip
exokientic
essentially, ALL residential ISP plans
exokientic
so, my ISP provided WAN ip -can- get updated from the ISP DHCP pool from time to time
exokientic
when that happens, and service that is using the now expired WAN IP will report that it is disconnected
exokientic
any service*
exokientic
so, the "masquerade" src is meant (as I understand it) to "sense" that the external WAN IP has been changed (ISP lease expired, new IP assigned) and will then use the NEW WAN IP for all currently open NATs
Словесник-Былинник
exokientic : I also had the same issue, but if you configure the i2pd port to a set number and then configure your router to do port forwarding TCP/UDP on that port... it may solve your problem as it did for me.
exokientic
Словесник-Былинник> exactly so!
exokientic
but the interesting thing:
Словесник-Былинник
well :)))
exokientic
I set a unique port number in my i2pd config
exokientic
and I "forwarded" that using dst-nat
Словесник-Былинник
yes that is what i did
exokientic
and it works awesome
exokientic
for packets coming in
exokientic
but
exokientic
sometimes
exokientic
when packets attempt to "leave" my router from i2pd, my masquerade rules changes the port to some randomly selected port
exokientic
instead of using the same port that it came in on
Словесник-Былинник
understood
Словесник-Былинник
is masq. so important that you need it ?
exokientic
that is a GREAT question
exokientic
I am not sure yet :D
exokientic
But
exokientic
as a test
exokientic
I put a new rule BEFORE the masquerade
exokientic
that is just a basic standard src-nat
Словесник-Былинник
i have no experience with masq. so I'm not sure
exokientic
I set the external WAN IP to be static
exokientic
and I manually set it to "point" to my current ISP provided WAN IP
exokientic
as soon as I put those rules in my NAT list, and moved them ABOVE my masquerade rule:
exokientic
traffic instantly started flowing over those rules
exokientic
I went to the i2pd web console page
exokientic
ran a peer test
exokientic
and the Error - Symmetric NAT went away, Network Status: OK
Словесник-Былинник
ok this is logical ... rules are applied in sequence
exokientic
exactly so
exokientic
and, by default in my router, there is only -one- src-nat rule -the masquerade
exokientic
so, the way the firewall rules work, as I understand it;
exokientic
this src-nat is going to work perfect, so long as my public wan IP doesn't change
exokientic
as soon as my ISP lease expires and I get a new one, the rule will stop working
Xeha
using masq for src is only useful if you want to change the IP of the outside world.
exokientic
BUT, that is why I left the masquerade rules at the bottom of the list
exokientic
if for some reason my new rules "break themselves" traffic will flow down the list to the masquerade rule
Xeha
typical you only need or want masquerading in DNAT
Словесник-Былинник
basicvallu having static IP will resolve your issue for good, right ?
exokientic
Xeha> very interesting! thank you for the input, I have a VERY rudimentary understanding of it at this point
Словесник-Былинник
basically
exokientic
does it seem odd that MikroTik ship their RouterOS operating system with a default configuration with a masqueraded src-nat?
Xeha
masquerading in SNAT replaces the IP of the server you get the packet from, to a local mapped one. Your client will no longer see the servers IP but a local one
exokientic
Словесник-Былинник> basicvallu having static IP will resolve your issue for good, right ? -> essentially, exactly so, a static WAN IP would absolutely fix this for good
exokientic
"masquerading in SNAT replaces the IP of the server you get the paket from, to a local mappen one. Your client will no longer see the servers IP but a local one" -THANK YOU!
Xeha
masquerading in DNAT is necessary for most people. If you talk to a server 1.2.3.4 on port 80, the server sees your official IP and not your local LAN one.
Xeha
Masquerading replaces the official IP with your local one, so traffic flows to your PC and doesn't "stop" at your router.
exokientic
interesting indeed
exokientic
because I don't have any DNAT masquerade rules at all in my router's NAT config page
Словесник-Былинник
static ip's are not that expensive i guess .. a few bucks
Xeha
well you can do SNAT with masq too, but that's silly
exokientic
but, obviously, all my 'local' devices inside my LAN are getting packets through my router :D
Xeha
yes they get the packets through, but to them all servers are on the same local net
Xeha
since the outside IPs get masqueraded to a local one
exokientic
"Xeha> well you can do SNAT with masq too, but thats silly" -MikroTik does a LOT of 'silly' things when it comes to network configuration implementation!
Xeha
mikrotik has excellent HW, but i'd only use them as switches, ie l2 mode
exokientic
this is kind of what I am discovering, that is why I selected the mikrotik, best bang for the buck on the hardware end
exokientic
I am about "this" close to flashing this thing with OpenWRT
exokientic
my model is fully supported in openwrt
Xeha
the most rudimentary router that does NAT for a typical net is just 2 iptables rules:
Xeha
iptables -A FORWARD -i ${WAN} -o ${LAN} -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
Xeha
iptables -t nat -A POSTROUTING -o ${WAN} -j MASQUERADE
Xeha
#1 says allow all traffic from WAN if "we" initiated the connection.
Xeha
#2 says replace the local IP with the router's official one
Xeha
official being the WAN interface
exokientic
well now, I recognize those two rules
exokientic
those are the two defualt rules in OpenWRT
Xeha
when you open a port for i2pd, you specify a DNAT (destination NAT, you want to NAT something to destination X)
exokientic
*following along*
Xeha
now if you use a SNAT with masq, i2pd will see all servers having the same IP (your routers one)
exokientic
bingo!
Xeha
the DNAT changes the destination (destination was originally your official IP)
exokientic
it seems like i2pd wouldn't like that very much...?
Xeha
SNAT changes the source (the server/outside that sent you the packet)
Xeha
i saw an example with symmetric NAT and i2pd still worked, since it relies on the netDb
exokientic
well, technically it was still "working"
exokientic
when my console reported error - symmetric nat, I was still connected to the i2p network
exokientic
services still worked
Xeha
symmetric NAT means you have a DNAT+SNAT with (optional) masquerading
exokientic
my router "build" just got shot in the dick
Xeha
:D
exokientic
# of tunnels crashes to a very low number
Xeha
networking isn't that complex ;) understanding the basics gives you a lot of insight and power
exokientic
"symmetric NAT means you have a DNAT+SNAT with (optional) masquerading" -dude, thank you so much for explaining this to me
exokientic
okay
exokientic
so if I am understanding this correctly;
exokientic
I started my configuration (pre-i2pd) with a default SNAT with masquerading
exokientic
following online guides, I added the DNAT for TCP/UDP on my super secret listen port
exokientic
well look at that
exokientic
now I have DNAT + SNAT -with- optional masquerading :D
Xeha
you likely had masquerading on both interfaces
exokientic
that makes the most sense to me
Xeha
it might have been a typo too when you started, since S is just left of D
exokientic
I have a feeling the MikroTik is (obviously) running masquerade on the DNAT
Xeha
but masquerading doesn't need typing dnat/snat
Xeha
you run masquerading on an interface
Xeha
iptables -t nat -A POSTROUTING -o ${WAN} -j MASQUERADE # this means everything after you're done with routing that is going via the outside interface should be masqueraded
Xeha
you very likely had two of those, one for the LAN and another for the WAN
exokientic
okay, interesting
exokientic
this may be some trickery with how mikrotik labels and names things
exokientic
if I go into this default 'masquerade' rule on my tik:
exokientic
it is applied to the chain: srcnat
exokientic
it is applied to the "out" interface 'WAN'
exokientic
ipsec policy-out = none
Xeha
then "srcnat" is either wrong or misleadingly labeled? I don't know how their labels and things work
exokientic
action = masquerade
exokientic
it is HIGHLY likely it is a misleading label
exokientic
I have found a LOT of this in mikrotik
Xeha
i was fed up early with ugly home routers so i've never used one again
exokientic
they like to call the switch a "bridge" even though that switch WON'T be doing "bridging" -as an unrelated example
Xeha
most of these routers and their NAT/FW rules just confuse people and make things more complicated or broken :(
exokientic
so fucking true
exokientic
coming from ASUS land myself
Xeha
a bridge is usually if you add 2 PHYs as one interface
exokientic
they try to make things "easy" on the user, but all it really does is hide what is actually happening
Xeha
of course that would act as a switch too ;)
Xeha
indeed
Xeha
but sadly, this is what the moronic user demands :(
exokientic
exactly! hence the confusion on the nomenclature
exokientic
"The customer is -ALWAYS- right."
exokientic
right?
Xeha
good thing this doesn't work in tech. I'm so happy a computer doesn't care about my feelings and only hard facts
Xeha
and the "tech" stuff you can buy that tries to do it, ugh.. no thanks for me
exokientic
hahahahaha
exokientic
sudo : PERMISSION DENIED -user is in a bad mood right now :: please try again later
Xeha
sudo insults people, but most distros turn it off by default
Xeha
eg:
Xeha
Password:
Xeha
What, what, what, what, what, what, what, what, what, what?
Xeha
Password:
Xeha
Your mind just hasn't been the same since the electro-shock, has it?
exokientic
bahahahaha
exokientic
tell your therapist about how the linux shell has been gaslighting you
Xeha
enter visudo and add "insults" to the Defaults
Xeha
if the distro didn't disable it at build time, you'll have it :)
exokientic
that's too good not to enable
exokientic
so, to recap, if I am understanding this all correctly, I should be able to nuke the SNAT rules in my NAT table
exokientic
if, after I "disable" the SNAT - Masquerade rule: all service/ internet access from the LAN still works as intended...
Xeha
you will need masquerading for stuff going out on the wan interface
Xeha
but SNAT masquerading replaces the server's IP, not your non-routeable LAN IP
Xeha
but it depends on which interface its applied to
exokientic
then I can assume that rule was not required for the DNAT masquerade that directs packets through my router to my internal devices
exokientic
hmmm
Xeha
DNAT is needed to change the destination (destination from official IP (your router) to your LAN IP's computer)
exokientic
perhaps I change the masquerade rule
exokientic
leave it applying to the "out" 'WAN' interface
exokientic
but change it from the SNAT to the DNAT chain?
Xeha
yes, masquerade should be for the wan interface
Xeha
can't help you much with that, since I don't know how these things map to actual iptables rules
exokientic
understood
exokientic
you have been a MASSIVE help for me already!
Xeha
nice :)
exokientic
going to need to spend some time digesting the basics that have been laid out
exokientic
and then I can figure out how to apply them to mikrotik's implementation of iptables
exokientic
I "believe" this mikrotik gui is merely being used to create an iptable markup
Xeha
of course, do you think the kernel knows mikrotik labels. hahaha
exokientic
so perhaps it will make more sense if I work from the command line
exokientic
lol, thank you for helping me "walk" (crawl?) through this ;)
Xeha
most home router things flush all rules and create their own set. ie, if you use a manual iptables command it likely won't be persistent and will be flushed soon after.
Xeha
if you can run some commands directly, take a look at: iptables -L -n -v && iptables -L -n -v -t nat
exokientic
hey, look at that, some iptables rules :D
exokientic
starting from the top...
exokientic
Chain INPUT (policy ACCEPT 29597 packets, 9291K bytes)
Xeha
don't paste 100 lines here pls :D
exokientic
directly under that line
exokientic
hahahaha
exokientic
no, just looking at the first one
exokientic
the line directly under that rule has a bunch of headers
exokientic
"pkts bytes target prot opt in out source destination"
exokientic
but there are no values under those headers
Xeha
that means the input chain has no rules, which makes sense since the policy is ACCEPT
Xeha
take a look at the nat table, -t nat
exokientic
4 rules
exokientic
1. prerouting
exokientic
2 input
exokientic
3 output
exokientic
4 postrouting
exokientic
all set to policy = accept
exokientic
all counters at 0
Xeha
find the MASQUERADE
exokientic
(packets/ bytes)
Xeha
its in POSTROUTING
exokientic
hmm, doesn't appear to be displayed by the command, this is what I see in the 'postrouting' string
exokientic
string 1: Chain POSTROUTING (policy ACCEPT 0 packets, 0 bytes)
exokientic
string 2: pkts bytes target prot opt in out source destination
Xeha
no rules?! that doesn't sound right.
exokientic
ohh god damnit
exokientic
this is funny
exokientic
I am in the wrong console
Xeha
did you run it on your local one?
exokientic
bahahahahaha
Xeha
thought so!
exokientic
that would be the iptables for my ASUS that is running OpenWRT
exokientic
which has its firewall disabled
exokientic
ROFL
exokientic
okay then
exokientic
one more time...
Xeha
just search all masquerade lines
Xeha
iptables -L -n -v -t nat | grep -i masq
Xeha
FYI; if there are DNAT rules for I2Pd, don't post them (due to the port)! Same goes if there are public IPs in there.
exokientic
okay
exokientic
so yeah, mikrotik's self baked linux kernel doesn't use "iptables"
exokientic
womp womp
Xeha
they just might not have installed the binary
Xeha
does nftables exist?
Xeha
or ebtables
exokientic
negative
Xeha
rubbish
exokientic
getting even closer to flashing this thing with OpenWRT
Xeha
if its supported, do it
exokientic
I don't have any desire to learn mikrotik's flavor of linux firewall implementation
exokientic
it's fully supported in OpenWRT
Xeha
then gogo :)
exokientic
hw offloading works
exokientic
yeah
exokientic
OpenWRT is happening
exokientic
it will be SO MUCH easier to set this thing up proper
exokientic
R4SAS it seems is also running an OpenWRT router
exokientic
when I was discussing some of these issues with R4SAS yesterday, we discovered that his router uses the exact same chipset as my mikrotik router
exokientic
MediaTek MT7621AT
Xeha
i got into mikrotik HW due to wanting 10G SFP+. now i have it in two of my DCs and at home :)
exokientic
Okay, well then; I will be back once I have OpenWRT flashed on this thing
exokientic
yeah, I was pretty close to getting the MikroTik hEX S router instead of the basic hEX (rb750gr3) that I got
Xeha
I'm quite sure you can set it up yourself. you should understand what DNAT/SNAT is and what masquerading does
exokientic
hEX S router has one SFP+ port
exokientic
:) I am pretty confident I can get OpenWRT running properly with the understanding you have provided for me today!
exokientic
thank you again Zeha!
exokientic
Xeha**
exokientic
well, I have some seemingly related information to report.... it might not be "useful" to anyone because it might be mikrotik specific...... but, here it goes:
exokientic
I am browsing through mikrotiks documentation about the implementation of NAT and firewall rules
exokientic
and I notice this:
exokientic
"Whenever NAT rules are changed or added, the connection tracking table should be cleared otherwise NAT rules may seem to be not functioning correctly until connection entry expires."
Xeha
exokientic: connection tracking is usually referred to as conntrack, which also has a userspace binary conntrack
exokientic
hmmm, I have been changing NAT rules all over the place
exokientic
so I found mikrotiks command for clearing that
exokientic
*/ip firewall connection remove [find]
exokientic
I run it
exokientic
and whoa look at that
Xeha
ugh, that's the actual command?
exokientic
i2pd web console says it's firewalled now
exokientic
I run a peer test
exokientic
now it says error - symmetric NAT
exokientic
lol, yep
exokientic
that's how you do it on the mikrotik
exokientic
run a peer test again
exokientic
now it says testing
exokientic
run a few more peer test
Xeha
seriously, ditch that thing lol
exokientic
network status = ok
exokientic
!!!
exokientic
ditching imminently
Xeha
yes i had that too, only to later return to symmetric NAT
Xeha
but it was actually a symmetric NAT, was a weird k8s deployment of a friend of mine
exokientic
so, it kind of seems like my router might be doing some kind of automatic flush of the connection tracker
exokientic
like periodically on a timer?
exokientic
and when that happens
exokientic
i2pd gets upset
Xeha
they have a timeout
Xeha
no
exokientic
reports firewalled or symmetric nat
Xeha
your issue is with wrong masquerading or with a shitty SNAT rule
Xeha
on your openwrt, type conntrack -L
Xeha
you'll see which things are active (ESTABLISHED) and which are timing out
Xeha
there you also see the mapping, if thats of interest to you
exokientic
"your issue is with wrong masquerading or with a shitty SNAT rule"
exokientic
agreed