Closed Andrei-Pozolotin closed 4 years ago
@vvl-rulez please review and test on live system #56
I've checked the code, seems all is okay. To test it on a system I need the actual PKGBUILD - do you have it? https://aur.archlinux.org/mkinitcpio-systemd-tool.git is so old.
I've checked the code, seems all is okay.
thank you
I need actual PKGBUILD
you did review, right? :-) well, then you missed it: PKGBUILD
usage:
cd /tmp
git clone git@github.com:random-archer/mkinitcpio-systemd-tool.git
cd mkinitcpio-systemd-tool
git fetch origin pull/56/head:vvl-nftables
git checkout vvl-nftables
ls -las
makepkg -e
sudo pacman -U *.pkg.tar.xz
well, then you missed it: PKGBUILD
Oh, really, sorry.
Package compiles successfully, but the service at boot has some problems:
First, Error: Could not process rule: Operation not supported
I solved it by editing
InitrdCall=add_all_modules /netfilter/nft_*
to InitrdCall=add_all_modules /netfilter/nf_tables*
Now left errors like Could not process rule: No such file or directory
Trying to solve it. Will commit all fixes later
By the way...
systemd-networkd[595]: Configuration file /etc/systemd/network/initrd-network.network is marked executable. Please remove executable permission bits. Proceeding anyway.
systemd-networkd[595]: Configuration file /etc/systemd/network/initrd-network.network is marked world-writable. Please remove world writability permission bits. Proceeding anyway.
I solved it by editing
InitrdCall=add_all_modules /netfilter/nft_*
to InitrdCall=add_all_modules /netfilter/nf_tables*
Need both nf_tables* and nft_*. When I edited the file to `InitrdCall=add_all_modules /netfilter/nf`, all works fine. What should we do, this way or 2 lines?
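To see concretely what each candidate pattern from this thread pulls into the initramfs, here is an added shell example; it is not code from the PR or from mkinitcpio-systemd-tool, and it assumes that add_all_modules applies its argument as a grep -E regular expression to the full path of every *.ko* file under the module directory. The module tree is constructed inline with representative netfilter module names.

```shell
#!/bin/sh
# Added example, not part of the PR: emulate how a pattern handed to
# mkinitcpio's add_all_modules selects module files, so the three patterns
# discussed in the thread can be compared on the same input.
# ASSUMPTION: the pattern is matched as a grep -E regex against the full path.
set -eu

# Constructed module tree (file names only; contents are irrelevant here).
MODDIR=$(mktemp -d)
trap 'rm -rf "$MODDIR"' EXIT
mkdir -p "$MODDIR/kernel/net/netfilter" "$MODDIR/kernel/net/ipv4/netfilter"
for m in nf_tables nf_tables_set nft_ct nft_counter nft_compat nf_conntrack nfnetlink x_tables; do
    : > "$MODDIR/kernel/net/netfilter/$m.ko.xz"
done
: > "$MODDIR/kernel/net/ipv4/netfilter/nf_reject_ipv4.ko.xz"

# List the module basenames a given add_all_modules pattern would select.
modules_for() {
    find "$MODDIR" -name '*.ko*' | grep -E "$1" | sed 's#.*/##; s#\.ko.*##' | sort
}

# Number of modules a pattern selects; used to compare the patterns below.
count_for() {
    modules_for "$1" | wc -l | tr -d ' '
}

# '/netfilter/nft_'       -> only the nft_* expression modules (3 here)
# '/netfilter/nf_tables'  -> only the nf_tables core and its helpers (2 here)
# '/netfilter/nf'         -> everything starting with nf, including modules
#                            unrelated to nftables such as nf_conntrack (8 here)
for p in '/netfilter/nft_' '/netfilter/nf_tables' '/netfilter/nf'; do
    printf '%s -> %s modules\n' "$p" "$(count_for "$p")"
done
```

The wide pattern `/netfilter/nf` works because it is a superset of the two narrow ones, at the cost of copying every nf_* module into the initramfs; two InitrdCall lines keep the early-boot module set minimal.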
What should we do, this way or 2 lines?
I applied your review, thank you
initrd-network.network is marked executable initrd-network.network is marked world-writable
I can not reproduce, please try to trace the origin of this bug
really, sorry
no problem, I understand
please review again, test again:
* positive check: remote ssh allowed
Works
* negative check: remote port scan denied
Works
All seems good and working. Don't forget to add /etc/mkinitcpio-systemd-tool/config/initrd-nftables.conf to the backup section of PKGBUILD (and for the package maintainer too) :)
firewall inside initramfs:
initrd-nftables.service
many thanks to @vvl-rulez Vladislav, see: #53 #55