Tiny Core 17.0 Alpha 1 Testing

[Juanito]

I didn't find anything that I thought looked like it would have the same affect as --disable-static would.

In those cases I build with lto and keep the result in a safe place, discarding the static libs, then rebuild without lto and keep only the static libs

[andyj]

Sometimes loading glibc_apps/glibc_gconv/glibc_i18n_locale has solved the problem and once I removed the test for iconv in a configure script and the resulting app worked...

This is what I have now:

Code: [Select]

tc@box:/mnt/sdb1/lamp$ tce-status -i|grep glibc
glibc_add_lib
glibc_apps
glibc_base-dev
glibc_gconv
glibc_i18n_locale

I also have this:

Code: [Select]

tc@box:/mnt/sdb1/lamp$ tce-status -i|grep icu
icu67
icu70
icu74
icu74-bin
icu74-dev
Maybe this is the problem. I just have to find out why I'm getting icu67 and icu70 pulled in since I'm not doing it in a script.

I just have to look in here:

Code: [Select]

tc@box:/mnt/sdb1/lamp$ tce-status -i|wc -l
490


[andyj]

I feel like I'm doing the first part, what does the second part do?

In those cases I build with lto and keep the result in a safe place, discarding the static libs, then rebuild without lto and keep only the static libs

Code: [Select]

export CC="gcc -flto -fuse-linker-plugin -mtune=generic -Os -pipe -fno-strict-aliasing -I/usr/local/include/ncursesw"                                         
export CXX="g++ -flto -fuse-linker-plugin -mtune=generic -Os -pipe -fno-strict-aliasing -I/usr/local/include/ncursesw -fpermissive"                           

The static libraries get put in the -dev extension. How does this compare to what the second part above does?

[Juanito]

What I mean to say is that I compile the source once using -flto, but discard the static libs (which can be up to 10x larger than the static libs compiled without -flto).

I then compile the source again without using -flto and keep only the static libs -i.e. using you example:

Code: [Select]

export CC="gcc -mtune=generic -Os -pipe -fno-strict-aliasing -I/usr/local/include/ncursesw"                                         
export CXX="g++ -mtune=generic -Os -pipe -fno-strict-aliasing -I/usr/local/include/ncursesw -fpermissive"

[Zhe]

Hi there, I've encountered issues running iptables (1.8.11 legacy) on Core x86 (Tiny Core 17.0 Alpha).

Is there anything I'm missing?
"sudo depmod -a" has no effect.

Should I recompile iptables to be compatible with kernel 6.18.2?

Code: [Select]

tc@box:~$ sudo modprobe ip_tables
modprobe: module ip_tables not found in modules.dep
tc@box:~$ sudo modprobe ip6_tables
modprobe: module ip6_tables not found in modules.dep
tc@box:~$ sudo iptables -L -n
modprobe: module ip_tables not found in modules.dep
iptables v1.8.11 (legacy): can't initialize iptables table `filter': Table does not exist (do you need to insmod?)
Perhaps iptables or your kernel needs to be upgraded.
tc@box:~$ uname -r
6.18.2-tinycore

[aus9]

Zhe
Until you get a better repy I see that repo has both the 32 bit and the 64 bit modules
http://tinycorelinux.net/17.x/x86/tcz/
ipv6-netfilter-6.18.2-tinycore64.tcz......ipv6-netfilter-6.18.2-tinycore.tcz

try this

Code: [Select]

tce-load -w ipv6-netfilter-KERNELyou may have accidently downloaded the 64 bit module?
Hmm the dep looks right
http://tinycorelinux.net/17.x/x86/tcz/iptables.tcz.dep

Did you check for updates in Apps?

[Zhe]

Hi, aus9

I checked, this is my tcz list.

/mnt/sda1/tce/optional/ipv6-netfilter-6.18.2-tinycore.tcz
/mnt/sda1/tce/optional/net-sched-6.18.2-tinycore.tcz

I've checked the TCZs available for update, but it seems that there aren't any related to iptables.

[Rich]

Hi Zhe
TC16 had  ip6_tables.ko.gz  in  ipv6-netfilter-6.12.11-tinycore.tcz.
It does not exist in TC17  ipv6-netfilter-6.18.2-tinycore.tcz.

Searching  provides.db  all the way back to TC10 showed no sign
of  ip_tables.ko  ever existing.

[Zhe]

Hi Rich.

Thanks for your time. It seems like it's time to switch from iptables to nftables.

The ip_tables.ko module does exist in kernel 6.12.11—I was able to use it normally before.

Until I figure things out, I'll stick with using nftables for now.

I just have a bit of concern about the memory spike that occurs when nftables handles large tables with over 100,000 records—though I may not end up needing tables that large.

Besides, what do other people think about enabling full eBPF support in the kernel?

For example

Code: [Select]

CONFIG_BPF=y
CONFIG_BPF_SYSCALL=y
CONFIG_BPF_JIT=y
CONFIG_CGROUPS=y
CONFIG_KPROBES=y
CONFIG_NET_INGRESS=y
CONFIG_NET_EGRESS=y
CONFIG_NET_SCH_INGRESS=m
CONFIG_NET_CLS_BPF=m
CONFIG_NET_CLS_ACT=y
CONFIG_BPF_STREAM_PARSER=y
CONFIG_DEBUG_INFO=y
# CONFIG_DEBUG_INFO_REDUCED is not set
CONFIG_DEBUG_INFO_BTF=y
CONFIG_KPROBE_EVENTS=y
CONFIG_BPF_EVENTS=y

[Rich]

Hi Zhe

... The ip_tables.ko module does exist in kernel 6.12.11—I was able to use it normally before. ...

I searched the TC16 repo and  ip_tables.ko  does not show up anywhere.

I booted up TC16 and searched /lib/modules/... to see if it was included in base.
It was not.

I checked http://tinycorelinux.net/16.x/x86/release/src/kernel/config-6.12.11-tinycore
and found this:

Code: [Select]

# IP: Netfilter Configuration
CONFIG_IP_NF_IPTABLES_LEGACY=y
 ----- Snip -----
CONFIG_IP_NF_IPTABLES=yThis shows both versions of iptables were built into the kernel. That means no
loadable modules were created.

I then checked http://tinycorelinux.net/17.x/x86/release/src/kernel/config-6.18.2-tinycore
and found this:

Code: [Select]

# IP: Netfilter Configuration
CONFIG_IP_NF_IPTABLES=yIt appears the legacy version may have been dropped. Maybe that's what caused your issue.

[Rich]

Hi Zhe
One more thing,  IP6_NF_IPTABLES_LEGACY  also disappeared from:
http://tinycorelinux.net/17.x/x86/release/src/kernel/config-6.18.2-tinycore

[aus9]

Hi Rich
I am on x86_64. I built a software firewall called iptables-nft.....and can remember that it worked on the release I built it on 15x....just tested and it fails on 16x and 17x  with a similar module issue. It has v4 ruleset and an empty v6 as I had no-one to cheat off. I will try to build my TC64 TCE on 17x and report if I can get around this module issue. We can then look at v6 ruleset. Then we can look at  TC32/TC64 build script that Zhe might be able to build for x86

[aus9]

Rich
I think someone may need to look at our K modules based on this wiki
https://wiki.nftables.org/wiki-nftables/index.php/Building_and_installing_nftables_from_sources
section=Validating your installation

Code: [Select]

tce-load -i ipv6-netfilter-KERNEL
ipv6-netfilter-6.18.2-tinycore64 is already installed!
sudo modprobe nf_tables
lsmod | grep nf_tables
nf_tables             200704  0
sudo modprobe nf_tables_ipv4
modprobe: module nf_tables_ipv4 not found in modules.depand last line stops me from going any further

IMHO we need some extra modules. I do not have the 17x config but 16x config does not appear to have all same modules as proposed by wiki

CONFIG_NFT_EXTHDR=m
CONFIG_NFT_META=m
CONFIG_NFT_CT=m
CONFIG_NFT_RBTREE=m
CONFIG_NFT_HASH=m
CONFIG_NFT_COUNTER=m
CONFIG_NFT_LOG=m
CONFIG_NFT_LIMIT=m
CONFIG_NFT_MASQ=m
CONFIG_NFT_REDIR=m
CONFIG_NFT_NAT=m
CONFIG_NFT_QUEUE=m
CONFIG_NFT_REJECT=m
CONFIG_NFT_REJECT_INET=m
CONFIG_NFT_COMPAT=m
CONFIG_NFT_CHAIN_ROUTE_IPV4=m
CONFIG_NFT_REJECT_IPV4=m
CONFIG_NFT_CHAIN_NAT_IPV4=m
CONFIG_NFT_MASQ_IPV4=m
# CONFIG_NFT_REDIR_IPV4 is not set
CONFIG_NFT_CHAIN_ROUTE_IPV6=m
CONFIG_NFT_REJECT_IPV6=m
CONFIG_NFT_CHAIN_NAT_IPV6=m
CONFIG_NFT_MASQ_IPV6=m
# CONFIG_NFT_REDIR_IPV6 is not set
CONFIG_NFT_BRIDGE_META=m
CONFIG_NFT_BRIDGE_REJECT=m

for example I searched for CHAIN_NAT_IPV4 and CHAIN_NAT_IPV6 on 16x config with no hits

[aus9]

It looks like iptables is replaced by nftables

@GNUser
I have just spotted you have nftables on x86_64. Does that need any kernel modules?
I have no experience at using it...does it work on 17x?

I cheated off debian wiki does this look Ok to you? I became full root to save typing sudo

Code: [Select]

root@box:/# nft add table inet filter
root@box:/# nft add chain inet filter input { type filter hook input priority 0\; }
root@box:/# nft add rule inet filter input counter accept
root@box:/# nft list table inet filter
table inet filter {
chain input {
type filter hook input priority filter; policy accept;
counter packets 3 bytes 214 accept
}
}
root@box:/# nft list tables
table inet filter
I have a router firewall so using an external firewall checker will hit against that and any firewall my network provider has too

[GNUser]

@GNUser
I have just spotted you have nftables on x86_64. Does that need any kernel modules?

Yes, nftables needs several kernel modules. The modules are provided by ipv6-netfilter-KERNEL.tcz, which is a dependency of nftables.tcz.

nftables.tcz is the only extension you need to load. It provides the  nft  command line tool you need to configure the firewall.

I have no experience at using it...does it work on 17x?

Yes, it's been working perfectly for me since I first tried it with TCL12 Pure64, up until now with TCL17 Pure64.

My wireless router is running TCL17 Pure64, with nftables for firewall. I switched from iptables to nftables back in 2021 and have never looked back: Since the switch, my firewall has been much easier to understand and customize. The only downside is that there still seems to be more documentation/how-tos for iptables than for nftables, but nft is easier to understand and has cleaner syntax than iptables, so that compensates for the relatively scanty online documentation.