[SOLVED] Login screen appear after 4 min after setting nftable rules.

SpongeBOB · 2022-02-09 07:06:23

Hi everyone,

I just installed nftable on my system (thanks to Head_on_a_Stick )

Now,when I edit the

default /etc/nftables.conf

#!/usr/sbin/nft -f

flush ruleset

table inet filter {
         chain input {
                   type filter hook input priority 0;
         }
         chain forward {
                   type filter hook forward priority 0;
         }
         chain output{
                   type filter hook output priority 0;
         }
}

to

#!/usr/sbin/nft -f

flush ruleset

table inet filter {
         chain input {
                   type filter hook input priority 0; policy drop;
         }
         chain output{
                   type filter hook output priority 0; policy drop;
         }
}

I reboot then my screen is black for 4Min 24Sec before I finally see the login screen.
When I do a /user/sbin/nft -f /etc/nftables.conf the rule apply with no delay.

so I guess something at boot is conflicting with this ruleset, but what ?

Thanks.

Last edited by SpongeBOB (2022-02-09 20:01:55)

SpongeBOB · 2022-02-10 05:41:09

Same behavior when I logout, ~4min before I can see the login screen 😭

SpongeBOB · 2022-02-10 06:12:31

I made few test and this issue occur if

chain input {
             type filter hook input priority 0; policy drop;
}

or / and

chain output{
             type filter hook output priority 0; policy drop;
}

has/have policy set to drop...

Last edited by SpongeBOB (2022-02-10 06:13:21)

SpongeBOB · 2022-02-10 06:35:50

/var/log/slim.log wrote:

slim: waiting for X server to shut down
slim: waiting for x server to begin accepting connection
slim: Consolekit::open_session: unable to open session: The name org.freedesktop.ConsoleKit was not provided by any .service
slim: falling back to PAM session

hevidevi · 2022-02-10 10:11:17

maybe just copy over the worksation.nft to /etc/nftables.conf from /usr/share/doc/nftables/examples/workstation.nft

backup your original nftables.conf before you do this.

Last edited by hevidevi (2022-02-10 10:11:33)

Head_on_a_Stick · 2022-02-10 16:02:03

^ +1

@OP: what are you trying to achieve with that configuration? It will not be possible to connect to the internet unless you allow tracked connections, like this:

    ct state {established, related} accept

And the loopback device will also be blocked without

    iifname lo accept

I suspect the delay is due to either the loopback or internet block, check /var/log/messages for anything relevant.

Last edited by Head_on_a_Stick (2022-02-10 18:12:57)

SpongeBOB · 2022-02-11 05:18:52

Hi HOAS,

Thanks for your reply,

Head_on_a_Stick wrote:

... @OP: what are you trying to achieve with that configuration?

This is not my final config, but the start. Excluding everythings then make some exceptions. (opening only the necessary)
indeed I plan to add something like ct state {established, related} accept

Head_on_a_Stick wrote:

And the loopback device will also be blocked without
    iifname lo accept

Hoo that I didn't think about it !! thx !

Head_on_a_Stick wrote:

I suspect the delay is due to either the loopback or internet block, check /var/log/messages for anything relevant.

I will make make some tests and I will update this topics in the following hours.

Thanks again.👍

Last edited by SpongeBOB (2022-02-11 07:24:28)

SpongeBOB · 2022-02-11 07:53:15

Still the same issue with

nft list ruleset

table ip6 Tip6 {
         chain chPR{
                   type filter hook prerouting priority filter; policy drop;
         }
}
table ip Tip {
         chain chIN{
                   type filter hook input priority filter; policy drop;
                   ct state established,related accept
                   iifname "lo" accept
         }
}

on the other hand

table ip Tip {
         chain chIN{
                   type filter hook input priority filter; policy drop;
                   ct state established,related accept
                   iifname "lo" accept
         }
}

work !, but WHY slim would require IPv6 🤨 ?

I've cleared /var/log/messages before testing, and nothing generate new messages.

Last edited by SpongeBOB (2022-02-11 07:53:56)

Head_on_a_Stick · 2022-02-11 17:38:40

SLiM is ancient, unmaintained and it doesn't support login sessions correctly. It probably has several other bugs as well thanks to 8 years of code rot.

Do you still experience the delay with (for example) GDM? How about a plain console login?

SpongeBOB · 2022-02-14 05:49:05

Thanks HOAS,

Head_on_a_Stick wrote:

SLiM is ancient, unmaintained and it doesn't support login sessions correctly. It probably has several other bugs as well thanks to 8 years of code rot.
Do you still experience the delay with (for example) GDM?

I didn't tried yet, talking about display manager aka login manager, does someone have any recommendation for one that work well with devuan ? That is gpl ? and lightweight ?

Head_on_a_Stick wrote:

How about a plain console login?

I edited the grub command at boot with key e ->

and added 3 at the end of the line Linux /boot/vmlinuz..... but this is not working -> it launch slim still.

So I tried with the option: Advanced options for devuan GNU/Linux then (recovery mode) that option have no delay to login with console. But I guess in that mode a lot of services are down ?

How can I login (normally 5) in console without Slim ?

SpongeBOB · 2022-02-14 06:03:48

To be able to boot in console I have just done a apt purge slim

So I can confirm the delay problem was coming indeed from Slim.

rolfie · 2022-02-14 17:32:24

I am using lightdm with Mate or Cinnamon, no issues, uses elogind.

Head_on_a_Stick · 2022-02-14 17:48:22

LightDM runs X under the root user but GDM or console logins run X under the normal user, which is *much* better.

To start the graphical desktop automatically after login at TTY1 add this line to the end of ~/.profile:

[ "$(tty)" = /dev/tty1 ] && exec startx

We don't need no stinkin' display manager...

golinux · 2022-02-14 18:55:49

Head_on_a_Stick wrote:

We don't need no stinkin' display manager...

There is comfort and beauty (sometimes) in a display manager. Art matters . . .

The officially official Devuan Forum!

#1 2022-02-09 07:06:23

[SOLVED] Login screen appear after 4 min after setting nftable rules.

#2 2022-02-10 05:41:09

Re: [SOLVED] Login screen appear after 4 min after setting nftable rules.

#3 2022-02-10 06:12:31

Re: [SOLVED] Login screen appear after 4 min after setting nftable rules.

#4 2022-02-10 06:35:50

Re: [SOLVED] Login screen appear after 4 min after setting nftable rules.

#5 2022-02-10 10:11:17

Re: [SOLVED] Login screen appear after 4 min after setting nftable rules.

#6 2022-02-10 16:02:03

Re: [SOLVED] Login screen appear after 4 min after setting nftable rules.

#7 2022-02-11 05:18:52

Re: [SOLVED] Login screen appear after 4 min after setting nftable rules.

#8 2022-02-11 07:53:15

Re: [SOLVED] Login screen appear after 4 min after setting nftable rules.

#9 2022-02-11 17:38:40

Re: [SOLVED] Login screen appear after 4 min after setting nftable rules.

#10 2022-02-14 05:49:05

Re: [SOLVED] Login screen appear after 4 min after setting nftable rules.

#11 2022-02-14 06:03:48

Re: [SOLVED] Login screen appear after 4 min after setting nftable rules.

#12 2022-02-14 17:32:24

Re: [SOLVED] Login screen appear after 4 min after setting nftable rules.

#13 2022-02-14 17:48:22

Re: [SOLVED] Login screen appear after 4 min after setting nftable rules.

#14 2022-02-14 18:55:49

Re: [SOLVED] Login screen appear after 4 min after setting nftable rules.

Board footer