SOLVED

The following works !

I guess one of my others rules was blocking

table ip Tip {
        chain prerouting {
                type nat hook prerouting priority -100; policy accept;
                ip daddr 192.168.y.2 log prefix "forwarded " dnat to 192.168.y.3
        }
        chain postrouting {
                type nat hook postrouting priority 100; policy accept;
                masquerade
        }
        chain INPUT {
                type filter hook input priority filter; policy accept;
        }
        chain FORWARD {
                type filter hook forward priority filter; policy accept;
        }
        chain OUTPUT {
                type filter hook output priority filter; policy accept;
        }
}

Hi, Thank to all of you.

I made a test environment with the following.

• Machine A: 192.168.Y.1
• Machine B: 192.168.Y.2
• Machine C: 192.168.Y.3

The goal is to send a ping A to B, B forward to C

So ping -4c 1 192.168.y.2 from A, should ping B fw C

I’ve set the following rule in /etc/nftables.conf

table ip Tip {
        chain prerouting {
                type nat hook prerouting priority dstnat; policy accept;
                iif "eth0" ip protocol icmp dnat to 192.168.y.3
        }
        chain postrouting {
                type nat hook postrouting priority 100; policy accept;
                ip saddr 192.168.y.3 masquerade
        }
}

but is not working :'(

I see B receive the package

preroute: IN=eth0 OUT= MAC=▒▒ SRC=192.168.y.1 DST=192.168.y.2 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=21398 DF PROTO=ICMP TYPE=8 CODE=0 ID=17950 SEQ=1

but it seem C receive nothing…

Any ideas ?

As I want the system to be quite ( not sending data ) I was suspected the output hook to be the one. what are you suggesting ?

Obviously, but I’m anyway wondering why it doesn’t blocking like it should
I hope nftables do not let other pass like this…

Thank you very much all, for your inputs !

I’ve did

root: file /boot/broadcom/initrd.gz
initrd.gz: Zstandard compressed data ....

root: unmkinitramfs /boot/broadcom/initrd.gz Extracted/
# data where extracted to Extracted/
# but I go few error like:
# cpio: cannot link usr/sbin/vconfig to usr/sbin/watchdog: Operation not permitted

Extracted//
|-- conf/
|   |-- arch.conf*
|   |-- conf.d/
|   `-- initramfs.conf*
|-- etc/
|   |-- fstab*
|   |-- ld.so.cache*
|   |-- ld.so.conf*
|   |-- ld.so.conf.d/
|   |-- modprobe.d/
|   `-- udev/
|-- init*
|-- run/
|-- scripts/
|   |-- functions*
|   |-- init-bottom/
|   |-- init-top/
|   |-- local*
|   |-- local-bottom/
|   |-- local-premount/
|   `-- nfs*
`-- usr/
    |-- bin/
    |-- lib/
    `-- sbin/

So it tend to confirm that even if the file is named initrd.gz it’s actually an initramfs method… ( damn this is so misleading )

So I guess I can follow preparing-linux from the guide and overwrite the initrd.gz ?

Thanks @SteveTech@programming.dev

I suppose the file linux/arch/Kconfig is the base the menuconfig to know which option is available ? right ?

Thanks.

Thanks, how can we verify this ?

I’m using Devuan ( systemd free ! ) :)

I believe my initramfs do not support luks encryption, but the link of @DrDystopia@lemy.lol might work… 🤞

Thanks @DrDystopia@lemy.lol ! indeed https://github.com/gitbls/sdm/blob/master/Docs/Disk-Encryption.md#the-sdm-cryptconfig-script seem what I need. I’ll try

ohh ! great ! I’ll see if I manage to install it on Devuan Thanks.

🤩 Woo I didn’t know nix. It seem a better way to handle package !!! but so if I have already apt that handle my packages, is it compatible to use both on the same system !?

Nix stores all packages in isolation from each other; as a result there are no /bin, /sbin, /lib or /usr directories and all packages are kept in /nix/store instead.

Yes, but it’s not reliable. because even if you use a bare linux vm to download the packages and dependency, you never know if the online will have already a dependence that the offline system do not have.

no, the only way is to force the dw of the already downloaded package.

Thank you very much @connaisseur@feddit.org

I have tried

apt-get -o Dir::Cache::archives="/to/path" install --download-only apt-offline

But it downloaded only the .deb of apt-offline and not all the dependence tree. Most probably because this machine have them already.

now, remain to force to download also all the dependency tree even if already installed…

indeed .appimage are an amazing thing as they do not require any special runtime or installation process !
I guess I will have to do my own .appimage of software that do not provide them