Applying a recursive function to a list to get another list


Here is code:

x2={1539.91, 5.05, -2.82, 0, 19, 135.93, 117.78, 11.61, 8.17, 13.76, 
1.5, 36.75, 137.77, -16.18, 4.18, -2.82, 0, 18.42, 53.19, 5.91, 
-16.18, 3.24, -2.82, 0, 53.19, 518.6, -16.18, 1.61, -2.82, 23, 0, 
70.92, 58.89, 13.08, 42.32, 57.67, -15.32, 1.76, -2.68, 18.42, 0, 
53.19, 6.33, -15.32, 2.01, -2.68, 0, 53.19, -15.32, 2.17, -2.68, 0,
-1000, 76.83, 27.18, 0.02, 8.88, 13.08, 30, 48.72, 16.02, -15.32, 
1.69, -2.68, 0, 0.7, 53.19, 1128.85, 11.49, 53.19, 16.61, 209.84,
1243.2, 23, 1.08}   

I want to create a new list called balancelist using a recursive function (or any other way so I learn) such that I end up with a list with something like this:

{1539.91,1539.91-5.05,1539.91-5.05-(-2.82),......} 

I have tried the following code but it doesn’t work:

balancefinal = {} 
For[i = 1, i <= Length[x2], i++, x2[[i]] - x2[[i + 1]]; 
Append[balancefinal]]

      webmathematica mathematica-online


      edited 12 mins ago

      kglr


      asked 1 hour ago

      beemen


          2 Answers
                  If you consider Accumulate a recursive function, then you could do:

                  2 x2[[1]] - Accumulate[x2]
                  

                  This is much faster than using something like FoldList. For example:

                  x2 = RandomReal[{-10, 10}, 10^6];
                  
                  r1 = 2 x2[[1]] - Accumulate[x2]; //AbsoluteTiming
                  r2 = FoldList[Subtract, x2]; //AbsoluteTiming
                  
                  MinMax[r1 - r2]
                  

                  {0.005461, Null}

                  {0.161103, Null}

                  {-3.86535*10^-12, 1.65983*10^-11}


                  answered 1 hour ago

                  Carl Woll



                          You can Fold Subtract on x2:

                          FoldList[Subtract, x2]
                          

                          {1539.91,1534.86,1537.68,1537.68,1518.68,1382.75,1264.97,1253.36,1245.19,1231.43,1229.93,1193.18,1055.41,1071.59,1067.41,1070.23,1070.23,1051.81,998.62,992.71,1008.89,1005.65,1008.47,1008.47,955.28,436.68,452.86,451.25,454.07,431.07,431.07,360.15,301.26,288.18,245.86,188.19,203.51,201.75,204.43,186.01,186.01,132.82,126.49,141.81,139.8,142.48,142.48,89.29,104.61,102.44,105.12,105.12,1105.12,1028.29,1001.11,1001.09,992.21,979.13,949.13,900.41,884.39,899.71,898.02,900.7,900.7,900.,846.81,-282.04,-293.53,-346.72,-363.33,-573.17,-1816.37,-1839.37,-1840.45}

                          If you have to use For here is a modification of your code that gives the correct result:

                          balancefinal = {x2[[1]]};
                          For[i = 1, i < Length[x2], i++, AppendTo[balancefinal, balancefinal[[-1]] - x2[[i + 1]]]]
                          
                          balancefinal == FoldList[Subtract, x2]
                          

                          True


                          edited 5 mins ago

                          answered 1 hour ago

                          kglr
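
An explicit recursive definition of the running balance, which neither answer spells out, checked against both answers' one-liners. This is an added example, not code from the original posts; the names balanceRec, balanceAcc, sample and exact are introduced here for illustration.

```mathematica
ClearAll[balanceRec, balanceAcc];

(* Recurrence behind the requested list:
     b[1] = x[[1]],   b[k] = b[k-1] - x[[k]]   for k >= 2.
   The recursion peels off the last element, solves the shorter
   problem, then appends one more balance. *)
balanceRec[{}] := {};                      (* nothing to balance *)
balanceRec[{first_}] := {first};           (* base case: opening balance *)
balanceRec[list_List] :=
  With[{prev = balanceRec[Most[list]]},
    Append[prev, Last[prev] - Last[list]]];

(* Why 2 x[[1]] - Accumulate[x] gives the same list:
     b[k] = x1 - (x2 + ... + xk) = 2 x1 - (x1 + x2 + ... + xk),
   and Accumulate[x] is exactly the list of sums x1 + ... + xk.
   First[{}] is an error, so the empty list gets its own rule. *)
balanceAcc[{}] := {};
balanceAcc[list_List] := 2 First[list] - Accumulate[list];

(* First five values of x2 from the question. *)
sample = {1539.91, 5.05, -2.82, 0, 19};

(* All three forms agree; Equal compares machine reals with a
   small tolerance, which absorbs rounding differences. *)
balanceRec[sample] == FoldList[Subtract, sample] == balanceAcc[sample]

(* With exact rationals there is no rounding at all, so the results
   are structurally identical and SameQ can be used instead of Equal. *)
exact = Rationalize[sample];
balanceRec[exact] === FoldList[Subtract, exact] === balanceAcc[exact]

(* Edge cases handled by the extra rules. *)
balanceRec[{}] === balanceAcc[{}] === {}
balanceRec[{1539.91}] === {1539.91}
```

The recursive form is for learning the recurrence: it goes one level deeper per element, so long lists run into $RecursionLimit, and each Append copies the list, which is why FoldList or Accumulate is the practical choice.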


                              Does the Boon of Spell Mastery benefit someone with Magic Initiate but no spell slots?


                              As a Fighter with an above-average Intelligence score, I’ve chosen to take the Magic Initiate feat (PHB, p. 168), and as my 1st-level wizard spell, I’ve chosen to learn burning hands, which I’m now able to cast once per day as if I were a Wizard. This fulfills the requirements specified by the Boon of Spell Mastery (DMG, p. 232), which reads:

                              Choose one 1st-level sorcerer, warlock, or wizard spell that you can cast. You can now cast that spell at its lowest level without expending a spell slot.

                              But there’s a snag, in the fact that this fighter does not have spell slots to begin with—they are not an Eldritch Knight, and no part of the Magic Initiate feat specifies that they gain any spell slots. They weren’t casting burning hands using a spell slot in the first place, so saying they “can now cast burning hands without a spell slot” doesn’t mean anything.

                              Does this Boon benefit this character at all or is it useless to them?


                                  dnd-5e spells feats epic-tier


                                  edited 8 mins ago

                                  V2Blast


                                  asked 4 hours ago

                                  Xirema


                                      2 Answers

                                      The character would benefit from the boon

                                      Magic Initiate says:

                                      [C]hoose one 1st-level spell from the [class’s] spell list. You learn that spell and can cast it at its lowest level. Once you cast it, you must finish a long rest before you can cast it again using this feat.

                                      As you correctly say, Magic Initiate does not grant you spell slots, only (from this bullet) the ability to cast a single spell. So, you are already casting this spell without using up a spell slot. However, Magic Initiate only allows you to cast the spell once per long rest. Upon receiving the boon, you would be able to cast it as many times as you wanted. So there would be a benefit there.


                                      • @Ruse it isn’t a requirement at all (I didn’t address requirements at all on my answer since it wasn’t part of the question). The DM is free to bestow it on the fighter. My point is though that the fighter will receive no benefit from it at all. Does that make sense? If I can make it clearer please let me know.
                                        – Rubiksmoose
                                        2 hours ago

                                      • It’s unclear to me why there is no benefit. Being able to cast a spell without spellslots (with the boon) is way more beneficial than being able to cast a spell without spellslots once per day (with just the feat).
                                        – Ruse
                                        2 hours ago

                                      • @Ruse Very good point! That was because I had overlooked that. I have updated my answer.
                                        – Rubiksmoose
                                        1 hour ago


                                      Epic Boons – like the Boon of Spell Mastery – do not have any more complicated requirements than are indicated in each boon. Your Fighter’s ability to cast Burning Hands is sufficient that they should then be able to qualify to take Boon of Spell Mastery upon exceeding 20th level by 3,000 XP.

                                      All that said, Epic Boons are very directly to be given to a character at the DM’s discretion and only with their approval, should the DM allow you to choose which Epic Boon you want. If the boon does not fit thematically (can you really be a Spell Master without having spell slots?) they are well within their rights to assign you a different boon, perhaps something like Combat Prowess more fitting for the character.


                                      • The question isn’t about whether they “qualify” to take the boon, nor whether it’s a good idea for them to take it (or for a DM to offer it), it’s about examining whether said character can actually benefit from said boon, even if it has been granted to them.
                                        – Xirema
                                        3 hours ago

                                      • This doesn’t answer the question at all. Check it now that the wording has been tweaked to see if it makes more sense to you.
                                        – Rubiksmoose
                                        2 hours ago

                                      Your Answer

                                      StackExchange.ifUsing(“editor”, function () {
                                      return StackExchange.using(“mathjaxEditing”, function () {
                                      StackExchange.MarkdownEditor.creationCallbacks.add(function (editor, postfix) {
                                      StackExchange.mathjaxEditing.prepareWmdForMathJax(editor, postfix, [[“\$”, “\$”]]);
                                      });
                                      });
                                      }, “mathjax-editing”);

                                      StackExchange.ready(function() {
                                      var channelOptions = {
                                      tags: “”.split(” “),
                                      id: “122”
                                      };
                                      initTagRenderer(“”.split(” “), “”.split(” “), channelOptions);

                                      StackExchange.using(“externalEditor”, function() {
                                      // Have to fire editor after snippets, if snippets enabled
                                      if (StackExchange.settings.snippets.snippetsEnabled) {
                                      StackExchange.using(“snippets”, function() {
                                      createEditor();


                                      The character would benefit from the boon

                                      Magic Initiate says:

                                      [C]hoose one 1st-level spell from the [class’s] spell list. You learn that spell and can cast it at its lowest level. Once you cast it, you must finish a long rest before you can cast it again using this feat.

                                      As you correctly say, Magic Initiate does not grant you spell slots, only (from this bullet) the ability to cast a single spell. So, you are already casting this spell without using up a spell slot. However, Magic Initiate only allows you to cast the spell once per long rest. Upon receiving the boon, you would be able to cast it as many times as you wanted. So there would be a benefit there.


                                      edited 1 hour ago

                                      answered 2 hours ago

                                      Rubiksmoose


                                      • @Ruse it isn’t a requirement at all (I didn’t address requirements at all on my answer since it wasn’t part of the question). The DM is free to bestow it on the fighter. My point is though that the fighter will receive no benefit from it at all. Does that make sense? If I can make it clearer please let me know.
                                        – Rubiksmoose
                                        2 hours ago

                                      • It’s unclear to me why there is no benefit. Being able to cast a spell without spell slots (with the boon) is way more beneficial than being able to cast a spell without spell slots once per day (with just the feat).
                                        – Ruse
                                        2 hours ago

                                      • @Ruse Very good point! That was because I had overlooked that. I have updated my answer.
                                        – Rubiksmoose
                                        1 hour ago


                                      Epic Boons – like the Boon of Spell Mastery – do not have any more complicated requirements than are indicated in each boon. Your Fighter’s ability to cast Burning Hands is sufficient that they should then be able to qualify to take Boon of Spell Mastery upon exceeding 20th level by 3,000 XP.

                                      All that said, Epic Boons are very directly to be given to a character at the DM’s discretion and only with their approval, should the DM allow you to choose which Epic Boon you want. If the boon does not fit thematically (can you really be a Spell Master without having spell slots?) they are well within their rights to assign you a different boon, perhaps something like Combat Prowess more fitting for the character.


                                      answered 3 hours ago

                                      Weaveworker89


                                      • The question isn’t about whether they “qualify” to take the boon, nor whether it’s a good idea for them to take it (or for a DM to offer it), it’s about examining whether said character can actually benefit from said boon, even if it has been granted to them.
                                        – Xirema
                                        3 hours ago

                                      • This doesn’t answer the question at all. Check it now that the wording has been tweaked to see if it makes more sense to you.
                                        – Rubiksmoose
                                        2 hours ago


                                      Use playerctl or dbus to get the latest active media player


                                      Before I switched to bspwm, I used KDE/Plasma 5. In KDE, I could use my media keys to play/pause, etc in vlc, spotify and even in Firefox with an addon (youtube, netflix, pretty much everything worked). When both VLC, Firefox and Spotify were open, the media keys controlled the last used player, regardless if the window is open or not.

                                      I’d like to get the same functionality in bspwm.

                                      Right now I’m using playerctl -p spotify play-pause to control spotify, which is bound to XF86AudioPlay in sxhkdrc. I’d also like to do this with VLC, but playerctl needs to know which player to play/pause, if both are open.

                                      Is there a way to get the same KDE/Plasma functionality for both VLC, Firefox and Spotify? If not, is there a way to determine which player was last active? That way I could write a script to play/pause only the last active player.


                                      EDIT:

                                      Looks like the Plasma Integration add-on for firefox still works with playerctl and bspwm, so sites like Youtube still respond to controls, great!

                                      What I only need now is a way to get the latest active player, so when Spotify happens to be open in the background and I’m watching something on VLC, it knows to control VLC and not Spotify when I press media keys.

                                      playerctl -l when multiple media players are open shows me that Plasma Browser Integration is always on top, meaning that will always have top priority with media keys. Second is VLC, third is Spotify.


                                          d-bus vlc mediaplayer bspwm


                                          edited 8 mins ago

                                          asked Oct 25 at 19:33

                                          zjeffer

                                              Does the Brute fighter’s extra damage die get added to the monk’s Martial Arts and Flurry of Blows attacks?


                                              up vote
                                              3
                                              down vote


                                              I am considering a build that would start with monk, then multiclass to fighter up to level 3 to get the Brute archetype (from Unearthed Arcana: Three Subclasses).

                                              Would the extra damage die from the Brute subclass still get added to the monk’s Martial Arts and Flurry of Blows attacks?


                                              • Where is this fighter subclass from? UA?
                                                – Szega
                                                6 hours ago

                                              • @Szega Yes
                                                – NathanS
                                                6 hours ago

                                              • 2

                                                Please note that Unearthed Arcana is not tuned for Multiclassing.
                                                – NautArch
                                                6 hours ago

                                              • In a home campaign I can multiclass with Unearthed Arcana features if I wish, or am I wrong?
                                                – Eternallord66
                                                6 hours ago

                                              • 1

                                                Yes, my apologies if that came off as a You Can Not Do This At All 🙂 But did want to let it be known that there may be unknown interactions that can make multiclassing with UA problematic at times.
                                                – NautArch
                                                5 hours ago

                                              dnd-5e monk damage fighter unearthed-arcana


                                              edited 20 mins ago

                                              V2Blast


                                              asked 6 hours ago

                                              Eternallord66

                                              2 Answers

                                              up vote
                                              9
                                              down vote

                                              Not with unarmed strikes

                                              As of the first Player’s Handbook errata unarmed strikes no longer count as weapons.

                                              Instead of using a weapon to make a melee weapon attack, you can use an un-armed [sic] strike: a punch, kick, head-butt, or similar forceful blow (none of which count as weapons).

                                              The Brute Damage requires a weapon:

                                              Whenever you hit with a weapon that you’re proficient with and deal damage, the weapon’s damage increases

                                              This means that Flurry of Blows can not use Brute Damage as it only uses unarmed strikes (emphasis mine):

                                              Immediately after you take the Attack action on your turn, you can spend 1 ki point to make two unarmed strikes as a bonus action.

                                              You could use a Monk Weapon with Martial Arts

                                              Martial Arts affects certain weapons in addition to unarmed strikes (emphasis mine):

                                              • You can use Dexterity instead of Strength for the attack and damage rolls of your unarmed strikes and monk weapons.

                                              • You can roll a d4 in place of the normal damage of your unarmed strike or monk weapon.

                                              If using a monk weapon, the Brute Damage would apply.


                                              • 1

                                                Since the question specifically calls it out, you should mention that “Flurry of Blows” does NOT use monk weapons, only unarmed strikes so those would not stack. “Immediately after you take the Attack action on your turn, you can spend 1 ki point to make two unarmed strikes as a bonus action.”
                                                – MivaScott
                                                5 hours ago

                                              • @MivaScott added. Thanks
                                                – David Coffron
                                                5 hours ago

                                              up vote
                                              5
                                              down vote

                                              The Brute’s Damage is not added to unarmed strikes

                                              The Brute archetype says:

                                              Brute Force

                                              Starting at 3rd level, you’re able to strike with your weapons with especially brutal force. Whenever you hit with a weapon that you’re proficient with and deal damage, the weapon’s damage increases by an amount based on your level in this class, as shown on the Brute Bonus Damage table.

                                              Even though unarmed strike is considered a weapon attack, it is not considered a weapon, so the extra damage from Brute Force would not be added to it as it specifically says “hit with a weapon” rather than “make a melee weapon attack” like most features do, although it would of course still be added to any weapon attacks you make with a weapon.

                                              share|improve this answer

                                                Your Answer

                                                StackExchange.ifUsing(“editor”, function () {
                                                return StackExchange.using(“mathjaxEditing”, function () {
                                                StackExchange.MarkdownEditor.creationCallbacks.add(function (editor, postfix) {
                                                StackExchange.mathjaxEditing.prepareWmdForMathJax(editor, postfix, [[“\$”, “\$”]]);
                                                });
                                                });
                                                }, “mathjax-editing”);

                                                StackExchange.ready(function() {
                                                var channelOptions = {
                                                tags: “”.split(” “),
                                                id: “122”
                                                };
                                                initTagRenderer(“”.split(” “), “”.split(” “), channelOptions);

                                                StackExchange.using(“externalEditor”, function() {
                                                // Have to fire editor after snippets, if snippets enabled
                                                if (StackExchange.settings.snippets.snippetsEnabled) {
                                                StackExchange.using(“snippets”, function() {
                                                createEditor();
                                                });
                                                }
                                                else {
                                                createEditor();
                                                }
                                                });

                                                function createEditor() {
                                                StackExchange.prepareEditor({
                                                heartbeatType: ‘answer’,
                                                convertImagesToLinks: false,
                                                noModals: true,
                                                showLowRepImageUploadWarning: true,
                                                reputationToPostImages: null,
                                                bindNavPrevention: true,
                                                postfix: “”,
                                                imageUploader: {
                                                brandingHtml: “Powered by u003ca class=”icon-imgur-white” href=”https://imgur.com/”u003eu003c/au003e”,
                                                contentPolicyHtml: “User contributions licensed under u003ca href=”https://creativecommons.org/licenses/by-sa/3.0/”u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href=”https://stackoverflow.com/legal/content-policy”u003e(content policy)u003c/au003e”,
                                                allowUrls: true
                                                },
                                                noCode: true, onDemand: true,
                                                discardSelector: “.discard-answer”
                                                ,immediatelyShowMarkdownHelp:true
                                                });

                                                }
                                                });

                                                Eternallord66 is a new contributor. Be nice, and check out our Code of Conduct.

                                                 
                                                draft saved
                                                draft discarded

                                                StackExchange.ready(
                                                function () {
                                                StackExchange.openid.initPostLogin(‘.new-post-login’, ‘https%3a%2f%2frpg.stackexchange.com%2fquestions%2f134700%2fdoes-the-brute-fighters-extra-damage-die-get-added-to-the-monks-martial-arts-a%23new-answer’, ‘question_page’);
                                                }
                                                );

                                                Post as a guest

                                                2 Answers
                                                2

                                                active

                                                oldest

                                                votes

                                                2 Answers
                                                2

                                                active

                                                oldest

                                                votes

                                                active

                                                oldest

                                                votes

                                                active

                                                oldest

                                                votes

                                                up vote
                                                9
                                                down vote

                                                Not with unarmed strikes

                                                As of the first Player’s Handbook errata unarmed strikes no longer count as weapons.

                                                Instead of using a weapon to make a melee weapon attack, you can use an un-armed [sic] strike: a punch, kick, head-butt, or similar forceful blow (none of which count as weapons).

                                                The Brute Damage requires a weapon:

                                                Whenever you hit with a weapon that you’re proficient with and deal damage, the weapon’s damage increases

                                                This means that Flurry of Blows can not use Brute Damage as it only uses unarmed strikes (emphasis mine):

                                                Immediately after you take the Attack action on your turn, you can spend 1 ki point to make two unarmed strikes as a bonus action.

                                                You could use a Monk Weapon with Martial Arts

                                                Martial Arts affects certain weapons in addition to unarmed strikes (emphasis mine):

                                                • You can use Dexterity instead of Strength for the attack and damage rolls of your unarmed strikes and monk weapons.

                                                • You can roll a d4 in place of the normal damage of your unarmed strike or monk weapon.

                                                If using a monk weapon, the Brute Damage would apply.

                                                share|improve this answer

                                                • 1

                                                  Since the question specifically calls it out, you should mention that “Flurry of Blows” does NOT use monk weapons, only unarmed strikes so those would not stack. “Immediately after you take the Attack action on your turn, you can spend 1 ki point to make two unarmed strikes as a bonus action.”
                                                  – MivaScott
                                                  5 hours ago

                                                • @MivaScott added. Thanks
                                                  – David Coffron
                                                  5 hours ago

                                                up vote
                                                9
                                                down vote

                                                Not with unarmed strikes

                                                As of the first Player’s Handbook errata unarmed strikes no longer count as weapons.

                                                Instead of using a weapon to make a melee weapon attack, you can use an un-armed [sic] strike: a punch, kick, head-butt, or similar forceful blow (none of which count as weapons).

                                                The Brute Damage requires a weapon:

                                                Whenever you hit with a weapon that you’re proficient with and deal damage, the weapon’s damage increases

                                                This means that Flurry of Blows can not use Brute Damage as it only uses unarmed strikes (emphasis mine):

                                                Immediately after you take the Attack action on your turn, you can spend 1 ki point to make two unarmed strikes as a bonus action.

                                                You could use a Monk Weapon with Martial Arts

                                                Martial Arts affects certain weapons in addition to unarmed strikes (emphasis mine):

                                                • You can use Dexterity instead of Strength for the attack and damage rolls of your unarmed strikes and monk weapons.

                                                • You can roll a d4 in place of the normal damage of your unarmed strike or monk weapon.

                                                If using a monk weapon, the Brute Damage would apply.

                                                share|improve this answer

                                                • 1

                                                  Since the question specifically calls it out, you should mention that “Flurry of Blows” does NOT use monk weapons, only unarmed strikes so those would not stack. “Immediately after you take the Attack action on your turn, you can spend 1 ki point to make two unarmed strikes as a bonus action.”
                                                  – MivaScott
                                                  5 hours ago

                                                • @MivaScott added. Thanks
                                                  – David Coffron
                                                  5 hours ago


                                                edited 4 hours ago

                                                answered 6 hours ago

                                                David Coffron

                                                30k2103204


                                                up vote
                                                5
                                                down vote

                                                The Brute’s Damage is not added to unarmed strikes

                                                The Brute archetype says:

                                                Brute Force

                                                Starting at 3rd level, you’re able to strike with your weapons with especially brutal force. Whenever you hit with a weapon that you’re proficient with and deal damage, the weapon’s damage increases by an amount based on your level in this class, as shown on the Brute Bonus Damage table.

                                                Even though unarmed strike is considered a weapon attack, it is not considered a weapon, so the extra damage from Brute Force would not be added to it as it specifically says “hit with a weapon” rather than “make a melee weapon attack” like most features do, although it would of course still be added to any weapon attacks you make with a weapon.

                                                share|improve this answer


                                                    answered 6 hours ago

                                                    NathanS

                                                    18.3k675194


                                                        Can Certificate be validated locally


                                                        up vote
                                                        2
                                                        down vote

                                                        favorite

                                                        When I establish TLS/SSL with some server, it sends me the certificate in the process. The certificate is signed by a certificate authority.

                                                        In my PC/browser I have a list of trusted certificate authorities.

                                                        Do I send the certificate to the authority, or do I validate it locally (checking the certificate’s signature using data stored within the certificate authority list)?

                                                        (note: if needed take the browser for the example TLS/SSL client)


                                                            tls certificates certificate-authority


                                                            asked 3 hours ago

                                                            croraf

                                                            1165


                                                                2 Answers

                                                                up vote
                                                                3
                                                                down vote

                                                                Certificates are validated locally. However, the client may contact the CA repository if some pieces of information are missing. For example, if an intermediate CA certificate is missing from the local store and the web server didn’t return it during the handshake, the client may download the missing certificate from the CA repository. Additionally, the client can check certificate revocation by contacting the CA via OCSP or by downloading a CRL from the CA repository when no up-to-date revocation information is stored in the local cache.

                                                                Signature and chain validations are always performed locally.

                                                                share|improve this answer

                                                                • 1

                                                                  +1 TL;DR: certs are validated locally, but if you want up-to-date information on whether the cert has been revoked then the client needs to contact the CA.
                                                                  – Mike Ounsworth
                                                                  2 hours ago

                                                                • I mentioned that client contacts CA-managed OCSP/CRL servers.
                                                                  – Crypt32
                                                                  2 hours ago

                                                                • Yup! Hence why it’s a “+1 TL;DR”, not a correction.
                                                                  – Mike Ounsworth
                                                                  2 hours ago

                                                                up vote
                                                                1
                                                                down vote

                                                                Does checking the certificate chain require connecting to external servers?

                                                                Not necessarily. If the chain is complete from a trusted CA to the leaf certificate (the site’s certificate), then no requests are needed. Each cert is either trusted, or signed by a cert higher in the chain. For example.com this would look like this:

                                                                • Root CA (trusted as it is installed in the browser)
                                                                  • Intermediate A (trusted as it is signed by Root CA)
                                                                    • Intermediate B (trusted as it is signed by Intermediate A)
                                                                      • Site cert (trusted as it is signed by Intermediate B)

                                                                Does checking expiry require connecting to external sources?

                                                                Using a CRL or normal OCSP requires making an external request to check if the certificate has been invalidated since being issued. This can be a privacy issue, as it allows a third party (the one running the OCSP responder) to track users.

                                                                To work around this issue, OCSP stapling can be used, where the server requests the OCSP response and returns it while it is valid to clients, before having to get a fresh response, preventing stale responses being used forever.

                                                                What happens when the chain is incomplete?

                                                                If the chain is incomplete then an AIA extension can be used to point to the issuer of a certificate, allowing the client to repair the gap in the chain, but client support for this is not ensured, so it is better to present a full chain when possible.

                                                                share|improve this answer
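
The local validation both answers describe, as an added example that is not code from either answer: the chain Root CA → Intermediate A → Intermediate B → site cert is walked and every signature checked with no network call, and the result lists the only lookups that would need one (a missing issuer, or revocation status). The `Cert` record, the textbook-RSA keys built from Mersenne primes and all names and dates are constructed for illustration; real clients parse X.509 and verify padded signatures.

```python
import hashlib
from dataclasses import dataclass

E = 65537  # public exponent shared by every toy key


def toy_keypair(a, b):
    """Textbook RSA from the Mersenne primes 2**a-1 and 2**b-1. Toy only, not secure."""
    p, q = 2**a - 1, 2**b - 1
    return p * q, pow(E, -1, (p - 1) * (q - 1))  # (public modulus n, private d)


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    pub_n: int        # subject's public modulus
    not_before: int   # validity window, in arbitrary constructed time units
    not_after: int
    signature: int = 0

    def tbs_digest(self):
        """SHA-256 over the signed fields (everything except the signature)."""
        tbs = f"{self.subject}|{self.issuer}|{self.pub_n:x}|{self.not_before}|{self.not_after}"
        return int.from_bytes(hashlib.sha256(tbs.encode()).digest(), "big")


def issue(subject, issuer, pub_n, issuer_n, issuer_d, not_before=0, not_after=100):
    """The issuer signs the digest of the subject's fields with its private key."""
    unsigned = Cert(subject, issuer, pub_n, not_before, not_after)
    return Cert(subject, issuer, pub_n, not_before, not_after,
                pow(unsigned.tbs_digest(), issuer_d, issuer_n))


def signed_by(cert, issuer_cert):
    """Purely local check: needs only the issuer's public key."""
    return pow(cert.signature, E, issuer_cert.pub_n) == cert.tbs_digest()


def validate(leaf, presented, trust_store, now, fresh_revocation_info=False):
    """Walk leaf -> trust anchor using only local data.

    Returns (status, path, network_needed). network_needed names the lookups a
    client would have to make online; the walk itself never makes any.
    """
    pool = {c.subject: c for c in presented}
    path, current = [], leaf
    for _ in range(len(presented) + 1):          # bounded walk, so no cycles
        path.append(current.subject)
        if not current.not_before <= now <= current.not_after:
            return "expired", path, []
        issuer = trust_store.get(current.issuer) or pool.get(current.issuer)
        if issuer is None:                       # gap in the chain
            return "incomplete-chain", path, [f"AIA fetch of issuer '{current.issuer}'"]
        if not signed_by(current, issuer):
            return "bad-signature", path, []
        if current.issuer in trust_store:        # anchor is trusted because it is installed
            path.append(issuer.subject)
            needs = [] if fresh_revocation_info else [f"OCSP/CRL lookup for '{leaf.subject}'"]
            return "valid", path, needs
        current = issuer
    return "incomplete-chain", path, []


# Constructed sample chain matching the example.com chain in the answer.
ROOT_N, ROOT_D = toy_keypair(521, 607)
A_N, A_D = toy_keypair(1279, 2203)
B_N, B_D = toy_keypair(2281, 3217)
SITE_N, _ = toy_keypair(89, 107)

ROOT = issue("Root CA", "Root CA", ROOT_N, ROOT_N, ROOT_D)       # self-signed
INT_A = issue("Intermediate A", "Root CA", A_N, ROOT_N, ROOT_D)
INT_B = issue("Intermediate B", "Intermediate A", B_N, A_N, A_D)
SITE = issue("example.com", "Intermediate B", SITE_N, B_N, B_D)
TRUST_STORE = {ROOT.subject: ROOT}   # what the browser or OS ships with

if __name__ == "__main__":
    # Full chain sent by the server, stapled OCSP response available.
    print(validate(SITE, [INT_B, INT_A], TRUST_STORE, now=50, fresh_revocation_info=True))
    # Server omitted Intermediate A: the chain cannot be completed locally.
    print(validate(SITE, [INT_B], TRUST_STORE, now=50))
    # Full chain but no cached or stapled revocation data.
    print(validate(SITE, [INT_B, INT_A], TRUST_STORE, now=50))
```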

                                                                  Your Answer

                                                                  StackExchange.ready(function() {
                                                                  var channelOptions = {
                                                                  tags: “”.split(” “),
                                                                  id: “162”
                                                                  };
                                                                  initTagRenderer(“”.split(” “), “”.split(” “), channelOptions);

                                                                  StackExchange.using(“externalEditor”, function() {
                                                                  // Have to fire editor after snippets, if snippets enabled
                                                                  if (StackExchange.settings.snippets.snippetsEnabled) {
                                                                  StackExchange.using(“snippets”, function() {
                                                                  createEditor();
                                                                  });
                                                                  }
                                                                  else {
                                                                  createEditor();
                                                                  }
                                                                  });

                                                                  function createEditor() {
                                                                  StackExchange.prepareEditor({
                                                                  heartbeatType: ‘answer’,
                                                                  convertImagesToLinks: false,
                                                                  noModals: true,
                                                                  showLowRepImageUploadWarning: true,
                                                                  reputationToPostImages: null,
                                                                  bindNavPrevention: true,
                                                                  postfix: “”,
                                                                  imageUploader: {
                                                                  brandingHtml: “Powered by u003ca class=”icon-imgur-white” href=”https://imgur.com/”u003eu003c/au003e”,
                                                                  contentPolicyHtml: “User contributions licensed under u003ca href=”https://creativecommons.org/licenses/by-sa/3.0/”u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href=”https://stackoverflow.com/legal/content-policy”u003e(content policy)u003c/au003e”,
                                                                  allowUrls: true
                                                                  },
                                                                  noCode: true, onDemand: true,
                                                                  discardSelector: “.discard-answer”
                                                                  ,immediatelyShowMarkdownHelp:true
                                                                  });

                                                                  }
                                                                  });

                                                                   
                                                                  draft saved
                                                                  draft discarded

                                                                  StackExchange.ready(
                                                                  function () {
                                                                  StackExchange.openid.initPostLogin(‘.new-post-login’, ‘https%3a%2f%2fsecurity.stackexchange.com%2fquestions%2f196792%2fcan-certificate-be-validated-locally%23new-answer’, ‘question_page’);
                                                                  }
                                                                  );

                                                                  Post as a guest

                                                                  2 Answers
                                                                  2

                                                                  active

                                                                  oldest

                                                                  votes

                                                                  2 Answers
                                                                  2

                                                                  active

                                                                  oldest

                                                                  votes

                                                                  active

                                                                  oldest

                                                                  votes

                                                                  active

                                                                  oldest

                                                                  votes

                                                                  up vote
                                                                  3
                                                                  down vote

                                                                  Certificates are validated locally. However, the client may contact the CA repository if some pieces of information are missing. For example, if an intermediate CA certificate is missing from the local store and the web server didn’t return it during the handshake, the client may download the missing certificate from the CA repository. Additionally, the client can check certificate revocation by contacting the CA via OCSP or by downloding a CRL from the CA repository when no up-to-date revocation information is stored in the local cache.

                                                                  Signature and chain validations are always performed locally.

                                                                  share|improve this answer

                                                                  • 1

                                                                    +1 TL;DR: certs are validated locally, but if you want up-to-date information on whether the cert has been revoked then the client needs to contact the CA.
                                                                    – Mike Ounsworth
                                                                    2 hours ago

                                                                  • I mentioned that client contacts CA-managed OCSP/CRL servers.
                                                                    – Crypt32
                                                                    2 hours ago

                                                                  • Yup! Hence why it’s a “+1 TL;DR”, not a correction.
                                                                    – Mike Ounsworth
                                                                    2 hours ago

                                                                  edited 2 hours ago

                                                                  Οurous

                                                                  answered 2 hours ago

                                                                  Crypt32

                                                                  up vote
                                                                  1
                                                                  down vote

                                                                  Does checking the certificate chain require connecting to external servers?

                                                                  Not necessarily, if the chain is complete from a trusted CA to the leaf certificate (the site’s certificate) then no requests are needed. Each cert is either trusted, or signed by a cert higher in the chain. For example.com this would look like this:

                                                                  • Root CA (trusted as it is installed in the browser)
                                                                    • Intermediate A (trusted as it is signed by Root CA)
                                                                      • Intermediate B (trusted as it is signed by Intermediate A)
                                                                        • Site cert (trusted as it is signed by Intermediate B)

                                                                  Does checking expiry require connecting to external sources?

                                                                  Using a CRL or normal OCSP requires making an external request to check if the certificate has been invalidated since being issued. This can be a privacy issue as it allows a third party (the one running the OCSP responder) to track users.

                                                                  To work around this issue, OCSP stapling can be used, where the server requests the OCSP response and returns it while it is valid to clients, before having to get a fresh response, preventing stale responses being used forever.

                                                                  What happens when the chain is incomplete?

                                                                  If the chain is incomplete then an AIA extension can be used to point to the issuer of a certificate, allowing the client to repair the gap in the chain, but client support for this is not ensured, so it is better to present a full chain when possible.

                                                                      answered 2 hours ago

                                                                      jrtapsell
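
The behaviour both answers above describe, as an added example that is not part of either answer: Go's `crypto/x509` verifier, when given an explicit root pool, makes no network requests, so it shows which checks are purely local and which would need the CA. The certificate names, the `ca.example` URLs and the helpers `issue`, `verifyOffline` and `demo` are constructed for this illustration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// issue creates a certificate for cn signed by parent (self-signed if parent is nil).
// Every name and URL in this file is a constructed sample value.
func issue(cn string, serial int64, isCA bool, parent *x509.Certificate,
	parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true,
		IsCA:                  isCA,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	if !isCA {
		tmpl.KeyUsage = x509.KeyUsageDigitalSignature
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
		tmpl.DNSNames = []string{cn}
		// AIA extension: where a client could download the issuer certificate
		// and where it could ask for revocation status (both need the network).
		tmpl.IssuingCertificateURL = []string{"http://ca.example/intermediate-b.cer"}
		tmpl.OCSPServer = []string{"http://ocsp.ca.example"}
	}
	signer, signerKey := tmpl, key // root: self-signed
	if parent != nil {
		signer, signerKey = parent, parentKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// verifyOffline validates leaf against the trusted root using only the
// intermediates in sent, i.e. what the server returned during the handshake.
func verifyOffline(leaf, root *x509.Certificate, sent []*x509.Certificate) ([][]*x509.Certificate, error) {
	roots := x509.NewCertPool()
	roots.AddCert(root)
	inter := x509.NewCertPool()
	for _, c := range sent {
		inter.AddCert(c)
	}
	return leaf.Verify(x509.VerifyOptions{DNSName: "example.com", Roots: roots, Intermediates: inter})
}

type result struct {
	FullChainLen              int  // certificates in the validated path
	MissingIsUnknownAuthority bool // verdict when Intermediate B is not sent
	IssuerURLs, OCSPURLs      []string
}

// demo builds Root CA -> Intermediate A -> Intermediate B -> example.com and validates it twice.
func demo() (result, error) {
	names := []string{"Root CA", "Intermediate A", "Intermediate B", "example.com"}
	certs := make([]*x509.Certificate, len(names))
	var parent *x509.Certificate
	var parentKey *ecdsa.PrivateKey
	for i, cn := range names {
		c, k, err := issue(cn, int64(i+1), i < 3, parent, parentKey)
		if err != nil {
			return result{}, err
		}
		certs[i], parent, parentKey = c, c, k
	}
	root, ia, ib, leaf := certs[0], certs[1], certs[2], certs[3]
	chains, err := verifyOffline(leaf, root, []*x509.Certificate{ia, ib})
	if err != nil {
		return result{}, err
	}
	_, missErr := verifyOffline(leaf, root, []*x509.Certificate{ia}) // gap in the chain
	var ua x509.UnknownAuthorityError
	return result{len(chains[0]), errors.As(missErr, &ua), leaf.IssuingCertificateURL, leaf.OCSPServer}, nil
}

func main() {
	r, err := demo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("full chain: %d certs validated locally\nIntermediate B withheld, unknown authority: %v\nissuer at %v, revocation status at %v\n",
		r.FullChainLen, r.MissingIsUnknownAuthority, r.IssuerURLs, r.OCSPURLs)
}
```

With the full chain the signatures and path validate without any request; with Intermediate B withheld this verifier reports an unknown authority rather than following the AIA URL, and it never contacts the OCSP URL, so revocation stays unchecked unless the caller does it separately.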

                                                                          port forwarding to application in network namespace with vpn

                                                                          up vote
                                                                          12
                                                                          down vote

                                                                          favorite

                                                                          4

                                                                          I was able to set up a network namespace, establish a tunnel with openvpn and start an application that uses this tunnel inside the namespace. So far so good, but this application can be accessed via a web interface and I can’t figure out how to route requests to the web interface inside my LAN.

                                                                          I followed a guide from @schnouki explaining how to set up a network namespace and run OpenVPN inside of it

                                                                          ip netns add myvpn
                                                                          ip netns exec myvpn ip addr add 127.0.0.1/8 dev lo
                                                                          ip netns exec myvpn ip link set lo up
                                                                          ip link add vpn0 type veth peer name vpn1
                                                                          ip link set vpn0 up
                                                                          ip link set vpn1 netns myvpn up
                                                                          ip addr add 10.200.200.1/24 dev vpn0
                                                                          ip netns exec myvpn ip addr add 10.200.200.2/24 dev vpn1
                                                                          ip netns exec myvpn ip route add default via 10.200.200.1 dev vpn1
                                                                          iptables -A INPUT ! -i vpn0 -s 10.200.200.0/24 -j DROP
                                                                          iptables -t nat -A POSTROUTING -s 10.200.200.0/24 -o en+ -j MASQUERADE
                                                                          sysctl -q net.ipv4.ip_forward=1
                                                                          mkdir -p /etc/netns/myvpn
                                                                          echo 'nameserver 8.8.8.8' > /etc/netns/myvpn/resolv.conf
                                                                          

                                                                          After that, I can check my external ip and get different results inside and outside of the namespace, just as intended:

                                                                          curl -s ipv4.icanhazip.com
                                                                          <my-isp-ip>
                                                                          ip netns exec myvpn curl -s ipv4.icanhazip.com
                                                                          <my-vpn-ip>
                                                                          

                                                                          The application is started, I’m using deluge for this example. I tried several applications with a web interface to make sure it’s not a deluge specific problem.

                                                                          ip netns exec myvpn sudo -u <my-user> /usr/bin/deluged
                                                                          ip netns exec myvpn sudo -u <my-user> /usr/bin/deluge-web -f
                                                                          ps $(ip netns pids myvpn)
                                                                           PID TTY      STAT   TIME COMMAND
                                                                          1468 ?        Ss     0:13 openvpn --config /etc/openvpn/myvpn/myvpn.conf
                                                                          9302 ?        Sl    10:10 /usr/bin/python /usr/bin/deluged
                                                                          9707 ?        S      0:37 /usr/bin/python /usr/bin/deluge-web -f
                                                                          

                                                                          I’m able to access the web interface on port 8112 from within the namespace and from outside if I specify the ip of veth vpn1.

                                                                          ip netns exec myvpn curl -Is localhost:8112 | head -1
                                                                          HTTP/1.1 200 OK
                                                                          ip netns exec myvpn curl -Is 10.200.200.2:8112 | head -1
                                                                          HTTP/1.1 200 OK
                                                                          curl -Is 10.200.200.2:8112 | head -1
                                                                          HTTP/1.1 200 OK
                                                                          

                                                                          But I do want to redirect port 8112 from my server to the application in the namespace. The goal is to open a browser on a computer inside my LAN and get the web interface with http://my-server-ip:8112 (my-server-ip being the static ip of the server that instantiated the network interface)

                                                                          EDIT: I removed my attempts to create iptables rules. What I’m trying to do is explained above and the following commands should output a HTTP 200:

                                                                          curl -I localhost:8112
                                                                          curl: (7) Failed to connect to localhost port 8112: Connection refused
                                                                          curl -I <my-server-ip>:8112
                                                                          curl: (7) Failed to connect to <my-server-ip> port 8112: Connection refused
                                                                          

                                                                          I tried DNAT and SNAT rules and threw in a MASQUERADE for good measure, but since I don’t know what I’m doing, my attempts are futile. Perhaps someone can help me put together this construct.

                                                                          EDIT: The tcpdump output of tcpdump -nn -q tcp port 8112. Unsurprisingly, the first command returns a HTTP 200 and the second command terminates with a refused connection.

                                                                          curl -Is 10.200.200.2:8112 | head -1
                                                                          listening on vpn0, link-type EN10MB (Ethernet), capture size 262144 bytes
                                                                          IP 10.200.200.1.36208 > 10.200.200.2.8112: tcp 82
                                                                          IP 10.200.200.2.8112 > 10.200.200.1.36208: tcp 145
                                                                          
                                                                          curl -Is <my-server-ip>:8112 | head -1
                                                                          listening on lo, link-type EN10MB (Ethernet), capture size 262144 bytes
                                                                          IP <my-server-ip>.58228 > <my-server-ip>.8112: tcp 0
                                                                          IP <my-server-ip>.8112 > <my-server-ip>.58228: tcp 0
                                                                          

                                                                          EDIT: @schnouki himself pointed me to a Debian Administration article explaining a generic iptables TCP proxy. Applied to the problem at hand, their script would look like this:

                                                                          YourIP=<my-server-ip>
                                                                          YourPort=8112
                                                                          TargetIP=10.200.200.2
                                                                          TargetPort=8112
                                                                          
                                                                          iptables -t nat -A PREROUTING --dst $YourIP -p tcp --dport $YourPort -j DNAT \
                                                                          --to-destination $TargetIP:$TargetPort
                                                                          iptables -t nat -A POSTROUTING -p tcp --dst $TargetIP --dport $TargetPort -j SNAT \
                                                                          --to-source $YourIP
                                                                          iptables -t nat -A OUTPUT --dst $YourIP -p tcp --dport $YourPort -j DNAT \
                                                                          --to-destination $TargetIP:$TargetPort
                                                                          

                                                                          Unfortunately, traffic between the veth interfaces seized and nothing else happened. However, @schnouki also suggested the use of socat as a TCP proxy and this is working perfectly.

                                                                          curl -Is <my-server-ip>:8112 | head -1
                                                                          IP 10.200.200.1.43384 > 10.200.200.2.8112: tcp 913
                                                                          IP 10.200.200.2.8112 > 10.200.200.1.43384: tcp 1495
                                                                          

                                                                          I have yet to understand the strange port shuffling while traffic is traversing through the veth interfaces, but my problem is solved now.

                                                                          share|improve this question

                                                                          • Disclaimer: I have no experience with veth devices at all (find this very interesting, though… 😉 ). Have you used tcpdump for checking how far the incoming packets get? If tcpdump -i veth0 doesn’t show anything then tcpdumo -i lo may be necessary.
                                                                            – Hauke Laging
                                                                            Jan 25 ’16 at 23:04

                                                                          • I added the non-verbose output of tcpdump
                                                                            – pskiebe
                                                                            Jan 26 ’16 at 16:41

                                                                          up vote
                                                                          12
                                                                          down vote

                                                                          favorite

                                                                          4

                                                                          I was able to set up a network namespace, establish a tunnel with openvpn and start an application that uses this tunnel inside the namespace. So far so good, but this application can be accessed via a web interface and I can’t figure out how to route requests to the web interface inside my LAN.

                                                                          I followed a guide from @schnouki explaining how to set up a network namespace and run OpenVPN inside of it:

                                                                          ip netns add myvpn
                                                                          ip netns exec myvpn ip addr add 127.0.0.1/8 dev lo
                                                                          ip netns exec myvpn ip link set lo up
                                                                          ip link add vpn0 type veth peer name vpn1
                                                                          ip link set vpn0 up
                                                                          ip link set vpn1 netns myvpn up
                                                                          ip addr add 10.200.200.1/24 dev vpn0
                                                                          ip netns exec myvpn ip addr add 10.200.200.2/24 dev vpn1
                                                                          ip netns exec myvpn ip route add default via 10.200.200.1 dev vpn1
                                                                          iptables -A INPUT ! -i vpn0 -s 10.200.200.0/24 -j DROP
                                                                          iptables -t nat -A POSTROUTING -s 10.200.200.0/24 -o en+ -j MASQUERADE
                                                                          sysctl -q net.ipv4.ip_forward=1
                                                                          mkdir -p /etc/netns/myvpn
                                                                          echo 'nameserver 8.8.8.8' > /etc/netns/myvpn/resolv.conf
                                                                          

                                                                          After that, I can check my external ip and get different results inside and outside of the namespace, just as intended:

                                                                          curl -s ipv4.icanhazip.com
                                                                          <my-isp-ip>
                                                                          ip netns exec myvpn curl -s ipv4.icanhazip.com
                                                                          <my-vpn-ip>
                                                                          

                                                                          The application is started; I’m using deluge for this example. I tried several applications with a web interface to make sure it’s not a deluge-specific problem.

                                                                          ip netns exec myvpn sudo -u <my-user> /usr/bin/deluged
                                                                          ip netns exec myvpn sudo -u <my-user> /usr/bin/deluge-web -f
                                                                          ps $(ip netns pids myvpn)
                                                                           PID TTY      STAT   TIME COMMAND
                                                                          1468 ?        Ss     0:13 openvpn --config /etc/openvpn/myvpn/myvpn.conf
                                                                          9302 ?        Sl    10:10 /usr/bin/python /usr/bin/deluged
                                                                          9707 ?        S      0:37 /usr/bin/python /usr/bin/deluge-web -f
                                                                          

                                                                          I’m able to access the web interface on port 8112 from within the namespace and from outside if I specify the ip of veth vpn1.

                                                                          ip netns exec myvpn curl -Is localhost:8112 | head -1
                                                                          HTTP/1.1 200 OK
                                                                          ip netns exec myvpn curl -Is 10.200.200.2:8112 | head -1
                                                                          HTTP/1.1 200 OK
                                                                          curl -Is 10.200.200.2:8112 | head -1
                                                                          HTTP/1.1 200 OK
                                                                          

                                                                          But I do want to redirect port 8112 from my server to the application in the namespace. The goal is to open a browser on a computer inside my LAN and get the web interface with http://my-server-ip:8112 (my-server-ip being the static ip of the server that instantiated the network interface).

                                                                          EDIT: I removed my attempts to create iptables rules. What I’m trying to do is explained above and the following commands should output an HTTP 200:

                                                                          curl -I localhost:8112
                                                                          curl: (7) Failed to connect to localhost port 8112: Connection refused
                                                                          curl -I <my-server-ip>:8112
                                                                          curl: (7) Failed to connect to <my-server-ip> port 8112: Connection refused
                                                                          

                                                                          I tried DNAT and SNAT rules and threw in a MASQUERADE for good measure, but since I don’t know what I’m doing, my attempts are futile. Perhaps someone can help me put together this construct.

                                                                          EDIT: The tcpdump output of tcpdump -nn -q tcp port 8112. Unsurprisingly, the first command returns an HTTP 200 and the second command terminates with a refused connection.

                                                                          curl -Is 10.200.200.2:8112 | head -1
                                                                          listening on vpn0, link-type EN10MB (Ethernet), capture size 262144 bytes
                                                                          IP 10.200.200.1.36208 > 10.200.200.2.8112: tcp 82
                                                                          IP 10.200.200.2.8112 > 10.200.200.1.36208: tcp 145
                                                                          
                                                                          curl -Is <my-server-ip>:8112 | head -1
                                                                          listening on lo, link-type EN10MB (Ethernet), capture size 262144 bytes
                                                                          IP <my-server-ip>.58228 > <my-server-ip>.8112: tcp 0
                                                                          IP <my-server-ip>.8112 > <my-server-ip>.58228: tcp 0
                                                                          

                                                                          EDIT: @schnouki himself pointed me to a Debian Administration article explaining a generic iptables TCP proxy. Applied to the problem at hand, their script would look like this:

                                                                          YourIP=<my-server-ip>
                                                                          YourPort=8112
                                                                          TargetIP=10.200.200.2
                                                                          TargetPort=8112
                                                                          
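                                                                          # Incoming connections to YourIP:YourPort get their destination rewritten to the target
                                                                          iptables -t nat -A PREROUTING --dst $YourIP -p tcp --dport $YourPort -j DNAT \
                                                                              --to-destination $TargetIP:$TargetPort
                                                                          # Traffic heading to the target gets YourIP as its source address
                                                                          iptables -t nat -A POSTROUTING -p tcp --dst $TargetIP --dport $TargetPort -j SNAT \
                                                                              --to-source $YourIP
                                                                          # Same destination rewrite for connections generated on the host itself
                                                                          iptables -t nat -A OUTPUT --dst $YourIP -p tcp --dport $YourPort -j DNAT \
                                                                              --to-destination $TargetIP:$TargetPort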
                                                                          

                                                                          Unfortunately, traffic between the veth interfaces ceased and nothing else happened. However, @schnouki also suggested the use of socat as a TCP proxy and this is working perfectly.

                                                                          curl -Is <my-server-ip>:8112 | head -1
                                                                          IP 10.200.200.1.43384 > 10.200.200.2.8112: tcp 913
                                                                          IP 10.200.200.2.8112 > 10.200.200.1.43384: tcp 1495
                                                                          

                                                                          I have yet to understand the strange port shuffling while traffic is traversing through the veth interfaces, but my problem is solved now.


                                                                          • Disclaimer: I have no experience with veth devices at all (find this very interesting, though… 😉 ). Have you used tcpdump for checking how far the incoming packets get? If tcpdump -i veth0 doesn’t show anything then tcpdump -i lo may be necessary.
                                                                            – Hauke Laging
                                                                            Jan 25 ’16 at 23:04

                                                                          • I added the non-verbose output of tcpdump
                                                                            – pskiebe
                                                                            Jan 26 ’16 at 16:41
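
The question mentions socat as the working TCP proxy but does not show the command. The following is an added example, not part of the original post: a helper that builds a socat forwarder bound to one address and restricted to one source range, plus a summary of `tcpdump -nn -q` lines like the ones above. The address 192.0.2.10 (standing in for `<my-server-ip>`), the LAN range 192.168.1.0/24, the timestamps and the function names are assumptions.

```shell
#!/bin/sh
# Added example. Function names and sample addresses are hypothetical.

# Print a socat command that forwards LISTEN_IP:LISTEN_PORT on the host to
# TARGET_IP:TARGET_PORT inside the namespace.
#   bind=   listen on one address only instead of every interface
#   range=  accept clients from this source network only
#   fork    serve each client in a child process
proxy_cmd() {
    listen_ip=$1 listen_port=$2 target_ip=$3 target_port=$4 allow_cidr=$5
    for p in "$listen_port" "$target_port"; do
        case $p in
            ''|*[!0-9]*) echo "invalid port: $p" >&2; return 1 ;;
        esac
        if [ "$p" -lt 1 ] || [ "$p" -gt 65535 ]; then
            echo "invalid port: $p" >&2
            return 1
        fi
    done
    printf 'socat TCP4-LISTEN:%s,bind=%s,range=%s,reuseaddr,fork TCP4:%s:%s\n' \
        "$listen_port" "$listen_ip" "$allow_cidr" "$target_ip" "$target_port"
}

# Constructed sample input modelled on the captures in the question.
# 192.0.2.10 replaces <my-server-ip>; the timestamps are made up.
sample_capture() {
    cat <<'EOF'
listening on vpn0, link-type EN10MB (Ethernet), capture size 262144 bytes
IP 10.200.200.1.36208 > 10.200.200.2.8112: tcp 82
IP 10.200.200.2.8112 > 10.200.200.1.36208: tcp 145
IP 192.0.2.10.58228 > 192.0.2.10.8112: tcp 0
IP 192.0.2.10.8112 > 192.0.2.10.58228: tcp 0
12:00:00.000001 IP 10.200.200.1.43384 > 10.200.200.2.8112: tcp 913
12:00:00.000002 IP 10.200.200.2.8112 > 10.200.200.1.43384: tcp 1495
EOF
}

# Read `tcpdump -nn -q` lines on stdin and print one line per connection
# (both directions merged) with packet count, payload bytes and a verdict.
# Only zero-length segments means no application data was exchanged, which
# is what a refused connection looks like in this output format.
summarize_flows() {
    awk '
    {
        # A timestamp may precede the "IP" token, so search for it.
        for (i = 1; i <= NF; i++) if ($i == "IP") break
        if (i > NF || $(i + 2) != ">" || $(i + 4) != "tcp") next
        src = $(i + 1); dst = $(i + 3); sub(/:$/, "", dst)
        nbytes = $(i + 5) + 0
        # Order the endpoints so both directions share one key.
        if ((src "") < (dst "")) key = src " <-> " dst
        else                     key = dst " <-> " src
        if (!(key in pkts)) order[++n] = key
        pkts[key]++
        payload[key] += nbytes
    }
    END {
        for (j = 1; j <= n; j++) {
            k = order[j]
            printf "%s packets=%d payload=%d %s\n", k, pkts[k], payload[k],
                   (payload[k] > 0 ? "data" : "no-payload")
        }
    }'
}

# Typical use on the host (needs socat installed and root for tcpdump):
#   $(proxy_cmd 192.0.2.10 8112 10.200.200.2 8112 192.168.1.0/24) &
#   tcpdump -nn -q -i vpn0 tcp port 8112 | summarize_flows
```

Because socat terminates the client connection and opens its own connection to the target, the namespace sees the host's veth address 10.200.200.1 with a fresh ephemeral source port rather than the LAN client's address and port.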

                                                                          up vote
                                                                          12
                                                                          down vote

                                                                          favorite

                                                                          4

                                                                          up vote
                                                                          12
                                                                          down vote

                                                                          favorite

                                                                          4
                                                                          4

                                                                          I was able to set up a network namespace, establish a tunnel with openvpn and start an application that uses this tunnel inside the namespace. So far so good, but this application can be accessed via a web interface and I cant’t figure out how to route requests to the web interface inside my LAN.

                                                                          I followed a guide from @schnouki explaining how to set up a network namespace and run OpenVPN inside of it

                                                                          ip netns add myvpn
                                                                          ip netns exec myvpn ip addr add 127.0.0.1/8 dev lo
                                                                          ip netns exec myvpn ip link set lo up
                                                                          ip link add vpn0 type veth peer name vpn1
                                                                          ip link set vpn0 up
                                                                          ip link set vpn1 netns myvpn up
                                                                          ip addr add 10.200.200.1/24 dev vpn0
                                                                          ip netns exec myvpn ip addr add 10.200.200.2/24 dev vpn1
                                                                          ip netns exec myvpn ip route add default via 10.200.200.1 dev vpn1
                                                                          iptables -A INPUT ! -i vpn0 -s 10.200.200.0/24 -j DROP
                                                                          iptables -t nat -A POSTROUTING -s 10.200.200.0/24 -o en+ -j MASQUERADE
                                                                          sysctl -q net.ipv4.ip_forward=1
                                                                          mkdir -p /etc/netns/myvpn
                                                                          echo 'nameserver 8.8.8.8' > /etc/netns/myvpn/resolv.conf
                                                                          

                                                                          After that, I can check my external ip and get different results inside and outside of the namespace, just as intended:

                                                                          curl -s ipv4.icanhazip.com
                                                                          <my-isp-ip>
                                                                          ip netns exec myvpn curl -s ipv4.icanhazip.com
                                                                          <my-vpn-ip>
                                                                          

                                                                          The application is started, I’m using deluge for this example. I tried several applications with a web interface to make sure it’s not a deluge specific problem.

                                                                          ip netns exec myvpn sudo -u <my-user> /usr/bin/deluged
                                                                          ip netns exec myvpn sudo -u <my-user> /usr/bin/deluge-web -f
                                                                          ps $(ip netns pids myvpn)
                                                                           PID TTY      STAT   TIME COMMAND
                                                                          1468 ?        Ss     0:13 openvpn --config /etc/openvpn/myvpn/myvpn.conf
                                                                          9302 ?        Sl    10:10 /usr/bin/python /usr/bin/deluged
                                                                          9707 ?        S      0:37 /usr/bin/python /usr/bin/deluge-web -f
                                                                          

                                                                          I’m able to access the web interface on port 8112 from within the namespace and from outside if I specify the ip of veth vpn1.

                                                                          ip netns exec myvpn curl -Is localhost:8112 | head -1
                                                                          HTTP/1.1 200 OK
                                                                          ip netns exec myvpn curl -Is 10.200.200.2:8112 | head -1
                                                                          HTTP/1.1 200 OK
                                                                          curl -Is 10.200.200.2:8112 | head -1
                                                                          HTTP/1.1 200 OK
                                                                          

                                                                          But I do want to redirect port 8112 from my server to the application in the namespace. The goal is to open a browser on a computer inside my LAN and get the web interface with http://my-server-ip:8112 (my-server-ip being the static ip of the server that instantiated the network interface)

                                                                          EDIT: I removed my attempts to create iptables rules. What I’m trying to do is explained above and the following commands should output a HTTP 200:

                                                                          curl -I localhost:8112
                                                                          curl: (7) Failed to connect to localhost port 8112: Connection refused
                                                                          curl -I <my-server-ip>:8112
                                                                          curl: (7) Failed to connect to <my-server-ip> port 8112: Connection refused
                                                                          

                                                                          I tried DNAT and SNAT rules and threw in a MASQUERADE for good measure, but since I don’t know what I’m doing, my attempts are futile. Perhaps someone can help me put together this construct.

                                                                          EDIT: The tcpdump output of tcpdump -nn -q tcp port 8112. Unsurprisingly, the first command returns a HTTP 200 and the second command terminates with a refused connection.

                                                                          curl -Is 10.200.200.2:8112 | head -1
                                                                          listening on vpn0, link-type EN10MB (Ethernet), capture size 262144 bytes
                                                                          IP 10.200.200.1.36208 > 10.200.200.2.8112: tcp 82
                                                                          IP 10.200.200.2.8112 > 10.200.200.1.36208: tcp 145
                                                                          
                                                                          curl -Is <my-server-ip>:8112 | head -1
                                                                          listening on lo, link-type EN10MB (Ethernet), capture size 262144 bytes
                                                                          IP <my-server-ip>.58228 > <my-server-ip>.8112: tcp 0
                                                                          IP <my-server-ip>.8112 > <my-server-ip>.58228: tcp 0
                                                                          

                                                                          EDIT: @schnouki himself pointed me to a Debian Administration article explaining a generic iptables TCP proxy. Applied to the problem at hand, their script would look like this:

                                                                          YourIP=<my-server-ip>
                                                                          YourPort=8112
                                                                          TargetIP=10.200.200.2
                                                                          TargetPort=8112
                                                                          
                                                                          iptables -t nat -A PREROUTING --dst $YourIP -p tcp --dport $YourPort -j DNAT 
                                                                          --to-destination $TargetIP:$TargetPort
                                                                          iptables -t nat -A POSTROUTING -p tcp --dst $TargetIP --dport $TargetPort -j SNAT 
                                                                          --to-source $YourIP
                                                                          iptables -t nat -A OUTPUT --dst $YourIP -p tcp --dport $YourPort -j DNAT 
                                                                          --to-destination $TargetIP:$TargetPort
                                                                          

                                                                          Unfortunately, traffic between the veth interfaces seized and nothing else happened. However, @schnouki also suggested the use of socat as a TCP proxy and this is working perfectly.

                                                                          curl -Is <my-server-ip>:8112 | head -1
                                                                          IP 10.200.200.1.43384 > 10.200.200.2.8112: tcp 913
                                                                          IP 10.200.200.2.8112 > 10.200.200.1.43384: tcp 1495
                                                                          

                                                                          I have yet to understand the strange port shuffling while traffic is traversing through the veth interfaces, but my problem is solved now.

                                                                          share|improve this question

                                                                          I was able to set up a network namespace, establish a tunnel with openvpn and start an application that uses this tunnel inside the namespace. So far so good, but this application can be accessed via a web interface and I cant’t figure out how to route requests to the web interface inside my LAN.

                                                                          I followed a guide from @schnouki explaining how to set up a network namespace and run OpenVPN inside of it

                                                                          ip netns add myvpn
                                                                          ip netns exec myvpn ip addr add 127.0.0.1/8 dev lo
                                                                          ip netns exec myvpn ip link set lo up
                                                                          ip link add vpn0 type veth peer name vpn1
                                                                          ip link set vpn0 up
                                                                          ip link set vpn1 netns myvpn up
                                                                          ip addr add 10.200.200.1/24 dev vpn0
                                                                          ip netns exec myvpn ip addr add 10.200.200.2/24 dev vpn1
                                                                          ip netns exec myvpn ip route add default via 10.200.200.1 dev vpn1
                                                                          iptables -A INPUT ! -i vpn0 -s 10.200.200.0/24 -j DROP
                                                                          iptables -t nat -A POSTROUTING -s 10.200.200.0/24 -o en+ -j MASQUERADE
                                                                          sysctl -q net.ipv4.ip_forward=1
                                                                          mkdir -p /etc/netns/myvpn
                                                                          echo 'nameserver 8.8.8.8' > /etc/netns/myvpn/resolv.conf
                                                                          

                                                                          After that, I can check my external ip and get different results inside and outside of the namespace, just as intended:

                                                                          curl -s ipv4.icanhazip.com
                                                                          <my-isp-ip>
                                                                          ip netns exec myvpn curl -s ipv4.icanhazip.com
                                                                          <my-vpn-ip>
                                                                          

                                                                          The application is started, I’m using deluge for this example. I tried several applications with a web interface to make sure it’s not a deluge specific problem.

                                                                          ip netns exec myvpn sudo -u <my-user> /usr/bin/deluged
                                                                          ip netns exec myvpn sudo -u <my-user> /usr/bin/deluge-web -f
                                                                          ps $(ip netns pids myvpn)
                                                                           PID TTY      STAT   TIME COMMAND
                                                                          1468 ?        Ss     0:13 openvpn --config /etc/openvpn/myvpn/myvpn.conf
                                                                          9302 ?        Sl    10:10 /usr/bin/python /usr/bin/deluged
                                                                          9707 ?        S      0:37 /usr/bin/python /usr/bin/deluge-web -f
                                                                          

                                                                          I’m able to access the web interface on port 8112 from within the namespace and from outside if I specify the ip of veth vpn1.

                                                                          ip netns exec myvpn curl -Is localhost:8112 | head -1
                                                                          HTTP/1.1 200 OK
                                                                          ip netns exec myvpn curl -Is 10.200.200.2:8112 | head -1
                                                                          HTTP/1.1 200 OK
                                                                          curl -Is 10.200.200.2:8112 | head -1
                                                                          HTTP/1.1 200 OK
                                                                          

                                                                          But I do want to redirect port 8112 from my server to the application in the namespace. The goal is to open a browser on a computer inside my LAN and get the web interface with http://my-server-ip:8112 (my-server-ip being the static ip of the server that instantiated the network interface)

                                                                          EDIT: I removed my attempts to create iptables rules. What I’m trying to do is explained above and the following commands should output a HTTP 200:

                                                                          curl -I localhost:8112
                                                                          curl: (7) Failed to connect to localhost port 8112: Connection refused
                                                                          curl -I <my-server-ip>:8112
                                                                          curl: (7) Failed to connect to <my-server-ip> port 8112: Connection refused
                                                                          

                                                                          I tried DNAT and SNAT rules and threw in a MASQUERADE for good measure, but since I don’t know what I’m doing, my attempts are futile. Perhaps someone can help me put together this construct.

                                                                          EDIT: The tcpdump output of tcpdump -nn -q tcp port 8112. Unsurprisingly, the first command returns a HTTP 200 and the second command terminates with a refused connection.

                                                                          curl -Is 10.200.200.2:8112 | head -1
                                                                          listening on vpn0, link-type EN10MB (Ethernet), capture size 262144 bytes
                                                                          IP 10.200.200.1.36208 > 10.200.200.2.8112: tcp 82
                                                                          IP 10.200.200.2.8112 > 10.200.200.1.36208: tcp 145
                                                                          
                                                                          curl -Is <my-server-ip>:8112 | head -1
                                                                          listening on lo, link-type EN10MB (Ethernet), capture size 262144 bytes
                                                                          IP <my-server-ip>.58228 > <my-server-ip>.8112: tcp 0
                                                                          IP <my-server-ip>.8112 > <my-server-ip>.58228: tcp 0
                                                                          

                                                                          EDIT: @schnouki himself pointed me to a Debian Administration article explaining a generic iptables TCP proxy. Applied to the problem at hand, their script would look like this:

YourIP=<my-server-ip>
YourPort=8112
TargetIP=10.200.200.2
TargetPort=8112

iptables -t nat -A PREROUTING --dst $YourIP -p tcp --dport $YourPort -j DNAT \
    --to-destination $TargetIP:$TargetPort
iptables -t nat -A POSTROUTING -p tcp --dst $TargetIP --dport $TargetPort -j SNAT \
    --to-source $YourIP
iptables -t nat -A OUTPUT --dst $YourIP -p tcp --dport $YourPort -j DNAT \
    --to-destination $TargetIP:$TargetPort
                                                                          

Unfortunately, traffic between the veth interfaces ceased and nothing else happened. However, @schnouki also suggested the use of socat as a TCP proxy, and this is working perfectly.

                                                                          curl -Is <my-server-ip>:8112 | head -1
                                                                          IP 10.200.200.1.43384 > 10.200.200.2.8112: tcp 913
                                                                          IP 10.200.200.2.8112 > 10.200.200.1.43384: tcp 1495
                                                                          

                                                                          I have yet to understand the strange port shuffling while traffic is traversing through the veth interfaces, but my problem is solved now.

                                                                          iptables openvpn port-forwarding network-namespaces


                                                                          edited Feb 1 ’16 at 21:47

                                                                          asked Jan 25 ’16 at 12:17

                                                                          pskiebe


• Disclaimer: I have no experience with veth devices at all (find this very interesting, though… 😉 ). Have you used tcpdump for checking how far the incoming packets get? If tcpdump -i veth0 doesn’t show anything then tcpdump -i lo may be necessary.
                                                                            – Hauke Laging
                                                                            Jan 25 ’16 at 23:04

                                                                          • I added the non-verbose output of tcpdump
                                                                            – pskiebe
                                                                            Jan 26 ’16 at 16:41


                                                                          4 Answers

                                                                          up vote
                                                                          8
                                                                          down vote

                                                                          accepted

                                                                          I’ve always had issues with iptables redirections (probably my fault, I’m pretty sure it’s doable). But for a case like yours, it’s IMO easier to do it in user-land without iptables.

                                                                          Basically, you need to have a daemon in your “default” workspace listening on TCP port 8112 and redirecting all traffic to 10.200.200.2 port 8112. So it’s a simple TCP proxy.

                                                                          Here’s how to do it with socat:

                                                                          socat tcp-listen:8112,reuseaddr,fork tcp-connect:10.200.200.2:8112
                                                                          

(The fork option is needed to keep socat from stopping after the first proxied connection is closed.)

                                                                          EDIT: added reuseaddr as suggested in the comments.

                                                                          If you absolutely want to do it with iptables, there’s a guide on the Debian Administration site. But I still prefer socat for more advanced stuff — like proxying IPv4 to IPv6, or stripping SSL to allow old Java programs to connect to secure services…

Beware, however, that all connections in Deluge will be from your server IP instead of the real client IP. If you want to avoid that, you will need to use a real HTTP reverse proxy that adds the original client IP to the proxied request in an HTTP header.


                                                                          • 1

                                                                            You just made my day! I never came across socat and it accomplishes exactly what I was trying to do with iptables for quite some time now. I tested several applications and they are all working flawlessly, connecting to the outside world through tun0, while still providing access to their web interface through veth1.
                                                                            – pskiebe
                                                                            Feb 1 ’16 at 21:25

                                                                          • 1

                                                                            After doing some testing, I added the reuseaddr flag. This prevents port already in use errors when starting and stopping socat in rapid succession: socat -4 TCP-LISTEN:8112,reuseaddr,fork TCP:10.200.200.2:8112
                                                                            – pskiebe
                                                                            Feb 1 ’16 at 21:55
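
The caveat in the answer above, as an added example that is not part of the original answer: an HTTP-aware forwarder in Python that, unlike the plain socat relay, passes the connecting client's address on to the backend. The header name X-Forwarded-For, the wildcard listen address, the size cap and the one-request-per-connection behaviour are assumptions of this example; the page does not say which header Deluge's web UI reads.

```python
import asyncio

UPSTREAM = ("10.200.200.2", 8112)  # namespace-side address from the question
LISTEN = ("0.0.0.0", 8112)         # assumption: wildcard bind, like the socat command
MAX_HEAD = 64 * 1024               # assumption: cap on the size of a request head


def rewrite_head(head: bytes, peer_ip: str, trust_incoming: bool = False) -> bytes:
    """Return the request head with X-Forwarded-For set from the TCP peer address.

    A client-supplied X-Forwarded-For is dropped unless trust_incoming is set
    (the peer is another proxy you operate); otherwise any client could forge
    the address the backend logs. Connection: close forces one request per
    connection, so every request head passes through this function.
    """
    if not head.endswith(b"\r\n\r\n"):
        raise ValueError("incomplete request head")
    request_line, *headers = head[:-4].split(b"\r\n")
    kept, chain = [], []
    for line in headers:
        name, sep, value = line.partition(b":")
        # Reject folded or colon-less lines instead of guessing their meaning.
        if not sep or line[:1] in (b" ", b"\t"):
            raise ValueError("malformed header line")
        key = name.strip().lower()
        if key == b"x-forwarded-for":
            if trust_incoming:
                chain.append(value.strip())
            continue
        if key == b"connection":
            continue  # replaced below
        kept.append(line)
    chain.append(peer_ip.encode("ascii"))
    kept.append(b"X-Forwarded-For: " + b", ".join(chain))
    kept.append(b"Connection: close")
    return b"\r\n".join([request_line, *kept]) + b"\r\n\r\n"


async def pipe(reader, writer):
    """Copy bytes until EOF, then half-close the destination."""
    try:
        while chunk := await reader.read(65536):
            writer.write(chunk)
            await writer.drain()
        if writer.can_write_eof():
            writer.write_eof()
    except OSError:
        pass


async def handle(client_r, client_w):
    """Forward one HTTP request to UPSTREAM with the rewritten head."""
    peer_ip = client_w.get_extra_info("peername")[0]
    up_w = None
    try:
        head = await client_r.readuntil(b"\r\n\r\n")
        new_head = rewrite_head(head, peer_ip)
        up_r, up_w = await asyncio.open_connection(*UPSTREAM)
        up_w.write(new_head)
        to_upstream = asyncio.create_task(pipe(client_r, up_w))  # request body
        await pipe(up_r, client_w)  # ends when upstream closes after its response
        to_upstream.cancel()
    except (asyncio.IncompleteReadError, asyncio.LimitOverrunError, ValueError):
        client_w.write(b"HTTP/1.1 400 Bad Request\r\nConnection: close\r\n\r\n")
    except OSError:
        client_w.write(b"HTTP/1.1 502 Bad Gateway\r\nConnection: close\r\n\r\n")
    finally:
        for w in (up_w, client_w):
            if w is not None:
                w.close()


async def main():
    server = await asyncio.start_server(handle, *LISTEN, limit=MAX_HEAD)
    async with server:
        await server.serve_forever()


if __name__ == "__main__":
    asyncio.run(main())
```
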

                                                                          up vote
                                                                          5
                                                                          down vote

                                                                          Interconnecting network namespace with main namespace always bothers me.
                                                                          The reason I usually create a namespace is because I want it isolated.
                                                                          Depending on what it is you are trying to achieve with namespaces creating interconnects can defeat that purpose.

                                                                          But even isolated I still want to poke it over the network, for convenience.

                                                                          This solution lets you keep isolation and forward some connections to it anyway.
                                                                          You don’t need to create all that network between the two network namespaces just to forward one port.
                                                                          Run this in the namespace where you want to accept connections.
                                                                          Must be run as root for ip netns exec to work.

socat tcp-listen:8112,fork,reuseaddr \
  exec:'ip netns exec myvpn socat STDIO tcp-connect:127.0.0.1:8112',nofork
                                                                          

It listens for connections on port 8112 in the network namespace where you run it. For each connected client, exec runs ip netns exec myvpn ... to execute the rest inside the myvpn network namespace, and once inside that namespace, another socat creates the second connection.


                                                                            up vote
                                                                            2
                                                                            down vote

                                                                            For deluge here is my solution. No need for iptables. Here are the steps:

                                                                            1. Start your openvpn tunnel
                                                                            2. Create namespace and bring your openvpn tunnel there:
                                                                            ip netns add $NS
                                                                            # Wait for the TUN to come up
                                                                            while [[ $(ip route|grep $TUN|wc -l) == 0 ]]; do sleep 1; done
                                                                            MY_IP=$(ip addr show $TUN|grep inet|cut -d' ' -f6|cut -d'/' -f1)
                                                                            # The way you extract gateway IP might be different for your openvpn connection
                                                                            GATEWAY_IP=$MY_IP
                                                                            # jail my $TUN (VPN interface) into the namespace
                                                                            ip link set $TUN netns $NS
                                                                            # Bring the interface up with a subnet (equivalent to the one given to me by VPN server)
                                                                            ip netns exec $NS ifconfig $TUN $MY_IP/24 up
                                                                            # Bring loopback up
                                                                            ip netns exec $NS ifconfig lo 127.0.0.1/8 up
                                                                            # Set up remote gateway (your pointtopoint VPN IP address)
                                                                            ip netns exec $NS route add default gw $GATEWAY_IP
3. Establish veth connection between your default namespace and the one you’ve created:
                                                                            # Set up veth interfaces for communication between namespaces
                                                                            ip link add veth0 type veth peer name veth1
                                                                            # Move the second veth to your namespace
                                                                            ip link set veth1 netns $NS
                                                                            # give an IP from unused IP range to first veth
                                                                            ifconfig veth0 10.1.1.1/24 up
                                                                            # And the second one
                                                                            ip netns exec $NS ifconfig veth1 10.1.1.2/24 up
                                                                            # TODO: set up a bridge between veth1 and eth interface to let it communicate with LAN
                                                                            # Set up DNS client. ip netns will emulate /etc/resolv.conf using this file:
                                                                            mkdir -p /etc/netns/$NS
                                                                            echo "nameserver 8.8.4.4" >/etc/netns/$NS/resolv.conf
                                                                            
4. Run your deluged in the $NS and your deluge-web in your default namespace. Point deluge-web to the 10.1.1.2 veth IP address, where deluged will be listening for its connection.

                                                                            Voila! You’ve got deluged secured behind the VPN while your deluge-web is freely accessible on your home network


                                                                              up vote
                                                                              0
                                                                              down vote

                                                                              @AndrDevEK’s answer is useful. To expand upon that, you may not want to install socat. In which case you can achieve the same thing with a slightly convoluted SSH port-forward setup. In particular the feature of port-forwarding to/from a unix-domain socket is useful here, because unix-domain sockets operate independently of network namespaces:

                                                                              sudo ip netns exec myvpn su -c "ssh -N -L /tmp/myunixsock:localhost:8112 localhost" $USER &
                                                                              ssh_pid1=$!
                                                                              ssh -N -L localhost:8112:/tmp/myunixsock localhost &
                                                                              ssh_pid2=$!
                                                                              

                                                                              Cleanup:

                                                                              sudo kill $ssh_pid1
                                                                              kill $ssh_pid2
                                                                              rm /tmp/myunixsock
                                                                              

                                                                              The first ssh -N -L is started within the myvpn namespace. This creates a unix-domain socket /tmp/myunixsock and listens on it. Incoming connections are forwarded to localhost:8112 (inside the myvpn namespace).
                                                                              The second ssh -N -L is started in the default namespace. This creates a listening TCP port and forwards incoming connections to the unix-domain socket.

                                                                              It should be noted that in order for this to work, ssh inside your network namespace will need to be working if it is not already (and passwordless pubkey operation is helpful):

                                                                              sudo ip netns exec myvpn ip link set up dev lo
                                                                              sudo ip netns exec myvpn /usr/sbin/sshd -o PidFile=/run/sshd-myvpn.pid
                                                                              ssh-copy-id localhost
                                                                              

                                                                              share|improve this answer

                                                                                Your Answer

                                                                                StackExchange.ready(function() {
                                                                                var channelOptions = {
                                                                                tags: “”.split(” “),
                                                                                id: “106”
                                                                                };
                                                                                initTagRenderer(“”.split(” “), “”.split(” “), channelOptions);

                                                                                StackExchange.using(“externalEditor”, function() {
                                                                                // Have to fire editor after snippets, if snippets enabled
                                                                                if (StackExchange.settings.snippets.snippetsEnabled) {
                                                                                StackExchange.using(“snippets”, function() {
                                                                                createEditor();
                                                                                });
                                                                                }
                                                                                else {
                                                                                createEditor();
                                                                                }
                                                                                });

                                                                                function createEditor() {
                                                                                StackExchange.prepareEditor({
                                                                                heartbeatType: ‘answer’,
                                                                                convertImagesToLinks: false,
                                                                                noModals: true,
                                                                                showLowRepImageUploadWarning: true,
                                                                                reputationToPostImages: null,
                                                                                bindNavPrevention: true,
                                                                                postfix: “”,
                                                                                imageUploader: {
                                                                                brandingHtml: “Powered by u003ca class=”icon-imgur-white” href=”https://imgur.com/”u003eu003c/au003e”,
                                                                                contentPolicyHtml: “User contributions licensed under u003ca href=”https://creativecommons.org/licenses/by-sa/3.0/”u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href=”https://stackoverflow.com/legal/content-policy”u003e(content policy)u003c/au003e”,
                                                                                allowUrls: true
                                                                                },
                                                                                onDemand: true,
                                                                                discardSelector: “.discard-answer”
                                                                                ,immediatelyShowMarkdownHelp:true
                                                                                });

                                                                                }
                                                                                });

                                                                                 
                                                                                draft saved
                                                                                draft discarded

                                                                                StackExchange.ready(
                                                                                function () {
                                                                                StackExchange.openid.initPostLogin(‘.new-post-login’, ‘https%3a%2f%2funix.stackexchange.com%2fquestions%2f257510%2fport-forwarding-to-application-in-network-namespace-with-vpn%23new-answer’, ‘question_page’);
                                                                                }
                                                                                );

                                                                                Post as a guest

                                                                                4 Answers
                                                                                4

                                                                                active

                                                                                oldest

                                                                                votes

                                                                                4 Answers
                                                                                4

                                                                                active

                                                                                oldest

                                                                                votes

                                                                                active

                                                                                oldest

                                                                                votes

                                                                                active

                                                                                oldest

                                                                                votes

                                                                                up vote
                                                                                8
                                                                                down vote

                                                                                accepted

                                                                                I’ve always had issues with iptables redirections (probably my fault, I’m pretty sure it’s doable). But for a case like yours, it’s IMO easier to do it in user-land without iptables.

                                                                                Basically, you need to have a daemon in your “default” workspace listening on TCP port 8112 and redirecting all traffic to 10.200.200.2 port 8112. So it’s a simple TCP proxy.

                                                                                Here’s how to do it with socat:

                                                                                socat tcp-listen:8112,reuseaddr,fork tcp-connect:10.200.200.2:8112
                                                                                

                                                                                (The fork option is needed to avoid socat from stopping after the first proxied connection is closed).

                                                                                EDIT: added reuseaddr as suggested in the comments.

                                                                                If you absolutely want to do it with iptables, there’s a guide on the Debian Administration site. But I still prefer socat for more advanced stuff — like proxying IPv4 to IPv6, or stripping SSL to allow old Java programs to connect to secure services…

                                                                                Beware however that all connections in Deluge will be from your server IP instead of the real client IP. If you want to avoid that, you will need to use a real HTTP reverse proxy that adds the original client IP to the proxied request in a HTTP header.

                                                                                share|improve this answer

                                                                                • 1

                                                                                  You just made my day! I never came across socat and it accomplishes exactly what I was trying to do with iptables for quite some time now. I tested several applications and they are all working flawlessly, connecting to the outside world through tun0, while still providing access to their web interface through veth1.
                                                                                  – pskiebe
                                                                                  Feb 1 ’16 at 21:25

                                                                                • 1

                                                                                  After doing some testing, I added the reuseaddr flag. This prevents port already in use errors when starting and stopping socat in rapid succession: socat -4 TCP-LISTEN:8112,reuseaddr,fork TCP:10.200.200.2:8112
                                                                                  – pskiebe
                                                                                  Feb 1 ’16 at 21:55

                                                                                up vote
                                                                                8
                                                                                down vote

                                                                                accepted

I’ve always had issues with iptables redirections (probably my fault, I’m pretty sure it’s doable). But for a case like yours, it’s IMO easier to do it in user-land without iptables.

Basically, you need to have a daemon in your “default” workspace listening on TCP port 8112 and redirecting all traffic to 10.200.200.2 port 8112. So it’s a simple TCP proxy.

Here’s how to do it with socat:

    socat tcp-listen:8112,reuseaddr,fork tcp-connect:10.200.200.2:8112

(The fork option is needed to prevent socat from stopping after the first proxied connection is closed.)

EDIT: added reuseaddr as suggested in the comments.

If you absolutely want to do it with iptables, there’s a guide on the Debian Administration site. But I still prefer socat for more advanced stuff — like proxying IPv4 to IPv6, or stripping SSL to allow old Java programs to connect to secure services…

Beware, however, that all connections in Deluge will be from your server IP instead of the real client IP. If you want to avoid that, you will need to use a real HTTP reverse proxy that adds the original client IP to the proxied request in an HTTP header.

                                                                                • 1

                                                                                  You just made my day! I never came across socat and it accomplishes exactly what I was trying to do with iptables for quite some time now. I tested several applications and they are all working flawlessly, connecting to the outside world through tun0, while still providing access to their web interface through veth1.
                                                                                  – pskiebe
                                                                                  Feb 1 ’16 at 21:25

                                                                                • 1

                                                                                  After doing some testing, I added the reuseaddr flag. This prevents port already in use errors when starting and stopping socat in rapid succession: socat -4 TCP-LISTEN:8112,reuseaddr,fork TCP:10.200.200.2:8112
                                                                                  – pskiebe
                                                                                  Feb 1 ’16 at 21:55


                                                                                edited Mar 29 ’16 at 12:47

                                                                                answered Feb 1 ’16 at 0:26

                                                                                Schnouki

                                                                                1963


                                                                                up vote
                                                                                5
                                                                                down vote

Interconnecting a network namespace with the main namespace always bothers me.
The reason I usually create a namespace is because I want it isolated.
Depending on what it is you are trying to achieve with namespaces, creating interconnects can defeat that purpose.

But even isolated, I still want to poke it over the network, for convenience.

This solution lets you keep isolation and forward some connections to it anyway.
You don’t need to create all that network between the two network namespaces just to forward one port.
Run this in the namespace where you want to accept connections.
Must be run as root for ip netns exec to work.

    socat tcp-listen:8112,fork,reuseaddr \
      exec:'ip netns exec myvpn socat STDIO tcp-connect:127.0.0.1:8112',nofork

It listens for connections on port 8112 in the network namespace where you run it. When a client connects, exec runs ip netns exec myvpn ... to execute the rest inside the myvpn network namespace, and once inside the myvpn network namespace it creates a second connection with another socat.


                                                                                    edited Jul 26 ’16 at 16:50

                                                                                    answered Jul 26 ’16 at 16:08

                                                                                    AndrDevEK

                                                                                    17528
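Both socat listeners shown in the answers above omit bind=, so they accept connections on every address of the host, which matters when the point of the namespace is isolation. The check below is an added example, not part of either answer: it classifies the listeners on one port from `ss -Hltn` output. The sample socket lines and the 192.168.1.x addresses are constructed.

```shell
#!/bin/sh
# Added example, not from the answers.
#
# Live use:   ss -Hltn | listener_exposure 8112
# Exit status is 1 when any listener on the port is bound to a wildcard address.
#
# Narrowing the listener uses socat's bind= and range= options, e.g. with
# constructed LAN addresses:
#   socat tcp-listen:8112,bind=192.168.1.10,range=192.168.1.0/24,reuseaddr,fork \
#     tcp-connect:10.200.200.2:8112

listener_exposure() {
    awk -v port="$1" '
        {
            ep = $4                               # "Local Address:Port" column
            # IPv6 addresses are bracketed, so the last colon separates the port
            if (!match(ep, /:[0-9]+$/)) next
            addr = substr(ep, 1, RSTART - 1)
            if (substr(ep, RSTART + 1) != port) next

            if (index(addr, "%")) {
                class = "scoped"                  # bound to a single device
            } else if (addr == "0.0.0.0" || addr == "*" || addr == "[::]") {
                class = "wildcard"                # reachable on every address
            } else if (addr ~ /^127\./ || addr == "[::1]") {
                class = "loopback"
            } else {
                class = "scoped"                  # one specific address
            }

            if (class == "wildcard") wild = 1
            print class, addr
        }
        END { exit (wild ? 1 : 0) }
    '
}

# Constructed sample: socat started as in the answers, without bind=.
sample_unbound() {
    cat <<'EOF'
LISTEN 0      5            0.0.0.0:8112       0.0.0.0:*
LISTEN 0      128        127.0.0.1:631        0.0.0.0:*
LISTEN 0      128             [::]:22            [::]:*
EOF
}

# Constructed sample: the same host after adding bind=192.168.1.10.
sample_bound() {
    cat <<'EOF'
LISTEN 0      5       192.168.1.10:8112       0.0.0.0:*
LISTEN 0      128        127.0.0.1:631        0.0.0.0:*
LISTEN 0      128             [::]:22            [::]:*
EOF
}
```
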


                                                                                        up vote
                                                                                        2
                                                                                        down vote

For deluge here is my solution. No need for iptables. Here are the steps:

1. Start your openvpn tunnel
2. Create namespace and bring your openvpn tunnel there:

    # NS (namespace name) and TUN (VPN interface name) must already be set
    ip netns add $NS
    # Wait for the TUN to come up
    while [[ $(ip route|grep $TUN|wc -l) == 0 ]]; do sleep 1; done
    # -w keeps inet6 lines out of the match, so MY_IP holds a single IPv4 address
    MY_IP=$(ip addr show $TUN|grep -w inet|cut -d' ' -f6|cut -d'/' -f1)
    # The way you extract gateway IP might be different for your openvpn connection
    GATEWAY_IP=$MY_IP
    # jail my $TUN (VPN interface) into the namespace
    ip link set $TUN netns $NS
    # Bring the interface up with a subnet (equivalent to the one given to me by VPN server)
    ip netns exec $NS ifconfig $TUN $MY_IP/24 up
    # Bring loopback up
    ip netns exec $NS ifconfig lo 127.0.0.1/8 up
    # Set up remote gateway (your point-to-point VPN IP address)
    ip netns exec $NS route add default gw $GATEWAY_IP

3. Establish veth connection between your default namespace and the one you’ve created:

    # Set up veth interfaces for communication between namespaces
    ip link add veth0 type veth peer name veth1
    # Move the second veth to your namespace
    ip link set veth1 netns $NS
    # give an IP from unused IP range to first veth
    ifconfig veth0 10.1.1.1/24 up
    # And the second one
    ip netns exec $NS ifconfig veth1 10.1.1.2/24 up
    # TODO: set up a bridge between veth1 and eth interface to let it communicate with LAN
    # Set up DNS client. ip netns will emulate /etc/resolv.conf using this file:
    mkdir -p /etc/netns/$NS
    echo "nameserver 8.8.4.4" >/etc/netns/$NS/resolv.conf

4. Run your deluged in the $NS and your deluge-web in your default namespace. Point deluge-web to the 10.1.1.2 veth IP address, where deluged will be listening for its connection.

Voila! You’ve got deluged secured behind the VPN while your deluge-web is freely accessible on your home network.
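A check for the setup above, added here as an example and not part of the answer: it reads `ip -4 route show` output taken inside the namespace and reports any route that lets traffic leave through an interface other than the VPN device, which is what would undo the isolation if the veth link were later given a gateway. The tun0 and veth1 names and the 10.1.1.x addresses follow the answer; the sample routing tables and the 10.8.0.x and 192.168.1.x addresses are constructed, and IPv6 is not covered.

```shell
#!/bin/sh
# Added example, not from the answer.
#
# Live use (as root):   ip netns exec "$NS" ip -4 route show | audit_ns_routes "$TUN"
# Exit status is 1 when some route sends traffic out through a non-VPN interface
# via a gateway. Directly connected subnets (such as the veth /24) are allowed.

audit_ns_routes() {
    awk -v tun="$1" '
        {
            dev = ""; via = ""
            # pick the "dev X" and "via Y" attributes out of the route line
            for (i = 2; i < NF; i++) {
                if ($i == "dev") dev = $(i + 1)
                if ($i == "via") via = $(i + 1)
            }
            if (dev == tun) {
                if ($1 == "default") tun_default = 1
                next
            }
            if ($1 == "default") {
                print "LEAK default route leaves via " dev
                bad = 1
            } else if (via != "") {
                print "LEAK " $1 " is routed via gateway " via " on " dev
                bad = 1
            }
        }
        END {
            if (!tun_default) print "NOTE no default route on " tun " (no VPN egress)"
            exit (bad ? 1 : 0)
        }
    '
}

# Constructed sample: the routing table the steps above produce.
sample_routes_clean() {
    cat <<'EOF'
default via 10.8.0.2 dev tun0
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.2
10.1.1.0/24 dev veth1 proto kernel scope link src 10.1.1.2
EOF
}

# Constructed sample: a fallback default route was added over the veth link.
sample_routes_leaky() {
    cat <<'EOF'
default via 10.8.0.2 dev tun0
default via 10.1.1.1 dev veth1 metric 100
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.2
10.1.1.0/24 dev veth1 proto kernel scope link src 10.1.1.2
EOF
}
```
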

                                                                                        share|improve this answer

                                                                                          up vote
                                                                                          2
                                                                                          down vote

                                                                                          For deluge here is my solution. No need for iptables. Here are the steps:

                                                                                          1. Start your openvpn tunnel
                                                                                          2. Create namespace and bring your openvpn tunnel there:
                                                                                          ip netns add $NS
                                                                                          # Wait for the TUN to come up
                                                                                          while [[ $(ip route|grep $TUN|wc -l) == 0 ]]; do sleep 1; done
                                                                                          MY_IP=$(ip addr show $TUN|grep inet|cut -d' ' -f6|cut -d'/' -f1)
                                                                                          # The way you extract gateway IP might be different for your openvpn connection
                                                                                          GATEWAY_IP=$MY_IP
                                                                                          # jail my $TUN (VPN interface) into the namespace
                                                                                          ip link set $TUN netns $NS
                                                                                          # Bring the interface up with a subnet (equivalent to the one given to me by VPN server)
                                                                                          ip netns exec $NS ifconfig $TUN $MY_IP/24 up
# Bring loopback up
ip netns exec $NS ifconfig lo 127.0.0.1/8 up
# Set up remote gateway (your point-to-point VPN IP address)
ip netns exec $NS route add default gw $GATEWAY_IP

3. Establish veth connection between your default namespace and the one you’ve created:

# Set up veth interfaces for communication between namespaces
ip link add veth0 type veth peer name veth1
# Move the second veth to your namespace
ip link set veth1 netns $NS
# Give an IP from an unused IP range to the first veth
ifconfig veth0 10.1.1.1/24 up
# And the second one
ip netns exec $NS ifconfig veth1 10.1.1.2/24 up
# TODO: set up a bridge between veth1 and eth interface to let it communicate with LAN
# Set up DNS client. ip netns will emulate /etc/resolv.conf using this file:
mkdir -p /etc/netns/$NS
echo "nameserver 8.8.4.4" >/etc/netns/$NS/resolv.conf

4. Run your deluged in the $NS and your deluge-web in your default namespace. Point deluge-web to the 10.1.1.2 veth IP address, where deluged will be listening for its connection.

Voila! You’ve got deluged secured behind the VPN while your deluge-web is freely accessible on your home network.


                                                                                            answered Mar 19 ’17 at 1:45

                                                                                            Vlad
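A check that fits the setup described in the answer above, as an added example that is not part of the original post: it reads the namespace's IPv4 routing table and reports any route that would let traffic leave by a device other than the tunnel. The function name, the sample tables and the names tun0 and br0 are assumptions made for illustration; only veth1 and the 10.1.1.0/24 range come from the answer.

```shell
#!/bin/sh
# Added example (not from the answer): verify that a namespace's IPv4 routes
# only lead out through the VPN tunnel.
# Live use with the answer's variables:
#   ip netns exec "$NS" ip route show | ns_route_leaks "$TUN" veth1

# ns_route_leaks TUN VETH
# Reads `ip route show` output on stdin and prints one line per problem.
# Exit status 0: the default route is on TUN and nothing else leads out.
# Exit status 1: some route uses another device, or no default via TUN exists.
ns_route_leaks() {
    awk -v tun="$1" -v veth="$2" '
        NF == 0 { next }
        # Route types that drop traffic cannot leak it.
        $1 == "blackhole" || $1 == "unreachable" || $1 == "prohibit" { next }
        {
            dev = ""; via = 0
            for (i = 1; i < NF; i++) {
                if ($i == "dev") dev = $(i + 1)
                if ($i == "via") via = 1
            }
        }
        dev == tun && $1 == "default" { have_default = 1 }
        dev == tun || dev == "lo"     { next }
        # The veth may only carry its own on-link subnet (deluge-web access),
        # never a gatewayed or default route back through the host.
        dev == veth && !via && $1 != "default" { next }
        { print "LEAK: " $0; bad = 1 }
        END {
            if (!have_default) { print "MISSING: default route via " tun; bad = 1 }
            exit bad + 0
        }
    '
}

# Constructed sample: the table the answer's commands would produce.
sample_routes_ok() {
cat <<'EOF'
default via 10.8.0.6 dev tun0
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.6
10.1.1.0/24 dev veth1 proto kernel scope link src 10.1.1.2
EOF
}

# Constructed sample: a LAN bridge (hypothetical br0) was added inside the
# namespace and brought its own default route with it.
sample_routes_leaky() {
cat <<'EOF'
default via 10.8.0.6 dev tun0
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.6
10.1.1.0/24 dev veth1 proto kernel scope link src 10.1.1.2
192.168.1.0/24 dev br0 proto kernel scope link src 192.168.1.50
default via 192.168.1.1 dev br0 metric 100
EOF
}

sample_routes_leaky | ns_route_leaks tun0 veth1 || echo "namespace is not VPN-only"
```

The check covers the IPv4 main table only; an IPv6 table would need the same pass over `ip -6 route show`.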


@AndrDevEK’s answer is useful. To expand upon that, you may not want to install socat. In which case you can achieve the same thing with a slightly convoluted SSH port-forward setup. In particular the feature of port-forwarding to/from a unix-domain socket is useful here, because unix-domain sockets operate independently of network namespaces:

sudo ip netns exec myvpn su -c "ssh -N -L /tmp/myunixsock:localhost:8112 localhost" $USER &
ssh_pid1=$!
ssh -N -L localhost:8112:/tmp/myunixsock localhost &
ssh_pid2=$!

Cleanup:

sudo kill $ssh_pid1
kill $ssh_pid2
rm /tmp/myunixsock

The first ssh -N -L is started within the myvpn namespace. This creates a unix-domain socket /tmp/myunixsock and listens on it. Incoming connections are forwarded to localhost:8112 (inside the myvpn namespace).
The second ssh -N -L is started in the default namespace. This creates a listening TCP port and forwards incoming connections to the unix-domain socket.

It should be noted that in order for this to work, ssh inside your network namespace will need to be working if it is not already (and passwordless pubkey operation is helpful):

sudo ip netns exec myvpn ip link set up dev lo
sudo ip netns exec myvpn /usr/sbin/sshd -o PidFile=/run/sshd-myvpn.pid
ssh-copy-id localhost
                                                                                                


                                                                                                    answered 11 mins ago

                                                                                                    Digital Trauma


                                                                                                        Restrict inbound access on localhost:TCP port


For reasons beyond my control, I have a binary that binds to TCP “localhost:$PORT”. (Unix socket bindings would make this question moot).

If I understand correctly, this means that although no network machine can connect, other users on the machine (including unprivileged daemon users) can connect to this port.

Is there some way for me to specify that only binaries running as $me should be allowed to connect to this port? I can become root in order to specify the configuration, but the listening binary and the connecting binaries both run as the non-root $me user.
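To see the exposure the question describes, the following added example (not part of the original post) audits which local UIDs currently hold an established connection to a loopback TCP port, using the /proc/net/tcp table format. It observes only and does not block anything. It assumes a little-endian Linux host (127.0.0.1 appears as 0100007F) and IPv4; the function names, port 8112, the UIDs and the sample rows are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the question): list local users other than the
# allowed one that are connected to a loopback TCP port.
# Live use:
#   foreign_loopback_peers "$PORT" "$(id -u)" < /proc/net/tcp

# foreign_loopback_peers PORT ALLOWED_UID
# Reads a /proc/net/tcp-format table on stdin. Each row is one socket:
#   $2 = local addr:port (hex), $3 = remote addr:port (hex),
#   $4 = state (01 = ESTABLISHED, 0A = LISTEN), $8 = owning UID.
# A client of the service is a socket whose REMOTE end is 127.0.0.1:PORT,
# so the owning UID of that row is the connecting user.
# Only ESTABLISHED rows are considered: TIME_WAIT rows no longer carry
# the real owner and would show up as UID 0.
# Exit status 0: no foreign client found. Exit status 1: at least one found.
foreign_loopback_peers() {
    port_hex=$(printf '%04X' "$1")
    awk -v target="0100007F:$port_hex" -v allowed="$2" '
        $1 == "sl" { next }                      # header row
        $4 == "01" && $3 == target && $8 != allowed {
            printf "uid=%s local=%s st=%s\n", $8, $2, $4
            found = 1
        }
        END { exit found + 0 }
    '
}

# Constructed sample table: a listener on 127.0.0.1:8112 owned by UID 1000,
# one client owned by UID 1000, one client owned by UID 33, and one
# TIME_WAIT leftover.
sample_proc_net_tcp() {
cat <<'EOF'
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:1FB0 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 20001
   1: 0100007F:1FB0 0100007F:C350 01 00000000:00000000 00:00000000 00000000  1000        0 20002
   2: 0100007F:C350 0100007F:1FB0 01 00000000:00000000 00:00000000 00000000  1000        0 20003
   3: 0100007F:1FB0 0100007F:C351 01 00000000:00000000 00:00000000 00000000  1000        0 20004
   4: 0100007F:C351 0100007F:1FB0 01 00000000:00000000 00:00000000 00000000    33        0 20005
   5: 0100007F:C352 0100007F:1FB0 06 00000000:00000000 00:00000000 00000000     0        0 0
EOF
}

sample_proc_net_tcp | foreign_loopback_peers 8112 1000 \
    || echo "another local user is connected to the port"
```

The result is a point-in-time snapshot, so short-lived connections between two runs are not seen; connections to ::1 are listed in /proc/net/tcp6 and are not covered here.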

                                                                                                        share

                                                                                                          up vote
                                                                                                          0
                                                                                                          down vote

                                                                                                          favorite

                                                                                                          For reasons beyond my control, I have a binary that binds to TCP “localhost:$PORT”. (Unix socket bindings would make this question moot).

                                                                                                          If I understand correctly, this means that although no network machine can connect, other users on the machine (including unprivileged daemon users) can connect to this port.

                                                                                                          Is there some way for me to specify that only binaries running as $me should be allowed to connect to this port? I can become root in order to specify the configuration, but the listening binary and the connecting binaries both run as the non-root $me user


linux networking tcp port

asked 4 mins ago

Soumya
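
The exposure the question describes can be audited from the kernel's socket table. As an added example (not part of the original post), this Python code parses text in Linux `/proc/net/tcp` format and lists established loopback connections to a port whose owning UID differs from the expected one; the sample table, port 8080 and UIDs 1000 and 33 are constructed, and a little-endian host is assumed.

```python
"""Audit which local UIDs hold connections to a loopback TCP listener.

Input is text in the format of Linux /proc/net/tcp (IPv4 only; ::1 lives in
/proc/net/tcp6 and is not covered here).
"""
import socket
import struct
from collections import namedtuple

TCP_ESTABLISHED = 0x01
TCP_LISTEN = 0x0A

Sock = namedtuple("Sock", "local remote state uid inode")

# Constructed sample: uid 1000 listens on 127.0.0.1:8080; one client is
# uid 1000, another is uid 33 (a daemon account on this imaginary host).
SAMPLE = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:1F90 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 40001 1 0000000000000000 100 0 0 10 0
   1: 0100007F:1F90 0100007F:C350 01 00000000:00000000 00:00000000 00000000  1000        0 40002 1 0000000000000000 20 4 30 10 -1
   2: 0100007F:C350 0100007F:1F90 01 00000000:00000000 00:00000000 00000000  1000        0 40003 1 0000000000000000 20 4 30 10 -1
   3: 0100007F:1F90 0100007F:C351 01 00000000:00000000 00:00000000 00000000  1000        0 40004 1 0000000000000000 20 4 30 10 -1
   4: 0100007F:C351 0100007F:1F90 01 00000000:00000000 00:00000000 00000000    33        0 40005 1 0000000000000000 20 4 30 10 -1
   5: 0100007F:0277 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 40006 1 0000000000000000 100 0 0 10 0
"""


def decode_addr(field):
    """Turn '0100007F:1F90' into ('127.0.0.1', 8080)."""
    hex_ip, hex_port = field.split(":")
    # Assumption: little-endian host, where the kernel prints 127.0.0.1
    # as 0100007F. The port is plain hexadecimal.
    ip = socket.inet_ntoa(struct.pack("<I", int(hex_ip, 16)))
    return ip, int(hex_port, 16)


def parse_proc_net_tcp(text):
    """Return a list of Sock tuples, skipping the header and short lines."""
    socks = []
    for line in text.splitlines():
        f = line.split()
        if len(f) < 10 or not f[0].endswith(":"):
            continue
        socks.append(Sock(decode_addr(f[1]), decode_addr(f[2]),
                          int(f[3], 16), int(f[7]), int(f[9])))
    return socks


def listener_uid(text, port):
    """UID owning the loopback listener on `port`, or None if absent."""
    for s in parse_proc_net_tcp(text):
        if (s.state == TCP_LISTEN and s.local[1] == port
                and s.local[0].startswith("127.")):
            return s.uid
    return None


def foreign_clients(text, port, allowed_uid):
    """List (uid, client_port) for client-side sockets connected to
    loopback:`port` whose owner is not `allowed_uid`.

    On loopback both ends of a connection appear in the table. The
    client end is the row whose *remote* address is the listener, and
    its uid column is the connecting user. Only ESTABLISHED rows are
    checked, because rows in states such as TIME_WAIT report uid 0.
    """
    hits = []
    for s in parse_proc_net_tcp(text):
        if s.state != TCP_ESTABLISHED:
            continue
        if s.remote[1] != port or not s.remote[0].startswith("127."):
            continue
        if s.uid != allowed_uid:
            hits.append((s.uid, s.local[1]))
    return sorted(hits)


if __name__ == "__main__":
    # On a live Linux host, replace SAMPLE with open("/proc/net/tcp").read().
    owner = listener_uid(SAMPLE, 8080)
    print("listener uid:", owner)
    for uid, cport in foreign_clients(SAMPLE, 8080, owner):
        print("connection from uid %d (client port %d)" % (uid, cport))
```

The table is a point-in-time snapshot, so short-lived connections between two reads are not seen.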


Nested Port Forward


Is there a built-in software way to essentially port forward like the following?

    example.com/81/* -> example.com:81/*
    example.com/82/* -> example.com:82/*
    ...

Alternatively maybe for subdomains something similar?

    example.com/a/* -> a.example.com/*
    example.com/b/* -> b.example.com/*
    ...

I understand there may be speed issues but I would like to essentially access all ports on my machine when only being able to open one port through my router.

I believe I can feasibly get this to work with pipes with node.js but this seems like it may be a common need.

port-forwarding

asked 8 mins ago

William

                                                                                                                        draft saved
                                                                                                                        draft discarded

                                                                                                                         

                                                                                                                        draft saved

                                                                                                                        draft discarded

                                                                                                                        StackExchange.ready(
                                                                                                                        function () {
                                                                                                                        StackExchange.openid.initPostLogin(‘.new-post-login’, ‘https%3a%2f%2funix.stackexchange.com%2fquestions%2f479010%2fnested-port-forward%23new-answer’, ‘question_page’);
                                                                                                                        }
                                                                                                                        );

                                                                                                                        Post as a guest

VMWare vCentre Appliance boots into GRUB

I did post this question in VMWare communities, but 11 days later there’s been no response, so I thought I’d try on a more general *nix forum.

After an upgrade of my VCSA to version 6.5.0.22000-9451637, on reboot it gets stuck on the GRUB screen with the following:

setparams 'Photon'
linux "/"$photon_linux root=$rootpartition net.ifname=0 $photon_cmd
line coredump_filter=0x37 consoleblank=0
   if [ "$photon_initrd" ]; then
       initrd "/"$photon_initrd
   fi

If I then press F10 (to boot), I get the error message:

Booting a command list
error: not a regular file.
Press any key to continue...

The only reference to the issue is here, where the OP mentions how he fixed the issue:

I found broken link from photon.cfg to old linux-4.9.99-1.ph2-esx.cfg

Trouble is, I don’t know where to start to look for photon.cfg. Apart from the fact that it has 12 virtual disks, I don’t know enough about GRUB to know how to get out of it, therefore, any pointers would be greatly appreciated.

TIA

grub2 vmware

asked 1 min ago

woter324

                                                                                                                            1011

                                                                                                                            1011

                                                                                                                            New contributor
                                                                                                                            woter324 is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
                                                                                                                            Check out our Code of Conduct.

                                                                                                                            New contributor

                                                                                                                            woter324 is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
                                                                                                                            Check out our Code of Conduct.

                                                                                                                            woter324 is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
                                                                                                                            Check out our Code of Conduct.

                                                                                                                                active

                                                                                                                                oldest

                                                                                                                                votes

                                                                                                                                Your Answer

                                                                                                                                StackExchange.ready(function() {
                                                                                                                                var channelOptions = {
                                                                                                                                tags: “”.split(” “),
                                                                                                                                id: “106”
                                                                                                                                };
                                                                                                                                initTagRenderer(“”.split(” “), “”.split(” “), channelOptions);

                                                                                                                                StackExchange.using(“externalEditor”, function() {
                                                                                                                                // Have to fire editor after snippets, if snippets enabled
                                                                                                                                if (StackExchange.settings.snippets.snippetsEnabled) {
                                                                                                                                StackExchange.using(“snippets”, function() {
                                                                                                                                createEditor();
                                                                                                                                });
                                                                                                                                }
                                                                                                                                else {
                                                                                                                                createEditor();
                                                                                                                                }
                                                                                                                                });

                                                                                                                                function createEditor() {
                                                                                                                                StackExchange.prepareEditor({
                                                                                                                                heartbeatType: ‘answer’,
                                                                                                                                convertImagesToLinks: false,
                                                                                                                                noModals: true,
                                                                                                                                showLowRepImageUploadWarning: true,
                                                                                                                                reputationToPostImages: null,
                                                                                                                                bindNavPrevention: true,
                                                                                                                                postfix: “”,
                                                                                                                                imageUploader: {
                                                                                                                                brandingHtml: “Powered by u003ca class=”icon-imgur-white” href=”https://imgur.com/”u003eu003c/au003e”,
                                                                                                                                contentPolicyHtml: “User contributions licensed under u003ca href=”https://creativecommons.org/licenses/by-sa/3.0/”u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href=”https://stackoverflow.com/legal/content-policy”u003e(content policy)u003c/au003e”,
                                                                                                                                allowUrls: true
                                                                                                                                },
                                                                                                                                onDemand: true,
                                                                                                                                discardSelector: “.discard-answer”
                                                                                                                                ,immediatelyShowMarkdownHelp:true
                                                                                                                                });

                                                                                                                                }
                                                                                                                                });

                                                                                                                                Lazy Loading for Lightning Components


                                                                                                                                up vote
                                                                                                                                1
                                                                                                                                down vote

                                                                                                                                favorite

Need some advice. Following is the code for a lightning app, where all components are included. I am running out of various governor limits when they execute together. Hence, I am planning to make their context separate. What would be the best solution to invoke/execute each lightning component in a separate context while keeping all of them in a single app? Thanks in advance!

                                                                                                                                <aura:application extends="force:slds">
                                                                                                                                    <c:ComponentOne />
                                                                                                                                    <c:ComponentTwo />
                                                                                                                                    <c:ComponentThree />
                                                                                                                                    <c:ComponentFour />
                                                                                                                                    <c:ComponentFive />
                                                                                                                                    <c:ComponentSix />
                                                                                                                                     .
                                                                                                                                     .
                                                                                                                                     .
                                                                                                                                </aura:application>
                                                                                                                                


                                                                                                                                lightning-components lightning lightning-experience lightning-apps


                                                                                                                                edited 5 hours ago

                                                                                                                                asked 5 hours ago

                                                                                                                                Devendra


• Can you clarify what you are referring to by this — I am planning to make their context separate, as in how are you planning to separate the context? I would imagine using aura:if here to load the other components only when required should be your approach.
                                                                                                                                  – Jayant Das
                                                                                                                                  5 hours ago

• Not sure what you are doing in each of them, but when you talk about lazy loading components you use aura:if, as the child DOM would not be loaded in the first place. More on Best Practices for Conditional Markup
                                                                                                                                  – codeyinthecloud
                                                                                                                                  5 hours ago

• @JayantDas I would like to load all components in a single app, hence I can’t use aura:if. Assuming I have a VF page and different VF components, I would have used <apex:actionFunction> inside each VF component to perform lazy loading. Similarly, I am looking for a solution in the case of lightning components.
                                                                                                                                  – Devendra
                                                                                                                                  5 hours ago

                                                                                                                                • I would like to load all components in single app, hence I can’t use aura:if — you can still use aura:if to load all components in single app. Based on what you have in your snippet in your question, you just surround other components which you want to lazy load in an aura:if and load only based on the condition.
                                                                                                                                  – Jayant Das
                                                                                                                                  5 hours ago

• @Devendra If you are talking about loading one component after the other, you will have to implement some sort of custom time-based mechanism, either by aura:if or by $A.createComponent, loading them dynamically in JavaScript. Either approach would not load the DOM, so all the onload functionality (such as server calls, which is why you’re probably talking about governor limits) is held until they render. One other way would be to trigger $A.createComponent on after render of each component.
                                                                                                                                  – codeyinthecloud
                                                                                                                                  5 hours ago

                                                                                                                                • Can you clarify what do you refer by this — I am planning to make their context separate, as how are you planning to separate the context? I would imagine using aura:if here to load the other components only when required should be your approach.
                                                                                                                                  – Jayant Das
                                                                                                                                  5 hours ago

                                                                                                                                • Not sure what you are doing in each of them but when u talk about lazyloading compoents you use aura:If as the the child dom would not be loaded in the first place. More on Best Practices for Conditional Markup
                                                                                                                                  – codeyinthecloud
                                                                                                                                  5 hours ago

                                                                                                                                • @JayantDas I would like to load all components in single app, hence I can’t use aura:if . Assuming I have VF page and different VF components, I would have used <apex:actionFunction> inside each VF component to perform lazy loading. Similarly, I am looking for a solution in case of lightning component.
                                                                                                                                  – Devendra
                                                                                                                                  5 hours ago

                                                                                                                                • I would like to load all components in single app, hence I can’t use aura:if — you can still use aura:if to load all components in single app. Based on what you have in your snippet in your question, you just surround other components which you want to lazy load in an aura:if and load only based on the condition.
                                                                                                                                  – Jayant Das
                                                                                                                                  5 hours ago

                                                                                                                                • @Devendra If you are talking about loading one component after the other, you will have to implement some sort of custom time-based mechanism, either by aura:if or $A.createComponent, by loading them dynamically in JavaScript. Either approach would not load the DOM, so all the onload functionalities (such as server calls, which is why you’re probably talking about governor limits) are held until they render. One other way would be to trigger $A.createComponent on after render of each component.
                                                                                                                                  – codeyinthecloud
                                                                                                                                  5 hours ago


                                                                                                                                2 Answers

                                                                                                                                up vote
                                                                                                                                3
                                                                                                                                down vote

                                                                                                                                One thing you can do to make the context different is to use the action.setBackground() action. So the action call that is making use of most of the Apex limit can be used as a background action.

                                                                                                                                Another solution can be using aura:if or dynamically creating components using $A.createComponent.

                                                                                                                                The least preferred solution can be using enqueueAction.

                                                                                                                                https://medium.com/manj-force/did-a-enqueueaction-action-grouped-your-actions-f33ce710f0e3


                                                                                                                                • +1 from me nice that you made me recall about the background actions!
                                                                                                                                  – codeyinthecloud
                                                                                                                                  4 hours ago

                                                                                                                                • 1

                                                                                                                                  Background actions do not guarantee separate execution contexts, though, only that they are separate from foreground actions. But it can definitely alleviate problems.
                                                                                                                                  – sfdcfox
                                                                                                                                  4 hours ago

                                                                                                                                • Yes, all the background actions can be grouped again; that’s why I asked that only the API call that is consuming more limits should be a background action.
                                                                                                                                  – Manjot Singh
                                                                                                                                  3 hours ago

                                                                                                                                up vote
                                                                                                                                0
                                                                                                                                down vote

                                                                                                                                Just to get the flow you are looking for: you have an app container loading multiple children, and you want to load one child after the other to make sure the server calls on each child won’t throw you into risk of governor limits.

                                                                                                                                There are a couple of ways you could try this. But the idea here is to delay server calls (run them in some kind of series setup rather than in parallel).

                                                                                                                                1. Use aura:if or $A.createComponent and implement some sort of time lag mechanism (this still will not guarantee a proper series mechanism, as it’s hard to calculate the time).
                                                                                                                                2. Use aura:if or $A.createComponent and fire an event from the first component’s success response of the server call that will reach the app and load the second component, and so on until you load the subsequent components.
                                                                                                                                3. Use $A.createComponent and fire an afterRender event in the first loaded component and capture it in the parent to load the next one, and so on.
                                                                                                                                4. Like @manjotsingh suggested, background actions can be preferred too!

                                                                                                                                Note: This is theoretical
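
Option 2 of the answer above (create the next child only after the previous child's server call has returned), as an added example that is not part of the original answer. The `whenLoaded` hook, the `loadInSeries` name and the `c:*` component names are assumptions made for illustration; the creation function is injected so the block also runs outside Salesforce.

```javascript
// Added example: load child components strictly one after another.
// createComponent must have the shape of Aura's
//   $A.createComponent(type, attributes, callback(newCmp, status, errorMessage))
// In an Aura helper, pass: function (t, a, cb) { $A.createComponent(t, a, cb); }
// whenLoaded(cmp, done) is a hypothetical hook: it must call done() once the
// child's own server call has returned (for instance from the handler of a
// completion event that the child fires).
function loadInSeries(descriptors, createComponent, whenLoaded, onFinished) {
  const loaded = [];

  function next(index) {
    if (index >= descriptors.length) {
      onFinished(null, loaded);
      return;
    }
    const d = descriptors[index];
    createComponent(d.type, d.attributes || {}, function (cmp, status, errorMessage) {
      if (status !== "SUCCESS") {
        // Stop the chain: later children are never created, so they never
        // issue their server calls.
        onFinished(new Error(d.type + ": " + status + " " + (errorMessage || "")), loaded);
        return;
      }
      let signalled = false;
      whenLoaded(cmp, function () {
        if (signalled) return; // ignore a duplicate completion signal
        signalled = true;
        loaded.push(cmp);
        next(index + 1);
      });
    });
  }

  next(0);
}

// Constructed stand-ins: a fake creation function and a fake completion hook
// that parks each done() callback until the demo releases it.
function runDemo() {
  const log = [];
  const pending = [];
  const fakeCreate = function (type, attrs, cb) {
    log.push("create " + type);
    if (type === "c:broken") cb(null, "ERROR", "no such component");
    else cb({ type: type }, "SUCCESS", "");
  };
  const fakeWhenLoaded = function (cmp, done) { pending.push(done); };

  let result = null;
  loadInSeries(
    [{ type: "c:first" }, { type: "c:second" }, { type: "c:broken" }, { type: "c:never" }],
    fakeCreate,
    fakeWhenLoaded,
    function (err, loaded) { result = { err: err, count: loaded.length }; }
  );

  const afterStart = log.slice(); // only the first child exists at this point
  const firstDone = pending.shift();
  firstDone();                    // first child's server call returns
  firstDone();                    // duplicate signal, ignored
  pending.shift()();              // second child's server call returns
  return { afterStart: afterStart, log: log, result: result };
}
```
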


                                                                                                                                  2 Answers
                                                                                                                                  2

                                                                                                                                  active

                                                                                                                                  oldest

                                                                                                                                  votes

                                                                                                                                  2 Answers
                                                                                                                                  2

                                                                                                                                  active

                                                                                                                                  oldest

                                                                                                                                  votes

                                                                                                                                  active

                                                                                                                                  oldest

                                                                                                                                  votes

                                                                                                                                  active

                                                                                                                                  oldest

                                                                                                                                  votes

                                                                                                                                  up vote
                                                                                                                                  3
                                                                                                                                  down vote

                                                                                                                                  I thing you can do to make context different is use action.setBackground() action. So action call that is making use of most of apex limit can be used as background action.

                                                                                                                                  Another solution can be using aura:if or dynamically creating components using $A.createcomponent.

                                                                                                                                  Least preferred solution can be using enqueueAction

                                                                                                                                  https://medium.com/manj-force/did-a-enqueueaction-action-grouped-your-actions-f33ce710f0e3

                                                                                                                                  share|improve this answer

                                                                                                                                  • +1 from me nice that you made me recall about the background actions!
                                                                                                                                    – codeyinthecloud
                                                                                                                                    4 hours ago

                                                                                                                                  • 1

                                                                                                                                    Background actions do not guarantee separate execution contexts, though, only that they are separate from foreground actions. But it can definitely alleviate problems.
                                                                                                                                    – sfdcfox
                                                                                                                                    4 hours ago

                                                                                                                                  • Yes all the background actions can be grouped again that’s why I asked that only API call that is consuming more limits should be background action.
                                                                                                                                    – Manjot Singh
                                                                                                                                    3 hours ago

                                                                                                                                  up vote
                                                                                                                                  3
                                                                                                                                  down vote

                                                                                                                                  I thing you can do to make context different is use action.setBackground() action. So action call that is making use of most of apex limit can be used as background action.

                                                                                                                                  Another solution can be using aura:if or dynamically creating components using $A.createcomponent.

                                                                                                                                  Least preferred solution can be using enqueueAction

                                                                                                                                  https://medium.com/manj-force/did-a-enqueueaction-action-grouped-your-actions-f33ce710f0e3

                                                                                                                                  share|improve this answer

                                                                                                                                  • +1 from me nice that you made me recall about the background actions!
                                                                                                                                    – codeyinthecloud
                                                                                                                                    4 hours ago

                                                                                                                                  • 1

                                                                                                                                    Background actions do not guarantee separate execution contexts, though, only that they are separate from foreground actions. But it can definitely alleviate problems.
                                                                                                                                    – sfdcfox
                                                                                                                                    4 hours ago

                                                                                                                                  • Yes all the background actions can be grouped again that’s why I asked that only API call that is consuming more limits should be background action.
                                                                                                                                    – Manjot Singh
                                                                                                                                    3 hours ago

                                                                                                                                  up vote
                                                                                                                                  3
                                                                                                                                  down vote


One thing you can do to make the context different is to use the action.setBackground() action. So the action call that is making use of most of the Apex limits can be used as a background action.

Another solution can be using aura:if or dynamically creating components using $A.createComponent.

Least preferred solution can be using enqueueAction

https://medium.com/manj-force/did-a-enqueueaction-action-grouped-your-actions-f33ce710f0e3


                                                                                                                                  answered 4 hours ago

                                                                                                                                  Manjot Singh


• +1 from me, nice that you made me recall the background actions!
  – codeyinthecloud
  4 hours ago

• Background actions do not guarantee separate execution contexts, though, only that they are separate from foreground actions. But it can definitely alleviate problems.
  – sfdcfox
  4 hours ago

• Yes, all the background actions can be grouped again; that’s why I asked that only the API call that is consuming more limits should be a background action.
  – Manjot Singh
  3 hours ago


                                                                                                                                  up vote
                                                                                                                                  0
                                                                                                                                  down vote

Just to get the flow you are looking for: you have an app container loading multiple children, and you want to load one child after the other to make sure the server calls on each child won't throw you into risk of governor limits.

There are a couple of ways you could try this. But the idea here is to delay server calls (run them in some kind of series setup rather than in parallel).

1. Use aura:if or $A.createComponent and implement some sort of time-lag mechanism (this would still not guarantee a proper series mechanism, as it's hard to calculate the time).
2. Use aura:if or $A.createComponent and fire an event from the first component on the success response of its server call that will reach the app and load the second component, and so on until you load the subsequent components.
3. Use $A.createComponent and fire the afterRender event in the first loaded component and capture it in the parent to load the next one, and so on.
4. Like @manjotsingh suggested, background actions can be preferred too!

Note: This is theoretical


                                                                                                                                      edited 4 hours ago

                                                                                                                                      answered 4 hours ago

                                                                                                                                      codeyinthecloud
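Option 2 from the answer above (create the next child only after the previous child reports that its server call succeeded), as an added sketch that is not part of either answer. The `createComponent` argument is injected and only assumed to follow the callback shape of Aura's `$A.createComponent` (`component, status, errorMessage`); the component names and the fake framework in `runDemo` are constructed for illustration.

```javascript
// Serial loader: at most one child is waiting on the server at any time.
function createSeriesLoader(descriptors, createComponent) {
  const state = { loaded: [], failed: null, inFlight: false, next: 0 };

  function loadNext() {
    // Do not start a child while another is in flight, after a failure,
    // or when the list is exhausted.
    if (state.inFlight || state.failed || state.next >= descriptors.length) {
      return false;
    }
    const descriptor = descriptors[state.next];
    state.inFlight = true;
    createComponent(descriptor, {}, function (component, status, errorMessage) {
      if (status !== "SUCCESS") {
        // Stop the chain rather than stacking more server calls on a failing page.
        state.failed = { descriptor, status, errorMessage };
        state.inFlight = false;
        return;
      }
      state.loaded.push(descriptor);
    });
    return true;
  }

  // Called by the parent's handler for the child's "server call finished" event.
  function childFinished(descriptor) {
    // Ignore stale, duplicate or out-of-order events.
    if (!state.inFlight || descriptors[state.next] !== descriptor) {
      return false;
    }
    state.inFlight = false;
    state.next += 1;
    loadNext();
    return true;
  }

  return { start: loadNext, childFinished, state };
}

// Constructed stand-in for the framework: records creation order and
// fails any descriptor named "c:brokenChild".
function runDemo(descriptors) {
  const created = [];
  const fakeCreate = function (descriptor, attributes, callback) {
    created.push(descriptor);
    if (descriptor === "c:brokenChild") {
      callback(null, "ERROR", "constructed failure");
    } else {
      callback({ descriptor: descriptor }, "SUCCESS", null);
    }
  };
  const loader = createSeriesLoader(descriptors, fakeCreate);
  loader.start();
  const afterStart = created.slice();
  // An event for a child that is not the one in flight must not advance the chain.
  const staleAccepted = loader.childFinished(descriptors[1]);
  const accepted = descriptors.map(function (d) {
    return loader.childFinished(d);
  });
  return {
    afterStart: afterStart,
    staleAccepted: staleAccepted,
    accepted: accepted,
    created: created,
    loaded: loader.state.loaded,
    failed: loader.state.failed
  };
}
```

In a Lightning app the parent component would own the loader, pass a wrapper around `$A.createComponent`, and call `childFinished` from the handler of whatever event the child fires after its server response.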
