## Applying a recursive function to a list to get another list


Here is code:

```
x2 = {1539.91, 5.05, -2.82, 0, 19, 135.93, 117.78, 11.61, 8.17, 13.76,
  1.5, 36.75, 137.77, -16.18, 4.18, -2.82, 0, 18.42, 53.19, 5.91,
  -16.18, 3.24, -2.82, 0, 53.19, 518.6, -16.18, 1.61, -2.82, 23, 0,
  70.92, 58.89, 13.08, 42.32, 57.67, -15.32, 1.76, -2.68, 18.42, 0,
  53.19, 6.33, -15.32, 2.01, -2.68, 0, 53.19, -15.32, 2.17, -2.68, 0,
  -1000, 76.83, 27.18, 0.02, 8.88, 13.08, 30, 48.72, 16.02, -15.32,
  1.69, -2.68, 0, 0.7, 53.19, 1128.85, 11.49, 53.19, 16.61, 209.84,
  1243.2, 23, 1.08}
```


I want to create a new list called balancelist using a recursive function (or any other way so I learn) such that I end up with a list with something like this:

```
{1539.91, 1539.91 - 5.05, 1539.91 - 5.05 - (-2.82), ......}
```


I have tried the following code but it doesn’t work:

```
balancefinal = {}
For[i = 1, i <= Length[x2], i++, x2[[i]] - x2[[i + 1]];
 Append[balancefinal]]
```



webmathematica mathematica-online

edited 12 mins ago

kglr


beemen


If you consider Accumulate a recursive function, then you could do:

```
2 x2[[1]] - Accumulate[x2]
```


This is much faster than using something like FoldList. For example:

```
x2 = RandomReal[{-10, 10}, 10^6];

r1 = 2 x2[[1]] - Accumulate[x2]; //AbsoluteTiming
r2 = FoldList[Subtract, x2]; //AbsoluteTiming

MinMax[r1 - r2]
```

```
{0.005461, Null}

{0.161103, Null}

{-3.86535*10^-12, 1.65983*10^-11}
```

Carl Woll


You can Fold Subtract on x2:

```
FoldList[Subtract, x2]
```

```
{1539.91,1534.86,1537.68,1537.68,1518.68,1382.75,1264.97,1253.36,1245.19,1231.43,1229.93,1193.18,1055.41,1071.59,1067.41,1070.23,1070.23,1051.81,998.62,992.71,1008.89,1005.65,1008.47,1008.47,955.28,436.68,452.86,451.25,454.07,431.07,431.07,360.15,301.26,288.18,245.86,188.19,203.51,201.75,204.43,186.01,186.01,132.82,126.49,141.81,139.8,142.48,142.48,89.29,104.61,102.44,105.12,105.12,1105.12,1028.29,1001.11,1001.09,992.21,979.13,949.13,900.41,884.39,899.71,898.02,900.7,900.7,900.,846.81,-282.04,-293.53,-346.72,-363.33,-573.17,-1816.37,-1839.37,-1840.45}
```

If you have to use For here is a modification of your code that gives the correct result:

```
balancefinal = {x2[[1]]};
For[i = 1, i < Length[x2], i++, AppendTo[balancefinal, balancefinal[[-1]] - x2[[i + 1]]]]

balancefinal == FoldList[Subtract, x2]
```

```
True
```

edited 5 mins ago

kglr
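
The question asked for a literal recursive function, which neither answer writes out. The following is an added example, not code from either answer: it defines the recurrence with memoization and checks it against the `FoldList` and `Accumulate` forms shown above. The names `x` and `balance` are hypothetical, and `x` is a constructed sample holding the first five values of the question's `x2`.

```mathematica
(* Constructed sample: the first five entries of the question's x2 *)
x = {1539.91, 5.05, -2.82, 0, 19};

ClearAll[balance];

(* Base case: the running balance starts at the first element *)
balance[1] = x[[1]];

(* Recursive step: subtract the n-th entry from the previous balance.
   The inner "balance[n] = ..." stores each value once it is computed,
   so every later lookup is a constant-time table hit. *)
balance[n_Integer /; n > 1] := balance[n] = balance[n - 1] - x[[n]];

(* Mapping in ascending order keeps the recursion depth at one call,
   because balance[n - 1] is already stored when balance[n] is evaluated. *)
balancelist = balance /@ Range[Length[x]];

(* Same arithmetic in the same order as FoldList, so this is exactly equal *)
balancelist == FoldList[Subtract, x]

(* The Accumulate form sums in a different order, so compare with a
   tolerance rather than with ==, as the MinMax output above suggests *)
Max[Abs[balancelist - (2 x[[1]] - Accumulate[x])]] < 10^-9
```

Calling `balance[Length[x]]` directly on a long list, instead of mapping upward from 1, recurses to depth `Length[x]` and runs into the default `$RecursionLimit` of 1024.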


## Does the Boon of Spell Mastery benefit someone with Magic Initiate but no spell slots?


As a Fighter with an above-average Intelligence score, I’ve chosen to take the Magic Initiate feat (PHB, p. 168), and as my 1st-level wizard spell, I’ve chosen to learn burning hands, which I’m now able to cast once per day as if I were a Wizard. This fulfills the requirements specified by the Boon of Spell Mastery (DMG, p. 232), which reads:

> Choose one 1st-level sorcerer, warlock, or wizard spell that you can cast. You can now cast that spell at its lowest level without expending a spell slot.

But there’s a snag, in the fact that this fighter does not have spell slots to begin with—they are not an Eldritch Knight, and no part of the Magic Initiate feat specifies that they gain any spell slots. They weren’t casting burning hands using a spell slot in the first place, so saying they “can now cast burning hands without a spell slot” doesn’t mean anything.

Does this Boon benefit this character at all or is it useless to them?


dnd-5e spells feats epic-tier

edited 8 mins ago

V2Blast


Xirema


# The character would benefit from the boon

Magic Initiate says:

> [C]hoose one 1st-level spell from the [class’s] spell list. You learn that spell and can cast it at its lowest level. Once you cast it, you must finish a long rest before you can cast it again using this feat.

As you correctly say, Magic Initiate does not grant you spell slots, only (from this bullet) the ability to cast a single spell. So, you are already casting this spell without using up a spell slot. However, Magic Initiate only allows you to cast the spell once per long rest. Upon receiving the boon, you would be able to cast it as many times as you wanted. So there would be a benefit there.

edited 1 hour ago

Rubiksmoose


• @Ruse it isn’t a requirement at all (I didn’t address requirements at all on my answer since it wasn’t part of the question). The DM is free to bestow it on the fighter. My point is though that the fighter will receive no benefit from it at all. Does that make sense? If I can make it clearer please let me know.
– Rubiksmoose
2 hours ago

• It’s unclear to me why there is no benefit. Being able to cast a spell without spell slots (with the boon) is way more beneficial than being able to cast a spell without spell slots once per day (with just the feat).
– Ruse
2 hours ago

• @Ruse Very good point! That was because I had overlooked that. I have updated my answer.
– Rubiksmoose
1 hour ago


Epic Boons – like the Boon of Spell Mastery – do not have any more complicated requirements than are indicated in each boon. Your Fighter’s ability to cast Burning Hands is sufficient that they should then be able to qualify to take Boon of Spell Mastery upon exceeding 20th level by 3,000 XP.

All that said, Epic Boons are very directly to be given to a character at the DM’s discretion and only with their approval, should the DM allow you to choose which Epic Boon you want. If the boon does not fit thematically (can you really be a Spell Master without having spell slots?) they are well within their rights to assign you a different boon, perhaps something like Combat Prowess more fitting for the character.

Weaveworker89


• The question isn’t about whether they “qualify” to take the boon, nor whether it’s a good idea for them to take it (or for a DM to offer it), it’s about examining whether said character can actually benefit from said boon, even if it has been granted to them.
– Xirema
3 hours ago

• This doesn’t answer the question at all. Check it now that the wording has been tweaked to see if it makes more sense to you.
– Rubiksmoose
2 hours ago


## Use playerctl or dbus to get the latest active media player


Before I switched to bspwm, I used KDE/Plasma 5. In KDE, I could use my media keys to play/pause, etc. in VLC, Spotify and even in Firefox with an add-on (YouTube, Netflix, pretty much everything worked). When VLC, Firefox and Spotify were all open, the media keys controlled the last used player, regardless of whether the window is open or not.

I’d like to get the same functionality in bspwm.

Right now I’m using `playerctl -p spotify play-pause` to control Spotify, which is bound to `XF86AudioPlay` in `sxhkdrc`. I’d also like to do this with VLC, but playerctl needs to know which player to play/pause if both are open.

Is there a way to get the same KDE/Plasma functionality for VLC, Firefox and Spotify? If not, is there a way to determine which player was last active? That way I could write a script to play/pause only the last active player.

EDIT:

Looks like the Plasma Integration add-on for Firefox still works with playerctl and bspwm, so sites like YouTube still respond to controls, great!

What I only need now is a way to get the latest active player, so when Spotify happens to be open in the background and I’m watching something on VLC, it knows to control VLC and not Spotify when I press media keys.

`playerctl -l` when multiple media players are open shows me that Plasma Browser Integration is always on top, meaning that will always have top priority with media keys. Second is VLC, third is Spotify.

d-bus vlc mediaplayer bspwm

edited 8 mins ago

zjeffer


## Does the Brute fighter’s extra damage die get added to the monk’s Martial Arts and Flurry of Blows attacks?

I am considering a build that would start with monk, then multiclass to fighter up to level 3 to get the Brute archetype (from Unearthed Arcana: Three Subclasses).

Would the extra damage die from the Brute subclass still get added to the monk’s Martial Arts and Flurry of Blows attacks?

dnd-5e monk damage fighter unearthed-arcana

edited 20 mins ago

V2Blast

Eternallord66

• Where is this fighter subclass from? UA?
– Szega
6 hours ago

• @Szega Yes
– NathanS
6 hours ago

• Please note that Unearthed Arcana is not tuned for Multiclassing.
– NautArch
6 hours ago

• in a home campaign I can multiclass with unearthed arcana features if I wish or am I wrong?
– Eternallord66
6 hours ago

• Yes, my apologies if that came off as a You Can Not Do This At All 🙂 But did want to let it be known that there may be unknown interactions that can make multiclassing with UA problematic at times.
– NautArch
5 hours ago

## Not with unarmed strikes

As of the first Player’s Handbook errata unarmed strikes no longer count as weapons.

Instead of using a weapon to make a melee weapon attack, you can use an un-armed [sic] strike: a punch, kick, head-butt, or similar forceful blow (none of which count as weapons).

The Brute Damage requires a weapon:

Whenever you hit with a weapon that you’re proficient with and deal damage, the weapon’s damage increases

This means that Flurry of Blows can not use Brute Damage as it only uses unarmed strikes (emphasis mine):

Immediately after you take the Attack action on your turn, you can spend 1 ki point to make two unarmed strikes as a bonus action.

## You could use a Monk Weapon with Martial Arts

Martial Arts affects certain weapons in addition to unarmed strikes (emphasis mine):

• You can use Dexterity instead of Strength for the attack and damage rolls of your unarmed strikes and monk weapons.

• You can roll a d4 in place of the normal damage of your unarmed strike or monk weapon.

If using a monk weapon, the Brute Damage would apply.

edited 4 hours ago

David Coffron

• Since the question specifically calls it out, you should mention that “Flurry of Blows” does NOT use monk weapons, only unarmed strikes so those would not stack. “Immediately after you take the Attack action on your turn, you can spend 1 ki point to make two unarmed strikes as a bonus action.”
– MivaScott
5 hours ago

– David Coffron
5 hours ago

# The Brute’s Damage is not added to unarmed strikes

The Brute archetype says:

### Brute Force

Starting at 3rd level, you’re able to strike with your weapons with especially brutal force. Whenever you hit with a weapon that you’re proficient with and deal damage, the weapon’s damage increases by an amount based on your level in this class, as shown on the Brute Bonus Damage table.

Even though unarmed strike is considered a weapon attack, it is not considered a weapon, so the extra damage from Brute Force would not be added to it as it specifically says “hit with a weapon” rather than “make a melee weapon attack” like most features do, although it would of course still be added to any weapon attacks you make with a weapon.

NathanS

## Can Certificate be validated locally

When I establish TLS/SSL with some server he sends me the certificate in the process. The certificate is signed by a certificate authority.

In my PC/browser I have a list of trusted certificate authorities.

Do I send the certificate to the authority or I validate it locally (checking the certificate’s signature using data stored within the certificate authority list)?

(note: if needed take the browser for the example TLS/SSL client)

tls certificates certificate-authority

croraf

Certificates are validated locally. However, the client may contact the CA repository if some pieces of information are missing. For example, if an intermediate CA certificate is missing from the local store and the web server didn’t return it during the handshake, the client may download the missing certificate from the CA repository. Additionally, the client can check certificate revocation by contacting the CA via OCSP or by downloading a CRL from the CA repository when no up-to-date revocation information is stored in the local cache.

Signature and chain validations are always performed locally.

edited 2 hours ago

ÃÂurous

Crypt32

• +1 TL;DR: certs are validated locally, but if you want up-to-date information on whether the cert has been revoked then the client needs to contact the CA.
– Mike Ounsworth
2 hours ago

• I mentioned that client contacts CA-managed OCSP/CRL servers.
– Crypt32
2 hours ago

• Yup! Hence why it’s a “+1 TL;DR”, not a correction.
– Mike Ounsworth
2 hours ago
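
The local signature and chain validation described in the answer above, as an added Go example that is not part of the original answer or its comments: it builds a constructed chain (Root CA, two intermediates, a leaf for example.com) in memory and validates it with `crypto/x509` using only a local trust store and the certificates a server would present. The helper names `issue`, `verifyOffline` and `demo`, and the certificate names, are assumptions made for this illustration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// node is one certificate of the constructed demo chain with its private key.
type node struct {
	cert *x509.Certificate
	key  *ecdsa.PrivateKey
}

var serial int64 // constructed serial numbers, unique within this demo

func check(err error) { // abort the demo on setup errors
	if err != nil {
		panic(err)
	}
}

// issue creates a certificate for cn signed by parent (self-signed if parent is nil).
func issue(cn string, isCA bool, parent *node) *node {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	serial++
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true,
		IsCA:                  isCA,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	if !isCA { // leaf: a TLS server certificate for the host name cn
		tmpl.KeyUsage = x509.KeyUsageDigitalSignature
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
		tmpl.DNSNames = []string{cn}
	}
	if parent == nil { // a root signs itself
		parent = &node{tmpl, key}
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent.cert, &key.PublicKey, parent.key)
	check(err)
	cert, err := x509.ParseCertificate(der)
	check(err)
	return &node{cert, key}
}

// verifyOffline validates leaf for example.com using only the local trust store
// and the certificates the server presented. With explicit pools, crypto/x509
// checks each signature in memory: no AIA fetching, no OCSP or CRL lookup.
func verifyOffline(leaf *node, trusted, presented []*node) (int, error) {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	for _, n := range trusted {
		roots.AddCert(n.cert)
	}
	for _, n := range presented {
		inters.AddCert(n.cert)
	}
	chains, err := leaf.cert.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters, DNSName: "example.com"})
	if err != nil {
		return 0, err
	}
	return len(chains[0]), nil // certificates on the validated path, leaf to root
}

func unknownAuthority(err error) bool { // true when no path to a trusted root exists
	var ua x509.UnknownAuthorityError
	return errors.As(err, &ua)
}

// demo returns the path length with the full chain, whether withholding
// Intermediate B is rejected, and whether an untrusted root is rejected.
func demo() (pathLen int, missingRejected, untrustedRejected bool) {
	root := issue("Root CA", true, nil)
	a := issue("Intermediate A", true, root)
	b := issue("Intermediate B", true, a)
	leaf := issue("example.com", false, b)
	pathLen, err := verifyOffline(leaf, []*node{root}, []*node{a, b})
	check(err)
	_, err = verifyOffline(leaf, []*node{root}, []*node{a}) // B was not sent
	missingRejected = unknownAuthority(err)
	_, err = verifyOffline(leaf, nil, []*node{a, b, root}) // root sent but not trusted
	untrustedRejected = unknownAuthority(err)
	return pathLen, missingRejected, untrustedRejected
}

func main() {
	fmt.Println(demo()) // prints: 4 true true
}
```

Go's verifier does not download a missing intermediate, so the second case fails outright; a client that does fetch it would make the one network request the answer mentions, and revocation checking is likewise outside what this validation covers.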

• +1 TL;DR: certs are validated locally, but if you want up-to-date information on whether the cert has been revoked then the client needs to contact the CA.
âÂ Mike Ounsworth
2 hours ago

• I mentioned that client contacts CA-managed OCSP/CRL servers.
âÂ Crypt32
2 hours ago

• Yup! Hence why it’s a “+1 TL;DR”, not a correction.
âÂ Mike Ounsworth
2 hours ago

1

+1 TL;DR: certs are validated locally, but if you want up-to-date information on whether the cert has been revoked then the client needs to contact the CA.
âÂ Mike Ounsworth
2 hours ago

+1 TL;DR: certs are validated locally, but if you want up-to-date information on whether the cert has been revoked then the client needs to contact the CA.
âÂ Mike Ounsworth
2 hours ago

I mentioned that client contacts CA-managed OCSP/CRL servers.
âÂ Crypt32
2 hours ago

I mentioned that client contacts CA-managed OCSP/CRL servers.
âÂ Crypt32
2 hours ago

Yup! Hence why it’s a “+1 TL;DR”, not a correction.
âÂ Mike Ounsworth
2 hours ago

Yup! Hence why it’s a “+1 TL;DR”, not a correction.
âÂ Mike Ounsworth
2 hours ago

# Does checking the certificate chain require connecting to external servers?

Not necessarily, if the chain is complete from a trusted CA to the leaf certificate (the site’s certificate) then no requests are needed. Each cert is either trusted, or signed by a cert higher in the chain. For example.com this would look like this:

• Root CA (trusted as it is installed in the browser)
• Intermediate A (trusted as it is signed by Root CA)
• Intermediate B (trusted as it is signed by Intermediate A)
• Site cert (trusted as it is signed by Intermediate B)

# Does checking expiry require connecting to external sources?

Using a CRL, or normal OCSP requires making an external request to check if the certificate has been invalidated since being issued, this can be a privacy issue as it allows a third party (the one running the OCSP responder) to track users.

To work around this issue, OCSP stapling can be used, where the server requests the OCSP response and returns it while it is valid to clients, before having to get a fresh response, preventing stale responses being used forever.

# What happens when the chain is incomplete?

If the chain is incomplete then an AIA Extention can be used to point to the issuer of a certificate, allowing the client to repair the gap in the chain, but client support for this is not ensured, so it is better to present a full chain when possible.

jrtapsell
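
The chain walk described in this answer, as an added example that is not part of the original post: it builds a constructed Root CA, Intermediate A, Intermediate B and example.com chain with the third-party Python `cryptography` package and checks it with no network access. It checks only issuer names, CA flags and signatures (not validity dates or revocation); `make_cert`, `signed_by` and `build_chain` are illustrative names.

```python
"""Offline certificate-chain walk: names, CA flags and signatures only."""
import datetime
from dataclasses import dataclass

from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID

MAX_DEPTH = 8  # stop on issuer loops or absurdly long chains


@dataclass
class ChainResult:
    ok: bool
    path: list   # subject names walked so far, leaf first
    reason: str


def _name(cn):
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])


def make_cert(subject_cn, issuer_cn, signing_key=None, is_ca=True):
    """Build a constructed test certificate (signed by its own key if signing_key is None)."""
    key = ec.generate_private_key(ec.SECP256R1())
    now = datetime.datetime.now(datetime.timezone.utc)
    cert = (
        x509.CertificateBuilder()
        .subject_name(_name(subject_cn))
        .issuer_name(_name(issuer_cn))
        .public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(now - datetime.timedelta(days=1))
        .not_valid_after(now + datetime.timedelta(days=30))
        .add_extension(x509.BasicConstraints(ca=is_ca, path_length=None), critical=True)
        .sign(signing_key or key, hashes.SHA256())
    )
    return cert, key


def signed_by(cert, issuer):
    """True if issuer is a CA and its public key verifies cert's signature."""
    try:
        bc = issuer.extensions.get_extension_for_class(x509.BasicConstraints).value
    except x509.ExtensionNotFound:
        return False
    if not bc.ca:
        return False
    try:
        issuer.public_key().verify(
            cert.signature,
            cert.tbs_certificate_bytes,
            ec.ECDSA(cert.signature_hash_algorithm),
        )
        return True
    except InvalidSignature:
        return False


def build_chain(leaf, supplied, trust_anchors):
    """Walk leaf -> trust anchor using only certificates already in hand (no network)."""
    pool = {c.subject.rfc4514_string(): c for c in supplied}
    anchors = {c.subject.rfc4514_string(): c for c in trust_anchors}
    path, current = [leaf.subject.rfc4514_string()], leaf
    for _ in range(MAX_DEPTH):
        issuer_name = current.issuer.rfc4514_string()
        issuer = anchors.get(issuer_name) or pool.get(issuer_name)
        if issuer is None:
            # This is the gap a client would have to fill via the AIA extension.
            return ChainResult(False, path, "missing issuer: " + issuer_name)
        if not signed_by(current, issuer):
            return ChainResult(False, path, "bad signature on " + path[-1])
        path.append(issuer_name)
        if issuer_name in anchors:
            return ChainResult(True, path, "chains to a trust anchor")
        current = issuer
    return ChainResult(False, path, "chain too long")


def demo():
    """Three constructed cases: complete chain, missing intermediate, forged intermediate."""
    root, root_key = make_cert("Root CA", "Root CA")
    inter_a, a_key = make_cert("Intermediate A", "Root CA", root_key)
    inter_b, b_key = make_cert("Intermediate B", "Intermediate A", a_key)
    site, _ = make_cert("example.com", "Intermediate B", b_key, is_ca=False)
    # Same names as the real Intermediate B, but never signed by Intermediate A.
    rogue_b, rogue_key = make_cert("Intermediate B", "Intermediate A")
    rogue_site, _ = make_cert("example.com", "Intermediate B", rogue_key, is_ca=False)
    return {
        "complete": build_chain(site, [inter_b, inter_a], [root]),
        "gap": build_chain(site, [inter_b], [root]),
        "forged": build_chain(rogue_site, [rogue_b, inter_a], [root]),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(case, result.ok, result.reason, result.path)
```

The "gap" case is the incomplete chain the answer mentions: the walk stops at the missing issuer, which is the point where a client either fetches it via AIA or fails.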

## port forwarding to application in network namespace with vpn

I was able to set up a network namespace, establish a tunnel with openvpn and start an application that uses this tunnel inside the namespace. So far so good, but this application can be accessed via a web interface and I can’t figure out how to route requests to the web interface inside my LAN.

I followed a guide from @schnouki explaining how to set up a network namespace and run OpenVPN inside of it

ip netns add myvpn
ip netns exec myvpn ip link set lo up
ip link set vpn1 netns myvpn up
ip netns exec myvpn ip route add default via 10.200.200.1 dev vpn1
iptables -A INPUT ! -i vpn0 -s 10.200.200.0/24 -j DROP
iptables -t nat -A POSTROUTING -s 10.200.200.0/24 -o en+ -j MASQUERADE
sysctl -q net.ipv4.ip_forward=1
mkdir -p /etc/netns/myvpn
echo 'nameserver 8.8.8.8' > /etc/netns/myvpn/resolv.conf


After that, I can check my external ip and get different results inside and outside of the namespace, just as intended:

curl -s ipv4.icanhazip.com
<my-isp-ip>
ip netns exec myvpn curl -s ipv4.icanhazip.com
<my-vpn-ip>


The application is started, I’m using deluge for this example. I tried several applications with a web interface to make sure it’s not a deluge specific problem.

ip netns exec myvpn sudo -u <my-user> /usr/bin/deluged
ip netns exec myvpn sudo -u <my-user> /usr/bin/deluge-web -f
ps $(ip netns pids myvpn)
PID TTY STAT TIME COMMAND
1468 ? Ss 0:13 openvpn --config /etc/openvpn/myvpn/myvpn.conf
9302 ? Sl 10:10 /usr/bin/python /usr/bin/deluged
9707 ? S 0:37 /usr/bin/python /usr/bin/deluge-web -f


I’m able to access the web interface on port 8112 from within the namespace and from outside if I specify the ip of veth vpn1.

ip netns exec myvpn curl -Is localhost:8112 | head -1
HTTP/1.1 200 OK
ip netns exec myvpn curl -Is 10.200.200.2:8112 | head -1
HTTP/1.1 200 OK
curl -Is 10.200.200.2:8112 | head -1
HTTP/1.1 200 OK


But I do want to redirect port 8112 from my server to the application in the namespace. The goal is to open a browser on a computer inside my LAN and get the web interface with http://my-server-ip:8112 (my-server-ip being the static ip of the server that instantiated the network interface)

EDIT: I removed my attempts to create iptables rules. What I’m trying to do is explained above and the following commands should output a HTTP 200:

curl -I localhost:8112
curl: (7) Failed to connect to localhost port 8112: Connection refused
curl -I <my-server-ip>:8112
curl: (7) Failed to connect to <my-server-ip> port 8112: Connection refused


I tried DNAT and SNAT rules and threw in a MASQUERADE for good measure, but since I don’t know what I’m doing, my attempts are futile. Perhaps someone can help me put together this construct.

EDIT: The tcpdump output of tcpdump -nn -q tcp port 8112. Unsurprisingly, the first command returns a HTTP 200 and the second command terminates with a refused connection.

curl -Is 10.200.200.2:8112 | head -1
listening on vpn0, link-type EN10MB (Ethernet), capture size 262144 bytes
IP 10.200.200.1.36208 > 10.200.200.2.8112: tcp 82
IP 10.200.200.2.8112 > 10.200.200.1.36208: tcp 145

curl -Is <my-server-ip>:8112 | head -1
listening on lo, link-type EN10MB (Ethernet), capture size 262144 bytes
IP <my-server-ip>.58228 > <my-server-ip>.8112: tcp 0
IP <my-server-ip>.8112 > <my-server-ip>.58228: tcp 0


EDIT: @schnouki himself pointed me to a Debian Administration article explaining a generic iptables TCP proxy. Applied to the problem at hand, their script would look like this:

YourIP=<my-server-ip>
YourPort=8112
TargetIP=10.200.200.2
TargetPort=8112

iptables -t nat -A PREROUTING --dst $YourIP -p tcp --dport $YourPort -j DNAT \
--to-destination $TargetIP:$TargetPort
iptables -t nat -A POSTROUTING -p tcp --dst $TargetIP --dport $TargetPort -j SNAT \
--to-source $YourIP
iptables -t nat -A OUTPUT --dst $YourIP -p tcp --dport $YourPort -j DNAT \
--to-destination $TargetIP:$TargetPort


Unfortunately, traffic between the veth interfaces ceased and nothing else happened. However, @schnouki also suggested the use of socat as a TCP proxy and this is working perfectly.

curl -Is <my-server-ip>:8112 | head -1
IP 10.200.200.1.43384 > 10.200.200.2.8112: tcp 913
IP 10.200.200.2.8112 > 10.200.200.1.43384: tcp 1495


I have yet to understand the strange port shuffling while traffic is traversing through the veth interfaces, but my problem is solved now.

• Disclaimer: I have no experience with veth devices at all (find this very interesting, though… 😉 ). Have you used tcpdump for checking how far the incoming packets get? If tcpdump -i veth0 doesn’t show anything then tcpdump -i lo may be necessary.
– Hauke Laging
Jan 25 ’16 at 23:04

• I added the non-verbose output of tcpdump
– pskiebe
Jan 26 ’16 at 16:41

iptables openvpn port-forwarding network-namespaces

edited Feb 1 ’16 at 21:47

asked Jan 25 ’16 at 12:17

pskiebe

I’ve always had issues with iptables redirections (probably my fault, I’m pretty sure it’s doable). But for a case like yours, it’s IMO easier to do it in user-land without iptables.

Basically, you need to have a daemon in your “default” workspace listening on TCP port 8112 and redirecting all traffic to 10.200.200.2 port 8112. So it’s a simple TCP proxy.

Here’s how to do it with socat:

socat tcp-listen:8112,reuseaddr,fork tcp-connect:10.200.200.2:8112


(The fork option is needed to avoid socat from stopping after the first proxied connection is closed).

EDIT: added reuseaddr as suggested in the comments.

If you absolutely want to do it with iptables, there’s a guide on the Debian Administration site. But I still prefer socat for more advanced stuff — like proxying IPv4 to IPv6, or stripping SSL to allow old Java programs to connect to secure services…

Beware however that all connections in Deluge will be from your server IP instead of the real client IP. If you want to avoid that, you will need to use a real HTTP reverse proxy that adds the original client IP to the proxied request in a HTTP header.

edited Mar 29 ’16 at 12:47

answered Feb 1 ’16 at 0:26

Schnouki

• You just made my day! I never came across socat and it accomplishes exactly what I was trying to do with iptables for quite some time now. I tested several applications and they are all working flawlessly, connecting to the outside world through tun0, while still providing access to their web interface through veth1.
– pskiebe
Feb 1 ’16 at 21:25

• After doing some testing, I added the reuseaddr flag. This prevents port already in use errors when starting and stopping socat in rapid succession: socat -4 TCP-LISTEN:8112,reuseaddr,fork TCP:10.200.200.2:8112
– pskiebe
Feb 1 ’16 at 21:55
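
What the socat one-liner in this answer does, written out as an added example (not part of the original post and not socat's own code): a small Python relay run on loopback with ephemeral ports. `start_relay`, `start_backend` and `demo` are illustrative names; the backend is a constructed stand-in for deluge-web that records the peer address it sees, which is the relay's outgoing socket and not the client's.

```python
"""Userland TCP relay, the equivalent of
socat tcp-listen:8112,reuseaddr,fork tcp-connect:10.200.200.2:8112
demonstrated on 127.0.0.1 with ephemeral ports so it runs offline."""
import socket
import threading


def _pipe(src, dst):
    """Copy bytes one way until EOF, then half-close the other side."""
    try:
        while True:
            data = src.recv(4096)
            if not data:
                break
            dst.sendall(data)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass


def start_relay(listen_addr, target_addr, upstream_log):
    """Accept on listen_addr; open a NEW connection to target_addr per client."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)  # socat: reuseaddr
    # Binding one specific address (not 0.0.0.0) keeps the proxied web UI
    # off interfaces that were never meant to reach it.
    srv.bind(listen_addr)
    srv.listen()

    def handle(client):
        try:
            upstream = socket.create_connection(target_addr)
        except OSError:
            client.close()
            return
        upstream_log.append(upstream.getsockname())  # source address the backend will see
        back = threading.Thread(target=_pipe, args=(upstream, client), daemon=True)
        back.start()
        _pipe(client, upstream)
        back.join()
        client.close()
        upstream.close()

    def accept_loop():
        while True:
            try:
                client, _ = srv.accept()
            except OSError:
                return
            # socat: fork (one handler per connection, listener keeps running)
            threading.Thread(target=handle, args=(client,), daemon=True).start()

    threading.Thread(target=accept_loop, daemon=True).start()
    return srv


def start_backend(seen_peers):
    """Constructed stand-in for the web UI: logs the peer, answers 200."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen()

    def loop():
        while True:
            try:
                conn, peer = srv.accept()
            except OSError:
                return
            seen_peers.append(peer)
            conn.recv(4096)
            conn.sendall(b"HTTP/1.1 200 OK\r\n\r\n")
            conn.close()

    threading.Thread(target=loop, daemon=True).start()
    return srv


def demo():
    seen, upstream_log = [], []
    backend = start_backend(seen)
    relay = start_relay(("127.0.0.1", 0), backend.getsockname(), upstream_log)
    with socket.create_connection(relay.getsockname()) as client:
        client_addr = client.getsockname()
        client.sendall(b"HEAD / HTTP/1.1\r\n\r\n")
        reply = b""
        while True:
            chunk = client.recv(4096)
            if not chunk:
                break
            reply += chunk
    return {
        "status_line": reply.split(b"\r\n")[0].decode(),
        "client_addr": client_addr,          # what a direct connection would show
        "backend_saw": seen[0],              # what the backend actually logged
        "relay_upstream_addr": upstream_log[0],
    }


if __name__ == "__main__":
    print(demo())
```

Because the backend only ever sees the relay's socket, access controls or logs in the proxied application cannot distinguish LAN clients; that has to be enforced at the listener or by an HTTP reverse proxy that forwards the client address, as the answer notes.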

Interconnecting network namespace with main namespace always bothers me.
The reason I usually create a namespace is because I want it isolated.
Depending on what it is you are trying to achieve with namespaces creating interconnects can defeat that purpose.

But even isolated I still want to poke it over the network, for convenience.

This solution lets you keep isolation and forward some connections to it anyway.
You don’t need to create all that network between the two network namespaces just to forward one port.
Run this in the namespace where you want to accept connections.
Must be run as root for ip netns exec to work.

socat tcp-listen:8112,fork,reuseaddr \
  exec:'ip netns exec myvpn socat STDIO tcp-connect:127.0.0.1:8112',nofork


It listens for connections in one network namespace where you run it, on port 8112, then connected client gets exec to run ip netns exec myvpn ... to execute the rest inside the myvpn network namespace, then once inside the myvpn network namespace it creates second connection again with another socat.

For deluge here is my solution. No need for iptables. Here are the steps:

2. Create namespace and bring your openvpn tunnel there:

ip netns add $NS
# Wait for the TUN to come up
while [[ $(ip route|grep $TUN|wc -l) == 0 ]]; do sleep 1; done
MY_IP=$(ip addr show $TUN|grep inet|cut -d' ' -f6|cut -d'/' -f1)
# The way you extract gateway IP might be different for your openvpn connection
GATEWAY_IP=$MY_IP
# jail my $TUN (VPN interface) into the namespace
ip link set $TUN netns $NS
# Bring the interface up with a subnet (equivalent to the one given to me by VPN server)
ip netns exec $NS ifconfig $TUN $MY_IP/24 up
# Bring loopback up
ip netns exec $NS ifconfig lo 127.0.0.1/8 up
# Set up remote gateway (your pointtopoint VPN IP address)
ip netns exec $NS route add default gw $GATEWAY_IP

3. Establish veth connection between your default namespace and the one you’ve created:

# Set up veth interfaces for communication between namespaces
ip link add veth0 type veth peer name veth1
# Move the second veth to your namespace
ip link set veth1 netns $NS
# give an IP from unused IP range to first veth
ifconfig veth0 10.1.1.1/24 up
# And the second one
ip netns exec $NS ifconfig veth1 10.1.1.2/24 up
# TODO: set up a bridge between veth1 and eth interface to let it communicate with LAN
# Set up DNS client. ip netns will emulate /etc/resolv.conf using this file:
mkdir -p /etc/netns/$NS
echo "nameserver 8.8.4.4" >/etc/netns/$NS/resolv.conf

4. Run your deluged in the $NS and your deluge-web in your default namespace. Point deluge-web to the 10.1.1.2 veth IP address, where deluged will be listening for its connection.

Voila! You’ve got deluged secured behind the VPN while your deluge-web is freely accessible on your home network

@AndrDevEK’s answer is useful. To expand upon that, you may not want to install socat. In which case you can achieve the same thing with a slightly convoluted SSH port-forward setup. In particular the feature of port-forwarding to/from a unix-domain socket is useful here, because unix-domain sockets operate independently of network namespaces:

sudo ip netns exec myvpn su -c "ssh -N -L /tmp/myunixsock:localhost:8112 localhost" $USER &
ssh_pid1=$!
ssh -N -L localhost:8112:/tmp/myunixsock localhost &
ssh_pid2=$!


Cleanup:

sudo kill $ssh_pid1
kill $ssh_pid2
rm /tmp/myunixsock


The first ssh -N -L is started within the myvpn namespace. This creates a unix-domain socket /tmp/myunixsock and listens on it. Incoming connections are forwarded to localhost:8112 (inside the myvpn namespace). The second ssh -N -L is started in the default namespace. This creates a listening TCP port and forwards incoming connections to the unix-domain socket.

It should be noted that in order for this to work, ssh inside your network namespace will need to be working if it is not already (and passwordless pubkey operation is helpful):

sudo ip netns exec myvpn ip link set up dev lo
sudo ip netns exec myvpn /usr/sbin/sshd -o PidFile=/run/sshd-myvpn.pid
ssh-copy-id localhost
This prevents port already in use errors when starting and stopping socat in rapid succession: socat -4 TCP-LISTEN:8112,reuseaddr,fork TCP:10.200.200.2:8112 âÂ pskiebe Feb 1 ’16 at 21:55 1 You just made my day! I never came across socat and it accomplishes exactly what I was trying to do with iptables for quite some time now. I tested several applications and they are all working flawlessly, connecting to the outside world through tun0, while still providing access to their web interface through veth1. âÂ pskiebe Feb 1 ’16 at 21:25 You just made my day! I never came across socat and it accomplishes exactly what I was trying to do with iptables for quite some time now. I tested several applications and they are all working flawlessly, connecting to the outside world through tun0, while still providing access to their web interface through veth1. âÂ pskiebe Feb 1 ’16 at 21:25 1 After doing some testing, I added the reuseaddr flag. This prevents port already in use errors when starting and stopping socat in rapid succession: socat -4 TCP-LISTEN:8112,reuseaddr,fork TCP:10.200.200.2:8112 âÂ pskiebe Feb 1 ’16 at 21:55 After doing some testing, I added the reuseaddr flag. This prevents port already in use errors when starting and stopping socat in rapid succession: socat -4 TCP-LISTEN:8112,reuseaddr,fork TCP:10.200.200.2:8112 âÂ pskiebe Feb 1 ’16 at 21:55 Interconnecting network namespace with main namespace always bothers me. The reason I usually create a namespace is because I want it isolated. Depending on what it is you are trying to achieve with namespaces creating interconnects can defeat that purpose. But even isolated I still want to poke it over the network, for convenience. This solution lets you keep isolation and forward some connections to it anyway. You don’t need to create all that network between the two network namespaces just to forward one port. Run this in the namespace where you want to accept connections. 
Must be run as root for ip netns exec to work. socat tcp-listen:8112,fork,reuseaddr exec:'ip netns exec myvpn socat STDIO tcp-connect:127.0.0.1:8112',nofork  It listens for connections in one network namespace where you run it, on port 8112, then connected client gets exec to run ip netns exec myvpn ... to execute the rest inside the myvpn network namespace, then once inside the myvpn network namespace it creates second connection again with another socat. Interconnecting network namespace with main namespace always bothers me. The reason I usually create a namespace is because I want it isolated. Depending on what it is you are trying to achieve with namespaces creating interconnects can defeat that purpose. But even isolated I still want to poke it over the network, for convenience. This solution lets you keep isolation and forward some connections to it anyway. You don’t need to create all that network between the two network namespaces just to forward one port. Run this in the namespace where you want to accept connections. Must be run as root for ip netns exec to work. socat tcp-listen:8112,fork,reuseaddr exec:'ip netns exec myvpn socat STDIO tcp-connect:127.0.0.1:8112',nofork  It listens for connections in one network namespace where you run it, on port 8112, then connected client gets exec to run ip netns exec myvpn ... to execute the rest inside the myvpn network namespace, then once inside the myvpn network namespace it creates second connection again with another socat. Interconnecting network namespace with main namespace always bothers me. The reason I usually create a namespace is because I want it isolated. Depending on what it is you are trying to achieve with namespaces creating interconnects can defeat that purpose. But even isolated I still want to poke it over the network, for convenience. This solution lets you keep isolation and forward some connections to it anyway. 
You don’t need to create all that network between the two network namespaces just to forward one port. Run this in the namespace where you want to accept connections. Must be run as root for ip netns exec to work. socat tcp-listen:8112,fork,reuseaddr exec:'ip netns exec myvpn socat STDIO tcp-connect:127.0.0.1:8112',nofork  It listens for connections in one network namespace where you run it, on port 8112, then connected client gets exec to run ip netns exec myvpn ... to execute the rest inside the myvpn network namespace, then once inside the myvpn network namespace it creates second connection again with another socat. Interconnecting network namespace with main namespace always bothers me. The reason I usually create a namespace is because I want it isolated. Depending on what it is you are trying to achieve with namespaces creating interconnects can defeat that purpose. But even isolated I still want to poke it over the network, for convenience. This solution lets you keep isolation and forward some connections to it anyway. You don’t need to create all that network between the two network namespaces just to forward one port. Run this in the namespace where you want to accept connections. Must be run as root for ip netns exec to work. socat tcp-listen:8112,fork,reuseaddr exec:'ip netns exec myvpn socat STDIO tcp-connect:127.0.0.1:8112',nofork  It listens for connections in one network namespace where you run it, on port 8112, then connected client gets exec to run ip netns exec myvpn ... to execute the rest inside the myvpn network namespace, then once inside the myvpn network namespace it creates second connection again with another socat. edited Jul 26 ’16 at 16:50 answered Jul 26 ’16 at 16:08 AndrDevEK 17528 17528 For deluge here is my solution. No need for iptables. Here are the steps: 1. Start your openvpn tunnel 2. Create namespace and bring your openvpn tunnel there: ip netns add$NS
# Wait for the TUN to come up
while [[ $(ip route|grep $TUN|wc -l) == 0 ]]; do sleep 1; done
MY_IP=$(ip addr show $TUN|grep inet|cut -d' ' -f6|cut -d'/' -f1)
# The way you extract gateway IP might be different for your openvpn connection
GATEWAY_IP=$MY_IP
# jail my $TUN (VPN interface) into the namespace
ip link set $TUN netns $NS
# Bring the interface up with a subnet (equivalent to the one given to me by VPN server)
ip netns exec $NS ifconfig $TUN $MY_IP/24 up
# Bring loopback up
ip netns exec $NS ifconfig lo 127.0.0.1/8 up
ip netns exec $NS route add default gw $GATEWAY_IP

3. Establish veth connection between your default namespace and the one you’ve created:

# Set up veth interfaces for communication between namespaces
ip link add veth0 type veth peer name veth1
# Move the second veth to your namespace
ip link set veth1 netns $NS
# give an IP from unused IP range to first veth
ifconfig veth0 10.1.1.1/24 up
# And the second one
ip netns exec $NS ifconfig veth1 10.1.1.2/24 up
# TODO: set up a bridge between veth1 and eth interface to let it communicate with LAN
# Set up DNS client. ip netns will emulate /etc/resolv.conf using this file:
mkdir -p /etc/netns/$NS
echo "nameserver 8.8.4.4" >/etc/netns/$NS/resolv.conf

4. Run your deluged in the $NS and your deluge-web in your default namespace. Point deluge-web to the 10.1.1.2 veth IP address, where deluged will be listening for its connection.

Voila! You’ve got deluged secured behind the VPN while your deluge-web is freely accessible on your home network

answered Mar 19 ’17 at 1:45 Vlad
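The caveat in the socat answer, that the service behind the forwarder sees every connection as coming from the forwarding host, shown as an added Python example (not code from any of the answers): a loopback stand-in for `socat tcp-listen:…,reuseaddr,fork tcp-connect:…` that also records which client each upstream connection belongs to, so a backend log entry can still be attributed. The function names, the loopback addresses and the ephemeral ports are assumptions made for the demo; on a single host the source port stands in for the client address.

```python
import socket
import threading


def pipe(src, dst):
    """Copy bytes one way until EOF, then half-close the destination."""
    try:
        while True:
            data = src.recv(4096)
            if not data:
                break
            dst.sendall(data)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass  # peer already gone


def listen(addr):
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)  # socat: reuseaddr
    srv.bind(addr)
    srv.listen()
    return srv


def start_backend(seen):
    """Stand-in for the web UI inside the namespace: records the peer it sees."""
    srv = listen(("127.0.0.1", 0))

    def serve():
        while True:
            conn, peer = srv.accept()
            with conn:
                seen.append(peer)  # what the service would write to its access log
                conn.recv(1024)
                conn.sendall(b"ok")

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()


def start_forwarder(target, audit):
    """socat-style forwarder that logs the client -> upstream-source mapping."""
    srv = listen(("127.0.0.1", 0))

    def handle(client, client_addr):
        try:
            upstream = socket.create_connection(target, timeout=5)
        except OSError:
            client.close()
            return
        upstream.settimeout(None)
        audit.append({"client": client_addr,
                      "upstream_src": upstream.getsockname()})
        back = threading.Thread(target=pipe, args=(upstream, client), daemon=True)
        back.start()
        pipe(client, upstream)
        back.join()
        client.close()
        upstream.close()

    def accept_loop():
        while True:
            client, addr = srv.accept()
            # socat: fork -> one handler per connection, listener keeps accepting
            threading.Thread(target=handle, args=(client, addr), daemon=True).start()

    threading.Thread(target=accept_loop, daemon=True).start()
    return srv.getsockname()


def resolve_client(backend_peer, audit):
    """Map an address from the backend's log back to the real client.

    Searches newest-first so a reused source port resolves to its latest owner.
    """
    for entry in reversed(audit):
        if entry["upstream_src"] == backend_peer:
            return entry["client"]
    return None


def demo(connections=2):
    seen, audit, rows = [], [], []
    backend = start_backend(seen)
    forwarder = start_forwarder(backend, audit)
    for i in range(connections):
        with socket.create_connection(forwarder, timeout=5) as c:
            c.sendall(b"ping")
            reply = b""
            while chunk := c.recv(16):
                reply += chunk
            rows.append({"client": c.getsockname(), "reply": reply,
                         "backend_saw": seen[i],
                         "resolved": resolve_client(seen[i], audit)})
    return rows


if __name__ == "__main__":
    for row in demo():
        print(row)
```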


@AndrDevEK’s answer is useful. To expand upon that, you may not want to install socat. In which case you can achieve the same thing with a slightly convoluted SSH port-forward setup. In particular the feature of port-forwarding to/from a unix-domain socket is useful here, because unix-domain sockets operate independently of network namespaces:

sudo ip netns exec myvpn su -c "ssh -N -L /tmp/myunixsock:localhost:8112 localhost" $USER &
ssh_pid1=$!
ssh -N -L localhost:8112:/tmp/myunixsock localhost &
ssh_pid2=$!

Cleanup:

sudo kill $ssh_pid1
kill $ssh_pid2
rm /tmp/myunixsock

The first ssh -N -L is started within the myvpn namespace. This creates a unix-domain socket /tmp/myunixsock and listens on it. Incoming connections are forwarded to localhost:8112 (inside the myvpn namespace).
The second ssh -N -L is started in the default namespace. This creates a listening TCP port and forwards incoming connections to the unix-domain socket.

It should be noted that in order for this to work, ssh inside your network namespace will need to be working if it is not already (and passwordless pubkey operation is helpful):

sudo ip netns exec myvpn ip link set up dev lo
sudo ip netns exec myvpn /usr/sbin/sshd -o PidFile=/run/sshd-myvpn.pid
ssh-copy-id localhost

answered 11 mins ago Digital Trauma

## Restrict inbound access on localhost:TCP port

For reasons beyond my control, I have a binary that binds to TCP “localhost:$PORT”. (Unix socket bindings would make this question moot).

If I understand correctly, this means that although no network machine can connect, other users on the machine (including unprivileged daemon users) can connect to this port.

Is there some way for me to specify that only binaries running as $me should be allowed to connect to this port? I can become root in order to specify the configuration, but the listening binary and the connecting binaries both run as the non-root $me user

linux networking tcp port

asked 4 mins ago Soumya

## Nested Port Forward

Is there a built in software way to essentially port forward like the following?

example.com/81/* -> example.com:81/*
example.com/82/* -> example.com:82/*
...

Alternatively maybe for subdomains something similar?

example.com/a/* -> a.example.com/*
example.com/b/* -> b.example.com/*
...

I understand there may be speed issues but I would like to essentially access all ports on my machine when only being able to open one port through my router. I believe I can feasibly get this to work with pipes with node.js but this seems like it may be a common need.

port-forwarding

asked 8 mins ago William

## VMWare vCentre Appliance boots into GRUB

I did post this question in VMWare communities, but 11 days later there’s been no response, so I thought I’d try on a more general *nix forum.

After an upgrade of my VCSA to version 6.5.0.22000-9451637, on reboot it gets stuck on the GRUB screen with the following:

setparams 'Photon'
linux "/"$photon_linux root=$rootpartition net.ifname=0 $photon_cmd
line coredump_filter=0x37 consoleblank=0
if [ "$photon_initrd" ]; then
initrd "/"$photon_initrd
fi


If I then press F10 (to boot), I get the error message:

Booting a command list
error: not a regular file.
Press any key to continue...


The only reference to the issue is here, where the OP mentions how he fixed the issue:

I found broken link from photon.cfg to old linux-4.9.99-1.ph2-esx.cfg

Trouble is, I don’t know where to start to look for photon.cfg. Apart from the fact that it has 12 virtual disks, I don’t know enough about GRUB to know how to get out of it, therefore, any pointers would be greatly appreciated.

TIA

grub2 vmware

asked 1 min ago woter324
## Lazy Loading for Lightning Components

Need some advice. Following is the code for lightning app, where all components are included. I am running out of various governor limits when they execute together. Hence, I am planning to make their context separate.

What would be the best solution to invoke/execute each lightning component in separate context by keeping all of them single app? Thanks in advance!

<aura:application extends="force:slds">
    <c:ComponentOne />
    <c:ComponentTwo />
    <c:ComponentThree />
    <c:ComponentFour />
    <c:ComponentFive />
    <c:ComponentSix />
    .
    .
    .
</aura:application>

lightning-components lightning lightning-experience lightning-apps

edited 5 hours ago

asked 5 hours ago

Devendra

• Can you clarify what do you refer by this — I am planning to make their context separate, as how are you planning to separate the context? I would imagine using aura:if here to load the other components only when required should be your approach.
– Jayant Das
5 hours ago

• Not sure what you are doing in each of them but when u talk about lazyloading components you use aura:if as the child dom would not be loaded in the first place. More on Best Practices for Conditional Markup
– codeyinthecloud
5 hours ago

• @JayantDas I would like to load all components in single app, hence I can’t use aura:if. Assuming I have VF page and different VF components, I would have used <apex:actionFunction> inside each VF component to perform lazy loading. Similarly, I am looking for a solution in case of lightning component.
– Devendra
5 hours ago

• I would like to load all components in single app, hence I can’t use aura:if — you can still use aura:if to load all components in single app. Based on what you have in your snippet in your question, you just surround other components which you want to lazy load in an aura:if and load only based on the condition.
– Jayant Das
5 hours ago

• @Devendra If you are talking about loading one component after other you will have to implement some sort of custom time based mechanism either by aura:if or $A.createComponent by loading them dynamically in javascript; either approach would not load the dom so all the onload functionalities (such as server calls, which is why you’re probably talking about governor limits) are held until they render. One other way would be to trigger $A.createComponent on after render of each component
– codeyinthecloud
5 hours ago

## 2 Answers

One thing you can do to make context different is use action.setBackground() action. So action call that is making use of most of apex limit can be used as background action.

Another solution can be using aura:if or dynamically creating components using $A.createComponent.

Least preferred solution can be using enqueueAction

https://medium.com/manj-force/did-a-enqueueaction-action-grouped-your-actions-f33ce710f0e3

answered 4 hours ago

Manjot Singh

• +1 from me, nice that you made me recall about the background actions!
– codeyinthecloud
4 hours ago

• Background actions do not guarantee separate execution contexts, though, only that they are separate from foreground actions. But it can definitely alleviate problems.
– sfdcfox
4 hours ago

• Yes all the background actions can be grouped again that’s why I asked that only API call that is consuming more limits should be background action.
– Manjot Singh
3 hours ago

Just to get the flow you are looking for: you have an app container loading multiple children and you wanted to load one child after the other child to make sure the server calls on each child won’t throw you into risk of governor limits.

There are a couple of ways you could try this. But the idea here is to delay server calls (run them in some kind of series setup rather than parallel).

1. Use aura:if or $A.createComponent and implement some sort of time lag mechanism (this would still not guarantee a proper series mechanism, as it’s hard to calculate the time).
2. Use aura:if or $A.createComponent and fire an event from the first component on the success response of the server call that will reach the app and load the second component, and so on until you load the subsequent components.
3. Use $A.createComponent and fire afterRender event in the first loaded component and capture it in the parent to load the next one, and so on.
4. Like @manjotsingh suggested, Background Actions can be preferred too!

Note: This is theoretical

edited 4 hours ago

codeyinthecloud
