I checked previously and it just didn't work until I used @domain
I didn't notice rule duplication on rebuild switch, I guess in between they just flush all -> forbid all -> flush -> apply new rules.
Just send the ping or telnet from intl to the hk end's NATed address. It gets rejected (in the logs) on the hk side, and then it sends destination/port unreachable to the unNATed intl (it's done…
Most likely because intl is NATed, and altnet is not, which interferes with conntrack rules in iptables.
cargo fmt and cargo clippy changes
It's nice to do, but maybe also add rustfmt.toml like in artiq-zynq? Also similar to it, add to hydra jobs, so it would run in CI and at least post-factum contributors would know that their…
If this note applies to the thermostats excluding 2.2.4, then yes
I guess prior would be better word instead of before
Appears that firewall indeed does reject the AH+GRE packets from intl host by default - it happens before these packages get unwrapped to other interfaces. Latest commit with iptables extra…