https://wiki.archlinux.org/api.php?action=feedcontributions&user=Ender4&feedformat=atomArchWiki - User contributions [en]2024-03-28T13:59:47ZUser contributionsMediaWiki 1.41.0https://wiki.archlinux.org/index.php?title=Rust&diff=776899Rust2023-05-04T05:32:13Z<p>Ender4: Update after binaries were moved to /usr/lib/rustup/bin</p>
<hr />
<div>[[Category:Programming languages]]<br />
[[ja:Rust]]<br />
[[pt:Rust]]<br />
[[ru:Rust]]<br />
{{Related articles start}}<br />
{{Related|Rust package guidelines}}<br />
{{Related articles end}}<br />
<br />
From [[Wikipedia:Rust (programming language)|Wikipedia]]:<br />
:[https://rust-lang.org/ Rust] is a general-purpose, multi-paradigm, compiled programming language sponsored by Mozilla Research. It is designed to be a "safe, concurrent, practical language", supporting pure-functional, imperative-procedural, and object-oriented styles. The goal of Rust is to be a good language for creating highly concurrent and highly safe systems, and programming in the large. This has led to a feature set with an emphasis on safety, control of memory layout, and concurrency. Performance of idiomatic Rust is comparable to the performance of idiomatic C++.<br />
<br />
== Core language ==<br />
<br />
=== Rust Core Library ===<br />
<br />
The [https://doc.rust-lang.org/core/ Rust Core Library] is the dependency-free foundation of the Rust Standard Library. It interfaces directly with LLVM primitives, which allows Rust to be platform- and hardware-agnostic. It is this integration with LLVM that allows Rust to obtain greater performance than equivalent C applications compiled with Clang, making Rust software designed with libcore lower level than C. It contains only basic platform-independent types such as {{ic|Option}}, {{ic|Result}}, and {{ic|Iterator}}. Developers looking to target software for embedded platforms may forgo the standard library with {{ic|#![no_std]}} to exclusively use the no-batteries-included core library for smaller binary sizes and improved performance. However, using {{ic|#![no_std]}} limits the amount of software support that you can get from the larger Rust community, as a majority of libraries require the standard library.<br />
<br />
=== Rust Standard Library ===<br />
<br />
The [https://doc.rust-lang.org/std/index.html Rust Standard Library] provides the convenient high-level abstractions with which a majority of portable Rust software is created. It offers features such as the {{ic|Vec}} and {{ic|String}} types; a vast number of methods for language primitives; a large number of standard macros; I/O and multithreading support; heap allocations with {{ic|Box}}; and many more high-level features not available in the core library.<br />
<br />
=== Release cycle ===<br />
<br />
Rust follows a regular six-week release cycle, similar to the release cycle of Firefox. With each new release, the core and standard libraries are improved to support more platforms, improve performance, and stabilize new features for use with stable Rust.<br />
<br />
== Installation ==<br />
<br />
The two main ways to install Rust are:<br />
<br />
* The Native installation, recommended if you only use Rust for running or installing software made with Rust<br />
* The Rustup installation, recommended if you intend to program anything in Rust<br />
<br />
=== Native installation ===<br />
<br />
To [[install]] the latest stable version of Rust from the official Arch Linux software repository, [[install]] the {{Pkg|rust}} package. This will install the {{ic|rustc}} compiler and [[#Cargo|Cargo]].<br />
<br />
There is also a development version of the Rust compiler available: {{AUR|rust-nightly-bin}} for prebuilt generic binaries or {{AUR|rust-git}} to build the compiler with system libraries.<br />
<br />
=== Rustup ===<br />
<br />
The official and recommended method of installing Rust for the purpose of developing software is to use the [https://www.rustup.rs/ Rustup toolchain manager], written in Rust.<br />
<br />
The benefit of using the Rustup toolchain manager instead of the standalone prepackaged Rust in the software repository is the ability to install multiple toolchains (stable, beta, nightly) for multiple targets (windows, mac, android) and architectures (x86, x86_64, arm).<br />
<br />
There are two choices for a Rustup installation: one is supported by Arch Linux via pacman, while the other is officially supported by Rust via their installation script.<br />
<br />
==== Arch Linux package ====<br />
<br />
{{Pkg|rustup}} is available on the Arch Linux software repository. Note that {{ic|rustup self update}} will '''not''' work when installed this way; the package needs to be updated by pacman.<br />
<br />
This package has the advantage that the various Rust executables live in {{ic|/usr/lib/rustup/bin}} instead of {{ic|~/.cargo/bin}}. It also creates a system profile configuration that automatically adds that directory to the system {{ic|PATH}}, removing the need to add another directory to your {{ic|PATH}} yourself.<br />
<br />
{{note|The {{Pkg|rustup}} package does '''not''' install a toolchain by default. Instead, it provides symlinks between {{ic|/usr/bin/rustup}} and the common binaries such as {{ic|/usr/lib/rustup/bin/rustc}} and {{ic|/usr/lib/rustup/bin/cargo}}. As stated above, the user still needs to install a toolchain manually for these Rust commands to do anything.}}<br />
<br />
In order to install the toolchain, you need to tell rustup which version to use: {{ic|stable}} or {{ic|nightly}}.<br />
<br />
Example:<br />
{{bc|$ rustup default stable}}<br />
<br />
==== Upstream installation script ====<br />
<br />
Rustup is also available to download and install manually via [https://rustup.rs/ rustup's official web page].<br />
<br />
Download the file with {{ic|<nowiki>curl --proto '=https' --tlsv1.3 -sSf https://sh.rustup.rs -o rust.sh</nowiki>}}, view it with {{ic|less ./rust.sh}}, and run the script {{ic|./rust.sh}} to start the rustup installation. The script makes PATH changes only to login shell [[Bash#Invocation|configuration files]]. You need to {{ic|source ~/.cargo/env}} until you log out and log back in to the system. To update rustup afterwards, run {{ic|rustup self update}}.<br />
<br />
The script installs and activates the default toolchain by default (the one used by the {{Pkg|rust}} package), so there is no need to manually install it to start using Rust.<br />
<br />
{{Warning|Running {{ic|curl ''some-url'' {{!}} sh}}, as the Rust documentation suggests, is considered a security risk because it executes unknown code, which might even be corrupted during the download. It is therefore recommended to download the script manually and check it before executing it.}}<br />
<br />
{{Note|Please make sure that {{ic|~/.cargo/bin}} is in your {{ic|PATH}} when you run {{ic|rustup}}.}}<br />
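<br />
The download, review and run steps above leave a gap between the copy you read and the copy you execute. The following shell functions are an added example (not part of the original page or of rustup; the function names and the pin-file name are hypothetical) that record the SHA-256 of the script at review time and refuse to run a file that is missing, truncated or otherwise different. It assumes {{ic|sha256sum}} from coreutils.<br />

```sh
#!/bin/sh
# Added example, not from the wiki page or the rustup project.
# Function names and the pin-file name are assumptions of this example.

# digest_of FILE: print the hex SHA-256 of FILE.
digest_of() {
    sha256sum < "$1" | cut -d' ' -f1
}

# record_review FILE PINFILE: call once you have read FILE (e.g. less ./rust.sh).
record_review() {
    [ -s "$1" ] || { echo "refusing to pin missing or empty file: $1" >&2; return 1; }
    digest_of "$1" > "$2"
}

# verify_reviewed FILE PINFILE: succeed only if FILE is byte-identical
# to the copy whose digest was recorded.
verify_reviewed() {
    [ -s "$1" ] || { echo "missing or empty script: $1" >&2; return 1; }
    [ -s "$2" ] || { echo "no recorded review for: $1" >&2; return 1; }
    reviewed=$(cat "$2")
    found=$(digest_of "$1")
    if [ "$reviewed" != "$found" ]; then
        echo "digest mismatch for $1: reviewed $reviewed, found $found" >&2
        return 1
    fi
}

# run_reviewed FILE PINFILE [ARGS...]: execute FILE only after verification.
run_reviewed() {
    script=$1
    pin=$2
    shift 2
    verify_reviewed "$script" "$pin" || return 1
    sh "$script" "$@"
}

# self_check: offline demonstration on a constructed stand-in for rust.sh.
self_check() {
    dir=$(mktemp -d) || return 1
    printf '%s\n' '#!/bin/sh' 'echo "constructed installer ran"' > "$dir/rust.sh"
    record_review "$dir/rust.sh" "$dir/rust.sh.sha256" || { rm -rf "$dir"; return 1; }
    rc=0
    # The reviewed file runs.
    [ "$(run_reviewed "$dir/rust.sh" "$dir/rust.sh.sha256")" = "constructed installer ran" ] || rc=1
    # A file cut short in transit (simulated with head -c) is refused.
    head -c 12 "$dir/rust.sh" > "$dir/partial" && mv "$dir/partial" "$dir/rust.sh"
    if run_reviewed "$dir/rust.sh" "$dir/rust.sh.sha256" 2>/dev/null; then rc=1; fi
    rm -rf "$dir"
    return "$rc"
}

self_check && echo "self-check passed"
```

Typical use after reading the script: {{ic|record_review rust.sh rust.sh.sha256}}, then {{ic|run_reviewed rust.sh rust.sh.sha256}}. The pin only proves the file has not changed since you read it; it says nothing about whether the content is trustworthy.<br />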
<br />
==== Usage ====<br />
<br />
You might need to manually install a toolchain, e.g. {{ic|stable}}, {{ic|beta}}, {{ic|nightly}} or {{ic|1.58.0}}. You also need to do this if you want to use/test another toolchain.<br />
<br />
$ rustup toolchain install ''toolchain''<br />
<br />
You can now run the Rust commands with {{ic|rustup run ''toolchain'' ''command''}}. However, to use these commands directly, you need to activate the toolchain:<br />
<br />
$ rustup default ''toolchain''<br />
<br />
Check the installed Rust version using {{ic|rustc -V}}:<br />
<br />
{{hc|$ rustc -V |<br />
rustc 1.58.0 (02072b482 2022-01-11)<br />
}}<br />
<br />
{{Note|<br />
Rust does not do its own linking, so you will need to have a linker installed. You can use {{Pkg|gcc}}; otherwise Rust will generate the following error: {{ic|error: linker `cc` not found.}}<br />
}}<br />
<br />
=== Test your installation ===<br />
<br />
Check that Rust is installed correctly by building a simple program, as follows:<br />
<br />
{{hc|~/hello.rs|<br />
fn main() {<br />
    println!("Hello, World!");<br />
}<br />
}}<br />
<br />
You can compile it with {{ic|rustc}}, then run it:<br />
<br />
{{hc|$ rustc hello.rs && ./hello|<br />
Hello, World!<br />
}}<br />
<br />
== Cross compiling ==<br />
<br />
=== Using rustup ===<br />
<br />
You can easily cross-compile using Rustup. Rustup supports many cross-compile targets. A full list can be found by running {{ic|rustup target list}}.<br />
<br />
For instance, to install Rust using the stable channel for Windows with the GNU compiler, run:<br />
<br />
$ rustup toolchain install stable-x86_64-pc-windows-gnu<br />
<br />
This will only install rust and its tools for your target architecture, but some additional tools might be needed for cross-compiling.<br />
<br />
=== Windows ===<br />
<br />
In this section, {{ic|$ARCH}} is the target architecture (either {{ic|x86_64}} or {{ic|i686}}). The section explains how to cross compile using rustup.<br />
<br />
# [[Install]] {{Pkg|mingw-w64-gcc}}<br />
# Run {{ic|rustup target add $ARCH-pc-windows-gnu}} to install the Rust standard library for your architecture.<br />
# Finally, tell cargo where to find the MinGW-w64 gcc/ar by adding the following to your {{ic|~/.cargo/config}}:<br />
{{hc|~/.cargo/config|<nowiki><br />
[target.$ARCH-pc-windows-gnu]<br />
linker = "/usr/bin/$ARCH-w64-mingw32-gcc"<br />
ar = "/usr/bin/$ARCH-w64-mingw32-ar"<br />
</nowiki>}}<br />
<br />
Finally, you can cross compile for Windows by passing {{ic|--target $ARCH-pc-windows-gnu}} to cargo:<br />
<br />
$ # Build<br />
$ cargo build --release --target "$ARCH-pc-windows-gnu"<br />
$ # Run unit tests under wine<br />
$ cargo test --target "$ARCH-pc-windows-gnu"<br />
<br />
Currently building executables using MinGW 6 and the toolchains installed by rustup is broken. To fix it, execute:<br />
<br />
 for lib in crt2.o dllcrt2.o libmsvcrt.a; do cp -v "/usr/x86_64-w64-mingw32/lib/$lib" "$HOME/.rustup/toolchains/$CHANNEL-x86_64-unknown-linux-gnu/lib/rustlib/x86_64-pc-windows-gnu/lib/"; done<br />
<br />
where {{ic|CHANNEL}} is the update channel ({{ic|stable}}, {{ic|beta}} or {{ic|nightly}}).<br />
<br />
=== Unofficial packages ===<br />
<br />
The [[Unofficial user repositories#archlinuxcn|unofficial repository archlinuxcn]] has rust-nightly and Rust std library for i686, ARM, ARMv7, Windows 32 and 64 so you can just install the one you want then enjoy cross-compiling. However, you have to find an ARM toolchain by yourself. For Windows 32bit targets, you will need to get a libgcc_s_dw2-1.dll (provided by {{Pkg|mingw-w64-gcc}}) to build and run.<br />
<br />
== Cargo ==<br />
<br />
[https://crates.io/ Cargo], Rust's package manager, is part of the {{Pkg|rust}} package. The nightly version is available in the AUR as part of {{AUR|rust-nightly-bin}}. If you use {{Pkg|rustup}}, it already includes cargo.<br />
<br />
Cargo is a tool that allows Rust projects to declare their various dependencies, and ensure that you will always get a repeatable build. You are encouraged to read the [https://doc.crates.io/guide.html official guide].<br />
<br />
=== Usage ===<br />
<br />
To create a new project using Cargo:<br />
<br />
$ cargo new hello_world <br />
<br />
This creates a directory with a default {{ic|Cargo.toml}} file, set to build an executable.<br />
<br />
{{Note|Cargo uses this {{ic|Cargo.toml}} as a manifest containing all of the metadata required to compile your project.<br />
<br />
{{hc|Cargo.toml|output=<br />
[package]<br />
name = "hello_world"<br />
version = "0.1.0"<br />
edition = "2021"<br />
<br />
[dependencies]<br />
}}<br />
}}<br />
<br />
=== Optimizing for native CPU platform ===<br />
<br />
To instruct Cargo to always compile optimal code for your CPU platform, add a flag to {{ic|~/.cargo/config}}. Please be aware that the resulting binaries cannot be distributed for use on other computers, and might even fail on your own system if you decide to change your CPU in the future.<br />
<br />
Find out which target platform is used by default on your installation:<br />
<br />
{{hc|$ rustup toolchain list|<br />
stable-x86_64-unknown-linux-gnu (default)<br />
}}<br />
<br />
In this example, we are using {{ic|stable}} rust on the {{ic|x86_64-unknown-linux-gnu}} platform.<br />
<br />
Instruct Cargo to always compile code optimized for the native CPU platform:<br />
<br />
{{hc|~/.cargo/config|<nowiki><br />
[target.x86_64-unknown-linux-gnu]<br />
rustflags = ["-C", "target-cpu=native"]<br />
</nowiki>}}<br />
<br />
=== sccache ===<br />
<br />
Compilation times can be greatly reduced by using [https://github.com/mozilla/sccache sccache] ({{Pkg|sccache}} package). This will maintain a local cache of compiler artifacts, eliminating the need to recompile code that has not changed since the last time it was compiled.<br />
<br />
To enable sccache, you can use the {{ic|RUSTC_WRAPPER}} [[environment variable]]:<br />
<br />
{{bc|1=<br />
export RUSTC_WRAPPER=sccache<br />
cargo build<br />
}}<br />
<br />
or<br />
<br />
RUSTC_WRAPPER=sccache cargo build<br />
<br />
Alternatively, add the following configuration to {{ic|~/.cargo/config}}:<br />
<br />
{{hc|~/.cargo/config|<nowiki><br />
[build]<br />
rustc-wrapper = "sccache"<br />
</nowiki>}}<br />
<br />
== IDE support ==<br />
<br />
=== Tools ===<br />
<br />
See https://www.rust-lang.org/tools for the recommended tools of the Rust project.<br />
<br />
==== rust-analyzer ====<br />
<br />
[https://rust-analyzer.github.io/ rust-analyzer] is an experimental Language Server Protocol implementation for Rust which has replaced [[#RLS]].<br />
<br />
It is available as the {{Pkg|rust-analyzer}} package, and the latest Git version is available as {{AUR|rust-analyzer-git}}. Alternatively, if you have {{Pkg|rustup}} installed, you can install rust-analyzer with:<br />
<br />
$ rustup component add rust-analyzer<br />
<br />
rust-analyzer needs the source code of the standard library. If it is not present, rust-analyzer will attempt to install it automatically using rustup. To install the source code manually using rustup, run the following command:<br />
<br />
$ rustup component add rust-src<br />
<br />
==== RLS ====<br />
<br />
{{Remove|RLS is deprecated as of {{Pkg|rust}} 1.65 in favour of [[Rust#rust-analyzer|rust-analyzer]] and no longer does anything useful.|Talk:Rust#Deprecated language servers}}<br />
<br />
[https://github.com/rust-lang/rls RLS] used to provide a [https://microsoft.github.io/language-server-protocol/ Language Server Protocol] implementation for Rust, providing IDEs, editors, and other tools with information about Rust programs. It supported functionality such as 'goto definition', symbol search, reformatting, and code completion, and enabled renaming and refactorings.<br />
<br />
RLS is included in the {{Pkg|rust}} package. To install RLS using rustup:<br />
<br />
$ rustup component add rls rust-analysis rust-src<br />
<br />
==== Racer ====<br />
<br />
{{Template:Out of date|RLS and deprecated}}<br />
<br />
[https://github.com/phildawes/racer Racer] provides code completion support for editors and IDEs. It has been superseded by RLS (which uses Racer as a fallback).<br />
<br />
It requires that you also install a copy of the Rust source code, which you can obtain in one of several ways:<br />
<br />
* With rustup: {{ic|rustup component add rust-src}}<br />
* From the AUR: {{AUR|rust-src-git}} or {{AUR|rust-nightly-src}}; in this case you must set the {{ic|RUST_SRC_PATH}} environment variable.<br />
<br />
After installing the source code, you can either use {{ic|Cargo}} to install racer or obtain it from the repos ({{AUR|rust-racer}}).<br />
<br />
$ cargo +nightly install racer<br />
<br />
==== Clippy ====<br />
<br />
[https://github.com/rust-lang/rust-clippy Clippy] takes advantage of compiler plugin support to provide a large number of additional lints for detecting and warning about a larger variety of errors and non-idiomatic Rust. <br />
<br />
Clippy is included in the {{Pkg|rust}} package. To install it with rustup use:<br />
<br />
$ rustup component add clippy<br />
<br />
==== Rustfmt ====<br />
<br />
[https://github.com/rust-lang/rustfmt Rustfmt] is a tool to format Rust code according to the official style guidelines.<br />
<br />
Rustfmt is included in the {{Pkg|rust}} package. To install it with rustup use:<br />
<br />
$ rustup component add rustfmt<br />
<br />
=== Editors ===<br />
<br />
==== Atom ====<br />
<br />
[[Atom]] support for Rust programming is provided by the [https://atom.io/packages/ide-rust ide-rust] plugin (requires rustup).<br />
<br />
==== Emacs ====<br />
<br />
[[Emacs]] support for Rust can be obtained via the official [https://github.com/rust-lang/rust-mode rust-mode] plugin.<br />
<br />
==== GNOME Builder ====<br />
<br />
GNOME Builder support for Rust is achieved using Language Server Protocol. It uses [[#rust-analyzer|rust-analyzer]] by default; all you need to do is install it along with the Rust source.<br />
<br />
==== Helix ====<br />
The [[Helix]] editor is written in Rust and has the Rust language server protocol included. Helix is inspired by Neovim and Kakoune.<br />
<br />
==== Kate ====<br />
<br />
Kate support for Rust is achieved using Language Server Protocol. It uses [[#rust-analyzer|rust-analyzer]] by default; all you need to do is install it along with the Rust source.<br />
<br />
==== IntelliJ IDEA ====<br />
<br />
[https://www.jetbrains.com/idea/ IntelliJ IDEA] has a [https://github.com/intellij-rust/intellij-rust Rust plugin]. The same plugin also works with CLion.<br />
<br />
If using rustup, use rustup to download the source ({{ic|rustup component add rust-src}}), and then select {{ic|~/.rustup/toolchains/<your toolchain>/bin}} as the toolchain location.<br />
<br />
If using Rust from the official Arch Linux software repository, select {{ic|/usr/bin}} as the toolchain location and {{ic|/usr/lib/rustlib/src/rust/library/}} as the stdlib sources location.<br />
<br />
==== Visual Studio Code ====<br />
<br />
[[Visual Studio Code]] support for Rust can be obtained via [[#rust-analyzer|rust-analyzer]] with the [https://marketplace.visualstudio.com/items?itemName=matklad.rust-analyzer matklad.rust-analyzer] extension.<br />
<br />
==== Vim ====<br />
<br />
[[Vim]] support for Rust can be obtained via the official [https://github.com/rust-lang/rust.vim rust.vim] plugin, which provides file detection, syntax highlighting, formatting and support for the [https://github.com/vim-syntastic/syntastic Syntastic] syntax checking plugin. Many completion engines have Rust support, like [https://github.com/neoclide/coc.nvim coc] (via the [https://github.com/neoclide/coc-rls coc.rls] plugin) and [https://github.com/ycm-core/YouCompleteMe YouCompleteMe].<br />
<br />
<br />
<br />
== See also ==<br />
<br />
* [https://rust-lang.org/ Official website of the Rust Programming Language]<br />
* [https://www.rust-lang.org/documentation.html Rust Documentation]<br />
* [https://doc.rust-lang.org/stable/book/ Official Rust Book]<br />
* [https://doc.rust-lang.org/std/ Standard Library API Lookup]<br />
* [https://doc.rust-lang.org/stable/rust-by-example/ Examples with small descriptions]<br />
* [https://github.com/ctjhoa/rust-learning Page listing of Rust tutorials]<br />
* [https://crates.io/ Libraries (crates) available through Cargo]<br />
* [https://this-week-in-rust.org/ This Week in Rust]<br />
* [https://blog.rust-lang.org/ The Rust Programming Language Blog]<br />
* [https://users.rust-lang.org/ The Rust Users Forum]<br />
* [https://internals.rust-lang.org/ The Rust Internals Forum]<br />
* [https://rust.libhunt.com/ Awesome Rust: A curated list of Rust libraries and resources]<br />
* [[Wikipedia:Rust (programming language)]]</div>Ender4https://wiki.archlinux.org/index.php?title=Color_output_in_console&diff=622958Color output in console2020-06-30T06:35:21Z<p>Ender4: Add a couple of programs for adding color.</p>
<hr />
<div>[[Category:Linux console]]<br />
[[Category:Eye candy]]<br />
[[ja:コンソールのカラー出力]]<br />
[[zh-hans:Color output in console]]<br />
{{Expansion|And maybe create something bigger. Please take active approach if you can add some valuable information. Mention {{Pkg|python-pywal}}.|Talk:Color output in console#Why and what this page is about}}<br />
{{Style|Page is partly a collection of information on different applications, partly begin to lay theory to color output process. Please contribute your knowledge, if you can.}}<br />
{{Related articles start}}<br />
{{Related|Emacs#Custom colors and theme}}<br />
{{Related|nano#Syntax highlighting}}<br />
{{Related articles end}}<br />
This page was created to consolidate colorization of CLI outputs.<br />
<br />
== Applications ==<br />
<br />
=== diff ===<br />
<br />
diffutils from version 3.4 includes the {{ic|--color}} option ([https://lists.gnu.org/archive/html/info-gnu/2016-08/msg00004.html GNU mailing list]).<br />
<br />
$ alias diff='diff --color=auto'<br />
<br />
=== grep ===<br />
<br />
The {{ic|1=--color=auto}} option enables color highlighting. Color codes are emitted only when standard output is a terminal, not when it is a pipe or redirection.<br />
<br />
Color output in ''grep'' is also useful with [[Wikipedia:regexp|regexp]] tasks.<br />
<br />
Use an [[alias]] to permanently enable this option:<br />
<br />
alias grep='grep --color=auto'<br />
<br />
The {{ic|GREP_COLORS}} variable is used to define colors, and it configures various parts of highlighting. To change the colors, find the needed [http://www.tldp.org/HOWTO/Bash-Prompt-HOWTO/x329.html ANSI escape sequence] and apply it. See {{man|1|grep}} for more information.<br />
<br />
The {{ic|-n}} option includes file line numbers in the output.<br />
<br />
=== ip ===<br />
<br />
The {{man|8|ip}} command from {{Pkg|iproute2}} supports colors with the {{ic|-c}} option. You can use an [[alias]] to enable colored output. When using the {{ic|auto}} parameter, colored output is enabled only when stdout is a terminal.<br />
<br />
alias ip='ip -color=auto'<br />
<br />
=== less ===<br />
<br />
==== Environment variables ====<br />
<br />
Add the following lines to your shell configuration file:<br />
<br />
export LESS=-R<br />
export LESS_TERMCAP_mb=$'\E[1;31m' # begin blink<br />
export LESS_TERMCAP_md=$'\E[1;36m' # begin bold<br />
export LESS_TERMCAP_me=$'\E[0m' # reset bold/blink<br />
export LESS_TERMCAP_so=$'\E[01;44;33m' # begin reverse video<br />
export LESS_TERMCAP_se=$'\E[0m' # reset reverse video<br />
export LESS_TERMCAP_us=$'\E[1;32m' # begin underline<br />
export LESS_TERMCAP_ue=$'\E[0m' # reset underline<br />
# and so on<br />
<br />
Change the values ([[Wikipedia:ANSI escape code#Colors|ANSI escape code]]) as you like. [http://boredzo.org/blog/archives/2016-08-15/colorized-man-pages-understood-and-customized This blog post] and the page [[Bash/Prompt customization]] also help.<br />
<br />
{{note|The {{ic|LESS_TERMCAP_''xx''}} variables are currently undocumented in {{man|1|less}}. For a detailed explanation, see [http://unix.stackexchange.com/questions/108699/documentation-on-less-termcap-variables/108840#108840 this answer].}}<br />
<br />
==== Reading from stdin ====<br />
<br />
{{Note|It is recommended to add colored output through [[#Environment variables]] to your {{ic|~/.bashrc}} or {{ic|~/.zshrc}}, as the following is based on {{ic|1=export LESS=-R}}.}}<br />
<br />
When you run a command and pipe its [[Wikipedia:Standard output|standard output]] (''stdout'') to ''less'' for a paged view (e.g. {{ic|<nowiki>pacman -Qe | less</nowiki>}}), you may find that the output is no longer colored. This is usually because the program tries to detect if its ''stdout'' is an interactive terminal, in which case it prints colored text, and otherwise prints uncolored text. This is good behaviour when you want to redirect ''stdout'' to a file, e.g. {{ic|<nowiki>pacman -Qe > pkglst-backup.txt</nowiki>}}, but less suited when you want to view output in {{ic|less}}.<br />
<br />
Some programs provide an option to disable the interactive tty detection:<br />
<br />
# dmesg --color=always | less<br />
<br />
If the program does not provide any similar option, it is possible to trick the program into thinking its ''stdout'' is an interactive terminal with the following utilities:<br />
<br />
* {{App|ColorThis|Force colored output of a program by running it within a (group of) pty; supports forwarding stdin.|https://github.com/Sasasu/ColorThis}}<br />
* {{App|stdoutisatty|A small program which catches the {{ic|isatty}} function call.|https://github.com/lilydjwg/stdoutisatty|{{AUR|stdoutisatty-git}}}}<br />
:Example: {{ic|stdoutisatty ''program'' <nowiki>| less</nowiki>}}<br />
* {{App|unbuffer|A tclsh script that comes with expect; it invokes the desired program within a pty.|http://expect.sourceforge.net/example/unbuffer.man.html|{{Pkg|expect}}}}<br />
:Example: {{ic|unbuffer ''program'' <nowiki>| less</nowiki>}}<br />
<br />
Alternatively, use the [http://zsh.sourceforge.net/Doc/Release/Zsh-Modules.html#The-zsh_002fzpty-Module zpty] module from [[zsh]] [http://lilydjwg.is-programmer.com/2011/6/29/using-zpty-module-of-zsh.27677.html]:<br />
<br />
{{hc|~/.zshrc|<nowiki><br />
zmodload zsh/zpty<br />
<br />
# Run a command inside a pseudo-terminal so that it sees an interactive stdout<br />
pty() {<br />
    zpty pty-${UID} ${1+$@}<br />
    if [[ ! -t 1 ]]; then<br />
        setopt local_traps<br />
        trap '' INT<br />
    fi<br />
    zpty -r pty-${UID}<br />
    zpty -d pty-${UID}<br />
}<br />
<br />
# Same, with the output paged through less<br />
ptyless() {<br />
    pty "$@" | less<br />
}<br />
</nowiki>}}<br />
<br />
Usage:<br />
<br />
$ ptyless ''program''<br />
<br />
To pipe it to another pager (less in this example):<br />
<br />
$ pty ''program'' | less<br />
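<br />
The terminal detection described in this section, sketched in shell as an added example (not part of the original page; {{ic|want_color}}, {{ic|tag}}, {{ic|strip_ansi}} and {{ic|count_errors}} are hypothetical names). It shows why {{ic|auto}} output loses its color in a pipe, and how output forced with {{ic|always}} or a pty can be cleaned before a script or log parser consumes it.<br />

```sh
#!/bin/sh
# Added example, not from the wiki page. Function names are assumptions.
ESC=$(printf '\033')

# want_color MODE: the same three modes as --color=always|never|auto.
want_color() {
    case "$1" in
        always) return 0 ;;
        never)  return 1 ;;
        auto)   [ -t 1 ] ;;   # true only when stdout is a terminal
        *)      echo "unknown colour mode: $1" >&2; return 2 ;;
    esac
}

# tag MODE LEVEL MESSAGE: print "LEVEL MESSAGE", with LEVEL in bold red
# when colour is wanted for the current stdout.
tag() {
    if want_color "$1"; then
        printf '%s[1;31m%s%s[0m %s\n' "$ESC" "$2" "$ESC" "$3"
    else
        printf '%s %s\n' "$2" "$3"
    fi
}

# strip_ansi: filter that deletes CSI sequences from stdin
# (ESC [, parameter bytes 0-?, intermediate bytes space-/, one final byte @-~).
strip_ansi() {
    LC_ALL=C sed "s|${ESC}\[[0-?]*[ -/]*[@-~]||g"
}

# count_errors: number of stdin lines a parser anchored on "^ERR " would see.
count_errors() {
    grep -c '^ERR ' || true
}

# Coloured on a terminal, plain when piped or redirected:
tag auto ERR "disk full"
# Forced colour hides the line from the anchored pattern (prints 0) ...
tag always ERR "disk full" | count_errors
# ... until the escape sequences are removed (prints 1):
tag always ERR "disk full" | strip_ansi | count_errors
```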
<br />
=== ls ===<br />
<br />
The {{ic|1=--color=auto}} option enables color highlighting. Color codes are emitted only when standard output is a terminal, not when it is a pipe or redirection.<br />
<br />
Use an [[alias]] to permanently enable this option:<br />
<br />
alias ls='ls --color=auto'<br />
<br />
The {{ic|LS_COLORS}} variable is used to define colors, and it configures various parts of highlighting. Use the {{man|1|dircolors}} command to set it.<br />
<br />
{{Note|Using the {{ic|--color}} option may incur a noticeable performance penalty when ''ls'' is run in a directory with very many entries. The default settings require ''ls'' to {{man|1|stat}} every single file it lists. However, if you would like most of the file-type coloring but can live without the other coloring options (e.g. executable, orphan, sticky, other-writable, capability), use ''dircolors'' to set the {{ic|LS_COLORS}} environment variable like this:<br />
<br />
<nowiki>eval $(dircolors -p | perl -pe 's/^((CAP|S[ET]|O[TR]|M|E)\w+).*/$1 00/' | dircolors -)</nowiki><br />
<br />
}}<br />
<br />
See {{man|1|ls}} for more information.<br />
<br />
=== man ===<br />
<br />
To enable colored {{Ic|man}}, two main pagers, {{Ic|less}} and {{Ic|most}}, are hacked here.<br />
<br />
==== Using less ====<br />
<br />
See [[#less]] for a more detailed description.<br />
<br />
For bash or zsh, add the following {{Ic|less}} wrapper function to {{ic|~/.bashrc}} or {{ic|~/.zshrc}}:<br />
<br />
{{bc|<nowiki><br />
man() {<br />
    LESS_TERMCAP_md=$'\e[01;31m' \<br />
    LESS_TERMCAP_me=$'\e[0m' \<br />
    LESS_TERMCAP_se=$'\e[0m' \<br />
    LESS_TERMCAP_so=$'\e[01;44;33m' \<br />
    LESS_TERMCAP_ue=$'\e[0m' \<br />
    LESS_TERMCAP_us=$'\e[01;32m' \<br />
    command man "$@"<br />
}<br />
</nowiki>}}<br />
<br />
For [[Fish]] you could accomplish this with:<br />
<br />
{{hc|~/.config/fish/config.fish|<nowiki><br />
set -xU LESS_TERMCAP_md (printf "\e[01;31m")<br />
set -xU LESS_TERMCAP_me (printf "\e[0m")<br />
set -xU LESS_TERMCAP_se (printf "\e[0m")<br />
set -xU LESS_TERMCAP_so (printf "\e[01;44;33m")<br />
set -xU LESS_TERMCAP_ue (printf "\e[0m")<br />
set -xU LESS_TERMCAP_us (printf "\e[01;32m")<br />
</nowiki>}}<br />
<br />
Remember to source your config or restart your shell to make the changes take effect.<br />
<br />
==== Using most ====<br />
<br />
The basic function of 'most' is similar to {{Ic|less}} and {{Ic|more}}, but it has a smaller feature set. Configuring most to use colors is easier than using less, but additional configuration is necessary to make most behave like less.<br />
Install the {{Pkg|most}} package.<br />
<br />
Edit {{ic|/etc/man_db.conf}}, uncomment the pager definition and change it to:<br />
<br />
DEFINE pager most -s<br />
<br />
Test the new setup by typing:<br />
<br />
$ man whatever_man_page<br />
<br />
Modifying the color values requires editing {{ic|~/.mostrc}} (creating the file if it is not present) or editing {{ic|/etc/most.conf}} for system-wide changes. Example {{ic|~/.mostrc}}:<br />
<br />
% Color settings<br />
color normal lightgray black<br />
color status yellow blue<br />
color underline yellow black<br />
color overstrike brightblue black<br />
<br />
A list of all keybindings may be found at {{ic|/usr/share/doc/most/most-fun.txt}}. To get a basic {{ic|less}}/{{ic|vim}}-like configuration, you can copy {{ic|/usr/share/doc/most/lesskeys.rc}} to {{ic|~/.mostrc}}. The lesskeys rc included with most does not include 'g' or 'G', so you will also have to add these lines to {{ic|~/.mostrc}}:<br />
<br />
setkey bob "g"<br />
setkey eob "G"<br />
setkey page_down "d"<br />
setkey page_up "u"<br />
<br />
You may also want to set the {{ic|goto_line}} keybinding in the rc if you don't like the default of 'J'.<br />
<br />
Another example showing keybindings similar to {{Ic|less}} (jump to line is set to 'J'):<br />
<br />
% less-like keybindings<br />
unsetkey "^K"<br />
unsetkey "g"<br />
unsetkey "G"<br />
unsetkey ":"<br />
<br />
setkey next_file ":n"<br />
setkey find_file ":e"<br />
setkey next_file ":p"<br />
setkey toggle_options ":o"<br />
setkey toggle_case ":c"<br />
setkey delete_file ":d"<br />
setkey exit ":q"<br />
<br />
setkey bob "g"<br />
setkey eob "G"<br />
setkey down "e"<br />
setkey down "E"<br />
setkey down "j"<br />
setkey down "^N"<br />
setkey up "y"<br />
setkey up "^Y"<br />
setkey up "k"<br />
setkey up "^P"<br />
setkey up "^K"<br />
setkey page_down "f"<br />
setkey page_down "^F"<br />
setkey page_up "b"<br />
setkey page_up "^B"<br />
setkey other_window "z"<br />
setkey other_window "w"<br />
setkey search_backward "?"<br />
setkey bob "p"<br />
setkey goto_mark "'"<br />
setkey find_file "E"<br />
setkey edit "v"<br />
<br />
==== Using X resources ====<br />
<br />
A quick way to add color to manual pages viewed on {{Pkg|xterm}}/{{Ic|uxterm}} or {{Pkg|rxvt-unicode}} is to modify {{ic|~/.Xresources}}.<br />
<br />
===== xterm =====<br />
<br />
*VT100.colorBDMode: true<br />
*VT100.colorBD: red<br />
*VT100.colorULMode: true<br />
*VT100.colorUL: cyan<br />
<br />
which ''replaces'' the decorations with the colors. Also add:<br />
<br />
*VT100.veryBoldColors: 6<br />
<br />
if you want colors and decorations (bold or underline) ''at the same time''. See {{man|1|xterm}} for a description of the {{ic|veryBoldColors}} resource.<br />
<br />
===== rxvt-unicode =====<br />
<br />
URxvt.colorIT: #87af5f<br />
URxvt.colorBD: #d7d7d7<br />
URxvt.colorUL: #87afd7<br />
<br />
Run:<br />
<br />
$ xrdb -load ~/.Xresources<br />
<br />
Launch a new {{Ic|xterm/uxterm}} or {{Ic|rxvt-unicode}} and you should see colorful man pages.<br />
<br />
This combination puts colors to '''bold''' and <u>underlined</u> words in {{Ic|xterm/uxterm}} or to '''bold''', <u>underlined</u>, and ''italicized'' text in {{Ic|rxvt-unicode}}. You can play with different combinations of these attributes (see the [http://pub.ligatura.org/fs/xfree86/xresources/xterm sources]{{Dead link|2020|03|28|status=404}} of this item).<br />
<br />
=== pacman ===<br />
<br />
[[Pacman]] has a color option. Uncomment the {{ic|Color}} line in {{ic|/etc/pacman.conf}}.<br />
<br />
== Wrappers ==<br />
<br />
{{move||Some of these could be made into sections of their own, or moved to existing sections such as [[#diff]]}}<br />
<br />
=== Universal wrappers ===<br />
<br />
(Most of them are outdated but still functional.)<br />
<br />
They come with multiple preconfigured presets that can be changed, and new ones can be created or contributed.<br />
<br />
{{Warning|Wrappers alter the output of commands by adding escape sequences. Some shell scripts and programs that use the output of standard shell utilities may then work incorrectly.}}<br />
<br />
* {{App|rainbow|Colorize commands output or STDIN using patterns.<br>Presets: df, diff, env, host, ifconfig, java-stack-trace, jboss, jonas, md5sum, mvn2, mvn3, ping, tomcat, top, traceroute.|https://github.com/nicoulaj/rainbow|{{AUR|rainbow}}}}<br />
* {{App|grc|Yet another colouriser for beautifying your logfiles or output of commands.<br>Presets: cat, cvs, df, digg, gcc, g++, ls, ifconfig, make, mount, mtr, netstat, ping, ps, tail, traceroute, wdiff, blkid, du, dnf, docker, docker-machine, env, id, ip, iostat, last, lsattr, lsblk, lspci, lsmod, lsof, getfacl, getsebool, ulimit, uptime, nmap, fdisk, findmnt, free, semanage, sar, ss, sysctl, systemctl, stat, showmount, tune2fs and tcpdump.|https://github.com/pengwynn/grc|{{Pkg|grc}}}}<br />
* {{App|colorlogs|Colorize commands output or STDIN using patterns.<br>Presets: logs, git status, ant, maven.|https://github.com/memorius/colorlogs}}<br />
* {{App|cope|A colourful wrapper for terminal programs.<br>Presets: acpi, arp, cc, df, dprofpp, fdisk, free, g++, gcc, id, ifconfig, ls, lspci, lsusb, make, md5sum, mpc, netstat, nm, nmap, nocope, ping, pmap, ps, readelf, route, screen, sha1sum, sha224sum, sha256sum, sha384sum, sha512sum, shasum, socklist, stat, strace, tcpdump, tracepath, traceroute, w, wget, who, xrandr.|https://github.com/yogan/cope|{{AUR|cope-git}}}}<br />
* {{App|cw|A non-intrusive real-time ANSI color wrapper for common unix-based commands. Wraps {{Pkg|file}} which can cause issues.<br>Presets: arp, arping, auth.log@, blockdev, cal, cksum, clock, configure, cpuinfo@, crontab@, cw-pipe, cw-test.cgi, date, df, diff, dig, dmesg, du, env, figlet, file, find, finger, free, fstab@, fuser, g++, gcc, group@, groups, hdparm, hexdump, host, hosts@, id, ifconfig, inittab@, iptables, last, lastlog, lsattr, lsmod, lsof, ltrace-color, make, md5sum, meminfo@, messages@, mount, mpg123, netstat, nfsstat, nmap, nslookup, objdump, passwd@, ping, pmap, pmap_dump, praliases, profile@, protocols@, ps, pstree, quota, quotastats, resolv.conf@, route, routel, sdiff, services@, showmount, smbstatus, stat, strace-color, sysctl, syslog, tar, tcpdump, tracepath, traceroute, umount, uname, uptime, users, vmstat, w, wc, whereis, who, xferlog.|http://cwrapper.sourceforge.net/|{{AUR|cw}}}}<br />
* {{App|ccze|A fast log colorizer written in C, intended to be a drop-in replacement for colorize|https://github.com/cornet/ccze/|{{Pkg|ccze}}}}<br />
<br />
=== Libraries for colorizing an output ===<br />
<br />
* {{App|libtextstyle|A C library for styling text output to terminals|https://ftp.gnu.org/gnu/gettext/gettext-0.20.1.tar.gz}}<br />
* {{App|ruby-rainbow|Rainbow is an extension to Ruby's String class that adds support for colorizing text on ANSI terminals|https://rubygems.org/gems/rainbow/|{{Pkg|ruby-rainbow}}}}<br />
* {{App|python-blessings|A thin, practical wrapper around terminal coloring, styling, and positioning|https://github.com/erikrose/blessings|{{Pkg|python-blessings}}}}<br />
* {{App|lolcat|Ruby program that makes the output colorful like a rainbow|https://github.com/busyloop/lolcat/|{{Pkg|lolcat}}}}<br />
<br />
=== Application specific ===<br />
<br />
==== Compilers ====<br />
<br />
* {{App|colorgcc|A Perl wrapper to colorize the output of compilers with warning/error messages matching the gcc output format|https://schlueters.de/colorgcc.html|{{Pkg|colorgcc}}}}<br />
<br />
==== diff ====<br />
<br />
''diff'' has [[#diff|built-in color output]], which is reasonable to use, but the following wrappers can be used as well:<br />
<br />
* {{App|colordiff|Perl script for ''diff'' highlighting.|http://www.colordiff.org/|{{Pkg|colordiff}}}}<br />
* {{App|cwdiff|''(w)diff'' wrapper with directories support and highlighting.|https://github.com/junghans/cwdiff|{{AUR|cwdiff}}, {{AUR|cwdiff-git}}}}<br />
* {{App|git-delta|A syntax-highlighting pager for git and diff output.|https://github.com/dandavison/delta|{{AUR|git-delta}}, {{AUR|git-delta-git}}, {{AUR|git-delta-bin}}}}<br />
<br />
==== cat ====<br />
<br />
* {{App|bat|Cat clone with syntax highlighting and git integration.|https://github.com/sharkdp/bat|{{Pkg|bat}}}}<br />
<br />
==== less ====<br />
<br />
===== source-highlight =====<br />
<br />
You can enable code syntax coloring in ''less''. First, [[install]] {{Pkg|source-highlight}}, then add these lines to your shell configuration file:<br />
<br />
{{hc|~/.bashrc|<nowiki><br />
export LESSOPEN="| /usr/bin/source-highlight-esc.sh %s"<br />
export LESS='-R '<br />
</nowiki>}}<br />
<br />
===== lesspipe =====<br />
<br />
Frequent users of the command line interface might want to install {{Pkg|lesspipe}}.<br />
<br />
Users may now list the compressed files inside of an archive using their pager:<br />
<br />
{{hc|$ less ''compressed_file''.tar.gz|2=<br />
==> use tar_file:contained_file to view a file in the archive<br />
-rw------- ''username''/''group'' 695 2008-01-04 19:24 ''compressed_file''/''content1''<br />
-rw------- ''username''/''group'' 43 2007-11-07 11:17 ''compressed_file''/''content2''<br />
''compressed_file''.tar.gz (END)<br />
}}<br />
<br />
''lesspipe'' also grants ''less'' the ability of interfacing with files other than archives, serving as an alternative for the specific command associated for that file-type (such as viewing HTML via {{Pkg|python-html2text}}).<br />
<br />
Re-login after installing ''lesspipe'' in order to activate it, or source {{ic|/etc/profile.d/lesspipe.sh}}.<br />
<br />
==== Make ====<br />
<br />
* {{App|colormake|A simple wrapper around make to make its output more readable.|https://github.com/pagekite/Colormake/|{{AUR|colormake}}, {{AUR|colormake-git}}}}<br />
<br />
==== Ping ====<br />
<br />
* {{App|prettyping|Add some great features to ping monitoring. A wrapper around the standard ping tool with the objective of making the output prettier, more colorful, more compact, and easier to read.|http://denilson.sa.nom.br/prettyping/|{{Pkg|prettyping}}}}<br />
<br />
== Shells ==<br />
<br />
=== bash ===<br />
<br />
See [[Bash/Prompt customization#Colors]].<br />
<br />
=== zsh ===<br />
<br />
See [[Zsh#Colors]].<br />
<br />
=== Fish ===<br />
<br />
See [[Fish#Web interface]].<br />
<br />
== Terminal emulators ==<br />
<br />
=== Virtual console ===<br />
<br />
{{Style|Lacks clarity on what "the colors" are, i.e. in [[#Virtual console]] they are about the ''representations'' of the 16 base colors (RGB values for yellow, red, blue, etc.), while in [[#Login screen]] they are about the base colors themselves. See also {{man|4|console_codes}} and [[User:Isacdaavid/Linux_Console]]}}<br />
<br />
The colors in the [[w:Virtual console|Linux virtual console]] running on the framebuffer can be changed. This is done by writing the escape code {{ic|\\e]PXRRGGBB}}, where {{ic|X}} is the hexadecimal index of the color from 0-F, and {{ic|RRGGBB}} is a traditional hexadecimal RGB code. <br />
<br />
For example, to reuse existing colors defined in {{ic|~/.Xresources}}, add the following to the shell initialization file (such as {{ic|~/.bashrc}}):<br />
<br />
 if [ "$TERM" = "linux" ]; then<br />
     # Extract "index RRGGBB" pairs from the *colorN entries in ~/.Xresources<br />
     _SEDCMD='s/.*\*color\([0-9]\{1,\}\).*#\([0-9a-fA-F]\{6\}\).*/\1 \2/p'<br />
     for i in $(sed -n "$_SEDCMD" "$HOME/.Xresources" | awk '$1 < 16 {printf "\\e]P%X%s", $1, $2}'); do<br />
         echo -en "$i"<br />
     done<br />
     clear<br />
 fi<br />
<br />
==== Login screen ====<br />
<br />
Below is a colored example of the virtual console login screen in {{ic|/etc/issue}}. Create a backup of the original file with {{ic|mv /etc/issue /etc/issue.bak}} as root, and create a new {{ic|/etc/issue}}:<br />
<br />
\e[H\e[2J<br />
\e[1;30m| \e[34m\r \s<br />
\e[36;1m/\\\\ \e[37m|| \e[36m| = \e[30m|<br />
\e[36m/ \\\\ \e[37m|| \e[36m| \e[30m| \e[32m\t<br />
\e[1;36m/ \e[0;36m.. \e[1m\\\\ \e[37m//==\\\\\\ ||/= /==\\\\ ||/=\\\\ \e[36m| | |/\\\\ | | \\\\ / \e[30m| \e[32m\d<br />
\e[0;36m/ . . \\\\ \e[37m|| || || || || || \e[36m| | | | | | X \e[1;30m|<br />
\e[0;36m/ . . \\\\ \e[37m\\\\\\==/| || \\\\==/ || || \e[36m| | | |\ \\/| / \\\\ \e[1;30m| \e[31m\U<br />
\e[0;36m/ .. .. \\\\ \e[0;37mA simple, lightweight linux distribution. \e[1;30m|<br />
\e[0;36m/_' `_\\\\ \e[1;30m| \e[35m\l \e[0mon \e[1;33m\n<br />
\e[0m <br />
<br />
<br />
See also:<br />
<br />
* https://bbs.archlinux.org/viewtopic.php?pid=386429#p386429<br />
* http://www.linuxfromscratch.org/blfs/view/svn/postlfs/logon.html<br />
<br />
=== X window system ===<br />
<br />
Most [[Xorg]] terminals, including [[xterm]] and [[urxvt]], support at least 16 basic colors. The colors 0-7 are the 'normal' colors. Colors 8-15 are their 'bright' counterparts, used for highlighting. These colors can be modified through [[X resources]], or through specific terminal settings. For example:<br />
<br />
{{hc|1=~/.Xresources|2=<br />
! Black + DarkGrey<br />
*color0: #000000<br />
*color8: #555753<br />
! DarkRed + Red<br />
*color1: #ff6565<br />
*color9: #ff8d8d<br />
! DarkGreen + Green<br />
*color2: #93d44f<br />
*color10: #c8e7a8<br />
! DarkYellow + Yellow<br />
*color3: #eab93d<br />
*color11: #ffc123<br />
! DarkBlue + Blue<br />
*color4: #204a87<br />
*color12: #3465a4<br />
! DarkMagenta + Magenta<br />
*color5: #ce5c00<br />
*color13: #f57900<br />
!DarkCyan + Cyan (both not tango)<br />
*color6: #89b6e2<br />
*color14: #46a4ff<br />
! LightGrey + White<br />
*color7: #cccccc<br />
*color15: #ffffff<br />
}}<br />
<br />
{{Warning|Color resources such as {{ic|foreground}} and {{ic|background}} can be read by other applications (such as [https://www.gnu.org/software/emacs/manual/html_node/emacs/Table-of-Resources.html emacs]). This can be avoided by specifying the class name, for example {{ic|XTerm.foreground}}.}}<br />
<br />
See also:<br />
<br />
* [[#Using X resources]] for how to color bold and underlined text automatically.<br />
* [https://web.archive.org/web/20090130061234/http://phraktured.net/terminal-colors/ Color Themes] - Extensive list of terminal color themes by Phraktured.<br />
* [http://beta.andrewrcraig.us/index.php?page=xcolors Xcolors by dkeg]{{Dead link|2020|02|28}}<br />
<br />
* [https://github.com/chriskempson/base16 base16 color schemes]<br />
<br />
=== Display all 256 colors ===<br />
<br />
Prints all 256 colors across the screen.<br />
<br />
$ (x=`tput op` y=`printf %76s`;for i in {0..255};do o=00$i;echo -e ${o:${#o}-3:3} `tput setaf $i;tput setab $i`${y// /=}$x;done)<br />
<br />
=== Display tput escape codes ===<br />
<br />
{{Merge|Bash/Prompt_customization|More context on ''tput'' is provided in that article}}<br />
<br />
Replace {{ic|tput op}} with whatever tput you want to trace. {{ic|op}} is the default foreground and background color.<br />
<br />
{{hc|<nowiki>$ ( strace -s5000 -e write tput op 2>&2 2>&1 ) | tee -a /dev/stderr | grep -o '"[^"]*"'</nowiki>|<br />
033[\033[1;34m"\33[39;49m"\033[00m<br />
}}<br />
<br />
=== Enumerate supported colors ===<br />
<br />
The following command will let you discover all the terminals you have terminfo support for, and the number of colors each terminal supports. The possible values are: 8, 15, 16, 52, 64, 88 and 256.<br />
<br />
{{hc|<nowiki>$ for T in `find /usr/share/terminfo -type f -printf '%f '`;do echo "$T `tput -T $T colors`";done|sort -nk2</nowiki>|<br />
Eterm-88color 88<br />
rxvt-88color 88<br />
xterm+88color 88<br />
xterm-88color 88<br />
Eterm-256color 256<br />
gnome-256color 256<br />
konsole-256color 256<br />
putty-256color 256<br />
rxvt-256color 256<br />
screen-256color 256<br />
screen-256color-bce 256<br />
screen-256color-bce-s 256<br />
screen-256color-s 256<br />
xterm+256color 256<br />
xterm-256color 256<br />
}}<br />
<br />
=== Enumerate terminal capabilities ===<br />
<br />
{{Merge|Bash/Prompt_customization|More context on ''tput'' is provided in that article}}<br />
<br />
This command is useful for seeing which features are supported by your terminal.<br />
<br />
{{hc|<nowiki>$ infocmp -1 | tr -d '\0\t,' | cut -f1 -d'=' | grep -v "$TERM" | sort | column -c80</nowiki>|<br />
acsc ed kcuu1 kich1 rmso<br />
am el kDC kLFT rmul<br />
bce el1 kdch1 km rs1<br />
bel enacs kel kmous rs2<br />
blink eo kend knp s0ds<br />
bold flash kEND kNXT s1ds<br />
btns#5 fsl kent kpp s2ds<br />
bw home kf1 kPRV s3ds<br />
ccc hpa kf10 kRIT sc<br />
civis hs kf11 kslt setab<br />
clear ht kf12 lines#24 setaf<br />
cnorm hts kf13 lm#0 setb<br />
colors#0x100 ich kf14 mc0 setf<br />
cols#80 ich1 kf15 mc4 sgr<br />
cr il kf16 mc5 sgr0<br />
csr il1 kf17 mc5i sitm<br />
cub ind kf18 mir smacs<br />
cub1 indn kf19 msgr smam<br />
cud initc kf2 ncv#0 smcup<br />
cud1 is1 kf20 npc smir<br />
cuf is2 kf3 op smkx<br />
cuf1 it#8 kf4 pairs#0x7fff smso<br />
cup ka1 kf5 rc smul<br />
cuu ka3 kf6 rev tbc<br />
cuu1 kb2 kf7 ri tsl<br />
cvvis kbs kf8 rin u6<br />
dch kc1 kf9 ritm u7<br />
dch1 kc3 kfnd rmacs u8<br />
dl kcbt kFND rmam u9<br />
dl1 kcub1 kHOM rmcup vpa<br />
dsl kcud1 khome rmir xenl<br />
ech kcuf1 kIC rmkx xon<br />
<br />
}}<br />
<br />
=== Color scheme scripts ===<br />
<br />
See [https://paste.xinu.at/m-dAiJ/] for scripts which display a chart of your current terminal scheme.<br />
<br />
=== True color support ===<br />
<br />
Some terminals support the full range of 16 million colors (RGB, each with 8 bit resolution): xterm, konsole, st, etc. The corresponding TERM values {{ic|xterm-direct}}, {{ic|konsole-direct}}, {{ic|st-direct}}, etc. are supported starting with ncurses version 6.1 [http://lists.gnu.org/archive/html/bug-ncurses/2018-01/msg00045.html]. For more info about terminal emulators and applications that support true color, see [https://gist.github.com/XVilka/8346728].<br />
<br />
Note that the Linux kernel supports the SGR escape sequences for true color, but it is pointless to use them, because the driver maps the 24-bit color specifications to a 256-color map in the kernel (see the functions {{ic|rgb_foreground}}, {{ic|rgb_background}}). For this reason, there is no terminfo entry {{ic|linux-direct}}.<br />
<br />
== See also ==<br />
<br />
* [https://gkbrk.com/2016/07/lolcat-clone-in-x64-assembly/ lolcat clone in x64 assembly]<br />
* [http://unix.stackexchange.com/a/147 Setting colors for less] and [http://unix.stackexchange.com/a/6357 solving related problems] (threads on StackExchange)</div>Ender4https://wiki.archlinux.org/index.php?title=Dracut&diff=607198Dracut2020-04-22T04:44:20Z<p>Ender4: /* Generate a new initramfs on kernel upgrade */ Add link to dracut-hook aur package</p>
<hr />
<div>{{Lowercase title}}<br />
[[Category:Boot process]]<br />
[[ja:Dracut]]<br />
[[pt:Dracut]]<br />
{{Related articles start}}<br />
{{Related|mkinitcpio}}<br />
{{Related articles end}}<br />
{{Note|Read the mailing list announcement for a possible [https://lists.archlinux.org/pipermail/arch-dev-public/2019-May/029570.html Mkinitcpio replacement with Dracut].}}<br />
<br />
[https://dracut.wiki.kernel.org/ dracut] creates an initial image used by the kernel for preloading the block device modules (such as IDE, SCSI or RAID) which are needed to access the root filesystem. Upon installing {{Pkg|linux}}, you can choose between [[mkinitcpio]] and dracut. dracut is used by Fedora, RHEL, Gentoo, and Debian, among others.<br />
<br />
You can read the full project documentation for dracut [https://mirrors.edge.kernel.org/pub/linux/utils/boot/dracut/dracut.html in the kernel documentation].<br />
<br />
== Installation ==<br />
<br />
[[Install]] the {{Pkg|dracut}} package, or {{AUR|dracut-git}} for the latest development version.<br />
<br />
{{Tip|If dracut works on your machine '''after you test it''', you can [[uninstall]] {{Pkg|mkinitcpio}}.}}<br />
<br />
== Configuration ==<br />
<br />
If you wish to always execute dracut with a certain set of flags, you can save a specified configuration in a {{ic|.conf}} file in {{ic|/etc/dracut.conf.d/}}. For example:<br />
<br />
{{hc|/etc/dracut.conf.d/myflags.conf|2=<br />
hostonly="yes"<br />
compress="lz4"<br />
add_drivers+=" i915 "<br />
omit_dracutmodules+=" network iscsi "<br />
}}<br />
<br />
You can see more configuration options with {{man|5|dracut.conf}}. Fuller descriptions of each option can be found with {{man|8|dracut}}.<br />
<br />
=== Kernel command line options ===<br />
<br />
You can force dracut to use kernel command line parameters in the initramfs environment. Be aware that you should [[#Spaces in kernel parameters|use the UUID naming scheme]] for specifying block devices. <br />
<br />
It is not necessary to specify the root block device for dracut. From {{man|7|dracut.cmdline}}:<br />
<br />
: The root device used by the kernel is specified in the boot configuration file on the kernel command line, as always.<br />
<br />
However, it may be useful to set some parameters early, and you can enable additional features like prompting for additional command line parameters. See {{man|7|dracut.cmdline}} for all options. Here are some example configuration options:<br />
<br />
* Resume from a swap partition: {{ic|1=resume=UUID=80895b78-7312-45bc-afe5-58eb4b579422}}<br />
* Prompt for additional kernel command line parameters: {{ic|1=rd.cmdline=ask}}<br />
* Print informational output even if "quiet" is set: {{ic|1=rd.info}}<br />
<br />
Kernel command line options should be placed line-by-line similar to the {{ic|/etc/dracut.conf.d/}} style, in a {{ic|*.conf}} file in {{ic|/etc/cmdline.d/}}. For example, your kernel command line options file could look like:<br />
<br />
{{hc|/etc/cmdline.d/myflags.conf|2=<br />
resume=UUID=80895b78-7312-45bc-afe5-58eb4b579422<br />
rd.cmdline=ask<br />
rd.info<br />
}}<br />
<br />
== Usage ==<br />
<br />
dracut is easy to use and typically does not require user configuration, even when using non-standard setups, like [[dm-crypt/Encrypting an entire system#LVM on LUKS|LVM on LUKS]].<br />
<br />
To generate an initramfs for the running kernel:<br />
<br />
# dracut /boot/initramfs-linux.img<br />
<br />
To generate a fallback initramfs run:<br />
<br />
# dracut -N /boot/initramfs-linux-fallback.img<br />
<br />
{{ic|/boot/initramfs-linux.img}} refers to the output image file. If you are using a non-default kernel, consider changing the file name. For example, for the {{Pkg|linux-lts}} kernel, the output file should be named {{ic|/boot/initramfs-linux-lts.img}}. However, you can name these files whatever you wish as long as your [[boot loader]] configuration uses the same file names.<br />
<br />
=== Additional flags ===<br />
<br />
The {{ic|--hostonly}} flag creates an image that only contains the files needed to boot the local host system, instead of creating a generic image with more files. Using this flag reduces the size of the generated image, but you will not be able to use it on other computers or switch to a different root file system without generating a new image.<br />
<br />
The {{ic|--force}} flag overwrites the image file if it is already present.<br />
<br />
More flags can be found with {{man|8|dracut}}.<br />
<br />
== Tips and tricks ==<br />
<br />
{{Expansion|Add instructions for creating a [[unified kernel image]] using the {{ic|--uefi}} option.|section=Unified kernel image}}<br />
<br />
=== View information about generated image ===<br />
<br />
You can view information about a generated initramfs image, which you may wish to view in a pager: <br />
<br />
# lsinitrd ''/path/to/initramfs_image'' | less<br />
<br />
This command will list the arguments passed to dracut when the image was created, the list of included dracut modules, and the list of all included files.<br />
<br />
=== Change compression program ===<br />
<br />
To reduce the amount of time spent compressing the final image, you may change the compression program used.<br />
<br />
{{Warning|<br />
* Make sure your kernel has your chosen decompression support compiled in, otherwise you will not be able to boot. You must also have the chosen compression program package installed.<br />
* The Linux kernel does not support zstd compressed initramfs.[https://lore.kernel.org/lkml/20200316143018.1366-1-oss@malat.biz/]<br />
}}<br />
<br />
Simply add any one of the following lines (not multiple) [[#Configuration|to your dracut configuration]]:<br />
<br />
compress="cat"<br />
compress="gzip"<br />
compress="bzip2"<br />
compress="lzma"<br />
compress="xz"<br />
compress="lzo"<br />
compress="lz4"<br />
<br />
{{Pkg|gzip}} is the default compression program used. {{ic|1=compress="cat"}} will make the initramfs with no compression.<br />
<br />
You can also use a non-officially-supported compression program:<br />
<br />
compress="''program''"<br />
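<br />
The first point of the warning above can be checked before rebooting. The following is an added example, not part of dracut or of the original article: it reads the {{ic|compress}} setting from dracut configuration files and looks up the matching {{ic|CONFIG_RD_*}} option in a plain-text kernel configuration. The function names and the sample values in {{ic|demo}} are constructed for illustration.<br />

```shell
#!/bin/sh
# Added example (not part of dracut): verify that the kernel can unpack the
# initramfs format chosen with compress= before rebooting into it.
# Function names and the sample values in demo() are constructed.

# Print the effective compress= program from one or more dracut .conf files.
# Later assignments override earlier ones, so the last one wins; gzip is the
# default named in this section.
dracut_compress() {
    val=$(cat -- "$@" |
        sed -n -e 's/#.*$//' -e 's/^[[:space:]]*compress=//p' |
        tail -n 1 | tr -d "\"'" | awk '{print $1}')
    printf '%s\n' "${val:-gzip}"
}

# Map a compression program to the kernel option that enables its decompressor.
rd_option_for() {
    case "$1" in
        cat)   echo none ;;             # plain cpio needs no decompressor
        gzip)  echo CONFIG_RD_GZIP ;;
        bzip2) echo CONFIG_RD_BZIP2 ;;
        lzma)  echo CONFIG_RD_LZMA ;;
        xz)    echo CONFIG_RD_XZ ;;
        lzo)   echo CONFIG_RD_LZO ;;
        lz4)   echo CONFIG_RD_LZ4 ;;
        *)     echo unknown ;;
    esac
}

# check_initramfs_compress KCONFIG CONF...
# KCONFIG is a plain-text kernel config, for example the output of
# "zcat /proc/config.gz" on kernels that provide that file.
# Returns 0 if supported, 1 if the decompressor is not built in, 2 if unknown.
check_initramfs_compress() {
    kconfig=$1; shift
    comp=$(dracut_compress "$@")
    opt=$(rd_option_for "$comp")
    case "$opt" in
        none) return 0 ;;
        unknown) echo "cannot map compress=\"$comp\" to a kernel option" >&2
                 return 2 ;;
    esac
    if grep -qx "${opt}=y" "$kconfig"; then
        return 0
    fi
    echo "compress=\"$comp\" needs ${opt}=y, not set in $kconfig" >&2
    return 1
}

# Constructed sample: lz4 requested, kernel config without lz4 support.
demo() {
    d=$(mktemp -d) || return 1
    printf 'hostonly="yes"\ncompress="lz4"\n' > "$d/myflags.conf"
    printf 'CONFIG_RD_GZIP=y\n# CONFIG_RD_LZ4 is not set\n' > "$d/kconfig"
    check_initramfs_compress "$d/kconfig" "$d/myflags.conf"
    echo "exit status: $?"
    rm -rf "$d"
}

if [ "${1:-}" = "--demo" ]; then demo; fi
```

Pass the configuration files in the order dracut reads them, so that the last {{ic|compress}} assignment is the one that is checked.<br />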
<br />
=== Generate a new initramfs on kernel upgrade ===<br />
<br />
It is possible to automatically generate new initramfs images upon each kernel upgrade. The instructions here are for the default {{Pkg|linux}} kernel, but it should be easy to add extra hooks for other kernels.<br />
<br />
The {{AUR|dracut-hook}} package includes hooks and scripts similar to the below.<br />
<br />
As the command to figure out the kernel version is somewhat complex, it will not work by itself in a [[pacman hook]]. So create a script anywhere on your system. For this example it will be created in {{ic|/usr/local/bin/}}.<br />
<br />
The script will also copy the new {{ic|vmlinuz}} kernel file to {{ic|/boot/}}, since the kernel packages do not place files in {{ic|/boot/}} anymore.[https://lists.archlinux.org/pipermail/arch-general/2019-October/047056.html]<br />
<br />
{{hc|/usr/local/bin/dracut-install.sh|<nowiki><br />
#!/usr/bin/env bash<br />
<br />
args=('--force' '--no-hostonly-cmdline')<br />
<br />
# pacman writes the matched target paths to stdin (NeedsTargets), one per line<br />
while read -r line; do<br />
    if [[ "$line" == 'usr/lib/modules/'+([^/])'/pkgbase' ]]; then<br />
        read -r pkgbase < "/${line}"<br />
        # The kernel version is the directory name between usr/lib/modules/ and /pkgbase<br />
        kver="${line#'usr/lib/modules/'}"<br />
        kver="${kver%'/pkgbase'}"<br />
<br />
        install -Dm0644 "/${line%'/pkgbase'}/vmlinuz" "/boot/vmlinuz-${pkgbase}"<br />
        dracut "${args[@]}" "/boot/initramfs-${pkgbase}.img" --kver "$kver"<br />
        dracut "${args[@]}" --no-hostonly "/boot/initramfs-${pkgbase}-fallback.img" --kver "$kver"<br />
    fi<br />
done<br />
</nowiki>}}<br />
<br />
{{hc|/usr/local/bin/dracut-remove.sh|<nowiki><br />
#!/usr/bin/env bash<br />
<br />
while read -r line; do<br />
    if [[ "$line" == 'usr/lib/modules/'+([^/])'/pkgbase' ]]; then<br />
        read -r pkgbase < "/${line}"<br />
        rm -f "/boot/vmlinuz-${pkgbase}" "/boot/initramfs-${pkgbase}.img" "/boot/initramfs-${pkgbase}-fallback.img"<br />
    fi<br />
done<br />
</nowiki>}}<br />
<br />
You need to make the scripts [[executable]]. If you wish to add or remove flags, you should [[#Configuration|add them to your dracut configuration]].<br />
<br />
The next step is creating [[pacman hook]]s:<br />
<br />
{{hc|/etc/pacman.d/hooks/90-dracut-install.hook|<nowiki><br />
[Trigger]<br />
Type = Path<br />
Operation = Install<br />
Operation = Upgrade<br />
Target = usr/lib/modules/*/pkgbase<br />
<br />
[Action]<br />
Description = Updating linux initcpios (with dracut!)...<br />
When = PostTransaction<br />
Exec = /usr/local/bin/dracut-install.sh<br />
NeedsTargets<br />
</nowiki>}}<br />
<br />
{{hc|/etc/pacman.d/hooks/60-dracut-remove.hook|<nowiki><br />
[Trigger]<br />
Type = Path<br />
Operation = Remove<br />
Target = usr/lib/modules/*/pkgbase<br />
<br />
[Action]<br />
Description = Removing linux initcpios...<br />
When = PreTransaction<br />
Exec = /usr/local/bin/dracut-remove.sh<br />
NeedsTargets<br />
</nowiki>}}<br />
<br />
You should stop [[mkinitcpio]] from creating and removing initramfs images as well, either by removing {{Pkg|mkinitcpio}} or with the following commands:<br />
<br />
# ln -sf /dev/null /etc/pacman.d/hooks/90-mkinitcpio-install.hook<br />
# ln -sf /dev/null /etc/pacman.d/hooks/60-mkinitcpio-remove.hook<br />
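<br />
pacman runs the hook scripts above as root, and they build paths under {{ic|/boot/}} from the target lines and the {{ic|pkgbase}} file they read. The following is an added example, not the article's script and not the one shipped by {{AUR|dracut-hook}}: it replays target lines through the same parsing in dry-run mode and only prints the commands, skipping any kernel version or {{ic|pkgbase}} value that is not a single path component. The names {{ic|plan_install}} and {{ic|valid_name}}, the root-directory argument and the sample kernel version are constructed for illustration.<br />

```shell
#!/bin/sh
# Added example: dry-run of the target handling done by dracut-install.sh.
# Reads pacman hook targets on stdin and prints the commands that would run.
# plan_install, valid_name and the ROOT argument are illustrative names.

# A kernel version or pkgbase must be a single, non-empty path component.
valid_name() {
    case "$1" in
        ''|.|..|*/*|*[[:space:]]*) return 1 ;;
    esac
    return 0
}

# plan_install ROOT
# ROOT stands in for "/" so that the example can run unprivileged.
plan_install() {
    root=${1%/}
    while IFS= read -r line; do
        # Same filter as the hook's "Target = usr/lib/modules/*/pkgbase"
        case "$line" in
            usr/lib/modules/*/pkgbase) ;;
            *) continue ;;
        esac
        kver=${line#usr/lib/modules/}
        kver=${kver%/pkgbase}
        # In case patterns "*" also matches "/", so reject nested paths here
        valid_name "$kver" || { echo "skip: bad target $line" >&2; continue; }
        [ -r "$root/$line" ] || { echo "skip: missing $line" >&2; continue; }
        IFS= read -r pkgbase < "$root/$line" || true
        valid_name "$pkgbase" || { echo "skip: bad pkgbase in $line" >&2; continue; }
        echo "install -Dm0644 /usr/lib/modules/${kver}/vmlinuz /boot/vmlinuz-${pkgbase}"
        echo "dracut --force --no-hostonly-cmdline /boot/initramfs-${pkgbase}.img --kver ${kver}"
        echo "dracut --force --no-hostonly-cmdline --no-hostonly /boot/initramfs-${pkgbase}-fallback.img --kver ${kver}"
    done
    return 0
}

# Constructed sample: one valid kernel directory and one nested target.
demo() {
    d=$(mktemp -d) || return 1
    mkdir -p "$d/usr/lib/modules/5.6.4-arch1-1"
    echo linux > "$d/usr/lib/modules/5.6.4-arch1-1/pkgbase"
    printf '%s\n' usr/lib/modules/5.6.4-arch1-1/pkgbase \
                  usr/lib/modules/a/b/pkgbase |
        plan_install "$d"
    rm -rf "$d"
}

if [ "${1:-}" = "--demo" ]; then demo; fi
```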
<br />
== Troubleshooting ==<br />
<br />
=== Spaces in kernel parameters ===<br />
<br />
dracut does not support quoted values with spaces in the {{ic|1=root=}} and {{ic|1=resume=}} [[kernel parameters]]. For example {{ic|1=root="PARTLABEL=Arch Linux"}}. See [https://github.com/dracutdevs/dracut/issues/720 dracut issue 720].<br />
<br />
You will need to specify the parameters using a different block device naming scheme like [[UUID]].<br />
<br />
== See also ==<br />
<br />
* [[Wikipedia:dracut (software)]]<br />
* [[Gentoo:Dracut]]</div>Ender4https://wiki.archlinux.org/index.php?title=List_of_applications/Internet&diff=597023List of applications/Internet2020-02-09T05:12:57Z<p>Ender4: Add wayvnc to list of Remote desktop servers</p>
<hr />
<div><noinclude><br />
[[Category:Internet applications]]<br />
[[Category:Lists of software]]<br />
[[cs:List of applications/Internet]]<br />
[[es:List of applications (Español)/Internet]]<br />
[[it:List of applications/Internet]]<br />
[[ja:アプリケーション一覧/インターネット]]<br />
[[ru:List of applications/Internet]]<br />
[[zh-hans:List of applications/Internet]]<br />
[[zh-hant:List of applications/Internet]]<br />
{{List of applications navigation}}<br />
</noinclude><br />
== Internet ==<br />
<br />
=== Network connection ===<br />
<br />
==== Network managers ====<br />
<br />
See [[Network configuration#Network managers]].<br />
<br />
==== VPN clients ====<br />
<br />
* {{App|Bitmask|Secured and encrypted communication using various service providers|https://bitmask.net/|{{AUR|bitmask}}}}<br />
* {{App|Libreswan|A free software implementation of the most widely supported and standardized VPN protocol based on ("IPsec") and the Internet Key Exchange ("IKE").|https://libreswan.org/|{{AUR|libreswan}}}}<br />
* {{App|[[NetworkManager]]|Supports a variety of protocols (e.g. MS, Cisco, Fortinet) via a plugin system.|https://wiki.gnome.org/Projects/NetworkManager/VPN|{{pkg|networkmanager}}}}<br />
* {{App|[[OpenConnect]]|Supports Cisco and Juniper VPNs.|http://www.infradead.org/openconnect/|{{pkg|openconnect}}}}<br />
* {{App|[[Openswan]]|IPsec-based VPN Solution.|https://www.openswan.org/|{{AUR|openswan}}}}<br />
* {{App|[[OpenVPN]]|To connect to OpenVPN VPNs.|https://openvpn.net/|{{pkg|openvpn}}}}<br />
* {{App|[[PPTP Client]]|To connect to PPTP VPNs, like Microsoft VPNs (MPPE). (insecure)|http://pptpclient.sourceforge.net/|{{pkg|pptpclient}}}}<br />
* {{App|[[strongSwan]]|IPsec-based VPN Solution.|https://www.strongswan.org/|{{pkg|strongswan}}}}<br />
* {{App|[[tinc]]|tinc is a free VPN daemon.|https://www.tinc-vpn.org/|{{pkg|tinc}}}}<br />
* {{App|[[Vpnc]]|To connect to Cisco 3000 VPN Concentrators.|https://www.unix-ag.uni-kl.de/~massar/vpnc/|{{pkg|vpnc}}}}<br />
* {{App|[[WireGuard]]|Next generation secure network tunnel.|https://www.wireguard.com/|{{Pkg|wireguard-tools}}}}<br />
<br />
==== Proxy servers ====<br />
<br />
* {{App|Dante|SOCKS server and SOCKS client, implementing RFC 1928 and related standards.|https://www.inet.no/dante/|{{Pkg|dante}}}}<br />
* {{App|[[Privoxy]]|Non-caching web proxy with advanced filtering capabilities for enhancing privacy, modifying web page data and HTTP headers, controlling access, and removing ads and other obnoxious Internet junk.|https://www.privoxy.org/|{{Pkg|privoxy}}}}<br />
* {{App|Project V|Project V is a set of tools to help you build your own privacy network over internet.|https://www.v2fly.org/en/|{{Pkg|v2ray}}}}<br />
* {{App|[[Shadowsocks]]|Secure socks5 proxy, designed to protect your Internet traffic.|https://www.shadowsocks.org/en/index.html|Python: {{Pkg|shadowsocks}}, C: {{Pkg|shadowsocks-libev}}, Qt: {{Pkg|shadowsocks-qt5}}}}<br />
* {{App|[[Squid]]|Caching proxy for the Web supporting HTTP, HTTPS, FTP, and more.|http://www.squid-cache.org/|{{Pkg|squid}}}}<br />
* {{App|[[Stunnel]]|A server and client to add and remove TLS encryption to TCP data flow.|https://www.stunnel.org/|{{Pkg|stunnel}}}}<br />
* {{App|Tinyproxy|Lightweight HTTP/HTTPS proxy daemon.|https://tinyproxy.github.io/|{{Pkg|tinyproxy}}}}<br />
* {{App|[[Trojan]]|An unidentifiable mechanism that helps you bypass GFW.|https://trojan-gfw.github.io/trojan/|{{Pkg|trojan}}}}<br />
* {{App|[[Varnish]]|High-performance HTTP accelerator.|https://varnish-cache.org/|{{Pkg|varnish}}}}<br />
* {{App|Ziproxy|Forwarding (non-caching) compressing HTTP proxy server.|http://ziproxy.sourceforge.net/|{{Pkg|ziproxy}}}}<br />
<br />
==== Anonymizing networks ====<br />
<br />
* {{App|[[Freenet]]|An encrypted network without censorship.|https://freenetproject.org/|{{AUR|freenet}}}}<br />
* {{App|[[GNUnet]]|Framework for secure peer-to-peer networking.|https://gnunet.org/|CLI: {{Pkg|gnunet}}, GUI: {{Pkg|gnunet-gtk}}}}<br />
* {{App|[[I2P]]|Distributed anonymous network.|https://geti2p.net/|{{AUR|i2p}}, {{AUR|i2p-bin}}}}<br />
* {{App|[[Lantern]]|Peer-to-peer internet censorship circumvention software.|https://getlantern.org/|{{AUR|lantern-bin}}}}<br />
* {{App|[[Tor]]|Anonymizing overlay network.|https://www.torproject.org/|{{Pkg|tor}}}}<br />
<br />
=== Web browsers ===<br />
<br />
See also [[Wikipedia:Comparison of web browsers]].<br />
<br />
==== Console ====<br />
<br />
* {{App|[[ELinks]]|Advanced and well-established feature-rich text mode web browser with mouse wheel scroll support (links fork, barely supported since 2009).|http://elinks.or.cz/|{{Pkg|elinks}}}}<br />
* {{App|[[Wikipedia:Links (web browser)|Links]]|Graphics and text mode web browser. Includes a console version similar to Lynx.|http://links.twibright.com/|{{Pkg|links}}}}<br />
* {{App|[[Wikipedia:Lynx (web browser)|Lynx]]|Text browser for the World Wide Web.|https://lynx.invisible-island.net/|{{Pkg|lynx}}}}<br />
* {{App|[[Wikipedia:W3m|w3m]]|Pager/text-based web browser. It has vim-like keybindings, and is able to display images.|http://w3m.sourceforge.net/|{{Pkg|w3m}}}}<br />
<br />
==== Graphical ====<br />
<br />
===== Gecko-based =====<br />
<br />
See also [[Wikipedia:Gecko (software)]].<br />
<br />
* {{App|[[Firefox]]|Extensible browser from Mozilla based on Gecko with fast rendering.|https://mozilla.com/firefox|{{Pkg|firefox}}}}<br />
* {{App|[[Wikipedia:SeaMonkey|SeaMonkey]]|Continuation of the Mozilla Internet Suite.|https://www.seamonkey-project.org/|{{Pkg|seamonkey}}}}<br />
<br />
====== Firefox spin-offs ======<br />
* {{App|[[Wikipedia:Cliqz|Cliqz]]|Firefox-based privacy aware web browser.|https://cliqz.com/|{{AUR|cliqz}} or {{AUR|cliqz-bin}}}}<br />
* {{App|Cyberfox|Fast and privacy oriented fork of Mozilla Firefox.|https://cyberfox.8pecxstudios.com/|{{AUR|cyberfox-bin}}}}<br />
* {{App|[[Wikipedia:GNU IceCat|GNU IceCat]]|A customized build of Firefox ESR distributed by the GNU Project, stripped of non-free components and with additional privacy extensions. Release cycle may be delayed compared to Mozilla Firefox.|https://www.gnu.org/software/gnuzilla/|{{AUR|icecat}} or {{AUR|icecat-bin}}}}<br />
* {{App|LibreWolf|A fork of Firefox, focused on privacy, security and freedom.|https://librewolf-community.gitlab.io/|{{AUR|librewolf}} or {{AUR|librewolf-bin}}}}<br />
* {{App|Waterfox Classic|Optimized fork of Mozilla Firefox, without data collection and allowing unsigned extensions and NPAPI plugins.|https://www.waterfox.net/|{{AUR|waterfox-classic-bin}}}}<br />
* {{App|Waterfox Current|Optimized fork of Mozilla Firefox, updated feature-rich branch of Waterfox.|https://www.waterfox.net/|{{AUR|waterfox-current-bin}}}}<br />
<br />
===== Blink-based =====<br />
<br />
See also [[Wikipedia:Blink (web engine)]].<br />
<br />
* {{App|[[Chromium]]|Web browser developed by Google, the open source project behind Google Chrome.|https://www.chromium.org/|{{Pkg|chromium}}}}<br />
<br />
====== Privacy-focused chromium spin-offs ======<br />
<br />
* {{App|[[Wikipedia:Brave (web browser)|Brave]]|Web browser that blocks ads and trackers by default.|https://www.brave.com/|{{AUR|brave-bin}}}}<br />
* {{App|Iridium|A privacy-focused [https://git.iridiumbrowser.de/cgit.cgi/iridium-browser/tree/?h&#61;patchview patchset] for Chromium. See [https://github.com/iridium-browser/tracker/wiki/Differences-between-Iridium-and-Chromium differences from Chromium].|https://iridiumbrowser.de/|{{AUR|iridium-deb}}}}<br />
* {{App|Ungoogled Chromium|Modifications to Google Chromium for removing Google integration and enhancing privacy, control, and transparency.|https://github.com/Eloston/ungoogled-chromium|{{AUR|ungoogled-chromium}}}}<br />
<br />
====== Proprietary chromium spin-offs ======<br />
<br />
* {{App|[[Google Chrome]]|Proprietary web browser developed by Google.|https://www.google.com/chrome/|{{AUR|google-chrome}}}}<br />
* {{App|[[Opera]]|Proprietary browser developed by Opera Software.|https://opera.com|{{Pkg|opera}}}}<br />
* {{App|[[Wikipedia:SlimBrowser|Slimjet]]|Fast, smart and powerful proprietary browser based on Chromium.|https://www.slimjet.com/|{{AUR|slimjet}}}}<br />
* {{App|[[Vivaldi]]|An advanced proprietary browser made with the power user in mind.|https://vivaldi.com/|{{AUR|vivaldi}}}}<br />
* {{App|[[Wikipedia:Yandex Browser|Yandex Browser]]|Proprietary browser that combines a minimal design with sophisticated technology to make the web faster, safer, and easier.|https://browser.yandex.com/|{{AUR|yandex-browser-beta}}}}<br />
<br />
====== Browsers based on qt5-webengine ======<br />
<br />
* {{App|Crusta|Blazingly fast full feature web browser with unique features.|https://github.com/Crusta/CrustaBrowser/|{{AUR|crusta}}}}<br />
* {{App|[[Wikipedia:Dooble|Dooble]]|Colorful Web browser.|https://textbrowser.github.io/dooble/|{{AUR|dooble}}}}<br />
* {{App|[[Wikipedia:Eric Python IDE|Eric]]|QtWebEngine-based HTML browser, part of the eric6 development toolset, can be launched with the {{ic|eric6_browser}} command.|https://eric-ide.python-projects.org/|{{Pkg|eric}}}}<br />
* {{App|[[Wikipedia:Falkon|Falkon]]|Web browser based on QtWebEngine, written in Qt framework.|https://falkon.org/|{{pkg|falkon}}}}<br />
* {{App|[[Wikipedia:Konqueror|Konqueror]]|Web browser based on Qt toolkit and Qt WebEngine (or KHTML layout engine), part of {{Grp|kdebase}}.|https://kde.org/applications/internet/org.kde.konqueror|{{Pkg|konqueror}}}}<br />
* {{App|Liri Browser|A minimalistic material design web browser written for Liri.|https://github.com/lirios/browser|{{AUR|liri-browser-git}}}}<br />
* {{App|[[Otter Browser]]|Browser aiming to recreate classic Opera (12.x) UI using Qt5. It can use Qt WebEngine as an alternative backend.|https://otter-browser.org/|{{Pkg|otter-browser}}}}<br />
* {{App|Qt WebBrowser|Browser for embedded devices developed using the capabilities of Qt and Qt WebEngine.|https://doc.qt.io/QtWebBrowser/|{{AUR|qtwebbrowser}}}}<br />
* {{App|[[qutebrowser]]|A keyboard-driven, [[vim]]-like browser based on PyQt5 and QtWebEngine.|https://qutebrowser.org/|{{Pkg|qutebrowser}}}}<br />
<br />
====== Browsers based on electron ======<br />
<br />
* {{App|Beaker|Peer-to-peer web browser with tools to create and host websites. Based on the [https://electronjs.org/ Electron] platform.|https://github.com/beakerbrowser/beaker|{{AUR|beaker}}}}<br />
* {{App|Min|A smarter, faster web browser based on the [https://electronjs.org/ Electron] platform.|https://minbrowser.github.io/min/|{{Pkg|min}}}}<br />
<br />
===== WebKit-based =====<br />
<br />
See also [[Wikipedia:WebKit]].<br />
<br />
{{Note|webkitgtk, webkitgtk2 and qtwebkit-based browsers were removed from the list, because these are today considered insecure and outdated. More info [https://blogs.gnome.org/mcatanzaro/2016/02/01/on-webkit-security-updates/ here].}}<br />
<br />
====== Browsers based on webkit2gtk ======<br />
<br />
* {{App|Eolie|Simple web browser for GNOME.|https://wiki.gnome.org/Apps/Eolie|{{Pkg|eolie}}}}<br />
* {{App|[[GNOME Web]]|Browser which uses the WebKitGTK rendering engine, part of {{Grp|gnome}}.|https://wiki.gnome.org/Apps/Web/|{{Pkg|epiphany}}}}<br />
* {{App|[[Lariza]]|A simple, experimental web browser using GTK 3, GLib and WebKit2GTK.|https://www.uninformativ.de/git/lariza/|{{AUR|lariza}}}}<br />
* {{App|[[Luakit]]|Fast, small, webkit based browser framework extensible by Lua.|https://luakit.github.io/|{{Pkg|luakit}}}}<br />
* {{App|[[Midori]]|Lightweight web browser based on GTK and WebKit.|https://www.midori-browser.org/|{{Pkg|midori}}}}<br />
* {{App|Next|Keyboard-oriented, infinitely extensible browser.|https://next.atlas.engineer/|{{AUR|next-browser-git}}}}<br />
* {{App|[[surf]]|Lightweight WebKit-based browser, which follows the [https://suckless.org/philosophy suckless ideology] (basically, the browser itself is a single C source file).|https://surf.suckless.org/|{{Pkg|surf}}}}<br />
* {{App|Surfer|Simple keyboard based web browser, written in C.|https://github.com/nihilowy/surfer|{{AUR|surfer-git}}}}<br />
* {{App|Vimb|A Vim-like web browser that is inspired by Pentadactyl and Vimprobable.|https://fanglingsu.github.io/vimb/|{{Pkg|vimb}}}}<br />
<br />
====== Browsers based on qt5-webkit ======<br />
<br />
* {{App|[[Wikipedia:Eric Python IDE|Eric]]|QtWebKit-based HTML browser, part of the eric6 development toolset, can be launched with the {{ic|eric6_webbrowser}} command.|https://eric-ide.python-projects.org/|{{Pkg|eric}}}}<br />
* {{App|OSPKit|WebKit-based HTML browser for printing.|http://osp.kitchen/tools/ospkit/|{{AUR|ospkit-git}}}}<br />
* {{App|[[Otter Browser]]|Browser aiming to recreate classic Opera (12.x) UI using Qt5.|https://otter-browser.org/|{{Pkg|otter-browser}} or {{Pkg|otter-browser-nowebengine}}}}<br />
* {{App|[[qutebrowser]]|A keyboard-driven, [[vim]]-like browser based on PyQt5 with QtWebKit as an available backend.|https://github.com/qutebrowser/qutebrowser|{{Pkg|qutebrowser}}}}<br />
* {{App|smtube|Application that allows browsing, searching and playing YouTube videos.|https://www.smtube.org/|{{Pkg|smtube}}}}<br />
* {{App|WCGBrowser|A web browser for kiosk systems.|http://www.alandmoore.com/wcgbrowser/wcgbrowser.html|{{AUR|wcgbrowser-git}}}}<br />
<br />
===== Other =====<br />
<br />
* {{App|[[Wikipedia:Dillo|Dillo]]|Small, fast graphical web browser built on [[Wikipedia:Fltk|FLTK]]. Uses its own layout engine.|https://www.dillo.org/|{{Pkg|dillo}}}}<br />
* {{App|[[Wikipedia:Links (web browser)|Links]]|Graphics and text mode web browser. Includes a graphical X-window/framebuffer version with CSS, image rendering, pull-down menus. It can be launched with the {{ic|xlinks -g}} command.|http://links.twibright.com/|{{Pkg|links}}}}<br />
* {{App|[[Wikipedia:NetSurf|NetSurf]]|Featherweight browser written in C, notable for its slowly developing JavaScript support and fast rendering through its own layout engine.|http://www.netsurf-browser.org/|{{Pkg|netsurf}}}}<br />
* {{App|[[Wikipedia:Pale Moon (web browser)|Pale Moon]]|A Firefox fork focussing on speed, with a pre-Firefox 29 interface. Uses [[Wikipedia:Goanna (software)|Goanna]] layout engine, a fork of Gecko. Firefox add-ons may not be compatible. [https://addons.palemoon.org/firefox/incompatible/] Without support for newer Firefox features such as cache2, e10s, and OTMC.|http://www.palemoon.org/|{{AUR|palemoon}} or {{AUR|palemoon-bin}}}}<br />
* {{App|[[Wikipedia:Basilisk (web browser)|Basilisk]]|Another [[Wikipedia:Goanna (software)|Goanna-based]] browser from the developers of [[Wikipedia:Pale Moon (web browser)|Pale Moon]]. It features a Firefox 52-based UI, and is a perpetual beta. It lacks support for WebExtensions, but still supports XUL-based addons.|https://basilisk-browser.org/|{{AUR|basilisk-bin}}}}<br />
<br />
=== Web servers ===<br />
<br />
A [[Wikipedia:Web server|web server]] serves HTML web pages and other files via HTTP to clients like [[:Category:Web browser|web browsers]].<br />
The major web servers can be interfaced with programs to serve dynamic content ([[web applications]]).<br />
<br />
See also [[:Category:Web server]] and [[Wikipedia:Comparison of web server software]].<br />
<br />
* {{App|[[Apache]]|A high performance Unix-based HTTP server.|http://www.apache.org/dist/httpd/|{{Pkg|apache}}}}<br />
* {{App|[[Caddy]]|HTTP/2 web server with automatic HTTPS.|https://caddyserver.com/|{{Pkg|caddy}}}}<br />
* {{App|[[Hiawatha]]|Secure and advanced web server.|https://www.hiawatha-webserver.org/|{{Pkg|hiawatha}}}}<br />
* {{App|[[Lighttpd]]|A secure, fast, compliant and very flexible web-server.|http://www.lighttpd.net/|{{Pkg|lighttpd}}}}<br />
* {{App|[[nginx]]|Lightweight HTTP server and IMAP/POP3 proxy server.|https://nginx.org/|{{Pkg|nginx}}}}<br />
* {{App|sthttpd|Supported fork of the thttpd web server.|https://github.com/blueness/sthttpd|{{Pkg|sthttpd}}}}<br />
* {{App|yaws|Web server/framework written in Erlang.|http://yaws.hyber.org/|{{Pkg|yaws}}}}<br />
<br />
==== Static web servers ====<br />
<br />
* {{App|darkhttpd|A small and secure static web server, written in C, does not support HTTPS or Auth.|https://unix4lyfe.org/darkhttpd/|{{Pkg|darkhttpd}}}}<br />
* {{App|KatWeb|A lightweight static web server and reverse proxy, written in Go, designed for the modern web.|https://github.com/kittyhacker101/KatWeb|{{AUR|katweb}}}}<br />
* {{App|quark|An extremely small and simple HTTP GET-only web server. It only serves static pages on a single host.|http://tools.suckless.org/quark/|{{AUR|quark-git}}}}<br />
* {{App|serve|Static file serving and directory listing.|https://github.com/zeit/serve|{{AUR|nodejs-serve}}}}<br />
* {{App|servy|A tiny little web server, single binary, written in Rust.|https://github.com/zethra/servy|{{AUR|servy}}}}<br />
* {{App|Webfs|Simple and instant web server for mostly static content.|http://linux.bytesex.org/misc/webfs.html|{{Pkg|webfs}}}}<br />
<br />
The [[Python]] standard library module [https://docs.python.org/library/http.server.html http.server] can also be used from the command-line.<br />
<br />
==== Specialized web servers ====<br />
<br />
* {{App|Mongoose|Embedded web server library, supports WebSocket and MQTT.|https://github.com/cesanta/mongoose|{{AUR|mongoose}}}}<br />
* {{App|webhook|Small server for creating HTTP endpoints (hooks).|https://github.com/adnanh/webhook|{{Pkg|webhook}}}}<br />
* {{App|Woof|An ad-hoc single file webserver; Web Offer One File.|http://www.home.unix-ag.org/simon/woof.html|{{AUR|woof}}}}<br />
<br />
==== WSGI servers ====<br />
<br />
* {{App|Gunicorn|A Python WSGI HTTP Server for UNIX.|https://gunicorn.org/|{{Pkg|gunicorn}}, {{AUR|python2-gunicorn}}}}<br />
* {{App|[[uWSGI]]|A fast, self-healing and developer/sysadmin-friendly application container server written in C.|https://uwsgi-docs.readthedocs.io/|{{Pkg|uwsgi}}}}<br />
* {{App|Waitress|A WSGI server for Python 2 and 3.|https://github.com/Pylons/waitress|{{Pkg|python-waitress}}, {{Pkg|python2-waitress}}}}<br />
<br />
Apache also supports WSGI with [[mod_wsgi]].<br />
<br />
==== Performance testing ====<br />
<br />
* {{App|http_load|A webserver performance testing tool, runs in a single process.|http://www.acme.com/software/http_load/|{{AUR|http_load}}}}<br />
* {{App|httperf|Can generate various HTTP workloads, written in C.|https://github.com/httperf/httperf|{{AUR|httperf}}}}<br />
* {{App|vegeta|HTTP load testing tool, written in Go.|https://github.com/tsenart/vegeta|{{Pkg|vegeta}}}}<br />
* {{App|Web Bench|Benchmarking tool, uses fork() for simulating multiple clients.|http://home.tiscali.cz/~cz210552/webbench.html|{{AUR|webbench}}}}<br />
<br />
=== File sharing ===<br />
<br />
==== Download managers ====<br />
<br />
See also [[Wikipedia:Comparison of download managers]].<br />
<br />
===== Console =====<br />
<br />
* {{App|[[aria2]]|Lightweight download utility that supports HTTP, FTP, SFTP, BitTorrent and Metalink. It can run as a daemon controlled via a built-in JSON-RPC or XML-RPC interface.|https://aria2.github.io/|{{Pkg|aria2}}}}<br />
* {{App|Axel|Light command line download accelerator. Supports HTTP and FTP.|https://github.com/eribertomota/axel|{{Pkg|axel}}}}<br />
* {{App|[[Wikipedia:cURL|cURL]]|An URL retrieval utility and library. Supports HTTP, FTP and SFTP.|https://curl.haxx.se/|{{Pkg|curl}}}}<br />
* {{App|[[Wikipedia:Lftp|LFTP]]|Sophisticated file transfer program. Supports HTTP, FTP, SFTP, FISH, and BitTorrent.|http://lftp.yar.ru/|{{Pkg|lftp}}}}<br />
* {{App|mps-youtube|Terminal based YouTube jukebox with playlist management. Plays audio/video through mplayer/mpv.|https://github.com/mps-youtube/mps-youtube|{{Pkg|mps-youtube}}}}<br />
* {{App|Plowshare|A set of command-line tools designed for managing file-sharing websites (aka Hosters).|https://github.com/mcrapet/plowshare|{{Pkg|plowshare}}}}<br />
* {{App|[[Wikipedia:RTMPDump|RTMPDump]]|Download FLV videos through RTMP (Adobe's proprietary protocol for Flash video players).|http://rtmpdump.mplayerhq.hu/|{{Pkg|rtmpdump}}}}<br />
* {{App|snarf|Command-line URL retrieval tool. Supports HTTP and FTP.|https://www.xach.com/snarf/|{{Pkg|snarf}}}}<br />
* {{App|[[Streamlink]]|Launch streams from various streaming services in a custom video player or save them to a file.|https://streamlink.github.io/|{{Pkg|streamlink}}}}<br />
* {{App|[[Wikipedia:Streamripper|Streamripper]]|Records and splits streaming mp3 into tracks.|http://streamripper.sourceforge.net/|{{AUR|streamripper}}}}<br />
* {{App|You-Get|Download media contents (videos, audios, images) from the Web.|https://you-get.org/|{{Pkg|you-get}}}}<br />
* {{App|[[youtube-dl]]|Download videos from YouTube and many other web sites.|https://rg3.github.io/youtube-dl/|{{Pkg|youtube-dl}}}}<br />
* {{App|youtube-viewer|Command line utility for viewing YouTube videos.|https://github.com/trizen/youtube-viewer|{{Pkg|youtube-viewer}}}}<br />
* {{App|[[Wikipedia:Wget|Wget]]|A network utility to retrieve files from the Web. Supports HTTP and FTP.|https://www.gnu.org/software/wget/|{{Pkg|wget}}}}<br />
<br />
===== Graphical =====<br />
<br />
* {{App|ClipGrab|Downloader and converter for YouTube, Vimeo and many other online video sites.|https://clipgrab.org/|{{Pkg|clipgrab}}}}<br />
* {{App|FatRat|Qt based download manager with support for HTTP, FTP, SFTP, BitTorrent and Metalink.|http://fatrat.dolezel.info/|{{AUR|fatrat-git}}}}<br />
* {{App|FreeRapid|Java-based downloader that supports downloading from file-sharing services.|http://wordrider.net/freerapid/|{{AUR|freerapid}}}}<br />
* {{App|[[Wikipedia:FrostWire|FrostWire]]|Easy to use cloud downloader, BitTorrent client and media player.|https://www.frostwire.com/|{{AUR|frostwire}}}}<br />
* {{App|gtk-youtube-viewer|GTK utility for viewing YouTube videos.|https://github.com/trizen/youtube-viewer|{{Pkg|youtube-viewer}} + {{Pkg|gtk2-perl}} + {{Pkg|perl-file-sharedir}}}}<br />
* {{App|[[Wikipedia:Wget#GWget|Gwget]]|Download manager for GNOME. Supports HTTP and FTP.|https://projects.gnome.org/gwget/|{{Pkg|gwget}}}}<br />
* {{App|Gydl|GUI wrapper around the already existing youtube-dl program to download content from sites like YouTube.|https://github.com/JannikHv/gydl|{{AUR|gydl-git}}}}<br />
* {{App|[[JDownloader]]|Java-based downloader for one-click hosting sites.|http://jdownloader.org/|{{AUR|jdownloader2}}}}<br />
* {{App|[[Wikipedia:KGet|KGet]]|Download manager for KDE. Supports HTTP, FTP, BitTorrent and Metalink. Part of {{Grp|kdenetwork}}.|https://www.kde.org/applications/internet/kget/|{{Pkg|kget}}}}<br />
* {{App|Persepolis|Graphical front-end for aria2 download manager with lots of features. Supports HTTP and FTP.|https://persepolisdm.github.io/|{{AUR|persepolis}}}}<br />
* {{App|[[pyLoad]]|Downloader written in Python and designed to be extremely lightweight, easily extensible and fully manageable via web.|https://pyload.net/|{{AUR|pyload}}{{Broken package link|package not found}}}}<br />
* {{App|Steadyflow|Simple download manager for GNOME. Supports HTTP and FTP.|https://launchpad.net/steadyflow|{{Pkg|steadyflow}}}}<br />
* {{App|Streamtuner2|Internet radio station and video browser. It simply lists stations in categories from different directories and launches your preferred media apps for playback.|https://sourceforge.net/projects/streamtuner2/|{{AUR|streamtuner2}}}}<br />
* {{App|uGet|GTK download manager featuring download classification and HTML import. Supports HTTP, FTP, BitTorrent, Metalink, YouTube and Mega.|https://ugetdm.com/|{{Pkg|uget}}}}<br />
* {{App|Xtreme Download Manager|Powerful tool to increase download speed up to 500%. Supports HTTP and FTP. Video grabber works in a general way and is not limited to certain websites.|http://xdman.sourceforge.net/|{{AUR|xdman}}}}<br />
<br />
==== Cloud storage servers ====<br />
<br />
* {{App|[[Cozy]]|A personal cloud you can hack, host and delete.|https://cozy.io/|{{Pkg|cozy-stack}}}}<br />
* {{App|[[Nextcloud]]|A cloud server to store your files centrally on hardware controlled by you.|https://nextcloud.com|{{Pkg|nextcloud}}}}<br />
* {{App|[[Pydio]]|Mature open source web application for file sharing and synchronization.|https://pydio.com/|{{AUR|pydio}}}}<br />
* {{App|[[Seafile]]|An online file storage and collaboration tool with advanced support for file syncing, privacy protection and teamwork.|https://www.seafile.com/|{{AUR|seafile-server}}}}<br />
<br />
==== Cloud synchronization clients ====<br />
<br />
{{Tip|<nowiki></nowiki><br />
* Some [[synchronization and backup programs]] provide direct support for some cloud-storage services.<br />
* Some [[FUSE#List of FUSE filesystems|FUSE filesystems]] provide a way to mount cloud-storage as a filesystem. Google Drive can be accessed also by {{Pkg|gvfs-google}} for GVFS-based applications (like [[Nautilus]]), and by {{Pkg|kio-gdrive}} for KIO-based applications (like [[Dolphin]]).<br />
* See [[Disk encryption#Cloud-storage optimized]] to achieve zero-knowledge (client-side transparent encryption) storage on any third-party cloud service.<br />
}}<br />
<br />
* {{App|aws-cli|CLI for Amazon Web Services, including efficient file transfers to and from Amazon S3.|https://aws.amazon.com/cli/|{{Pkg|aws-cli}}}}<br />
* {{App|Backblaze B2|Backblaze B2 open-source command-line client.|https://www.backblaze.com/b2/cloud-storage.html|{{AUR|backblaze-b2}}}}<br />
* {{App|CloudCross|Synchronize local files and folders with many cloud providers. Mail.ru Cloud, Yandex Disk, Google Drive, OneDrive and Dropbox support is available.|https://cloudcross.mastersoft24.ru/|{{AUR|cloudcross}}}}<br />
* {{App|[[Cozy]] Drive|Desktop client for Cozy.|https://cozy-labs.github.io/cozy-desktop/|{{Pkg|cozy-desktop}}}}<br />
* {{App|drive|Tiny program to pull or push Google Drive files.|https://github.com/odeke-em/drive|{{AUR|drive-bin}}, {{AUR|drive-git}}}}<br />
* {{App|DriveSync|Command line utility that synchronizes your Google Drive files with a local folder on your machine.|https://github.com/MStadlmeier/drivesync|{{AUR|drivesync}}}}<br />
* {{App|[[Dropbox]]|Proprietary desktop client for Dropbox.|https://www.dropbox.com/|{{AUR|dropbox}}}}<br />
* {{App|gdrive|Command line utility for interacting with Google Drive.|https://github.com/prasmussen/gdrive|{{AUR|gdrive}}}}<br />
* {{App|Grive|Google Drive client with support for new Drive REST API and partial sync.|https://github.com/vitalif/grive2|{{AUR|grive}}}}<br />
* {{App|ODrive|Google Drive GUI for Windows / Mac / Linux.|https://github.com/liberodark/ODrive|{{AUR|odrive-bin}}}}<br />
* {{App|hubiC|Proprietary synchronization client service and command line tools for hubiC.|https://hubic.com/en/downloads|{{AUR|hubic}}}}<br />
* {{App|[[Insync]]|Unofficial proprietary Google Drive desktop client.|https://www.insynchq.com/|{{AUR|insync}}}}<br />
* {{App|[[Wikipedia:Mail.Ru|Mail.ru]] Cloud|Proprietary client for Mail.ru Cloud storage service.|https://cloud.mail.ru/|{{AUR|mailru-cloud}}{{Broken package link|package not found}}}}<br />
* {{App|[[Wikipedia:Mega (service)|Mega]] Sync Client|Desktop client to sync files with Mega.|https://mega.nz/|{{AUR|megasync}}}}<br />
* {{App|Megatools|Unofficial CLI for Mega.|https://megatools.megous.com/|{{AUR|megatools}}}}<br />
* {{App|[[Nextcloud]] Client|Desktop client for Nextcloud.|https://nextcloud.com/|{{Pkg|nextcloud-client}}}}<br />
* {{App|Nutstore|Desktop client for Nutstore.|https://www.jianguoyun.com/|{{AUR|nutstore}}}}<br />
* {{App|OneDrive|Unofficial CLI for [https://onedrive.live.com/about/ OneDrive].|https://github.com/skilion/onedrive|{{AUR|onedrive}}}}<br />
* {{App|[[Wikipedia:ownCloud|ownCloud]] Desktop Client|Desktop syncing client for ownCloud.|https://owncloud.com/client/|{{Pkg|owncloud-client}}}}<br />
* {{App|pCloud Drive|Proprietary desktop syncing client for pCloud. Based on the [https://electronjs.org/ Electron] platform.|https://www.pcloud.com/download-free-online-cloud-file-storage.html|{{AUR|pcloud-drive}}}}<br />
* {{App|[[Pydio]]Sync|Desktop client for Pydio.|https://pydio.com/|{{AUR|pydio-sync}}}}<br />
* {{App|Rclone|Multi-provider sync, copy, and mount client.|https://rclone.org/|{{Pkg|rclone}}}}<br />
* {{App|Rclone Browser|GUI client for Rclone.|https://github.com/kapitainsky/RcloneBrowser|{{AUR|rclone-browser}}}}<br />
* {{App|S3cmd|Unofficial CLI for Amazon S3.|https://s3tools.org/s3cmd|{{Pkg|s3cmd}}}}<br />
* {{App|[[Seafile]] Client|GUI client for Seafile.|https://www.seafile.com/|{{AUR|seafile-client}}}}<br />
* {{App|[[Wikipedia:SpiderOak|SpiderOak]] One|Proprietary client for SpiderOak One.|https://spideroak.com/|{{AUR|spideroak-one}}}}<br />
* {{App|[[Wikipedia:Tresorit|Tresorit]]|Proprietary desktop syncing client for Tresorit.|https://tresorit.com/download|{{AUR|tresorit}}}}<br />
* {{App|[[Yandex Disk]]|Proprietary CLI for Yandex Disk.|https://disk.yandex.ru/|{{AUR|yandex-disk}}}}<br />
<br />
==== FTP ====<br />
<br />
===== FTP clients =====<br />
<br />
See also [[Wikipedia:Comparison of FTP client software]].<br />
<br />
* {{App|[[Wikipedia:FileZilla|FileZilla]]|Fast and reliable FTP, FTPS and SFTP client.|https://filezilla-project.org/|{{Pkg|filezilla}}}}<br />
* {{App|[[Wikipedia:gFTP|gFTP]]|Multithreaded FTP client for Linux.|https://www.gftp.org/|{{Pkg|gftp}}}}<br />
* {{App|ftp|Simple FTP client provided by GNU Inetutils.|https://www.gnu.org/software/inetutils/manual/inetutils.html#ftp-invocation|{{Pkg|inetutils}}}}<br />
* {{App|ncftp|A set of free application programs implementing FTP.|https://www.ncftp.com/|{{Pkg|ncftp}}}}<br />
* {{App|[[Wikipedia:tnftp|tnftp]]|FTP client with several advanced features for [[Wikipedia:NetBSD|NetBSD]].|http://freshmeat.sourceforge.net/projects/tnftp|{{Pkg|tnftp}}}}<br />
<br />
Some file managers like [[Dolphin]], [[GNOME Files]] and [[Thunar]] also provide FTP functionality.<br />
<br />
===== FTP servers =====<br />
<br />
See also [[Wikipedia:List of FTP server software]].<br />
<br />
* {{App|[[bftpd]]|Small, easy-to-configure FTP server.|http://bftpd.sourceforge.net/|{{Pkg|bftpd}}}}<br />
* {{App|chezdav|WebDAV server that allows sharing a particular directory.|https://wiki.gnome.org/phodav|{{Pkg|phodav}}}}<br />
* {{App|ftpd|Simple FTP server provided by GNU Inetutils.|https://www.gnu.org/software/inetutils/manual/inetutils.html#ftpd-invocation|{{Pkg|inetutils}}}}<br />
* {{App|[[Proftpd|proFTPd]]|A secure and configurable FTP server.|http://www.proftpd.org/|{{AUR|proftpd}}}}<br />
* {{App|[[Pure-FTPd]]|Free (BSD-licensed), secure, production-quality and standard-compliant FTP server.|https://www.pureftpd.org/project/pure-ftpd/|{{AUR|pure-ftpd}}}}<br />
* {{App|[[SSH]]|SFTP is a network protocol that provides file access, file transfer, and file management over any reliable data stream.|https://www.openssh.com|{{Pkg|openssh}}}}<br />
* {{App|[[vsftpd]]|Lightweight, stable and secure FTP server for UNIX-like systems.|https://security.appspot.com/vsftpd.html|{{Pkg|vsftpd}}}}<br />
<br />
==== BitTorrent clients ====<br />
<br />
Some [[#Download managers|download managers]] are also able to connect to the BitTorrent network: [[Aria2]], [[Wikipedia:Lftp|LFTP]], FatRat, [[Wikipedia:FrostWire|FrostWire]], [[Wikipedia:KGet|KGet]], [[Wikipedia:MLDonkey|MLDonkey]], uGet.<br />
<br />
See also [[Wikipedia:Comparison of BitTorrent clients]].<br />
<br />
===== Console =====<br />
<br />
* {{App|btpd|The BitTorrent Protocol Daemon.|https://github.com/btpd/btpd|{{AUR|btpd}}}}<br />
* {{App|Ctorrent|CTorrent is a BitTorrent client implemented in C++ to be lightweight and quick.|http://www.rahul.net/dholmes/ctorrent/|{{AUR|enhanced-ctorrent}}}}<br />
* {{App|peerflix|Streaming torrent client for node.js.|https://github.com/mafintosh/peerflix|{{AUR|peerflix}}}}<br />
* {{App|[[rTorrent]]|Simple and lightweight ncurses BitTorrent client. Requires {{Pkg|libtorrent}} backend.|https://rakshasa.github.io/rtorrent/|{{Pkg|rtorrent}}}}<br />
* {{App|[[Transmission]] CLI|Simple and easy-to-use BitTorrent client with a daemon version and multiple front-ends. This package includes backend, daemon, command-line interface, and a Web UI interface.|https://transmissionbt.com/|{{Pkg|transmission-cli}}}}<br />
<br />
===== Graphical =====<br />
<br />
* {{App|[[Deluge]]|User-friendly BitTorrent client written in Python using GTK that can run as a daemon.|https://deluge-torrent.org/|{{Pkg|deluge}}}}<br />
* {{App|Fragments|Easy to use BitTorrent client which follows the GNOME HIG and includes well thought-out features.|https://gitlab.gnome.org/World/Fragments|{{Pkg|fragments}}}}<br />
* {{App|[[Ktorrent]]|Feature-rich BitTorrent client for KDE.|https://www.kde.org/applications/internet/ktorrent/|{{Pkg|ktorrent}}}}<br />
* {{App|Powder Player|Hybrid between a streaming BitTorrent client and a player. Based on the [https://electronjs.org/ Electron] platform.|https://powder.media/|{{AUR|powder-player-bin}}}}<br />
* {{App|[[Wikipedia:qBittorrent|qBittorrent]]|Open source (GPLv2) BitTorrent client that strongly resembles µtorrent.|https://www.qbittorrent.org/|{{Pkg|qbittorrent}} or {{Pkg|qbittorrent-nox}}}}<br />
* {{App|[[Wikipedia:Tixati|Tixati]]|Proprietary peer-to-peer file sharing program that uses the popular BitTorrent protocol.|https://tixati.com/|{{AUR|tixati}}}}<br />
* {{App|Torrential|Simple torrent client for elementary OS.|https://github.com/davidmhewitt/torrential|{{AUR|torrential}}}}<br />
* {{App|[[Transmission]]|Simple and easy-to-use BitTorrent client with a daemon version and multiple front-ends.|https://transmissionbt.com/|GTK: {{Pkg|transmission-gtk}}, Qt: {{Pkg|transmission-qt}}}}<br />
* {{App|[[Transmission]] Remote|GTK client for remote management of the Transmission BitTorrent client, using its HTTP RPC protocol.|https://github.com/transmission-remote-gtk/transmission-remote-gtk|{{Pkg|transmission-remote-gtk}}}}<br />
* {{App|[[Wikipedia:Tribler|Tribler]]|4th generation file sharing system BitTorrent client.|https://www.tribler.org|{{Pkg|tribler}}}}<br />
* {{App|[[Wikipedia:Vuze|Vuze]]|Feature-rich BitTorrent client written in Java (formerly Azureus).|https://www.vuze.com/|{{AUR|vuze}}}}<br />
* {{App|WebTorrent Desktop|Streaming BitTorrent application. Based on the [https://electronjs.org/ Electron] platform.|https://webtorrent.io/desktop/|{{AUR|webtorrent-desktop}}}}<br />
<br />
==== Other P2P networks ====<br />
<br />
See also [[Wikipedia:Comparison of file-sharing applications]].<br />
<br />
* {{App|[[aMule]]|Well-known eDonkey/Kad client with a daemon version and GTK, web, and CLI front-ends.|http://www.amule.org/|{{Pkg|amule}}}}<br />
* {{App|EiskaltDC++|Direct Connect and ADC client.|https://github.com/eiskaltdcpp/eiskaltdcpp|GTK: {{AUR|eiskaltdcpp-gtk}}, Qt: {{AUR|eiskaltdcpp-qt}}}}<br />
* {{App|[[Wikipedia:gtk-gnutella|gtk-gnutella]]|GTK server/client for the Gnutella peer-to-peer network.|http://gtk-gnutella.sourceforge.net/|{{AUR|gtk-gnutella}}}}<br />
* {{App|KaMule|KDE graphical front-end for aMule.|https://www.linux-apps.com/content/show.php?content&#61;150270|{{AUR|kamule}}}}<br />
* {{App|LBRY|Browser and wallet for LBRY, the decentralized, user-controlled content marketplace. Based on the [https://electronjs.org/ Electron] platform.|https://lbry.io/|{{AUR|lbry-app-bin}}}}<br />
* {{App|[[Wikipedia:MLDonkey|MLDonkey]]|Multi-protocol P2P client that supports HTTP, FTP, BitTorrent, Direct Connect, eDonkey and FastTrack.|http://mldonkey.sourceforge.net/|{{Pkg|mldonkey}}}}<br />
* {{App|ncdc|Modern and lightweight Direct Connect and ADC client with a friendly ncurses interface.|https://dev.yorhel.nl/ncdc|{{AUR|ncdc}}}}<br />
* {{App|Nicotine+|A graphical client for the Soulseek P2P network.|https://www.nicotine-plus.org/|{{Pkg|nicotine+}}}}<br />
* {{App|Valknut|Direct Connect client (like DC++) with segmented downloading.|http://wxdcgui.sourceforge.net/|{{AUR|valknut}}}}<br />
<br />
==== Pastebin clients ====<br />
<br />
See also [[Wikipedia:Pastebin]].<br />
<br />
Pastebin services are often used to quote text or images while collaborating and troubleshooting. Pastebin clients provide a convenient way to post from the command line.<br />
<br />
{{Tip| You can access the [http://ix.io/ ix.io] pastebin using curl. For example, pipe the output of a command to ix.io: {{bc|''command'' <nowiki>|& curl -F 'f:1=<-' ix.io </nowiki>}} or upload a file: {{bc|<nowiki>curl -F 'f:1=<-' ix.io < </nowiki>''file''}}}}<br />
<br />
{{Note| [http://pastebin.com/ pastebin.com] is blocked for some people and has a history of annoying issues (JavaScript, adverts, poor formatting, etc.). Do ''not'' use it.}}<br />
<br />
* {{App|Elmer|Pastebin client similar to wgetpaste and curlpaste, except written in Perl and usable with wget or curl. Servers: [http://codepad.org/ codepad.org], [http://rafb.me/ rafb.me], [http://sprunge.us/ sprunge.us].|https://github.com/sudokode/elmer|{{AUR|elmer}}}}<br />
* {{App|Fb-client|Client for the [http://paste.xinu.at/ paste.xinu.at] pastebin.|http://paste.xinu.at|{{Pkg|fb-client}}}}<br />
* {{App|Gist|Command-line interface for the [https://gist.github.com/ gist.github.com] pastebin service.|https://github.com/defunkt/gist|{{Pkg|gist}}}}<br />
* {{App|imgur|A CLI client which can upload images to the [https://imgur.com imgur.com] image sharing service.|https://github.com/tremby/imgur.sh|{{AUR|imgur.sh}}}}<br />
* {{App|Ix|Client for the ix.io pastebin.|http://ix.io|{{AUR|ix}}}}<br />
* {{App|Pastebinit|Really small Python script that acts as a Pastebin client. Servers: [http://pastie.org/ pastie.org], [https://paste.kde.org/ paste.kde.org], [http://paste.debian.net/ paste.debian.net], [http://paste.ubuntu.com/ paste.ubuntu.com] and others (for a full list see {{ic|pastebinit -l}}).|https://launchpad.net/pastebinit|{{Pkg|pastebinit}}}}<br />
* {{App|ruby-haste|Client for [http://hastebin.com/ hastebin.com].|https://github.com/seejohnrun/haste-client|{{AUR|ruby-haste}}}}<br />
* {{App|Uppity|The pastebin client with an attitude.|https://github.com/Kiwi/Uppity|{{AUR|uppity-git}}}}<br />
* {{App|Wgetpaste|Bash script that automates pasting to a number of pastebin services. Servers: [http://pastebin.ca/ pastebin.ca], [http://codepad.org/ codepad.org], [http://dpaste.com/ dpaste.com] and [http://pastebin.osuosl.org/ pastebin.osuosl.org].|http://wgetpaste.zlin.dk/|{{Pkg|wgetpaste}}}}<br />
<br />
=== Communication ===<br />
<br />
==== Email clients ====<br />
<br />
See also [[Wikipedia:Comparison of email clients]].<br />
<br />
===== Console =====<br />
<br />
* {{App|aerc|Work in progress asynchronous email client.|https://git.sr.ht/~sircmpwn/aerc|{{AUR|aerc-git}}}}<br />
* {{App|alot|An experimental terminal MUA based on [https://notmuchmail.org/ notmuch mail]. It is written in python using the [http://urwid.org/ urwid] toolkit.|https://github.com/pazz/alot|{{Pkg|alot}}}}<br />
* {{App|[[Alpine]]|Fast, easy-to-use and Apache-licensed email client based on [[Wikipedia:Pine (email client)|Pine]].|http://www.washington.edu/alpine/|{{AUR|alpine-git}}}}<br />
* {{App|[[S-nail]]|A mail processing system with a command syntax reminiscent of ''ed'' with lines replaced by messages. Provides the functionality of [[Wikipedia:mailx|mailx]].|https://www.sdaoden.eu/code.html#s-mailx|{{Pkg|s-nail}}}}<br />
* {{App|mu/mu4e|Email indexer (mu) and client for emacs (mu4e). Xapian based for fast searches.|http://www.djcbsoftware.nl/code/mu/mu4e.html|{{AUR|mu}}}}<br />
* {{App|[[Mutt]]|Small but very powerful text-based mail client.|http://www.mutt.org/|{{Pkg|mutt}}}}<br />
* {{App|[[Mutt#NeoMutt|NeoMutt]]|Command line mail reader (or MUA). It's a fork of Mutt with added features.|https://www.neomutt.org/|{{Pkg|neomutt}}}}<br />
* {{App|[[nmh]]|A modular mail handling system.|http://www.nongnu.org/nmh/|{{AUR|nmh}}}}<br />
* {{App|[[notmuch]]|A fast mail indexer built on top of ''xapian''.|https://notmuchmail.org/|{{Pkg|notmuch}}}}<br />
* {{App|[[Sup]]|CLI mail client with very fast searching, tagging, threading and Gmail-like operation.|https://sup-heliotrope.github.io/|{{AUR|sup}}}}<br />
* {{App|Wanderlust|Email client and news reader for Emacs.|http://www.gohome.org/wl/|{{Pkg|wanderlust}}}}<br />
<br />
===== Graphical =====<br />
<br />
* {{App|Balsa|Simple and light email client for GNOME.|https://pawsa.fedorapeople.org/balsa/|{{Pkg|balsa}}}}<br />
* {{App|[[Wikipedia:Claws Mail|Claws Mail]]|Lightweight GTK-based email client and news reader.|https://www.claws-mail.org/|{{Pkg|claws-mail}}}}<br />
* {{App|ElectronMail|Unofficial desktop app for several end-to-end encrypted email providers (like ProtonMail, Tutanota). Based on the [https://electronjs.org/ Electron] platform.|https://github.com/vladimiry/ElectronMail|{{AUR|electronmail-bin}}}}<br />
* {{App|[[Evolution]]|Mature and feature-rich e-mail client that is part of the GNOME project. Part of {{Grp|gnome-extra}}.|https://wiki.gnome.org/Apps/Evolution|{{Pkg|evolution}}}}<br />
* {{App|Geary|Simple desktop mail client built in [[Wikipedia:Vala (programming language)|Vala]].|https://wiki.gnome.org/Apps/Geary|{{Pkg|geary}}}}<br />
* {{App|Gnubiff|Mail notification program that checks for mail and displays headers when new mail has arrived.|http://gnubiff.sourceforge.net/|{{Pkg|gnubiff}}}}<br />
* {{App|Inboxer|Unofficial, free and open-source Google Inbox desktop app. Based on the [https://electronjs.org/ Electron] platform.|https://denysdovhan.com/inboxer/|{{AUR|inboxer}}}}<br />
* {{App|[[Wikipedia:Kmail|Kmail]]|Mature and feature-rich email client. Part of {{Grp|kdepim}}.|https://www.kde.org/applications/internet/kmail/|{{Pkg|kmail}}}}<br />
* {{App|Kube|Modern communication and collaboration client built with QtQuick.|https://kube.kde.org/|{{Pkg|kube}}}}<br />
* {{App|Mailnag|Extensible mail notification daemon.|https://github.com/pulb/mailnag|{{Pkg|mailnag}}}}<br />
* {{App|Mailspring|[https://github.com/Foundry376/Mailspring/issues/24 Proprietary] fork of Nylas Mail by one of the original authors.|https://getmailspring.com/|{{AUR|mailspring}}}}<br />
* {{App|Nylas Mail|Extensible desktop mail app. Based on the [https://electronjs.org/ Electron] platform.|https://www.nylas.com/nylas-mail/|{{AUR|nylas-mail-lives-bin}}}}<br />
* {{App|openWMail|The missing desktop client for Gmail & Google Inbox. Based on the [https://electronjs.org/ Electron] platform.|https://openwmail.github.io/|{{AUR|openwmail}}}}<br />
* {{App|QGmailNotifier|Portable Qt5 based GMail notifier.|https://github.com/eteran/qgmailnotifier|{{AUR|qgmailnotifier}}}}<br />
* {{App|Protonmail Desktop|Unofficial app that emulates a native client for the ProtonMail e-mail service. Based on the [https://electronjs.org/ Electron] platform.|http://protondesktop.com/|{{AUR|protonmail-desktop}}}}<br />
* {{App|[[Wikipedia:SeaMonkey#Mail|SeaMonkey Mail & Newsgroups]]|Email client included in the SeaMonkey suite.|https://www.seamonkey-project.org/|{{Pkg|seamonkey}}}}<br />
* {{App|[[Wikipedia:Sylpheed|Sylpheed]]|Lightweight and user-friendly GTK email client.|https://sylpheed.sraoss.jp/en/|{{Pkg|sylpheed}}}}<br />
* {{App|[[Thunderbird]]|Feature-rich email client from Mozilla written in GTK.|https://www.thunderbird.net/|{{Pkg|thunderbird}}}}<br />
* {{App|Trojitá|Qt IMAP email client. Only supports [https://bugs.kde.org/show_bug.cgi?id&#61;321374 one IMAP account].|http://trojita.flaska.net/|{{Pkg|trojita}}}}<br />
<br />
===== Web-based =====<br />
<br />
* {{App|[[Wikipedia:Mailpile|Mailpile]]|A modern, fast web-mail client with user-friendly encryption and privacy features.|https://www.mailpile.is/|{{AUR|mailpile}}}}<br />
* {{App|[[Nextcloud]] Mail|An email webapp for NextCloud.|https://github.com/nextcloud/mail|{{Pkg|nextcloud-app-mail}}}}<br />
* {{App|Roundcubemail|Browser-based multilingual IMAP client webapp with a native application-like user interface.|https://roundcube.net/|{{Pkg|roundcubemail}}}}<br />
* {{App|[[Squirrelmail|SquirrelMail]]|Webmail for Nuts!|https://squirrelmail.org/|{{AUR|squirrelmail}}}}<br />
<br />
==== Mail servers ====<br />
<br />
See [[Mail server]].<br />
<br />
* {{App|Modoboa|A modular mail hosting and management platform, written in Python.|https://modoboa.org/|{{AUR|modoboa}}}}<br />
<br />
==== Mail retrieval agents ====<br />
<br />
See also [[Wikipedia:Mail retrieval agent]].<br />
<br />
* {{App|[[fdm]]|Program to fetch and deliver mail.|https://github.com/nicm/fdm|{{Pkg|fdm}}}}<br />
* {{App|[[Wikipedia:Fetchmail|Fetchmail]]|A remote-mail retrieval utility.|https://www.fetchmail.info/|{{AUR|fetchmail}}}}<br />
* {{App|[[getmail]]|A POP3/IMAP4 mail retriever with reliable Maildir and command delivery.|http://pyropus.ca/software/getmail/|{{Pkg|getmail}}}}<br />
* {{App|imapsync|IMAP synchronisation, sync, copy or migration tool|http://imapsync.lamiral.info/|{{AUR|imapsync}}}}<br />
* {{App|[[isync]]|IMAP and MailDir mailbox synchronizer|http://isync.sourceforge.net/|{{Pkg|isync}}}}<br />
* {{App|mpop|A small, fast POP3 client suitable as a fetchmail replacement|https://marlam.de/mpop/|{{Pkg|mpop}}}}<br />
* {{App|[[OfflineIMAP]]|Synchronizes emails between two repositories.|http://www.offlineimap.org/|{{Pkg|offlineimap}}}}<br />
<br />
==== Instant messaging clients ====<br />
<br />
See also [[Wikipedia:Comparison of instant messaging clients]] and [[Wikipedia:Comparison of VoIP software]].<br />
<br />
This section lists all client software with [[Wikipedia:Instant messaging|instant messaging]] support.<br />
<br />
===== Multi-protocol clients =====<br />
<br />
{{Note|All messengers that support several networks by means of direct connections to them belong in this section.}}<br />
<br />
The number of networks supported by these clients is very large, but like any multi-protocol client they usually have very limited or no support for network-specific features.<br />
<br />
====== Console ======<br />
<br />
* {{App|BarnOwl|Ncurses-based chat client with support for the Zephyr, XMPP, IRC and Twitter protocols.|https://barnowl.mit.edu/|{{AUR|barnowl}}}}<br />
* {{App|[[Bitlbee|BitlBee]]|IRC gateway to popular chat networks (XMPP, ICQ and Twitter).|https://bitlbee.org/|{{Pkg|bitlbee}}}}<br />
* {{App|[[Wikipedia:Centericq|CenterIM]]|Text mode menu- and window-driven IM interface. Supports most of the widely used IM protocols, including ICQ, IRC and XMPP.|http://centerim.org/|{{AUR|centerim}}}}<br />
* {{App|EKG2|Ncurses based XMPP, Gadu-Gadu, ICQ and IRC client. |http://en.ekg2.org/{{Dead link|2018|09|21}}|{{AUR|ekg2}}}}<br />
* {{App|Finch|Ncurses-based chat client that uses libpurple and supports all its protocols (Bonjour, Gadu-Gadu, Groupwise, ICQ, IRC, SIMPLE, XMPP, Zephyr).|https://developer.pidgin.im/wiki/Using%20Finch|{{Pkg|finch}}}}<br />
* {{App|Minbif|IRC gateway to IM networks that uses libpurple.|https://symlink.me/projects/minbif/wiki|{{Pkg|minbif}}}}<br />
<br />
====== Graphical ======<br />
<br />
* {{App|[[Wikipedia:Empathy (software)|Empathy]]|GNOME instant messaging client with audio/video support using the [[Wikipedia:Telepathy (software)|Telepathy]] framework.|https://wiki.gnome.org/Apps/Empathy|{{Pkg|empathy}}}}<br />
* {{App|Franz|[[Wikipedia:Electron (software framework)|Electron]] application. Supports Discord, Facebook Messenger, Google Hangouts, Skype, Slack, Telegram, WhatsApp, Zulip and many more.|https://meetfranz.com/|{{AUR|franz}}}}<br />
* {{App|[[Wikipedia:Jitsi|Jitsi]]|Audio/video VoIP phone and instant messenger written in Java. Supports protocols such as SIP, XMPP, ICQ and IRC, and has many other useful features.|https://jitsi.org/|{{AUR|jitsi}}}}<br />
* {{App|[[Wikipedia:Kopete|Kopete]]|User-friendly IM supporting Bonjour, Gadu-Gadu, GroupWise, ICQ, XMPP.|https://userbase.kde.org/Kopete|{{Pkg|kopete}}}}<br />
* {{App|[[KDE#KDE Telepathy|KDE Telepathy]]|KDE instant messaging client using the [[Wikipedia:Telepathy (software)|Telepathy]] framework. Meant as a replacement for Kopete.|https://userbase.kde.org/Telepathy|{{Pkg|telepathy-kde-meta}}}}<br />
* {{App|[[Pidgin]]|Multi-protocol instant messaging client with audio support that uses libpurple and supports all its protocols (Bonjour, Gadu-Gadu, Groupwise, ICQ, IRC, SIMPLE, XMPP, Zephyr).|http://pidgin.im/|{{Pkg|pidgin}}}}<br />
* {{App|qutIM|Simple and user-friendly IM supporting ICQ, XMPP, Mail.Ru, IRC and VKontakte messaging.|http://qutim.org/|{{AUR|qutim}}}}<br />
* {{App|[[Wikipedia:Smuxi|Smuxi]]|Cross-platform IRC client that also supports Twitter and XMPP. |https://smuxi.im/|{{AUR|smuxi}}}}<br />
* {{App|[[Thunderbird]]|Feature-rich email client that supports instant messaging and chat using IRC, XMPP and Twitter.|https://www.thunderbird.net/|{{Pkg|thunderbird}}}}<br />
* {{App|Volt|Proprietary native desktop client for Skype, Telegram, Slack, XMPP, Discord, IRC and more. |https://volt-app.com/|{{AUR|volt}}}}<br />
<br />
===== IRC clients =====<br />
<br />
See also [[Wikipedia:Comparison of Internet Relay Chat clients]].<br />
<br />
====== Console ======<br />
<br />
* {{App|[[Wikipedia:BitchX|BitchX]]|Console-based IRC client developed from the popular [[Wikipedia:ircII|ircII]].|http://www.bitchx.org/|{{AUR|bitchx-git}}}}<br />
* {{App|ERC|Powerful, modular and extensible IRC client for [[Emacs]].|https://savannah.gnu.org/projects/erc/|included with {{Pkg|emacs}}}}<br />
* {{App|[[Wikipedia:Ii (IRC client)|ii]]|Featherweight IRC client, literally {{ic|tail -f}} the conversation and {{ic|echo}} back your replies to a file.|https://tools.suckless.org/ii/|{{AUR|ii}}}}<br />
* {{App|[[Irssi]]|Highly-configurable ncurses-based IRC client.|https://irssi.org/|{{Pkg|irssi}}}}<br />
* {{App|pork|Programmable, ncurses-based IRC client that mostly looks and feels like ircII.|http://dev.ojnk.net/|{{Pkg|pork}}}}<br />
* {{App|ScrollZ|Advanced IRC client based on [[Wikipedia:ircII|ircII]].|https://www.scrollz.info/|{{AUR|scrollz}}}}<br />
* {{App|sic|Extremely simple IRC client, similar to [[Wikipedia:Ii (IRC client)|ii]].|https://tools.suckless.org/sic/|{{AUR|sic}}}}<br />
* {{App|[[WeeChat]]|Modular, lightweight ncurses-based IRC client.|https://weechat.org/|{{Pkg|weechat}}}}<br />
* {{App|tiny|An IRC client written in Rust with a clutter-free interface.|https://github.com/osa1/tiny|{{AUR|tiny-irc-client-git}}}}<br />
<br />
'''Comparison'''<br />
<br />
{| class="wikitable sortable"<br />
! Name !! Package !! Written in !! Extensible !! [[Wikipedia:Simple Authentication and Security Layer|SASL]]<br />
|-<br />
! [[Wikipedia:BitchX|BitchX]]<br />
| {{AUR|bitchx-git}} || C || {{C|?}} || {{C|?}}<br />
|-<br />
! [https://savannah.gnu.org/projects/erc/ ERC]<br />
| {{Pkg|emacs}} || ELisp || {{G|in ELisp}} || {{Y|[https://www.emacswiki.org/emacs/ErcSASL via script]}}<br />
|-<br />
! [[Wikipedia:Ii (IRC client)|ii]]<br />
| {{AUR|ii}} || C || {{G|stdin/stdout}} || {{No}}<br />
|-<br />
! [[Irssi]]<br />
| {{Pkg|irssi}} || C || {{G|in Perl}} || {{Yes}}<br />
|-<br />
! [http://dev.ojnk.net/ pork]<br />
| {{Pkg|pork}} || C || {{G|in Perl}} || {{No}}<br />
|-<br />
! [https://www.scrollz.info/ ScrollZ]<br />
| {{AUR|scrollz}} || C || {{C|?}} || {{No}}<br />
|-<br />
! [https://tools.suckless.org/sic/ sic]<br />
| {{AUR|sic}} || C || {{G|stdin/stdout}} || {{No}}<br />
|-<br />
! [[WeeChat]]<br />
| {{Pkg|weechat}} || C || {{G|[https://weechat.org/files/doc/stable/weechat_scripting.en.html multiple languages]}} || {{Yes}}<br />
|-<br />
! [https://github.com/osa1/tiny tiny]<br />
| {{AUR|tiny-irc-client-git}} || Rust || {{No}} || {{Yes}}<br />
|}<br />
<br />
====== Graphical ======<br />
<br />
* {{App|HexChat|Fork of XChat for Linux and Windows.|https://hexchat.github.io/|{{Pkg|hexchat}}}}<br />
* {{App|[[Wikipedia:Konversation|Konversation]]|Qt-based IRC client for the KDE desktop.|https://konversation.kde.org/|{{Pkg|konversation}}}}<br />
* {{App|[[Wikipedia:KVIrc|KVIrc]]|Qt-based IRC client featuring extensive themes support.|http://kvirc.net/|{{AUR|kvirc-git}}}}<br />
* {{App|Loqui|GTK IRC client.|https://launchpad.net/loqui|{{AUR|loqui}}}}<br />
* {{App|LostIRC|Simple GTK IRC client with tab-autocompletion, multiple server support, logging and others.|http://lostirc.sourceforge.net|{{AUR|lostirc}}}}<br />
* {{App|Polari|Simple IRC client by the GNOME project.|https://wiki.gnome.org/Apps/Polari|{{Pkg|polari}}}}<br />
* {{App|[[Quassel]]|Modern, cross-platform, distributed IRC client.|https://quassel-irc.org/|{{Pkg|quassel-monolithic}}}}<br />
* {{App|Srain|Modern, beautiful IRC client written in GTK 3.|https://srain.im/|{{AUR|srain}}}}<br />
<br />
===== XMPP clients =====<br />
<br />
See also [[Wikipedia:XMPP]] and [[Wikipedia:Comparison of instant messaging clients#XMPP-related features]].<br />
<br />
====== Console ======<br />
<br />
* {{App|Freetalk|Console-based XMPP client.|https://www.gnu.org/software/freetalk/|{{AUR|freetalk}}}}<br />
* {{App|jabber.el|Minimal XMPP client for [[Emacs]].|http://emacs-jabber.sourceforge.net/|{{AUR|emacs-jabber}}}}<br />
* {{App|jp (Salut à Toi)|CLI frontend for Salut à Toi, multi-purpose XMPP client|https://salut-a-toi.org/|{{AUR|sat-jp}}}}<br />
* {{App|[[Wikipedia:MCabber|MCabber]]|Small XMPP console client, includes features: SSL, PGP, MUC, OTR and UTF8.|https://mcabber.com/|{{Pkg|mcabber}}}}<br />
* {{App|Poezio|XMPP client with IRC feeling|https://poez.io/|{{AUR|poezio}}}}<br />
* {{App|Primitivus (Salut à Toi)|Console frontend for Salut à Toi, multi-purpose XMPP client|https://salut-a-toi.org/|{{AUR|sat-primitivus}}}}<br />
* {{App|Profanity|A console based XMPP client inspired by Irssi.|http://profanity.im/|{{Pkg|profanity}}}}<br />
* {{App|xmpp-client|A minimalist XMPP client with OTR support.|https://github.com/agl/xmpp-client|{{AUR|go-xmpp-client}}}}<br />
<br />
====== Graphical ======<br />
<br />
* {{App|Cagou (Salut à Toi)|Desktop/mobiles frontend for Salut à Toi, multi-purpose XMPP client|https://salut-a-toi.org/|{{AUR|sat-cagou-hg}}}}<br />
* {{App|Converse.js|Web-based XMPP chat client written in JavaScript.|https://conversejs.org/|{{AUR|conversejs-git}}}}<br />
* {{App|Dino|A modern, easy to use XMPP client, with PGP and OMEMO support.|https://dino.im/|{{AUR|dino-git}}}}<br />
* {{App|[[Gajim]]|XMPP client with audio support written in Python using GTK.|https://gajim.org/|{{Pkg|gajim}}}}<br />
* {{App|[[Wikipedia:Kadu (software)|Kadu]]|Qt-based XMPP and Gadu-Gadu client.|http://www.kadu.im/|{{AUR|kadu}}}}<br />
* {{App|Libervia (Salut à Toi)|Web frontend for Salut à Toi, multi-purpose XMPP client|https://salut-a-toi.org/|{{AUR|sat-libervia-hg}}}}<br />
* {{App|Nextcloud JavaScript XMPP Client|Chat app for Nextcloud with XMPP, end-to-end encryption, video calls, file transfer & group chat.|https://github.com/nextcloud/jsxc.nextcloud|{{AUR|nextcloud-app-jsxc}}}}<br />
* {{App|[[Wikipedia:Psi (instant messaging client)|Psi]]|Qt-based XMPP client.|https://psi-im.org/|{{Pkg|psi}} or {{Pkg|psi-nowebengine}}}}<br />
* {{App|[[Wikipedia:Spark (XMPP client)|Spark]]|Cross-platform real-time XMPP collaboration client optimized for business and organizations.|https://www.igniterealtime.org/projects/spark/|{{AUR|spark}}}}<br />
* {{App|Swift|XMPP client written in C++ with Qt and Swiften.|https://swift.im/|{{Pkg|swift-im}}}}<br />
* {{App|[[Wikipedia:Tkabber|Tkabber]]|Easy to hack feature-rich XMPP client by the author of the ejabberd XMPP server.|http://tkabber.jabber.ru/|{{AUR|tkabber}}}}<br />
* {{App|Vacuum IM|Full-featured crossplatform XMPP client.|https://github.com/Vacuum-IM/vacuum-im|{{AUR|vacuum-im}}}}<br />
<br />
===== SIP clients =====<br />
<br />
See also [[Wikipedia:List of SIP software#Clients]].<br />
<br />
* {{App|[[Jami|Banji]]|SIP-compatible softphone and instant messenger for the decentralized Jami network. KDE client, formerly known as Ring KDE.|https://kde.org/applications/internet/org.kde.ring-kde|{{AUR|ring-kde}}}}<br />
* {{App|[[Wikipedia:Blink (SIP client)|Blink]]|State of the art, easy to use SIP client.|http://icanblink.com/|{{AUR|blink}}}}<br />
* {{App|[[Wikipedia:Ekiga|Ekiga]]|VoIP and video conferencing application with full SIP and H.323 support (formerly known as GNOME Meeting).|https://www.ekiga.org/|{{Pkg|ekiga}}{{Broken package link|package not found}}}}<br />
* {{App|[[Jami]]|SIP-compatible softphone and instant messenger for the decentralized Jami network. Formerly known as Ring and SFLphone.|https://jami.net/|{{Pkg|jami-gnome}}}}<br />
* {{App|[[Wikipedia:Linphone|Linphone]]|VoIP phone application (SIP client) for communicating freely with people over the internet, with voice, video, and text instant messaging.|http://www.linphone.org/|{{AUR|linphone}}{{Broken package link|package not found}}}}<br />
* {{App|[[Wikipedia:Twinkle (software)|Twinkle]]|Qt softphone for VoIP and IM communication using SIP.|http://twinkle.dolezel.info/|{{AUR|twinkle-qt5}}}}<br />
<br />
===== Matrix clients =====<br />
<br />
See also [[Matrix]].<br />
<br />
* {{App|Fractal|Matrix client for GNOME written in Rust.|https://wiki.gnome.org/Apps/Fractal|{{Pkg|fractal}}}}<br />
* {{App|nheko|Desktop client for the Matrix protocol.|https://github.com/Nheko-Reborn/nheko|{{AUR|nheko}}, {{AUR|nheko-git}}}}<br />
* {{App|Quaternion|Qt5-based IM client for the Matrix protocol.|https://github.com/QMatrixClient/Quaternion|{{AUR|quaternion}}}}<br />
* {{App|Riot|Glossy Matrix client with an emphasis on performance and usability. Web application and desktop application based on the [https://electronjs.org/ Electron] platform.|https://about.riot.im/|{{Pkg|riot-web}}, {{Pkg|riot-desktop}}}}<br />
* {{App|Tensor|Qt5/QML-based Matrix client.|https://github.com/davidar/tensor|{{AUR|tensor-git}}}}<br />
<br />
===== Tox clients =====<br />
<br />
See also [[Tox]].<br />
<br />
* {{App|qTox|Powerful Tox client written in C++/Qt that follows the Tox design guidelines.|https://qtox.github.io/|{{Pkg|qtox}}}}<br />
* {{App|ratox|FIFO based tox client.|https://ratox.2f30.org/|{{AUR|ratox-git}}}}<br />
* {{App|Ricin|Dead-simple but powerful Tox client.|https://github.com/RicinApp/Ricin|{{AUR|ricin}}}}<br />
* {{App|Toxic|ncurses-based Tox client|https://github.com/Jfreegman/toxic|{{Pkg|toxic}}}}<br />
* {{App|Toxygen|Tox client written in pure Python3.|https://github.com/toxygen-project/toxygen|{{AUR|toxygen-git}}}}<br />
* {{App|Venom|A modern Tox client for the GNU/Linux desktop.|https://github.com/naxuroqa/Venom|{{AUR|venom}}}}<br />
* {{App|µTox|Lightweight Tox client.|https://utox.io/|{{Pkg|utox}}}}<br />
<br />
===== Serverless (decentralized) clients =====<br />
<br />
See also [[Avahi#Link-Local (Bonjour/Zeroconf) chat|Bonjour]], [[Ring]], [[Tox]] and [[Wikipedia:Comparison of LAN messengers]].<br />
<br />
* {{App|BeeBEEP|Secure LAN Messenger.|http://beebeep.sourceforge.net/|{{AUR|beebeep}}}}<br />
* {{App|Bit Chat|Secure, peer-to-peer instant messenger.|https://bitchat.im/|{{AUR|bitchat}}}}<br />
* {{App|[[Bitmessage]]|Decentralized and trustless P2P communications protocol for sending encrypted messages to another person or to many subscribers.|https://bitmessage.org/|{{AUR|pybitmessage}}}}<br />
* {{App|iptux|LAN communication software, compatible with IP Messenger.|https://github.com/iptux-src/iptux|{{AUR|iptux}}}}<br />
* {{App|LAN Messenger|P2P chat application for intranet communication that does not require a server. A variety of handy features are supported, including notifications, personal and group messaging with encryption, file transfer and message logging.|https://lanmessenger.github.io/|{{AUR|lmc}}}}<br />
* {{App|Patchwork|Decentralized messaging and sharing app built on top of Secure Scuttlebutt (SSB). Based on the [https://electronjs.org/ Electron] platform.|https://github.com/ssbc/patchwork|{{AUR|ssb-patchwork}}}}<br />
* {{App|[[RetroShare]]|Serverless encrypted instant messenger with filesharing, chatgroups, mail.|http://retroshare.net/|{{AUR|retroshare}}}}<br />
* {{App|[[Wikipedia:Ricochet (software)|Ricochet]]|Anonymous peer-to-peer instant messaging system built on [[Tor]] hidden services.|https://ricochet.im/|{{AUR|ricochet}}}}<br />
<br />
===== Other IM clients =====<br />
<br />
* {{App|Caprine|Unofficial Facebook Messenger app. Based on the [https://electronjs.org/ Electron] platform.|https://github.com/sindresorhus/caprine|{{Pkg|caprine}}}}<br />
* {{App|[[Discord]]|Proprietary all-in-one voice and text chat application for gamers that’s free and works on both your desktop and phone.|https://discordapp.com/|{{Pkg|discord}}}}<br />
* {{App|Esmska|Program for sending SMS over the Internet.|https://github.com/kparal/esmska|{{Pkg|esmska}}}} <br />
* {{App|[[Wikipedia:Gitter|Gitter]]|Communication product for communities and teams on GitHub.|https://gitter.im/|{{AUR|gitter}}}}<br />
* {{App|Hangups|Third-party instant messaging client for Google Hangouts.|https://github.com/tdryer/hangups|{{AUR|hangups}}}}<br />
* {{App|[[ICQ]]|Official ICQ client for Linux.|https://icq.com/linux/|{{AUR|icqdesktop-bin}}}}<br />
* {{App|Licq|Instant messaging client for UNIX supporting ICQ.|http://licq.org/|{{Pkg|licq}}{{Broken package link|package not found}}}}<br />
* {{App|Matterhorn|Console client for the Mattermost chat system.|https://github.com/matterhorn-chat/matterhorn|{{AUR|matterhorn}}}}<br />
* {{App|[[Mattermost]] Desktop|Desktop application for Mattermost. Based on the [https://electronjs.org/ Electron] platform.|https://github.com/mattermost/desktop|{{AUR|mattermost-desktop}}}}<br />
* {{App|[[Mumble]]|Voice chat application similar to TeamSpeak.|https://www.mumble.info/|{{Pkg|mumble}}}}<br />
* {{App|QHangups|Alternative client for Google Hangouts written in PyQt.|https://github.com/xmikos/qhangups|{{AUR|qhangups}}}}<br />
* {{App|Rocket.Chat Desktop|Desktop application for Rocket.Chat. Based on the [https://electronjs.org/ Electron] platform.|https://github.com/RocketChat/Rocket.Chat.Electron|{{AUR|rocketchat-desktop}}}}<br />
* {{App|[[Wikipedia:Signal (software)|Signal]]|Signal Private Messenger for the Desktop. Based on the [https://electronjs.org/ Electron] platform.|https://github.com/signalapp/Signal-Desktop|{{Pkg|signal-desktop}}}}<br />
* {{App|[[Wikipedia:Skype|Skype]]|Popular but proprietary application for voice and video communication. Based on the [https://electronjs.org/ Electron] platform.|https://www.skype.com/|{{AUR|skypeforlinux-stable-bin}}}}<br />
* {{App|[[Wikipedia:Slack (software)|Slack]]|Proprietary Slack client for desktop. Based on the [https://electronjs.org/ Electron] platform.|https://slack.com/downloads/linux|{{AUR|slack-desktop}}}}<br />
* {{App|[[TeamSpeak]]|Proprietary VoIP application with gamers as its target audience.|https://www.teamspeak.com/|{{Pkg|teamspeak3}}}}<br />
* {{App|[[TeamTalk]]|Proprietary VoIP application with video chat, file and desktop sharing. Desktop sharing doesn't appear to be working in Linux though. AUR package is server only, but client is built in the make process.|https://bearware.dk|{{AUR|teamtalk}}}}<br />
* {{App|[[Telegram]] Desktop|Official Telegram desktop client.|https://desktop.telegram.org/|{{Pkg|telegram-desktop}}}}<br />
* {{App|[[Wikipedia:Viber|Viber]]|Proprietary cross-platform IM and VoIP software.|https://www.viber.com/products/linux/|{{AUR|viber}}}}<br />
* {{App|[[Wikipedia:Wire (software)|Wire]]|Modern, private messenger. Based on the [https://electronjs.org/ Electron] platform.|https://wire.com/|{{Pkg|wire-desktop}}}}<br />
* {{App|YakYak|Unofficial desktop client for Google Hangouts. Based on the [https://electronjs.org/ Electron] platform.|https://github.com/yakyak/yakyak|{{AUR|yakyak}}}}<br />
* {{App|[[Wikipedia:Zoom Video Communications|Zoom]]|Proprietary video conferencing, online meetings and group messaging application.|https://zoom.us/|{{AUR|zoom}}}}<br />
* {{App|[[Wikipedia:Zulip|Zulip]]|Desktop client for Zulip group chat. Based on the [https://electronjs.org/ Electron] platform.|https://zulipchat.com/apps/linux|{{AUR|zulip-electron-bin}}}}<br />
<br />
==== Instant messaging servers ====<br />
<br />
See also [[Wikipedia:Comparison of instant messaging protocols]].<br />
<br />
===== IRC servers =====<br />
<br />
See also [[Wikipedia:Comparison of Internet Relay Chat daemons]].<br />
<br />
* {{App|[[InspIRCd]]|A stable, modern and lightweight IRC daemon.|https://www.inspircd.org/|{{AUR|inspircd}}}}<br />
* {{App|IRCD-Hybrid|A lightweight, high-performance internet relay chat daemon.|http://www.ircd-hybrid.org/|{{AUR|ircd-hybrid}}}}<br />
* {{App|miniircd|A small and configuration free IRC server, suitable for private use.|https://github.com/jrosdahl/miniircd|{{AUR|miniircd-git}}}}<br />
* {{App|[[UnrealIRCd]]|Open Source IRC Server.|https://www.unrealircd.org/|{{Pkg|unrealircd}}}}<br />
* {{App|ngIRCd|A free, portable and lightweight Internet Relay Chat server for small or private networks.|https://ngircd.barton.de/|{{Pkg|ngircd}}}}<br />
<br />
===== XMPP servers =====<br />
<br />
See also [[Wikipedia:Comparison of XMPP server software]].<br />
<br />
* {{App|[[Prosody]]|An XMPP server written in the [http://www.lua.org/ Lua] programming language. Prosody is designed to be lightweight and highly extensible. It is licensed under a permissive [http://prosody.im/source/mit MIT license].|http://prosody.im/|{{Pkg|prosody}}}}<br />
* {{App|Ejabberd|Robust, scalable and extensible XMPP Server written in Erlang|https://www.ejabberd.im/|{{Pkg|ejabberd}}}}<br />
* {{App|[[Jabberd2]]|An XMPP server written in the C language and licensed under the GNU General Public License. It was inspired by jabberd14.|https://jabberd2.org/|{{AUR|jabberd2}}}}<br />
* {{App|[[Openfire]]|An XMPP IM multiplatform server written in Java|http://www.igniterealtime.org/projects/openfire/|{{Pkg|openfire}}}}<br />
<br />
===== SIP servers =====<br />
<br />
See also [[Wikipedia:List of SIP software#Servers]].<br />
<br />
* {{App|[[Asterisk]]|A complete PBX solution.|https://www.asterisk.org/|{{AUR|asterisk}}}}<br />
* {{App|Kamailio|Rock solid SIP server.|https://www.kamailio.org/|{{AUR|kamailio}}}}<br />
* {{App|openSIPS|SIP proxy/server for voice, video, IM, presence and any other SIP extensions.|https://opensips.org/|{{Pkg|opensips}}}}<br />
* {{App|Repro|An open-source, free SIP server.|https://www.resiprocate.org/About_Repro|{{AUR|repro}}}}<br />
* {{App|[[Wikipedia:Yate (telephony engine)|Yate]]|Advanced, mature, flexible telephony server that is used for VoIP and fixed networks, and for traditional mobile operators and MVNOs.|http://yate.ro/|{{Pkg|yate}}}}<br />
<br />
===== Other IM servers =====<br />
<br />
* {{App|[[Mattermost]]|Open source private cloud server, Slack-alternative.|https://github.com/mattermost/mattermost-server|{{AUR|mattermost}}}}<br />
* {{App|[[Murmur]]|The voice chat application server for Mumble.|https://www.mumble.info/|{{Pkg|murmur}}}}<br />
* {{App|Nextcloud Talk|Video- and audio-conferencing app for Nextcloud.|https://github.com/nextcloud/spreed|{{Pkg|nextcloud-app-spreed}}}}<br />
* {{App|Rocket.Chat|Web chat server, developed in JavaScript, using the Meteor fullstack framework.|https://github.com/RocketChat/Rocket.Chat|{{AUR|rocketchat-server}}}}<br />
* {{App|Spreed WebRTC|WebRTC audio/video call and conferencing server.|https://github.com/strukturag/spreed-webrtc|{{AUR|spreed-webrtc-server}}}}<br />
* {{App|[[Matrix|Synapse]]|Reference homeserver for the Matrix protocol.|https://github.com/matrix-org/synapse|{{Pkg|matrix-synapse}}}}<br />
* {{App|[[TeamSpeak]] Server|Proprietary VoIP conference server.|https://teamspeak.com/|{{Pkg|teamspeak3-server}}}}<br />
* {{App|uMurmur|Minimalistic Mumble server.|https://umurmur.net/|{{Pkg|umurmur}}}}<br />
<br />
==== Collaborative software ====<br />
<br />
See also [[Wikipedia:Collaborative software]].<br />
<br />
* {{App|[[Wikipedia:Citadel/UX|Citadel/UX]]|Includes an email & mailing list server, instant messaging, address books, calendar/scheduling, bulletin boards, and wiki and blog engines.|http://www.citadel.org/|{{AUR|webcit}}}}<br />
* {{App|[[Kolab]]|Kolab Groupware solution consisting of a server and various clients.|https://kolab.org/|{{AUR|kolab}}}}<br />
* {{App|[[Open-xchange]]|A groupware solution providing mail facilities, calendaring, shared contacts and Google-Docs-like text editing|http://www.ox.io/|{{AUR|open-xchange}}}}<br />
* {{App|[[SOGo]]|Groupware server built around OpenGroupware.org (OGo) and the SOPE application server.|https://sogo.nu/|{{AUR|sogo}}}}<br />
<br />
=== News, RSS, and blogs ===<br />
<br />
==== News aggregators ====<br />
<br />
[[Wikipedia:RSS|RSS]]/[[Wikipedia:Atom (standard)|Atom]] aggregators. Some [[#Email clients|email clients]] are also able to act as news aggregators: [[Wikipedia:Claws Mail|Claws Mail]] RSSyl plugin, [[Evolution]] RSS plugin, [[Wikipedia:SeaMonkey#Mail|SeaMonkey Mail & Newsgroups]], [[Thunderbird]].<br />
<br />
See also [[Wikipedia:Comparison of feed aggregators]].<br />
<br />
===== Console =====<br />
<br />
* {{App|[[Wikipedia:Canto (news aggregator)|Canto]]|Ncurses RSS aggregator.|https://codezen.org/canto/|{{Pkg|canto-curses}}}}<br />
* {{App|[[Wikipedia:Gnus|Gnus]]|Email, NNTP and RSS client for Emacs.|http://gnus.org/|{{Pkg|emacs}}}}<br />
* {{App|[[Newsboat]]|Ncurses RSS aggregator with layout and keybinding similar to the [[Mutt]] email client.|https://newsboat.org/|{{Pkg|newsboat}}}}<br />
* {{App|Rawdog|"RSS Aggregator Without Delusions Of Grandeur" that parses RSS/CDF/Atom feeds into a static HTML page of articles in chronological order.|http://offog.org/code/rawdog/|{{Pkg|rawdog}}}}<br />
* {{App|Snownews|Text mode RSS news reader.|https://github.com/kouya/snownews|{{AUR|snownews}}}}<br />
* {{App|sfeed|Lightweight RSS and Atom parser.|https://codemadness.org/sfeed-simple-feed-parser.html|{{AUR|sfeed-git}}}}<br />
<br />
===== Graphical =====<br />
<br />
* {{App|[[Wikipedia:Kontact#News Feed Aggregator|Akregator]]|News aggregator for KDE, part of {{Grp|kdepim}}.|https://www.kde.org/applications/internet/akregator/|{{Pkg|akregator}}}}<br />
* {{App|Alduin|RSS, Atom and JSON feed aggregator. Based on the [https://electronjs.org/ Electron] platform.|https://alduinapp.github.io/|{{AUR|alduin}}}}<br />
* {{App|FeedReader| Modern desktop application designed to complement existing web-based RSS accounts.|https://jangernert.github.io/FeedReader/|{{Pkg|feedreader}}}}<br />
* {{App|[[Wikipedia:Liferea|Liferea]]|GTK news aggregator for online news feeds and weblogs.|https://lzone.de/liferea/|{{Pkg|liferea}}}}<br />
* {{App|[[Nextcloud]] News|RSS/Atom feed reader for Nextcloud.|https://github.com/nextcloud/news|{{Pkg|nextcloud-app-news}}}}<br />
* {{App|QuiteRSS|RSS/Atom feed reader written in Qt/C++.|http://quiterss.org/|{{Pkg|quiterss}}}}<br />
* {{App|RSS Guard|Very tiny RSS and ATOM news reader developed using Qt framework.|https://github.com/martinrotter/rssguard|{{Pkg|rssguard}} or {{Pkg|rssguard-nowebengine}}}}<br />
* {{App|selfoss|The new multipurpose RSS reader, live stream, mashup, aggregation web application.|https://selfoss.aditu.de/|{{AUR|selfoss}}}}<br />
* {{App|Tickr|GTK-based RSS Reader that displays feeds as a smooth scrolling line on your desktop, as known from TV stations.|https://www.open-tickr.net/|{{AUR|tickr}}}}<br />
* {{App|[[Wikipedia:Tiny Tiny RSS|Tiny Tiny RSS]]|Web-based news feed (RSS/Atom) aggregator.|https://tt-rss.org/|{{Pkg|tt-rss}}}}<br />
<br />
==== Podcast clients ====<br />
<br />
Some media players are also able to act as podcast clients: [[Amarok]], [[Wikipedia:Banshee (media player)|Banshee]], Cantata, [[Wikipedia:Clementine_(software)|Clementine]], Goggles Music Manager, [[Wikipedia:Rhythmbox|Rhythmbox]], [[VLC media player]]. [[Wikipedia:git-annex|git-annex]] can also [https://git-annex.branchable.com/tips/downloading_podcasts/ function as a podcatcher].<br />
<br />
See also [[Wikipedia:List of podcatchers]].<br />
<br />
===== Console =====<br />
<br />
* {{App|castget|Simple, command-line RSS enclosure downloader, primarily intended for automatic, unattended downloading of podcasts.|https://castget.johndal.com/|{{Pkg|castget}}}}<br />
* {{App|gpo|Text mode interface of gPodder.|https://gpodder.github.io/|{{Pkg|gpodder}}}}<br />
* {{App|Greg|A command-line podcast aggregator.|https://github.com/manolomartinez/greg|{{AUR|greg-git}}}}<br />
* {{App|Marrie|A simple podcast client that runs on the Command Line Interface.|https://github.com/rafaelmartins/marrie/|{{AUR|marrie-git}}}}<br />
* {{App|pcd|A minimal podcast client written in Go.|https://github.com/kvannotten/pcd|{{AUR|pcd}}}}<br />
<br />
===== Graphical =====<br />
<br />
* {{App|CPod|Simple, beautiful podcast app. Based on the [https://electronjs.org/ Electron] platform.|https://github.com/z-------------/cumulonimbus|{{AUR|cpod}}}}<br />
* {{App|GNOME Podcasts|Podcast client for the GNOME Desktop written in Rust.|https://gitlab.gnome.org/World/podcasts|{{Pkg|gnome-podcasts}}}}<br />
* {{App|gPodder|Podcast client and media aggregator (GTK interface).|https://gpodder.github.io/|{{Pkg|gpodder}}}}<br />
* {{App|Vocal|Simple podcast client for the Modern Desktop (GTK).|https://vocalproject.net/|{{Pkg|vocal}}}}<br />
<br />
==== Usenet newsreaders ====<br />
<br />
Some [[#Email clients|email clients]] are also able to act as Usenet newsreaders: [[Wikipedia:Claws Mail|Claws Mail]], [[Evolution]], [[Mutt#NeoMutt|NeoMutt]], [[Wikipedia:SeaMonkey#Mail|SeaMonkey Mail & Newsgroups]], [[Wikipedia:Sylpheed|Sylpheed]], [[Thunderbird]].<br />
<br />
See also: [[Wikipedia:List of Usenet newsreaders]], [[Wikipedia:Comparison of Usenet newsreaders]].<br />
<br />
===== Console =====<br />
<br />
* {{app|[[Wikipedia:nn (newsreader)|nn]]|Alternative more user-friendly (curses-based) Usenet newsreader for UNIX.|http://www.nndev.org/|{{AUR|nn}}}}<br />
* {{app|[[Wikipedia:slrn|slrn]]|Text-based news client.|http://www.slrn.org/|{{AUR|slrn}}}}<br />
* {{app|[[Wikipedia:Tin_(newsreader)|tin]]|A cross-platform threaded NNTP and spool based UseNet newsreader.|http://tin.org/|{{AUR|tin}}}}<br />
* {{app|trn|A text-based Threaded Usenet newsreader.|http://trn.sourceforge.net/|{{AUR|trn}}}}<br />
<br />
===== Graphical =====<br />
<br />
* {{app|LottaNZB|A ''SABnzbd'' (Usenet binary downloader) GUI front-end written in PyGTK (Python 2)|https://launchpad.net/lottanzb/|{{aur|lottanzb}}}}<br />
* {{app|[[NZBGet]]|Usenet binary downloader for .nzb files with web and CLI interface.|https://nzbget.net/|{{Pkg|nzbget}}}}<br />
* {{app|[[Wikipedia:Pan (newsreader)|Pan]]|GTK Usenet newsreader that's good at both text and binaries.|http://pan.rebelbase.com/|{{Pkg|pan}}}}<br />
* {{app|[[SABnzbd]]|An open-source binary newsreader webapp written in Python.|https://sabnzbd.org/|{{AUR|sabnzbd}}}}<br />
* {{app|XRN|Usenet newsreader for X Window System.|http://www.mit.edu/people/jik/software/xrn.html|{{AUR|xrn}}}}<br />
<br />
==== Microblogging clients ====<br />
<br />
See also [[Wikipedia:List of Twitter services and applications]].<br />
<br />
===== Console =====<br />
<br />
* {{App|oysttyer|(official fork of ttytter) An interactive console text-based command-line Twitter client written in Perl.|https://github.com/oysttyer/oysttyer|{{AUR|oysttyer-git}}}}<br />
* {{App|Rainbowstream|A powerful and fully-featured console Twitter client written in Python.|https://github.com/orakaro/rainbowstream |{{AUR|rainbowstream}}}}<br />
* {{App|toot|CLI and TUI tool for interacting with Mastodon instances|https://github.com/ihabunek/toot|{{AUR|toot}}}}<br />
* {{App|turses|Twitter client for the console based off ''tyrs'' with major improvements.|https://github.com/louipc/turses|{{AUR|turses-git}}}}<br />
<br />
===== Graphical =====<br />
<br />
* {{App|Birdie|Beautiful Twitter client designed for elementary OS.|https://www.amuza.uk/birdie|{{AUR|birdie-git}}}}<br />
* {{App|Choqok|Microblogging client for KDE that supports Twitter.com, Pump.io, GNU social and opendesktop.org services.|http://choqok.gnufolks.org/|{{Pkg|choqok}}}}<br />
* {{App|Corebird|Native GTK Twitter client for the Linux desktop.|https://corebird.baedert.org//|{{AUR|corebird}}{{Broken package link|package not found}}}}<br />
* {{App|Mikutter|Simple, powerful Twitter client using [[GTK]] and Ruby.|https://mikutter.hachune.net/|{{AUR|mikutter}}}}<br />
* {{App|Polly|Linux Twitter client designed for multiple columns of multiple accounts.|https://launchpad.net/polly/|{{AUR|polly}}}}<br />
* {{App|Pumpa|Pump.io client written in C++ and Qt.|https://pumpa.branchable.com/|{{AUR|pumpa-git}}}}<br />
* {{App|Turpial|Multi-interface Twitter client written in Python.|http://turpial.org.ve/|{{AUR|turpial-git}}}}<br />
* {{App|Whalebird|Mastodon client application. Based on the [https://electronjs.org/ Electron] platform.|https://whalebird.org/|{{AUR|whalebird-bin}}}}<br />
<br />
==== Blog engines ====<br />
<br />
See also [[Wikipedia:Blog software]] and [[Wikipedia:List of content management systems]].<br />
{{note|Content managers, social networks, and blog publishers overlap in many functions.}}<br />
* {{App|[[Diaspora]]|A distributed privacy aware social network.|https://diasporafoundation.org|{{AUR|diaspora-mysql}} or {{AUR|diaspora-postgresql}}}}<br />
* {{App|[[Drupal]]|A PHP-based content management platform.|https://www.drupal.org/|{{Pkg|drupal}}}}<br />
* {{App|[[Ghost]]|Blogging platform written in JavaScript and distributed under the MIT License, designed to simplify the process of online publishing for individual bloggers as well as online publications.|https://ghost.org/|{{AUR|ghost-web}}}}<br />
* {{App|[[Joomla]]|A PHP content management system (CMS) which enables you to build websites and powerful online applications.|https://www.joomla.org/|{{AUR|joomla}}}}<br />
* {{App|[[Wordpress]]|Blog tool and publishing platform.|https://wordpress.org/|{{Pkg|wordpress}}}}<br />
<br />
==== Static site generators ====<br />
<br />
* {{App|Hexo|Fast, simple and powerful blog framework.|https://hexo.io/|{{AUR|nodejs-hexo-cli}}}}<br />
* {{App|Hugo|Hugo is a static HTML and CSS website generator written in Go. It is optimized for speed, ease of use, and configurability.|https://gohugo.io/|{{Pkg|hugo}}}}<br />
* {{App|[[Jekyll]]|Static blog engine, written in Ruby, which supports Markdown, textile and other formats.|https://jekyllrb.com/|{{AUR|jekyll}}}}<br />
* {{App|Nanoblogger|A small weblog engine written in Bash for the command line. It uses common UNIX tools such as cat, grep, and sed to create static HTML content. It is not maintained anymore.|http://nanoblogger.sourceforge.net/|{{AUR|nanoblogger}}}}<br />
* {{App|Nikola|Static site generator written in Python, with incremental rebuilds and multiple markup formats.|https://getnikola.com/|{{Pkg|nikola}}}}<br />
* {{app|Pelican|Static site generator, powered by Python.|http://docs.getpelican.com/|{{Pkg|pelican}}}}<br />
<br />
=== Remote desktop ===<br />
<br />
See also [[Wikipedia:Remote desktop software]] and [[Wikipedia:Comparison of remote desktop software]].<br />
<br />
==== Remote desktop clients ====<br />
<br />
* {{App|[[Wikipedia:AnyDesk|AnyDesk]]|Proprietary remote desktop software.|https://anydesk.com/|{{AUR|anydesk}}}}<br />
* {{App|[[Wikipedia:GNOME Boxes|GNOME Boxes]]|A simple GNOME 3 application to access remote or virtual systems. Supports VNC and SPICE.|https://wiki.gnome.org/Apps/Boxes|{{Pkg|gnome-boxes}}}}<br />
* {{App|GVncViewer|Simple VNC Client on Gtk-VNC. Run with {{ic|gvncviewer}}.|https://wiki.gnome.org/Projects/gtk-vnc|{{Pkg|gtk-vnc}}}}<br />
* {{App|[[Wikipedia:KRDC|KRDC]]|Remote Desktop Client for KDE. Supports RDP and VNC. Part of {{Grp|kdenetwork}}.|https://www.kde.org/applications/internet/krdc/|{{Pkg|krdc}}}}<br />
* {{App|[[Remmina]]|Remote desktop client written in GTK. Supports RDP, VNC, NX, XDMCP and SSH.|https://remmina.org/|{{Pkg|remmina}}}}<br />
* {{App|Remote Viewer|Simple remote display client. Supports SPICE and VNC.|https://virt-manager.org/|{{Pkg|virt-viewer}}}}<br />
* {{App|[[Wikipedia:TeamViewer|TeamViewer]]|Proprietary remote desktop client. It uses its own proprietary protocol.|https://www.teamviewer.com/|{{AUR|teamviewer}}}}<br />
* {{App|[[TigerVNC|vncviewer (TigerVNC)]]|VNC viewer for X.|https://tigervnc.org/|{{Pkg|tigervnc}}}}<br />
* {{App|[[Wikipedia:Vinagre|Vinagre]]|Remote desktop viewer for GNOME. Supports RDP, VNC, SPICE and SSH. Part of {{Grp|gnome-extra}}.|https://wiki.gnome.org/Apps/Vinagre|{{Pkg|vinagre}}}}<br />
* {{App|xfreerdp|FreeRDP X11 client. Run with {{ic|xfreerdp}}.|http://www.freerdp.com/|{{Pkg|freerdp}}}}<br />
* {{App|[[X2Go]] Client|A graphical client (Qt4) for the X2Go system that uses the [[w:NX technology|NX technology]] protocol.|https://wiki.x2go.org/doku.php|{{Pkg|x2goclient}}}}<br />
<br />
==== Remote desktop servers ====<br />
<br />
* {{App|Krfb|VNC server for KDE. Part of {{Grp|kdenetwork}}.|https://www.kde.org/applications/system/krfb|{{Pkg|krfb}}}}<br />
* {{App|[[Vino]]|VNC server for GNOME. Part of {{Grp|gnome}}.|https://wiki.gnome.org/Projects/Vino|{{Pkg|vino}}}}<br />
* {{App|[[TigerVNC|x0vncserver (TigerVNC)]]|VNC Server for X displays.|https://tigervnc.org/|{{Pkg|tigervnc}}}}<br />
* {{App|[[x11vnc]]|VNC server for real X displays.|http://www.karlrunge.com/x11vnc/|{{Pkg|x11vnc}}}}<br />
* {{App|[[X2Go]] Server|An open source remote desktop software that uses the [[w:NX technology|NX technology]] protocol.|https://wiki.x2go.org/doku.php|{{Pkg|x2goserver}}}}<br />
* {{App|[[Xrdp]]|A daemon that supports RDP. It uses Xvnc, X11rdp or xorgxrdp as a backend.|http://xrdp.org/|{{AUR|xrdp}}}}<br />
* {{App|wayvnc|VNC server for wlroots based wayland compositors (such as {{Pkg|sway}}).|https://github.com/any1/wayvnc|{{AUR|wayvnc}}}}</div>Ender4https://wiki.archlinux.org/index.php?title=Nftables&diff=585323Nftables2019-10-12T04:22:00Z<p>Ender4: Fix a typo</p>
<hr />
<div>{{DISPLAYTITLE:nftables}}<br />
[[Category:Firewalls]]<br />
[[es:Nftables]]<br />
[[ja:Nftables]]<br />
[[zh-hans:Nftables]]<br />
{{Related articles start}}<br />
{{Related|iptables}}<br />
{{Related articles end}}<br />
[http://netfilter.org/projects/nftables/ nftables] is a netfilter project that aims to replace the existing {ip,ip6,arp,eb}tables framework. It provides a new packet filtering framework, a new user-space utility (nft), and a compatibility layer for {ip,ip6}tables. It uses the existing hooks, connection tracking system, user-space queueing component, and logging subsystem of netfilter.<br />
<br />
It consists of three main components: a kernel implementation, the libnl netlink communication and the nftables user-space front-end.<br />
The kernel provides a netlink configuration interface as well as run-time rule-set evaluation; libnl contains the low-level functions for communicating with the kernel; and the nftables front-end is what the user interacts with via nft.<br />
<br />
You can also visit the [https://wiki.nftables.org/wiki-nftables/index.php/Main_Page official nftables wiki page] for more information.<br />
<br />
== Installation ==<br />
<br />
{{Expansion|Mention {{Pkg|iptables-nft}}.[https://www.redhat.com/en/blog/using-iptables-nft-hybrid-linux-firewall]}}<br />
<br />
[[Install]] the userspace utilities package {{Pkg|nftables}} or the git version {{AUR|nftables-git}}.<br />
<br />
{{Tip|Most [[iptables#Front-ends|iptables front-ends]] feature no direct or indirect support of nftables, but may introduce it.[https://www.spinics.net/lists/netfilter/msg58215.html] One graphical front-end that supports both, nftables and iptables, is [[firewalld]].[https://firewalld.org/2018/07/nftables-backend]}}<br />
<br />
== Usage ==<br />
<br />
''nftables'' makes a distinction between temporary rules made on the command line and permanent ones loaded from or saved to a file.<br />
The default file is {{ic|/etc/nftables.conf}} which already contains a simple ipv4/ipv6 firewall table named "inet filter".<br />
<br />
To use it [[start/enable]] the {{ic|nftables.service}}.<br />
<br />
You can check the ruleset with<br />
<br />
# nft list ruleset<br />
<br />
{{Note|You may have to create {{ic|/etc/modules-load.d/nftables.conf}} with all of the nftables related modules you require as entries for the systemd service to work correctly. You can get a list of modules using this command: {{bc|$ grep -Eo '^nf\w+' /proc/modules}}<br />
<br />
Otherwise, you could end up with the dreaded {{ic|Error: Could not process rule: No such file or directory}} error.}}<br />
<br />
== Configuration ==<br />
<br />
nftables' user-space utility ''nft'' performs most of the rule-set evaluation before handing rule-sets to the kernel. Rules are stored in chains, which in turn are stored in tables. The following sections indicate how to create and modify these constructs.<br />
<br />
All changes below are temporary. To make changes permanent, save your ruleset to {{ic|/etc/nftables.conf}} which is loaded by {{ic|nftables.service}}:<br />
# nft -s list ruleset > /etc/nftables.conf<br />
<br />
{{Note|{{ic|nft list}} does not output variable definitions. If you have any in {{ic|/etc/nftables.conf}}, they will be lost, and any variables used in rules will be replaced by their value.}}<br />
<br />
To read input from a file use the {{ic|-f}} flag:<br />
<br />
# nft -f ''filename''<br />
<br />
Note that any rules already loaded are not automatically flushed.<br />
<br />
See {{man|8|nft}} for a complete list of all commands.<br />
<br />
=== Tables ===<br />
<br />
Tables hold [[#Chains]]. Unlike tables in iptables, there are no built-in tables in nftables. The number of tables and their names is up to the user. However, each table only has one address family and only applies to packets of this family. Tables can have one of five families specified:<br />
<br />
{| class="wikitable"<br />
! nftables family || iptables utility<br />
|-<br />
| ip || iptables<br />
|-<br />
| ip6 || ip6tables<br />
|- <br />
| inet || iptables and ip6tables<br />
|-<br />
| arp || arptables<br />
|-<br />
| bridge || ebtables<br />
|-<br />
|}<br />
<br />
{{ic|ip}} (i.e. IPv4) is the default family and will be used if family is not specified.<br />
<br />
To create one rule that applies to both IPv4 and IPv6, use {{ic|inet}}. {{ic|inet}} allows for the unification of the {{ic|ip}} and {{ic|ip6}} families to make defining rules for both easier.<br />
<br />
See the section {{ic|ADDRESS FAMILIES}} in {{man|8|nft}} for a complete description of address families.<br />
<br />
In all of the following, {{ic|''family''}} is optional, and if not specified is set to {{ic|ip}}.<br />
<br />
==== Create table ====<br />
<br />
The following adds a new table:<br />
<br />
# nft add table ''family'' ''table''<br />
<br />
==== List tables ====<br />
<br />
To list all tables:<br />
<br />
# nft list tables<br />
<br />
==== List chains and rules in a table ====<br />
<br />
To list all chains and rules of a specified table do:<br />
<br />
# nft list table ''family'' ''table''<br />
<br />
For example, to list all the rules of the {{ic|filter}} table of the {{ic|inet}} family:<br />
<br />
# nft list table inet filter<br />
<br />
==== Delete table ====<br />
<br />
To delete a table do:<br />
<br />
# nft delete table ''family'' ''table''<br />
<br />
Tables can only be deleted if there are no chains in them.<br />
<br />
==== Flush table ====<br />
<br />
To flush all rules from a table do:<br />
<br />
# nft flush table ''family'' ''table''<br />
<br />
=== Chains ===<br />
<br />
The purpose of chains is to hold [[#Rules]]. Unlike chains in iptables, there are no built-in chains in nftables. This means that if no chain uses any types or hooks in the netfilter framework, packets that would flow through those chains will not be touched by nftables, unlike iptables.<br />
<br />
Chains have two types. A ''base'' chain is an entry point for packets from the networking stack, where a hook value is specified. A ''regular'' chain may be used as a jump target for better organization.<br />
<br />
In all of the following {{ic|''family''}} is optional, and if not specified is set to {{ic|ip}}.<br />
<br />
==== Create chain ====<br />
<br />
===== Regular chain =====<br />
<br />
The following adds a regular chain named {{ic|''chain''}} to the table named {{ic|''table''}}:<br />
<br />
# nft add chain ''family'' ''table'' ''chain''<br />
<br />
For example, to add a regular chain named {{ic|tcpchain}} to the {{ic|filter}} table of the {{ic|inet}} address family do:<br />
<br />
# nft add chain inet filter tcpchain<br />
<br />
===== Base chain =====<br />
<br />
To add a base chain specify hook and priority values:<br />
<br />
# nft add chain ''family'' ''table'' ''chain'' '{ type ''type'' hook ''hook'' priority ''priority'' ; }'<br />
<br />
{{ic|''type''}} can be {{ic|filter}}, {{ic|route}}, or {{ic|nat}}.<br />
<br />
For IPv4/IPv6/Inet address families {{ic|''hook''}} can be {{ic|prerouting}}, {{ic|input}}, {{ic|forward}}, {{ic|output}}, or {{ic|postrouting}}. See {{man|8|nft}} for a list of hooks for other families.<br />
<br />
{{ic|''priority''}} takes an integer value, which can be negative. Chains with lower numbers are processed first. [https://wiki.nftables.org/wiki-nftables/index.php/Configuring_chains#Base_chain_types]<br />
<br />
For example, to add a base chain that filters input packets:<br />
<br />
# nft add chain inet filter input '{ type filter hook input priority 0; }'<br />
<br />
Replace {{ic|add}} with {{ic|create}} in any of the above to add a new chain but return an error if the chain already exists.<br />
<br />
==== List rules ====<br />
<br />
The following lists all rules of a chain:<br />
<br />
# nft list chain ''family'' ''table'' ''chain''<br />
<br />
For example, the following lists the rules of the chain named {{ic|output}} in the {{ic|inet}} table named {{ic|filter}}:<br />
<br />
# nft list chain inet filter output<br />
<br />
==== Edit a chain ====<br />
<br />
To edit a chain, simply call it by its name and define the rules you want to change.<br />
<br />
# nft chain ''family table chain'' '{ [ type ''type'' hook ''hook'' device ''device'' priority ''priority'' ; policy ''policy'' ; ] }'<br />
<br />
For example, to change the input chain policy of the default table from {{ic|accept}} to {{ic|drop}}:<br />
<br />
# nft chain inet filter input '{ policy drop ; }'<br />
<br />
==== Delete a chain ====<br />
<br />
To delete a chain do:<br />
<br />
# nft delete chain ''family'' ''table'' ''chain''<br />
<br />
The chain must not contain any rules or be a jump target.<br />
<br />
==== Flush rules from a chain ====<br />
<br />
To flush rules from a chain do:<br />
<br />
# nft flush chain ''family'' ''table'' ''chain''<br />
<br />
=== Rules ===<br />
<br />
Rules are either constructed from expressions or statements and are contained within chains.<br />
<br />
==== Add rule ====<br />
<br />
{{Tip|The ''iptables-translate'' utility translates [[iptables]] rules to nftables format.}}<br />
<br />
To add a rule to a chain do:<br />
<br />
# nft add rule ''family'' ''table'' ''chain'' handle ''handle'' ''statement''<br />
<br />
The rule is appended at {{ic|''handle''}}, which is optional. If not specified, the rule is appended to the end of the chain.<br />
<br />
To prepend the rule to that position instead, do:<br />
<br />
# nft insert rule ''family'' ''table'' ''chain'' handle ''handle'' ''statement''<br />
<br />
If {{ic|''handle''}} is not specified, the rule is prepended to the chain.<br />
<br />
===== Expressions =====<br />
<br />
Typically a {{ic|''statement''}} includes some expression to be matched and then a verdict statement. Verdict statements include {{ic|accept}}, {{ic|drop}}, {{ic|queue}}, {{ic|continue}}, {{ic|return}}, {{ic|jump ''chain''}}, and {{ic|goto ''chain''}}. Other statements than verdict statements are possible. See {{man|8|nft}} for more information.<br />
<br />
There are various expressions available in nftables and, for the most part, they coincide with their iptables counterparts. The most noticeable difference is that there are no generic or implicit matches. A generic match was one that was always available, such as {{ic|--protocol}} or {{ic|--source}}. Implicit matches were protocol-specific, such as {{ic|--sport}} when a packet was determined to be TCP.<br />
<br />
The following is an incomplete list of the matches available:<br />
<br />
* meta (meta properties, e.g. interfaces)<br />
* icmp (ICMP protocol)<br />
* icmpv6 (ICMPv6 protocol)<br />
* ip (IP protocol)<br />
* ip6 (IPv6 protocol)<br />
* tcp (TCP protocol)<br />
* udp (UDP protocol)<br />
* sctp (SCTP protocol)<br />
* ct (connection tracking)<br />
<br />
The following is an incomplete list of match arguments (for a more complete list, see {{man|8|nft}}):<br />
<br />
{{bc|<nowiki><br />
meta:<br />
oif <output interface INDEX><br />
iif <input interface INDEX><br />
oifname <output interface NAME><br />
iifname <input interface NAME><br />
<br />
(oif and iif accept string arguments and are converted to interface indexes)<br />
(oifname and iifname are more dynamic, but slower because of string matching)<br />
<br />
icmp:<br />
type <icmp type><br />
<br />
icmpv6:<br />
type <icmpv6 type><br />
<br />
ip:<br />
protocol <protocol><br />
daddr <destination address><br />
saddr <source address><br />
<br />
ip6:<br />
daddr <destination address><br />
saddr <source address><br />
<br />
tcp:<br />
dport <destination port><br />
sport <source port><br />
<br />
udp:<br />
dport <destination port><br />
sport <source port><br />
<br />
sctp:<br />
dport <destination port><br />
sport <source port><br />
<br />
ct:<br />
state <new | established | related | invalid><br />
</nowiki>}}<br />
<br />
==== Deletion ====<br />
<br />
Individual rules can only be deleted by their handles. The {{ic|nft --handle list}} command must be used to determine rule handles. Note the {{ic|--handle}} switch, which tells {{ic|nft}} to list handles in its output.<br />
<br />
The following determines the handle for a rule and then deletes it. The {{ic|--numeric}} argument is useful for viewing some numeric output, like unresolved IP addresses.<br />
<br />
{{hc|# nft --handle --numeric list chain inet fltrTable input|2=<nowiki><br />
table inet fltrTable {<br />
chain input {<br />
type filter hook input priority 0;<br />
ip saddr 127.0.0.1 accept # handle 10<br />
}<br />
}<br />
</nowiki>}}<br />
<br />
# nft delete rule inet fltrTable input handle 10<br />
<br />
All the chains in a table can be flushed with the {{ic|nft flush table}} command. Individual chains can be flushed using either the {{ic|nft flush chain}} or {{ic|nft delete rule}} commands.<br />
<br />
# nft flush table foo<br />
# nft flush chain foo bar<br />
# nft delete rule ip6 foo bar<br />
<br />
The first command flushes all of the chains in the ip {{ic|foo}} table. The second flushes the {{ic|bar}} chain in the ip {{ic|foo}} table. The third deletes all of the rules in the {{ic|bar}} chain in the ip6 {{ic|foo}} table.<br />
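The handle lookup and deletion described above can be scripted. The following is an added example, not part of the original article: the function names and the sample listing are constructed for illustration, and the table and chain names are the ones used in the example above. It refuses to return a handle when the pattern matches more than one rule, and it skips table and chain declaration lines, which some nft versions also annotate with handles.

```shell
#!/bin/sh
# Added example, not from the wiki page. Function names are hypothetical.

# rule_handles PATTERN: read `nft --handle list chain ...` output on stdin and
# print the handle of every rule line that contains PATTERN as a fixed string.
# (awk interprets backslash escapes in PATTERN; plain addresses and ports are fine.)
rule_handles() {
    awk -v pat="$1" '
        /^[ \t]*(table|chain) / { next }   # declarations may carry handles too
        index($0, pat) == 0     { next }   # not the rule we are looking for
        match($0, /# handle [0-9]+[ \t]*$/) {
            h = substr($0, RSTART + 9, RLENGTH - 9)
            sub(/[ \t]+$/, "", h)
            print h
        }'
}

# unique_rule_handle PATTERN: print the handle only if exactly one rule matches.
# Returns 1 when nothing matches and 2 when the pattern is ambiguous.
unique_rule_handle() {
    handles=$(rule_handles "$1")
    [ -n "$handles" ] || { echo "no rule matches: $1" >&2; return 1; }
    [ "$(printf '%s\n' "$handles" | wc -l | tr -d ' ')" -eq 1 ] || {
        echo "ambiguous pattern, matches handles: $(echo $handles)" >&2
        return 2
    }
    printf '%s\n' "$handles"
}

# Constructed sample of `nft --handle --numeric list chain inet fltrTable input`.
SAMPLE_LISTING='table inet fltrTable { # handle 3
    chain input { # handle 1
        type filter hook input priority 0; policy accept;
        ip saddr 127.0.0.1 accept # handle 10
        ip saddr 10.0.2.0/24 tcp dport 22 accept # handle 11
        tcp dport 22 drop # handle 12
    }
}'

# Usage: script --delete 'ip saddr 127.0.0.1'   (needs root and a loaded ruleset)
if [ "${1:-}" = "--delete" ]; then
    h=$(nft --handle --numeric list chain inet fltrTable input |
        unique_rule_handle "$2") &&
        nft delete rule inet fltrTable input handle "$h"
fi
```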
<br />
=== Atomic reloading ===<br />
<br />
Start a new file with a command that flushes the current ruleset:<br />
<br />
# echo "flush ruleset" > /tmp/nftables <br />
<br />
Append a dump of the current ruleset to the file:<br />
<br />
# nft -s list ruleset >> /tmp/nftables<br />
<br />
Now you can edit {{ic|/tmp/nftables}} and apply your changes with:<br />
<br />
# nft -f /tmp/nftables<br />
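The three steps above, combined into one script. This is an added example, not part of the original article, and its function names are hypothetical. It writes to a private {{ic|mktemp}} file instead of the fixed, world-visible {{ic|/tmp/nftables}} path, so the file root loads cannot be pre-created or replaced by another local user, and it validates the edited file with {{ic|nft -c}} before applying it.

```shell
#!/bin/sh
# Added example, not from the wiki page. Function names are hypothetical.

# build_reload_file: read a ruleset dump on stdin and write "flush ruleset"
# followed by that dump to a new private file; print the file's path.
# mktemp creates the file with an unpredictable name and mode 0600.
build_reload_file() {
    reload_file=$(mktemp "${TMPDIR:-/tmp}/nftables.XXXXXX") || return 1
    if ! { printf 'flush ruleset\n'; cat; } > "$reload_file"; then
        rm -f "$reload_file"
        return 1
    fi
    printf '%s\n' "$reload_file"
}

# apply_reload FILE: validate first, then load flush + rules as one transaction.
apply_reload() {
    # -c/--check parses and validates the file without changing the kernel ruleset.
    nft -c -f "$1" || { echo "ruleset check failed, nothing applied" >&2; return 1; }
    nft -f "$1"
}

# reload_ruleset: dump, let the administrator edit, check, apply, clean up.
reload_ruleset() {
    # Take the dump in its own step: inside a pipeline a failing nft would go
    # unnoticed and leave a file that only flushes the ruleset.
    dump=$(nft -s list ruleset) || { echo "cannot read current ruleset" >&2; return 1; }
    file=$(printf '%s\n' "$dump" | build_reload_file) || return 1
    "${EDITOR:-vi}" "$file"
    apply_reload "$file"
    rc=$?
    rm -f "$file"
    return "$rc"
}

# Usage: script --reload   (needs root)
if [ "${1:-}" = "--reload" ]; then
    reload_ruleset
fi
```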
<br />
== Examples ==<br />
<br />
=== Workstation ===<br />
<br />
{{hc|/etc/nftables.conf|2=<nowiki><br />
#!/usr/bin/nft -f<br />
<br />
flush ruleset<br />
<br />
table inet filter {<br />
chain input {<br />
type filter hook input priority 0; policy drop;<br />
<br />
iif lo accept comment "Accept any localhost traffic"<br />
ct state invalid drop comment "Drop invalid connections"<br />
ct state established,related accept comment "Accept traffic originated from us"<br />
<br />
ip6 nexthdr icmpv6 icmpv6 type { destination-unreachable, packet-too-big, time-exceeded, parameter-problem, mld-listener-query, mld-listener-report, mld-listener-reduction, nd-router-solicit, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert, ind-neighbor-solicit, ind-neighbor-advert, mld2-listener-report } accept comment "Accept ICMPv6"<br />
ip protocol icmp icmp type { destination-unreachable, router-solicitation, router-advertisement, time-exceeded, parameter-problem } accept comment "Accept ICMP"<br />
ip protocol igmp accept comment "Accept IGMP"<br />
<br />
udp dport mdns ip6 daddr ff02::fb accept comment "Accept mDNS"<br />
udp dport mdns ip daddr 224.0.0.251 accept comment "Accept mDNS"<br />
<br />
udp sport 1900 udp dport >= 1024 ip6 saddr { fd00::/8, fe80::/10 } meta pkttype unicast limit rate 4/second burst 20 packets accept comment "Accept UPnP IGD port mapping reply"<br />
udp sport 1900 udp dport >= 1024 ip saddr { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, 169.254.0.0/16 } meta pkttype unicast limit rate 4/second burst 20 packets accept comment "Accept UPnP IGD port mapping reply"<br />
<br />
udp sport netbios-ns udp dport >= 1024 meta pkttype unicast ip6 saddr { fd00::/8, fe80::/10 } accept comment "Accept Samba Workgroup browsing replies"<br />
udp sport netbios-ns udp dport >= 1024 meta pkttype unicast ip saddr { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, 169.254.0.0/16 } accept comment "Accept Samba Workgroup browsing replies"<br />
<br />
counter comment "Count any other traffic"<br />
}<br />
<br />
chain forward {<br />
type filter hook forward priority 0; policy drop;<br />
}<br />
<br />
chain output {<br />
type filter hook output priority 0; policy accept;<br />
}<br />
<br />
}<br />
</nowiki>}}<br />
<br />
=== Server ===<br />
<br />
{{hc|/etc/nftables.conf|2=<nowiki><br />
#!/usr/bin/nft -f<br />
<br />
flush ruleset<br />
<br />
table inet filter {<br />
chain input {<br />
type filter hook input priority 0; policy drop;<br />
<br />
iif lo accept comment "Accept any localhost traffic"<br />
ct state invalid drop comment "Drop invalid connections"<br />
ct state established,related accept comment "Accept traffic originated from us"<br />
<br />
ip6 nexthdr icmpv6 icmpv6 type { destination-unreachable, packet-too-big, time-exceeded, parameter-problem, mld-listener-query, mld-listener-report, mld-listener-reduction, nd-router-solicit, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert, ind-neighbor-solicit, ind-neighbor-advert, mld2-listener-report } accept comment "Accept ICMPv6"<br />
ip protocol icmp icmp type { destination-unreachable, router-solicitation, router-advertisement, time-exceeded, parameter-problem } accept comment "Accept ICMP"<br />
ip protocol igmp accept comment "Accept IGMP"<br />
<br />
udp dport mdns ip6 daddr ff02::fb accept comment "Accept mDNS"<br />
udp dport mdns ip daddr 224.0.0.251 accept comment "Accept mDNS"<br />
<br />
tcp dport ssh accept comment "Accept SSH on port 22"<br />
<br />
tcp dport { http, https, 8008, 8080 } accept comment "Accept HTTP (ports 80, 443, 8008, 8080)"<br />
<br />
meta l4proto { tcp, udp } th dport 2049 ip6 saddr { fd00::/8, fe80::/10 } accept comment "Accept NFS"<br />
meta l4proto { tcp, udp } th dport 2049 ip saddr { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, 169.254.0.0/16 } accept comment "Accept NFS"<br />
<br />
udp dport netbios-ns ip6 saddr { fd00::/8, fe80::/10 } accept comment "Accept NetBIOS Name Service (nmbd)"<br />
udp dport netbios-ns ip saddr { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, 169.254.0.0/16 } accept comment "Accept NetBIOS Name Service (nmbd)"<br />
udp dport netbios-dgm ip6 saddr { fd00::/8, fe80::/10 } accept comment "Accept NetBIOS Datagram Service (nmbd)"<br />
udp dport netbios-dgm ip saddr { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, 169.254.0.0/16 } accept comment "Accept NetBIOS Datagram Service (nmbd)"<br />
tcp dport netbios-ssn ip6 saddr { fd00::/8, fe80::/10 } accept comment "Accept NetBIOS Session Service (smbd)"<br />
tcp dport netbios-ssn ip saddr { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, 169.254.0.0/16 } accept comment "Accept NetBIOS Session Service (smbd)"<br />
tcp dport microsoft-ds ip6 saddr { fd00::/8, fe80::/10 } accept comment "Accept Microsoft Directory Service (smbd)"<br />
tcp dport microsoft-ds ip saddr { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, 169.254.0.0/16 } accept comment "Accept Microsoft Directory Service (smbd)"<br />
<br />
udp sport bootpc udp dport bootps ip saddr 0.0.0.0 ip daddr 255.255.255.255 accept comment "Accept DHCPDISCOVER (for DHCP-Proxy)"<br />
udp sport { bootpc, 4011 } udp dport { bootps, 4011 } ip saddr { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, 169.254.0.0/16 } accept comment "Accept PXE"<br />
udp dport tftp ip6 saddr { fd00::/8, fe80::/10 } accept comment "Accept TFTP"<br />
udp dport tftp ip saddr { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, 169.254.0.0/16 } accept comment "Accept TFTP"<br />
<br />
}<br />
<br />
chain forward {<br />
type filter hook forward priority 0; policy drop;<br />
}<br />
<br />
chain output {<br />
type filter hook output priority 0; policy accept;<br />
}<br />
<br />
}<br />
</nowiki>}}<br />
<br />
=== Limit rate ===<br />
<br />
{{bc|1=<nowiki><br />
table inet filter {<br />
chain input {<br />
type filter hook input priority 0; policy drop;<br />
<br />
iif lo accept comment "Accept any localhost traffic"<br />
ct state invalid drop comment "Drop invalid connections"<br />
<br />
ip protocol icmp icmp type echo-request limit rate over 10/second burst 4 packets drop comment "No ping floods"<br />
ip6 nexthdr icmpv6 icmpv6 type echo-request limit rate over 10/second burst 4 packets drop comment "No ping floods"<br />
<br />
ct state established,related accept comment "Accept traffic originated from us"<br />
<br />
ip6 nexthdr icmpv6 icmpv6 type { destination-unreachable, packet-too-big, time-exceeded, parameter-problem, mld-listener-query, mld-listener-report, mld-listener-reduction, nd-router-solicit, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert, ind-neighbor-solicit, ind-neighbor-advert, mld2-listener-report } accept comment "Accept ICMPv6"<br />
ip protocol icmp icmp type { destination-unreachable, router-solicitation, router-advertisement, time-exceeded, parameter-problem } accept comment "Accept ICMP"<br />
ip protocol igmp accept comment "Accept IGMP"<br />
<br />
tcp dport ssh ct state new limit rate 15/minute accept comment "Avoid brute force on SSH"<br />
<br />
}<br />
<br />
}<br />
</nowiki>}}<br />
<br />
=== Jump ===<br />
<br />
When using jumps in a configuration file, it is necessary to define the target chain first. Otherwise one could end up with {{ic|Error: Could not process rule: No such file or directory}}.<br />
<br />
{{bc|1=<nowiki><br />
table inet filter {<br />
chain web {<br />
tcp dport http accept<br />
tcp dport 8080 accept<br />
}<br />
chain input {<br />
type filter hook input priority 0;<br />
ip saddr 10.0.2.0/24 jump web<br />
drop<br />
}<br />
}<br />
</nowiki>}}<br />
<br />
=== Different rules for different interfaces ===<br />
<br />
If your box has more than one network interface, and you would like to use different rules for different interfaces, you may want to use a "dispatching" filter chain, and then interface-specific filter chains. For example, let us assume your box acts as a home router and you want to run a web server accessible over the LAN (interface enp3s0), but not from the public internet (interface enp2s0). You may want to consider a structure like this:<br />
<br />
{{bc|<nowiki><br />
table inet filter {<br />
chain input { # this chain serves as a dispatcher<br />
type filter hook input priority 0;<br />
<br />
iif lo accept # always accept loopback<br />
iifname enp2s0 jump input_enp2s0<br />
iifname enp3s0 jump input_enp3s0<br />
<br />
reject with icmp type port-unreachable # refuse traffic from all other interfaces<br />
}<br />
chain input_enp2s0 { # rules applicable to the public interface<br />
ct state {established,related} accept<br />
ct state invalid drop<br />
udp dport bootpc accept<br />
tcp dport bootpc accept<br />
reject with icmp type port-unreachable # all other traffic<br />
}<br />
chain input_enp3s0 {<br />
ct state {established,related} accept<br />
ct state invalid drop<br />
udp dport bootpc accept<br />
tcp dport bootpc accept<br />
tcp dport http accept<br />
tcp dport https accept<br />
reject with icmp type port-unreachable # all other traffic<br />
}<br />
chain output { # we let everything out<br />
type filter hook output priority 0;<br />
accept<br />
}<br />
}<br />
</nowiki>}}<br />
<br />
Alternatively you could choose only one {{ic|iifname}} statement, such as for the single upstream interface, and put the default rules for all other interfaces in one place, instead of dispatching for each interface.<br />
<br />
=== Masquerading ===<br />
<br />
nftables has a special keyword {{ic|masquerade}} "where the source address is automagically set to the address of the output interface" ([http://wiki.nftables.org/wiki-nftables/index.php/Performing_Network_Address_Translation_%28NAT%29#Masquerading source]). This is particularly useful for situations in which the IP address of the interface is unpredictable or unstable, such as the upstream interface of routers connecting to many ISPs. Without it, the Network Address Translation rules would have to be updated every time the IP address of the interface changed.<br />
<br />
To use it:<br />
<br />
* make sure masquerading is enabled in the kernel (true if you use the default kernel), otherwise during kernel configuration, set {{ic|1=CONFIG_NFT_MASQ=m}}.<br />
* the {{ic|masquerade}} keyword can only be used in chains of type {{ic|nat}}.<br />
* masquerading is a kind of source NAT, so only works in the output path.<br />
<br />
Example for a machine with two interfaces: LAN connected to {{ic|enp3s0}}, and public internet connected to {{ic|enp2s0}}:<br />
<br />
{{bc|<nowiki><br />
table inet nat {<br />
chain prerouting {<br />
type nat hook prerouting priority 0;<br />
}<br />
chain postrouting {<br />
type nat hook postrouting priority 100;<br />
oifname "enp2s0" masquerade<br />
}<br />
}<br />
</nowiki>}}<br />
<br />
== Tips and tricks ==<br />
<br />
=== Simple stateful firewall ===<br />
<br />
See [[Simple stateful firewall]] for more information.<br />
<br />
==== Single machine ====<br />
<br />
Flush the current ruleset:<br />
<br />
# nft flush ruleset<br />
<br />
Add a table:<br />
<br />
# nft add table inet filter<br />
<br />
Add the input, forward, and output base chains. The policy for input and forward will be to drop. The policy for output will be to accept.<br />
<br />
# nft add chain inet filter input '{ type filter hook input priority 0 ; policy drop ; }'<br />
# nft add chain inet filter forward '{ type filter hook forward priority 0 ; policy drop ; }'<br />
# nft add chain inet filter output '{ type filter hook output priority 0 ; policy accept ; }'<br />
<br />
Add two regular chains that will be associated with tcp and udp:<br />
<br />
# nft add chain inet filter TCP<br />
# nft add chain inet filter UDP<br />
<br />
Related and established traffic will be accepted:<br />
<br />
# nft add rule inet filter input ct state related,established accept<br />
<br />
All loopback interface traffic will be accepted:<br />
<br />
# nft add rule inet filter input iif lo accept<br />
<br />
Drop any invalid traffic:<br />
<br />
# nft add rule inet filter input ct state invalid drop<br />
<br />
Accept ICMP and IGMP:<br />
<br />
# nft add rule inet filter input ip6 nexthdr icmpv6 icmpv6 type '{ destination-unreachable, packet-too-big, time-exceeded, parameter-problem, mld-listener-query, mld-listener-report, mld-listener-reduction, nd-router-solicit, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert, ind-neighbor-solicit, ind-neighbor-advert, mld2-listener-report }' accept<br />
# nft add rule inet filter input ip protocol icmp icmp type '{ destination-unreachable, router-solicitation, router-advertisement, time-exceeded, parameter-problem }' accept<br />
# nft add rule inet filter input ip protocol igmp accept<br />
<br />
New udp traffic will jump to the UDP chain:<br />
<br />
# nft add rule inet filter input ip protocol udp ct state new jump UDP<br />
<br />
New tcp traffic will jump to the TCP chain:<br />
<br />
# nft add rule inet filter input 'ip protocol tcp tcp flags & (fin|syn|rst|ack) == syn ct state new jump TCP'<br />
<br />
Reject all traffic that was not processed by other rules:<br />
<br />
# nft add rule inet filter input ip protocol udp reject<br />
# nft add rule inet filter input ip protocol tcp reject with tcp reset<br />
# nft add rule inet filter input counter reject with icmp type prot-unreachable<br />
<br />
At this point you should decide what ports you want to open to incoming connections, which are handled by the TCP and UDP chains. For example to open connections for a web server add:<br />
<br />
# nft add rule inet filter TCP tcp dport 80 accept<br />
<br />
To accept HTTPS connections for a webserver on port 443:<br />
<br />
# nft add rule inet filter TCP tcp dport 443 accept<br />
<br />
To accept SSH traffic on port 22:<br />
<br />
# nft add rule inet filter TCP tcp dport 22 accept<br />
<br />
To accept incoming DNS requests:<br />
<br />
# nft add rule inet filter TCP tcp dport 53 accept<br />
# nft add rule inet filter UDP udp dport 53 accept<br />
<br />
Be sure to make your changes permanent when satisfied.<br />
<br />
=== Prevent brute-force attacks ===<br />
<br />
[[Sshguard]] is a program that can detect brute-force attacks and modify firewalls based on IP addresses it temporarily blacklists. See [[Sshguard#nftables]] on how to set up nftables to be used with it.<br />
<br />
== Troubleshooting ==<br />
<br />
=== Working with Docker ===<br />
<br />
Using nftables can interfere with [[Docker]] networking (and probably other container runtimes as well). In particular the drop policy for the {{ic|forward}} chain will block packets originating in docker containers. If you want to keep the {{ic|forward}} rule in your {{ic|inet}} table, you can use the following:<br />
<br />
# [[Install]] {{Pkg|iptables-nft}} to provide an iptables compatible interface for nftables that docker can use.<br />
# Use the following for the {{ic|forward}} chain in your {{ic|inet}} table:<br />
#:{{bc|<nowiki><br />
chain forward {<br />
type filter hook forward priority security; policy drop;<br />
mark 1 accept<br />
}<br />
</nowiki>}}<br />
# Add a rule to the DOCKER-USER chain in the {{ic|ip filter}} table to mark packets if docker is running:<br />
#:{{bc|<nowiki><br />
table ip filter {<br />
chain DOCKER-USER {<br />
mark set 1<br />
}<br />
}<br />
</nowiki>}}<br />
<br />
This works by marking packets if docker is active, and accepting the packets in this case, since docker has already filtered them (the forward chain defined by docker uses a drop policy).<br />
<br />
== See also ==<br />
<br />
* [https://wiki.nftables.org/ netfilter nftables wiki]<br />
* [[debian:nftables]]<br />
* [[gentoo:nftables]]<br />
* [https://lwn.net/Articles/324251/ First release of nftables]<br />
* [https://home.regit.org/netfilter-en/nftables-quick-howto/ nftables quick howto]<br />
* [https://lwn.net/Articles/564095/ The return of nftables]<br />
* [http://developers.redhat.com/blog/2016/10/28/what-comes-after-iptables-its-successor-of-course-nftables/ What comes after ‘iptables’? Its successor, of course: `nftables`]</div>Ender4https://wiki.archlinux.org/index.php?title=Nftables&diff=585200Nftables2019-10-11T06:04:51Z<p>Ender4: Add some commentary and using nftables with docker.</p>
<hr />
<div>{{DISPLAYTITLE:nftables}}<br />
[[Category:Firewalls]]<br />
[[es:Nftables]]<br />
[[ja:Nftables]]<br />
[[zh-hans:Nftables]]<br />
{{Related articles start}}<br />
{{Related|iptables}}<br />
{{Related articles end}}<br />
[http://netfilter.org/projects/nftables/ nftables] is a netfilter project that aims to replace the existing {ip,ip6,arp,eb}tables framework. It provides a new packet filtering framework, a new user-space utility (nft), and a compatibility layer for {ip,ip6}tables. It uses the existing hooks, connection tracking system, user-space queueing component, and logging subsystem of netfilter.<br />
<br />
It consists of three main components: a kernel implementation, the libnl netlink communication and the nftables user-space front-end.<br />
The kernel provides a netlink configuration interface as well as run-time rule-set evaluation; libnl contains the low-level functions for communicating with the kernel; and the nftables front-end is what the user interacts with via nft.<br />
<br />
You can also visit the [https://wiki.nftables.org/wiki-nftables/index.php/Main_Page official nftables wiki page] for more information.<br />
<br />
== Installation ==<br />
<br />
[[Install]] the userspace utilities package {{Pkg|nftables}} or the git version {{AUR|nftables-git}}.<br />
<br />
{{Tip|Most [[iptables#Front-ends|iptables front-ends]] feature no direct or indirect support of nftables, but may introduce it.[https://www.spinics.net/lists/netfilter/msg58215.html] One graphical front-end that supports both, nftables and iptables, is [[firewalld]].[https://firewalld.org/2018/07/nftables-backend]}}<br />
<br />
== Usage ==<br />
<br />
''nftables'' makes a distinction between temporary rules made on the command line and permanent ones loaded from or saved to a file.<br />
The default file is {{ic|/etc/nftables.conf}} which already contains a simple ipv4/ipv6 firewall table named "inet filter".<br />
<br />
To use it [[start/enable]] the {{ic|nftables.service}}.<br />
<br />
You can check the ruleset with<br />
<br />
# nft list ruleset<br />
<br />
{{Note|You may have to create {{ic|/etc/modules-load.d/nftables.conf}} with all of the nftables related modules you require as entries for the systemd service to work correctly. You can get a list of modules using this command: {{bc|$ grep -Eo '^nf\w+' /proc/modules}}<br />
<br />
Otherwise, you could end up with the dreaded {{ic|Error: Could not process rule: No such file or directory}} error.}}<br />
<br />
== Configuration ==<br />
<br />
nftables' user-space utility ''nft'' performs most of the rule-set evaluation before handing rule-sets to the kernel. Rules are stored in chains, which in turn are stored in tables. The following sections indicate how to create and modify these constructs.<br />
<br />
All changes below are temporary. To make changes permanent, save your ruleset to {{ic|/etc/nftables.conf}} which is loaded by {{ic|nftables.service}}:<br />
# nft -s list ruleset > /etc/nftables.conf<br />
<br />
{{Note|{{ic|nft list}} does not output variable definitions, if you have any in {{ic|/etc/nftables.conf}} they will be lost. Any variables used in rules will be replaced by their value.}}<br />
<br />
To read input from a file use the {{ic|-f}} flag:<br />
<br />
# nft -f ''filename''<br />
<br />
Note that any rules already loaded are not automatically flushed.<br />
<br />
See {{man|8|nft}} for a complete list of all commands.<br />
<br />
=== Tables ===<br />
<br />
Tables hold [[#Chains]]. Unlike tables in iptables, there are no built-in tables in nftables. The number of tables and their names is up to the user. However, each table only has one address family and only applies to packets of this family. Tables can have one of five families specified:<br />
<br />
{| class="wikitable"<br />
! nftables family || iptables utility<br />
|-<br />
| ip || iptables<br />
|-<br />
| ip6 || ip6tables<br />
|- <br />
| inet || iptables and ip6tables<br />
|-<br />
| arp || arptables<br />
|-<br />
| bridge || ebtables<br />
|-<br />
|}<br />
<br />
{{ic|ip}} (i.e. IPv4) is the default family and will be used if family is not specified.<br />
<br />
To create one rule that applies to both IPv4 and IPv6, use {{ic|inet}}. {{ic|inet}} allows for the unification of the {{ic|ip}} and {{ic|ip6}} families to make defining rules for both easier.<br />
<br />
See the section {{ic|ADDRESS FAMILIES}} in {{man|8|nft}} for a complete description of address families.<br />
<br />
In all of the following, {{ic|''family''}} is optional, and if not specified is set to {{ic|ip}}.<br />
<br />
==== Create table ====<br />
<br />
The following adds a new table:<br />
<br />
# nft add table ''family'' ''table''<br />
<br />
==== List tables ====<br />
<br />
To list all tables:<br />
<br />
# nft list tables<br />
<br />
==== List chains and rules in a table ====<br />
<br />
To list all chains and rules of a specified table do:<br />
<br />
# nft list table ''family'' ''table''<br />
<br />
For example, to list all the rules of the {{ic|filter}} table of the {{ic|inet}} family:<br />
<br />
# nft list table inet filter<br />
<br />
==== Delete table ====<br />
<br />
To delete a table do:<br />
<br />
# nft delete table ''family'' ''table''<br />
<br />
Tables can only be deleted if there are no chains in them.<br />
<br />
==== Flush table ====<br />
<br />
To flush all rules from a table do:<br />
<br />
# nft flush table ''family'' ''table''<br />
<br />
=== Chains ===<br />
<br />
The purpose of chains is to hold [[#Rules]]. Unlike chains in iptables, there are no built-in chains in nftables. This means that if no chain uses any types or hooks in the netfilter framework, packets that would flow through those chains will not be touched by nftables, unlike iptables.<br />
<br />
Chains have two types. A ''base'' chain is an entry point for packets from the networking stack, where a hook value is specified. A ''regular'' chain may be used as a jump target for better organization.<br />
<br />
In all of the following {{ic|''family''}} is optional, and if not specified is set to {{ic|ip}}.<br />
<br />
==== Create chain ====<br />
<br />
===== Regular chain =====<br />
<br />
The following adds a regular chain named {{ic|''chain''}} to the table named {{ic|''table''}}:<br />
<br />
# nft add chain ''family'' ''table'' ''chain''<br />
<br />
For example, to add a regular chain named {{ic|tcpchain}} to the {{ic|filter}} table of the {{ic|inet}} address family do:<br />
<br />
# nft add chain inet filter tcpchain<br />
<br />
===== Base chain =====<br />
<br />
To add a base chain specify hook and priority values:<br />
<br />
# nft add chain ''family'' ''table'' ''chain'' '{ type ''type'' hook ''hook'' priority ''priority'' ; }'<br />
<br />
{{ic|''type''}} can be {{ic|filter}}, {{ic|route}}, or {{ic|nat}}.<br />
<br />
For IPv4/IPv6/Inet address families {{ic|''hook''}} can be {{ic|prerouting}}, {{ic|input}}, {{ic|forward}}, {{ic|output}}, or {{ic|postrouting}}. See {{man|8|nft}} for a list of hooks for other families.<br />
<br />
{{ic|''priority''}} takes an integer value, which can be negative. Chains with lower numbers are processed first. [https://wiki.nftables.org/wiki-nftables/index.php/Configuring_chains#Base_chain_types]<br />
<br />
For example, to add a base chain that filters input packets:<br />
<br />
# nft add chain inet filter input '{ type filter hook input priority 0; }'<br />
<br />
Replace {{ic|add}} with {{ic|create}} in any of the above to add a new chain but return an error if the chain already exists.<br />
<br />
==== List rules ====<br />
<br />
The following lists all rules of a chain:<br />
<br />
# nft list chain ''family'' ''table'' ''chain''<br />
<br />
For example, the following lists the rules of the chain named {{ic|output}} in the {{ic|inet}} table named {{ic|filter}}:<br />
<br />
# nft list chain inet filter output<br />
<br />
==== Edit a chain ====<br />
<br />
To edit a chain, simply call it by its name and define the rules you want to change.<br />
<br />
# nft chain ''family table chain'' '{ [ type ''type'' hook ''hook'' device ''device'' priority ''priority'' ; policy ''policy'' ; ] }'<br />
<br />
For example, to change the input chain policy of the default table from {{ic|accept}} to {{ic|drop}}:<br />
<br />
# nft chain inet filter input '{ policy drop ; }'<br />
<br />
==== Delete a chain ====<br />
<br />
To delete a chain do:<br />
<br />
# nft delete chain ''family'' ''table'' ''chain''<br />
<br />
The chain must not contain any rules or be a jump target.<br />
<br />
==== Flush rules from a chain ====<br />
<br />
To flush rules from a chain do:<br />
<br />
# nft flush chain ''family'' ''table'' ''chain''<br />
<br />
=== Rules ===<br />
<br />
Rules are either constructed from expressions or statements and are contained within chains.<br />
<br />
==== Add rule ====<br />
<br />
{{Tip|The ''iptables-translate'' utility translates [[iptables]] rules to nftables format.}}<br />
<br />
To add a rule to a chain do:<br />
<br />
# nft add rule ''family'' ''table'' ''chain'' handle ''handle'' ''statement''<br />
<br />
The rule is appended at {{ic|''handle''}}, which is optional. If not specified, the rule is appended to the end of the chain.<br />
<br />
To prepend the rule to the position do:<br />
<br />
# nft insert rule ''family'' ''table'' ''chain'' handle ''handle'' ''statement''<br />
<br />
If {{ic|''handle''}} is not specified, the rule is prepended to the chain.<br />
<br />
===== Expressions =====<br />
<br />
Typically a {{ic|''statement''}} includes some expression to be matched and then a verdict statement. Verdict statements include {{ic|accept}}, {{ic|drop}}, {{ic|queue}}, {{ic|continue}}, {{ic|return}}, {{ic|jump ''chain''}}, and {{ic|goto ''chain''}}. Other statements than verdict statements are possible. See {{man|8|nft}} for more information.<br />
<br />
There are various expressions available in nftables and, for the most part, coincide with their iptables counterparts. The most noticeable difference is that there are no generic or implicit matches. A generic match was one that was always available, such as {{ic|--protocol}} or {{ic|--source}}. Implicit matches were protocol-specific, such as {{ic|--sport}} when a packet was determined to be TCP.<br />
<br />
The following is an incomplete list of the matches available:<br />
<br />
* meta (meta properties, e.g. interfaces)<br />
* icmp (ICMP protocol)<br />
* icmpv6 (ICMPv6 protocol)<br />
* ip (IP protocol)<br />
* ip6 (IPv6 protocol)<br />
* tcp (TCP protocol)<br />
* udp (UDP protocol)<br />
* sctp (SCTP protocol)<br />
* ct (connection tracking)<br />
<br />
The following is an incomplete list of match arguments (for a more complete list, see {{man|8|nft}}):<br />
<br />
{{bc|<nowiki><br />
meta:<br />
oif <output interface INDEX><br />
iif <input interface INDEX><br />
oifname <output interface NAME><br />
iifname <input interface NAME><br />
<br />
(oif and iif accept string arguments and are converted to interface indexes)<br />
(oifname and iifname are more dynamic, but slower because of string matching)<br />
<br />
icmp:<br />
type <icmp type><br />
<br />
icmpv6:<br />
type <icmpv6 type><br />
<br />
ip:<br />
protocol <protocol><br />
daddr <destination address><br />
saddr <source address><br />
<br />
ip6:<br />
daddr <destination address><br />
saddr <source address><br />
<br />
tcp:<br />
dport <destination port><br />
sport <source port><br />
<br />
udp:<br />
dport <destination port><br />
sport <source port><br />
<br />
sctp:<br />
dport <destination port><br />
sport <source port><br />
<br />
ct:<br />
state <new | established | related | invalid><br />
</nowiki>}}<br />
<br />
==== Deletion ====<br />
<br />
Individual rules can only be deleted by their handles. The {{ic|nft --handle list}} command must be used to determine rule handles. Note the {{ic|--handle}} switch, which tells {{ic|nft}} to list handles in its output.<br />
<br />
The following determines the handle for a rule and then deletes it. The {{ic|--numeric}} argument is useful for viewing some numeric output, like unresolved IP addresses.<br />
<br />
{{hc|# nft --handle --numeric list chain inet fltrTable input|2=<nowiki><br />
table inet fltrTable {<br />
chain input {<br />
type filter hook input priority 0;<br />
ip saddr 127.0.0.1 accept # handle 10<br />
}<br />
}<br />
</nowiki>}}<br />
<br />
# nft delete rule inet fltrTable input handle 10<br />
<br />
All the chains in a table can be flushed with the {{ic|nft flush table}} command. Individual chains can be flushed using either the {{ic|nft flush chain}} or {{ic|nft delete rule}} commands.<br />
<br />
# nft flush table foo<br />
# nft flush chain foo bar<br />
# nft delete rule ip6 foo bar<br />
<br />
The first command flushes all of the chains in the ip {{ic|foo}} table. The second flushes the {{ic|bar}} chain in the ip {{ic|foo}} table. The third deletes all of the rules in the {{ic|bar}} chain in the ip6 {{ic|foo}} table.<br />
<br />
=== Atomic reloading ===<br />
<br />
Flush the current ruleset:<br />
<br />
# echo "flush ruleset" > /tmp/nftables <br />
<br />
Dump the current ruleset:<br />
<br />
# nft -s list ruleset >> /tmp/nftables<br />
<br />
Now you can edit /tmp/nftables and apply your changes with:<br />
<br />
# nft -f /tmp/nftables<br />
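
The same procedure as a script, as an added example that is not part of the original page: it stages the dump in a private {{ic|mktemp}} file instead of a fixed path under {{ic|/tmp}}, refuses a file that lacks the leading {{ic|flush ruleset}} (loaded rules are not flushed automatically, so the dump would be added on top of the running rules), and dry-runs the file with {{ic|nft -c}} before loading it. The function names and the {{ic|NFT}} variable are assumptions made for this example.

```shell
#!/bin/sh
# Added example: stage, check and atomically load an nftables ruleset.
# NFT selects the nft binary (assumption of this example; defaults to "nft").
NFT=${NFT:-nft}

# stage_ruleset: write "flush ruleset" followed by the current ruleset to a
# private temporary file (mode 0600, unpredictable name) and print its path.
stage_ruleset() {
    staged=$(mktemp "${TMPDIR:-/tmp}/nftables.XXXXXX") || return 1
    if { echo "flush ruleset"; "$NFT" -s list ruleset; } > "$staged"; then
        printf '%s\n' "$staged"
    else
        rm -f "$staged"
        return 1
    fi
}

# apply_staged FILE: load FILE in one transaction.
# Returns 2 if FILE does not start with "flush ruleset", 1 if the dry run
# fails (the running ruleset is then left untouched), otherwise nft's status.
apply_staged() {
    if [ "$(head -n 1 "$1")" != "flush ruleset" ]; then
        echo "refusing $1: first line is not 'flush ruleset'" >&2
        return 2
    fi
    if ! "$NFT" -c -f "$1"; then
        echo "check failed for $1; running ruleset left untouched" >&2
        return 1
    fi
    "$NFT" -f "$1"
}

# Command-line use: "stage" prints the path of the staged file to edit,
# "apply FILE" checks and loads it. With no arguments nothing is done.
case "${1:-}" in
    stage) stage_ruleset ;;
    apply) apply_staged "${2:?usage: apply FILE}" ;;
esac
```

Run {{ic|stage}} as root, edit the printed file, then run {{ic|apply}} with that path.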
<br />
== Examples ==<br />
<br />
=== Workstation ===<br />
<br />
{{hc|/etc/nftables.conf|2=<nowiki><br />
#!/usr/bin/nft -f<br />
<br />
flush ruleset<br />
<br />
table inet filter {<br />
chain input {<br />
type filter hook input priority 0; policy drop;<br />
<br />
iif lo accept comment "Accept any localhost traffic"<br />
ct state invalid drop comment "Drop invalid connections"<br />
ct state established,related accept comment "Accept traffic originated from us"<br />
<br />
ip6 nexthdr icmpv6 icmpv6 type { destination-unreachable, packet-too-big, time-exceeded, parameter-problem, mld-listener-query, mld-listener-report, mld-listener-reduction, nd-router-solicit, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert, ind-neighbor-solicit, ind-neighbor-advert, mld2-listener-report } accept comment "Accept ICMPv6"<br />
ip protocol icmp icmp type { destination-unreachable, router-solicitation, router-advertisement, time-exceeded, parameter-problem } accept comment "Accept ICMP"<br />
ip protocol igmp accept comment "Accept IGMP"<br />
<br />
udp dport mdns ip6 daddr ff02::fb accept comment "Accept mDNS"<br />
udp dport mdns ip daddr 224.0.0.251 accept comment "Accept mDNS"<br />
<br />
udp sport 1900 udp dport >= 1024 ip6 saddr { fd00::/8, fe80::/10 } meta pkttype unicast limit rate 4/second burst 20 packets accept comment "Accept UPnP IGD port mapping reply"<br />
udp sport 1900 udp dport >= 1024 ip saddr { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, 169.254.0.0/16 } meta pkttype unicast limit rate 4/second burst 20 packets accept comment "Accept UPnP IGD port mapping reply"<br />
<br />
udp sport netbios-ns udp dport >= 1024 meta pkttype unicast ip6 saddr { fd00::/8, fe80::/10 } accept comment "Accept Samba Workgroup browsing replies"<br />
udp sport netbios-ns udp dport >= 1024 meta pkttype unicast ip saddr { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, 169.254.0.0/16 } accept comment "Accept Samba Workgroup browsing replies"<br />
<br />
counter comment "Count any other traffic"<br />
}<br />
<br />
chain forward {<br />
type filter hook forward priority 0; policy drop;<br />
}<br />
<br />
chain output {<br />
type filter hook output priority 0; policy accept;<br />
}<br />
<br />
}<br />
</nowiki>}}<br />
<br />
=== Server ===<br />
<br />
{{hc|/etc/nftables.conf|2=<nowiki><br />
#!/usr/bin/nft -f<br />
<br />
flush ruleset<br />
<br />
table inet filter {<br />
chain input {<br />
type filter hook input priority 0; policy drop;<br />
<br />
iif lo accept comment "Accept any localhost traffic"<br />
ct state invalid drop comment "Drop invalid connections"<br />
ct state established,related accept comment "Accept traffic originated from us"<br />
<br />
ip6 nexthdr icmpv6 icmpv6 type { destination-unreachable, packet-too-big, time-exceeded, parameter-problem, mld-listener-query, mld-listener-report, mld-listener-reduction, nd-router-solicit, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert, ind-neighbor-solicit, ind-neighbor-advert, mld2-listener-report } accept comment "Accept ICMPv6"<br />
ip protocol icmp icmp type { destination-unreachable, router-solicitation, router-advertisement, time-exceeded, parameter-problem } accept comment "Accept ICMP"<br />
ip protocol igmp accept comment "Accept IGMP"<br />
<br />
udp dport mdns ip6 daddr ff02::fb accept comment "Accept mDNS"<br />
udp dport mdns ip daddr 224.0.0.251 accept comment "Accept mDNS"<br />
<br />
tcp dport ssh accept comment "Accept SSH on port 22"<br />
<br />
tcp dport { http, https, 8008, 8080 } accept comment "Accept HTTP (ports 80, 443, 8008, 8080)"<br />
<br />
meta l4proto { tcp, udp } th dport 2049 ip6 saddr { fd00::/8, fe80::/10 } accept comment "Accept NFS"<br />
meta l4proto { tcp, udp } th dport 2049 ip saddr { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, 169.254.0.0/16 } accept comment "Accept NFS"<br />
<br />
udp dport netbios-ns ip6 saddr { fd00::/8, fe80::/10 } accept comment "Accept NetBIOS Name Service (nmbd)"<br />
udp dport netbios-ns ip saddr { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, 169.254.0.0/16 } accept comment "Accept NetBIOS Name Service (nmbd)"<br />
udp dport netbios-dgm ip6 saddr { fd00::/8, fe80::/10 } accept comment "Accept NetBIOS Datagram Service (nmbd)"<br />
udp dport netbios-dgm ip saddr { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, 169.254.0.0/16 } accept comment "Accept NetBIOS Datagram Service (nmbd)"<br />
tcp dport netbios-ssn ip6 saddr { fd00::/8, fe80::/10 } accept comment "Accept NetBIOS Session Service (smbd)"<br />
tcp dport netbios-ssn ip saddr { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, 169.254.0.0/16 } accept comment "Accept NetBIOS Session Service (smbd)"<br />
tcp dport microsoft-ds ip6 saddr { fd00::/8, fe80::/10 } accept comment "Accept Microsoft Directory Service (smbd)"<br />
tcp dport microsoft-ds ip saddr { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, 169.254.0.0/16 } accept comment "Accept Microsoft Directory Service (smbd)"<br />
<br />
udp sport bootpc udp dport bootps ip saddr 0.0.0.0 ip daddr 255.255.255.255 accept comment "Accept DHCPDISCOVER (for DHCP-Proxy)"<br />
udp sport { bootpc, 4011 } udp dport { bootps, 4011 } ip saddr { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, 169.254.0.0/16 } accept comment "Accept PXE"<br />
udp dport tftp ip6 saddr { fd00::/8, fe80::/10 } accept comment "Accept TFTP"<br />
udp dport tftp ip saddr { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, 169.254.0.0/16 } accept comment "Accept TFTP"<br />
<br />
}<br />
<br />
chain forward {<br />
type filter hook forward priority 0; policy drop;<br />
}<br />
<br />
chain output {<br />
type filter hook output priority 0; policy accept;<br />
}<br />
<br />
}<br />
</nowiki>}}<br />
<br />
=== Limit rate ===<br />
<br />
{{bc|1=<nowiki><br />
table inet filter {<br />
chain input {<br />
type filter hook input priority 0; policy drop;<br />
<br />
iif lo accept comment "Accept any localhost traffic"<br />
ct state invalid drop comment "Drop invalid connections"<br />
<br />
ip protocol icmp icmp type echo-request limit rate over 10/second burst 4 packets drop comment "No ping floods"<br />
ip6 nexthdr icmpv6 icmpv6 type echo-request limit rate over 10/second burst 4 packets drop comment "No ping floods"<br />
<br />
ct state established,related accept comment "Accept traffic originated from us"<br />
<br />
ip6 nexthdr icmpv6 icmpv6 type { destination-unreachable, packet-too-big, time-exceeded, parameter-problem, mld-listener-query, mld-listener-report, mld-listener-reduction, nd-router-solicit, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert, ind-neighbor-solicit, ind-neighbor-advert, mld2-listener-report } accept comment "Accept ICMPv6"<br />
ip protocol icmp icmp type { destination-unreachable, router-solicitation, router-advertisement, time-exceeded, parameter-problem } accept comment "Accept ICMP"<br />
ip protocol igmp accept comment "Accept IGMP"<br />
<br />
tcp dport ssh ct state new limit rate 15/minute accept comment "Avoid brute force on SSH"<br />
<br />
}<br />
<br />
}<br />
</nowiki>}}<br />
<br />
=== Jump ===<br />
<br />
When using jumps in a configuration file, it is necessary to define the target chain first. Otherwise one could end up with {{ic|Error: Could not process rule: No such file or directory}}.<br />
<br />
{{bc|1=<nowiki><br />
table inet filter {<br />
chain web {<br />
tcp dport http accept<br />
tcp dport 8080 accept<br />
}<br />
chain input {<br />
type filter hook input priority 0;<br />
ip saddr 10.0.2.0/24 jump web<br />
drop<br />
}<br />
}<br />
</nowiki>}}<br />
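
The ordering rule from the Jump section can be checked before a file is loaded. The following linter is an added example, not part of the original page or of the nftables project; the function names and the second sample ruleset are constructed for illustration. It assumes the whole ruleset is in one file and does not follow {{ic|include}} statements.

```shell
#!/bin/sh
# Added example: report jump/goto rules whose target chain is not defined
# earlier in the same table of an nftables configuration file.

# check_jump_order [FILE...]: reads the files (or stdin), prints one line per
# offending rule and returns 1 if any were found, 0 otherwise.
check_jump_order() {
    awk '
    BEGIN { families = " ip ip6 inet arp bridge netdev " }
    {
        line = $0
        gsub(/"[^"]*"/, "", line)   # ignore quoted strings such as rule comments
        sub(/#.*$/, "", line)       # ignore trailing comments
        n = split(line, tok, /[ \t;{},]+/)
        for (i = 1; i < n; i++) {
            word = tok[i]; arg = tok[i + 1]
            if (arg == "") continue
            if (word == "table") {
                # "table [family] name"; the family defaults to ip
                if (index(families, " " arg " ") && tok[i + 2] != "")
                    table = arg " " tok[i + 2]
                else
                    table = "ip " arg
            } else if (word == "chain") {
                key = table SUBSEP arg
                if (!(key in defined)) defined[key] = NR
            } else if (word == "jump" || word == "goto") {
                key = table SUBSEP arg
                if (!(key in defined)) {
                    uses++
                    use_line[uses] = NR;  use_verb[uses] = word
                    use_name[uses] = arg; use_table[uses] = table
                    use_key[uses] = key
                }
            }
        }
    }
    END {
        for (u = 1; u <= uses; u++) {
            printf "line %d: %s %s (table %s): ", use_line[u], use_verb[u], use_name[u], use_table[u]
            if (use_key[u] in defined)
                printf "chain is defined later, at line %d\n", defined[use_key[u]]
            else
                printf "chain is never defined\n"
        }
        exit (uses > 0)
    }' "$@"
}

# The ruleset from the Jump section: target chain first, then the jump.
sample_good() {
    cat <<'EOF'
table inet filter {
    chain web {
        tcp dport http accept
        tcp dport 8080 accept
    }
    chain input {
        type filter hook input priority 0;
        ip saddr 10.0.2.0/24 jump web
        drop
    }
}
EOF
}

# Constructed counter-example: jump before the definition, plus a goto to a
# chain ("admin", hypothetical) that does not exist at all.
sample_bad() {
    cat <<'EOF'
table inet filter {
    chain input {
        type filter hook input priority 0;
        ip saddr 10.0.2.0/24 jump web
        tcp dport ssh goto admin
        drop
    }
    chain web {
        tcp dport http accept
        tcp dport 8080 accept
    }
}
EOF
}

# Check the files named on the command line, e.g. /etc/nftables.conf.
[ "$#" -eq 0 ] || check_jump_order "$@"
```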
<br />
=== Different rules for different interfaces ===<br />
<br />
If your box has more than one network interface and you would like to use different rules for different interfaces, you may want to use a "dispatching" filter chain and then interface-specific filter chains. For example, assume your box acts as a home router and you want to run a web server accessible over the LAN (interface enp3s0) but not from the public internet (interface enp2s0). You may want to consider a structure like this:<br />
<br />
{{bc|<nowiki><br />
table inet filter {<br />
chain input { # this chain serves as a dispatcher<br />
type filter hook input priority 0;<br />
<br />
iif lo accept # always accept loopback<br />
iifname enp2s0 jump input_enp2s0<br />
iifname enp3s0 jump input_enp3s0<br />
<br />
reject with icmp type port-unreachable # refuse traffic from all other interfaces<br />
}<br />
chain input_enp2s0 { # rules applicable to the public interface<br />
ct state {established,related} accept<br />
ct state invalid drop<br />
udp dport bootpc accept<br />
tcp dport bootpc accept<br />
reject with icmp type port-unreachable # all other traffic<br />
}<br />
chain input_enp3s0 {<br />
ct state {established,related} accept<br />
ct state invalid drop<br />
udp dport bootpc accept<br />
tcp dport bootpc accept<br />
tcp dport http accept<br />
tcp dport https accept<br />
reject with icmp type port-unreachable # all other traffic<br />
}<br />
chain output { # we let everything out<br />
type filter hook output priority 0;<br />
accept<br />
}<br />
}<br />
</nowiki>}}<br />
<br />
Alternatively you could choose only one {{ic|iifname}} statement, such as for the single upstream interface, and put the default rules for all other interfaces in one place, instead of dispatching for each interface.<br />
<br />
=== Masquerading ===<br />
<br />
nftables has a special keyword {{ic|masquerade}} "where the source address is automagically set to the address of the output interface" ([http://wiki.nftables.org/wiki-nftables/index.php/Performing_Network_Address_Translation_%28NAT%29#Masquerading source]). This is particularly useful for situations in which the IP address of the interface is unpredictable or unstable, such as the upstream interface of routers connecting to many ISPs. Without it, the Network Address Translation rules would have to be updated every time the IP address of the interface changed.<br />
<br />
To use it:<br />
<br />
* make sure masquerading is enabled in the kernel (true if you use the default kernel), otherwise during kernel configuration, set {{ic|1=CONFIG_NFT_MASQ=m}}.<br />
* the {{ic|masquerade}} keyword can only be used in chains of type {{ic|nat}}.<br />
* masquerading is a kind of source NAT, so only works in the output path.<br />
<br />
Example for a machine with two interfaces: LAN connected to {{ic|enp3s0}}, and public internet connected to {{ic|enp2s0}}:<br />
<br />
{{bc|<nowiki><br />
table inet nat {<br />
chain prerouting {<br />
type nat hook prerouting priority 0;<br />
}<br />
chain postrouting {<br />
type nat hook postrouting priority 100;<br />
oifname "enp2s0" masquerade<br />
}<br />
}<br />
</nowiki>}}<br />
<br />
== Tips and tricks ==<br />
<br />
=== Simple stateful firewall ===<br />
<br />
See [[Simple stateful firewall]] for more information.<br />
<br />
==== Single machine ====<br />
<br />
Flush the current ruleset:<br />
<br />
# nft flush ruleset<br />
<br />
Add a table:<br />
<br />
# nft add table inet filter<br />
<br />
Add the input, forward, and output base chains. The policy for input and forward will be to drop. The policy for output will be to accept.<br />
<br />
# nft add chain inet filter input '{ type filter hook input priority 0 ; policy drop ; }'<br />
# nft add chain inet filter forward '{ type filter hook forward priority 0 ; policy drop ; }'<br />
# nft add chain inet filter output '{ type filter hook output priority 0 ; policy accept ; }'<br />
<br />
Add two regular chains that will be associated with tcp and udp:<br />
<br />
# nft add chain inet filter TCP<br />
# nft add chain inet filter UDP<br />
<br />
Related and established traffic will be accepted:<br />
<br />
# nft add rule inet filter input ct state related,established accept<br />
<br />
All loopback interface traffic will be accepted:<br />
<br />
# nft add rule inet filter input iif lo accept<br />
<br />
Drop any invalid traffic:<br />
<br />
# nft add rule inet filter input ct state invalid drop<br />
<br />
Accept ICMP and IGMP:<br />
<br />
# nft add rule inet filter input ip6 nexthdr icmpv6 icmpv6 type '{ destination-unreachable, packet-too-big, time-exceeded, parameter-problem, mld-listener-query, mld-listener-report, mld-listener-reduction, nd-router-solicit, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert, ind-neighbor-solicit, ind-neighbor-advert, mld2-listener-report }' accept<br />
# nft add rule inet filter input ip protocol icmp icmp type '{ destination-unreachable, router-solicitation, router-advertisement, time-exceeded, parameter-problem }' accept<br />
# nft add rule inet filter input ip protocol igmp accept<br />
<br />
New udp traffic will jump to the UDP chain:<br />
<br />
# nft add rule inet filter input ip protocol udp ct state new jump UDP<br />
<br />
New tcp traffic will jump to the TCP chain:<br />
<br />
# nft add rule inet filter input 'ip protocol tcp tcp flags & (fin|syn|rst|ack) == syn ct state new jump TCP'<br />
<br />
Reject all traffic that was not processed by other rules:<br />
<br />
# nft add rule inet filter input ip protocol udp reject<br />
# nft add rule inet filter input ip protocol tcp reject with tcp reset<br />
# nft add rule inet filter input counter reject with icmp type prot-unreachable<br />
<br />
At this point you should decide what ports you want to open to incoming connections, which are handled by the TCP and UDP chains. For example to open connections for a web server add:<br />
<br />
# nft add rule inet filter TCP tcp dport 80 accept<br />
<br />
To accept HTTPS connections for a webserver on port 443:<br />
<br />
# nft add rule inet filter TCP tcp dport 443 accept<br />
<br />
To accept SSH traffic on port 22:<br />
<br />
# nft add rule inet filter TCP tcp dport 22 accept<br />
<br />
To accept incoming DNS requests:<br />
<br />
# nft add rule inet filter TCP tcp dport 53 accept<br />
# nft add rule inet filter UDP udp dport 53 accept<br />
<br />
Be sure to make your changes permanent when satisfied.<br />
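<br />
The procedure above depends on the {{ic|input}} and {{ic|forward}} base chains keeping their drop policy. The following check is an added example, not part of the original article: it reads the output of {{ic|nft list ruleset}} and reports filter base chains on those hooks whose policy is not drop. The function names and the sample dump are constructed for illustration.<br />
<br />
```shell
#!/bin/sh
# Added example (not from the article). audit_base_chains and sample_ruleset
# are illustrative names; the dump printed by sample_ruleset is constructed.

# Reads `nft list ruleset` output on stdin. nft prints a base chain as
#   type filter hook input priority filter; policy drop;
# on a single line, which is what this parser relies on.
# Prints one finding per line and returns 1 if there is any finding.
audit_base_chains() {
    awk '
        $1 == "table" && $4 == "{" { family = $2; table = $3; next }
        $1 == "chain" && $3 == "{" { chain = $2; next }
        $1 == "type" && $2 == "filter" && $3 == "hook" && ($4 == "input" || $4 == "forward") {
            hook = $4
            policy = "accept"    # nftables default when no policy is stated
            for (i = 5; i < NF; i++)
                if ($i == "policy") { policy = $(i + 1); sub(/;$/, "", policy) }
            seen[hook] = 1
            if (policy != "drop") {
                printf "%s %s %s: hook %s has policy %s\n", family, table, chain, hook, policy
                bad = 1
            }
        }
        END {
            # An empty ruleset (for example right after a flush) filters nothing.
            if (!seen["input"])   { print "no filter base chain on hook input";   bad = 1 }
            if (!seen["forward"]) { print "no filter base chain on hook forward"; bad = 1 }
            exit (bad ? 1 : 0)
        }
    '
}

# Constructed dump shaped like the single-machine setup above.
# $1 selects the policy of the forward chain (default: drop).
sample_ruleset() {
    cat <<EOF
table inet filter {
    chain input {
        type filter hook input priority filter; policy drop;
        ct state established,related accept
        iif "lo" accept
        ct state invalid drop
    }

    chain forward {
        type filter hook forward priority filter; policy ${1:-drop};
    }

    chain output {
        type filter hook output priority filter; policy accept;
    }

    chain TCP {
        tcp dport 80 accept
    }
}
EOF
}

# Demo on the constructed dump; on a live system run as root:
#   nft list ruleset | audit_base_chains
sample_ruleset accept | audit_base_chains || echo "ruleset does not match the default-drop design"
```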
<br />
=== Prevent brute-force attacks ===<br />
<br />
[[Sshguard]] is a program that can detect brute-force attacks and modify firewalls based on IP addresses it temporarily blacklists. See [[Sshguard#nftables]] on how to set up nftables to be used with it.<br />
<br />
=== Working with Docker ===<br />
<br />
Using nftables can interfere with docker networking (and probably other container runtimes as well). In particular the drop policy for the {{ic|forward}} chain will block packets originating in docker containers. If you want to keep the {{ic|forward}} rule in your {{ic|inet}} table, you can use the following:<br />
<br />
# Install {{Pkg|iptables-nft}} to provide an iptables compatible interface for nftables that docker can use.<br />
# Use the following for the {{ic|forward}} chain in your {{ic|inet}} table:<br />
#:{{bc|<nowiki><br />
chain forward {<br />
type filter hook forward priority security; policy drop<br />
mark 1 accept<br />
}<br />
</nowiki>}}<br />
# Add a rule to the DOCKER-USER chain in the {{ic|ip filter}} table to mark packets if docker is running:<br />
#:{{bc|<nowiki><br />
table ip filter {<br />
chain DOCKER-USER {<br />
mark set 1<br />
}<br />
}<br />
</nowiki>}}<br />
<br />
This works by marking packets if docker is active, and accepting the packets in this case, since docker has already filtered them (the forward chain defined by docker uses a drop policy).<br />
<br />
<br />
== See also ==<br />
<br />
* [https://wiki.nftables.org/ netfilter nftables wiki]<br />
* [[debian:nftables]]<br />
* [[gentoo:nftables]]<br />
* [https://lwn.net/Articles/324251/ First release of nftables]<br />
* [https://home.regit.org/netfilter-en/nftables-quick-howto/ nftables quick howto]<br />
* [https://lwn.net/Articles/564095/ The return of nftables]<br />
* [http://developers.redhat.com/blog/2016/10/28/what-comes-after-iptables-its-successor-of-course-nftables/ What comes after ‘iptables’? Its successor, of course: `nftables`]</div>Ender4https://wiki.archlinux.org/index.php?title=Dotfiles&diff=579073Dotfiles2019-08-07T06:46:37Z<p>Ender4: Add chezmoi to list of tools</p>
<hr />
<div>[[Category:Configuration files]]<br />
[[Category:Configuration management]]<br />
[[ja:ドットファイル]]<br />
[[pt:Dotfiles]]<br />
{{Related articles start}}<br />
{{Related|XDG Base Directory support}}<br />
{{Related|X resources}}<br />
{{Related articles end}}<br />
User-specific application configuration is traditionally stored in so-called [[Wikipedia:dotfile|dotfiles]] (files whose filename starts with a dot). It is common practice to track dotfiles with a [[version control system]] such as [[Git]] to keep track of changes and synchronize dotfiles across various hosts. There are various approaches to managing your dotfiles (e.g. directly tracking dotfiles in the home directory vs. storing them in a subdirectory and symlinking/copying/generating files with a [[shell]] script or [[#Tools|a dedicated tool]]). Apart from explaining how to manage your dotfiles, this article also contains [[#User repositories|a list of dotfile repositories]] from Arch Linux users.<br />
<br />
== Tracking dotfiles directly with Git ==<br />
<br />
The benefit of tracking dotfiles directly with Git is that it only requires [[Git]] and does not involve symlinks. The disadvantage is that [[#Host-specific configuration|host-specific configuration]] generally requires merging changes into multiple [[Git#Branching|branches]].<br />
<br />
The simplest way to achieve this approach is to initialize a [[Git]] repository directly in your home directory and ignore all files by default with a {{man|5|gitignore}} pattern of {{ic|*}}. This method, however, comes with two drawbacks: it can become confusing when you have other Git repositories in your home directory (e.g. if you forget to initialize a repository you suddenly operate on your dotfile repository) and you can no longer easily see which files in the current directory are untracked (because they are ignored).<br />
<br />
An alternative method without these drawbacks is the "bare repository and alias method" popularized by [https://news.ycombinator.com/item?id=11070797 this Hacker News comment], which just takes three commands to set up:<br />
<br />
$ git init --bare ~/.dotfiles<br />
$ alias config='/usr/bin/git --git-dir=$HOME/.dotfiles/ --work-tree=$HOME'<br />
$ config config status.showUntrackedFiles no<br />
<br />
You can then manage your dotfiles with the created [[alias]].<br />
<br />
{{Tip|To avoid accidentally committing confidential information, see [[Git#Filtering confidential information]].}}<br />
<br />
== Host-specific configuration ==<br />
<br />
A common problem with synchronizing dotfiles across various machines is host-specific configuration.<br />
<br />
With [[Git]] this can be solved by maintaining a master branch for all shared configuration, while each individual machine has a machine-specific branch checked out. Host-specific configuration can be committed to the machine-specific branch; when shared configuration is modified in the master branch, the per-machine branches need to be rebased on top of the updated master.<br />
<br />
In configuration scripts like [[Command-line shell#Configuration files|shell configuration files]] conditional logic can be used. For example, [[Bash]] scripts (i.e. {{ic|.bashrc}}) can apply different configuration depending on the machine name (or type, custom variable, etc.):<br />
<br />
if <nowiki>[[ "$(hostname)" == "archlaptop" ]];</nowiki> then<br />
# laptop specific commands here<br />
else<br />
# desktop or server machine commands<br />
fi<br />
<br />
Something similar can also be achieved with [[.Xresources]].[https://jnrowe.github.io/articles/tips/Sharing_Xresources_between_systems.html]<br />
<br />
If you find rebasing Git branches too cumbersome, you may want to use a [[#Tools|tool]] that supports ''file grouping'', or if even greater flexibility is desired, a tool that does ''processing''.<br />
<br />
== Tools ==<br />
<br />
;File grouping<br />
:How configuration files can be grouped into configuration groups (also called profiles or packages).<br />
;Processing<br />
:Some tools process configuration files to allow them to be customized depending on the host.<br />
<br />
{| class="wikitable sortable" style="text-align: center;"<br />
! Name !! Package !! Written in !! File grouping !! Processing<br />
|-<br />
! [https://github.com/kesslern/dot-templater dot-templater]<br />
| {{AUR|dot-templater-git}} || Rust || directory-based || custom syntax<br />
|-<br />
! [https://deadc0de.re/dotdrop/ dotdrop]<br />
| {{AUR|dotdrop}} || Python || configuration file || Jinja2<br />
|-<br />
! [https://github.com/jbernard/dotfiles dotfiles]<br />
| {{AUR|dotfiles}} || Python || {{Grey|[https://github.com/jbernard/dotfiles/pull/24 No]}} || {{Grey|No}}<br />
|-<br />
! [https://github.com/EvanPurkhiser/dots Dots]<br />
| {{AUR|dots-manager}} || Python || directory-based || custom append points<br />
|-<br />
! [https://github.com/twpayne/chezmoi chezmoi]<br />
| {{Pkg|chezmoi}} || Go || directory-based || Go templates<br />
|-<br />
! [https://www.gnu.org/software/stow/ GNU Stow]<br />
| {{Pkg|stow}} || Perl || directory-based[http://brandon.invergo.net/news/2012-05-26-using-gnu-stow-to-manage-your-dotfiles.html] || {{Grey|No}}<br />
|-<br />
! [https://github.com/lra/mackup Mackup]<br />
| {{AUR|mackup}} || Python || automatic per application || {{Grey|No}}<br />
|-<br />
! [https://github.com/darkfeline/mir.qualia mir.qualia]<br />
| {{AUR|mir.qualia}} || Python || {{Grey|No}} || custom blocks<br />
|-<br />
! [https://github.com/thoughtbot/rcm rcm]<br />
| {{AUR|rcm}} || Perl || directory-based (by host or tag) || {{Grey|No}}<br />
|}<br />
<br />
=== Tools wrapping Git ===<br />
<br />
If you are uncomfortable with [[Git]], you may want to use one of these tools, which abstract the version control system away (more or less).<br />
<br />
{| class="wikitable sortable" style="text-align:center;"<br />
! Name !! Package !! Written in !! File grouping !! Processing<br />
|-<br />
! [https://github.com/kobus-v-schoor/dotgit dotgit]<br />
| {{AUR|dotgit}} || Bash || filename-based || {{Grey|No}}<br />
|-<br />
! [https://github.com/andsens/homeshick homeshick]<br />
| {{AUR|homeshick-git}} || Bash || repository-wise || {{Grey|No}}<br />
|-<br />
! [https://github.com/technicalpickles/homesick homesick]<br />
| {{AUR|homesick}} || Ruby || repository-wise || {{Grey|No}}<br />
|-<br />
! [https://github.com/pearl-core/pearl Pearl]<br />
| {{AUR|pearl-git}} || Bash || repository-wise || {{Grey|No}}<br />
|-<br />
! [https://github.com/RichiH/vcsh vcsh]<br />
| {{AUR|vcsh}} || Shell || repository-wise || {{Grey|No}}<br />
|-<br />
! [https://thelocehiliosan.github.io/yadm/ yadm]<sup>(1)</sup><br />
| {{AUR|yadm-git}} || Shell || filename-based<br>(by class, OS, hostname & user) [https://thelocehiliosan.github.io/yadm/docs/alternates] || Jinja2<br>(optional)[https://thelocehiliosan.github.io/yadm/docs/alternates#jinja-templates]<br />
|}<br />
<br />
# Supports encryption of confidential files with [[GPG]].[https://thelocehiliosan.github.io/yadm/docs/encryption]<br />
<br />
== User repositories ==<br />
<br />
{| class="wikitable sortable" style="text-align:center"<br />
! Author || Shell (Shell framework) || WM / DE || Editor || Terminal || Multiplexer || Audio || Monitor || Mail || IRC<br />
|-<br />
! [https://github.com/alfunx/.dotfiles alfunx]<br />
| zsh || awesome || vim || kitty || tmux || ncmpcpp/mpd || htop/lain || thunderbird ||<br />
|-<br />
! [https://gitlab.com/peterzuger/dotfiles peterzuger]<br />
| zsh || i3-gaps || emacs || rxvt-unicode || screen || moc || htop || ||<br />
|-<br />
! [https://gitlab.com/Ambrevar/dotfiles Ambrevar]<br />
| Eshell || EXWM || Emacs || Emacs (Eshell) || Emacs TRAMP + dtach || EMMS || conky/dzen || mu4e || Circe<br />
|-<br />
! [https://github.com/awalGarg/dotfiles awal]<br />
| fish || i3 || vim || st || tmux || || i3status || || The Lounge<br />
|-<br />
! [https://github.com/ayekat/dotfiles ayekat]<br />
| zsh || karuiwm || vim || rxvt-unicode || tmux || ncmpcpp/mpd || karuibar || mutt || irssi<br />
|-<br />
! [https://github.com/bamos/dotfiles bamos]<br />
| zsh || i3/xmonad || vim/emacs || rxvt-unicode || tmux || mpv/cmus || conky/xmobar || mutt || ERC<br />
|-<br />
! [https://github.com/pbrisbin/dotfiles brisbin33]<br />
| [https://github.com/pbrisbin/oh-my-zsh zsh] || [https://github.com/pbrisbin/xmonad-config xmonad] || [https://github.com/pbrisbin/vim-config vim] || rxvt-unicode || screen || || dzen || [https://github.com/pbrisbin/mutt-config mutt] || [https://github.com/pbrisbin/irssi-config irssi]<br />
|-<br />
! [https://gitlab.com/BVollmerhaus/dotfiles BVollmerhaus]<br />
| [https://gitlab.com/BVollmerhaus/dotfiles/tree/master/config/fish-custom fish] || [https://gitlab.com/BVollmerhaus/dotfiles/blob/master/config/i3/config i3-gaps] || [https://gitlab.com/BVollmerhaus/dotfiles/blob/master/config/kak/kakrc kakoune] || rxvt-unicode || || || [https://gitlab.com/BVollmerhaus/dotfiles/blob/master/config/polybar/config polybar] || thunderbird ||<br />
|-<br />
! [https://github.com/cinelli/dotfiles cinelli]<br />
| zsh || dwm || vim || termite-git || || pianobar || htop || mutt-kz || weechat<br />
|-<br />
! [https://github.com/dikiaap/dotfiles dikiaap]<br />
| zsh || i3-gaps || neovim || alacritty || tmux || || i3blocks || ||<br />
|-<br />
! [https://github.com/Earnestly/dotfiles Earnestly]<br />
| zsh || i3/orbment || vim/emacs || termite || tmux || mpd || conky || mutt || weechat<br />
|-<br />
! [https://github.com/ErikBjare/dotfiles ErikBjare]<br />
| zsh || xmonad/xfce4 || vim || terminator || tmux || || xfce4-panel || || weechat<br />
|-<br />
! [https://github.com/falconindy/dotfiles falconindy]<br />
| bash || i3 || vim || rxvt-unicode || || ncmpcpp || conky || mutt ||<br />
|-<br />
! [https://github.com/graysky2/configs/tree/master/dotfiles graysky]<br />
| zsh || xfce4 || vim || terminal || || ncmpcpp || custom || thunderbird ||<br />
|-<br />
! [https://github.com/hugdru/dotfiles hugdru]<br />
| zsh || awesome || neovim || rxvt-unicode || tmux || || || thunderbird || weechat<br />
|-<br />
! [https://github.com/insanum/dotfiles insanum]<br />
| bash || herbstluftwm || vim || evilvte || tmux || || dzen || mutt-kz ||<br />
|-<br />
! [https://bitbucket.org/jasonwryan/shiv/src jasonwryan]<br />
| bash/zsh || dwm || vim || rxvt-unicode || tmux || ncmpcpp || custom || mutt || irssi<br />
|-<br />
! [https://github.com/JDevlieghere/dotfiles/ jdevlieghere]<br />
| zsh || xmonad || vim || terminal || tmux || || htop || mutt || weechat<br />
|-<br />
! [https://github.com/jelly/Dotfiles jelly]<br />
| zsh || i3 || vim || termite || tmux || ncmpcpp || || mutt-kz-git || weechat<br />
|-<br />
! [https://github.com/Jorengarenar/dotfiles Jorengarenar] <br />
| bash || i3 || vim || xterm || || mpv || i3blocks || aerc || weechat<br />
|-<br />
! [https://github.com/maximbaz/dotfiles maximbaz]<br />
| zsh || i3-gaps || neovim || kitty || || || py3status || thunderbird ||<br />
|-<br />
! [https://gitlab.com/mehalter/dotfiles mehalter]<br />
| zsh || i3-gaps || neovim || termite || tmux || gpymusic || i3blocks, gotop || neomutt || weechat<br />
|-<br />
! [https://github.com/meskarune/.dotfiles meskarune]<br />
| bash || herbstluftwm || vim || rxvt-unicode || screen || || conky || || weechat<br />
|-<br />
! [https://github.com/neersighted/dotfiles neersighted]<br />
| zsh || i3 || vim || rxvt-unicode || tmux || ncmpcpp || htop || mutt || irssi<br />
|-<br />
! [https://github.com/oibind/dotfiles oibind]<br />
| fish || awesome || neovim || termite || || || htop-vim || || weechat<br />
|-<br />
! [https://github.com/ok100/configs OK100]<br />
| bash || dwm || vim || rxvt-unicode || || cmus || conky, dzen || mutt || weechat<br />
|-<br />
! [https://github.com/pablox-cl/dotfiles pablox-cl]<br />
| zsh (zplug) || gnome3 || neovim || kitty || || || || ||<br />
|-<br />
! [https://github.com/reisub0/dot reisub0]<br />
| fish || qtile || neovim || kitty || || mpd || conky || ||<br />
|-<br />
! [https://github.com/sistematico/majestic sistematico]<br />
| zsh/fish/bash || [https://github.com/Airblader/i3 i3-gaps] || vim/nano || termite || tmux || ncmpcpp || polybar || mutt || weechat<br />
|-<br />
! [https://git.sitilge.id.lv/sitilge/dotfiles sitilge]<br />
| zsh || awesome ||neovim || termite || || || || thunderbird ||<br />
|-<br />
! [https://github.com/swalladge/dotfiles swalladge]<br />
| zsh/bash || i3 || neovim/vim || termite || tmux || cmus || i3pystatus || mutt ||<br />
|-<br />
! [https://github.com/SyfiMalik/cfg SyfiMalik]<br />
| zsh || i3 || vim || rxvt-unicode || tmux || ncmpcpp/mpd || polybar || mutt || weechat<br />
|-<br />
! [https://github.com/thiagowfx/dotfiles thiagowfx]<br />
| bash || i3 || vim/emacs || tilix || || || i3blocks || ||<br />
|-<br />
! [https://github.com/vodik/dotfiles vodik]<br />
| zsh || xmonad || vim || termite-git || tmux || ncmpcpp || custom || mutt || weechat<br />
|-<br />
! [https://github.com/w0ng/dotfiles w0ng]<br />
| zsh || dwm || vim || rxvt-unicode || tmux || ncmpcpp || custom || mutt || irssi<br />
|-<br />
! [https://github.com/whitelynx/dotfiles whitelynx]<br />
| fish || i3 || neovim || kitty || || || i3pystatus || ||<br />
|-<br />
! [https://github.com/Wintervenom/Configuration Wintervenom]<br />
| bash || herbstluftwm ||vim || rxvt-unicode || screen ||mpd ([https://github.com/Wintervenom/Scripts/tree/master/audio/mpd mpc-utils]) || [https://github.com/Wintervenom/Scripts/blob/master/wm/herbstluftwm/hlwm-dzen2 hlwm-dzen2] || mutt || weechat<br />
|-<br />
! [https://github.com/wolfcore/dotfiles wolfcore] <br />
| bash || dwm || vim || rxvt-unicode || tmux || cmus || custom || || weechat<br />
|-<br />
! [https://github.com/zendeavor zendeavor]<br />
| [https://github.com/zendeavor/config-stuff/tree/sandbag/zsh zsh] || [https://github.com/zendeavor/config-stuff/blob/sandbag/i3/config i3] || [https://github.com/zendeavor/dotvim/tree/sandbag vim] || [https://github.com/zendeavor/config-stuff/blob/sandbag/X11/Xresources#L14 rxvt-unicode] || [https://github.com/zendeavor/config-stuff/tree/sandbag/tmux tmux] || [https://github.com/zendeavor/config-stuff/blob/sandbag/ncmpcpp/config ncmpcpp] || [https://github.com/zendeavor/config-stuff/blob/sandbag/i3/i3status.conf i3status] || || [https://github.com/zendeavor/config-stuff/tree/kiwi/weechat weechat]<br />
|-<br />
<br />
|}<br />
<br />
== See also ==<br />
<br />
* [[gregswiki:DotFiles]]<br />
* [http://wiki.haskell.org/Xmonad/Config_archive XMonad Config Archive]<br />
* [http://dotshare.it dotshare.it]<br />
* [https://dotfiles.github.io/ dotfiles.github.io]<br />
* [https://terminal.sexy/ terminal.sexy] - Terminal color scheme designer</div>Ender4https://wiki.archlinux.org/index.php?title=OpenLDAP&diff=380372OpenLDAP2015-06-29T00:12:28Z<p>Ender4: /* Create initial entry */</p>
<hr />
<div>[[Category:Networking]]<br />
[[ja:openLDAP]]<br />
[[ru:openLDAP]]<br />
[[zh-cn:OpenLDAP]]<br />
{{Related articles start}}<br />
{{Related|LDAP Authentication}}<br />
{{Related|LDAP Hosts}}<br />
{{Related articles end}}<br />
<br />
OpenLDAP is an open-source implementation of the LDAP protocol. An LDAP server basically is a non-relational database which is optimised for accessing, but not writing, data. It is mainly used as an address book (for e.g. email clients) or authentication backend to various services (such as Samba, where it is used to emulate a domain controller, or [[LDAP authentication|Linux system authentication]], where it replaces {{ic|/etc/passwd}}) and basically holds the user data.<br />
<br />
{{note|Commands related to OpenLDAP that begin with {{ic|ldap}} (like {{ic|ldapsearch}}) are client-side utilities, while commands that begin with {{ic|slap}} (like {{ic|slapcat}}) are server-side.}}<br />
<br />
This page is a starting point for a basic OpenLDAP installation and a sanity check.<br />
<br />
{{Tip|Directory services are an enormous topic. Configuration can therefore be complex. If you are totally new to those concepts, [http://www.brennan.id.au/20-Shared_Address_Book_LDAP.html this] is a good introduction that is easy to understand and that will get you started, even if you are new to everything LDAP.}}<br />
<br />
== Installation ==<br />
<br />
OpenLDAP contains both an LDAP server and client. Install it with the package {{Pkg|openldap}}, available in the [[official repositories]].<br />
<br />
== Configuration ==<br />
<br />
=== The server ===<br />
<br />
{{Note|If you already have an OpenLDAP database on your machine, remove it by deleting everything inside {{ic|/var/lib/openldap/openldap-data/}}.}}<br />
<br />
The server configuration file is located at {{ic|/etc/openldap/slapd.conf}}.<br />
<br />
Edit the suffix and rootdn. The suffix typically is your domain name but it does not have to be. It depends on how you use your directory. We will use ''example'' for the domain name, and ''com'' for the tld. The rootdn is your LDAP administrator's name (we will use ''root'' here).<br />
{{bc|<nowiki><br />
suffix "dc=example,dc=com"<br />
rootdn "cn=root,dc=example,dc=com"<br />
</nowiki>}}<br />
<br />
Now we delete the default root password and create a strong one:<br />
# sed -i "/rootpw/ d" /etc/openldap/slapd.conf #find the line with rootpw and delete it<br />
# echo "rootpw $(slappasswd)" >> /etc/openldap/slapd.conf #add a line which includes the hashed password output from slappasswd<br />
<br />
You will likely want to add some typically used [http://www.openldap.org/doc/admin24/schema.html schemas] to the top of {{ic|slapd.conf}}:<br />
 # cp /usr/share/doc/samba/examples/LDAP/samba.schema /etc/openldap/schema<br />
{{bc|<br />
include /etc/openldap/schema/cosine.schema<br />
include /etc/openldap/schema/inetorgperson.schema<br />
include /etc/openldap/schema/nis.schema<br />
include /etc/openldap/schema/samba.schema<br />
}}<br />
<br />
You will likely want to add some typically used [http://www.openldap.org/doc/admin24/tuning.html#Indexes indexes] to the bottom of {{ic|slapd.conf}}:<br />
{{bc|<br />
index uid pres,eq<br />
index mail pres,sub,eq<br />
index cn pres,sub,eq<br />
index sn pres,sub,eq<br />
index dc eq<br />
}}<br />
<br />
Now prepare the database directory. You will need to copy the default config file and set the proper ownership:<br />
# cp /etc/openldap/DB_CONFIG.example /var/lib/openldap/openldap-data/DB_CONFIG<br />
# chown ldap:ldap /var/lib/openldap/openldap-data/DB_CONFIG<br />
<br />
{{Note|With OpenLDAP 2.4 the configuration of {{ic|slapd.conf}} is deprecated. From this version on all configuration settings are stored in {{ic|/etc/openldap/slapd.d/}}.}}<br />
<br />
To store the recent changes in {{ic|slapd.conf}} to the new {{ic|/etc/openldap/slapd.d/}} configuration settings, we have to delete the old configuration files first. Do this every time you change the configuration:<br />
<br />
# rm -rf /etc/openldap/slapd.d/*<br />
<br />
<br />
(If you do not have a database yet, you might need to create one by starting and stopping {{ic|slapd.service}} [[systemd#Using units|using systemd]].)<br />
<br />
Then we generate the new configuration with:<br />
<br />
# slaptest -f /etc/openldap/slapd.conf -F /etc/openldap/slapd.d/<br />
<br />
The above command has to be run every time you change {{ic|slapd.conf}}. Check if everything succeeded. Ignore message "bdb_monitor_db_open: monitoring disabled; configure monitor database to enable". <br />
<br />
Change ownership recursively on the new files and directory in /etc/openldap/slapd.d:<br />
<br />
# chown -R ldap:ldap /etc/openldap/slapd.d<br />
<br />
<br />
{{note|Index the directory after you populate it. You should stop slapd before doing this.<br />
# slapindex<br />
# chown ldap:ldap /var/lib/openldap/openldap-data/*<br />
<br />
or just<br />
<br />
$ sudo -u ldap slapindex<br />
}}<br />
<br />
Finally, start the slapd daemon with {{ic|slapd.service}} using systemd.<br />
<br />
=== The client ===<br />
The client config file is located at {{ic|/etc/openldap/ldap.conf}}. <br />
<br />
It is quite simple: you will only have to alter {{ic|BASE}} to reflect the suffix of the server, and {{ic|URI}} to reflect the address of the server, like:<br />
<br />
{{hc|/etc/openldap/ldap.conf|2=<br />
BASE dc=example,dc=com<br />
URI ldap://localhost<br />
}}<br />
<br />
If you decide to use SSL:<br />
<br />
* The protocol (ldap or ldaps) in the {{ic|URI}} entry has to conform with the slapd configuration <br />
* If you decide to use self-signed certificates, add a {{ic|TLS_REQCERT allow}} line to {{ic|ldap.conf}}<br />
<br />
=== Create initial entry ===<br />
Once your client is configured, you probably want to create the root entry, and an entry for the root role:<br />
<br />
$ ldapadd -x -D 'cn=root,dc=example,dc=com' -W<br />
dn: dc=example,dc=com<br />
objectClass: dcObject<br />
objectClass: organization<br />
dc: example<br />
o: Example<br />
description: Example directory<br />
<br />
dn: cn=root,dc=example,dc=com<br />
objectClass: organizationalRole<br />
cn: root<br />
description: Directory Manager<br />
^D<br />
<br />
The text after the first line is entered on stdin, or could be read from a file either with the -f option or a file redirect.<br />
<br />
=== Test your new OpenLDAP installation ===<br />
<br />
This is easy, just run the command below:<br />
$ ldapsearch -x '(objectclass=*)'<br />
<br />
Or authenticating as the rootdn (replacing {{ic|-x}} by {{ic|-D <user> -W}}), using the example configuration we had above:<br />
$ ldapsearch -D "cn=root,dc=example,dc=com" -W '(objectclass=*)'<br />
<br />
Now you should see some information about your database.<br />
<br />
=== OpenLDAP over TLS ===<br />
{{Note|[http://www.openldap.org/doc/admin24/ upstream documentation] is much more useful/complete than this section}}<br />
<br />
If you access the OpenLDAP server over the network, and especially if you have sensitive data stored on the server, you run the risk of someone sniffing your data, which is sent in clear text. The next part will guide you through setting up an SSL connection between the LDAP server and the client so the data will be sent encrypted.<br />
<br />
In order to use TLS, you must have a certificate. For testing purposes, a ''self-signed'' certificate will suffice. To learn more about certificates, see [[OpenSSL]].<br />
<br />
{{Warning|OpenLDAP cannot use a certificate that has a password associated to it.}}<br />
<br />
==== Create a self-signed certificate ====<br />
To create a ''self-signed'' certificate, type the following:<br />
$ openssl req -new -x509 -nodes -out slapdcert.pem -keyout slapdkey.pem -days 365<br />
<br />
You will be prompted for information about your LDAP server. Much of the information can be left blank. The most important information is the common name. This must be set to the DNS name of your LDAP server. If your LDAP server's IP address resolves to example.org but its server certificate shows a CN of bad.example.org, LDAP clients will reject the certificate and will be unable to negotiate TLS connections (apparently the results are wholly unpredictable).<br />
<br />
Now that the certificate files have been created copy them to {{ic|/etc/openldap/ssl/}} (create this directory if it does not exist) and secure them. <br />
{{ic|slapdcert.pem}} must be world readable because it contains the public key. {{ic|slapdkey.pem}} on the other hand should only be readable for the ldap user for security reasons:<br />
# mv slapdcert.pem slapdkey.pem /etc/openldap/ssl/<br />
# chmod -R 755 /etc/openldap/ssl/<br />
# chmod 400 /etc/openldap/ssl/slapdkey.pem<br />
# chmod 444 /etc/openldap/ssl/slapdcert.pem<br />
# chown ldap /etc/openldap/ssl/slapdkey.pem<br />
<br />
==== Configure slapd for SSL ====<br />
Edit the daemon configuration file ({{ic|/etc/openldap/slapd.conf}}) to tell LDAP where the certificate files reside by adding the following lines:<br />
{{bc|<br />
# Certificate/SSL Section<br />
TLSCipherSuite HIGH:MEDIUM:-SSLv2:-SSLv3<br />
TLSCertificateFile /etc/openldap/ssl/slapdcert.pem<br />
TLSCertificateKeyFile /etc/openldap/ssl/slapdkey.pem<br />
}}<br />
<br />
The TLSCipherSuite specifies a list of OpenSSL ciphers from which slapd will choose when negotiating TLS connections, in decreasing order of preference. In addition to those specific ciphers, you can use any of the wildcards supported by OpenSSL. '''NOTE:''' HIGH, MEDIUM, and +SSLv2 are all wildcards. <br />
<br />
{{Note|To see which ciphers are supported by your local OpenSSL installation, type the following: {{ic|openssl ciphers -v ALL}} }}<br />
<br />
Regenerate the configuration directory:<br />
# rm -rf /etc/openldap/slapd.d/* # erase old config settings<br />
# slaptest -f /etc/openldap/slapd.conf -F /etc/openldap/slapd.d/ # generate new config directory from config file<br />
# chown -R ldap:ldap /etc/openldap/slapd.d # Change ownership recursively to ldap on the config directory<br />
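<br />
The following script is an added example, not part of the original article or of OpenLDAP: it reads the two TLS file directives from {{ic|slapd.conf}} and checks the files against the permissions and the unencrypted-key requirement described above. The function names and the {{ic|ldap}} default for the owner argument are assumptions, and it relies on GNU {{ic|stat}}.<br />
<br />
```shell
#!/bin/sh
# Added example (not from the article). slapd_directive and check_slapd_tls
# are illustrative names. Requires GNU stat(1) from coreutils.

# slapd_directive CONF NAME
# Prints the first value given for directive NAME, skipping comment lines.
# The name is matched case-insensitively and double quotes are stripped.
slapd_directive() {
    awk -v want="$2" '
        $1 ~ /^#/ { next }
        tolower($1) == tolower(want) { v = $2; gsub(/"/, "", v); print v; exit }
    ' "$1"
}

# check_slapd_tls CONF [OWNER]
# OWNER is the user slapd runs as (assumed default: ldap, as in "-u ldap").
# Prints one finding per line; returns 0 if there are none, 1 otherwise.
check_slapd_tls() {
    conf=$1
    owner=${2:-ldap}
    rc=0

    cert=$(slapd_directive "$conf" TLSCertificateFile)
    key=$(slapd_directive "$conf" TLSCertificateKeyFile)
    if [ -z "$cert" ] || [ -z "$key" ]; then
        echo "$conf: TLSCertificateFile or TLSCertificateKeyFile is not set"
        return 1
    fi
    for f in "$cert" "$key"; do
        if [ ! -f "$f" ]; then
            echo "$f: missing or not a regular file"
            rc=1
        fi
    done
    [ "$rc" -eq 0 ] || return 1

    # Private key: no permission bits for group or others (the article uses 400).
    key_mode=$(stat -c '%a' "$key")
    if [ $(( 0$key_mode & 077 )) -ne 0 ]; then
        echo "$key: mode $key_mode gives group or others access to the private key"
        rc=1
    fi
    # Private key: owned by the user slapd runs as, otherwise mode 400 locks slapd out.
    key_owner=$(stat -c '%U' "$key")
    if [ "$key_owner" != "$owner" ]; then
        echo "$key: owned by $key_owner, expected $owner"
        rc=1
    fi
    # slapd cannot use a key that has a password; both PEM encodings of an
    # encrypted key contain the word ENCRYPTED.
    if grep -q 'ENCRYPTED' "$key"; then
        echo "$key: key is passphrase-protected"
        rc=1
    fi

    # Certificate: world-readable, not writable by group or others (article: 444).
    cert_mode=$(stat -c '%a' "$cert")
    if [ $(( 0$cert_mode & 022 )) -ne 0 ]; then
        echo "$cert: mode $cert_mode is writable by group or others"
        rc=1
    fi
    if [ $(( 0$cert_mode & 004 )) -eq 0 ]; then
        echo "$cert: mode $cert_mode is not world-readable"
        rc=1
    fi
    return "$rc"
}

# Usage, as root so that the key can be read:
#   check_slapd_tls /etc/openldap/slapd.conf
```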
<br />
==== Start slapd with SSL ====<br />
You will have to edit {{ic|slapd.service}} to change the protocol slapd listens on.<br />
<br />
First, disable {{ic|slapd.service}} if it is enabled.<br />
<br />
Then, copy the stock service to {{ic|/etc/systemd/system/}}:<br />
# cp /usr/lib/systemd/system/slapd.service /etc/systemd/system/<br />
<br />
Edit it, and change {{ic|ExecStart}} to:<br />
{{hc|/etc/systemd/system/slapd.service|<nowiki><br />
ExecStart=/usr/bin/slapd -u ldap -g ldap -h "ldaps:///"</nowiki>}}<br />
<br />
Localhost connections do not need to use SSL. So, if you want to access the server locally you should change the {{ic|ExecStart}} line to:<br />
ExecStart=/usr/bin/slapd -u ldap -g ldap -h "ldap://127.0.0.1 ldaps:///"<br />
<br />
Then reenable and start it:<br />
# systemctl daemon-reload<br />
# systemctl restart slapd.service<br />
<br />
If {{ic|slapd}} started successfully you can enable it.<br />
<br />
{{Note|If you created a self-signed certificate above, be sure to add {{ic|TLS_REQCERT allow}} to {{ic|/etc/openldap/ldap.conf}} on the client, or it will not be able to connect to the server.}}<br />
<br />
== Next Steps ==<br />
<br />
You now have a basic LDAP installation. The next step is to design your directory. The design is heavily dependent on what you are using it for. If you are new to LDAP, consider starting with a directory design recommended by the specific client services that will use the directory (PAM, [[Postfix]], etc).<br />
<br />
A directory for system authentication is described in the [[LDAP authentication]] article.<br />
<br />
A nice web frontend is [[phpLDAPadmin]].<br />
<br />
== Troubleshooting ==<br />
<br />
=== Client Authentication Checking ===<br />
If you cannot connect to your server, check non-secure authentication with:<br />
<br />
 $ ldapsearch -x -H ldap://ldaservername:389 -D cn=Manager,dc=example,dc=exampledomain<br />
<br />
and TLS-secured authentication with:<br />
<br />
$ ldapsearch -x -H ldaps://ldaservername:636 -D cn=Manager,dc=example,dc=exampledomain<br />
<br />
=== LDAP Server Stops Suddenly ===<br />
<br />
If you notice that slapd seems to start but then stops, try running:<br />
<br />
# chown ldap:ldap /var/lib/openldap/openldap-data/*<br />
<br />
to allow slapd write access to its data directory as the user "ldap".<br />
<br />
== See Also ==<br />
* [http://www.openldap.org/doc/admin24/ Official OpenLDAP Software 2.4 Administrator's Guide]<br />
* [[phpLDAPadmin]] is a web interface tool in the style of phpMyAdmin.<br />
* [[LDAP authentication]]<br />
* {{AUR|apachedirectorystudio}} from the [[Arch User Repository]] is an Eclipse-based LDAP viewer. Works perfectly with OpenLDAP installations.</div>Ender4https://wiki.archlinux.org/index.php?title=OpenLDAP&diff=380371OpenLDAP2015-06-29T00:12:06Z<p>Ender4: </p>
<hr />
<div>[[Category:Networking]]<br />
[[ja:openLDAP]]<br />
[[ru:openLDAP]]<br />
[[zh-cn:OpenLDAP]]<br />
{{Related articles start}}<br />
{{Related|LDAP Authentication}}<br />
{{Related|LDAP Hosts}}<br />
{{Related articles end}}<br />
<br />
OpenLDAP is an open-source implementation of the LDAP protocol. An LDAP server basically is a non-relational database which is optimised for accessing, but not writing, data. It is mainly used as an address book (for e.g. email clients) or authentication backend to various services (such as Samba, where it is used to emulate a domain controller, or [[LDAP authentication|Linux system authentication]], where it replaces {{ic|/etc/passwd}}) and basically holds the user data.<br />
<br />
{{note|Commands related to OpenLDAP that begin with {{ic|ldap}} (like {{ic|ldapsearch}}) are client-side utilities, while commands that begin with {{ic|slap}} (like {{ic|slapcat}}) are server-side.}}<br />
<br />
This page is a starting point for a basic OpenLDAP installation and a sanity check.<br />
<br />
{{Tip|Directory services are an enormous topic. Configuration can therefore be complex. If you are totally new to those concepts, [http://www.brennan.id.au/20-Shared_Address_Book_LDAP.html this] is a good introduction that is easy to understand and that will get you started, even if you are new to everything LDAP.}}<br />
<br />
== Installation ==<br />
<br />
OpenLDAP contains both an LDAP server and client. Install it with the package {{Pkg|openldap}}, available in the [[official repositories]].<br />
<br />
== Configuration ==<br />
<br />
=== The server ===<br />
<br />
{{Note|If you already have an OpenLDAP database on your machine, remove it by deleting everything inside {{ic|/var/lib/openldap/openldap-data/}}.}}<br />
<br />
The server configuration file is located at {{ic|/etc/openldap/slapd.conf}}.<br />
<br />
Edit the suffix and rootdn. The suffix typically is your domain name but it does not have to be. It depends on how you use your directory. We will use ''example'' for the domain name, and ''com'' for the tld. The rootdn is your LDAP administrator's name (we will use ''root'' here).<br />
{{bc|<nowiki><br />
suffix "dc=example,dc=com"<br />
rootdn "cn=root,dc=example,dc=com"<br />
</nowiki>}}<br />
<br />
Now we delete the default root password and create a strong one:<br />
# sed -i "/rootpw/ d" /etc/openldap/slapd.conf #find the line with rootpw and delete it<br />
# echo "rootpw $(slappasswd)" >> /etc/openldap/slapd.conf #add a line which includes the hashed password output from slappasswd<br />
<br />
You will likely want to add some typically used [http://www.openldap.org/doc/admin24/schema.html schemas] to the top of {{ic|slapd.conf}}:<br />
cp /usr/share/doc/samba/examples/LDAP/samba.schema /etc/openldap/schema<br />
{{bc|<br />
include /etc/openldap/schema/cosine.schema<br />
include /etc/openldap/schema/inetorgperson.schema<br />
include /etc/openldap/schema/nis.schema<br />
include /etc/openldap/schema/samba.schema<br />
}}<br />
<br />
You will likely want to add some typically used [http://www.openldap.org/doc/admin24/tuning.html#Indexes indexes] to the bottom of {{ic|slapd.conf}}:<br />
{{bc|<br />
index uid pres,eq<br />
index mail pres,sub,eq<br />
index cn pres,sub,eq<br />
index sn pres,sub,eq<br />
index dc eq<br />
}}<br />
<br />
Now prepare the database directory. You will need to copy the default config file and set the proper ownership:<br />
# cp /etc/openldap/DB_CONFIG.example /var/lib/openldap/openldap-data/DB_CONFIG<br />
# chown ldap:ldap /var/lib/openldap/openldap-data/DB_CONFIG<br />
<br />
{{Note|With OpenLDAP 2.4 the configuration of {{ic|slapd.conf}} is deprecated. From this version on all configuration settings are stored in {{ic|/etc/openldap/slapd.d/}}.}}<br />
<br />
To carry the recent changes in {{ic|slapd.conf}} over to the new {{ic|/etc/openldap/slapd.d/}} configuration settings, first delete the old configuration files. Do this every time you change the configuration:<br />
<br />
# rm -rf /etc/openldap/slapd.d/*<br />
<br />
<br />
(If you do not have a database yet, you might need to create one by starting and stopping {{ic|slapd.service}} [[systemd#Using units|using systemd]].)<br />
<br />
Then we generate the new configuration with:<br />
<br />
# slaptest -f /etc/openldap/slapd.conf -F /etc/openldap/slapd.d/<br />
<br />
The above command has to be run every time you change {{ic|slapd.conf}}. Check if everything succeeded. Ignore message "bdb_monitor_db_open: monitoring disabled; configure monitor database to enable". <br />
<br />
Change ownership recursively on the new files and directory in /etc/openldap/slapd.d:<br />
<br />
# chown -R ldap:ldap /etc/openldap/slapd.d<br />
<br />
<br />
{{note|Index the directory after you populate it. You should stop slapd before doing this.<br />
# slapindex<br />
# chown ldap:ldap /var/lib/openldap/openldap-data/*<br />
<br />
or just<br />
<br />
$ sudo -u ldap slapindex<br />
}}<br />
<br />
Finally, start the slapd daemon with {{ic|slapd.service}} using systemd.<br />
<br />
=== The client ===<br />
The client config file is located at {{ic|/etc/openldap/ldap.conf}}. <br />
<br />
It is quite simple: you will only have to alter {{ic|BASE}} to reflect the suffix of the server, and {{ic|URI}} to reflect the address of the server, like:<br />
<br />
{{hc|/etc/openldap/ldap.conf|2=<br />
BASE dc=example,dc=com<br />
URI ldap://localhost<br />
}}<br />
<br />
If you decide to use SSL:<br />
<br />
* The protocol (ldap or ldaps) in the {{ic|URI}} entry has to conform with the slapd configuration <br />
* If you decide to use self-signed certificates, add a {{ic|TLS_REQCERT allow}} line to {{ic|ldap.conf}}<br />
<br />
=== Create initial entry ===<br />
Once your client is configured, you probably want to create the root entry, and an entry for the root role:<br />
<br />
$ ldapadd -x -D 'cn=root,dc=example,dc=com' -W<br />
dn: dc=example,dc=com<br />
objectClass: dcObject<br />
objectClass: organization<br />
dc: example<br />
o: Example<br />
description: Example directory<br />
<br />
dn: cn=root,dc=example,dc=com<br />
objectClass: organizationalRole<br />
cn: root<br />
description: Directory Manager<br />
^D<br />
<br />
The text after the first line is entered on stdin, or could be read from a file either with the -f option or a file redirect.<br />
<br />
=== Test your new OpenLDAP installation ===<br />
<br />
This is easy, just run the command below:<br />
$ ldapsearch -x '(objectclass=*)'<br />
<br />
Or authenticating as the rootdn (replacing {{ic|-x}} by {{ic|-D <user> -W}}), using the example configuration we had above:<br />
$ ldapsearch -D "cn=root,dc=example,dc=com" -W '(objectclass=*)'<br />
<br />
Now you should see some information about your database.<br />
<br />
=== OpenLDAP over TLS ===<br />
{{Note|[http://www.openldap.org/doc/admin24/ upstream documentation] is much more useful/complete than this section}}<br />
<br />
If you access the OpenLDAP server over the network, and especially if you have sensitive data stored on the server, you run the risk of someone sniffing your data, which is sent in clear text. The next part will guide you through setting up an SSL connection between the LDAP server and the client so that the data is sent encrypted.<br />
<br />
In order to use TLS, you must have a certificate. For testing purposes, a ''self-signed'' certificate will suffice. To learn more about certificates, see [[OpenSSL]].<br />
<br />
{{Warning|OpenLDAP cannot use a certificate that has a password associated to it.}}<br />
<br />
==== Create a self-signed certificate ====<br />
To create a ''self-signed'' certificate, type the following:<br />
$ openssl req -new -x509 -nodes -out slapdcert.pem -keyout slapdkey.pem -days 365<br />
<br />
You will be prompted for information about your LDAP server. Much of the information can be left blank. The most important information is the common name. This must be set to the DNS name of your LDAP server. If your LDAP server's IP address resolves to example.org but its server certificate shows a CN of bad.example.org, LDAP clients will reject the certificate and will be unable to negotiate TLS connections (apparently the results are wholly unpredictable).<br />
<br />
Now that the certificate files have been created copy them to {{ic|/etc/openldap/ssl/}} (create this directory if it does not exist) and secure them. <br />
{{ic|slapdcert.pem}} must be world readable because it contains the public key. {{ic|slapdkey.pem}} on the other hand should only be readable for the ldap user for security reasons:<br />
# mv slapdcert.pem slapdkey.pem /etc/openldap/ssl/<br />
# chmod -R 755 /etc/openldap/ssl/<br />
# chmod 400 /etc/openldap/ssl/slapdkey.pem<br />
# chmod 444 /etc/openldap/ssl/slapdcert.pem<br />
# chown ldap /etc/openldap/ssl/slapdkey.pem<br />
<br />
==== Configure slapd for SSL ====<br />
Edit the daemon configuration file ({{ic|/etc/openldap/slapd.conf}}) to tell LDAP where the certificate files reside by adding the following lines:<br />
{{bc|<br />
# Certificate/SSL Section<br />
TLSCipherSuite HIGH:MEDIUM:-SSLv2:-SSLv3<br />
TLSCertificateFile /etc/openldap/ssl/slapdcert.pem<br />
TLSCertificateKeyFile /etc/openldap/ssl/slapdkey.pem<br />
}}<br />
<br />
The TLSCipherSuite specifies a list of OpenSSL ciphers from which slapd will choose when negotiating TLS connections, in decreasing order of preference. In addition to those specific ciphers, you can use any of the wildcards supported by OpenSSL. '''NOTE:''' HIGH, MEDIUM, and +SSLv2 are all wildcards. <br />
<br />
{{Note|To see which ciphers are supported by your local OpenSSL installation, type the following: {{ic|openssl ciphers -v ALL}} }}<br />
<br />
Regenerate the configuration directory:<br />
# rm -rf /etc/openldap/slapd.d/* # erase old config settings<br />
# slaptest -f /etc/openldap/slapd.conf -F /etc/openldap/slapd.d/ # generate new config directory from config file<br />
# chown -R ldap:ldap /etc/openldap/slapd.d # Change ownership recursively to ldap on the config directory<br />
<br />
==== Start slapd with SSL ====<br />
You will have to edit {{ic|slapd.service}} to change the protocol slapd listens on.<br />
<br />
First, disable {{ic|slapd.service}} if it is enabled.<br />
<br />
Then, copy the stock service to {{ic|/etc/systemd/system/}}:<br />
# cp /usr/lib/systemd/system/slapd.service /etc/systemd/system/<br />
<br />
Edit it, and change {{ic|ExecStart}} to:<br />
{{hc|/etc/systemd/system/slapd.service|<nowiki><br />
ExecStart=/usr/bin/slapd -u ldap -g ldap -h "ldaps:///"</nowiki>}}<br />
<br />
Localhost connections do not need to use SSL. So, if you want to access the server locally you should change the {{ic|ExecStart}} line to:<br />
ExecStart=/usr/bin/slapd -u ldap -g ldap -h "ldap://127.0.0.1 ldaps:///"<br />
<br />
Then reenable and start it:<br />
# systemctl daemon-reload<br />
# systemctl restart slapd.service<br />
<br />
If {{ic|slapd}} started successfully you can enable it.<br />
<br />
{{Note|If you created a self-signed certificate above, be sure to add {{ic|TLS_REQCERT allow}} to {{ic|/etc/openldap/ldap.conf}} on the client, or it will not be able to connect to the server.}}<br />
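<br />
As a check on the settings edited in this section, the following shell script audits a {{ic|slapd.conf}}, a copy of {{ic|slapd.service}} and a client {{ic|ldap.conf}}. It is an added example, not part of the ArchWiki article or of OpenLDAP; the function names are hypothetical and the sample files it writes are constructed.<br />

```shell
#!/bin/sh
# Added example, not ArchWiki or OpenLDAP code. Function names are hypothetical;
# every file written by write_samples is a constructed sample.

# Print the value of the first matching directive (slapd.conf / ldap.conf syntax).
conf_value() {  # $1 = file, $2 = directive name
    awk -v key="$2" 'tolower($1) == tolower(key) {
        $1 = ""; sub(/^[ \t]+/, ""); print; exit }' "$1"
}

# Server side: rootpw hashing, certificate directives, cipher-suite tokens.
audit_slapd_conf() {  # $1 = slapd.conf
    pw=$(conf_value "$1" rootpw)
    case $pw in
        '{CLEARTEXT}'*) echo "rootpw: cleartext, replace with slappasswd output" ;;
        ''|'{'*'}'*)    ;;  # unset, or hashed such as {SSHA}...
        *)              echo "rootpw: cleartext, replace with slappasswd output" ;;
    esac
    for d in TLSCertificateFile TLSCertificateKeyFile; do
        [ -n "$(conf_value "$1" "$d")" ] || echo "$d: missing"
    done
    suite=$(conf_value "$1" TLSCipherSuite)
    [ -n "$suite" ] || echo "TLSCipherSuite: not set"
    old_ifs=$IFS; IFS=:
    for tok in $suite; do
        case $tok in
            -*|!*) ;;  # token removes or excludes ciphers
            *) case ${tok#+} in
                   ALL|LOW|EXP|EXPORT*|NULL|eNULL|aNULL|SSLv2|SSLv3)
                       echo "TLSCipherSuite: '$tok' enables weak or legacy ciphers" ;;
               esac ;;
        esac
    done
    IFS=$old_ifs
}

# Listener URLs passed to slapd -h: plain ldap:// should stay on loopback.
audit_listeners() {  # $1 = unit file with an ExecStart=... -h "urls" line
    urls=$(sed -n 's/^ExecStart=.* -h "\([^"]*\)".*/\1/p' "$1")
    [ -n "$urls" ] || { echo "ExecStart: no -h listener list found"; return; }
    for u in $urls; do
        case $u in
            ldaps://*|ldapi://*) ;;
            ldap://127.0.0.1|ldap://127.0.0.1[:/]*) ;;
            ldap://localhost|ldap://localhost[:/]*|'ldap://[::1]'*) ;;
            ldap://*) echo "listener $u: plain ldap:// is not limited to loopback" ;;
        esac
    done
}

# Client side: allow/never mean the server certificate is not enforced.
audit_client() {  # $1 = ldap.conf
    req=$(conf_value "$1" TLS_REQCERT)
    case $req in
        allow|never) echo "TLS_REQCERT $req: server certificate is not enforced" ;;
    esac
}

write_samples() {  # $1 = directory for constructed sample files
    printf '%s\n' 'rootpw secret' 'TLSCipherSuite HIGH:MEDIUM:+SSLv2' \
        'TLSCertificateFile /etc/openldap/ssl/slapdcert.pem' > "$1/slapd.conf.weak"
    printf '%s\n' 'rootpw {SSHA}CONSTRUCTED-PLACEHOLDER' \
        'TLSCipherSuite HIGH:MEDIUM:-SSLv2:-SSLv3' \
        'TLSCertificateFile /etc/openldap/ssl/slapdcert.pem' \
        'TLSCertificateKeyFile /etc/openldap/ssl/slapdkey.pem' > "$1/slapd.conf.page"
    printf '%s\n' 'ExecStart=/usr/bin/slapd -u ldap -g ldap -h "ldap:/// ldaps:///"' \
        > "$1/slapd.service.weak"
    printf '%s\n' 'ExecStart=/usr/bin/slapd -u ldap -g ldap -h "ldap://127.0.0.1 ldaps:///"' \
        > "$1/slapd.service.page"
    printf '%s\n' 'BASE dc=example,dc=com' 'URI ldaps://ldap.example.com' \
        'TLS_REQCERT allow' > "$1/ldap.conf"
}

# Demo: audit the weak sample, then the values used on this page.
demo_dir=$(mktemp -d)
write_samples "$demo_dir"
for f in weak page; do
    echo "== $f =="
    audit_slapd_conf "$demo_dir/slapd.conf.$f"
    audit_listeners "$demo_dir/slapd.service.$f"
done
audit_client "$demo_dir/ldap.conf"
rm -rf "$demo_dir"
```

The client check flags {{ic|TLS_REQCERT allow}} because with that setting a bad server certificate is ignored and the session proceeds; pointing {{ic|TLS_CACERT}} at a copy of {{ic|slapdcert.pem}} lets the client trust the self-signed certificate without relaxing verification.<br />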
<br />
== Next Steps ==<br />
<br />
You now have a basic LDAP installation. The next step is to design your directory. The design is heavily dependent on what you are using it for. If you are new to LDAP, consider starting with a directory design recommended by the specific client services that will use the directory (PAM, [[Postfix]], etc).<br />
<br />
A directory for system authentication is described in the [[LDAP authentication]] article.<br />
<br />
A nice web frontend is [[phpLDAPadmin]].<br />
<br />
== Troubleshooting ==<br />
<br />
=== Client Authentication Checking ===<br />
If you cannot connect to your server, check non-secure authentication with:<br />
<br />
 $ ldapsearch -x -H ldap://ldaservername:389 -D cn=Manager,dc=example,dc=exampledomain<br />
<br />
and TLS-secured authentication with:<br />
<br />
$ ldapsearch -x -H ldaps://ldaservername:636 -D cn=Manager,dc=example,dc=exampledomain<br />
<br />
=== LDAP Server Stops Suddenly ===<br />
<br />
If you notice that slapd seems to start but then stops, try running:<br />
<br />
# chown ldap:ldap /var/lib/openldap/openldap-data/*<br />
<br />
to allow slapd write access to its data directory as the user "ldap".<br />
<br />
== See Also ==<br />
* [http://www.openldap.org/doc/admin24/ Official OpenLDAP Software 2.4 Administrator's Guide]<br />
* [[phpLDAPadmin]] is a web interface tool in the style of phpMyAdmin.<br />
* [[LDAP authentication]]<br />
* {{AUR|apachedirectorystudio}} from the [[Arch User Repository]] is an Eclipse-based LDAP viewer. Works perfectly with OpenLDAP installations.</div>Ender4https://wiki.archlinux.org/index.php?title=OpenLDAP&diff=380370OpenLDAP2015-06-29T00:03:29Z<p>Ender4: </p>
<hr />
<div>[[Category:Networking]]<br />
[[ja:openLDAP]]<br />
[[ru:openLDAP]]<br />
[[zh-cn:OpenLDAP]]<br />
{{Related articles start}}<br />
{{Related|LDAP Authentication}}<br />
{{Related|LDAP Hosts}}<br />
{{Related articles end}}<br />
<br />
OpenLDAP is an open-source implementation of the LDAP protocol. An LDAP server basically is a non-relational database which is optimised for accessing, but not writing, data. It is mainly used as an address book (for e.g. email clients) or authentication backend to various services (such as Samba, where it is used to emulate a domain controller, or [[LDAP authentication|Linux system authentication]], where it replaces {{ic|/etc/passwd}}) and basically holds the user data.<br />
<br />
{{note|Commands related to OpenLDAP that begin with {{ic|ldap}} (like {{ic|ldapsearch}}) are client-side utilities, while commands that begin with {{ic|slap}} (like {{ic|slapcat}}) are server-side.}}<br />
<br />
This page is a starting point for a basic OpenLDAP installation and a sanity check.<br />
<br />
{{Tip|Directory services are an enormous topic. Configuration can therefore be complex. If you are totally new to those concepts, [http://www.brennan.id.au/20-Shared_Address_Book_LDAP.html this] is a good introduction that is easy to understand and that will get you started, even if you are new to everything LDAP.}}<br />
<br />
== Installation ==<br />
<br />
OpenLDAP contains both an LDAP server and client. Install it with the package {{Pkg|openldap}}, available in the [[official repositories]].<br />
<br />
== Configuration ==<br />
<br />
=== The server ===<br />
<br />
{{Note|If you already have an OpenLDAP database on your machine, remove it by deleting everything inside {{ic|/var/lib/openldap/openldap-data/}}.}}<br />
<br />
The server configuration file is located at {{ic|/etc/openldap/slapd.conf}}.<br />
<br />
Edit the suffix and rootdn. The suffix typically is your domain name but it does not have to be. It depends on how you use your directory. We will use ''example'' for the domain name, and ''com'' for the tld. The rootdn is your LDAP administrator's name (we will use ''root'' here).<br />
{{bc|<nowiki><br />
suffix "dc=example,dc=com"<br />
rootdn "cn=root,dc=example,dc=com"<br />
</nowiki>}}<br />
<br />
Now we delete the default root password and create a strong one:<br />
# sed -i "/rootpw/ d" /etc/openldap/slapd.conf #find the line with rootpw and delete it<br />
# echo "rootpw $(slappasswd)" >> /etc/openldap/slapd.conf #add a line which includes the hashed password output from slappasswd<br />
<br />
You will likely want to add some typically used [http://www.openldap.org/doc/admin24/schema.html schemas] to the top of {{ic|slapd.conf}}:<br />
cp /usr/share/doc/samba/examples/LDAP/samba.schema /etc/openldap/schema<br />
{{bc|<br />
include /etc/openldap/schema/cosine.schema<br />
include /etc/openldap/schema/inetorgperson.schema<br />
include /etc/openldap/schema/nis.schema<br />
include /etc/openldap/schema/samba.schema<br />
}}<br />
<br />
You will likely want to add some typically used [http://www.openldap.org/doc/admin24/tuning.html#Indexes indexes] to the bottom of {{ic|slapd.conf}}:<br />
{{bc|<br />
index uid pres,eq<br />
index mail pres,sub,eq<br />
index cn pres,sub,eq<br />
index sn pres,sub,eq<br />
index dc eq<br />
}}<br />
<br />
Now prepare the database directory. You will need to copy the default config file and set the proper ownership:<br />
# cp /etc/openldap/DB_CONFIG.example /var/lib/openldap/openldap-data/DB_CONFIG<br />
# chown ldap:ldap /var/lib/openldap/openldap-data/DB_CONFIG<br />
<br />
{{Note|With OpenLDAP 2.4 the configuration of {{ic|slapd.conf}} is deprecated. From this version on all configuration settings are stored in {{ic|/etc/openldap/slapd.d/}}.}}<br />
<br />
To carry the recent changes in {{ic|slapd.conf}} over to the new {{ic|/etc/openldap/slapd.d/}} configuration settings, first delete the old configuration files. Do this every time you change the configuration:<br />
<br />
# rm -rf /etc/openldap/slapd.d/*<br />
<br />
<br />
(If you do not have a database yet, you might need to create one by starting and stopping {{ic|slapd.service}} [[systemd#Using units|using systemd]].)<br />
<br />
Then we generate the new configuration with:<br />
<br />
# slaptest -f /etc/openldap/slapd.conf -F /etc/openldap/slapd.d/<br />
<br />
The above command has to be run every time you change {{ic|slapd.conf}}. Check if everything succeeded. Ignore message "bdb_monitor_db_open: monitoring disabled; configure monitor database to enable". <br />
<br />
Change ownership recursively on the new files and directory in /etc/openldap/slapd.d:<br />
<br />
# chown -R ldap:ldap /etc/openldap/slapd.d<br />
<br />
<br />
{{note|Index the directory after you populate it. You should stop slapd before doing this.<br />
# slapindex<br />
# chown ldap:ldap /var/lib/openldap/openldap-data/*<br />
<br />
or just<br />
<br />
$ sudo -u ldap slapindex<br />
}}<br />
<br />
Finally, start the slapd daemon with {{ic|slapd.service}} using systemd.<br />
<br />
=== The client ===<br />
The client config file is located at {{ic|/etc/openldap/ldap.conf}}. <br />
<br />
It is quite simple: you will only have to alter {{ic|BASE}} to reflect the suffix of the server, and {{ic|URI}} to reflect the address of the server, like:<br />
<br />
{{hc|/etc/openldap/ldap.conf|2=<br />
BASE dc=example,dc=com<br />
URI ldap://localhost<br />
}}<br />
<br />
If you decide to use SSL:<br />
<br />
* The protocol (ldap or ldaps) in the {{ic|URI}} entry has to conform with the slapd configuration <br />
* If you decide to use self-signed certificates, add a {{ic|TLS_REQCERT allow}} line to {{ic|ldap.conf}}<br />
<br />
=== Test your new OpenLDAP installation ===<br />
<br />
This is easy, just run the command below:<br />
$ ldapsearch -x '(objectclass=*)'<br />
<br />
Or authenticating as the rootdn (replacing {{ic|-x}} by {{ic|-D <user> -W}}), using the example configuration we had above:<br />
$ ldapsearch -D "cn=root,dc=example,dc=com" -W '(objectclass=*)'<br />
<br />
Now you should see some information about your database.<br />
<br />
=== OpenLDAP over TLS ===<br />
{{Note|[http://www.openldap.org/doc/admin24/ upstream documentation] is much more useful/complete than this section}}<br />
<br />
If you access the OpenLDAP server over the network, and especially if you have sensitive data stored on the server, you run the risk of someone sniffing your data, which is sent in clear text. The next part will guide you through setting up an SSL connection between the LDAP server and the client so that the data is sent encrypted.<br />
<br />
In order to use TLS, you must have a certificate. For testing purposes, a ''self-signed'' certificate will suffice. To learn more about certificates, see [[OpenSSL]].<br />
<br />
{{Warning|OpenLDAP cannot use a certificate that has a password associated to it.}}<br />
<br />
==== Create a self-signed certificate ====<br />
To create a ''self-signed'' certificate, type the following:<br />
$ openssl req -new -x509 -nodes -out slapdcert.pem -keyout slapdkey.pem -days 365<br />
<br />
You will be prompted for information about your LDAP server. Much of the information can be left blank. The most important information is the common name. This must be set to the DNS name of your LDAP server. If your LDAP server's IP address resolves to example.org but its server certificate shows a CN of bad.example.org, LDAP clients will reject the certificate and will be unable to negotiate TLS connections (apparently the results are wholly unpredictable).<br />
<br />
Now that the certificate files have been created copy them to {{ic|/etc/openldap/ssl/}} (create this directory if it does not exist) and secure them. <br />
{{ic|slapdcert.pem}} must be world readable because it contains the public key. {{ic|slapdkey.pem}} on the other hand should only be readable for the ldap user for security reasons:<br />
# mv slapdcert.pem slapdkey.pem /etc/openldap/ssl/<br />
# chmod -R 755 /etc/openldap/ssl/<br />
# chmod 400 /etc/openldap/ssl/slapdkey.pem<br />
# chmod 444 /etc/openldap/ssl/slapdcert.pem<br />
# chown ldap /etc/openldap/ssl/slapdkey.pem<br />
<br />
==== Configure slapd for SSL ====<br />
Edit the daemon configuration file ({{ic|/etc/openldap/slapd.conf}}) to tell LDAP where the certificate files reside by adding the following lines:<br />
{{bc|<br />
# Certificate/SSL Section<br />
TLSCipherSuite HIGH:MEDIUM:-SSLv2:-SSLv3<br />
TLSCertificateFile /etc/openldap/ssl/slapdcert.pem<br />
TLSCertificateKeyFile /etc/openldap/ssl/slapdkey.pem<br />
}}<br />
<br />
The TLSCipherSuite specifies a list of OpenSSL ciphers from which slapd will choose when negotiating TLS connections, in decreasing order of preference. In addition to those specific ciphers, you can use any of the wildcards supported by OpenSSL. '''NOTE:''' HIGH, MEDIUM, and +SSLv2 are all wildcards. <br />
<br />
{{Note|To see which ciphers are supported by your local OpenSSL installation, type the following: {{ic|openssl ciphers -v ALL}} }}<br />
<br />
Regenerate the configuration directory:<br />
# rm -rf /etc/openldap/slapd.d/* # erase old config settings<br />
# slaptest -f /etc/openldap/slapd.conf -F /etc/openldap/slapd.d/ # generate new config directory from config file<br />
# chown -R ldap:ldap /etc/openldap/slapd.d # Change ownership recursively to ldap on the config directory<br />
<br />
==== Start slapd with SSL ====<br />
You will have to edit {{ic|slapd.service}} to change the protocol slapd listens on.<br />
<br />
First, disable {{ic|slapd.service}} if it is enabled.<br />
<br />
Then, copy the stock service to {{ic|/etc/systemd/system/}}:<br />
# cp /usr/lib/systemd/system/slapd.service /etc/systemd/system/<br />
<br />
Edit it, and change {{ic|ExecStart}} to:<br />
{{hc|/etc/systemd/system/slapd.service|<nowiki><br />
ExecStart=/usr/bin/slapd -u ldap -g ldap -h "ldaps:///"</nowiki>}}<br />
<br />
Localhost connections do not need to use SSL. So, if you want to access the server locally you should change the {{ic|ExecStart}} line to:<br />
ExecStart=/usr/bin/slapd -u ldap -g ldap -h "ldap://127.0.0.1 ldaps:///"<br />
<br />
Then reenable and start it:<br />
# systemctl daemon-reload<br />
# systemctl restart slapd.service<br />
<br />
If {{ic|slapd}} started successfully you can enable it.<br />
<br />
{{Note|If you created a self-signed certificate above, be sure to add {{ic|TLS_REQCERT allow}} to {{ic|/etc/openldap/ldap.conf}} on the client, or it will not be able to connect to the server.}}<br />
<br />
== Next Steps ==<br />
<br />
You now have a basic LDAP installation. The next step is to design your directory. The design is heavily dependent on what you are using it for. If you are new to LDAP, consider starting with a directory design recommended by the specific client services that will use the directory (PAM, [[Postfix]], etc).<br />
<br />
A directory for system authentication is described in the [[LDAP authentication]] article.<br />
<br />
A nice web frontend is [[phpLDAPadmin]].<br />
<br />
== Troubleshooting ==<br />
<br />
=== Client Authentication Checking ===<br />
If you cannot connect to your server, check non-secure authentication with:<br />
<br />
 $ ldapsearch -x -H ldap://ldaservername:389 -D cn=Manager,dc=example,dc=exampledomain<br />
<br />
and TLS-secured authentication with:<br />
<br />
$ ldapsearch -x -H ldaps://ldaservername:636 -D cn=Manager,dc=example,dc=exampledomain<br />
<br />
=== LDAP Server Stops Suddenly ===<br />
<br />
If you notice that slapd seems to start but then stops, try running:<br />
<br />
# chown ldap:ldap /var/lib/openldap/openldap-data/*<br />
<br />
to allow slapd write access to its data directory as the user "ldap".<br />
<br />
== See Also ==<br />
* [http://www.openldap.org/doc/admin24/ Official OpenLDAP Software 2.4 Administrator's Guide]<br />
* [[phpLDAPadmin]] is a web interface tool in the style of phpMyAdmin.<br />
* [[LDAP authentication]]<br />
* {{AUR|apachedirectorystudio}} from the [[Arch User Repository]] is an Eclipse-based LDAP viewer. Works perfectly with OpenLDAP installations.</div>Ender4https://wiki.archlinux.org/index.php?title=GNOME/Keyring&diff=202924GNOME/Keyring2012-05-26T19:05:29Z<p>Ender4: /* Unlock at Startup */</p>
<hr />
<div>[[Category:Daemons and system services]]<br />
[[Category:Desktop environments]]<br />
{{i18n|GNOME Keyring}}<br />
<br />
{{stub}}<br />
<br />
The GNOME Keyring stores passwords in an encrypted file that can be accessed by applications.<br />
<br />
== Manage using GUI ==<br />
pacman -S seahorse<br />
It is possible to leave the GNOME keyring password blank. In seahorse, on the Passwords tab, right click on "Passwords: login" and pick "Change password." Enter the old password and leave the new password empty. You will be warned about using unencrypted storage; continue by pushing "Use Unsafe Storage."<br />
<br />
== Use Without Gnome ==<br />
It is possible to use GNOME Keyring without the rest of the gnome desktop. This can be accomplished by adding to your .xinitrc:<br />
# Start a dbus-session<br />
source /etc/X11/xinit/xinitrc.d/30-dbus<br />
# Start Gnome-Keyring<br />
eval $(/usr/bin/gnome-keyring-daemon --start --components=gpg,pkcs11,secrets,ssh)<br />
# You probably need to do this too:<br />
export SSH_AUTH_SOCK<br />
export GPG_AGENT_INFO<br />
export GNOME_KEYRING_CONTROL<br />
export GNOME_KEYRING_PID<br />
See [https://bugs.archlinux.org/task/13986 Bug #13986] for more info.<br />
<br />
== SSH Keys ==<br />
To add your SSH key:<br />
<br />
$ ssh-add ~/.ssh/id_dsa<br />
Enter passphrase for /home/mith/.ssh/id_dsa:<br />
<br />
To list automatically loaded keys:<br />
<br />
$ ssh-add -L<br />
<br />
To disable all keys:<br />
<br />
$ ssh-add -D<br />
<br />
Now when you connect to a server, the key will be found and a dialog will popup asking you for the passphrase. It has an option to automatically unlock the key when you login. If you check this you will not need to enter your passphrase again!<br />
<br />
== The gnome-keyring dialog does not appear in some terminals when connecting with SSH ==<br />
Solution:<br />
<br />
Add the following lines to your {{ic|~/.bashrc}}:<br />
<br />
SSH_AUTH_SOCK=`netstat -xl | grep -o "$HOME"'/.cache/keyring-.*/ssh$'`<br />
[ -z "$SSH_AUTH_SOCK" ] || export SSH_AUTH_SOCK<br />
<br />
If you then run the following in your terminal:<br />
<br />
 echo $SSH_AUTH_SOCK<br />
<br />
it will return something like the following:<br />
<br />
 /home/USER/.cache/keyring-ABCDEF/ssh<br />
<br />
Now when you connect with ssh, the gnome-keyring dialog will prompt for the passphrase.<br />
<br />
== Unlock at Startup ==<br />
GNOME's login manager (gdm) will automatically unlock the keyring once you login, for others it is not so easy.<br />
<br />
For SLiM, see [[SLiM#SLiM_and_Gnome_Keyring]]. This method works for KDM as well, but you need to edit /etc/pam.d/kde instead of /etc/pam.d/slim.<br />
<br />
If you are using automatic login, then you can disable the keyring manager by setting a blank password on the login keyring. '''Note''': your passwords will be stored unencrypted if you do this.<br />
<br />
== Useful Tools ==<br />
=== gnome-keyring-query ===<br />
{{ic|gnome-keyring-query}} from the AUR provides a simple command-line-tool for querying passwords from the password store of the Gnome Keyring.</div>Ender4