Difference between pages "Package:Nftables" and "Package:AMD Catalyst Video Drivers"

 
 
Line 1: Line 1:
 
{{Ebuild
 
{{Ebuild
|Summary=Linux kernel (3.13+) firewall, NAT and packet mangling tools
+
|Summary=Accelerated ATI/AMD binary drivers for Radeon HD 5000 and newer chipsets.
|CatPkg=net-firewall/nftables
+
|CatPkg=x11-drivers/ati-drivers
|Repository=Gentoo Portage Tree
+
|Maintainer=Drobbins
 +
|Homepage=
 +
|Repository=Funtoo Overlay
 +
|Overlay=Funtoo
 
}}
 
}}
=== What is nftables? ===
 
'''nftables''' is the successor to [[iptables]]. It replaces the existing iptables, ip6tables, arptables and ebtables framework. It uses the Linux kernel and a new userspace utility called nft. nftables provides a compatibility layer for the ip(6)tables and framework.
 
  
==Introduction==
+
{{Important|Version 14.12-r3 and above now include ATI GLESv2 and EGL libraries, which should improve stabilty with GNOME.}}
As with the iptables framework, nftables is build upon rules which specify the actions. These rules are attached to chains. A chain can contain a collection of rules and is registered into the netfilter hooks. Chains are stored inside tables. A table is specific for one of the layer 3 protocols. One of the main differences with iptables is that there are no predefined tables and chains anymore.
+
  
===Tables===
+
<tt>x11-drivers/ati-drivers</tt> (often referred to as "<tt>fglrx</tt>", the name of its kernel module) is the proprietary, accelerated driver for AMD (ATI) graphics cards.  
A table is nothing more than a container for your chains. With nftables there are no predefined tables (filter, raw, mangle...) anymore. You are free to recreate the iptables-like structure, but anything might do.
+
Currently there are 5 different families of tables:
+
* '''ip''': Used for IPv4 related chains;
+
* '''ip6''': Used for IPv6 related chains;
+
* '''arp''': Used for ARP related chains;
+
* '''bridge''': Used for bridging related chains;
+
* '''inet''': Mixed ipv4/ipv6 chains (kernel 3.14 and up).
+
  
It is not hard to recognize the old tables framework in these tables. The only new one is the inet table which is used for both IPv4 and IPv6 traffic. It should make firewalling for dual-stack hosts easier by combining the rules for IPv4 and IPv6.
+
=== Preparing to Install ===
  
===Chains===
+
==== Default Kernel ====
Chains are used to group together rules. As with the tables, nftables does not have any predefined chains. Chains are grouped in base and non-base types. Base chains are registered in one of the netfilter hooks. A base chain has a hook its registered with, a type and a priority.  Non-base chains are not attached to a hook and they don't see any traffic by default. They can be used to arrange a rule-set in a tree of chains.
+
There are currently three types of chains:
+
* '''filter''': for filtering packets
+
* '''route''': for rerouting packets
+
* '''nat''': for performing Network Address Translation. Only the first packet of a flow hits this chain, making it impossible to use it for filtering.
+
The hooks that can be used are:
+
* '''prerouting''': This is before the routing decision, all packets entering the machine hits this chain
+
* '''input''': All packets for the local system hits this hook
+
* '''forward''': Packets not for the local system, those that need to be forwarded hits this hook
+
* '''output''': Packets that originate from the local system pass this hook
+
* '''postrouting''': This hook is after the routing decision, all packets leaving the machine hits this chain
+
{{Note|The ARP address family only supports the input and output hook}}
+
{{Note|The bridge address family only seems to supports the input, forward and output hook}}
+
  
====Priorities====
+
If you are using the default kernel -- one like debian-sources that was built automatically, then you'll want to blacklist a few modules to prevent them from loading and interfering with the AMD Catalyst module. To avoid having the open source Radeon drivers automatically load and ruin your day, create a blacklist file as follows:
{{Note| Note: Priorities do not currently appear to have any effect on which chain sees packets first.}}
+
{{Note|Note: Since the priority seems to be an unsigned integer, negative priorities will be converted into very high priorities.}}
+
  
===Rules===
+
{{file|name=/etc/modprobe.d/radeon.conf|desc=Prevent open source DRM and radeon drivers from loading|body=
Rules specify which action has to be taken for which packets. Rules are attached to chains. Each rule can has an expression to match packets with and one or multiple actions when matching. Main differences with iptables is that it is possible to specify multiple actions and that by default counters are off. It must be specified explicitly in rules if you want packet- and byte-counters for a rule.
+
blacklist radeon
Each rule has a unique handle number by which it can be distinguished.
+
blacklist drm
The following matches are available:
+
}}
* '''ip''': IP protocol
+
* '''ip6''': IPv6 protocol
+
* '''tcp''': TCP protocol
+
* '''udp''': UDP protocol
+
* '''udplite''': UDP-lite protocol
+
* '''sctp''': SCTP protocol
+
* '''dccp''': DCCP protocol
+
* '''ah''': Authentication headers
+
* '''esp''': Encrypted security payload headers
+
* '''ipcomp''': IPcomp headers
+
* '''icmp''': icmp protocol
+
* '''icmpv6''': icmpv6 protocol
+
* '''ct''': Connection tracking
+
* '''meta''': meta properties such as interfaces
+
  
====Matches====
+
==== Custom Kernel ====
{|class=wikitable
+
| Match
+
| Arguments
+
| Description/Example
+
|-
+
| rowspan="11" | '''ip'''
+
| version
+
| Ip Header version
+
|-
+
| hdrlength
+
| IP header length
+
|-
+
| tos
+
|Type of Service
+
|-
+
| length
+
| Total packet length
+
|-
+
| id
+
| IP ID
+
|-
+
| frag-off
+
| Fragmentation offset
+
|-
+
| ttl
+
| Time to live
+
|-
+
| protocol
+
| Upper layer protocol
+
|-
+
| checksum
+
| IP header checksum
+
|-
+
| saddr
+
| Source address
+
|-
+
| daddr
+
| Destination address
+
|-
+
| rowspan="8" | '''ip6'''
+
| version
+
| IP header version
+
|-
+
| priority
+
|
+
|-
+
| flowlabel
+
| Flow label
+
|-
+
| length
+
| Payload length
+
|-
+
| nexthdr
+
| Next header type (Upper layer protocol number)
+
|-
+
| hoplimit
+
| Hop limit
+
|-
+
|saddr
+
| Source Address
+
|-
+
|daddr
+
| Destination Address
+
|-
+
| rowspan="9" | '''tcp'''
+
| sport
+
| Source port
+
|-
+
| dport
+
| Destination port
+
|-
+
| sequence
+
| Sequence number
+
|-
+
| ackseq
+
| Acknowledgement number
+
|-
+
| doff
+
| Data offset
+
|-
+
| flags
+
| TCP flags
+
|-
+
| window
+
| Window
+
|-
+
| checksum
+
| Checksum
+
|-
+
| urgptr
+
| Urgent pointer
+
|-
+
| rowspan="4" | '''udp'''
+
| sport
+
| Source port
+
|-
+
| dport
+
| destination port
+
|-
+
| length
+
| Total packet length
+
|-
+
| checksum
+
| Checksum
+
|-
+
| rowspan="4" | '''udplite'''
+
| sport
+
| Source port
+
|-
+
| dport
+
| destination port
+
|-
+
| cscov
+
| Checksum coverage
+
|-
+
| checksum
+
| Checksum
+
|-
+
| rowspan="4" |'''sctp'''
+
| sport
+
| Source port
+
|-
+
| dport
+
| destination port
+
|-
+
|vtag
+
|Verification tag
+
|-
+
| checksum
+
| Checksum
+
|-
+
| rowspan="2" |'''dccp'''
+
| sport
+
| Source port
+
|-
+
| dport
+
| destination port
+
|-
+
| rowspan="4" |'''ah'''
+
| nexthdr
+
| Next header protocol (Upper layer protocol)
+
|-
+
| hdrlength
+
| AH header length
+
|-
+
| spi
+
| Security Parameter Index
+
|-
+
| sequence
+
| Sequence Number
+
|-
+
| rowspan="2" | '''esp'''
+
| spi
+
| Security Parameter Index
+
|-
+
| sequence
+
| Sequence Number
+
|-
+
| rowspan="3" | '''ipcomp'''
+
| nexthdr
+
| Next header protocol (Upper layer protocol)
+
|-
+
| flags
+
| Flags
+
|-
+
| cfi
+
| Compression Parameter Index
+
|-
+
| '''icmp'''
+
| type
+
| icmp packet type
+
|-
+
| '''icmpv6'''
+
| type
+
| icmpv6 packet type
+
|-
+
|rowspan="12"|'''ct'''
+
|state
+
|State of the connection
+
|-
+
|direction
+
|Direction of the packet relative to the connection
+
|-
+
|status
+
|Status of the connection
+
|-
+
|mark
+
|Connection mark
+
|-
+
|expiration
+
|Connection expiration time
+
|-
+
|helper
+
|Helper associated with the connection
+
|-
+
|l3proto
+
|Layer 3 protocol of the connection
+
|-
+
|saddr
+
|Source address of the connection for the given direction
+
|-
+
|daddr
+
|Destination address of the connection for the given direction
+
|-
+
|protocol
+
|Layer 4 protocol of the connection for the given direction
+
|-
+
|proto-src
+
|Layer 4 protocol source for the given direction
+
|-
+
|proto-dst
+
|Layer 4 protocol destination for the given direction
+
|-
+
| rowspan="13" | '''meta'''
+
| length
+
| Length of the packet in bytes: ''meta length > 1000''
+
|-
+
| protocol
+
| ethertype protocol: ''meta protocol vlan''
+
|-
+
| priority
+
| TC packet priority
+
|-
+
| mark
+
| Packet mark
+
|-
+
| iif
+
| Input interface index
+
|-
+
| iifname
+
| Input interface name
+
|-
+
| iiftype
+
| Input interface type
+
|-
+
| oif
+
| Output interface index
+
|-
+
| oifname
+
| Output interface name
+
|-
+
| oiftype
+
| Output interface hardware type
+
|-
+
| skuid
+
| UID associated with originating socket
+
|-
+
| skgid
+
| GID associated with originating socket
+
|-
+
| rtclassid
+
| Routing realm
+
|-
+
|}
+
====Statements====
+
Statements represent the action to be performed when the rule matches. They exist in two kinds: Terminal statements, unconditionally terminate the evaluation of the current rules and non-terminal statements that either conditionally or never terminate the current rules. There can be an arbitrary amount of non-terminal statements, but there must be only a single terminal statement.
+
The terminal statements can be:
+
* '''accept''': Accept the packet and stop the ruleset evaluation.
+
* '''drop''': Drop the packet and stop the ruleset evaluation.
+
* '''reject''': Reject the packet with an icmp message
+
* '''queue''': Queue the packet to userspace and stop the ruleset evaluation.
+
* '''continue''':
+
* '''return''': Return from the current chain and continue at the next rule of the last chain. In a base chain it is equivalent to accept
+
* '''jump <chain>''': Continue at the first rule of <chain>. It will continue at the next rule after a return statement is issued
+
* '''goto <chain>''': Similar to jump, but after the new chain the evaluation will continue at the last chain instead of the one containing the goto statement
+
  
== Installing nftables ==
+
If you are building a custom kernel, rather than blacklisting modules as above, you can simply ensure that the Direct Rendering Manager and in-kernel Radeon drivers are not enabled. If you do build them as modules, you will need to blacklist them as above. Also ensure that the following kernel options are enabled.
=== Kernel ===
+
These kernel options must be set:
+
  
[*] Networking support --->
+
{{kernelop|desc=
    Networking options --->
+
[*] Enable loadable module support
        [*] Network packet filtering framework (Netfilter)  --->
+
Processor type and features --->
            Core Netfilter Configuration  --->
+
      [*] MTRR (Memory Type Range Register) support
                <M> Netfilter nf_tables support
+
Bus options (PCI etc.) --->
                <M>  Netfilter nf_tables IPv6 exthdr module
+
      [*] PCI Express Port Bus Support
                <M>  Netfilter nf_tables meta module
+
      [*] Message Signaled Interrupts (MSI and MSI-X)
                <M>  Netfilter nf_tables conntrack module
+
Device Drivers --->
                <M>  Netfilter nf_tables rbtree set module
+
      Graphics support --->
                <M>  Netfilter nf_tables hash set module
+
            < > Direct Rendering Manager (xFree86 4.1.0 and higher DRI support) --->
                <M>  Netfilter nf_tables counter module
+
}}
                <M>  Netfilter nf_tables log module
+
                <M>  Netfilter nf_tables limit module
+
                <M>  Netfilter nf_tables nat module
+
                <M>  Netfilter x_tables over nf_tables module
+
            IP: Netfilter Configuration  --->
+
                <M> IPv4 nf_tables support
+
                <M>  nf_tables IPv4 reject support
+
                <M>  IPv4 nf_tables route chain support
+
                <M>  IPv4 nf_tables nat chain support
+
            IPv6: Netfilter Configuration  --->
+
                <M> IPv6 nf_tables support
+
                <M>  IPv6 nf_tables route chain support
+
                <M>  IPv6 nf_tables nat chain support
+
            <M>  Ethernet Bridge nf_tables support
+
  
=== Emerging ===
+
{{note|If you need support for AGP cards, enable the following kernel options:}}
To install nftables, run the following command:
+
{{kernelop|desc=
<console>
+
Device Drivers --->
###i## emerge net-firewall/nftables
+
      Graphics support --->
</console>
+
            <*> /dev/agpgart (AGP Support) --->
 +
                  Select an appropriate AGP driver:
 +
                  <*> AMD Opteron/Athlon64 on-CPU GART support
 +
}}
  
 +
=== Editing make.conf ===
  
== OpenRC configuration ==
+
Add the following to your <code>/etc/make.conf</code>:
Don't forget to add nftables service to startup:
+
 
<console>
 
<console>
###i## rc-update add nftables default
+
# ##i##nano /etc/make.conf
 +
VIDEO_CARDS="fglrx"
 
</console>
 
</console>
  
You cannot use iptables and nft to perform NAT at the same time. So make sure that the iptable_nat module is unloaded. Remove iptables_nat module:
+
=== Enabling AMD Catalyst Control Center ===
<console>
+
###i## rmmod iptable_nat
+
</console>
+
  
Start nftables:
+
Then, add the following to <code>/etc/portage/package.use</code> if you would like to enable support for AMD Catalyst Control Center:
 
<console>
 
<console>
###i## /etc/init.d/nftables start
+
###i## nano /etc/portage/package.use
 +
x11-drivers/ati-drivers qt4
 
</console>
 
</console>
  
 +
{{Note|If you are using a desktop or workstation profile, this USE flag will be enabled by default.}}
  
== Using nftables ==
+
=== Emerging the package ===
All nftable commands are done with the nft ultility from {{Package|net-firewall/nftables}}.
+
===Tables===
+
====Creating tables====
+
The following command adds a table called filter for the ip(v4) layer
+
<console>
+
###i## nft add table ip filter
+
</console>
+
Likewise a table for arp can be created with
+
<console>
+
###i## nft add table arp filter
+
</console>
+
{{Note|The name "filter" used here is completly arbitrary. It could have any name}}
+
====Listing tables====
+
The following command lists all tables for the ip(v4) layer
+
<console>
+
###i## nft list tables ip
+
</console>
+
<pre>
+
table filter
+
</pre>
+
The contents of the table filter can be listed with:
+
<console>
+
###i## nft list table ip filter
+
</console>
+
<pre>
+
table ip filter {
+
        chain input {
+
                type filter hook input priority 0;
+
                ct state established,related accept
+
                iifname "lo" accept
+
                ip protocol icmp accept
+
                drop
+
        }
+
}
+
</pre>
+
using -a with the nft command, it shows the handle of each rule. Handles are used for various operations on specific rules:
+
<console>
+
###i## nft -a list table ip filter
+
</console>
+
<pre>
+
table ip filter {
+
        chain input {
+
                type filter hook input priority 0;
+
                ct state established,related accept # handle 2
+
                iifname "lo" accept # handle 3
+
                ip protocol icmp accept # handle 4
+
                drop # handle 5
+
        }
+
}
+
</pre>
+
  
====Deleting tables====
+
If you allready have emerged xorg-server, all you need to install the drivers is running the following command:
The following command deletes the table called filter for the ip(v4) layer:
+
<console>
+
###i## nft delete table ip filter
+
</console>
+
===chains===
+
====Adding chains====
+
The following command adds a chain called input to the ip filter table and registered to the input hook with priority 0. It is of the type filter.
+
 
<console>
 
<console>
###i## nft add chain ip filter input { type filter hook input priority 0 \; }
+
###i## emerge -av --changed-use --deep @world
 
</console>
 
</console>
{{Note|If You're running this command from Bash you need to escape the semicolon}}
 
A non-base chain can be added by not specifying the chain configurations between the curly braces.
 
  
====Removing chains====
+
otherwise you may install the drivers with
The following command deletes the chain called input
+
 
<console>
 
<console>
###i## nft delete chain ip filter input
+
###i## emerge -av x11-drivers/ati-drivers
</console>
+
{{Note|Chains can only be deleted if there are no rules in them.}}
+
===rules===
+
====Adding rules====
+
The following command adds a rule to the chain called input, on the ip filter table, dropping all traffic to port 80:
+
<console>
+
###i## nft add rule ip filter input tcp dport 80 drop
+
</console>
+
====Deleting Rules====
+
To delete a rule, you first need to get the handle number of the rule. This can be done by using the -a flag on nft:
+
<console>
+
###i## nft  rule ip filter input tcp dport 80 drop
+
</console>
+
<pre>
+
table ip filter {
+
        chain input {
+
                type filter hook input priority 0;
+
                tcp dport http drop # handle 2
+
        }
+
}
+
</pre>
+
It is then possible to delete the rule with:
+
<console>
+
###i## nft delete rule ip filter input handle 2
+
</console>
+
== Management ==
+
=== Backup ===
+
You can also backup your rules:
+
<console>
+
###i## echo "nft flush ruleset" > backup.nft
+
 
</console>
 
</console>
  
<console>
+
Before using the driver, ensure that the "fglrx" module has been loaded -- run {{c|modprobe fglrx}} as root  -- it should return with no error. If the module can't be found, run {{c|depmod -a}} as root -- then the modprobe command should work. If you are switching from the open source Radeon driver, then shutting down your desktop and rebooting your system (be sure to disable xdm) may be required to get the new "fglrx" module to load cleanly.
###i## nft list ruleset >> backup.nft
+
 
</console>
+
=== Configuring ===
 +
 
 +
Next, set ati-drivers to manage the system's OpenGL and OpenCL implementations.  
 +
Doing this is particulary important for desktop environments like GNOME, which use hardware acceleration by default. Not doing this will result in the GNOME display manager not being able to start!
  
=== Restoration ===
 
And load it atomically:
 
 
<console>
 
<console>
###i## nft -f backup.nft
+
###i## eselect opengl set ati
 +
###i## eselect opencl set amd
 
</console>
 
</console>
  
== OpenRC configuration ==
+
Afterwards, run <code>aticonfig</code> to modify the X-server configuration file to work with the ati-drivers:  
 
+
Don't forget to add nftables service to startup:
+
 
<console>
 
<console>
###i## rc-update add nftables default
+
###i## aticonfig --initial
 
</console>
 
</console>
== Init script - firewall nftables like a firewall iptables ==
 
<pre>
 
#!/sbin/runscript
 
#      Raphael Bastos aka coffnix        #
 
#      Init Script for Funtoo Linux      #
 
##########################################
 
  
depend() {
+
{{tip|If you would like to have a full-resolution framebuffer with ati-drivers, check out [[uvesafb| uvesafb]]}}
        need net
+
        need nftables
+
        }
+
  
start(){
+
=== Multi-Head Display ===
##################### PARTE 1 #####################
+
ebegin "Starting Firewall NFTables"
+
  
#######################################################################
+
There are a couple of options for setting up a multi-head display. For some systems, all you need to do is plug in your additional monitor, and it will be detected by your desktop environment, and will work.
### Incompatibilities ###
+
# You cannot use iptables and nft to perform NAT at the same time.
+
# So make sure that the iptable_nat module is unloaded
+
rmmod iptable_nat
+
  
#######################################################################
+
If your second monitor does not display anything at all, then play around with your X configuration. Try using the following command to generate a new X config:
  
echo 1 > /proc/sys/net/ipv4/ip_forward
+
{{console|body=
echo 1 > /proc/sys/net/ipv4/ip_dynaddr
+
# ##i##aticonfig --initial=dual-head
echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter
+
}}
for f in /proc/sys/net/ipv4/conf/*/rp_filter ; do echo 1 > $f ; done
+
  
#######################################################################
+
You can use the {{c|--screen-layout={left|right|above|below}}} option to specify the relationship of the second screen to the first.
  
iptables -t nat -F
+
For more than two heads, or multiple cards, you can use the following approach to generate an appropriate X config. First, list adapters to see what adapters are available:
  
#######################################################################
+
{{console|body=
 +
# ##i##aticonfig --list-adapters
 +
}}
  
# ipv4
+
Now, a variant of one of the following commands to generate an X configuration for your needs:
nft -f /etc/nftables/ipv4-filter
+
  
# ipv4 nat
+
{{console|body=
nft -f /etc/nftables/ipv4-nat
+
# ##i##aticonfig --initial --heads=4 --adapter=1
 +
# ##i##aticonfig --adapter=0,2 --initial
 +
# ##i##aticonfig --adapter=all --initial
 +
# ##i##aticonfig --xinerama=on
 +
}}
  
# ipv6
+
One you have your displays enabled so that your mouse pointer can move to all displays, you still may not be able to drag windows to certain monitors. In this situation, each monitor is probably configured as a separate X screen, and you'll need to use the Catalyst Control Center {{c|amdcccle}} GUI configuration tool to tie them together. The Catalyst Control Center is installed when the {{c|qt4}} USE variable is enabled.
nft -f /etc/nftables/ipv6-filter
+
  
# Rules firewall NTFtables
+
Open up a graphical terminal, and become root by typing {{c|su -}} -- your user will need to be in the {{c|wheel}} group to do this:
nft -f /etc/nftables/firewall.rules
+
  
#######################################################################
+
{{console|body=
 +
$ ##i##su -
 +
Password: ##i##*******
 +
# source /etc/profile
 +
# amdcccle
 +
}}
  
}
+
[[File:amdcccle.png|class=img-responsive|center]]
 +
Navigate to Display Manager, and choose the option {{c|Multi-display desktop with display(s) X}} for each display. Then, drag and drop the blue displays to arrange them to match how they are arranged in front of you. Click {{c|OK}}. The Catalyst Control Center will tell you that you will need to restart your system for the changes to take effect. Simply log out if you are running {{c|xdm}}, or end your X session, and start it up again. You should now have a fully-functioning multi-head display.
  
stop(){
+
=== Troubleshooting ===
ebegin "Stoping Firewall NFTables"
+
==== I am using a HDMI connection, and my monitor's display has a black border around it. ====
 +
Disable overscan as follows:
  
#######################################################################
+
<console>
 +
$ ##i##su -
 +
Password: ##i##*********
 +
# ##i##aticonfig --set-pcs-val=MCIL,DigitalHDTVDefaultUnderscan,0
 +
</console>
  
#iptables -t nat -F
+
You will need to restart your X session for the changes to take effect. If you are using a display manager, logging out and back in again should cause the new settings to be visible.
NFT=nft
+
FAMILIES="ip ip6 arp bridge"
+
  
for FAMILY in $FAMILIES; do
+
==== The tabs in Google Chrome are becoming garbled/corrupted ====
  TABLES=$($NFT list tables $FAMILY | grep "^table\s" | cut -d' ' -f2)
+
  
  for TABLE in $TABLES; do
+
New versions of Google Chrome use hardware acceleration by default which appears to have rendering issues with AMD's drivers. To work around this, disable hardware acceleration in Google Chrome by going to {{c|Settings}}, {{c|Show advanced settings...}} and then uncheck the {{c|Use hardware acceleration when available (requires Chrome restart)}}. Once Chrome is restarted, the rendering problem should be resolved.
    CHAINS=$($NFT list table $FAMILY $TABLE | grep "^\schain\s" | cut -d' ' -f2)
+
  
    for CHAIN in $CHAINS; do
+
==== Compton with backend glx does not work well with ati-drivers ====
      echo "Flushing chain: $FAMILY->$TABLE->$CHAIN"
+
Try running compton with the following switches:
      $NFT flush chain $FAMILY $TABLE $CHAIN
+
<console>
      $NFT delete chain $FAMILY $TABLE $CHAIN
+
###i## compton --backend glx --vsync none --paint-on-overlay
    done
+
</console>
 
+
    echo "Flushing table: $FAMILY->$TABLE"
+
    $NFT flush table $FAMILY $TABLE
+
    $NFT delete table $FAMILY $TABLE
+
  done
+
done
+
}
+
 
+
status(){
+
nft list ruleset
+
}
+
 
+
# End
+
</pre>
+
  
[[Category:System]]
+
[[Category:Video Cards]]
 
[[Category:First Steps]]
 
[[Category:First Steps]]
 
{{EbuildFooter}}
 
{{EbuildFooter}}
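Review bot: In the "Deleting Rules" section of the nftables text, the command shown for finding a rule's handle, "nft  rule ip filter input tcp dport 80 drop", has neither the -a flag that the sentence above it names nor a list verb, yet the output beneath it is a table listing ending in "# handle 2"; it should read "nft -a list table ip filter", as in the "Listing tables" section. Separately, stop() in the init script flushes and deletes every chain and table in the ip, ip6, arp and bridge families while start() has already written 1 to /proc/sys/net/ipv4/ip_forward, so stopping the service leaves a forwarding host with no nftables rules loaded; the text should say so in a Note, or stop() should reset ip_forward.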

Revision as of 17:42, February 22, 2015

x11-drivers/ati-drivers


Current Maintainer(s): Daniel Robbins
Source Repository: Funtoo Overlay

Summary: Accelerated ATI/AMD binary drivers for Radeon HD 5000 and newer chipsets.

Use Flags

qt4
Install qt4 dependent optional tools (e.g Catalyst Control Panel)
modules
Build the kernel modules
disable-watermark
Do a potentially dangerous binary search and replace to disable watermark
pax_kernel
Enable pax kernel specific patches
vaapi
Enabled Video Acceleration API

AMD Catalyst Video Drivers


Important

Version 14.12-r3 and above now include ATI GLESv2 and EGL libraries, which should improve stability with GNOME.

x11-drivers/ati-drivers (often referred to as "fglrx", the name of its kernel module) is the proprietary, accelerated driver for AMD (ATI) graphics cards.

Preparing to Install

Default Kernel

If you are using the default kernel -- one like debian-sources that was built automatically, then you'll want to blacklist a few modules to prevent them from loading and interfering with the AMD Catalyst module. To avoid having the open source Radeon drivers automatically load and ruin your day, create a blacklist file as follows:

/etc/modprobe.d/radeon.conf - Prevent open source DRM and radeon drivers from loading
blacklist radeon
blacklist drm

Custom Kernel

If you are building a custom kernel, rather than blacklisting modules as above, you can simply ensure that the Direct Rendering Manager and in-kernel Radeon drivers are not enabled. If you do build them as modules, you will need to blacklist them as above. Also ensure that the following kernel options are enabled.


[*] Enable loadable module support
Processor type and features --->
      [*] MTRR (Memory Type Range Register) support
Bus options (PCI etc.) --->
      [*] PCI Express Port Bus Support
      [*] Message Signaled Interrupts (MSI and MSI-X)
Device Drivers --->
      Graphics support --->
            < > Direct Rendering Manager (xFree86 4.1.0 and higher DRI support) --->

Note

If you need support for AGP cards, enable the following kernel options:

Device Drivers --->
      Graphics support --->
            <*> /dev/agpgart (AGP Support) --->
                  Select an appropriate AGP driver:
                  <*> AMD Opteron/Athlon64 on-CPU GART support

Editing make.conf

Add the following to your /etc/make.conf:

# nano /etc/make.conf
VIDEO_CARDS="fglrx"

Enabling AMD Catalyst Control Center

Then, add the following to /etc/portage/package.use if you would like to enable support for AMD Catalyst Control Center:

# nano /etc/portage/package.use
x11-drivers/ati-drivers qt4

Note

If you are using a desktop or workstation profile, this USE flag will be enabled by default.

Emerging the package

If you have already emerged xorg-server, all you need to do to install the drivers is run the following command:

# emerge -av --changed-use --deep @world

Otherwise, you may install the drivers with:

# emerge -av x11-drivers/ati-drivers

Before using the driver, ensure that the "fglrx" module has been loaded -- run modprobe fglrx as root -- it should return with no error. If the module can't be found, run depmod -a as root -- then the modprobe command should work. If you are switching from the open source Radeon driver, then shutting down your desktop and rebooting your system (be sure to disable xdm) may be required to get the new "fglrx" module to load cleanly.

Configuring

Next, set ati-drivers to manage the system's OpenGL and OpenCL implementations. Doing this is particularly important for desktop environments like GNOME, which use hardware acceleration by default. Not doing this will result in the GNOME display manager not being able to start!

# eselect opengl set ati
# eselect opencl set amd

Afterwards, run aticonfig to modify the X-server configuration file to work with the ati-drivers:

# aticonfig --initial

Tip

If you would like to have a full-resolution framebuffer with ati-drivers, check out uvesafb

Multi-Head Display

There are a couple of options for setting up a multi-head display. For some systems, all you need to do is plug in your additional monitor, and it will be detected by your desktop environment, and will work.

If your second monitor does not display anything at all, then play around with your X configuration. Try using the following command to generate a new X config:

# aticonfig --initial=dual-head


You can use the --screen-layout={left|right|above|below} option to specify the relationship of the second screen to the first.

For more than two heads, or multiple cards, you can use the following approach to generate an appropriate X config. First, list adapters to see what adapters are available:

# aticonfig --list-adapters


Now, use a variant of one of the following commands to generate an X configuration for your needs:

# aticonfig --initial --heads=4 --adapter=1 
# aticonfig --adapter=0,2 --initial
# aticonfig --adapter=all --initial
# aticonfig --xinerama=on


Once you have your displays enabled so that your mouse pointer can move to all displays, you still may not be able to drag windows to certain monitors. In this situation, each monitor is probably configured as a separate X screen, and you'll need to use the Catalyst Control Center amdcccle GUI configuration tool to tie them together. The Catalyst Control Center is installed when the qt4 USE variable is enabled.

Open up a graphical terminal, and become root by typing su - -- your user will need to be in the wheel group to do this:

$ su -
Password: *******
# source /etc/profile
# amdcccle


Navigate to Display Manager, and choose the option Multi-display desktop with display(s) X for each display. Then, drag and drop the blue displays to arrange them to match how they are arranged in front of you. Click OK. The Catalyst Control Center will tell you that you will need to restart your system for the changes to take effect. Simply log out if you are running xdm, or end your X session, and start it up again. You should now have a fully-functioning multi-head display.

Troubleshooting

I am using an HDMI connection, and my monitor's display has a black border around it.

Disable overscan as follows:

$ su -
Password: *********
# aticonfig --set-pcs-val=MCIL,DigitalHDTVDefaultUnderscan,0

You will need to restart your X session for the changes to take effect. If you are using a display manager, logging out and back in again should cause the new settings to be visible.

The tabs in Google Chrome are becoming garbled/corrupted

New versions of Google Chrome use hardware acceleration by default, which appears to have rendering issues with AMD's drivers. To work around this, disable hardware acceleration in Google Chrome by going to Settings, Show advanced settings... and then unchecking the Use hardware acceleration when available (requires Chrome restart) option. Once Chrome is restarted, the rendering problem should be resolved.

Compton with backend glx does not work well with ati-drivers

Try running compton with the following switches:

# compton --backend glx --vsync none --paint-on-overlay