is it possible to name a bridge at the time of creation? I found a mailing list thread that said "yes you can, see the manpage" but I'm not finding an example there.

tsundoku: what is it that you want to achieve? to create a bridge you have to specify the bridge name. Can you reformulate the question?

tsundoku: the man page has an example using 'bridge0' as the bridge interface name, with two slaves to it. man.freebsd.org/cgi/man.cgi?bridge(4)

Title: bridge(4)

I can't find anything. unless I am completely failing to read, or looking at the wrong manpage, they don't say how to do it, and all the examples I'm finding assume the reader is fine with "bridge0"

yeah no idea what they're talking about

but you can do `ifconfig bridge0 create name whatabridge`

does that rename the bridge or make another one?

creates bridge0 and then immediately renames it

there's no atomic create-as-a-given-name outside of the classic <driver><unit> schema, so there's by necessity a msall window where someone can observe the original name in all cases

that may be what was referred to. it's just not apparent and I couldn't find any example of it in the manpage

fair enough

but I get the feeling you just don't want to do two ifconfig calls

I'm trying to unravel what bastille does so I can do some more stuff manually because it can't do what I need on its own

so bastille has already created "ixl1bridge" on its own

I'm getting deeper in the weeds than I intended to because its automatic features won't create two vnets for a jail

a jail can only have one vnet by design

you can do some wonky magic with neseted jails where the outer jail and inner jail each have their own vnet, but you can't have a jail with more than one vnet on its own

s/neseted/nested/

(this may be a terminology issue where I'm being a bit pedantic, sorry)

that's interesting... someone else told me that there's no limitation on jails and vnets, just that bastille only knows how to do one

that... kind of ruins what I was trying to do

can you give a high-level description of what you're trying to do?

I have a server with multiple physical NICs, each connected to a different VLAN on my core switch

I want to create VNET jails that are on various of those VLANs. most jails only need to be on one, but unless I dramatically change my setup, a few of them need to be on two

I'm coming from Solaris where you can add as many interfaces as you want into a zone

yeah, you shouldn't really need multiple vnets for that

no?

nah, this is definitely just a terminology mismatch. assuming you need to share these NICs with multiple jails, you'll likely just have a bridge per NIC and then an epair per jail

yes, that's exactly what I want to do.

but when I tell bastille to give the jail a vnet, that's what it does automatically, so I thought that was the correct term.

I'm also trying to figure out the best way to configure it so that I'm not just duct-taping things together.

(or defeating anything bastille is trying to do)

yeah, so vnet is the name for the virtualization of the network stack. so a jail gets a new vnet, and that vnet is the container for, e.g., all of the NICs assigned to it, the context in which the TCP stack operates, etc

oh, that's definitely not what I want

it is, though, it's just the concepts on top of a vnet that you care about

that's what bastille wants to do if you aren't putting the jail behind a NAT or something, though.

a vnet gets its own loopback and whatnot, it can bind to privileged ports

oh wait, maybe not by default still

Title: Bastille Networking in Depth | BastilleBSD

this is making it sound like what bastille called VNET is literally just a bridge and an epair

yeah, I can see where it gives off that vibe

so I think I get how I need to make my bridges

now I need to figure out how to specify the epairs in the jail.confs. what bastille does with its -V option isn't entirely apparent from the one it generates

i'm actually not sure the usual approach for that; you could certainly assign them in an exec.created script

hm

I'm trying to make this as clean as possible, so... still looking

I can't find where bastille specifies the epair, which is a problem for me needing to create my own extra ones

what exactly *is* jib and what does it create? there's no manpage as far as I can tell.

tsundoku: antranigv.am/weblog_en/posts/vnet-jail-howto

Title: VNET Jail HowTo | Antranig Vartanian

tsundoku: and this one skyforge.at/posts/an-introduction-to-jails-and-jail-networking

Title: An Introduction to Jails and Jail Networking

thanks

I can already tell this is doing things very differently from bastille, though

this is part of the problem I'm running into...

I think Bastille makes certain assumptions

it does, and I'm trying to figure out what they are, but the developers don't seem to expect you to need to care

so they're not making it easy

I've heard of 'jib' but forget what it is used for. its not part of base as far as I can tell

I think jib is the key to all of it

tsundoku: found it in /usr/share/examples/jail/

oh?

yeah, so it looks like it creates the epairs on its own

it looks like it's handled in generate_vnet_jail_netblock() in common.sh

using exec.prestart, etc, and calling the jib utility

so i don't see why you couldn't just use some exec.* variables for your additional interface

that's the idea

but I need to figure out the right syntax to use

personally i just i put that kind of initialisation in my own script called from an exec.* declaration. so if there is any way for you to specify those

i haven't used that software so i don't know

yeah

I'd rather not be adding helper scripts into the mix

I want to keep it tidy and as close to the bastille standard as possible, so just, in jail.conf, using jib, ideally

not calling homemade scripts that set up all the network stuff manually in my own way

I think I'm getting closer but there may still be a bunch of trial and error left

OK

right now I'm working on setting up the bridges I intend to use, then I'll see if I can get a jail.conf that will do the thing properly

so we were talking earlier about how to do like `ifconfig bridge0 create name whatabridge`

how would I reflect that in rc.conf?

hmm, i'd think it would be like other rc declarations, like ifconfig_bridge0="name whatabridge inet [...]" - a bit strange since the name will change. not sure

it is a little strange

and I can't find examples of bridges being named in the official documentation

and there's the cloned_interface thing too which I don't understand yet

actually, looks like you can do interface_bridge0_name="whatabridge" and then configure it normally with ifconfig_whatabridge

I'll try that

but yeah i don't think the ecosystem is very well developed yet, and you may find yourself doing more custom things than you originally want

yeah, I'm honestly really disappointed

I've been using Solaris zones for a long time and a friend who is a big FreeBSD believer told me to check out bastille because he thought it would do what I want

I'm getting the impression that it's not really there yet

I can make it work but it's much more crude than I hoped for

maybe it will get there in time...

tsundoku: another option would be cbsd or appjail .... I've not used appjail, and cbsd was more complicated than what I needed, but might suit your needs better than bastille

I'm actually looking to downgrade from bastille to just using /etc/jail.conf.d/jail_xxx.conf type of setup

I'd have to look

I want something that's at least sort of in the direction of Solaris zones and not doing a whole lot of manual handholding

I've not used Solaris zones so can't compare

basically it does all the networking stuff for you. you just tell it which interfaces you want it to have and what you want their IP configuration to be

Solaris had another container technology as well besides Zones.

you maybe thinking of LDOMs?

I never ended up playing with those.

no not LDOMs

then I'm not sure

I'd probably recognize it by name

its been a while since I did anything with Solaris

I'm still using it but I'm about to get off because my machine is old and I'm going to have to eventually...

about ten years ago I played with FreeBSD and jails, on FreeBSD 9, and I didn't like the state of things, so I stuck with Solaris, but now I think it's about time to give up

there is also netbsd and its nvm setup

interesting

I won't touch anything without ZFS for servers anymore, though

just have to wait for netbsd 10 then I think

unfortunately I don't have a whole lot of time on my hands to play around with a bunch of different things, so if I can beat bastille into shape I'm just going to go with it

so I got my bridge up and I got a jail connected to it with an epair, but the network is unreachable form inside the jail

hmm

pf firewall

not running

I think you need it to be running, but have a look at that VNET how to that I sent the link for earlier

I didn't need it running for the automatic jib-created ones

I think with bridges you do need it, as I recall.

but jib creates a bridge, too.

it does the same thing

you either need an address on the epair or a route

there shouldn't be any routing happening

not on the FreeBSD machine.

hmm, if it's IPv4 then i guess ensure you have ARP turned on in the bridge

by route i just mean an entry in the jail's routing table. this should happen if you have an address on the epair

yes, it has the correct default route

but it can't reach the gateway

by gateway you mean the nexthop in the route right

I mean the defaultrouter as configured in rc.conf

well, i guess you know that you need that defaultrouter to be part of a directly connected subnet (one of your epairs)

yes, the epair and the bridge are supposed to be doing that job

not sure about that error then. aside from actually receiving a network unreachable icmp response

on the host system, bridge needs to addm your vlan interface or you need net.inet.ip.forwarding=1 , though i don't know if lack of that would generate network unreachable

there are people who can help with this better than i can who are undoubtedly not here now

yeah I'm afraid I'm going to have to go to bed in defeat tonight

also worth checking you have a non-trivial netmask set on your epair i guess

no, it's nothing obvious like that

Hello, I just read freebsd.org/security/advisories/FreeBSD-EN-23:16.openzfs.asc and was wondering if there was no binary patch for 14.0. I did freebsd-update fetch, install and reboot, but zfs --version still reports zfs-2.2.0-FreeBSD_g95785196f and uname -a 14.0-RELEASE #0 releng/14.0-n265380 (while I hoped for releng/14.0-n265384) - did I miss something?

jupiter126: check with freebsd-version

try with freebsd-version -kru (k=kernen r=running u=userland)

Updating from 13.2 to 14.0 via freebsd-update tool, I know that there is an Errata "FreeBSD-EN-23:16.openzfs" solved the OpenZFS problem, I wonder is there anything additional I can do, during the upgrade process, to fetch and install that patch, or a regular upgrade process will install all the patches for 14.0 automatically?

is there any m2 pci-e expension card that is known to work well?

tercaL: first update to the latests 13.2p6 then to 14.0R

Oh

Hi

I am not sure if this is freebsd issue or mumble, since I am new to FreeBSD and Mumble. It won't accept my mic input. Same device is output, and playing sound works. Mumble is also playing sound on correct device. But it doesn't hear the mic

I can't use clbin. ssl expired? wat

curl: (60) SSL certificate problem: certificate has expired

Well, the line of interest is: pcm9: <USB audio> (play/rec) default

Ok so I have no idea why, today when I was gonna debugg mic works somehow

Hello, any news on OpenZFS 2.2.2 on FreeBSD? Will it be released as a 14.0-RELEASE-p releas?

it is already in stable/14. maybe it will be in some patch set

so stable != RELEASE, right?

what is your expectation in 2.2.2?

Title: Two new versions of OpenZFS fix long-hidden corruption bug • The Register

the corruption bug is fixed in 14.0-p1 / 13.2-p6, is there something else you want from openzfs 2.2.2?

RELEASE has some corruption bug fixes

I have applied the sysctl setting that is mentioned but that is just a workaround in a bug that aparently has been in ZFS for a long time.

Since 2.2.2 suposedly has fixed this bug I hope to be able to get it via a RELEASE-p upgrade.

"The FreeBSD project has published an errata notice, and made fixes available for FreeBSD 12, 13 and 14."

you will not get 2.2.2 but RELEASE has the fixes cherry-picked

Title: src - FreeBSD source tree

Title: src - FreeBSD source tree

Title: src - FreeBSD source tree

Does this imply that I can remove the sysctl setting that is mentioned in the errata?

I am (or rather my server is) on 14.0-RELEASE-p1

yes, the workaround section in the erratas is for the cases when you can't update to the point release that includes the errata

nimaje: Thank you for clarifying

it even contains "The workaround should be removed once the system is updated to include the fix described in this notice."

How do I explain that FreeBSD eating 2GB RAM because of ZFS and that it is a feature without sounding ironic?

zfs aims to use free ram and give it up when something requests it

Zyxer: just explain that the RAM ZFS uses is freed up if something else needs it, so look at it as "optimising by using available unused resources" rather than "eating ram"

Zyxer: Modern systems keep as much in disk cache as they can as an optimization. Spending electricity on empty RAM isn't useful.

Thanks

how do i check if ikev2 is supported in strongswan?

free RAM is wasted RAM

echelon: not a FreeBSD question per se

echelon: have you tried ipsec statusall?

thorre: thanks

it's showing ikev2

you are welcome ;-)

jupiter126: i had your same question, and came to the same conclusion (or at least question) as you. for now, i am waiting to revert the vfs.zfs.dmu_offset_next_sync sysctl setting

update to the latest point release and revert the setting, the point release should have the fix

What man provides docs for rc scripts vars like required_files?

er.. think I found it... rcsubr

Yeah, that's it. nm.

thorre: you happen to know what it means when you get: parsed IKE_SA_INIT response 0 [ N(NO_PROP) ]? :/

Looks like a proposal missmatch to me

conn myconnection

...

ike=aes256-sha1-modp1024,aes128-sha1-modp1024!

esp=aes256-sha1,aes128-sha1!

...

sorry for the off topic paste :|-

Basically, to the best of my understanding, you have a miss match of the proposed and supported cyphers between the client and the server

i don't have any ciphers configured :/

thorre: happen to know what the log path for strongswan? /var/log/messages isn't registering anything

do a "ls -lrt" in /var/log and check wich files got updated last. Check the contents of daemon

hello there i have bug in freebsd 13.2 p6 i try run inspircd version 4 and i get error and this a error Undefined symbol "_ZN3fmt2v912format_errorD1Ev"

someone can help to me please?

did you build it or install it via pkg ?

i run it look the version 3 is run good but when i run the version 4 i get error

i think something in freebsd not working good

i think the error come from system Undefined symbol "_ZN3fmt2v912format_errorD1Ev

but where did you get the binary you are trying to run from? as version 4 is in alpha, my guess would be you build it yourself, but instead of getting such an error at runtime you should have got it at build time

I was thinking might be a missing library or something like that, or a version mismatch

yeah, but that shouldn't happen at runtime with a freshly build binary, it should have failed to compile instead (but of course that "freshly build binary" is just an assumption because inspircd version 4 is in alpha and likely wrong)

Is it possible to read LUKS on FreeBSD?

hm, there is freshports.org/devel/libluksde but no idea if it works

Title: FreshPorts -- devel/libluksde: Library and tools to access LUKS Disk Encryption encrypted volumes

anyone attempt an in-place upgrade from 13.x to 14.0? Have one running now. Hope I don't brick this ting.

i have a update to 13.2.p6

I just updated to that, wanting to see what 14 is like. I'm pretty green anymore with BSD. I haven't touched it in like 2 decades

i cant see the update to 14

i dont have it in system

and now i also run it freshports.org/devel/libluksde and again i get error

Title: FreshPorts -- devel/libluksde: Library and tools to access LUKS Disk Encryption encrypted volumes

I kicked it off with freebsd-update -r 14.0-RELEASE upgrade

ah, so you updated from -p5 to -p6 and then you got that error? that shouldn't happen normally, point releases should stay ABI compatible, no idea where that symbol should come from and why it doesn't anymore

yes i get error only from inspircd version 4 but not version 3

update completed. Moment of truth...

The excitement is unbearable

Despite we always manage to fix misshaps and errors.

the excitement of discovery

So far so good, but for some reason it didn't initalize the graphics driver automatically

glad to see you "on the other side" daneurysm

heh, if it went completely sideways, I would have just installed via ISO. Wouldn't be the first time

Just killing it has never been an option. At work I only have cattle so I indulge myself with a server "pet" at home.

drwxr-xr-x 2 root wheel 2 Sep 29 2016 mnt // I thought this box was older than this. I must be misremembering.

:-)

zfs get creation zroot

NAME PROPERTY VALUE SOURCE

zroot creation Tue Mar 6 19:34 2018 -

:)

The impressive thing is that I have screwed up so many upgrades. Missed bootloader (zfs) upgrades etc. The blody server is still running strong. Corrupted files? No problem, just scrub the file system once ow twice. Unexpected powercut no problem etc. If we would submit any of the "high end" stuff at work for similar "administratio" they would be fucked up beyon repair.

FreeBSD always delivers.

I find it a pity that so many admmins nowadays do not apreciate the no frills operations systems.

Yes, I know that NetApp etc. use a lot of FreeBSD under the hood but when arguing about FreeBSD at work I am often met with the "what about all the liabilities" argument that RedHat and the other commerical players have "solved" with service contracts.

Do we know if something similar (that covers IPR liabilities) exists in the FreeBSD space?

IPR = Interlectual Property Rights

For example, how does NetAapp handle it's involvement in FreeBSD?

how do i get the list of fib #'s for my existing routing table?

@scoobybejesus, ok thanks ^^ am not the only one ;)

Lotta patches... Glad I waited

I'm still at a loss as to why jails connected to my bridges with an epair aren't reaching the network...

everything looks right, but it's just not happening

tsundoku: which network? internal or do you mean NAT?

no NAT

Testing with something other than ICMP, right? IIRC ICMP is disabled by default

yes

k

I have a bridge with an interface as a member

I have an epair set up through bastille (external bridge vnet) with a on the bridge and b as the vnet inside the jail

but let me try again to make sure I wasn't just testing ICMP earlier

how would I enable ICMP for that?

Erhard: ICMP is not disabled for VNET jails

okay, so it's definitely not working

I have never tried bastille

Don't you have to allow raw sockets?

the setup I have isn't bastille-specific. bastille is just doing the epair setup with ifconfig, but it's all bog standard

Erhard: hmm you might be right

I get "ping: sendto: Host is down" when I try to ping the gateway

tsundoku: allow.raw_sockets should be 1

probably

Would probably get a perm error if it were the sockets

But I can't recall

tsundoku: do you see traffic on your interface on the host side?

Erhard: lemme test actually

is allow.raw_sockets a jail.conf value?

allow.raw_sockets=1; in jail.conf

ping: ssend socket: Operation not permitted

Without it

seems to work without raw_sockets

13.2-RELEASE-p5

so I have two jails on two different bridges right now

I think you can set it in sysctl as well

one is on a bridge I made myself, and another is on a bridge bastille made automatically

shows as allow.noraw_sockets

the bastille-created bridge works. mine doesn't

and the one that works doesn't have allow.raw_sockets set in jail.conf

in sysctl it is: security.jail.param.allow.raw_sockets: 0

security.jail.allow_raw_sockets: 0

allow.noraw_sockets is set

I think this may be a red herring

ping works

Doesn't work here in a jail without those settings

Erhard: VNET or regular?

security.jail.param.allow.raw_sockets: 0

I think it works in the vnet jail, but not the others.

Without those systctls set (set to 0)

okay, so the whole thread of discussion around allow.raw_sockets is irrelevant to vnet jails?

I cannot say for sure but it does not seem to affect my VNET jails

for the record I'm not getting any "operation not permitted," just "host is down" when I try to ping other IP addresses on the network the bridge is supposed to be connected to

I think that is a different issue.

WOul ignore the raw sockets thing for now

tsundoku: tcpdump your bridge interface

or the epair

run ping

sure, just a moment

Or test with telnet google.com 80 and see if you get a connection.

you'd need to have routing enabled

and a working resolv.conf

it should, but right now I'm just trying to ping the gateway to keep it simple

telnet to any local server you know is up by ip ;-)

okay I'm getting something

looks like just ARP requests

"14:53:45.820021 ARP, Ethernet (len 6), IPv4 (len 4), Request who-has 10.4.255.254 tell 10.4.0.13, length 28"

10.4.255.254 is the gateway, 10.4.0.13 is the jail

that's from tcpdump of the bridge end of the epair

so the ARP requests aren't getting answered?

You have a route setup?

yes but that's not the issue right now

I'm just trying to ping the gateway. no routing involved.

Through the epair

what do you mean

On my vnet jail I use an exec.prestart to set a route.

It's been a while since I set this all up, mind you.

So I don't know what the hell I am tlaking about, but I recall needing that.

the default route is set in rc.conf inside the jail

but that shouldn't be relevant to this because I'm not trying to leave the network the jail is on?

I have this in rc.conf: ifconfig_epair0a="192.168.20.2/24"

defaultrouter="192.168.20.1"

sure but

defaultrouter only matters when the destination is outside the network

But then in jail.conf route add 192.168.250.0/24 192.168.20.2

right now what I'm trying to do is ping the defaultrouter itself. not send anything through it.

That may be to get to my other jail. nvm.

Carry on. I'll shut up

yeah, that looks like a specific route to reach another network

so if I were in your jail I'd be pinging 192.168.20.1

and getting nothing

iT'S SO MY WIREGUARD JAIL CAN REACH THE DNS JAIL.

Oops. Sorry for caps

teehee I was about to say "you okay over there?"

tsundoku: 10.4.255.254 is your gateway?

yes, for this network

do you have that address up on the bridge for these jails' epairs?

it doesn't belong to the bridge, but it's connected

oh, is it a member of the bridge?

10.4.255.254 specifically

10.4.255.254 is not on the FreeBSD machine at all. it's elsewhere on the network.

what are you expecting then

the bridge just has the interface and the jail epairs as members. there's no IP setting on that

first ping the host from the jail

the physical interface is plugged into a port on a switch that is carrying this network

try pinging the IP on the host running the jails from inside a jail or vice versa

the host isn't on this network

oh

do you have only one jail? if there are two, can they ping each other?

I only have one on this network right now

and no firewall active?

correct

the bridge is supposed to just be a dumb link between the physical interface and the epairs

so epair is bridged with the interface that is on the same network as the gateway?

correct

and this setup does work, if I let bastille create the bridge.

so I think something is wrong with the bridge I created myself.

is the bridge UP?

brj: flags=1008843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST,LOWER_UP> metric 0 mtu 1500

I know this is a stupid question

maybe it's no!

*not

let me try to confirm

check ifconfig

so it doesn't specifically say LOWER_UP, but neither does the bastille-created one that works

does it have UP though

no

:|

ifconfig <bridge> up

igb0bridge: flags=8802<BROADCAST,SIMPLEX,MULTICAST> metric 0 mtu 1500

problem solved

that's the one bastille created. it works.

svcbridge: flags=8802<BROADCAST,SIMPLEX,MULTICAST> metric 0 mtu 1500

this is the one I created. it does not work.

see a difference? I don't

please try `ifconfig svcbridge up`

sure, why not

svcbridge: flags=1008843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST,LOWER_UP> metric 0 mtu 1500

but... no change in behavior

I have never tried downing the bridge myself

epairs are up too?

yes, epairs have been up

so there is *one* difference I can see

the epair on the bridge bastille created has both an ether and a hwaddr value

the epair on the bridge I created only has ether, no hwaddr.

well I do not have hwaddrs either

yeah, I'm not sure whether that means anything.

it's just the only observable difference between the one that works and the one that doesn't

my bridge is created with rc.conf

hmm

honestly it is very late here and I gotta go sleep :(

alright. thanks for exploring it with me

FYI mine is created in rc.conf too

Still no go?

YOu have vnet.interface = "epair0a"; or similar?

yes

For the hell of it did you try a full reboot?

(if able)

I do seem to recall encountering some issue when setting up jails where that cleared itup (presumably I had set something I did not recall)

But I always test them with a reboot anyway to make sure there will be no surprises later.

at least restarting networking could be a worthwhile thing

Which wasd likely all that was required.

just realized the pain of upgrading from 13.2 p6 ->14 is that it doesn't also upgrade the software you've installed via ports