01:12:44 dstolfa: you around?
06:56:40 [tj] (from a few days ago) I'm doing what's in the wiki but bhyve aborts immediately: Unable to setup memory (17)
06:57:01 I'm trying to pass through a pie USB card
06:57:12 pcie
06:58:11 does your computer support VT-d?
06:59:26 crb: acpidump -t | grep DMAR
07:00:14 I think so, it's a 5950x, that's a relatively recent Ryzen 9
07:00:33 Maybe I don't have it turned on in BIOS since that command gives nothing
07:02:36 yeah, unboot the machine, go into the bios, and check that it's got the IOMMU (AMD-Vi I believe it's called) enabled (it won't be called VT-d as it is AMD)
07:03:24 https://forums.freebsd.org/threads/amd-bhyve-iommu-pci-passthru.78843/
07:04:13 OK I'll have to give that a try next time I can reboot it
07:04:15 thank you!
07:07:00 put it in your handwritten journal if that will be more than a few days
07:58:40 <[tj]> crb: you need amdvi enabled on 14, something has occurred on current I haven't figured out yet
07:58:54 <[tj]> this is covered in the pcie passthrough wiki page
07:59:25 <[tj]> I had an issue where ppt was loading far too far behind xhci so it couldn't take the controller, but I don't know if that is on 14 or not
08:02:01 OK I did not have IOMMU turned on, it's on now
08:02:04 but ....bhyve: PCI device at 8/0/0 is not using the ppt(4) driver
08:02:04 Device emulation initialization error: No such file or directory
08:02:43 <[tj]> you can try: devctl detach pci0:8:0:0
08:02:50 <[tj]> devctl set driver pci0:8:0:0 ppt
08:04:10 still Unable to setup memory (17)
08:06:55 <[tj]> pciconf -l | grep ppt
08:14:01 devctl: Failed to set pci0:8:0:0 driver to ppt: No such file or directory
08:14:01 devctl: Failed to set pci0:8:0:0 driver to ppt: No such file or directory
08:17:55 I don't think you can attach the ppt driver if there's already another driver assigned (i.e. not "none")
08:17:58 but I can be entirely wrong
08:18:47 <[tj]> devctl detach pci0:8:0:0
08:18:51 <[tj]> that is why you need to detach it first
08:19:17 <[tj]> you might need to correct the pci path
08:24:14 true
08:34:55 iltisadl
08:35:53 pretty sure that is the correct path and I did detach it first
08:37:50 <[tj]> what is attached to it right now?
08:38:03 <[tj]> what is in pciconf?
08:42:39 none1@pci0:8:0:0: class=0x0c0330 rev=0x02 hdr=0x00 vendor=0x1912 device=0x0015 subvendor=0xffff subdevice=0xffff
08:46:05 <[tj]> is vmm loaded?
08:46:14 <[tj]> what freebsd?
08:46:51 FreeBSD eclipse.ChrisBowman.com 14.2-RELEASE FreeBSD 14.2-RELEASE releng/14.2-n269506-c8918d6c7412 GENERIC amd64
08:47:23 22 1 0xffffffff83400000 33e438 vmm.ko
08:50:01 <[tj]> you could try adding 8/0/0 to ppt devs and rebooting
08:50:17 not familiar with that, how do I do that?
08:53:04 <[tj]> https://wiki.freebsd.org/bhyve/pci_passthru
08:59:17 so I have this: pptdevs="8/0/0" in /boot/loader.conf, I reboot and pciconf -l | grep pci0:8:0:0 shows:
08:59:25 xhci0@pci0:8:0:0: class=0x0c0330 rev=0x02 hdr=0x00 vendor=0x1912 device=0x0015 subvendor=0xffff subdevice=0xffff
08:59:25 none2@pci0:18:0:0: class=0x130000 rev=0x00 hdr=0x00 vendor=0x1022 device=0x1485 subvendor=0x1022 subdevice=0x1485
09:00:30 <[tj]> you can try detaching xhci and reattaching: devctl detach xhci0
09:00:47 <[tj]> devctl set driver pci0:8:0:0, but it might not work again
09:01:07 ok now xhci0@pci0:8:0:0: class=0x0c0330 rev=0x02 hdr=0x00 vendor=0x1912 device=0x0015 subvendor=0xffff subdevice=0xffff
09:01:07 none2@pci0:18:0:0: class=0x130000 rev=0x00 hdr=0x00 vendor=0x1022 device=0x1485 subvendor=0x1022 subdevice=0x1485
09:01:46 ok now: ppt0@pci0:8:0:0: class=0x0c0330 rev=0x02 hdr=0x00 vendor=0x1912 device=0x0015 subvendor=0xffff subdevice=0xffff
09:02:20 but still Unable to setup memory (17)
09:36:51 jbo: i am now
09:36:57 jpb: ^ wrong ping
09:38:12 :o
11:00:42 hello there, anyone fancy committing this patch for support for 2 sitecom wlan adapters? http://paste.debian.net/plain/1366657
11:43:01 racoon: nice patch, please submit it via bugzilla
11:43:50 will do, have requested an account
11:47:20 OK
11:55:14 <[tj]> racoon: https://reviews.freebsd.org/D49588
11:55:28 <[tj]> racoon: please tell me who you are so I can set the author line in a commit
13:19:33 has anyone been able to get intel discrete graphics cards working on FreeBSD?
13:20:21 I've tried i915 from drm-66-kmod on 15-CURRENT, but it just panics on loading the module
13:22:58 <[tj]> does the card work on linux 6.6?
13:23:33 yes
13:24:00 but the relevant issues on the drm-kmod github page don't look promising
13:24:39 https://github.com/freebsd/drm-kmod/issues/315
14:23:50 just tried the 6.8 version here https://github.com/freebsd/drm-kmod/pull/344
14:23:58 same thing, panics when loaded
14:34:00 mtll: was the drm-66-kmod package built in place using up-to-date sources?
14:34:53 yeah I built it from the ports tree
14:35:04 freebsd is CURRENT, installed literally today
14:37:56 OK, there are https://cgit.freebsd.org/src/commit/?id=f33989797374d135b64da59e0ef533ac69d0a5b7 and https://cgit.freebsd.org/src/commit/?id=0b02cfb9488a3ac6b75836ca9cee8227b9d4b54c, but I don't know how relevant they are
14:40:24 mzar: yeah, might be relevant, probably included in the custom kernel I built for the 6.8 DRM branch though
14:41:32 it was straight from dumbbell's github anyway
15:13:44 dstolfa: may i dm?
15:17:15 jpb: sure thing
15:55:39 Hi there, quick question: the datasets I create on top of a pool = are they going to consume from the total pool available size?
15:58:02 sure, they will
17:19:14 As much as I love the 'offline' build feature of the ports tree (I know you can turn that off, but I'm talking about 'official' pkg build), language based package managers don't show any signs of going away. Considering how security is a big deal these days,
17:19:17 I find it ironic that this is commonplace/generally accepted practice. What's FreeBSD's latest stance on this? Will they begin to allow the building of official packages to work with things like npm, yarn, gem, gradle, maven, composer, etc...?
17:20:03 still haven't, no
17:21:28 golang notably wants to do similar, but we instead ended up with some tooling to generate the required dependency list to download
17:24:07 It's a great option, very simple and effective (when it works). I wish we'd have similar tooling for the other ones. I tried making one for composer, but got stuck on some issue where composer wouldn't allow me to see what it wants to download.
17:24:34 That's the problem, a lot of these package managers don't like it when you try to force them offline
17:24:59 ...And the upstream devs are unwilling to help.
17:29:48 there's going to be very aggressive opposition if you try to enforce ports tree full build to depend on online connectivity and having it bring outside data/parameters in dynamically
17:30:06 and I mean violently aggressive, because it's a hideously bad idea
17:36:02 Yeah, which is why I find the practice by every Linux distro out there so ironic.
17:39:34 I guess there are benefits in being in a company where doing nothing is already a success story
18:06:49 tuaris: yeah, the mix of download/build by 1 tool and sometimes even 1 command is really frustrating
18:11:52 i really hope "panic: tcp_do_segment: sent too much" gets fixed soon, i've been putting off upgrading just in case
18:31:26 it was fixed IIRC
18:31:42 mzar: maybe not, as someone just reported running into it on latest current
18:32:06 https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=282605#c51
18:33:06 ah.. so they will work with packetdrill... hard work
18:33:10 ivy: I've switched to the rack stack locally until tuexen gets a chance to analyze the pcap from my report
18:33:27 kevans: ah, is rack not affected?
18:33:36 same here, I am on RACK since it showed up in 13
18:34:31 ivy: yeah, tcp_do_segment is specifically the default stack implementation; rack has its own implementation
18:35:07 RACK always worked for me like hell
18:43:25 my historical position has been to just keep with the default stack barring some compelling reason to switch; I just don't understand the scenarios where I'd benefit from RACK well enough to make the informed decision to move to it full-time (and the default stack has filled my needs to the best of my knowledge)
18:44:01 now, panicking once or twice a day especially when I'm about to host a meeting is a compelling reason
18:44:56 kevans: i heard RACK might become the default at some point so i guess switching now isn't so bad anyway :-)
18:46:54 after RACK gained TCP-MD5 support it became a 100% comprehensive stack, we are not using it on the routers though
18:52:25 mzar: are you still deploying TCP MD5? i thought it had been obsoleted by TTL security
19:08:04 obsoleted by TCP-AO, but it is implemented in neither of our TCP stacks
19:10:27 FreeBSD is a mostly business-driven project, we need more ISP businesses here hiring programmers and upstreaming changes
19:10:51 i'm curious what tcp-md5 protects against that ttl security doesn't
19:11:08 at least all ISPs in finland are completely retarded, no chance they'd contribute anything :(
19:11:11 RST
19:11:33 mzar: why doesn't ttl security protect against rst?
19:12:27 i mean, protecting against forged RST is basically the entire purpose of ttl security, aiui
19:14:45 it recognises only TTL
19:15:07 that's a sad story Koston
19:15:14 yes, but RST packets have a TTL, don't they?
19:16:21 it's an imminent part of the IP header
19:16:26 mzar, it really is unfortunate. the fiber network here is very good, but that's the extent of what ISPs comprehend as good business
19:16:32 right, so ttl security will drop forged RST packets
19:16:41 because the ttl will be too low
19:17:04 i'm not saying you shouldn't use tcp-md5 if you want, i've just never heard that ttl security can't protect against this
19:18:00 at least you have FTTH, in some countries ISPs are only charging for copper and changing voltage/current/modulation to maximise profits
19:18:25 true, I know it's even worse in most places
19:18:42 ISPs are just owned by old af geezers who are interested in nothing but their retirement bank account
19:22:01 this is a nice patch, I tried to attract some people to it, but they are busy, if you guys have PCs and IPv6 on them, maybe want to try and give feedback here https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=245103
19:25:04 it needs more testing, and comments from people familiar with EPOCH and VNET contexts which probably should be added here
19:25:35 does it apply on rel branches or only -current?
19:26:10 I have it on stable/14 too, so should apply on 14.2
19:26:37 ok cool, then I can give it a spin, just need to consolidate a few services to free up a box for testing
19:26:45 mzar: thanks.
19:28:40 Let's say I have a spare disk (not the system/boot) that I am enabling geli encryption on - single partition, full size. I want to create a zfs pool with that disk. I first geli attach (password prompted) and then add to pool.
19:29:32 once a boot, I will manually geli attach again and type password. How do I make zfs recognize that disk.eli is available and auto mount?
19:30:10 geom will taste it
19:32:09 mzar: I (no doubt) did something wrong. Cause geom is not identifying it. I am certain that I am doing it wrongly.
19:32:39 cybercrypto: I could be wrong, I am sorry
19:35:14 mzar: nope, I am learning. since this is a 'sandbox disk' I will redo step by step again... my goal is simple= I want a 'zfs-pool-my-data' running in a disk, that disk is previously gpt partitioned + geli.
19:38:08 do it step by step, take notes, prepare a script and you will be fine
19:38:53 mzar: sure, that will help me understand where the possible missing step is. thanks
20:07:17 what is the name of the feature for AMD VT-d/IOMMU?
20:12:49 crb: VT-d doesn't exist on AMD, and AMD IOMMU support isn't indicated in cpuid as far as i know, so there's no feature flag for it
20:13:08 ivy, that's what I wanted to know, thank you
20:13:24 so is there a way I can tell if freebsd sees that feature as turned on?
20:15:33 crb: i believe you will see an ivhd device in dmesg, or you can check for "options IOMMU" in the kernel config
20:16:14 I *guess* that amd-vi is implemented after a certain point on all their kit, hence lack of a feature associated with certain firmwares
20:16:43 duncan: no, it's just not in cpuid, there's another way to check for it via ACPI. see https://www.amd.com/content/dam/amd/en/documents/processor-tech-docs/specifications/48882_IOMMU.pdf §5.2
20:16:49 AllanJude: you around?
21:19:40 Ok I assume if I have a wireguard configured on my laptop, split tunneling is a bad idea, and seeing as wg-quick redirects ALL traffic through the wg interface (apart from traffic to the WG peer) this would not be possible without writing the routing table rules manually. So I assume the better approach would be to delve into rdomains?
21:20:01 I remember some discussions on it within the OpenBSD mailing list (I am aware the rdomain implementations differ)
21:20:38 have the default rdomain for everything to go via the VPN, and then for something you need to be outside of the tunnel (for example local traffic), you can use a second rdomain
21:20:45 any other suggestions?
21:22:49 wg-quick does not redirect all traffic, just what's specified in the allowedIPs right?
21:23:06 it's not manual at all
21:23:08 hm, what is your desired network layout? I don't fully understand that
21:24:42 yes, wg-quick creates routing rules for whatever is in AllowedIPs
21:25:42 'split tunneling is a bad idea' is maybe a bad premise to start with, it depends on what you're trying to accomplish with the tunnel
21:41:52 rtprio: yes it does, it adds a rule for 0.0.0.0/1 via wg0
21:42:19 ohh right it's from AllowedIPs
21:42:21 duh I am silly
21:42:31 I completely forgot it existed
21:42:45 could just exempt local subnets from it
21:43:06 * polarian is a giant idiot :P
21:43:19 kevans: always on vpn
21:43:28 in which case you want no split tunnelling, not even for local traffic
21:43:47 the very concept is to harden wifi, as WPA is not the strongest
21:44:45 ....
21:44:47 with wireguard you have 3 layers of encryption on a packet payload, TLS, then WPA on top of the packet, and then Wireguard on top of that
21:45:50 but sometimes, and only sometimes, say you want to configure a new device, without configuration you have got to drop the wireguard tunnel (I have pf drop all packets to anything other than the wg endpoint)
21:45:51 wpa3 is plenty strong enough
21:46:03 rtprio: and unless you are running the latest APs, you won't be that lucky
21:46:59 i am that lucky
21:47:03 and let's not forget, in most people's cases you are trusting a black box
21:47:07 unless you are running openwrt
21:47:15 which I wish I could but my APs are too old and too shit
21:48:52 and that doesn't protect you on public wifi, which in a lot of cases does not use any encryption
21:49:05 Always-on-VPN should be something you set up and leave...
21:49:15 also there is another problem, captive portals, something I haven't delved into yet
21:49:55 my attempt is very basic and incomplete...
21:50:20 i pity the intern that has to set up wireguard on everyone's pc
21:52:07 polarian: right, but that kind of setup isn't necessarily implied by 'running wireguard'
21:53:45 kevans: sorry for being ambiguous
21:55:13 rtprio: this is a home setup, not for a business... a business would not want all traffic going via their network, their employees' youtube browsing will cost them a fortune in bandwidth. From what I have heard the majority of businesses split tunnel, securing access to the company's network while out of office, but not pushing the users' normal traffic via the tunnel and congesting the company's
21:55:15 network.
21:55:28 is it extreme? sure
21:55:42 if it's a home setup, how hard is it to update your ap, jfc
21:56:08 but it also protects against common attacks, such as DNS spoofing... can't spoof DNS which is only provided via a trusted recursive resolver over a wg tunnel + DNSSEC validated
21:56:28 rtprio: I am stubborn and do not wish to throw away working hardware
21:56:46 polarian: my dad says the same thing about his windows 2000 system
21:56:58 rtprio: I am running an E6430
21:57:02 right now
21:57:07 who all are you letting on your home network who's spoofing dns
21:57:18 might not be as old, but it is still old
21:57:23 but it works, why replace it?
21:57:40 rtprio: this is my laptop, I travel with it
21:57:41 because it doesn't support modern cryptography, or receive regular updates
21:57:45 (not sure if you can really call any internet connected device "working hardware")
21:58:05 I mainly hotspot because of the damn captive portals
21:58:40 I assume learning rdomains would be a good idea
21:58:50 ok man, good luck to you
21:59:18 my question was kinda answered though, I forgot the routes were added from AllowedIPs
21:59:24 so thanks for the correction :)