Is there a way to load the igc driver from fbsd 14.3 in opnsense 25.4.1 (fbsd 14.2) ?

the way opnsense and pfsense work you can't really customize it without breaking it

this is mainly why I sold my netgate and just did it all by hand

yeah, that makes sense.

stdout, In any case the kernel module would need to match exactly. Crossing versions is almost a guaranteed kernel panic.

jail question, host-epair-jzeus-(do i need 3 epair?)-(jtom | jharry | jjim)

is vm-bhyve still the preferred way to manage bhyve VMs?

I vaguely remember seeing some discussion in here about it a couple months ago, that mentioned some other alternative, but I can't remember its name

i know these: pot, bastille and vm-bhyve

i had been used pot for a while for dns server jail

which i used it after i can't do what i wanted with bastille

if you gonna use graphics etc. use vm-bhyve imo

oh dang, pot and bastille should be for jails...

yeah I was planning to set up a linux gaming VM

hmm, then you are going to do gpu-passthrough too? these are easier to do with vm-bhyve

as a temporary solution until drm-kmod supports my dGPU

yeah, I'm running FreeBSD on my iGPU at the moment, so I can just passthrough the dGPU to the VM

okay great

i just have iGPU and i don't game

I've got the intel A770

and I predicted potential driver issues on the horizon, so I got the iGPU version of my CPU just to be safe, turned out to be a good choice when I switched to FreeBSD

nice thought

i hope gpu passthrough works for you

I mean it should be fine, linux drivers for intel arc are pretty much on par with the windows drivers

i see

i think freebsd should support some G-PT features to be able to do that, hope it got better

i remember watching a video of Colin(?) to give a presentation about G-PT

it was covering amd and nvidia

well, bhyve supports pci passthrough so it should just work

yes.

I'm assuming it'll just pass it through to VM as a pci device and then the guest OS can deal with the graphics stuff

i think so too

but i wonder what the freebsd host going to do in the background, what happens to it, how the guest take over the screen?

it's interesting

i guess you have to passthrough usb devices too?

nxjoseph: well, right now I have 2 of my 3 screens connected to the video outputs on the motherboard

in theory I should just be able to connect some of the screens to the dGPU outputs

oh right

and then switch inputs

i forgot about it

maybe even use synergy to share peripherals between the systems and magically run multiple OSes on the machine at once

the actual gaming will be with a PS5 controller, so I can pass that through to the VM, not too worried about latency issues with mouse/keyboard if I go for synergy

what is synergy?

it's a neat little piece of software for sharing peripherals between multiple computers as if it's a multi-monitor system

oh nice

so like let's say you had your laptop on the side next to your desktop/workstation, you could set it up so you can just move the cursor over to the laptop

very good

it uses the network to do that, and it's pretty decent in terms of stability and latency

never tried to run it on freebsd though, so that might be interesting

i see

synergy?

that's interesting

is it a FOSS implementation?

scottpedia: yes and no. you can pay for it and get user friendly GUI setup etc

but the backend is open source and you can configure that with a simple enough config file

wdym yes and no?

right

so you only pay for GUI if you want it

yeah

I think they sell it to businesses or something, idk

I never used that part of it

looks like synergy is in ports, so it should just work in freebsd

mtll, good

i see alright

it'd be good to try.

I have a problem: why is my memory usage limits still unlimited, even though I have limited it via rctl?

user:r:memoryuse:deny=500M

85236

sorry

30523

np

hi surrounder , do you know my solution for my problem?

I have a problem: why is my memory usage limits still unlimited, even though I have limited it via rctl

radhitya: no

user:r:memoryuse:deny=500M

surrounder: ah, sad, okay

so sad /o\

Hello. Any European people who use FreeBSD at work and impacted by the NIS2 directive?

I was wondering if there are some kind of information regarding FreeBSD and NIS2 compliance?

rwp: Actually, I use ZFSBootMenu to boot a native-encrypted-zfs-dataset with console prompt and remote unlocking (and potentially supporting tailscale VPN) in Linux. I think it uses kexec to switch kernel. Unfortunately ZFSBootMenu currently doesn't support booting FreeBSD. Otherwise it would be a good solution.

I'm trying to set up opensmtpd on freebsd and am seeing the following error in the syslog: smtpd[92308]: dispatcher: tls_config_set_ca_file: failed to open CA file '/etc/ssl/cert.pem': No such file or directory

I see no reference to such a file in smtpd.conf so I don't know where this is coming from

Zerock: can you try and generate a cert manually? i assume it's expecting one for tls

maybe try ca_root_nss?

Yup. security/ca_root_nss likely needs to be installed/updated.

is there a way to atomically write a new file but fail if it already exists? making the write atomic is usually done by writing to a temporary file and renaming, but rename() doesn't fail if the target exists, and O_EXCL doesn't help because the temp file won't exist

Zerock: can you show your config?

so I did find an old bug report suggested workaround of just making it as an empty file which worked

I'm not actually using TLS in this setup so a valid CA cert isn't vital

Zerock, if so, i think that that program can be modified to look for /usr/local/etc instead

it seems actually to be a hard-coded path unless you set a flag at compile time

by default opensmtpd doesn't require a cert, only when you configure one

anyway seems to be all good

I'm receiving email now

good

can't be hard-coded paths be changed from code? does it actually have a flag that you can set for that ?

mage: I'm a european and use FreeBSD at work. what is NIS2?

yeah, you can define OPENSMTPD_CA_FILE at build time

Zerock, ok nice

Grabunhold: an european directive on cybersecurity

the problem is that, of course, FreeBSD is not listed in the "supported" OSes

and... we may have to ditch FreeBSD completely because of this "compliance" stuff. This is ridiculous but I'm pretty sure we are not alone in this ship

mage where can that list be found?

I don't know, I haven't read the whole stuff yet (and don't want..). All that I know is that I'll have to "install some frankenstein NIS software" on the servers

NIS2*

Terrifying

yes, and ridiculous. For example I have to "make a report" because some of their "super security scanner" detected a vulnerable SSH server on our infrastructure..

and their "super security scanner" only uses the version ID of the ssh to said it's vulnerable or not (...)

sounds like an average govt compliance thing. so mostly useless

yes

I have to deal with stuff like that at work. Thankfully it is our own corporate policy and not government mandate.

"your http server is vulnerable. source: self-reported version number"

solution: change config to hide version number

"chatgpt says your ssh version is vulnerable"

I have to explain them that yes the SSHD of 13.4 is still 9.7 _but_ is patched against all CVE and that just using the version string or the protocol is stupid

yep, same scenario with my httpd

dstolfa: upcoming reality

The problem with those types of "scanners" is, in my experience, that they don't include patch numbers in the version check. So, when derp-v13.2 is vulnerable but is patched to v13.2-1 and fixed, it's still reported as vulnerable.

oh yeah, icing on the cake... this particular one was supposed to be a real penetration test from a pen testing company, not just some scanning software

I'm getting more and more tired of IT

so their "penetration test" was checking the version number

my response: okay but did you actually get in?

mccd: not too far off: gov.uk/government/publications/foi2…copy-of-peter-kyles-chatgpt-history

asking chatgpt why small-to-medium businesses in the uk don't adopt chatgpt and then trying to shape government policy around that is certainly the level of competence i'd expect from an average politician

mage: I'm not the EU, but do work for a very large corp that mandated certain security software be installed on every server (very similar to what you're experiencing.) When it came time to verify our BSD systems, we just filed an exemption request since the software doesn't install on/support BSD.

And were then just limited to external weekly scans. Basically an nmap that checks those stupid version numbers.

ek: yes, unfortunately it's an hard request for all gvt stuff, I don't have choice

no exemption possible

I'll even have to modify stupid 20+years old website to include MFA (although the login is just to hide certain parts of the website)

mage: Well, then they should have chosen a better solution. They're going to serverely limit their reliability and safety over a piece of software that can't be designed for all OSes?

it's funny because they plan to use tons of new Microsoft tools / infrastructure .. and in the meantime you hear all the time that EU should be less dependant of US techologies

we had a fantastic self hosted postfix/dovecot/rspamd/webmail that works very well, with templates (Saltstack) to configure everything in jails etc -> everything has been migrated to O365

Oh, yuck.

anyway; I seriously plan to /quit IT because of all this shit

mage: already did

well, the sysadmin side

dstolfa: Yeah I have to keep doing double takes at work because of ai generated code from colleagues. It really tests your fundamentals

like the other day someone used `dd if=/dev/urandom...` to generate random numbers.

Is it that they used 'dd' that's the issue? X-D

along with piping it through three different steps

and they weren't writing to a file

so it worked but was far more complex than it needed to be

I have an NFSv4 share that is guaranteed to only have one client. Can I somehow tell that client to aggressively cache files for reading? For a second I was excited because I saw the cachefs manpage, but that one's not available on FreeBSD. NFS itself also does not seem to come with options.

mage: you have my sympathy. I sure hope we will stay small enough of a company not to anger the compliance gods too much so I can get away with my FreeBSD.

you can always get away with FereBSD if the question is compliance.

kevans, why?

zilti, effective read caching is hard.

Unless maybe you're reading from a tape drive.

CrtxReavr: Hmm, I guess so. But I'd have assumed that there's stuff like a file-based cache for NFS - I just switched over to self-hosted storage and NFS from an s3backer setup. The latter has the option for a file-based read cache, and I actually have slightly worse performance now even... But to be fair, I for now use NFS over a wireguard tunnel and the internet, instead of locally.

CrtxReavr: why not?

kevans, how about the bpaste I provided as evidence against?

5.513632 bits per byte

is pretty solid

And strong encryption would reflect about 5 bits/byte of entropy.

But. . . since the goal is entropy, why not a more random source?

rwp, NFS was also likely designed on ArcNet LANs.

I always associate NFS and Sun together but I worked for HP at the time and being a competitor I don't know the inner details of NFS development. But I didn't think Sun used ArcNet at that time.

NFS was all based upon UDP at the time. It's definitely design for low latency LANs. It definitely suffers serious performance degradation on high latency network such as the Internet WAN.

rwp: NFSv4 delegations significantly improve NFS latency issues. Rick made some improvements to this in -CURRENT recently

zilti: this is basically what you want ^

I still would not consider using NFS over an Internet connection.

"I'll take where tech companies go to die for $500, Alex."

i've also never heard of Sun using ArcNet... weren't they always Ethernet?

rwp: Yes, it is just a stop gap though. It soon will be on a very local LAN. Still, some client-side caching that takes load off the file server would be good.

Not actually sure. . . didn't touch a Sun box 'til '96.

AFAIK Sun was always ethernet based networking.

ivy: Oh, I'll check that out, thanks

And at that time it means coax cables and lots of T connectors.

zilti: NFS clients can already cache data, the problem is certain operations (mostly GETATTR) can't be cached very long. delegations are supposed to fix this by allowing a client to take a lease on a file and modify it locally, until another client wants to access it

By normal tuning it is a local 120 file attribute cache.

By normal tuning it is a local 120 second file attribute cache.

If you disable that cache then performance is really terrible even on a LAN. And with that cache in place cache coherency between is a problem. Let me just drop there here. "Stale NFS file handle."

rwp: this is what delegations fix

And therefore it requires careful design of inter-operating client systems in that environment to avoid the issue. But if you are heads-up about the client side file cache then you can make really good use of it.

delegations allow local caching without the historical issues this causes with concurrent modifications

Read caching for "random access" filesystems is just hard.

ie., it's hard to know what to cache.

Where do I find more about those delegations?

i don't know if it's documented anywhere, but if you mail fs@ rick might have more info

Hmm wait, according to the nfsv4 manpage I've already fully enabled them

even if you enable them, freebsd didn't have full support until very recently and then only in -CURRENT, and even then i'm not sure everything has been committed yet

Ah well. But good to know for the future. For the next weeks, the slightly worse performance will have to do.

zilti: Stupid question but, if s3backer was "suitable", why not drop minio on the remote end and use that until you can get local NFS?

wavefunction: Because the way it creates the file system is different. So I'd have to create a fresh ZFS again when switching.

This is a new one: GEOM_ELI: Crypto request failed (ENOMEM). gpt/s10-10t-backup.eli[WRITE(offset=2534816686080, length=614400)]

This is with 14.3. That seems like fairly unfortunate memory handling.

i thought minio did some license change recently.. maybe it was removing the GUI from the community edition..

there are other s3 compatible backends than minio

rclone can be an s3 backend in a pinch

question.. when i use startx i have exec sxhkd & and exec dwm of course not on the same line.. when i use this sometimes my x freezes and i can't do anything.. ctrl alt delete dosen't work.. switching to a tty dosen't work.. i have to ssh in then reboot it.. any ideas why ? when i don't have sxhkd in .xinitrc everything works fine

i was opened a thread about this

no one replied

wait a sec

nxjoseph: i see you on the forums a lot

oxbar, haha nice

i guess it happens when you reload sxhkd config?

i should have googled or looked first.. watch it be something silly

nxjoseph: probably

i use dwm too, back then i was using bspwm

i just set keybindings in dwm config

does your window manager not have it's own key handling?

rtprio, it does have but in a .c file

not everyone prefer it

no shit

rtprio: yes but i don't like using it.. i just like a straight forward keybinding.. well i could do it but i like sxhkd

yes, i like sxhkd too, it's too easy to set shortcuts

oxbar, what's your name on forums or don't you have an account

maybe i see you too

rtprio, not a .c file but config.def.h

header file i guess

AFAIK there is no solution to that sxhkd problem

i will just use the deraults

Thanks though :D

defaults*

you're welcome. what were the defaults? i don't remember them

maybe dmenu and suckless st

super+shift and enter i think

yes, right

or mod

i use alt key

dunno what's the default

ok late

it seems there are no PRs filed on bugzilla about this problem

maybe sxhkd is just not working on freebsd

IIRC, it was happening to me right after reloading the sxhkd config

For those with ryzen platforms, how does the latest release do? I'm running an older dual-xeon E5-2680v3 box and looking to build a new large-storage box.

im on 14.3 with ryzen 3 4300ge

nxjoseph: Is it "grunty" enough

grunty? idk it

Looking at a ryzen9 9950x just to get the strongest "throughput" for my machine.

iirc, there were someone who use r9 99xx on forums

Thank you! I'll search there.

you are welcome, i might give it a try too after my work ends

geez 14.3-RELEASE is a big one

been too busy to update, taking agesss

has anyone played with the iwlwifi stuff?

polarian: haven't played with wifi -- full release was tough on my machine though. I made several errors during the pkg upgrade and "lost" a couple dozen packages.

Good news is, nothing is Actually broken.

ugh it seems 14.3 has broken iwn for me

wifi borked now

so we get fancy new 802.11ac andddd... 802.11n is now broken?

and I discovered a bug where I wasn't archiving a copy of my pkg-export like I thought, so, win-win

maybe for you I have no wifi

wifi connects to ssid then I get a wpa supplicant error

*sigh*

no dmesg errors tho... good sign I hope!

also I will need to recompile drm-kmod

polarian: You can get a binary from pkg now.

mason: it works now?

so if I pull in pkg updates the drm-kmod pkg will be compiled against 14.3-RELEASE?

polarian: pkg upgrade -r FreeBSD-kmods (per mzar) worked for me

polarian: See /etc/pkg/FreeBSD.conf

hmmm

will investigate...

right now its bedtime though :)

polarian: sleep well

how come every freebsd update goes terribly wrong for me ugh

polarian: Not just you. I've had tons of things explode over the years.

Crazy things.

im kinda pissed at freebsd right now.. nothing the company did but i probably did something wrong.. im on a laptop everything works sound everything.. today i turned it on went to a meeting and my video and audio weren't working.. had to talk on the phone.. i don't know what to say

The "company" ?

nothing personal against freebsd

im just pissed lol

Sure. It's just... managed by a foundation rather than a Corporate structure, IIRC.

:shrug:

polarian: Here's salt in the wound :( freebsdfoundation.org/blog/the-road-to-better-wi-fi-on-freebsd

Oh, this might actually help. freebsdfoundation.org/blog/how-to-u…lock-high-speed-wi-fi-on-freebsd-14