01:54:54 is ccache still recommended for port building?
02:08:18 Doesn't hurt (I think).
04:39:04 It can slow them down but if you're rebuilding the same thing or close to it it helps.
12:59:13 gai.conf is supposed to work on both FreeBSD and Linux, or just on Linux?
13:07:42 i'm trying to learn about how freebsd works vs linux. i made a bin that starts and allocates mem while monitoring reported usage. then when mem and swap is fully used, it starts freeing mem. i notice that freebsd never frees swap. why not?
13:08:09 but linux does start reporting swap being freed up right away
13:30:43 Oleg, Unfortunately FreeBSD does not have an equivalent to the GNU glibc /etc/gai.conf file. That's a point where GNU's glibc is definitely better featured than FreeBSD. And as far as I know there is no real workaround to configure address preferences and such. Other than to avoid needing such configuration.
13:35:27 kerneldove, I don't understand what you mean when you say freeing swap. Normally a C process allocates memory using malloc() which requests the system to map more memory into the process (sbrk() is no longer used) but free() does not normally tell the system to return memory from the process. Therefore once allocated the memory is never given back to the system until the process exits.
13:36:20 That's true on both Linux and FreeBSD. And both systems have dynamic buffer cache which expands and contracts as needed.
13:37:47 Also by default both do memory overcommit. Which removes a direct relationship between virtual memory and process memory. It's all actually allocated only when used now. It's a copy-on-write type of situation for both now. On Linux this can be disabled but it is not possible to disable this on FreeBSD.
13:39:10 kerneldove does your program modify every page of memory as it is being allocated? It would need to do that in order to simulate actual memory use behavior. Otherwise if the pages are not modified they won't actually get allocated to the program.
13:42:20 my bin just uses more and more mem until swap is 100% then reverses the 'process' (no pun intended) and swap stays 100% used. when i do the same thing on linux i see mem fill up, then swap fill up, then as it reverses i see mem and swap free up
13:42:26 watching using sudo top on both
13:42:44 linux definitely frees whereas freebsd stays 100% reported usage
13:42:57 it's a rust bin fwiw
13:43:04 (well, a malloc implementation can give the memory back to the system, but that would only make sense if the ratio between requested memory and memory in use is big, as malloc has no idea how the program will allocate memory in the future, just giving back the memory to the system to request it again shortly after would be pretty inefficient)
13:43:38 I assume you request the memory via malloc and not directly via mmap?
13:43:43 i'm testing on 2 identical side by side systems, 32GB ram 1G swap
13:44:03 no even higher level, creating normal rust data structures
13:45:16 I have no idea how rust allocates memory from the system. For all I know rust releases program memory back to the system when it is freed there.
13:46:27 i would guess that, since linux /does/ show memory (and swap) freeing up
13:47:02 afaik rust uses jemalloc, but no idea if it is some external jemalloc even when the system malloc is jemalloc
13:47:29 i saw freebsd more memory efficient (less mem in use for same # of objects created) but sadly it isn't responsive like linux is and i really want that
13:47:36 It might be useful to use strace and truss to see if the linux rust is actually releasing memory back but the freebsd port is not? I would guess that is what is happening. A rust person might know how that side of things works.
13:47:58 i mean i'm just watching sudo top on both boxes
13:48:41 It might also be useful to write a C version using malloc() and free() and compare the results between the systems there too.
13:50:10 meh
13:56:50 and are you sure it is pages from your program that are mapped out, instead of other unused pages?
13:57:23 what do you mean? both boxes are started and only run my bin, nothing else
13:58:36 right now my bin is sitting in top on the freebsd box at 39G size and 29G res, which is the peak it hit, and it's been shedding objects for 8 hours. hasn't gone down at all. swap still reporting 100% in use
14:06:45 Hi. Ipfw question. I'm trying to do some basic automation, with a simple sh script that (1) connects to the target remote machine and (2) runs: sysrc firewall_enable=yes firewall_type=open; service ipfw start
14:07:13 rwp: I've been struggling with the gemini chat bot who can't explain to me why the machine running the openvpn client can't access the internet after connecting to the openvpn server. it claims there is a bug in pf that prevents me from accessing the internet on the client machine.
14:07:54 It looks like the second command (`service ipfw start`) fails because the well-known 65535 rule (deny ip from any to any) is enabled before anything else
14:08:18 by the way, which utility is better, pf or ipfw?
14:08:40 I see why this is like it is, and it makes a lot of sense. But this is also what kills my ssh call in flight...
14:08:45 any recommendation?
14:08:56 Oleg, You will get an unbiased answer to that question! Because people like and prefer what they do.
14:09:08 Oleg, You will never get an unbiased answer to that question! Because people like and prefer what they do.
14:09:30 Oleg: asked same question a few days ago, and I rwp is very correct :D
14:10:56 I will start the fight by saying that the OpenBSD version of pf is the better of them. But that doesn't matter because the FreeBSD version is an old fork which is what we have and it continues. The FreeBSD version has been okay for the things I have needed it to do. But I am still learning it as I go along.
14:11:27 Oleg: if one of them was truly better, then the other would be deprecated and removed at some point, it mostly is preference (and we have a third firewall in base: ipf)
14:12:18 Oleg, I really have a hard time believing that FreeBSD pf has a bug in it that is preventing your network connectivity after starting up a vpn. It's probably incorrect configuration. Which can be tricky to get correct sometimes. Often even.
14:12:31 I will contribute to the fight by saying that ipfw must obviously be the better choice, because it is the native solution, but I will not be able to provide any proof of my claim, and start hijacking the discussion, and mentioning people's glasses.
14:13:03 pf is also in base.
14:13:15 :D (just kidding, I'm learning ipfw right now, and I don't know pf at all :D
14:13:35 rwp: yeah, I know it is
14:13:51 I like pf because I also use OpenBSD. As a user I never noticed much difference between the two.
14:14:40 There has been effort put in to keep FreeBSD and OpenBSD pf configurations compatible syntax. So that's not an accident.
14:14:54 :)
14:15:41 For myself having heard about pf for years when I picked one to learn I started learning pf. I find pf to be upside-down in syntax to what I expect after having used other configurations. Which is why there is the "quick" flag. The entire thing feels topside down but it does work with careful thought about it. And there are some featureful things in there that other firewalls don't have too.
14:16:14 the chat bot wrote this pf.conf for me: https://pastebin.com/zhUw6Uzj . My problem is that after starting an openvpn server on one machine and starting an openvpn client on another machine, the client machine can't access the internet. the chat bot told me pf is required if I want the problem to be resolved. It gave me that pf.conf, but after starting pf on the server machine, the client machine
14:16:16 still can't access the internet and the chat bot insists this pf.conf is perfect and some type of bug in pf prevents the client machine from accessing internet websites.
14:17:17 On the problem I raised above, I think this might be related with the `-q` flag discussion in the manpage, and I'll try to understand if that's it. :)
14:17:26 At the present time the "AI" LLM machine learning systems are truly amazing! But they are very often wrong too. I see that all of the time. But often they get me the right things to search for to complete the task and that's valuable.
14:18:48 can you please tell me what changes I need to make to pf.conf if I want the client machine to access the internet while openvpn is running on the client and the server?
14:18:51 dacav, Apparently no ipfw person is here to know about it but if you are patient and wait likely someone knowledgeable about it will appear and maybe be able to help you. Meanwhile... I am staring at Oleg's machine generated pf.conf file.
14:19:19 Yeah, no worries, rwp
14:21:55 Oleg, I have not set up an exact match for what you are trying to do so I haven't tinkered through a full configuration of it yet. And I do not know pf well enough to do it off the top of my head.
14:22:28 But I think that pf.conf file is too small. It is missing "set skip on lo0" to allow the loopback device for example.
14:23:36 And the "scrub on $ext_if all max-mss 1400" seems wrong to me, or at least not good, because 1280 is the size (that is required for IPv6) and therefore most often used as the lowest common denominator size. I think it should be 1280 not 1400.
14:24:26 Also I expect your VPN to use an additional network device such as /dev/tun0 or some such and that does not show up in the file either.
14:25:02 Note however that I am far from knowledgeable about this and I jump back and defer to anyone who has more information about it. It just seems that those things are missing.
14:26:00 (anyway, I solved the problem, and my intuition was correct, in case anyone is curious about it.)
14:27:32 What was your solution?
14:28:49 rwp: yes, after I changed it to 1280, the client machine can access the internet, even though I access the internet through ipv4, not ipv6. So, I don't know why it worked.
14:30:08 That probably means the problem was in Path MTU Discovery being unable to automatically determine the Path MTU and setting it to 1280 the minimum size avoided it ever needed to do Path MTU Discovery.
14:31:20 The problem that blocks Path MTU discovery is blockage of ICMP packets since ICMP is used to make that determination. That is different ICMP on both IPv4 and IPv6. They each use different ICMP strategies and do it differently.
14:32:00 It's most often a problem on IPv6 when ICMP6 is blocked. It's really very often a problem there. Whereas on IPv4 things mostly just work.
14:33:25 the chat bot didn't even realize the number had to be changed to 1280. it kept insisting a bug in pf prevented me from accessing the internet
14:34:29 And now you know how far you can trust those machine generated answers. They are getting better all of the time. They are pretty amazing now. In a year they will make fewer mistakes. In two years we will not see so many mistakes from them.
14:34:32 rwp: the solution was to redirect the output of `service firewall start` to a file and cat it to stderr afterwards. By doing so no traffic is done on ssh, so no packet is denied, and the tcp connection remains up.
14:35:09 dacav, Ah! That makes sense.
14:36:03 rwp: thanks for the suggestion that resolved the issue
14:37:01 Not to blame anyone, but the issue with machine generated answers is that they don't give experience points. My problem for example would have been hard to guess, and I figured out quickly because of the manpage mentioning it!
14:37:44 Reading manual => insightful. Generated code => not insightful.
14:38:04 which is OT, but I'm a bit frustrated by the trend
14:39:21 I am not sure AI help can be off topic these days because it's becoming the new normal. The cat is out of the bag now and there is no putting it back in now.
14:42:50 I think everyone should be helpful regardless of where people take their information from. But also that we shouldn't stop promoting knowledge
14:43:06 My two cents
14:45:30 the chat bot also kept stubbornly insisting that gai.conf is something that can be utilized on both FreeBSD and Linux
14:46:22 Yeah, the other thing with those bots is that when they don't know they just invent
14:46:30 which is sort of similar to how humans do, btw :D
14:46:41 except they have no critical thinking filter
14:48:47 Yeah, and it's critical thinking that's going to be especially important in the upcoming years and decades, with young people disincentivized from practicing. "Why think and look for primary reference sources, when you can just ask a statistical model?"
14:50:11 * dacav nods
14:50:37 It's basically the difference between academic "book" knowledge and practical experience knowledge. In theory there is no difference between theory and practice but in practice there is.
14:51:12 generative AI doesn't have either though, it just has statistics
14:54:23 And that's why it hallucinates. It's by design. But in a year it will be different and then it will make fewer mistakes.
15:00:59 rwp: the chat bot can't explain to me why I can't ssh into the server machine using the LAN IP of the server machine now that openvpn is running on both the server and the client
15:02:00 rwp: the client machine is outside the LAN on which the server machine is situated, but LAN IPs should still be accessible if openvpn server/client connection is established, right?
15:03:15 Not necessarily. And I would think probably not. If all packets are routed out through the tunnel then the LAN addresses might no longer be accessible.
15:04:25 Also the path packets take out and the path packets take back might be asymmetrical. Asymmetrical routes work if it is outside of NAT. But not if it crosses a NAT layer.
15:04:52 That's going to be confusing. I don't know how to word it more clearly. Sorry.
15:05:20 well, the chat bot kept insisting that the LAN IP of the server machine would be accessible from the client machine that is not part of that LAN if openvpn connection is established between the client and server machines
15:05:23 I only see NATing in that pf config you gave, no idea if you set up routing so they share that subnet you want them to share
15:06:05 My best advice is to draw out a big block diagram of how everything is routing and where NAT is involved and trace packets both outbound and inbound and make sure they make sense. They can't go out through one interface for example and return through a different interface.
15:15:33 rwp: okay, you are saying that the LAN IP of a server machine can only be accessed by the client machines located on the same LAN? if client machines are outside of that LAN, then it doesn't matter if openvpn is utilized? in this case, the LAN IP of the server machine will still be inaccessible from client machines?
15:22:59 you have to set up routing correctly and your current description of your set up isn't good enough for us to verify that you have done that (we only see the NAT in your pf.conf)
15:25:03 nimaje +1 to what you said. Oleg, It all depends and we need to know more to know.
15:26:32 I just found out that on my client machine, I can ping the LAN IP of the server machine, even though the client machine is not on the LAN where the server machine is. On the client machine, using the LAN IP of the router connected to the server machine, I can access the web interface of the router. But, as I said, ssh'ing into the server machine using the server's LAN IP still doesn't work
15:27:25 of course, as you know, the openvpn connection has been established between the client and the server machine
15:28:41 probably on the "server" the routing isn't set up correctly for it to reach the "client" via the source ip of the connection
15:28:43 I'll just say that packet routing is where details matter and the smallest of details can cause large breakage. It's confusing to me and I have been doing this for years. I suggest drawing it out. For me that helps me understand it the best. But different people are different.
16:14:13 according to ssh -vvv, the ssh connection to the LAN IP hangs after debug1: expecting SSH2_MSG_KEX_ECDH_REPLY. but if I use the public IP, the connection won't hang: debug3: receive packet: type 31
16:14:15 debug1: SSH2_MSG_KEX_ECDH_REPLY received
16:17:09 Oleg: can you ping the "client" from the "server" via that LAN IP? I expect you missed to set up that part of the routing
16:20:43 nimaje: I don't understand what you mean. The LAN IP belongs to the server machine. How can I ping the client using that IP if the IP belongs to the server, not the client?
16:35:57 this actually worked for me: https://unix.stackexchange.com/questions/722954/ssh-stuck-at-expecting-ssh2-msg-kex-ecdh-reply
16:37:04 after passing -o KexAlgorithms=ecdh-sha2-nistp521 to ssh, I could connect to the server using the LAN IP
16:37:38 I don't know why this option doesn't have to be passed to ssh when I am connecting to the server using the public IP
17:22:49 Oleg: That's interesting. And makes absolutely zero sense (to me). How could the server side accept unsupported algorithms from the same client using different incoming IP's?
17:23:08 Or, are you using different clients to connect/test with?
17:31:04 ek: I've been using the same client.
17:34:53 Oleg: Is there maybe something in the client-side ~/.ssh/config specifying what to use for a certain IP and not the other? Like an "Host *" line for defaults and a more host-specific config for the IP/hostname somewhere else in there, maybe?
17:42:04 On the client, I did "rm -r .ssh". The same problem kept occurring: without using the -o KexAlgorithms=ecdh-sha2-nistp521 option, I could only ssh into the server using the public IP. I couldn't do it by using the LAN IP. But after adding the -o KexAlgorithms=ecdh-sha2-nistp521 option, I could ssh into the server by using the LAN IP as well.
17:43:34 Very odd. Is there anything in the client-side /etc/ssh/ssh_config that might cause that?
17:44:08 The server accepting and not accepting key algs from the same client just makes no sense.
17:46:36 ek: on the client, /etc/ssh/ssh_config was never edited by me. it's the same file that comes with vanilla FreeBSD.
17:48:48 Check the server-side configs as well.
18:07:23 ek: they are vanilla as well... but maybe this issue has something to do with openvpn. If I don't use openvpn, and both the client and server machines are part of the same LAN, then I can establish a ssh connection by using the LAN IP and without using the -o KexAlgorithms=ecdh-sha2-nistp521 option. However, if the client machine is not on the same LAN as the server machine and I use openvpn, then
18:07:25 -o KexAlgorithms=ecdh-sha2-nistp521 option has to be passed for the LAN IP case. Without openvpn, LAN IPs of the server side would be useless to me, of course, when clients are not on the same LAN as servers.
18:48:41 mysterious problems just keep occurring when you are using a computer
19:02:02 [<65;97;33M
19:02:10 ups sorry
19:15:14 Oleg: How are you routing this VPN subnets? Is the "server" connecting to a VPN server and the client connecting to the VPN server as well or is the "server" the VPN server itself and the client is connecting to it?
19:16:25 Or, is the VPN server a separate system on the same LAN as the server, maybe? Sorry if this was already gone over. I tried scrolling through stuff above but didn't catch the topology in there.
19:17:01 ek: I start the openvpn server on one machine and the openvpn client on another machine.
19:19:45 Oleg: Right, but are they all on the same LAN or something? Is the "server" you're referring to the OVPN server or is it another server you're trying to reach through the OVPN server?
19:20:50 it's the OVPN server. there is no other server
19:21:06 Okay.
19:30:53 Oleg: So, SSHing to the VPN server's public IP is fine and the LAN IP is fine. But, SSHing to the VPN's VPN subnet IP isn't right? Or, are you SSHing to the server's LAN IP from the VPN subnet IP assigned to the client?
20:02:32 ek: the vpn subnet IP assigned to the client... the LAN IP of the server is just a regular IP that stays the same in vpn-related and non-vpn-related cases.
21:36:22 what is the difference between git-lite and git-tiny? If all I need is to clone repositories, is the tiny version enough?
21:37:23 tuaris: Yes.
21:38:34 they both pull in the expat dep, so I guess the difference is more in the installation size.
21:40:28 And/Or build options for little extras.
21:45:24 Yep. Build options and size.
21:46:05 tuaris: Take a look at pkg search -f git-{tiny,lite}
21:48:03 speaking of git/git-lite/git-tiny, why aren't they part of the base system?
21:53:51 Likely because they aren't the only option as repository tools. FBSD likes to keep BASE nice and tidy (for good reason.)
21:55:03 Although, once pkgbase becomes the norm, this might not be such a big deal and perhaps more will be included in the future.
22:04:47 those are all the reference git implementation, which is GPLv2
22:05:31 so then you get to debate between alternatives that will interoperate with git, and then that's not fun
22:08:47 I found out about svnup recently.
22:30:29 Nerds!
22:57:22 with zfs now being mature, does anyone know if there's any scenario where ufs is more efficient? i have some resource constrained workloads i need to get the most out of. i like zfs so i'd like to stick with it as long as it's as efficient (cpu, mem) as ufs. i did some side by side testing and it *seems* so, just wanted 2nd opinions pls
23:01:13 I'm mind of a ufs luddite.
23:01:17 kind of
23:01:46 I think your / volume should always be on UFS. . . but then, I still like hardware RAID, so. . .
23:02:29 these are boxes with only 1 disk fwiw
23:03:57 kerneldove: you can zfs fine with one disk
23:04:29 but i would probably skip it if the machine was low memory, a vm, or could fit in a ufs layout
23:04:30 ya i know, i am. i only mentioned because he said raid which to me implies multiple disks. just wanted to specify i'm only using 1 disk to see if that changed his opinion
23:04:40 mind if i ask why?
23:05:03 32gb ram, but i guess you could call it 'low mem' because i want to squeeze all i can out of it
23:05:19 no, if it had 1 or 2 gb, is low
23:06:31 what i have plenty of is disk, so i was gonna make the swap 32gb to match the ram. no prob with that right?
23:07:17 no problem, but i guess it depends on what the box is doing
23:07:28 i have 32 and don't think i've ever swapped
23:07:57 what i'm gonna do is pack workload on it until i see 5% swap to make sure all mem is filled and being used
23:08:26 why
23:08:34 to make sure all mem is filled and being used
23:08:43 but why
23:08:54 the more workload i can put on the box the more cost efficient it is
23:09:07 but workload isn't ram, it's cpu
23:09:09 workload uses ram. it's light on cpu and disk
23:09:18 depends on the workload no?
23:09:36 ok. but i will tell you now that 32gb of swap is probably a waste of 28gb of disk
23:09:54 that's fine i have plenty of disk (and cpu)
23:11:33 cool
23:12:13 any problem running zfs without compression? i see it's on by default but i wanted to run it with that off so i can see how it works
23:12:25 no problems
23:12:32 just use more disk? or more ram too
23:12:47 More disk, less CPU.
23:12:54 Won't be a problem.
23:12:56 ok ty
23:12:59 Might wanna check atime as well.
23:13:06 ?
23:13:07 ... if you don't need it.
23:13:18 that'll cut down cpu use?
23:13:29 or disk io or?
23:13:33 And speed up I/O a hair.
23:13:45 oh nice
23:13:58 Could make a difference if you're doing lots of I/O (doesn't sound like you are, though.)
23:14:01 ya i think i recall seeing that on by default too right? in the zfs installer
23:14:08 ya a good amount of io
23:14:22 file server workload mainly
23:14:39 would free up io for swap since i plan to 105% fill ram
23:15:04 Sure. Give it a shot and see what happens.
23:15:23 ok ty guys
23:17:15 Of course, you can adjust compression and atime on the fly. So, maybe check and see how they perform together, separately, etc... while the system is under the desired load.
23:17:51 oh ya? happen to know off hand the cmd to turn compression off? would like to throw it at a test box
23:18:16 zfs set compression=off zpool/dataset
23:19:29 kerneldove: Check the man pages for "zfs-set" and "zfsprops". Might find other things you'd like to enable/disable/change while you tweak with it.
23:20:50 ok will do ty. btw is it just zfs set compression=off zroot to disable it for all datasets off of zroot pool?
23:22:19 kerneldove: Depends on how the child datasets were set up, you may not need that.
23:22:37 But, I would assume the "-r" arg (recursive) would be needed for that.
23:22:40 just used the auto zfs installer
23:23:03 Generally children inherit the parent attributes.
23:23:56 zfs get -r compression zroot should tell you.
23:24:34 ok ya it's saying all datasets have it off, and all inherit from zroot
23:24:41 ty
23:24:57 still seeing in sudo top it having some compressed some not under ARC section
23:25:48 It will only disable for future I/O after enabled/disabled. So, there may be some I/O that hasn't finished yet.
23:25:58 ahh
23:28:43 Alrighty. Off to a cookout I go! Good luck and have fun, kerneldove. :)
23:38:08 6:38PM up 6:31, 2 users, load averages: 12.17, 11.15, 10.84
23:38:25 FreeBSD bareMetalFreeBSD 15.0-CURRENT FreeBSD 15.0-CURRENT #0 main-n279073-763d1bc05a71: Fri Jul 25 19:55:24 CDT 2025 root@bareMetalFreeBSD:/usr/obj/usr/src/amd64.amd64/sys/GENERIC-NODEBUG amd64 1500054 1500054
23:38:26 How can I determine what version of (for example) PostgreSQL Client a package will install when it's a dependency? Let's say I do pkg install php83-pgsql. How would I know before the action what client version of PostgreSQL will be installed. And is there any way to override that?
23:39:05 For added context, this would need to be determined in a shell script
23:46:22 "pkg query %dn " returns nothing if the package is not installed