-
vexeduxr
Having it in the kernel config means that it's built-in to the kernel itself, so you shouldn't need a module.
-
vexeduxr
But it looks like it's usually in cam.ko
-
supaplex
I renamed kernel.old to kernel.ORIG which still boots, but none of the kernels I built load zfs root.
-
supaplex
Mounting from zfs:zroot/ROOT/default fails with error 45
-
kerneldove
any way to get pf to include /path/to/rules/*.conf?
-
robert12
yes, there's an rc.conf var for the file
-
kerneldove
huh?
-
robert12
do you want to change the default location of pf.conf, or include additional rules from inside pf.conf?
-
kerneldove
from the standard /etc/pf.conf, i want to include /path/to/rules/*.conf
-
kerneldove
and have it include all .conf files in that dir
-
robert12
Ah i see. Not sure pf has support for that. rc.conf has pf_rules.
-
robert12
oh it does
-
robert12
try include "/path/to/conf"
-
kerneldove
oh weird, that seemed to work. i'll put a rule file in there and see if it works
-
robert12
yes, it's documented in pf.conf(5)
-
kerneldove
which line? i read it
-
kerneldove
nope, doesn't work
-
nesta
lol
-
kerneldove
seems pf has no way to wildcard include files, fuck
-
kerneldove
total security theater. if someone can inject files into dirs without privs you're fucked already
-
robert12
kerneldove: grep for 'include', or use apropos.
-
kerneldove
robert12 ya it doesn't say what you think it says
-
kerneldove
include only works for 1 specific literal file, not a dir with wildcard pattern
-
robert12
i never claimed that, the reality is, it doesn't do what you expect it to do, but it does everything i have claimed.
-
kerneldove
./ignore
-
robert12
good luck in life
-
robert12
and learn how to use the docs, good start
-
nimaje
robert12: maybe you should start reading what other people are asking for, kerneldove never asked if it is possible to include one specific file, it was always all files from a specific directory, so without knowing what files there would be beforehand
-
kerneldove
yep
-
kerneldove
i had to resort to tee -a to push include lines into a .conf, so dirty. i don't suppose there's a way to make tee only append the line if the line isn't already in the file?
-
kerneldove
i feel icky like i'm doing ansible lineinfile crap
-
nimaje
how about adding an indirection and regenerating all the includes?
-
kerneldove
meh
-
nimaje
printf 'include %s\n' /path/to/rules/*.conf > /path/to/rules.conf seems easier than building something with tee to me
-
kerneldove
if i got vtnet and a bridge, then the ip is assigned to the bridge, in pf i skip bridge and only put rules on vtnet right?
-
Hund
How can I use fusefs as a regular user? I'm trying to mount a backup via borgmatic.
-
Hund
I can't find any documentation for this.
-
kerneldove
i got vtnet and a bridge, then the ip is assigned to the bridge, in pf i got block all, and no traffic gets to the machine which is expected, but then when i add set skip on bridge, traffic gets to the machine? i thought that would allow traffic through bridge, but the block all would still be blocking all traffic to the machine?
-
nimaje
Hund: did you sysctl vfs.usermount=1 (or set it in /etc/sysctl.conf)?
-
Hund
nimaje: I did not! Thank you!
-
kerneldove
seeing that pf filters on the bridge, what confuses me is, i thought bridge was like a switch. plug a bunch of machines into a switch and the firewalling is done on the machines plugging into it, not on the switch itself. so why is filtering done on the bridge?
-
kerneldove
i want to leave the bridge unfiltered so vms and jails running on the computer, also connected to the bridge just like the host machine is, can make up their own firewall rules
-
Ltning
I know I should not upgrade before the announcement, but going from 15.1-rc2 to 15.1-release on my rPI400 broke the USB mouse :(
-
Ltning
(Ugh, the cable for my raspberry mouse was ... sat on by someone, so it's dead)
-
Ltning
But .. packages seem to be built for newer arm CPUs than this one, so stuff like firefox gives illegal instruction :( :(
-
kerneldove
am i insane? wouldn't we want bridge to be unfiltered and keep filtering on each machine, so each machine can have its own firewall rules?
-
oxyhyxo
depends
-
oxyhyxo
do you trust the machine and its firewall
-
kerneldove
dunno why?
-
oxyhyxo
if you dont trust whats attached to the bridge you might want to filter in front of it
-
rwp
kerneldove, It's your system. You can do what you want. So basically when I read what you just said it read to me that you are asking, Why am I doing something I don't want to do? If you don't want to do it then don't do it. If you do want to do it then do it.
-
rwp
I am sure if I read far enough back in the scrollback I would find someone advising you. It's probably generally usable and generally acceptable advice that would be good for most people. But if you want to do something different then no one is going to stop you. Do what you want!
-
kerneldove
totally useless waste of your time to type all that out
-
kerneldove
didn't read what i've been writing but bro chose to write 2 paragraphs
-
kerneldove
big weird
-
rwp
If you do something completely in opposition to what everyone else is doing there is probably a reason other people are doing things differently. And then you may be the only one doing things your way. And then you have to debug problems you are having yourself. Because no one else has the same configuration.
-
rwp
Well... I read the "am i insane" part. That's what I was responding to.
-
rwp
I was just giving advice. You have things in control so I will go back to working on other things now. Enjoy!
-
kerneldove
when i set up a vm host, i use bridge. i want the vm host machine, and each vm, to have their own sets of firewall rules, because they do different things. they also get their own ips. but that doesn't really seem possible because with bridge networking, the pf filter rules happen on the bridge and not the member interfaces
-
kerneldove
i must be missing something
-
kerneldove
cool cya
-
kerneldove
i'll wait for someone who's into reading what ppl say and engaging with that vs whatever comes to their imagination
-
kerneldove
ok so weird thing, i have all traffic on machine blocked with pf, seeing pflog show that, then i ssh into a jail running on machine and ping out, works fine, don't see any blocks in host machine's pflog
-
kerneldove
so seems like they're separated like i want even if i don't fully understand it
-
kerneldove
cool, nice to see it working
-
satanist
I don't quite get what your question is. is it "why does this feature exist at all?", "why do people use this feature?", or "you sould I use this feature?"
-
kerneldove
'you should i'.. nice
-
satanist
*why should I (sorry missed at rewriting it)
-
kerneldove
eh it was more 'how can i do what i want to do?'
-
kerneldove
because it's not very intuitive to me how it works the conventional way
-
kerneldove
but whatever i tested it and it works so *shrug*
-
kerneldove
i already explained above how it's confusing to me to filter on the bridge, when afaik bridge is like switch, and we don't firewall on switches, we firewall on machines themselves, and ofc on dedicated firewalls
-
satanist
you can just add an epair for the host and tap devices for the vms (or epairs for jails) and only filter on the host epair, the ip address then needs to move from the bridge to the epair not in the bridge and you might need a pass for the bridge interface in pf
-
satanist
a bridge is more like a hybrid between a virtual interface and an emulated switch, but depending on how you set it up you can totally ignore the virtual-interface part
-
kerneldove
well i already use host bridge + tap for vm and epair for jails. i'll just keep putting pf filtering on the bridge because that seems to be the norm, and it doesn't cause a problem for the vms and jails. somehow they aren't affected at all by the host's filters on the bridge
-
kerneldove
ty
-
kerneldove
i keep hearing this faint crunchy sound like when disks are being written to. it's almost nonstop. i ran iostat 2 and there's barely any activity. anyone know what else it could be?
-
kerneldove
tailed var/log/messages, nothing. zpool status all clean
-
nesta
mine used to go whirrr
-
jgh_
thermal re-calibrate?
-
nimaje
kerneldove: well, your pf on the host can only firewall on the host and not inside your vms, so if you don't want to firewall your vms on the host you shouldn't add rules for that. No idea if you can filter on the member interfaces of a bridge, but my guess would be yes
-
ketas
hmm
-
ketas
my vnet jails are host firewalled
-
rtprio
some disks are noisy when the heads move
-
ketas
maybe it does internal tasks
-
ketas
but it would be lower
-
ketas
it could also be about to go bust soon
-
rtprio
smart would tell you, but i would find that highly unlikely
-
ketas
smart can also be dumb
-
ketas
i mean it can measure things
-
tangentnet
hi, ketas! Did Boru feed you cat nuggets?
-
voy4g3r2
I am going to throw out a "wide net" question, a very helpful individual was assisting me with checksum fail errors and python 3.11 packages a few days ago. If you are seeing this, could you say hello? I have some questions on potential follow-up. It is in reference to this bug report:
bugs.freebsd.org/bugzilla/show_bug.cgi?id=295726 i think i may be "missing" something in my bug report and would
-
voy4g3r2
appreciate any assistance. Thank you
-
nimaje
voy4g3r2: I think I just commented the missing bit, some don't seem to see that as a bug, I think it is a big design flaw in the ports framework
-
vkarlsen
voy4g3r2: I don't think you missed anything. This bug isn't a simple thing to fix, it uncovers a problem in how the whole handling of unversioned distfiles
-
vkarlsen
Yeah, what nimaje said
-
voy4g3r2
ah okay, thank you both
-
voy4g3r2
let the experts hash it out.. it was just a very "odd" hiccup
-
voy4g3r2
your summary makes sense to me, as i said in the comment, and i leave it to smarter minds than me.. i just know checksum failed.. and my "work-around" worked.. but probably not the best way.. it unblocked me :)
-
voy4g3r2
i have heard, quite a few times, that python is not the easiest thing to compile.. i am just glad it worked and i can go back to my LLM research
-
maerwald
hmm... StardewValley (the linux binary) seems to try to execute /bin/bash hardcoded
-
vkarlsen
Color me unsurprised. This is why we see that being symlinked on many systems.
-
maerwald
I'd rather binary patch it out, but I'm not too familiar with that
-
rwp
I always add a /bin/bash symlink. I am pragmatic.
-
kerneldove
ketas what do you do to make your vnet jails host firewalled? do they use same ip as host bridge has?
-
ketas
kerneldove: no, they have their own ips
-
ketas
run own dhclient and so on
-
ketas
with dhcpd on host
-
ketas
so as if separate machines
-
ketas
there's epair into jail
-
ketas
on host it goes either into bridge or it's p2p
-
ketas
hmm
-
ketas
virtual networks are cool
-
ketas
and since they run full networking, i can just pf it
-
ketas
pf the pfing pfers
-
tm512
is there a way to lock a package without also locking the packages it depends upon? I had to compile gammastep from ports in order to set a non-default option, but pkg upgrade is insisting on overwriting my custom build with the one from the repo, reinstalling because "options changed"
-
tm512
it seems like locking gammastep will also prevent other packages like libdrm, libxcb, and glib from upgrading, which is not behavior that I want
-
tm512
I want those to continue upgrading, even if it means gammastep breaks because it needed to be linked against new libs
-
nimaje
voy4g3r2: sorry for uncovering that problem by convincing the poudriere maintainer(s?) that checksum should only do checksumming and no refetching
-
nimaje
hm, locking should only lock that one package, everything else should upgrade as usual
-
tm512
cool, iwlwifi just panicked on me
-
MelanieUrsidino
I'm sorry
-
tm512
with gammastep I guess I should have just compiled it from source, sidestepping ports/pkg. I did try that but ran into some issue though I'll have to remind myself what that was
-
tm512
pkg lock's behavior would be fine to me if it took into account backwards compatible upgrades, like for instance allowing glib to upgrade as long as the new package still provided the same library version
-
voy4g3r2
nimaje: that makes sense to me.. i just know doing the refetch AFTER the checksum fixed the issue i was having. I do agree that the fetch should do a better job and the checksum should be just that. But i am in no position to be as definitive as you :)
-
tm512
it'd also be nice if pkg could just see that the reason the options are different between my installed package and the one in the repo is because I manually changed the options, and don't want pkg insisting on reinstalling it for no good reason
-
voy4g3r2
nimaje: plus if it prevents an issue, like this, happening again.. i am at the will of the maintainer.. i am just a humble user.
-
voy4g3r2
i presented my case and evidence and they do with it, what they like. :)
-
ketas
i don't get the issue?
-
ketas
oh i think i see
-
ketas
but why not make your entire full repo
-
ketas
so nothing will fuck with you like that
-
voy4g3r2
ketas: i did
-
heston76
dvl: Did victoria end up panning out for you?
-
dvl
heston76: Still playing.
-
dvl
See recent posts here:
bsd.network/web/@dvl