From nobody Mon Jun  8 07:43:43 2026
X-Original-To: freebsd-jail@mlmmj.nyi.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1])
	by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4gYkYt32sXz6h1xF
	for <freebsd-jail@mlmmj.nyi.freebsd.org>; Mon, 08 Jun 2026 07:43:46 +0000 (UTC)
	(envelope-from kp@FreeBSD.org)
Received: from smtp.freebsd.org (smtp.freebsd.org [IPv6:2610:1c1:1:606c::24b:4])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256
	 client-signature RSA-PSS (4096 bits) client-digest SHA256)
	(Client CN "smtp.freebsd.org", Issuer "R12" (not verified))
	by mx1.freebsd.org (Postfix) with ESMTPS id 4gYkYt2QHGz3b3m;
	Mon, 08 Jun 2026 07:43:46 +0000 (UTC)
	(envelope-from kp@FreeBSD.org)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim;
	t=1780904626;
	h=from:from:reply-to:subject:subject:date:date:message-id:message-id:
	 to:to:cc:cc:mime-version:mime-version:content-type:content-type:
	 content-transfer-encoding:content-transfer-encoding:
	 in-reply-to:in-reply-to:references:references;
	bh=KqsqIhFT2INPicJtA+q4bMWvvy5ChOQVYs64W5JNWDM=;
	b=Eqg3zmkOE/XK0YH1ZKeHe1jlMsKHpBbkHKcfgaatxAMlH3mWMq2Q5oVyGLea0AHcQRtc/0
	tOfMexNEWvJBi6g1APZdOuQXINPtAyzwg5Qi/u7AG+dotZhZSLLAAl+dHsWw/FXH/gvLj1
	EkD5FjHTS5tZxWOErxsgkw3tg4vbsXladSsQdSwuycuThZLbGT8X4xhDGe1MwRGgh/l4p5
	RJFbol1Rl7zgaGJ81zG6WkI1dIGO5sGFjzUm1QvNpPG9mpgLw1h42Qy7/fqHJPSV1AALmi
	ZvMR/4POYIcVWVAN4uNJ1TZ9MF+X/8Z7urATo1BLEz1yWM8JPsVvpW4CcRfPhQ==
ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1780904626; a=rsa-sha256; cv=none;
	b=pPfaZ9SMnPq2coezCFLM0jRm7k2LB7sHkIaUNrvBHWW0TL0+4XSPGIopmYOE9APKnoS8iQ
	wnaiCm4HDqg0xZPwK73XPs2aVhUOnPVKTaKdnlpT+NKLR7via/C/o9emfsZb4PhdGtyOF6
	5/8qPTA6k3kMtRZ/SxwC9AxBQzpZenDl2tofSFTxQP2NSHNQf2tKOZGZgPsBJ6FC9S5ga2
	pH7N7qwYg3Xf7u5jq5LaW/wU5wpmsj1t6HPR5D4GsU4VkaxCAeiyqJEPCR7BpE4A7DgPeO
	pmb8QOpkbZ/3J+SD58Xy8EqCAmth5qhcQw/qBPVjXRBIkuLzQwOVuX38JOwJXw==
ARC-Authentication-Results: i=1;
	mx1.freebsd.org;
	none
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org;
	s=dkim; t=1780904626;
	h=from:from:reply-to:subject:subject:date:date:message-id:message-id:
	 to:to:cc:cc:mime-version:mime-version:content-type:content-type:
	 content-transfer-encoding:content-transfer-encoding:
	 in-reply-to:in-reply-to:references:references;
	bh=KqsqIhFT2INPicJtA+q4bMWvvy5ChOQVYs64W5JNWDM=;
	b=xgdJvssEt/nqa8VakxqcNYIDVnm3idzHv0orGTTkSzHZeyDi5bNmAyzNeD/tDjc/2nqeyC
	nDcv7aaTGXsSPBrFtghLfIV6HFjuQUVWxSDja2kj/GbGBDjp2l61UPb7iaBF3PVpYK5NTx
	cyTJZuF672zLRIQ3rYPuCn86zadC/+md/P86MfsJFNJQzLJpfr0pPZXhgDI+riwQdAjoKi
	1m+7lqs1GjZX44WAAyXsU1u7x1LwgB38KCqsNX0RUq2k2PvqHOH8thhT2jQhgZgG5tyIzf
	mUdwvIMCV7fJO+1URCIa5mVTsdg8w3owN+EtGgmse4/MMovJnpfsLbzzQylwKg==
Received: from venus.codepro.be (venus.codepro.be [5.9.86.228])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256
	 client-signature RSA-PSS (2048 bits) client-digest SHA256)
	(Client CN "mx1.codepro.be", Issuer "R12" (not verified))
	(Authenticated sender: kp)
	by smtp.freebsd.org (Postfix) with ESMTPSA id 4gYkYt1JfTzvJb;
	Mon, 08 Jun 2026 07:43:46 +0000 (UTC)
	(envelope-from kp@FreeBSD.org)
Received: by venus.codepro.be (Postfix, authenticated sender kp)
 id 2264022309;
	Mon, 08 Jun 2026 09:43:44 +0200 (CEST)
From: Kristof Provost <kp@FreeBSD.org>
To: Doug Rabson <dfr@rabson.org>
Cc: freebsd-jail@freebsd.org
Subject: Re: Running pfctl inside a jail
Date: Mon, 08 Jun 2026 09:43:43 +0200
X-Mailer: MailMate (2.0r6272)
Message-ID: <96E80293-2013-452F-859C-B725EA7963CF@FreeBSD.org>
In-Reply-To: <CACA0VUhJ78ES4AGMtLvZOVRJLoK=w=Vot+KSbx3Q=ikdC8UkFQ@mail.gmail.com>
References: <CACA0VUhJ78ES4AGMtLvZOVRJLoK=w=Vot+KSbx3Q=ikdC8UkFQ@mail.gmail.com>
List-Id: Discussion about FreeBSD jail(8) <freebsd-jail.freebsd.org>
List-Archive: https://lists.freebsd.org/archives/freebsd-jail
List-Help: <mailto:freebsd-jail+help@freebsd.org>
List-Post: <mailto:freebsd-jail@freebsd.org>
List-Subscribe: <mailto:freebsd-jail+subscribe@freebsd.org>
List-Unsubscribe: <mailto:freebsd-jail+unsubscribe@freebsd.org>
Sender: owner-freebsd-jail@FreeBSD.org
List-Id: <freebsd-jail.FreeBSD.org>
List-Post: <mailto:freebsd-jail@FreeBSD.org>
List-Help: <mailto:freebsd-jail+help@FreeBSD.org>
List-Subscribe: <mailto:freebsd-jail+subscribe@FreeBSD.org>
List-Unsubscribe: <mailto:freebsd-jail+unsubscribe@FreeBSD.org>
List-Owner: <mailto:postmaster@FreeBSD.org>
Precedence: list
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8; markup=markdown
Content-Transfer-Encoding: quoted-printable

On 7 Jun 2026, at 19:04, Doug Rabson wrote:
> While upgrading machines in my home lab to 15.0, I discovered that I ca=
n no
> longer run pfctl in a jail. Trying to run something simple like 'pfctl =
-s
> nat' fails with the error: "pfctl: DIOCGETRULES: Operation not permitte=
d".
>
That=E2=80=99s unexpected. I=E2=80=99m not aware of any reason why that w=
ould not work.

That=E2=80=99s something the pf tests do consistently, and I=E2=80=99ve j=
ust tried on a stable/15 machine and it also just worked.

Is the jail a different freebsd version from the host kernel?

Best regards,
Kristof