From owner-freebsd-pf@freebsd.org Thu Dec 13 00:46:57 2018 Return-Path: Delivered-To: freebsd-pf@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id AB6FB132C50F for ; Thu, 13 Dec 2018 00:46:57 +0000 (UTC) (envelope-from SRS0=RpOD=OW=quip.cz=000.fbsd@elsa.codelab.cz) Received: from elsa.codelab.cz (elsa.codelab.cz [94.124.105.4]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mx1.freebsd.org (Postfix) with ESMTPS id 2937B89AA6 for ; Thu, 13 Dec 2018 00:46:57 +0000 (UTC) (envelope-from SRS0=RpOD=OW=quip.cz=000.fbsd@elsa.codelab.cz) Received: from elsa.codelab.cz (localhost [127.0.0.1]) by elsa.codelab.cz (Postfix) with ESMTP id BAD2228428; Thu, 13 Dec 2018 01:46:52 +0100 (CET) Received: from illbsd.quip.test (ip-86-49-16-209.net.upcbroadband.cz [86.49.16.209]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by elsa.codelab.cz (Postfix) with ESMTPSA id C7CDF28417; Thu, 13 Dec 2018 01:46:49 +0100 (CET) Subject: Re: VNET jails and PF service To: =?UTF-8?Q?Goran_Meki=c4=87?= , freebsd-pf@freebsd.org References: <20181213000232.vk4qoapuqyqly2jx@thinker.home.meka.rs> From: Miroslav Lachman <000.fbsd@quip.cz> Message-ID: Date: Thu, 13 Dec 2018 01:46:46 +0100 User-Agent: Mozilla/5.0 (X11; FreeBSD amd64; rv:52.0) Gecko/20100101 Firefox/52.0 SeaMonkey/2.49.3 MIME-Version: 1.0 In-Reply-To: <20181213000232.vk4qoapuqyqly2jx@thinker.home.meka.rs> Content-Type: text/plain; charset=UTF-8; format=flowed Content-Transfer-Encoding: 8bit X-Rspamd-Queue-Id: 2937B89AA6 X-Spamd-Bar: +++ Authentication-Results: mx1.freebsd.org X-Spamd-Result: default: False [3.77 / 15.00]; ARC_NA(0.00)[]; RCVD_VIA_SMTP_AUTH(0.00)[]; FROM_HAS_DN(0.00)[]; TO_DN_SOME(0.00)[]; NEURAL_SPAM_SHORT(0.85)[0.853,0]; IP_SCORE(0.73)[ip: (1.92), ipnet: 94.124.104.0/21(0.96), asn: 42000(0.77), country: CZ(0.02)]; MIME_GOOD(-0.10)[text/plain]; RCVD_TLS_LAST(0.00)[]; DMARC_NA(0.00)[quip.cz]; AUTH_NA(1.00)[]; NEURAL_SPAM_MEDIUM(1.00)[0.999,0]; RCVD_COUNT_THREE(0.00)[3]; TO_MATCH_ENVRCPT_SOME(0.00)[]; MX_GOOD(-0.01)[cached: elsa.codelab.cz]; RCPT_COUNT_TWO(0.00)[2]; RCVD_IN_DNSWL_NONE(0.00)[4.105.124.94.list.dnswl.org : 127.0.10.0]; R_SPF_NA(0.00)[]; FORGED_SENDER(0.30)[000.fbsd@quip.cz,SRS0=RpOD=OW=quip.cz=000.fbsd@elsa.codelab.cz]; RECEIVED_SPAMHAUS_PBL(0.00)[209.16.49.86.zen.spamhaus.org : 127.0.0.11]; R_DKIM_NA(0.00)[]; MIME_TRACE(0.00)[0:+]; ASN(0.00)[asn:42000, ipnet:94.124.104.0/21, country:CZ]; FROM_NEQ_ENVFROM(0.00)[000.fbsd@quip.cz,SRS0=RpOD=OW=quip.cz=000.fbsd@elsa.codelab.cz]; MID_RHS_MATCH_FROM(0.00)[] X-BeenThere: freebsd-pf@freebsd.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: "Technical discussion and general questions about packet filter \(pf\)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 13 Dec 2018 00:46:57 -0000 Goran Mekić wrote on 2018/12/13 01:02: > Hello, > > I can't start PF as service from vnet jail. I have devfs rule to unhide > bpf (for dhclient) and pf that the jail is using. I can run "pfctl -e -f > /etc/pf.conf" but "service pf start" fails with: > > kldload: can't load pf: Operation not permitted > /etc/rc.d/pf: WARNING: Unable to load kernel module pf > > That's expected given https://svnweb.freebsd.org/base/releng/12.0/libexec/rc/rc.d/pf?view=markup#l25 > in the rc file. What is the proper way to enable PF in VNET jail? Do you have PF compiled in to your kernel or loaded as module pf.ko in the host? Miroslav Lachman