Date: Mon, 08 Jun 2026 10:36:59 +0200
From: Kristof Provost <kp@FreeBSD.org>
To: Doug Rabson <dfr@rabson.org>
Cc: freebsd-jail@freebsd.org
Subject: Re: Running pfctl inside a jail
Message-ID: <7C23D3B8-1A14-41B7-839A-580DB61E0403@FreeBSD.org>
In-Reply-To: <CACA0VUhigsCrqxrBySxptLCfh_K6+Cb+T+DSJZgHnSMr0i9WOQ@mail.gmail.com>
References: <CACA0VUhJ78ES4AGMtLvZOVRJLoK=w=Vot+KSbx3Q=ikdC8UkFQ@mail.gmail.com> <96E80293-2013-452F-859C-B725EA7963CF@FreeBSD.org> <CACA0VUhigsCrqxrBySxptLCfh_K6+Cb+T+DSJZgHnSMr0i9WOQ@mail.gmail.com>
On 8 Jun 2026, at 10:00, Doug Rabson wrote:
> In my smallest test-case, the host and jail use the same root filesystem
> and the host is running 15.0-RELEASE-p8. I haven't tested with stable/15
> yet. This reproduces the problem for me:
>
> $ sudo pfctl -s nat
> nat on bridge42 inet from <cni-nat> to any -> (bridge42) round-robin
> nat on bridge42 inet6 from <cni-nat> to ! ff00::/8 -> (bridge42) round-robin
> nat-anchor "cni-rdr/*" all
> rdr-anchor "cni-rdr/*" all
> $ cat jail-pfctl-15
> #! /bin/sh
> j=$(jail -ic name=pfctl-in-jail15 ip4=inherit ip6=inherit path=/ persist)
> jexec $j pfctl -s nat
> jail -r $j
> $ sudo ./jail-pfctl-15
> pfctl: DIOCGETRULES: Operation not permitted
> $ freebsd-version -k
> 15.0-RELEASE-p8
>
>
> Do the pf unit tests cover the case where the jail shares the host vnet?
>
Oh. No, no they do not.

That's just plain not supposed to work. You only ever get to manage your own pf instance, never the one of a parent jail.

Best regards,
Kristof
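The rule Kristof states (a jail that inherits its parent's network stack has no pf instance of its own to manage, so pfctl fails with EPERM) can be checked before running pfctl rather than discovered from the opaque "DIOCGETRULES: Operation not permitted". The pre-flight script below is an added example, not code from either poster or from FreeBSD. It reads the two jail sysctls that jail(8) exposes inside a jail, security.jail.jailed and security.jail.vnet, and classifies which pf instance pfctl would be talking to; the function and message names are the example's own, and the fallback to 0 when the sysctls are absent is an assumption so the script can be sourced on any system.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread: classify which pf instance
# pfctl would reach from the current context, using the jail sysctls
# security.jail.jailed (0 = host, 1 = inside a jail) and
# security.jail.vnet (1 = the jail has its own virtual network stack).

# pf_scope JAILED VNET
# Prints one of: host, own-vnet, parent-vnet.
pf_scope() {
    jailed=$1
    vnet=$2
    if [ "$jailed" = "0" ]; then
        echo host
    elif [ "$vnet" = "1" ]; then
        echo own-vnet
    else
        # Jailed, but sharing the parent's vnet: the only pf instance in reach
        # belongs to the parent, which a child jail may never manage.
        echo parent-vnet
    fi
}

# pf_scope_message SCOPE
# Human-readable explanation for each classification; non-zero on unknown input.
pf_scope_message() {
    case "$1" in
        host)        echo "pfctl manages the host pf instance" ;;
        own-vnet)    echo "pfctl manages this jail's own pf instance (vnet jail)" ;;
        parent-vnet) echo "this jail shares its parent's vnet; pfctl cannot manage the parent's pf instance and will fail with EPERM" ;;
        *)           echo "unknown scope: $1"; return 1 ;;
    esac
}

# Read the live values on FreeBSD; elsewhere the sysctls do not exist, so
# assume the host case (this fallback is the example's own assumption).
current_pf_scope() {
    jailed=$(sysctl -n security.jail.jailed 2>/dev/null || echo 0)
    vnet=$(sysctl -n security.jail.vnet 2>/dev/null || echo 0)
    pf_scope "$jailed" "$vnet"
}

# Usage: ./pf-scope.sh --check
# Exits non-zero when pfctl would not be permitted to manage a pf instance,
# so it can gate a jexec'd pfctl call in a larger script.
if [ "${1:-}" = "--check" ]; then
    scope=$(current_pf_scope)
    pf_scope_message "$scope"
    [ "$scope" != "parent-vnet" ]
fi
```

Run with `--check` from inside the jail created by the reproduction script (ip4=inherit, ip6=inherit, no vnet) and it reports the parent-vnet case; run it inside a jail created with vnet=new and it reports own-vnet, which is the configuration in which `pfctl -s nat` is expected to succeed.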
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?7C23D3B8-1A14-41B7-839A-580DB61E0403>
