List-Id: Discussion about FreeBSD jail(8)
List-Archive: https://lists.freebsd.org/archives/freebsd-jail
In-Reply-To: <7C23D3B8-1A14-41B7-839A-580DB61E0403@FreeBSD.org>
From: Doug Rabson
Date: Mon, 8 Jun 2026 10:29:30 +0100
Subject: Re: Running pfctl inside a jail
To: Kristof Provost
Cc: freebsd-jail@freebsd.org

On Mon, 8 Jun 2026 at 09:37, Kristof Provost wrote:
> On 8 Jun 2026, at 10:00, Doug Rabson wrote:
> > In my smallest test-case, the host and jail use the same root filesystem
> > and the host is running 15.0-RELEASE-p8. I haven't tested with stable/15
> > yet. This reproduces the problem for me:
> >
> > $ sudo pfctl -s nat
> > nat on bridge42 inet from <cni-nat> to any -> (bridge42) round-robin
> > nat on bridge42 inet6 from <cni-nat> to ! ff00::/8 -> (bridge42) round-robin
> > nat-anchor "cni-rdr/*" all
> > rdr-anchor "cni-rdr/*" all
> > $ cat jail-pfctl-15
> > #! /bin/sh
> > j=$(jail -ic name=pfctl-in-jail15 ip4=inherit ip6=inherit path=/ persist)
> > jexec $j pfctl -s nat
> > jail -r $j
> > $ sudo ./jail-pfctl-15
> > pfctl: DIOCGETRULES: Operation not permitted
> > $ freebsd-version -k
> > 15.0-RELEASE-p8
> >
> >
> > Do the pf unit tests cover the case where the jail shares the host vnet?
> >
> Oh. No, no they do not. That's just plain not supposed to work.
>
Historically, though, it has always worked, at least as far back as FreeBSD-13, so this is a regression.

> You only ever get to manage your own pf instance, never the one of a
> parent jail.
>
It seems reasonable (to me at least) that if a jail inherits a vnet from its parent, it should be able to manage that vnet. I see some evidence in the history that at least parts of netlink are intended to work for jails which don't have their own vnet (e.g. https://cgit.freebsd.org/src/commit/sys/netlink?id=04f75b980293d517558990a7fda6900445edcac6). I would also like to be able to create interfaces in non-vnet jails but that is another conversation entirely.

For what it's worth, this pattern of delegating network management to a privileged container is common on Linux. For instance, the Linux version of kube-proxy as well as the popular Calico cluster networking stack, uses this pattern to manage interfaces and iptables rule sets.

Doug.


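An added example, not from the thread or from FreeBSD's own pf tests, that covers the case Doug asks about: it runs the same `pfctl -s nat` query in a throwaway jail that inherits the host vnet and in one that gets its own vnet, and reports whether each is permitted or denied. It assumes root on a FreeBSD host with pf loaded; the jail names and the helper function names are made up for this example.

```shell
#!/bin/sh
# Added example (not from the thread): compare pfctl behaviour in a jail that
# shares the host vnet (vnet=inherit, as in the repro above) with a jail that
# has its own vnet (vnet=new). Assumes root on FreeBSD with pf loaded.
set -u

# Turn pfctl's exit status and stderr into a one-word verdict so the two
# jail configurations can be compared without re-reading the output.
classify_pfctl() {  # $1 = exit status, $2 = captured stderr
    status=$1; err=$2
    if [ "$status" -eq 0 ]; then
        echo permitted
    elif printf '%s' "$err" | grep -q 'Operation not permitted'; then
        echo denied          # the EPERM from DIOCGETRULES seen in the repro
    else
        echo error           # anything else (no /dev/pf, jail failure, ...)
    fi
}

# Create a temporary jail with the given vnet mode, run "pfctl -s nat" inside
# it, tear the jail down, and print the verdict. Jail name is made up.
probe_jail() {  # $1 = "inherit" or "new"
    mode=$1
    if [ "$mode" = inherit ]; then
        # Same shape as the repro script: share the host's addresses and vnet.
        j=$(jail -ic name="pfprobe-inherit" ip4=inherit ip6=inherit path=/ persist)
    else
        j=$(jail -ic name="pfprobe-new" vnet=new path=/ persist)
    fi || { echo error; return; }
    # Keep stderr (the error text), discard the rule listing on stdout.
    err=$(jexec "$j" pfctl -s nat 2>&1 >/dev/null); status=$?
    jail -r "$j"
    classify_pfctl "$status" "$err"
}

# Only attempt the live probe where jails exist and we are root.
if command -v jail >/dev/null 2>&1 && [ "$(id -u)" -eq 0 ]; then
    for mode in inherit new; do
        printf 'vnet=%s: %s\n' "$mode" "$(probe_jail "$mode")"
    done
fi
```

On a host showing the regression from the thread, the `inherit` line reports `denied` while the `new` line reports `permitted`, which is the distinction the pf tests would need to exercise.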