From: Goran Mekić
Date: Thu, 13 Dec 2018 12:35:05 +0100
To: Kristof Provost
Cc: freebsd-pf@freebsd.org
Subject: Re: VNET jails and PF service

On Thu, Dec 13, 2018 at 09:30:12AM +0100, Kristof Provost wrote:
> On 2018-12-13 01:02:32 (+0100), Goran Mekić wrote:
> > I can't start PF as service from vnet jail. I have devfs rule to unhide
> > bpf (for dhclient) and pf that the jail is using. I can run "pfctl -e -f
> > /etc/pf.conf" but "service pf start" fails with:
> >
> > kldload: can't load pf: Operation not permitted
> > /etc/rc.d/pf: WARNING: Unable to load kernel module pf
> >
> Yes, jails can't load kernel modules, for obvious reasons.
> Your host needs to load the pf module, then the jail will be able to use
> it.

I did load it on the host, that's why "pfctl -e -f /etc/pf.conf" works in
the jail, but "service pf start" doesn't.