Date: Mon, 08 Jun 2026 11:42:04 +0200
From: Kristof Provost <kp@FreeBSD.org>
To: Doug Rabson <dfr@rabson.org>
Cc: freebsd-jail@freebsd.org
Subject: Re: Running pfctl inside a jail
Message-ID: <745947DE-75CC-4B1B-A0E4-0FAC7FF8E221@FreeBSD.org>
In-Reply-To: <CACA0VUhPCX9AzJzaNYF=25PRgU4TeUMPn36CZhBrb8wPDdFX9w@mail.gmail.com>
References: <CACA0VUhJ78ES4AGMtLvZOVRJLoK=w=Vot+KSbx3Q=ikdC8UkFQ@mail.gmail.com>
 <96E80293-2013-452F-859C-B725EA7963CF@FreeBSD.org>
 <CACA0VUhigsCrqxrBySxptLCfh_K6+Cb+T+DSJZgHnSMr0i9WOQ@mail.gmail.com>
 <7C23D3B8-1A14-41B7-839A-580DB61E0403@FreeBSD.org>
 <CACA0VUhPCX9AzJzaNYF=25PRgU4TeUMPn36CZhBrb8wPDdFX9w@mail.gmail.com>
On 8 Jun 2026, at 11:29, Doug Rabson wrote:
> On Mon, 8 Jun 2026 at 09:37, Kristof Provost <kp@freebsd.org> wrote:
>
>> On 8 Jun 2026, at 10:00, Doug Rabson wrote:
>>> In my smallest test-case, the host and jail use the same root filesystem
>>> and the host is running 15.0-RELEASE-p8. I haven't tested with stable/15
>>> yet. This reproduces the problem for me:
>>>
>>> $ sudo pfctl -s nat
>>> nat on bridge42 inet from <cni-nat> to any -> (bridge42) round-robin
>>> nat on bridge42 inet6 from <cni-nat> to ! ff00::/8 -> (bridge42) round-robin
>>> nat-anchor "cni-rdr/*" all
>>> rdr-anchor "cni-rdr/*" all
>>> $ cat jail-pfctl-15
>>> #! /bin/sh
>>> j=$(jail -ic name=pfctl-in-jail15 ip4=inherit ip6=inherit path=/ persist)
>>> jexec $j pfctl -s nat
>>> jail -r $j
>>> $ sudo ./jail-pfctl-15
>>> pfctl: DIOCGETRULES: Operation not permitted
>>> $ freebsd-version -k
>>> 15.0-RELEASE-p8
>>>
>>> Do the pf unit tests cover the case where the jail shares the host vnet?
>>>
>> Oh. No, no they do not. That’s just plain not supposed to work.
>>
> Historically, though, it has always worked, at least as far back as
> FreeBSD-13 so this is a regression.
>
>> You only ever get to manage your own pf instance, never the one of a
>> parent jail.
>>
> It seems reasonable (to me at least) that if a jail inherits a vnet from
> its parent, it should be able to manage that vnet. I see some evidence in
> the history that at least parts of netlink are intended to work for jails
> which don't have their own vnet (e.g.
> https://cgit.freebsd.org/src/commit/sys/netlink?id=04f75b980293d517558990a7fda6900445edcac6).

That’s explicitly only for a handful of GET calls, not full management. For full management we’d need some way for users to specify that this is allowed, which we currently don’t have.

I suspect the check you’re running into is https://cgit.freebsd.org/src/tree/sys/netlink/netlink_generic.c#n146

I actually raised the question of how to delegate these privs to regular users (so not child jails, but that’s probably going to require the same mechanism) last year: https://lists.freebsd.org/archives/freebsd-arch/2025-September/001042.html

That didn’t get any response and I didn’t chase it further at the time.

Best regards,
Kristof
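An added probe script, not from this thread or from the FreeBSD tree, that extends Doug's reproducer to compare the two jail modes the thread contrasts: a jail that inherits the host vnet (ip4=inherit/ip6=inherit, the failing case above) and a jail that owns its vnet (vnet=new, which per Kristof's remark manages only its own pf instance). It assumes a FreeBSD host with pf loaded, root privileges, and that the jail name prefix pfctl-probe is free; the outcome labels (ok/eperm/error) and the helper names are this example's own. It prints one line per mode rather than asserting what either mode should do.

```shell
#!/bin/sh
# Added example (not from the thread): run `pfctl -s nat` inside a jail
# created two ways and report the outcome per mode, so the shared-vnet
# case can be compared against a jail with its own vnet.
# Assumptions: FreeBSD host, pf loaded, run as root, jail names
# "pfctl-probe-<mode>" unused.

# jail_params MODE -> jail(8) parameters for that mode (pure helper).
jail_params() {
    case "$1" in
        inherit) printf '%s' 'ip4=inherit ip6=inherit' ;;
        vnet)    printf '%s' 'vnet=new' ;;
        *)       printf 'unknown mode: %s\n' "$1" >&2; return 1 ;;
    esac
}

# classify_result EXIT_STATUS STDERR_TEXT -> ok | eperm | error
# "eperm" matches the "Operation not permitted" text pfctl printed above.
classify_result() {
    status=$1
    err=$2
    if [ "$status" -eq 0 ]; then
        printf 'ok'
    elif printf '%s' "$err" | grep -q 'Operation not permitted'; then
        printf 'eperm'
    else
        printf 'error'
    fi
}

# run_in_jail MODE: create a persistent jail sharing the host root (as in
# Doug's script), run pfctl inside it, remove the jail, print "MODE: LABEL".
run_in_jail() {
    mode=$1
    params=$(jail_params "$mode") || return 1
    # $params is intentionally word-split into separate jail(8) parameters.
    j=$(jail -ic name="pfctl-probe-$mode" path=/ persist $params) || {
        printf '%s: could not create jail\n' "$mode"
        return 1
    }
    errfile=$(mktemp -t pfctl-probe) || return 1
    jexec "$j" pfctl -s nat >/dev/null 2>"$errfile"
    status=$?
    jail -r "$j"
    printf '%s: %s\n' "$mode" "$(classify_result "$status" "$(cat "$errfile")")"
    rm -f "$errfile"
}

main() {
    if [ "$(uname -s)" != FreeBSD ] || [ "$(id -u)" -ne 0 ]; then
        echo 'run this probe as root on FreeBSD' >&2
        return 1
    fi
    echo "host kernel: $(freebsd-version -k)"
    for mode in inherit vnet; do
        run_in_jail "$mode"
    done
}

# The probe only runs when PFCTL_PROBE_RUN=1 is set, so the helpers can be
# sourced and checked without creating jails.
if [ "${PFCTL_PROBE_RUN:-0}" = 1 ]; then
    main
fi
```

Run it as `sudo env PFCTL_PROBE_RUN=1 sh pfctl-probe.sh`. On the 15.0-RELEASE-p8 host described above the inherit line is expected to read "inherit: eperm", matching the DIOCGETRULES error in the reproducer; the vnet line shows what a jail that owns its vnet gets for its own pf instance, which is the case the thread says the pf tests already exercise.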
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?745947DE-75CC-4B1B-A0E4-0FAC7FF8E221>
