From: Kristof Provost
To: Doug Rabson
Cc: freebsd-jail@freebsd.org
Subject: Re: Running pfctl inside a jail
Date: Mon, 08 Jun 2026 11:42:04 +0200
Message-ID: <745947DE-75CC-4B1B-A0E4-0FAC7FF8E221@FreeBSD.org>
References: <96E80293-2013-452F-859C-B725EA7963CF@FreeBSD.org> <7C23D3B8-1A14-41B7-839A-580DB61E0403@FreeBSD.org>
List-Id: Discussion about FreeBSD jail(8)
List-Archive: https://lists.freebsd.org/archives/freebsd-jail
On 8 Jun 2026, at 11:29, Doug Rabson wrote:
> On Mon, 8 Jun 2026 at 09:37, Kristof Provost wrote:
>
>> On 8 Jun 2026, at 10:00, Doug Rabson wrote:
>>> In my smallest test-case, the host and jail use the same root filesystem
>>> and the host is running 15.0-RELEASE-p8. I haven't tested with stable/15
>>> yet. This reproduces the problem for me:
>>>
>>> $ sudo pfctl -s nat
>>> nat on bridge42 inet from to any -> (bridge42) round-robin
>>> nat on bridge42 inet6 from to ! ff00::/8 -> (bridge42) round-robin
>>> nat-anchor "cni-rdr/*" all
>>> rdr-anchor "cni-rdr/*" all
>>> $ cat jail-pfctl-15
>>> #! /bin/sh
>>> j=$(jail -ic name=pfctl-in-jail15 ip4=inherit ip6=inherit path=/ persist)
>>> jexec $j pfctl -s nat
>>> jail -r $j
>>> $ sudo ./jail-pfctl-15
>>> pfctl: DIOCGETRULES: Operation not permitted
>>> $ freebsd-version -k
>>> 15.0-RELEASE-p8
>>>
>>> Do the pf unit tests cover the case where the jail shares the host vnet?
>>>
>> Oh. No, no they do not. That's just plain not supposed to work.
>>
>
> Historically, though, it has always worked, at least as far back as
> FreeBSD-13, so this is a regression.
>
>> You only ever get to manage your own pf instance, never the one of a
>> parent jail.
>>
>
> It seems reasonable (to me at least) that if a jail inherits a vnet from
> its parent, it should be able to manage that vnet. I see some evidence in
> the history that at least parts of netlink are intended to work for jails
> which don't have their own vnet (e.g.
> https://cgit.freebsd.org/src/commit/sys/netlink?id=04f75b980293d517558990a7fda6900445edcac6).

That's explicitly only for a handful of GET calls, not full management. For full management we'd need some way for users to specify that this is allowed, which we currently don't have.

I suspect the check you're running into is https://cgit.freebsd.org/src/tree/sys/netlink/netlink_generic.c#n146

I actually raised the question of how to delegate these privs to regular users (so not child jails, but that's probably going to require the same mechanism) last year: https://lists.freebsd.org/archives/freebsd-arch/2025-September/001042.html

That didn't get any response and I didn't chase it further at the time.

Best regards,
Kristof
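As an added illustration (not code from the thread, and not FreeBSD's own), the reproduction script above can be extended to contrast the two cases the reply distinguishes: a jail that inherits the host's vnet and a jail created with its own vnet. The script below assumes it is run as root on a FreeBSD host with pf loaded; the jail names are placeholders. Per the thread, the inherited-vnet case is the one that fails with DIOCGETRULES on 15.0-RELEASE-p8, while a jail with its own vnet only ever manages its own pf instance, so its output is that instance's (initially empty) NAT rule set rather than the host's.

```shell
#!/bin/sh
# Added example, not from the thread: run `pfctl -s nat` inside two
# throw-away jails, one inheriting the host vnet and one with its own vnet,
# and report what each one sees.  Assumes root on a FreeBSD host with pf
# loaded.  Jail names are placeholders.
set -u

# Label a jail's vnet mode as printed by `jls -j <jid> vnet`.
# Pure function, so it can be exercised without a FreeBSD host.
describe_vnet() {
    case "$1" in
        new)     echo "own vnet: pfctl talks to the jail's own pf instance" ;;
        inherit) echo "inherited host vnet: no delegated pf management" ;;
        *)       echo "unknown vnet mode: $1"; return 1 ;;
    esac
}

# Jail parameters for each mode.  A vnet jail gets its own network stack,
# so the ip4/ip6 inherit parameters only apply to the shared-vnet case.
jail_params() {
    case "$1" in
        inherit) echo "ip4=inherit ip6=inherit" ;;
        new)     echo "vnet" ;;
        *)       return 1 ;;
    esac
}

# Create a persistent jail sharing the host root (path=/), run pfctl in it,
# print the outcome, and always remove the jail again.
try_pfctl_in_jail() {
    name=$1
    mode=$2
    params=$(jail_params "$mode") || return 1
    # shellcheck disable=SC2086  # params is intentionally word-split
    j=$(jail -ic name="$name" path=/ persist $params) || return 1
    actual=$(jls -j "$j" vnet)
    echo "== jail $name (jid $j): $(describe_vnet "$actual")"
    if out=$(jexec "$j" pfctl -s nat 2>&1); then
        echo "pfctl succeeded; NAT rules visible from inside the jail:"
        printf '%s\n' "${out:-(none)}"
    else
        echo "pfctl failed: $out"
    fi
    jail -r "$j"
}

main() {
    echo "kernel: $(freebsd-version -k)"
    try_pfctl_in_jail pfctl-shared-vnet inherit
    try_pfctl_in_jail pfctl-own-vnet new
}

# Only drive jails on FreeBSD; elsewhere just define the helpers.
if [ "$(uname -s)" = FreeBSD ]; then
    main
fi
```

Run it with `sudo ./pfctl-vnet-compare` (or whatever you save it as). The two jails are torn down on every path through `try_pfctl_in_jail`, so a failed `pfctl` does not leave a persistent jail behind.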