Date: Thu, 13 Dec 2018 16:15:24 +0100
From: Kristof Provost <kp@freebsd.org>
To: Goran Mekić <meka@tilda.center>
Cc: freebsd-pf@freebsd.org
Subject: Re: VNET jails and PF service
Message-ID: <20181213151524.GC49515@vega.codepro.be>
In-Reply-To: <20181213120559.GB49515@vega.codepro.be>
References: <20181213000232.vk4qoapuqyqly2jx@thinker.home.meka.rs> <20181213083012.GA49515@vega.codepro.be> <20181213113505.7utf6ddl3rkr7zsd@hal9000.home.meka.rs> <20181213120559.GB49515@vega.codepro.be>
On 2018-12-13 13:06:00 (+0100), Kristof Provost <kristof@sigsegv.be> wrote:
> On 2018-12-13 12:35:05 (+0100), Goran Mekić <meka@tilda.center> wrote:
> > On Thu, Dec 13, 2018 at 09:30:12AM +0100, Kristof Provost wrote:
> > > On 2018-12-13 01:02:32 (+0100), Goran Mekić <meka@tilda.center> wrote:
> > > > I can't start PF as service from vnet jail. I have devfs rule to unhide
> > > > bpf (for dhclient) and pf that the jail is using. I can run "pfctl -e -f
> > > > /etc/pf.conf" but "service pf start" fails with:
> > > >
> > > > kldload: can't load pf: Operation not permitted
> > > > /etc/rc.d/pf: WARNING: Unable to load kernel module pf
> > > >
> > > Yes, jails can't load kernel modules, for obvious reasons.
> > > Your host needs to load the pf module, then the jail will be able to use
> > > it.
> >
> > I did load it on the host, that's why "pfctl -e -f /etc/pf.conf" works
> > in the jail, but "service pf start" doesn't.
>
> I can't seem to reproduce that. How did you start your jail?
>
> (The output of 'jls -na' might be helpful too)
>
At least on CURRENT that all does what I'd expect it to do:

% sudo kldload pfsync
% sudo jail -c name=alcatraz persist vnet
% sudo jexec alcatraz /bin/sh
# service pf onestart
Enabling pf.
# pfctl -s all
FILTER RULES:
scrub in all fragment reassemble
pass out all flags S/SA keep state
block drop in log all
pass in inet proto tcp from any to any port = ssh flags S/SA keep state

INFO:
Status: Enabled for 0 days 00:00:03           Debug: Urgent

...

Regards,
Kristof
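A pre-flight script for the sequence Kristof walks through above (host loads the module, the VNET jail starts the service), added here as an example; it is not code from the thread or from FreeBSD's rc scripts. The jail name "alcatraz" and the script file name are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread or from FreeBSD: pre-flight checks
# for "service pf start" inside a VNET jail. The jail name "alcatraz" is an
# assumption. Run as root on the FreeBSD host: sh pf-jail-preflight.sh run [jail]

# Pure helpers, so the decision logic can be tested without FreeBSD binaries.

# jls_is_vnet LISTING -> 0 if "jls -n" output reports vnet=new for the jail
jls_is_vnet() {
    printf '%s\n' "$1" | grep -Eq '(^|[[:space:]])vnet=new([[:space:]]|$)'
}

# pf_status_enabled INFO -> 0 if "pfctl -s info" output reports pf enabled
pf_status_enabled() {
    printf '%s\n' "$1" | grep -q '^Status: Enabled'
}

preflight() {
    jail="${1:-alcatraz}"
    # 1. A jail cannot kldload, so pf must already be loaded (or built in)
    #    on the host. "kldstat -q -m" also finds a statically linked pf.
    kldstat -q -m pf || { echo "host: load pf first (kldload pf)" >&2; return 1; }
    # 2. pf inside the jail needs the jail's own network stack.
    jls_is_vnet "$(jls -n -j "$jail" vnet)" ||
        { echo "$jail: not a vnet jail" >&2; return 1; }
    # 3. pfctl talks to /dev/pf; the jail's devfs ruleset has to unhide it.
    jexec "$jail" test -c /dev/pf ||
        { echo "$jail: /dev/pf hidden by the devfs ruleset" >&2; return 1; }
    # 4. rc.subr's load_kld runs this same check before calling kldload; when
    #    it fails inside the jail you get the "Operation not permitted" and
    #    "Unable to load kernel module pf" warning quoted in the thread.
    jexec "$jail" kldstat -q -m pf ||
        { echo "$jail: module pf not visible inside the jail" >&2; return 1; }
    # 5. Start pf as in the thread and confirm pfctl reports it enabled.
    jexec "$jail" service pf onestart &&
        pf_status_enabled "$(jexec "$jail" pfctl -s info)"
}

case "${1:-}" in
    run) shift; preflight "$@" ;;
esac
```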