From: Doug Rabson
Date: Mon, 8 Jun 2026 11:15:12 +0100
Subject: Re: Running pfctl inside a jail
To: Kristof Provost
Cc: freebsd-jail@freebsd.org
In-Reply-To: <745947DE-75CC-4B1B-A0E4-0FAC7FF8E221@FreeBSD.org>
List-Id: Discussion about FreeBSD jail(8)
List-Archive: https://lists.freebsd.org/archives/freebsd-jail

On Mon, 8 Jun 2026 at 10:42, Kristof Provost wrote:

> On 8 Jun 2026, at 11:29, Doug Rabson wrote:
> > On Mon, 8 Jun 2026 at 09:37, Kristof Provost wrote:
> >
> >> On 8 Jun 2026, at 10:00, Doug Rabson wrote:
> >>> In my smallest test-case, the host and jail use the same root filesystem
> >>> and the host is running 15.0-RELEASE-p8. I haven't tested with stable/15
> >>> yet. This reproduces the problem for me:
> >>>
> >>> $ sudo pfctl -s nat
> >>> nat on bridge42 inet from <cni-nat> to any -> (bridge42) round-robin
> >>> nat on bridge42 inet6 from <cni-nat> to ! ff00::/8 -> (bridge42) round-robin
> >>> nat-anchor "cni-rdr/*" all
> >>> rdr-anchor "cni-rdr/*" all
> >>> $ cat jail-pfctl-15
> >>> #! /bin/sh
> >>> j=$(jail -ic name=pfctl-in-jail15 ip4=inherit ip6=inherit path=/ persist)
> >>> jexec $j pfctl -s nat
> >>> jail -r $j
> >>> $ sudo ./jail-pfctl-15
> >>> pfctl: DIOCGETRULES: Operation not permitted
> >>> $ freebsd-version -k
> >>> 15.0-RELEASE-p8
> >>>
> >>> Do the pf unit tests cover the case where the jail shares the host vnet?
> >>>
> >> Oh. No, no they do not. That’s just plain not supposed to work.
> >
> > Historically, though, it has always worked, at least as far back as
> > FreeBSD-13 so this is a regression.
> >
> >> You only ever get to manage your own pf instance, never the one of a
> >> parent jail.
> >
> > It seems reasonable (to me at least) that if a jail inherits a vnet from
> > its parent, it should be able to manage that vnet. I see some evidence in
> > the history that at least parts of netlink are intended to work for jails
> > which don't have their own vnet (e.g.
> > https://cgit.freebsd.org/src/commit/sys/netlink?id=04f75b980293d517558990a7fda6900445edcac6).
>
> That’s explicitly only for a handful of GET calls, not full management.
> For full management we’d need some way for users to specify that this is
> allowed, which we currently don’t have.
>
> I suspect the check you’re running into is
> https://cgit.freebsd.org/src/tree/sys/netlink/netlink_generic.c#n146
>
> I actually raised the question of how to delegate these privs to regular
> users (so not child jails, but that’s probably going to require the same
> mechanism) last year:
> https://lists.freebsd.org/archives/freebsd-arch/2025-September/001042.html
> That didn’t get any response and I didn’t chase it further at the time.

I like the idea of adding PRIV_NETINET_PF_RO and presumably adding jail
allow flag(s) to responsibly grant these privileges to a jail. I am not
entirely sure how that would work for users, though. I guess the MAC
framework sits in the right place but I don't understand MAC at all.

Doug.
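An added check prompted by the thread (example script written for this page, not from Doug, Kristof or the FreeBSD project): it lists which jails on a host share the host's network stack, since those are the jails whose pfctl would, where permitted, act on the host's pf instance rather than their own. It assumes jls(8) "-n" prints "name=" and "vnet=" parameters and that vnet is reported as "inherit" or "new" as documented in jail(8); on a non-FreeBSD host it runs over a constructed sample instead.

```shell
#!/bin/sh
# classify_jails: read jls -n style "name=... vnet=..." lines on stdin and
# print "<name> shared-vnet" (shares the host/parent network stack, like the
# ip4=inherit jail in the repro) or "<name> own-vnet" (vnet=new) per jail.
classify_jails() {
    while read -r line; do
        name=""; vnet="inherit"          # vnet defaults to inherit (jail(8))
        for kv in $line; do
            case $kv in
                name=*) name=${kv#name=} ;;
                vnet=*) vnet=${kv#vnet=} ;;
            esac
        done
        [ -n "$name" ] || continue
        case $vnet in
            new) printf '%s own-vnet\n' "$name" ;;
            *)   printf '%s shared-vnet\n' "$name" ;;
        esac
    done
}

# Constructed sample standing in for "jls -n name vnet ip4" output (two
# jails); the names are made up for this example.
SAMPLE='name=pfctl-in-jail15 vnet=inherit ip4=inherit
name=web vnet=new ip4=disable'

# count_shared_sample: number of sample jails that share the host vnet.
count_shared_sample() {
    printf '%s\n' "$SAMPLE" | classify_jails | grep -c ' shared-vnet$'
}

if [ "$(uname -s)" = FreeBSD ] && [ "$(id -u)" = 0 ]; then
    jls -n name vnet | classify_jails      # real host: needs root for jls details
else
    printf '%s\n' "$SAMPLE" | classify_jails
fi
```

Jails reported as shared-vnet are the ones affected by the privilege check discussed above; a jail that should manage pf is better given its own vnet than broader privileges on the host stack.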