Date: Mon, 8 Jun 2026 09:00:38 +0100 From: Doug Rabson <dfr@rabson.org> To: Kristof Provost <kp@freebsd.org> Cc: freebsd-jail@freebsd.org Subject: Re: Running pfctl inside a jail Message-ID: <CACA0VUhigsCrqxrBySxptLCfh_K6%2BCb%2BT%2BDSJZgHnSMr0i9WOQ@mail.gmail.com> In-Reply-To: <96E80293-2013-452F-859C-B725EA7963CF@FreeBSD.org> References: <CACA0VUhJ78ES4AGMtLvZOVRJLoK=w=Vot%2BKSbx3Q=ikdC8UkFQ@mail.gmail.com> <96E80293-2013-452F-859C-B725EA7963CF@FreeBSD.org>
index | next in thread | previous in thread | raw e-mail
[-- Attachment #1 --] On Mon, 8 Jun 2026 at 08:43, Kristof Provost <kp@freebsd.org> wrote: > On 7 Jun 2026, at 19:04, Doug Rabson wrote: > > While upgrading machines in my home lab to 15.0, I discovered that I can > no > > longer run pfctl in a jail. Trying to run something simple like 'pfctl -s > > nat' fails with the error: "pfctl: DIOCGETRULES: Operation not > permitted". > > > That’s unexpected. I’m not aware of any reason why that would not work. > > That’s something the pf tests do consistently, and I’ve just tried on a > stable/15 machine and it also just worked. > > Is the jail a different freebsd version from the host kernel? > In my smallest test-case, the host and jail use the same root filesystem and the host is running 15.0-RELEASE-p8. I haven't tested with stable/15 yet. This reproduces the problem for me: $ sudo pfctl -s nat nat on bridge42 inet from <cni-nat> to any -> (bridge42) round-robin nat on bridge42 inet6 from <cni-nat> to ! ff00::/8 -> (bridge42) round-robin nat-anchor "cni-rdr/*" all rdr-anchor "cni-rdr/*" all $ cat jail-pfctl-15 #! /bin/sh j=$(jail -ic name=pfctl-in-jail15 ip4=inherit ip6=inherit path=/ persist) jexec $j pfctl -s nat jail -r $j $ sudo ./jail-pfctl-15 pfctl: DIOCGETRULES: Operation not permitted $ freebsd-version -k 15.0-RELEASE-p8 Do the pf unit tests cover the case where the jail shares the host vnet? Anyway, thanks for taking a look; I do have a workaround using FreeBSD-14.x version of pfctl but it would be nice to have this working properly on 15.x as well. Doug. [-- Attachment #2 --] <div dir="ltr"><div dir="ltr"><br></div><br><div class="gmail_quote gmail_quote_container"><div dir="ltr" class="gmail_attr">On Mon, 8 Jun 2026 at 08:43, Kristof Provost <<a href="mailto:kp@freebsd.org">kp@freebsd.org</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">On 7 Jun 2026, at 19:04, Doug Rabson wrote:<br> > While upgrading machines in my home lab to 15.0, I discovered that I can no<br> > longer run pfctl in a jail. Trying to run something simple like 'pfctl -s<br> > nat' fails with the error: "pfctl: DIOCGETRULES: Operation not permitted".<br> ><br> That’s unexpected. I’m not aware of any reason why that would not work.<br> <br> That’s something the pf tests do consistently, and I’ve just tried on a stable/15 machine and it also just worked.<br> <br> Is the jail a different freebsd version from the host kernel?<br></blockquote><div><br></div><div>In my smallest test-case, the host and jail use the same root filesystem and the host is running 15.0-RELEASE-p8. I haven't tested with stable/15 yet. This reproduces the problem for me:</div><div><br></div></div><blockquote style="margin:0 0 0 40px;border:none;padding:0px"><div class="gmail_quote gmail_quote_container">$ sudo pfctl -s nat<br>nat on bridge42 inet from <cni-nat> to any -> (bridge42) round-robin<br>nat on bridge42 inet6 from <cni-nat> to ! ff00::/8 -> (bridge42) round-robin<br>nat-anchor "cni-rdr/*" all<br>rdr-anchor "cni-rdr/*" all<br>$ cat jail-pfctl-15<br>#! /bin/sh<br>j=$(jail -ic name=pfctl-in-jail15 ip4=inherit ip6=inherit path=/ persist)<br>jexec $j pfctl -s nat<br>jail -r $j<br>$ sudo ./jail-pfctl-15<br>pfctl: DIOCGETRULES: Operation not permitted</div><div class="gmail_quote gmail_quote_container">$ freebsd-version -k</div>15.0-RELEASE-p8</blockquote><div class="gmail_quote gmail_quote_container"><div> </div><div>Do the pf unit tests cover the case where the jail shares the host vnet? Anyway, thanks for taking a look; I do have a workaround using FreeBSD-14.x version of pfctl but it would be nice to have this working properly on 15.x as well.</div><div><br></div><div>Doug.</div></div></div>home | help
Want to link to this message? Use this
URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?CACA0VUhigsCrqxrBySxptLCfh_K6%2BCb%2BT%2BDSJZgHnSMr0i9WOQ>