From: Doug Rabson <dfr@rabson.org>
Date: Mon, 8 Jun 2026 09:00:38 +0100
Subject: Re: Running pfctl inside a jail
To: Kristof Provost <kp@freebsd.org>
Cc: freebsd-jail@freebsd.org
List-Id: Discussion about FreeBSD jail(8)
List-Archive: https://lists.freebsd.org/archives/freebsd-jail

On Mon, 8 Jun 2026 at 08:43, Kristof Provost wrote:
> On 7 Jun 2026, at 19:04, Doug Rabson wrote:
> > While upgrading machines in my home lab to 15.0, I discovered that I can
> > no longer run pfctl in a jail. Trying to run something simple like 'pfctl -s
> > nat' fails with the error: "pfctl: DIOCGETRULES: Operation not permitted".
> >
> That's unexpected. I'm not aware of any reason why that would not work.
>
> That's something the pf tests do consistently, and I've just tried on a
> stable/15 machine and it also just worked.
>
> Is the jail a different freebsd version from the host kernel?
>

In my smallest test-case, the host and jail use the same root filesystem
and the host is running 15.0-RELEASE-p8. I haven't tested with stable/15
yet. This reproduces the problem for me:

$ sudo pfctl -s nat
nat on bridge42 inet from <cni-nat> to any -> (bridge42) round-robin
nat on bridge42 inet6 from <cni-nat> to ! ff00::/8 -> (bridge42) round-robin
nat-anchor "cni-rdr/*" all
rdr-anchor "cni-rdr/*" all
$ cat jail-pfctl-15
#! /bin/sh
j=$(jail -ic name=pfctl-in-jail15 ip4=inherit ip6=inherit path=/ persist)
jexec $j pfctl -s nat
jail -r $j
$ sudo ./jail-pfctl-15
pfctl: DIOCGETRULES: Operation not permitted
$ freebsd-version -k
15.0-RELEASE-p8

Do the pf unit tests cover the case where the jail shares the host vnet?
Anyway, thanks for taking a look; I do have a workaround using the FreeBSD-14.x
version of pfctl, but it would be nice to have this working properly on 15.x
as well.

Doug.