From: Goran Mekić
To: freebsd-pf@freebsd.org
Date: Thu, 13 Dec 2018 01:02:32 +0100
Subject: VNET jails and PF service
Message-ID: <20181213000232.vk4qoapuqyqly2jx@thinker.home.meka.rs>

Hello,

I can't start PF as a service from a vnet jail. I have a devfs rule to unhide bpf (for dhclient) and pf that the jail is using. I can run "pfctl -e -f /etc/pf.conf" but "service pf start" fails with:

kldload: can't load pf: Operation not permitted
/etc/rc.d/pf: WARNING: Unable to load kernel module pf

That's expected given
https://svnweb.freebsd.org/base/releng/12.0/libexec/rc/rc.d/pf?view=markup#l25
in the rc file. What is the proper way to enable PF in a VNET jail?

Regards,
meka