From: Kristof Provost
To: Doug Rabson
Cc: freebsd-jail@freebsd.org
Subject: Re: Running pfctl inside a jail
Date: Mon, 08 Jun 2026 09:43:43 +0200
Message-ID: <96E80293-2013-452F-859C-B725EA7963CF@FreeBSD.org>
List-Id: Discussion about FreeBSD jail(8)
List-Archive: https://lists.freebsd.org/archives/freebsd-jail
On 7 Jun 2026, at 19:04, Doug Rabson wrote:
> While upgrading machines in my home lab to 15.0, I discovered that I can no
> longer run pfctl in a jail. Trying to run something simple like 'pfctl -s
> nat' fails with the error: "pfctl: DIOCGETRULES: Operation not permitted".
>
That’s unexpected. I’m not aware of any reason why that would not work.

That’s something the pf tests do consistently, and I’ve just tried on a
stable/15 machine and it also just worked.

Is the jail a different freebsd version from the host kernel?

Best regards,
Kristof

From: Doug Rabson
To: Kristof Provost
Cc: freebsd-jail@freebsd.org
Subject: Re: Running pfctl inside a jail
Date: Mon, 8 Jun 2026 09:00:38 +0100
In-Reply-To: <96E80293-2013-452F-859C-B725EA7963CF@FreeBSD.org>
On Mon, 8 Jun 2026 at 08:43, Kristof Provost wrote:
> On 7 Jun 2026, at 19:04, Doug Rabson wrote:
> > While upgrading machines in my home lab to 15.0, I discovered that I can no
> > longer run pfctl in a jail. Trying to run something simple like 'pfctl -s
> > nat' fails with the error: "pfctl: DIOCGETRULES: Operation not permitted".
> >
> That’s unexpected. I’m not aware of any reason why that would not work.
>
> That’s something the pf tests do consistently, and I’ve just tried on a
> stable/15 machine and it also just worked.
>
> Is the jail a different freebsd version from the host kernel?
>
In my smallest test-case, the host and jail use the same root filesystem
and the host is running 15.0-RELEASE-p8. I haven't tested with stable/15
yet. This reproduces the problem for me:

$ sudo pfctl -s nat
nat on bridge42 inet from <cni-nat> to any -> (bridge42) round-robin
nat on bridge42 inet6 from <cni-nat> to ! ff00::/8 -> (bridge42) round-robin
nat-anchor "cni-rdr/*" all
rdr-anchor "cni-rdr/*" all
$ cat jail-pfctl-15
#! /bin/sh
j=$(jail -ic name=pfctl-in-jail15 ip4=inherit ip6=inherit path=/ persist)
jexec $j pfctl -s nat
jail -r $j
$ sudo ./jail-pfctl-15
pfctl: DIOCGETRULES: Operation not permitted
$ freebsd-version -k
15.0-RELEASE-p8

Do the pf unit tests cover the case where the jail shares the host vnet?

Anyway, thanks for taking a look; I do have a workaround using the FreeBSD-14.x
version of pfctl but it would be nice to have this working properly on 15.x
as well.

Doug.

From: Kristof Provost
To: Doug Rabson
Cc: freebsd-jail@freebsd.org
Subject: Re: Running pfctl inside a jail
Date: Mon, 08 Jun 2026 10:36:59 +0200
Message-ID: <7C23D3B8-1A14-41B7-839A-580DB61E0403@FreeBSD.org>
References: <96E80293-2013-452F-859C-B725EA7963CF@FreeBSD.org>
On 8 Jun 2026, at 10:00, Doug Rabson wrote:
> In my smallest test-case, the host and jail use the same root filesystem
> and the host is running 15.0-RELEASE-p8. I haven't tested with stable/15
> yet. This reproduces the problem for me:
>
> $ sudo pfctl -s nat
> nat on bridge42 inet from <cni-nat> to any -> (bridge42) round-robin
> nat on bridge42 inet6 from <cni-nat> to ! ff00::/8 -> (bridge42) round-robin
> nat-anchor "cni-rdr/*" all
> rdr-anchor "cni-rdr/*" all
> $ cat jail-pfctl-15
> #! /bin/sh
> j=$(jail -ic name=pfctl-in-jail15 ip4=inherit ip6=inherit path=/ persist)
> jexec $j pfctl -s nat
> jail -r $j
> $ sudo ./jail-pfctl-15
> pfctl: DIOCGETRULES: Operation not permitted
> $ freebsd-version -k
> 15.0-RELEASE-p8
>
>
> Do the pf unit tests cover the case where the jail shares the host vnet?
>
Oh. No, no they do not. That’s just plain not supposed to work.

You only ever get to manage your own pf instance, never the one of a
parent jail.

Best regards,
Kristof
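A jail.conf(5) sketch of the two configurations at issue, added here as an illustration and not taken from the thread: the inherited-vnet jail from Doug's jail-pfctl-15 script beside a jail that owns a vnet and therefore has a pf instance of its own to manage. The jail names and the epair interface are assumptions.

```conf
# Added example, not from the thread or the FreeBSD project itself.
# Jail names and the epair interface are assumptions.

# Same shape as the jail-pfctl-15 script: shares the host network stack.
# On 15.0 "jexec pfctl-in-jail15 pfctl -s nat" fails with
# "pfctl: DIOCGETRULES: Operation not permitted": a jail may only manage
# its own pf instance, never the host's (its parent's).
pfctl-in-jail15 {
    path = "/";
    ip4 = inherit;
    ip6 = inherit;
    persist;
}

# Own network stack: pfctl inside this jail manages the jail's own pf
# instance, which starts with no rules of its own, so the host's NAT
# rules (the cni-nat entries above) are neither visible nor changeable.
pfctl-in-vnet-jail {
    path = "/";
    vnet;
    vnet.interface = "epair0b";
    exec.prestart = "ifconfig epair0 create up";
    exec.poststop = "ifconfig epair0a destroy";
    persist;
}
```

Which of the two a jail is can be read from `jls -n` (the `vnet` parameter); only the second kind gets a working `pfctl` inside the jail on 15.0, and managing the host's rules still has to happen from the host.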

From: Doug Rabson
To: Kristof Provost
Cc: freebsd-jail@freebsd.org
Subject: Re: Running pfctl inside a jail
Date: Mon, 8 Jun 2026 10:29:30 +0100
In-Reply-To: <7C23D3B8-1A14-41B7-839A-580DB61E0403@FreeBSD.org>
On Mon, 8 Jun 2026 at 09:37, Kristof Provost wrote:
> On 8 Jun 2026, at 10:00, Doug Rabson wrote:
> > In my smallest test-case, the host and jail use the same root filesystem
> > and the host is running 15.0-RELEASE-p8. I haven't tested with stable/15
> > yet. This reproduces the problem for me:
> >
> > $ sudo pfctl -s nat
> > nat on bridge42 inet from <cni-nat> to any -> (bridge42) round-robin
> > nat on bridge42 inet6 from <cni-nat> to ! ff00::/8 -> (bridge42) round-robin
> > nat-anchor "cni-rdr/*" all
> > rdr-anchor "cni-rdr/*" all
> > $ cat jail-pfctl-15
> > #! /bin/sh
> > j=$(jail -ic name=pfctl-in-jail15 ip4=inherit ip6=inherit path=/ persist)
> > jexec $j pfctl -s nat
> > jail -r $j
> > $ sudo ./jail-pfctl-15
> > pfctl: DIOCGETRULES: Operation not permitted
> > $ freebsd-version -k
> > 15.0-RELEASE-p8
> >
> >
> > Do the pf unit tests cover the case where the jail shares the host vnet?
> >
> Oh. No, no they do not. That’s just plain not supposed to work.
>
Historically, though, it has always worked, at least as far back as
FreeBSD-13 so this is a regression.

> You only ever get to manage your own pf instance, never the one of a
> parent jail.
>
It seems reasonable (to me at least) that if a jail inherits a vnet from
its parent, it should be able to manage that vnet. I see some evidence in
the history that at least parts of netlink are intended to work for jails
which don't have their own vnet (e.g.
https://cgit.freebsd.org/src/commit/sys/netlink?id=04f75b980293d517558990a7fda6900445edcac6).
I would also like to be able to create interfaces in non-vnet jails but
that is another conversation entirely.

For what it's worth, this pattern of delegating network management to a
privileged container is common on Linux. For instance, the Linux version of
kube-proxy as well as the popular Calico cluster networking stack uses this
pattern to manage interfaces and iptables rule sets.

Doug.

From: Kristof Provost
To: Doug Rabson
Cc: freebsd-jail@freebsd.org
Subject: Re: Running pfctl inside a jail
Date: Mon, 08 Jun 2026 11:42:04 +0200
Message-ID: <745947DE-75CC-4B1B-A0E4-0FAC7FF8E221@FreeBSD.org>
References: <96E80293-2013-452F-859C-B725EA7963CF@FreeBSD.org> <7C23D3B8-1A14-41B7-839A-580DB61E0403@FreeBSD.org>
Precedence: list MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: quoted-printable On 8 Jun 2026, at 11:29, Doug Rabson wrote: > On Mon, 8 Jun 2026 at 09:37, Kristof Provost wrote: > >> On 8 Jun 2026, at 10:00, Doug Rabson wrote: >>> In my smallest test-case, the host and jail use the same root filesys= tem >>> and the host is running 15.0-RELEASE-p8. I haven't tested with stable= /15 >>> yet. This reproduces the problem for me: >>> >>> $ sudo pfctl -s nat >>> nat on bridge42 inet from to any -> (bridge42) round-robin >>> nat on bridge42 inet6 from to ! ff00::/8 -> (bridge42) >> round-robin >>> nat-anchor "cni-rdr/*" all >>> rdr-anchor "cni-rdr/*" all >>> $ cat jail-pfctl-15 >>> #! /bin/sh >>> j=3D$(jail -ic name=3Dpfctl-in-jail15 ip4=3Dinherit ip6=3Dinherit pat= h=3D/ persist) >>> jexec $j pfctl -s nat >>> jail -r $j >>> $ sudo ./jail-pfctl-15 >>> pfctl: DIOCGETRULES: Operation not permitted >>> $ freebsd-version -k >>> 15.0-RELEASE-p8 >>> >>> >>> Do the pf unit tests cover the case where the jail shares the host vn= et? >>> >> Oh. No, no they do not. That=E2=80=99s just plain not supposed to work= =2E >> > > Historically, though, it has always worked, at least as far back as > FreeBSD-13 so this is a regression. > > >> You only ever get to manage your own pf instance, never the one of a >> parent jail. >> > > It seems reasonable (to me at least) that if a jail inherits a vnet fro= m > its parent, it should be able to manage that vnet. I see some evidence = in > the history that at least parts of netlink are intended to work for jai= ls > which don't have their own vnet (e.g. > https://cgit.freebsd.org/src/commit/sys/netlink?id=3D04f75b980293d51755= 8990a7fda6900445edcac6). That=E2=80=99s explicitly only for a handful of GET calls, not full manag= ement. For full management we=E2=80=99d need some way for users to specif= y that this is allowed, which we currently don=E2=80=99t have. 
I suspect the check you’re running into is https://cgit.freebsd.org/src/tree/sys/netlink/netlink_generic.c#n146

I actually raised the question of how to delegate these privs to regular users (so not child jails, but that’s probably going to require the same mechanism) last year: https://lists.freebsd.org/archives/freebsd-arch/2025-September/001042.html
That didn’t get any response and I didn’t chase it further at the time.

Best regards,
Kristof

From nobody Mon Jun 8 10:15:12 2026
From: Doug Rabson
To: Kristof Provost
Cc: freebsd-jail@freebsd.org
Subject: Re: Running pfctl inside a jail
Date: Mon, 8 Jun 2026 11:15:12 +0100
In-Reply-To: <745947DE-75CC-4B1B-A0E4-0FAC7FF8E221@FreeBSD.org>
References: <96E80293-2013-452F-859C-B725EA7963CF@FreeBSD.org> <7C23D3B8-1A14-41B7-839A-580DB61E0403@FreeBSD.org> <745947DE-75CC-4B1B-A0E4-0FAC7FF8E221@FreeBSD.org>
On Mon, 8 Jun 2026 at 10:42, Kristof Provost wrote:

> On 8 Jun 2026, at 11:29, Doug Rabson wrote:
> > On Mon, 8 Jun 2026 at 09:37, Kristof Provost wrote:
> >
> >> On 8 Jun 2026, at 10:00, Doug Rabson wrote:
> >>> In my smallest test-case, the host and jail use the same root filesystem
> >>> and the host is running 15.0-RELEASE-p8. I haven't tested with stable/15
> >>> yet. This reproduces the problem for me:
> >>>
> >>> $ sudo pfctl -s nat
> >>> nat on bridge42 inet from <cni-nat> to any -> (bridge42) round-robin
> >>> nat on bridge42 inet6 from <cni-nat> to ! ff00::/8 -> (bridge42) round-robin
> >>> nat-anchor "cni-rdr/*" all
> >>> rdr-anchor "cni-rdr/*" all
> >>> $ cat jail-pfctl-15
> >>> #! /bin/sh
> >>> j=$(jail -ic name=pfctl-in-jail15 ip4=inherit ip6=inherit path=/ persist)
> >>> jexec $j pfctl -s nat
> >>> jail -r $j
> >>> $ sudo ./jail-pfctl-15
> >>> pfctl: DIOCGETRULES: Operation not permitted
> >>> $ freebsd-version -k
> >>> 15.0-RELEASE-p8
> >>>
> >>>
> >>> Do the pf unit tests cover the case where the jail shares the host vnet?
> >>>
> >> Oh. No, no they do not. That’s just plain not supposed to work.
> >>
> >
> > Historically, though, it has always worked, at least as far back as
> > FreeBSD-13 so this is a regression.
> >
> >
> >> You only ever get to manage your own pf instance, never the one of a
> >> parent jail.
> >>
> >
> > It seems reasonable (to me at least) that if a jail inherits a vnet from
> > its parent, it should be able to manage that vnet. I see some evidence in
> > the history that at least parts of netlink are intended to work for jails
> > which don't have their own vnet (e.g.
> > https://cgit.freebsd.org/src/commit/sys/netlink?id=04f75b980293d517558990a7fda6900445edcac6).
>
> That’s explicitly only for a handful of GET calls, not full management.
> For full management we’d need some way for users to specify that this is
> allowed, which we currently don’t have.
>
> I suspect the check you’re running into is
> https://cgit.freebsd.org/src/tree/sys/netlink/netlink_generic.c#n146
>
> I actually raised the question of how to delegate these privs to regular
> users (so not child jails, but that’s probably going to require the same
> mechanism) last year:
> https://lists.freebsd.org/archives/freebsd-arch/2025-September/001042.html
> That didn’t get any response and I didn’t chase it further at the time.
>

I like the idea of adding PRIV_NETINET_PF_RO and presumably adding jail allow flag(s) to responsibly grant these privileges to a jail. I am not entirely sure how that would work for users, though. I guess the MAC framework sits in the right place but I don't understand MAC at all.

Doug.


From nobody Wed Jun 10 04:01:25 2026
From: bugzilla-noreply@freebsd.org
To: jail@FreeBSD.org
Subject: [Bug 295052] The jail(8) command leaks potentially sensitive file descriptors to exec.* hooks.
Date: Wed, 10 Jun 2026 04:01:25 +0000
X-Bugzilla-Product: Base System
X-Bugzilla-Component: conf
X-Bugzilla-Version: 15.0-RELEASE
X-Bugzilla-Keywords: security
X-Bugzilla-Status: In Progress
X-Bugzilla-Assigned-To: kevans@freebsd.org
X-Bugzilla-Flags: mfc-stable15? mfc-stable14?

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=295052

--- Comment #19 from commit-hook@FreeBSD.org ---
A commit in branch stable/14 references this bug:

URL: https://cgit.FreeBSD.org/src/commit/?id=ee07da0c1e95d307d5120ac6a8a0ea5ccb88e61b

commit ee07da0c1e95d307d5120ac6a8a0ea5ccb88e61b
Author:     Jan Bramkamp
AuthorDate: 2026-05-06 23:28:53 +0000
Commit:     Kyle Evans
CommitDate: 2026-06-10 04:00:47 +0000

    jail: open the fstab files with fopen("re")

    This protects against accidentally leaking them past fork()+exec() in
    future refactorings.
    PR:             295052
    Reviewed by:    kevans

    (cherry picked from commit 58811b0ae096c134af372bcf475aea1d8d0e3c08)

 usr.sbin/jail/config.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

-- 
You are receiving this mail because:
You are on the CC list for the bug.

From nobody Wed Jun 10 04:02:34 2026
From: bugzilla-noreply@freebsd.org
To: jail@FreeBSD.org
Subject: [Bug 295052] The jail(8) command leaks potentially sensitive file descriptors to exec.* hooks.
Date: Wed, 10 Jun 2026 04:02:34 +0000

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=295052

--- Comment #20 from commit-hook@FreeBSD.org ---
A commit in branch stable/15 references this bug:

URL: https://cgit.FreeBSD.org/src/commit/?id=a03b45d38f8fc312a7a86c3ac2e4bdcbbad9f4d3

commit a03b45d38f8fc312a7a86c3ac2e4bdcbbad9f4d3
Author:     Jan Bramkamp
AuthorDate: 2026-05-06 23:28:53 +0000
Commit:     Kyle Evans
CommitDate: 2026-06-10 04:00:36 +0000

    jail: open the fstab files with fopen("re")

    This protects against accidentally leaking them past fork()+exec() in
    future refactorings.

    PR:             295052
    Reviewed by:    kevans

    (cherry picked from commit 58811b0ae096c134af372bcf475aea1d8d0e3c08)

 usr.sbin/jail/config.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
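The two commit notices above (stable/14 and stable/15) both describe the same one-line fix: opening the fstab files with fopen("re") so the descriptors cannot leak past fork()+exec() into an exec.* hook. As an added example, not code from jail(8) or from the commit, the following C program shows what the "e" mode letter does (it sets FD_CLOEXEC atomically at open time, a FreeBSD and glibc extension to fopen(3)) and pairs it with a small audit helper that counts the descriptors a child would inherit across exec(). It opens /dev/null as a stand-in for the fstab files; the function names are the example's own.

```c
/*
 * Added example, not part of jail(8) or the referenced commit.
 * Demonstrates why fopen("re") is safer than fopen("r") before a
 * fork()+exec() of an untrusted hook: the "e" letter sets FD_CLOEXEC
 * on the underlying descriptor at open time, so exec() closes it.
 * Uses POSIX fcntl(2) plus the "e" fopen(3) mode extension that both
 * FreeBSD libc and glibc accept.
 */
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdio.h>
#include <unistd.h>

/* Return 1 if fd has FD_CLOEXEC set, 0 if not, -1 if fd is not open. */
int fd_is_cloexec(int fd)
{
    int flags = fcntl(fd, F_GETFD);
    if (flags < 0)
        return -1;
    return (flags & FD_CLOEXEC) ? 1 : 0;
}

/*
 * Open /dev/null (stand-in for a jail fstab file) with the given
 * fopen(3) mode and report whether the descriptor would survive exec().
 * Returns 1 if it is closed on exec, 0 if it would be inherited,
 * -1 if the open itself failed.
 */
int mode_is_exec_safe(const char *mode)
{
    FILE *fp = fopen("/dev/null", mode);
    if (fp == NULL)
        return -1;
    int rc = fd_is_cloexec(fileno(fp));
    fclose(fp);
    return rc;
}

/*
 * Audit helper: count open descriptors in [3, max_fd) that lack
 * FD_CLOEXEC, i.e. exactly the set an exec()ed hook would inherit
 * unless the caller closes them by hand. 0-2 are skipped because a
 * hook is expected to receive stdin/stdout/stderr.
 */
int count_leakable_fds(int max_fd)
{
    int n = 0;
    for (int fd = 3; fd < max_fd; fd++)
        if (fd_is_cloexec(fd) == 0)
            n++;
    return n;
}

/*
 * Show the difference the fix makes: open the file the old way and the
 * fixed way, measuring how many leakable descriptors each adds relative
 * to the process baseline. Returns (added by "r") - (added by "re"),
 * which is 1: plain "r" adds one inheritable fd, "re" adds none.
 */
int leak_delta(void)
{
    int base = count_leakable_fds(256);

    FILE *plain = fopen("/dev/null", "r");   /* old: inherited by hooks */
    int with_plain = count_leakable_fds(256) - base;
    if (plain != NULL)
        fclose(plain);

    FILE *safe = fopen("/dev/null", "re");   /* fixed: FD_CLOEXEC set */
    int with_safe = count_leakable_fds(256) - base;
    if (safe != NULL)
        fclose(safe);

    return with_plain - with_safe;
}

int main(void)
{
    printf("fopen(\"r\")  closed on exec: %d\n", mode_is_exec_safe("r"));
    printf("fopen(\"re\") closed on exec: %d\n", mode_is_exec_safe("re"));
    printf("leakable fds added by \"r\" minus \"re\": %d\n", leak_delta());
    return 0;
}
```

The audit helper is the useful part for reviewing similar code: calling it immediately before the fork() that runs a hook tells you how many descriptors that hook would see, independent of how each was opened. Setting the close-on-exec flag at open time, rather than with a later fcntl(F_SETFD), also closes the window in which another thread could fork() between the open and the flag change.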