Re: pfctl requires root capabilities when checking pf rules

From: Kristof Provost <kp_at_FreeBSD.org>
Date: Wed, 24 Sep 2025 09:49:02 UTC
On 23 Sep 2025, at 9:30, Peter Libassi wrote:
> I've pkg upgraded 14.3 to 15.0-ALPHA3 and noticed a difference in pfctl.
>
> peter@smaug:~/pf $ uname -aUK
> FreeBSD smaug 15.0-ALPHA3 FreeBSD 15.0-ALPHA3 stable/15-n280233-26988773d1da GENERIC amd64 1500064 1500064
>
> peter@smaug:~/pf $ pfctl -nvf pf.conf
> pfctl: Failed to open netlink: Bad file descriptor
>
> peter@smaug:~/pf $ id
> uid=1001(peter) gid=1001(peter) groups=0(wheel),1001(peter)
>
> peter@smaug:~/pf $ doas pfctl -nvf pf.conf
> (works)
>
> Is this (new) expected behavior, incomplete upgrade or a bug?
>
It’s not quite new default behaviour, in the sense that /dev/pf defaults to 600, so by default you do need to be root even on 14.3. Presumably you have a devfs rule to change that.

The netlink calls all require PRIV_NET_PF now.
We could not require that for read calls, but that’d be a default change too.

As far as I know there’s no good way to get the equivalent of chmod xyz /dev/pf with netlink.
I posted about this issue on freebsd-arch: https://lists.freebsd.org/archives/freebsd-arch/2025-September/001042.html but haven’t had any suggestions yet.

—
Kristof
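For reference, the kind of devfs rule Kristof presumes is in place: an added configuration example, not part of the original thread, that relaxes the default 600 mode on /dev/pf for the wheel group on 14.x. The ruleset name, number and group are assumptions.

```conf
# /etc/devfs.rules (added example; ruleset name, number and group are assumptions)
# Grant group wheel read access to /dev/pf instead of the default 0600 root-only mode.
[devfsrules_pf_readonly=100]
add path 'pf' mode 0640 group wheel

# /etc/rc.conf: apply the ruleset at boot (or now with: service devfs restart)
devfs_system_ruleset="devfsrules_pf_readonly"
```

On 14.3 this is enough for a wheel user to run read-only pfctl commands such as `pfctl -nvf pf.conf`; on 15.0 it no longer is, because the netlink path pfctl now uses checks PRIV_NET_PF regardless of the device node's mode, which is why the unprivileged run above fails while `doas pfctl` works.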