Re: pfctl requires root capabilities when checking pf rules
- In reply to: Kristof Provost : "Re: pfctl requires root capabilities when checking pf rules"
Date: Wed, 24 Sep 2025 11:26:22 UTC
> On 24 Sep 2025, at 11:49, Kristof Provost <kp@freebsd.org> wrote:
>
> On 23 Sep 2025, at 9:30, Peter Libassi wrote:
>> I've pkg-upgraded 14.3 to 15.0-ALPHA3 and noticed a difference in pfctl.
>>
>> peter@smaug:~/pf $ uname -aUK
>> FreeBSD smaug 15.0-ALPHA3 FreeBSD 15.0-ALPHA3 stable/15-n280233-26988773d1da GENERIC amd64 1500064 1500064
>>
>> peter@smaug:~/pf $ pfctl -nvf pf.conf
>> pfctl: Failed to open netlink: Bad file descriptor
>>
>> peter@smaug:~/pf $ id
>> uid=1001(peter) gid=1001(peter) groups=0(wheel),1001(peter)
>>
>> peter@smaug:~/pf $ doas pfctl -nvf pf.conf
>> (works)
>>
>> Is this (new) expected behavior, an incomplete upgrade or a bug?
>>
> It’s not quite new default behaviour, in the sense that /dev/pf defaults to 600, so by default you do need to be root even on 14.3. Presumably you have a devfs rule to change that.
>
> The netlink calls all require PRIV_NET_PF now.
> We could not require that for read calls, but that’d be a default change too.
>
> As far as I know there’s no good way to get the equivalent of chmod xyz /dev/pf with netlink.
> I posted about this issue on freebsd-arch: https://lists.freebsd.org/archives/freebsd-arch/2025-September/001042.html but haven’t had any suggestions yet.
>
> —
> Kristof

Thanks Kristof!

I added the line below to /etc/devfs.conf on my 15.0-ALPHA3 and restarted devfs:

perm pf 0660

Now pfctl works for a member of the 'wheel' group.

However, none of my production 14.3-RELEASE-p2 systems have any modifications to /etc/devfs.conf or /etc/devfs.rules, they have 600 on /dev/pf, and pfctl still works with an ordinary user.

So I guess something broken just got fixed in 15.0-ALPHA3 ;-)

/Peter
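The exchange above turns on two things: the permission bits and owning group of the /dev/pf node, and whether the line in /etc/devfs.conf actually changes them. The script below is an added example, not code from the thread or from FreeBSD; it separates the pure decision logic (which you can run anywhere, on constructed inputs) from a live check that only runs on a FreeBSD host with /dev/pf present. It assumes the devfs.conf(5) line format "action device argument" and the FreeBSD stat(1) format string '%OLp %Sg' (octal permission bits, then group name); both are what the script relies on, not something the thread states. It only evaluates the device node permissions that devfs.conf controls; it says nothing about the PRIV_NET_PF check on the netlink path that Kristof describes, which a devfs permission cannot change.

```shell
#!/bin/sh
# Added example (not from the thread): decide whether a non-root user can open
# a pf device node given its mode and owning group, and read the mode that a
# devfs.conf file would apply to it. Only the last section touches a real
# system, and only on FreeBSD with /dev/pf present.

# can_open MODE OWNER_GROUP "USER_GROUPS" NEED
#   MODE         octal node mode as stat prints it, e.g. 600 or 0660
#   OWNER_GROUP  group owning the node (wheel for /dev/pf out of the box)
#   USER_GROUPS  the user's groups, space separated (what `id -Gn` prints)
#   NEED         r for a read-only open, rw for read-write
# Succeeds (0) when the group or the other bits grant the requested access.
# Owner bits are ignored on purpose: /dev/pf is owned by root, and root is
# not subject to these bits anyway.
can_open() {
    mode=$1; ogrp=$2; ugroups=$3; need=$4
    case ${#mode} in 3) mode=0$mode ;; esac       # 600 -> 0600
    grp_digit=${mode%?}; grp_digit=${grp_digit#??} # third digit of 0660 -> 6
    oth_digit=${mode#???}                          # fourth digit of 0660 -> 0
    case $need in
        r)  mask=4 ;;
        rw) mask=6 ;;
        *)  echo "can_open: NEED must be r or rw" >&2; return 2 ;;
    esac
    in_group=1
    for g in $ugroups; do
        [ "$g" = "$ogrp" ] && in_group=0
    done
    # Group bits count only if the user is in the owning group; other bits always.
    if [ $in_group -eq 0 ] && [ $((grp_digit & mask)) -eq $mask ]; then
        return 0
    fi
    [ $((oth_digit & mask)) -eq $mask ]
}

# devfs_conf_mode FILE DEVICE
#   Prints the argument of the last "perm DEVICE MODE" line in FILE, using the
#   devfs.conf "action device argument" layout; prints nothing when no such
#   line exists, i.e. the node keeps its default (600 for pf).
devfs_conf_mode() {
    result=
    while read -r action device arg rest; do
        case $action in ''|'#'*) continue ;; esac   # skip blank and comment lines
        [ "$action" = perm ] && [ "$device" = "$2" ] && result=$arg
    done < "$1"
    printf '%s\n' "$result"
}

# Live check, FreeBSD only: report what the running system actually has.
# Assumes FreeBSD stat(1) format '%OLp %Sg' -> e.g. "600 wheel".
if [ "$(uname -s)" = FreeBSD ] && [ -c /dev/pf ]; then
    set -- $(stat -f '%OLp %Sg' /dev/pf)
    mygroups=$(id -Gn)
    printf '/dev/pf mode %s group %s; you are in: %s\n' "$1" "$2" "$mygroups"
    if can_open "$1" "$2" "$mygroups" r; then
        echo "node permissions allow a read-only open"
    else
        echo "node permissions deny a read-only open"
    fi
    if can_open "$1" "$2" "$mygroups" rw; then
        echo "node permissions allow a read-write open (full pf control)"
    else
        echo "node permissions deny a read-write open"
    fi
    if [ -f /etc/devfs.conf ]; then
        printf 'devfs.conf perm for pf: %s\n' "$(devfs_conf_mode /etc/devfs.conf pf)"
    fi
fi
```

Two points the numbers make clear. With the default 0600 node the wheel membership shown in Peter's `id` output buys nothing, because only the owner bits are set. With "perm pf 0660" every wheel member gets the write bit too, so they can load rules and not just check them; a 0640 line would limit wheel to read-only opens, but whether that is enough for `pfctl -n` on 15.0 has to be verified on the host, since the netlink side is governed by PRIV_NET_PF rather than by the node's mode. Note also that /etc/devfs.conf is applied by the devfs rc script on the root devfs, so the change needs `service devfs restart` (as Peter did) or a reboot to take effect.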