VNET jails and PF service

Goran Mekić meka at tilda.center
Thu Dec 13 11:35:10 UTC 2018


On Thu, Dec 13, 2018 at 09:30:12AM +0100, Kristof Provost wrote:
> On 2018-12-13 01:02:32 (+0100), Goran Mekić <meka at tilda.center> wrote:
> > I can't start PF as a service from a vnet jail. I have a devfs rule to unhide
> > bpf (for dhclient) and pf that the jail is using. I can run "pfctl -e -f
> > /etc/pf.conf" but "service pf start" fails with:
> >
> > kldload: can't load pf: Operation not permitted
> > /etc/rc.d/pf: WARNING: Unable to load kernel module pf
> >
> Yes, jails can't load kernel modules, for obvious reasons.
> Your host needs to load the pf module, then the jail will be able to use
> it.

I did load it on the host, that's why "pfctl -e -f /etc/pf.conf" works
in the jail, but "service pf start" doesn't.


More information about the freebsd-pf mailing list