https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=289234
Kristof Provost <[email protected]> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |[email protected]

--- Comment #1 from Kristof Provost <[email protected]> ---
I suspect you're mis-identifying the problem. It's not that you're running in a jail (which works just fine, because that's how the pf tests work), but that you're not running as root. (Or to be pedantic, which we all enjoy, as a user without the NETINET_PF privilege.)

By default /dev/pf has mode 600, so arguably nothing has changed, but it's true that users can make the choice to allow regular users to access certain pf calls (mostly read operations) with the old style ioctl interface and can't really do that with the new netlink interface.

We could remove the NETINET_PF requirement for those read calls, but that'd be equivalent to changing the default on /dev/pf to 666, which I also don't think is a good idea.

I'm not quite sure what the best way forward is, in that regard. I'm inclined to say users should grant the NETINET_PF privilege to any account they want to give pf access to. Perhaps we should also introduce NETINET_PF_RO (i.e. read-only) for the read calls, so that it's possible to allow read access without giving full firewall access.

-- 
You are receiving this mail because:
You are the assignee for the bug.
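The distinction the comment draws (jail versus missing NETINET_PF privilege, and /dev/pf mode versus the netlink path) as a small diagnostic script. This is an added example, not code from the bug report or from FreeBSD; `pf_access_reason` and `pf_access_probe` are names chosen here, and the probe assumes the FreeBSD `id`, `stat -f` and `sysctl` commands.

```sh
#!/bin/sh
# Added example, not from the bug report: tell apart the two things the comment
# above distinguishes, "running in a jail" (not a problem for pf) and "running
# without PRIV_NETINET_PF" (the real cause). pf_access_reason takes the facts
# as arguments so it can be exercised offline; pf_access_probe (assumed FreeBSD
# commands: id, stat -f, sysctl) collects them on a live host.
#
# Assumption: only uid 0 holds PRIV_NETINET_PF unless an admin grants it.
# $1 = effective uid, $2 = permission bits of /dev/pf in octal (e.g. 600),
# $3 = security.jail.jailed (0 or 1)
pf_access_reason() {
    uid=$1; mode=$2; jailed=$3
    where=host
    [ "$jailed" = 1 ] && where=jail

    if [ "$uid" = 0 ]; then
        # Root holds the privilege, so both the old ioctl path and the new
        # netlink path work, whether or not this is a (vnet) jail.
        echo "ok: root in $where holds PRIV_NETINET_PF"
        return 0
    fi

    # Unprivileged user. The legacy ioctl path is gated by the /dev/pf node
    # mode; the netlink path is gated by the privilege, which chmod cannot grant.
    case "$mode" in
        *[4567])
            echo "partial: /dev/pf mode $mode allows legacy ioctl reads in $where, netlink calls still need PRIV_NETINET_PF"
            return 2 ;;
        *)
            echo "denied: no PRIV_NETINET_PF and /dev/pf mode $mode in $where"
            return 3 ;;
    esac
}

# Live probe for a FreeBSD host or jail (not used by the offline checks).
pf_access_probe() {
    pf_access_reason "$(id -u)" "$(stat -f '%Lp' /dev/pf)" "$(sysctl -n security.jail.jailed)"
}
```

Run `pf_access_probe` as the account that fails to use pfctl; a "denied" or "partial" result points at the privilege, not the jail.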
