Solved: pf is not started inside jail

I've made an amazing discovery today. All of my firewalls inside jails are not started!
They work if I manually restart them with service pf restart inside the jail.
Code:
abishai@artifactory:~ % doas service pf status
/etc/rc.d/pf: DEBUG: checkyesno: pf_enable is set to YES.
/etc/rc.d/pf: DEBUG: run_rc_command: doit: pf_status
Status: Disabled Debug: Urgent
I added rc_debug to the jail's rc.conf - it looks like pf is not even analyzed.
 
Looks like pf has
Code:
# KEYWORD: nojail
I'll patch it in all of my jails to
Code:
# KEYWORD: nojailvnet
Probably a bug.
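As an added illustration (not code from the post above, nor FreeBSD's own /etc/rc), the following portable sh script re-implements the keyword filter that /etc/rc applies through "rcorder -s <keyword>" when it chooses which /etc/rc.d scripts to start, so the difference between a "nojail" and a "nojailvnet" header can be tried outside a jail. It assumes the FreeBSD 12 behaviour: "nostart" is always skipped, "nojail" is added when security.jail.jailed is 1, and "nojailvnet" is added only when jailed and security.jail.vnet is not 1; verify against the /etc/rc of your release. The two sysctl values are passed as arguments rather than read from the kernel, the sample rc.d headers are constructed inline, and the names pf_11, pf_12, keywords_of, skip_set, decide, make_samples and demo are my own.

```sh
#!/bin/sh
# Added example, not code from the forum post or from FreeBSD. It re-implements
# the keyword filter that /etc/rc applies (via "rcorder -s <keyword>") when it
# picks which /etc/rc.d scripts to start, so the nojail / nojailvnet difference
# can be checked on any POSIX sh. Assumption: /etc/rc on FreeBSD 12 skips
# "nostart" always, adds "nojail" when security.jail.jailed=1, and adds
# "nojailvnet" only when jailed and security.jail.vnet!=1. Here those two
# sysctl values are passed as arguments instead of being read from the kernel.

# keywords_of FILE: the words on the script's "# KEYWORD:" header line.
keywords_of() {
    sed -n 's/^#[[:space:]]*KEYWORD:[[:space:]]*//p' "$1"
}

# skip_set JAILED VNET: the keywords rcorder would be told to skip.
skip_set() {
    skip="nostart"
    if [ "$1" -eq 1 ]; then
        skip="$skip nojail"
        if [ "$2" -ne 1 ]; then
            skip="$skip nojailvnet"
        fi
    fi
    echo "$skip"
}

# decide FILE JAILED VNET: print "start" or "skip" for one rc.d script.
decide() {
    for kw in $(keywords_of "$1"); do
        for s in $(skip_set "$2" "$3"); do
            if [ "$kw" = "$s" ]; then
                echo skip
                return 0
            fi
        done
    done
    echo start
}

# make_samples: constructed rc.d headers in a temp dir (file names are
# illustrative, the KEYWORD values are the two the thread discusses):
#   pf_11 - pf script with "nojail", as the 11.x tree ships it per the thread
#   pf_12 - pf script with "nojailvnet", as the 12.x tree ships it
#   sshd  - a script with an unrelated keyword, for contrast
make_samples() {
    dir=$(mktemp -d) || exit 1
    printf '#!/bin/sh\n# PROVIDE: pf\n# KEYWORD: nojail\n'     > "$dir/pf_11"
    printf '#!/bin/sh\n# PROVIDE: pf\n# KEYWORD: nojailvnet\n' > "$dir/pf_12"
    printf '#!/bin/sh\n# PROVIDE: sshd\n# KEYWORD: shutdown\n' > "$dir/sshd"
    echo "$dir"
}

# demo: one line per script, across host / non-VNET jail / VNET jail.
demo() {
    d=$(make_samples)
    for f in pf_11 pf_12 sshd; do
        printf '%-6s host=%-5s jail=%-5s vnet_jail=%s\n' "$f" \
            "$(decide "$d/$f" 0 0)" "$(decide "$d/$f" 1 0)" "$(decide "$d/$f" 1 1)"
    done
    if [ -n "$d" ]; then rm -rf "$d"; fi
}

demo
```

The output shows why the post's symptom appears: with the "nojail" header, pf is skipped in every jail, VNET or not, while the "nojailvnet" header skips it only in jails without their own network stack. Running "service pf status" by hand does not go through this filter, which is why the script works when started manually. On a real jail the equivalent check is to read the KEYWORD line of the jail's /etc/rc.d/pf and the values of sysctl security.jail.jailed and security.jail.vnet from inside the jail.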
 
The RC script has the correct keyword in head and stable/12 (also all 12.X releases).
stable/11 does not have the correct keyword (also all 11.X releases).

Do you use mergemaster or any other tool to merge config files when you update your jails?
 
VNET is not (officially) supported in 11. There are too many bugs there for it to be safe to use. If you want VNET jails you really want to be running 12.
 
Unfortunately, it looks like there are even more bugs in 12.1 with VNET jails. The system panics when jails are stopped.
 