/dev/pf is usable in vnet jails, so don't hide the node there.
We shouldn't expose /dev/pf in regular jails, as that gives them control
over the host (or parent vnet jail) firewall.
kp on Wed, Sep 23, 7:14 PM.Authored by
Did we ever fix this one?
jail (and ezjail) already make it possible to set the desired devise rules, so in that respect it's already done.