diff --git a/sys/kern/kern_jail.c b/sys/kern/kern_jail.c
--- a/sys/kern/kern_jail.c
+++ b/sys/kern/kern_jail.c
@@ -3440,6 +3440,7 @@
 #endif
 	case AF_LOCAL:
 	case AF_ROUTE:
+	case AF_NETLINK:
 		break;
 	default:
 		if (!(pr->pr_allow & PR_ALLOW_SOCKET_AF))
diff --git a/sys/netlink/netlink_ctl.h b/sys/netlink/netlink_ctl.h
--- a/sys/netlink/netlink_ctl.h
+++ b/sys/netlink/netlink_ctl.h
@@ -81,6 +81,7 @@
 bool nl_has_listeners(int netlink_family, uint32_t groups_mask);
 bool nlp_has_priv(struct nlpcb *nlp, int priv);
 struct ucred *nlp_get_cred(struct nlpcb *nlp);
+bool nlp_unconstrained_vnet(const struct nlpcb *nlp);
 
 /* netlink_generic.c */
 struct genl_cmd {
diff --git a/sys/netlink/netlink_domain.c b/sys/netlink/netlink_domain.c
--- a/sys/netlink/netlink_domain.c
+++ b/sys/netlink/netlink_domain.c
@@ -36,6 +36,7 @@
 #include <sys/lock.h>
 #include <sys/rmlock.h>
 #include <sys/domain.h>
+#include <sys/jail.h>
 #include <sys/mbuf.h>
 #include <sys/protosw.h>
 #include <sys/proc.h>
@@ -111,6 +112,10 @@
 	MPASS(group_id <= NLP_MAX_GROUPS);
 	--group_id;
 
+	/* TODO: add family handler callback */
+	if (!nlp_unconstrained_vnet(nlp))
+		return;
+
 	nlp->nl_groups[group_id / 64] |= (uint64_t)1 << (group_id % 64);
 }
 
@@ -212,6 +217,12 @@
 	return (priv_check_cred(nlp->nl_cred, priv) == 0);
 }
 
+bool
+nlp_unconstrained_vnet(const struct nlpcb *nlp)
+{
+	return (nlp->nl_unconstrained_vnet);
+}
+
 struct ucred *
 nlp_get_cred(struct nlpcb *nlp)
 {
@@ -308,6 +319,7 @@
 	nlp->nl_process_id = curproc->p_pid;
 	nlp->nl_linux = is_linux;
 	nlp->nl_active = true;
+	nlp->nl_unconstrained_vnet = !jailed_without_vnet(so->so_cred);
 	NLP_LOCK_INIT(nlp);
 	refcount_init(&nlp->nl_refcount, 1);
 	nl_init_io(nlp);
diff --git a/sys/netlink/netlink_generic.c b/sys/netlink/netlink_generic.c
--- a/sys/netlink/netlink_generic.c
+++ b/sys/netlink/netlink_generic.c
@@ -31,6 +31,7 @@
 #include <sys/ck.h>
 #include <sys/epoch.h>
 #include <sys/kernel.h>
+#include <sys/jail.h>
 #include <sys/lock.h>
 #include <sys/malloc.h>
 #include <sys/priv.h>
diff --git a/sys/netlink/netlink_route.c b/sys/netlink/netlink_route.c
--- a/sys/netlink/netlink_route.c
+++ b/sys/netlink/netlink_route.c
@@ -93,6 +93,11 @@
 	} else if (cmd->priv != 0)
 		NLP_LOG(LOG_DEBUG3, nlp, "priv %d check passed for msg %s", cmd->priv, cmd->name);
 
+	if (!nlp_unconstrained_vnet(nlp) && (cmd->flags & RTNL_F_ALLOW_NONVNET_JAIL) == 0) {
+		NLP_LOG(LOG_DEBUG2, nlp, "jail check failed for msg %s", cmd->name);
+		return (EPERM);
+	}
+
 	bool need_epoch = !(cmd->flags & RTNL_F_NOEPOCH);
 
 	if (need_epoch)
diff --git a/sys/netlink/netlink_var.h b/sys/netlink/netlink_var.h
--- a/sys/netlink/netlink_var.h
+++ b/sys/netlink/netlink_var.h
@@ -61,6 +61,7 @@
         bool			nl_task_pending;
 	bool			nl_tx_blocked; /* No new requests accepted */
 	bool			nl_linux; /* true if running under compat */
+	bool			nl_unconstrained_vnet; /* true if running under VNET jail (or without jail) */
 	struct nl_io_queue	rx_queue;
 	struct nl_io_queue	tx_queue;
 	struct taskqueue	*nl_taskqueue;
diff --git a/sys/netlink/route/iface.c b/sys/netlink/route/iface.c
--- a/sys/netlink/route/iface.c
+++ b/sys/netlink/route/iface.c
@@ -32,6 +32,7 @@
 #include <sys/types.h>
 #include <sys/eventhandler.h>
 #include <sys/kernel.h>
+#include <sys/jail.h>
 #include <sys/malloc.h>
 #include <sys/socket.h>
 #include <sys/sockio.h>
@@ -61,6 +62,7 @@
 	struct nl_writer *nw;
 	struct nlmsghdr hdr;
 	struct nlpcb *so;
+	struct ucred *cred;
 	uint32_t fibnum;
 	int family;
 	int error;
@@ -833,6 +835,8 @@
 			continue;
 		if (ifa->ifa_addr->sa_family == AF_LINK)
 			continue;
+		if (prison_if(wa->cred, ifa->ifa_addr) != 0)
+			continue;
 		wa->count++;
 		if (!dump_iface_addr(wa->nw, ifp, ifa, &wa->hdr))
 			return (ENOMEM);
@@ -856,6 +860,7 @@
 	struct netlink_walkargs wa = {
 		.so = nlp,
 		.nw = npt->nw,
+		.cred = nlp_get_cred(nlp),
 		.family = attrs.ifa_family,
 		.hdr.nlmsg_pid = hdr->nlmsg_pid,
 		.hdr.nlmsg_seq = hdr->nlmsg_seq,
@@ -977,7 +982,7 @@
 		.cmd = NL_RTM_GETLINK,
 		.name = "RTM_GETLINK",
 		.cb = &rtnl_handle_getlink,
-		.flags = RTNL_F_NOEPOCH,
+		.flags = RTNL_F_NOEPOCH | RTNL_F_ALLOW_NONVNET_JAIL,
 	},
 	{
 		.cmd = NL_RTM_DELLINK,
@@ -997,6 +1002,7 @@
 		.cmd = NL_RTM_GETADDR,
 		.name = "RTM_GETADDR",
 		.cb = &rtnl_handle_getaddr,
+		.flags = RTNL_F_ALLOW_NONVNET_JAIL,
 	},
 	{
 		.cmd = NL_RTM_NEWADDR,
diff --git a/sys/netlink/route/route_var.h b/sys/netlink/route/route_var.h
--- a/sys/netlink/route/route_var.h
+++ b/sys/netlink/route/route_var.h
@@ -48,7 +48,8 @@
 	int		flags;
 };
 
-#define	RTNL_F_NOEPOCH	0x01
+#define	RTNL_F_NOEPOCH			0x01	/* Do not enter epoch when handling command */
+#define	RTNL_F_ALLOW_NONVNET_JAIL	0x02	/* Allow command execution inside non-VNET jail */
 
 bool rtnl_register_messages(const struct rtnl_cmd_handler *handlers, int count);
 
diff --git a/sys/netlink/route/rt.c b/sys/netlink/route/rt.c
--- a/sys/netlink/route/rt.c
+++ b/sys/netlink/route/rt.c
@@ -513,6 +513,8 @@
 	wa->count++;
 	if (wa->error != 0)
 		return (0);
+	if (!rt_is_exportable(rt, nlp_get_cred(wa->nlp)))
+		return (0);
 	wa->dumped++;
 
 	rt_get_rnd(rt, &wa->rnd);
@@ -606,6 +608,9 @@
 
 	RIB_RUNLOCK(rnh);
 
+	if (!rt_is_exportable(rt, nlp_get_cred(nlp)))
+		return (ESRCH);
+
 	IF_DEBUG_LEVEL(LOG_DEBUG2) {
 		char rtbuf[NHOP_PRINT_BUFSIZE] __unused, nhbuf[NHOP_PRINT_BUFSIZE] __unused;
 		FIB_LOG(LOG_DEBUG2, fibnum, family, "getroute completed: got %s for %s",
@@ -1026,6 +1031,7 @@
 		.cmd = NL_RTM_GETROUTE,
 		.name = "RTM_GETROUTE",
 		.cb = &rtnl_handle_getroute,
+		.flags = RTNL_F_ALLOW_NONVNET_JAIL,
 	},
 	{
 		.cmd = NL_RTM_DELROUTE,