added netfilter-default config option in /etc/firejail/firejail.config

RELNOTES

@@ -1,4 +1,4 @@
-firejail (0.9.42~rc1) baseline; urgency=low
+firejail (0.9.42~rc2) baseline; urgency=low
   * deprecated --user option, please use "sudo -u username firejail" instead
   * --read-write option rework
   * allow symlinks in home directory for --whitelist option
@@ -12,6 +12,7 @@ firejail (0.9.42~rc1) baseline; urgency=low
   * seccomp filter updated
   * compile time and run time support to disable whitelists
   * compile time support to disable global configuration file
+  * added netfilter-default config option in /etc/firejail/firejail.config
   * new profiles: Gitter, gThumb, mpv, Franz messenger, LibreOffice
   * new profiles: pix, audacity, strings, xz, xzdec, gzip, cpio, less
   * new profiles: Atom Beta, Atom, jitsi, eom

etc/firejail.config

@@ -27,6 +27,13 @@
 # --netfilter only to root user. Regular users are only allowed --net=none.
 # restricted-network no
 
+# Change default netfilter configuration. When using --netfilter option without
+# a file argument, the default filter is hardcoded (see man 1 firejail). This
+# configuration entry allows the user to change the default by specifying
+# a file containing the filter configuration. The filter file format is the
+# format of  iptables-save  and iptable-restore commands. Example:
+# netfilter-default /etc/iptables.iptables.rules
+
 # Enable or disable seccomp support, default enabled.
 # seccomp yes
 

etc/nolocal.net

@@ -4,7 +4,8 @@
 :OUTPUT ACCEPT [0:0]
 
 ###################################################################
-# Client filter rejecting local network traffic, with the exception of DNS traffic
+# Client filter rejecting local network traffic, with the exception of
+# DNS traffic
 #
 # Usage:
 #     firejail --net=eth0 --netfilter=/etc/firejail/nolocal.net firefox

src/firejail/checkcfg.c

@@ -26,6 +26,7 @@ static int initialized = 0;
 static int cfg_val[CFG_MAX];
 char *xephyr_screen = "800x600";
 char *xephyr_extra_params = "";
+char *netfilter_default = NULL;
 
 int checkcfg(int val) {
 	EUID_ASSERT();
@@ -159,6 +160,28 @@ int checkcfg(int val) {
 				else
 					goto errout;
 			}
+			// netfilter
+			else if (strncmp(ptr, "netfilter-default ", 18) == 0) {
+				char *fname = ptr + 18;
+				while (*fname == ' ' || *fname == '\t')
+					ptr++;
+				char *end = strchr(fname, ' ');
+				if (end)
+					*end = '\0';
+				
+				// is the file present?
+				struct stat s;
+				if (stat(fname, &s) == -1) {
+					fprintf(stderr, "Error: netfilter-default file %s not available\n", fname);
+					exit(1);
+				}
+				
+				netfilter_default = strdup(fname);
+				if (!netfilter_default)
+					errExit("strdup");
+				if (arg_debug)
+					printf("netfilter default file %s\n", fname);
+			}
 			
 			// Xephyr screen size
 			else if (strncmp(ptr, "xephyr-screen ", 14) == 0) {

src/firejail/firejail.h

@@ -582,6 +582,7 @@ void sandboxfs(int op, pid_t pid, const char *patqh);
 #define CFG_MAX 11 // this should always be the last entry
 extern char *xephyr_screen;
 extern char *xephyr_extra_params;
+extern char *netfilter_default;
 int checkcfg(int val);
 
 // appimage.c

src/firejail/netfilter.c

@@ -66,6 +66,8 @@ void netfilter(const char *fname) {
 
 	// custom filter
 	int allocated = 0;
+	if (netfilter_default)
+		fname = netfilter_default;
 	if (fname) {
 		// buffer the filter
 		struct stat s;