[GH-ISSUE #1721] Firejail does not work with an ipv6-only interface #1162

Closed
opened 2026-05-05 07:34:09 -06:00 by gitea-mirror · 4 comments

Originally created by @ghost on GitHub (Jan 9, 2018).
Original GitHub issue: https://github.com/netblue30/firejail/issues/1721

This might be somehow related to #1236

Steps to reproduce, assuming Ubuntu 16.04 (or some kind of Debian derivative):

```
$ apt-get install bridge-utils

$ cat <<-EOF >>/etc/network/interfaces
auto vnet0
iface vnet0 inet6 static
  bridge_ports none
  bridge_maxwait 0
  address fe80::12/64
  scope link
  dad-attempts 0
EOF

$ ifup vnet0

$ ifconfig vnet0
vnet0     Link encap:Ethernet  HWaddr 06:27:28:07:79:52  
          adr inet6: fe80::12/64 Scope:Link
          adr inet6: fe80::427:28ff:fe07:7952/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          (...)
```

Now you see you have a working bridged interface with ipv6 only addresses.

```
$ firejail --version
firejail version 0.9.38.10

$ firejail --net=vnet0
Error: interface vnet0 is not configured
```

Not configured... come on! ifconfig says otherwise...

For the record, other software like VirtualBox are quite happy with that kind of bridged interface. You get an ipv6-only virtual machine. This could be used for example to simulate situations like your mobile provider offering ipv6-only since there is a shortage of ipv4.


@netblue30 commented on GitHub (Jan 17, 2018):

I ran into a bug with setting up --ip6=address. It works fine on mainline now:

`````
$ sudo brctl addbr br0
$ sudo /sbin/ifconfig br0 up
`````

At this moment I have a bridge device up, without IP configured. I start the sandbox:

`````
$ firejail --noprofile --net=br0 --ip6=2001:0db8:0:f101::1/64
Warning: the network interface br0 is not configured
Parent pid 5159, child pid 5160

Interface        MAC                IP               Mask             Status
lo                                  127.0.0.1        255.0.0.0        UP    

Child process initialized in 475.69 ms
$ ip addr show
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: eth0@if16: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether 46:d1:6f:55:4e:bb brd ff:ff:ff:ff:ff:ff link-netnsid 0
    inet6 2001:db8:0:f101::1/64 scope global 
       valid_lft forever preferred_lft forever
    inet6 fe80::44d1:6fff:fe55:4ebb/64 scope link 
       valid_lft forever preferred_lft forever
`````

I'll bring in a fix for #1236.


@ghost commented on GitHub (Jan 17, 2018):

This is anyway less urgent than #1722 (fixed - to be tested) since running a sandbox with ipv6 only is mainly for test purposes. Unless you are in China where it could make sense, in Europe you will get only 20% of the internet that way... so sure: testing and being sure you have less internet sites possibly bothering you are great with ipv6-only!


@netblue30 commented on GitHub (Jan 18, 2018):

I'll drop the fix for #1236 for now, too much involved. Closing the issue for now. If you run into problems in your testing, open a new issue and reference the old one - it is easier for me to track them this way.

<!-- gh-comment-id:358715612 --> @netblue30 commented on GitHub (Jan 18, 2018): I'll drop the fix for #1236 for now, too much involved. Closing the issue for now. If you run into problems in you testing, open a new issue and reference the old one - it is easier for me to track them this way.
Author
Owner

@ghost commented on GitHub (Jan 18, 2018):

Ok, it works for me, thanks! The workaround being to have also an ipv4 stack alongside ipv6, since #1722 is supposed to be solved, there is no issue anymore.

If someone asks for an ipv6-only stack on project (https://github.com/Bylon/TOR_Middlebox) I'll reopen here.
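
A pre-flight check for the situation discussed in this thread, as an added example that is not part of the original issue or of firejail: it classifies the address families on an interface from `ip -o addr show dev IFACE` output before the interface is handed to `--net=`. The function names and the sample text are constructed here, and the check assumes (the workaround above suggests it, the thread does not state it) that the reported firejail version wants an IPv4 address on the interface.

```shell
#!/bin/sh
# Added example, not firejail code. Classifies an interface's address
# families from `ip -o addr show dev IFACE` output read on stdin.
classify_addrs() {
    awk '
        $3 == "inet"  { v4++ }
        $3 == "inet6" {
            v6++
            # any scope other than "link" (global, site, host) is not link-local
            for (i = 4; i < NF; i++)
                if ($i == "scope" && $(i + 1) != "link") nonlocal6++
        }
        END {
            if (v4 && v6)       print "dual-stack"
            else if (v4)        print "ipv4-only"
            else if (nonlocal6) print "ipv6-only"
            else if (v6)        print "ipv6-link-local-only"
            else                print "unconfigured"
        }'
}

# Assumption (suggested by the thread, not stated in it): the reported
# firejail version wants an IPv4 address on the --net interface.
# Usage: ip -o addr show dev vnet0 | preflight vnet0
preflight() {
    kind=$(classify_addrs)
    case "$kind" in
        dual-stack|ipv4-only)
            echo "$1: $kind"
            return 0 ;;
        *)
            echo "$1: $kind, no IPv4 address; expect 'not configured' from --net=$1"
            return 1 ;;
    esac
}

# Constructed sample: the reporter's vnet0 addresses in `ip -o` layout.
SAMPLE_VNET0='3: vnet0    inet6 fe80::12/64 scope link \       valid_lft forever preferred_lft forever
3: vnet0    inet6 fe80::427:28ff:fe07:7952/64 scope link \       valid_lft forever preferred_lft forever'

printf '%s\n' "$SAMPLE_VNET0" | preflight vnet0 || true
```
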
