[GH-ISSUE #1912] Ping replies going to wrong jails #1282

Closed
opened 2026-05-05 07:47:18 -06:00 by gitea-mirror · 14 comments

Originally created by @reinerh on GitHub (Apr 26, 2018).
Original GitHub issue: https://github.com/netblue30/firejail/issues/1912

As reported here (https://bugs.debian.org/896989), when two ping processes are running in two separate jails, they BOTH receive ALL the replies.

Example (running both commands at the same time):

```
$ firejail ping ubuntu.com
PING ubuntu.com (91.189.94.40) 56(84) bytes of data.
64 bytes from ovinnik.canonical.com (91.189.94.40): icmp_seq=1 ttl=57 time=42.3 ms
64 bytes from senfter.debian.org (5.153.231.4): icmp_seq=1 ttl=54 time=43.8 ms (DUP!)
64 bytes from ovinnik.canonical.com (91.189.94.40): icmp_seq=2 ttl=57 time=39.9 ms
64 bytes from senfter.debian.org (5.153.231.4): icmp_seq=2 ttl=54 time=46.3 ms (DUP!)
64 bytes from ovinnik.canonical.com (91.189.94.40): icmp_seq=3 ttl=57 time=40.0 ms
64 bytes from senfter.debian.org (5.153.231.4): icmp_seq=3 ttl=54 time=44.2 ms (DUP!)
```

```
$ firejail ping debian.org
PING debian.org (5.153.231.4) 56(84) bytes of data.
64 bytes from senfter.debian.org (5.153.231.4): icmp_seq=1 ttl=54 time=43.8 ms
64 bytes from ovinnik.canonical.com (91.189.94.40): icmp_seq=2 ttl=57 time=39.9 ms
64 bytes from senfter.debian.org (5.153.231.4): icmp_seq=2 ttl=54 time=46.3 ms
64 bytes from ovinnik.canonical.com (91.189.94.40): icmp_seq=3 ttl=57 time=40.0 ms
64 bytes from senfter.debian.org (5.153.231.4): icmp_seq=3 ttl=54 time=44.2 ms
64 bytes from ovinnik.canonical.com (91.189.94.40): icmp_seq=4 ttl=57 time=41.6 ms
64 bytes from senfter.debian.org (5.153.231.4): icmp_seq=4 ttl=54 time=42.4 ms
```

gitea-mirror (2026-05-05 07:47:18 -06:00) closed this issue and added the `bug` label.

@SkewedZeppelin commented on GitHub (Apr 26, 2018):

That seems pretty bad. Is this just limited to still having extra capabilities (net_raw)? i.e. not a general flaw of firejail?

@reinerh commented on GitHub (Apr 26, 2018):

It doesn't behave that way when running both pings as root without firejail.
Maybe related to network namespaces?

@netblue30 commented on GitHub (Apr 30, 2018):

Removed from firecfg, so we don't have a symlink for it under /usr/local/bin. I have no idea what's going on!

@Fred-Barclay commented on GitHub (May 1, 2018):

I can't replicate on Arch but can on Ubuntu 18.04. Maybe a library difference?

@SkewedZeppelin commented on GitHub (May 1, 2018):

@Fred-Barclay that is a bit weird. I just replicated again on both Arch and Fedora 27.

@Fred-Barclay commented on GitHub (May 1, 2018):

@SkewedZeppelin What version of firejail did you use? I'm using firejail 0.9.53.

```
$ firejail ping ubuntu.com
PING ubuntu.com (91.189.94.40) 56(84) bytes of data.
64 bytes from ovinnik.canonical.com (91.189.94.40): icmp_seq=1 ttl=48 time=132 ms
64 bytes from ovinnik.canonical.com (91.189.94.40): icmp_seq=2 ttl=48 time=133 ms
64 bytes from ovinnik.canonical.com (91.189.94.40): icmp_seq=3 ttl=48 time=132 ms
64 bytes from ovinnik.canonical.com (91.189.94.40): icmp_seq=4 ttl=48 time=135 ms
64 bytes from ovinnik.canonical.com (91.189.94.40): icmp_seq=5 ttl=48 time=139 ms
64 bytes from ovinnik.canonical.com (91.189.94.40): icmp_seq=6 ttl=48 time=132 ms
64 bytes from ovinnik.canonical.com (91.189.94.40): icmp_seq=7 ttl=48 time=143 ms
64 bytes from ovinnik.canonical.com (91.189.94.40): icmp_seq=8 ttl=48 time=135 ms
64 bytes from ovinnik.canonical.com (91.189.94.40): icmp_seq=9 ttl=48 time=132 ms
```

```
$ firejail ping debian.org
PING debian.org(klecker-misc.debian.org (2001:67c:2564:a119::148:14)) 56 data bytes
64 bytes from klecker-misc.debian.org (2001:67c:2564:a119::148:14): icmp_seq=1 ttl=48 time=148 ms
64 bytes from klecker-misc.debian.org (2001:67c:2564:a119::148:14): icmp_seq=2 ttl=48 time=147 ms
64 bytes from klecker-misc.debian.org (2001:67c:2564:a119::148:14): icmp_seq=3 ttl=48 time=148 ms
64 bytes from klecker-misc.debian.org (2001:67c:2564:a119::148:14): icmp_seq=4 ttl=48 time=149 ms
64 bytes from klecker-misc.debian.org (2001:67c:2564:a119::148:14): icmp_seq=5 ttl=48 time=146 ms
64 bytes from klecker-misc.debian.org (2001:67c:2564:a119::148:14): icmp_seq=6 ttl=48 time=148 ms
64 bytes from klecker-misc.debian.org (2001:67c:2564:a119::148:14): icmp_seq=7 ttl=48 time=149 ms
```

@Fred-Barclay commented on GitHub (May 1, 2018):

Ah, scratch that. Apparently if I make sure the addresses I ping are **both** IPv4 or IPv6, I can duplicate.

```
$ firejail ping 8.8.8.8
PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data.
64 bytes from 8.8.8.8: icmp_seq=1 ttl=55 time=26.5 ms
64 bytes from 8.8.8.8: icmp_seq=2 ttl=55 time=27.5 ms
64 bytes from 8.8.8.8: icmp_seq=3 ttl=55 time=28.4 ms
64 bytes from 8.8.8.8: icmp_seq=4 ttl=55 time=25.7 ms
64 bytes from 8.8.8.8: icmp_seq=5 ttl=55 time=28.7 ms
64 bytes from 8.8.8.8: icmp_seq=6 ttl=55 time=27.0 ms
64 bytes from 8.8.8.8: icmp_seq=7 ttl=55 time=25.5 ms
64 bytes from 9.9.9.9: icmp_seq=1 ttl=52 time=26.0 ms (DUP!)
64 bytes from 8.8.8.8: icmp_seq=8 ttl=55 time=44.6 ms
64 bytes from 9.9.9.9: icmp_seq=2 ttl=52 time=28.3 ms (DUP!)
64 bytes from 8.8.8.8: icmp_seq=9 ttl=55 time=25.5 ms
64 bytes from 9.9.9.9: icmp_seq=3 ttl=52 time=30.3 ms (DUP!)
```

```
$ firejail ping 9.9.9.9
PING 9.9.9.9 (9.9.9.9) 56(84) bytes of data.
64 bytes from 9.9.9.9: icmp_seq=1 ttl=52 time=26.0 ms
64 bytes from 8.8.8.8: icmp_seq=8 ttl=55 time=44.6 ms
64 bytes from 9.9.9.9: icmp_seq=2 ttl=52 time=28.3 ms
64 bytes from 8.8.8.8: icmp_seq=9 ttl=55 time=25.5 ms
64 bytes from 9.9.9.9: icmp_seq=3 ttl=52 time=30.3 ms
64 bytes from 8.8.8.8: icmp_seq=10 ttl=55 time=25.5 ms
64 bytes from 9.9.9.9: icmp_seq=4 ttl=52 time=27.0 ms
64 bytes from 8.8.8.8: icmp_seq=11 ttl=55 time=25.7 ms
64 bytes from 9.9.9.9: icmp_seq=5 ttl=52 time=26.0 ms
```

Similar when both are `ping -6`

@chiraag-nataraj commented on GitHub (May 2, 2018):

I just replicated this in Debian sid/experimental with firejail 0.9.53.

@chiraag-nataraj commented on GitHub (Jul 24, 2018):

Y'all, this is still an issue. How can we go about debugging this?

@chiraag-nataraj commented on GitHub (Oct 3, 2018):

Okay, if this helps, I'm not seeing this when I create two separate network namespaces, but I still see the issue with the current firejail version (0.9.57 from master).

@chiraag-nataraj commented on GitHub (May 21, 2019):

Still seeing this with current git master. How should we go about addressing this?

@chiraag-nataraj commented on GitHub (May 21, 2019):

As I replied earlier, when I create new network namespaces, I'm not seeing the issue. Is this issue specific to ping or does it apply to other programs as well?

@matu3ba commented on GitHub (Sep 9, 2020):

On Arch I cannot reproduce with current master and the following commands:

```
firejail ping 8.8.8.8
firejail ping 9.9.9.9
```

Closing or testing against other distros?
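
For retesting on other distros, a check over a saved ping transcript (an added example, not part of the original thread or of firejail). It compares each reply's source address with the target on the `PING` header line rather than relying on the `(DUP!)` marker, because in the second jail's output above the foreign replies carry no `(DUP!)`. The function names are assumptions of this example, and the sample transcripts are abridged from output posted in this thread.

```sh
#!/bin/sh
# Added example: flag ping replies whose source is not the address on the
# "PING" header line. Samples are abridged from output posted in this thread.

foreign_replies() {   # stdin: ping output; stdout: "<source> <icmp_seq> <dup|nodup>"
    awk '
    function paren_addr(s) {          # first "(addr)" group, IPv4 or IPv6
        if (match(s, /\([0-9A-Fa-f:.]+\)/))
            return substr(s, RSTART + 1, RLENGTH - 2)
        return ""
    }
    /^PING / { target = paren_addr($0); next }
    / bytes from / {
        src = paren_addr($0)
        if (src == "") {              # numeric form: "from 8.8.8.8: icmp_seq=..."
            for (i = 1; i < NF; i++) if ($i == "from") src = $(i + 1)
            sub(/:$/, "", src)
        }
        seq = "?"
        if (match($0, /icmp_seq=[0-9]+/)) seq = substr($0, RSTART + 9, RLENGTH - 9)
        if (target != "" && src != target)
            print src, seq, ($0 ~ /\(DUP!\)/ ? "dup" : "nodup")
    }'
}

# Number of replies that came from an address other than the ping target.
count_foreign() { foreign_replies | wc -l | tr -d ' '; }

sample_jail_a() { cat <<'EOF'
PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data.
64 bytes from 8.8.8.8: icmp_seq=7 ttl=55 time=25.5 ms
64 bytes from 9.9.9.9: icmp_seq=1 ttl=52 time=26.0 ms (DUP!)
64 bytes from 8.8.8.8: icmp_seq=8 ttl=55 time=44.6 ms
64 bytes from 9.9.9.9: icmp_seq=2 ttl=52 time=28.3 ms (DUP!)
EOF
}

sample_jail_b() { cat <<'EOF'
PING 9.9.9.9 (9.9.9.9) 56(84) bytes of data.
64 bytes from 9.9.9.9: icmp_seq=1 ttl=52 time=26.0 ms
64 bytes from 8.8.8.8: icmp_seq=8 ttl=55 time=44.6 ms
64 bytes from 9.9.9.9: icmp_seq=2 ttl=52 time=28.3 ms
EOF
}

echo "jail A foreign replies:"; sample_jail_a | foreign_replies
echo "jail B foreign replies:"; sample_jail_b | foreign_replies
```

To check a real run, pipe the saved output of each jailed `ping` into `count_foreign`; any non-zero count means that jail saw replies meant for another target.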

@reinerh commented on GitHub (Sep 9, 2020):

I can confirm that I can no longer reproduce it.
Not even with the originally reported version (0.9.52).
So I guess it has been fixed somewhere else (kernel, glibc?).

I'll close it, as nothing needs to be fixed on the firejail side.
