mirror of
https://github.com/netblue30/firejail.git
synced 2026-05-15 14:16:14 -06:00
[GH-ISSUE #2046] RTNETLINK error using "--net" option #1382
Originally created by @zolfone on GitHub (Jul 16, 2018).
Original GitHub issue: https://github.com/netblue30/firejail/issues/2046
Hi,
I have two NICs and I'd like to sandbox firefox in a dedicated network interface, but if I try with
firejail --net=eth1 firefox
I get this error (this is run with the --debug option): https://pastebin.com/Xa9RNJE6
As mentioned here #1844 by @atlaua, maybe I need an L2 eth interface, but I can't find any information on the manpage, nor am I sure if my NIC is of such a family (how can I find out?).
My goal is to have a main NIC (eth0) with an active OpenVPN connection, and run firefox/other applications on eth1 outside the VPN.
During all of my tests the VPN was down so it can't be the cause of my problem.
I'm on firejail version 0.9.54, self-compiled on Gentoo; I first tried with the only supported stable version, 0.9.50, and it failed too.
Maybe I'm missing a kernel module? Is there a list of (if) needed modules?
Thanks
@zolfone commented on GitHub (Jul 21, 2018):
@netblue30, any insight on this problem? thanks
@netblue30 commented on GitHub (Jul 24, 2018):
I still have no idea what's going on. We added support for tap interfaces in the --net command line option in the version here on github, still under heavy testing. You would need to configure OpenVPN in tap bridge mode, and you pass the tap device to --net. So far I couldn't get firejail running on an OpenVPN tap device; that's kind of where I am now.
There is another similar discussion going on here: https://github.com/netblue30/firejail/issues/2032
@chiraag-nataraj commented on GitHub (Jul 25, 2018):
I'm getting the same issue when I try using --net=wlp60s0 (my wireless interface). No idea if this is related at all to this issue, but I'm getting the exact same message.
@zolfone commented on GitHub (Jul 26, 2018):
@netblue30, thanks for the reply, but as I stated in my first post there's no VPN connection involved whatsoever at the moment, just two plain simple ethernet interfaces. I'm trying to use one of them inside a sandbox but I get that error message with both of them. One NIC is PCI (SysKonnect SK-9871, kernel module "skge"), the other one is integrated (Broadcom Limited NetXtreme BCM5754, kernel module "tg3").
I'm trying to be as verbose as possible; if I'm not posting some useful information, please let me know and I'll post it.
I still can't find any information on L2 NICs though.
@chiraag-nataraj commented on GitHub (Sep 25, 2018):
Hmm, my error was fixed at some point.
@intika commented on GitHub (Apr 9, 2019):
@netblue30 duplicate of https://github.com/netblue30/firejail/issues/2387, I guess both issues should be closed
...
Had a similar issue; this can be caused by a kernel update without reboot or a lack of needed kernel modules. To fix it, either use a classic (main distribution) kernel or add the missing modules to your kernel.
Also, this error:
Error ioctl: interface.c:98 net_if_up: No such device
is typically raised because of the missing module CONFIG_IPVLAN and/or CONFIG_IPV6. Technically the --net parameter requires only ipvlan, but ipvlan has a "false" dependency on ipv6. There is a kernel patch to fix that here or here if you still want to keep ipv6 disabled while getting the firejail network feature working; otherwise just add ipv6 along with ipvlan.
Alternatively, the command
ifup lo
can give more details on the error/missing module that could affect "firejail --net".
Here are the required kernel modules for firejail networking features (this is an exhaustive list to get everything working; you should be good with just ipvlan):
Note that this also fixes
RTNETLINK answers: Operation not supported
@netblue30 this info could maybe be added to the wiki or FAQ.
@zolfone commented on GitHub (Apr 30, 2019):
Hi @intika, I was almost givin' up on this... so first of all a big thanks for your answer!
But I'm having lots of trouble finding at least half of those modules in my kernel. I usually edit my .config file and search for what I need to enable, but in this case most of them are missing, e.g.:
CONFIG_NFT_RT=m
CONFIG_NFT_MASQ=m
CONFIG_NFT_REDIR=m
CONFIG_NFT_NAT=m
CONFIG_NFT_MASQ_IPV4=m
CONFIG_NFT_REDIR_IPV4=m
I successfully enabled all the other modules, but after rebooting into the newly recompiled kernel Firejail still throws me the RTNETLINK error, and yes, I loaded ipvlan and ipv6.
Any suggestion for the kernel config problem? Maybe you could write the exact sections under "make menuconfig" where to enable all the necessary modules.
Thanks
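The two posts above turn on whether a kernel option is built in, a module, explicitly disabled, or simply absent from the .config (which is why searching the file finds nothing). The script below is an added example, not firejail project code, that classifies the options this thread names (ipvlan, ipv6, veth, macvlan; that list is an assumption drawn from the thread, not an authoritative firejail requirement list) against a constructed sample .config.

```shell
#!/bin/sh
# Added example (not firejail project code): classify the kernel options this
# thread says firejail --net needs, telling "=y", "=m", "is not set" and
# "absent from the .config entirely" (zolfone's case) apart.

# kconfig_state <CONFIG_SYMBOL> <config-file>: prints builtin|module|disabled|absent
kconfig_state() {
    sym=$1
    file=$2
    if grep -q "^${sym}=y$" "$file"; then
        echo builtin
    elif grep -q "^${sym}=m$" "$file"; then
        echo module
    elif grep -q "^# ${sym} is not set$" "$file"; then
        echo disabled
    else
        echo absent
    fi
}

# kconfig_missing <config-file> CONFIG_SYMBOL...: lists symbols that are neither =y nor =m
kconfig_missing() {
    file=$1
    shift
    for sym in "$@"; do
        state=$(kconfig_state "$sym" "$file")
        case $state in
            builtin|module) ;;
            *) echo "$sym $state" ;;
        esac
    done
}

# Constructed sample .config (not a real system's): ipvlan and veth are modules,
# ipv6 is explicitly disabled, macvlan is not mentioned at all.
SAMPLE_CONFIG=$(mktemp)
cat > "$SAMPLE_CONFIG" <<'EOF'
CONFIG_NET=y
CONFIG_VETH=m
CONFIG_IPVLAN=m
# CONFIG_IPV6 is not set
EOF

# Options named in this thread as needed by firejail --net (assumption, not an
# authoritative list): ipvlan/ipv6 (intika), veth (intika), macvlan (davew-fj).
FIREJAIL_NET_OPTS="CONFIG_IPVLAN CONFIG_IPV6 CONFIG_VETH CONFIG_MACVLAN"
kconfig_missing "$SAMPLE_CONFIG" $FIREJAIL_NET_OPTS
```

On a real system, point kconfig_missing at /boot/config-$(uname -r) or at the output of zcat /proc/config.gz instead of the sample file; an "absent" result means the option does not exist in that kernel version's Kconfig tree, so it cannot be enabled by editing .config.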
@intika commented on GitHub (May 6, 2019):
Does your VPN provider have WireGuard? If that's the case, WireGuard has some interesting sandbox (user space) features...
What kernel version are you using? It's probably because of the version you use that you are missing other modules... or maybe it's just because those modules are neither enabled nor disabled (missing from the config file). You can maybe just add them manually to the config file and see if the kernel gets compiled; otherwise you can search for them with
make menuconfig
(I think the shortcut for search is the / or ? key). You have a lot of solutions that could match exactly what you want.
User space by itself requires root; you cannot easily run firefox as a user under a different user space, BUT firejail has an amazing option that lets you use any "user space" without route:
firejail --netns=space-name
Here are some readings about what I suggested:
With all that different information you should for sure find a working solution with your current setup :)
@zolfone commented on GitHub (May 6, 2019):
@intika I'm on kernel 5.0.7 (gentoo sources), what kernel are you running? I'll try to downgrade to some 4.* version to see if maybe something has changed. I'd like to keep going with firejail, I think I'm only missing these kernel modules to make it work, I'll let you know if I have any success.
@intika commented on GitHub (May 6, 2019):
I still did not update to 5.xx, I have to update all my patches. Anyway, I tested with 4.14 and 4.20... what I sent before is kind of doing what firejail does, but manually... firejail is using veth to accomplish namespace separation; you can still do it manually (following the video) to see where exactly it gets stuck... the other solutions are kind of doing it manually; you can still use firejail after creating a user space... by the way, I know you are using eth, but bear in mind that this is not completely compatible with wlan ("network isolation", because wlan is a little different when it comes to bridge/veth/macvlan etc.)
Another video: https://www.youtube.com/watch?v=_WgUwUf1d34
@matu3ba commented on GitHub (Jun 27, 2019):
@intika Please review FAQ.
@intika commented on GitHub (Jun 27, 2019):
@matu3ba ohh cool, I read that this was linked into https://github.com/netblue30/firejail/wiki/Frequently-Asked-Questions#RTNETLINK-error so I guess we are good :) ... let me know if you want me to edit the wiki ;)
@rusty-snake commented on GitHub (Jun 27, 2019):
if you have anything to improve, go ahead.
@davew-fj commented on GitHub (Mar 9, 2020):
Well... I'm afraid my head is spinning and I'm not getting anywhere. The several solutions offered above for connecting a VPN to a firejailed browser are simple to many on this forum, but confusing to me.
If firejail is built around the idea of namespaces, why can't it include a special type of pre-configured namespace in which openvpn can run, and connect to the outside world, while providing connectivity to the vpn tunnel from other firejail namespaces?
I'm afraid the need for manual configuration of netns puts this beyond the reach of newbies.
@davew-fj commented on GitHub (Apr 6, 2020):
Can macvlan or macvtap be used for connecting firejailed firefox via an openvpn service? If so, is there a guide for this?
Edit: My question was not clear... After creating a macvlan link, like so...
sudo ip link add macvlan0 link eth0 type macvlan mode bridge
... and starting firejailed firefox, like so...
firejail --net=macvlan0 --ip=192.168.227.10 --netmask=255.255.255.0 --defaultgw=192.168.227.1 --dns=10.4.0.1 firefox-esr
... firejailed firefox connects directly to the internet via eth0. (Of course, it does that anyway, with the default firejail networking.)
But it will not connect via a vpn. I have tried using addresses for eth0 (as above) and also those for tun0. What am I missing?
@matu3ba commented on GitHub (May 18, 2021):
I can reproduce a related issue after 1. a Kernel update and 2. a changed wifi interface (my distribution changed it from wlp3s0 or so to wlan0).
The fix is to reboot (maybe logout + login might also be sufficient).
@rusty-snake Would you accept changing the wiki on RTNETLINK problems to 1. installing drivers and 2. reboot, for closing this issue?
Either it should be written what needs to be fixed (in other projects) or put on the backlog. Personally I think firejail should not attempt to do stuff on the backlog; better fix or wontfix upstream.
@rusty-snake commented on GitHub (May 19, 2021):
I don't use firejail's networking features, nor have I followed all the RTNETLINK issues. Therefore I can't say anything here.
@aykevl commented on GitHub (Jul 20, 2023):
I have enabled almost all modules listed in https://github.com/netblue30/firejail/issues/2046#issuecomment-481416363 but I still get this error. (The only modules missing are CONFIG_NFT_RT, CONFIG_BRIDGE_VLAN_FILTERING, and CONFIG_VLAN_8021Q_MVRP.) The kernel is a standard Raspberry Pi OS (64-bit) kernel where I enabled CONFIG_IPVTAP in the hope that it would help (it didn't).
This happens when I try to use a WireGuard interface. The eth0 interface works fine.
@ghost commented on GitHub (Jul 20, 2023):
@aykevl
You might want to have a look at LKDDb: Linux Kernel Driver DataBase for finding more info on how to get those missing modules. Or search for a similar site for Raspberry Pi OS kernel (if there is such a thing).
It can be a bit of a pain to follow the config dependency chain but at least you can look up stuff without having to go through a build to discover the needed module isn't there...
CONFIG_NFT_RT
The nft_rt module seems to be present in Linux kernels 4.10–4.17 only. Hopefully you can track what superseded it.
@aykevl commented on GitHub (Jul 20, 2023):
@glitsj16 I tried on three different kernels: a stock Debian bookworm kernel, the Asahi Linux kernel, and the Raspberry Pi OS (64-bit) kernel. All of them have the same problem. I would be very surprised if it really is a problem with kernel modules - otherwise many more people would hit this issue. Rather, I think this bug is caused by something else (but because of the rather vague error message I have no idea where to look).
(Worth noting that all three kernels are arm64 kernels, but I wouldn't expect that to matter here).
For those wanting to reproduce this issue: basically just create a WireGuard network interface, and then run
firejail --net=wg0 echo hello
to see the error message.