[PR #3102] [MERGED] DHCP client support #4644

Closed
opened 2026-05-05 10:23:56 -06:00 by gitea-mirror · 0 comments

📋 Pull Request Information

Original PR: https://github.com/netblue30/firejail/pull/3102
Author: @kris7t
Created: 12/30/2019
Status: Merged
Merged: 1/7/2020
Merged by: @netblue30

Base: master ← Head: dhcp-client


📝 Commits (7)

  • a50e868 Add --ip=dhcp and --ip6=dhcp options
  • 40d6081 Do not try to set up default gateway without an IP address
  • d3d806d Allow resolv.conf be written by dhclient
  • 8dd73b2 Add sbox_run_v to run programs with explicit argument lists
  • 02d09e8 Add capability filter for network services, additive filter
  • ce3c198 Run dhclient inside the sandbox
  • c082d90 Wait for link-local address for DHCPv6

📊 Changes

12 files changed (+410 additions, -43 deletions)


src/firejail/dhcp.c (+158 -0)
📝 src/firejail/firejail.h (+27 -0)
📝 src/firejail/fs_hostname.c (+7 -3)
📝 src/firejail/main.c (+17 -10)
📝 src/firejail/network_main.c (+4 -0)
📝 src/firejail/profile.c (+18 -12)
📝 src/firejail/sandbox.c (+7 -0)
📝 src/firejail/sbox.c (+40 -18)
📝 src/fnet/fnet.h (+1 -0)
📝 src/fnet/interface.c (+122 -0)
📝 src/fnet/main.c (+4 -0)
📝 src/include/rundefs.h (+5 -0)

📄 Description

As per my issue in #3026, I was trying to use DHCP to configure network interfaces in firejail. This patch implements integration with the ISC dhclient for both IPv4 and IPv6.

I left the commits as-is so that they can be reviewed individually, but I can squash them if that is preferred.

  • Added the options `--ip=dhcp` and `--ip6=dhcp` for IPv4 and IPv6 configuration by DHCP.
  • `--ip=dhcp` is handled similarly to `--ip=none`. In particular, firejail does not do any network configuration on its own, not even setting up routing.
  • dhclient is invoked in forking mode. Its main process exits when it has successfully acquired a lease, while the daemon keeps running in the background. This ensures that firejail only proceeds when the network is working inside the container (running dhclient as a foreground process and getting notified about leases would be a bit trickier).
  • I added a capability filter for `CAP_NET_BIND_SERVICE` so that dhclient can bind to low ports.
  • PID files and lease files are written to `/run/firejail/mnt/dhclient`. The PID file is read (hopefully without race conditions) to find the PID of the dhclient daemon process. The sandbox may terminate if only the dhclient daemons are running.
  • No effort is made to properly terminate (`-x`) dhclient or release the DHCP lease (`-r`), as neither is required by the DHCP protocol. The dhclient processes just die when the sandbox terminates. It would be possible to release the lease properly (this is allegedly required by some ISPs, but not in the more common situation when the sandboxes are connected to a local virtual bridged network, such as libvirt), but would require keeping some privileges until container termination (either in the firejail main process, or an auxiliary process just for communicating with dhclient).
  • Especially when used solely for DHCPv6, dhclient may fail to bind to the network interface if it has no link-local IPv6 address (or the LL address is only tentative). When both DHCPv4 and DHCPv6 are in use, the delay caused by waiting for the DHCPv4 lease is virtually always enough for the IPv6 LL address to become active. I added a subcommand to `fnet` to wait for IPv6 LL addresses. Unfortunately, I had to use the rather complex rtnetlink interface, because this is the only way to access the tentative flag of an address.

🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.
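One way to implement the link-local wait from the last bullet of the description, as an added example that is not code from this PR or from firejail's `fnet`: it dumps the IPv6 addresses over rtnetlink and treats a link-scope address as usable only once `IFA_F_TENTATIVE` is clear, reading the 32-bit `IFA_FLAGS` attribute when the kernel sends it and falling back to the 8-bit `ifa_flags` field otherwise. The function names, the 100 ms polling interval and the retry count are my own choices, not values from the PR.

```c
#define _DEFAULT_SOURCE
#include <arpa/inet.h>
#include <linux/if_addr.h>
#include <linux/rtnetlink.h>
#include <stdint.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Scan RTM_NEWADDR messages (the reply to an RTM_GETADDR dump) for an IPv6 link-local
 * address on ifindex whose duplicate address detection has finished, i.e. IFA_F_TENTATIVE
 * is clear. Returns 1 if one exists, else 0; *done is set when NLMSG_DONE ends the dump. */
int has_active_ll_addr(void *buf, int len, int ifindex, int *done) {
    for (struct nlmsghdr *nh = buf; NLMSG_OK(nh, len); nh = NLMSG_NEXT(nh, len)) {
        if (nh->nlmsg_type == NLMSG_DONE) { if (done) *done = 1; break; }
        if (nh->nlmsg_type != RTM_NEWADDR) continue;
        struct ifaddrmsg *ifa = NLMSG_DATA(nh);
        if (ifa->ifa_family != AF_INET6 || (int)ifa->ifa_index != ifindex ||
            ifa->ifa_scope != RT_SCOPE_LINK) continue;           /* only fe80::/10 */
        uint32_t flags = ifa->ifa_flags;   /* 8-bit legacy field; IFA_FLAGS attr is the full word */
        int rlen = IFA_PAYLOAD(nh);
        for (struct rtattr *rta = IFA_RTA(ifa); RTA_OK(rta, rlen); rta = RTA_NEXT(rta, rlen))
            if (rta->rta_type == IFA_FLAGS) memcpy(&flags, RTA_DATA(rta), sizeof flags);
        if (!(flags & IFA_F_TENTATIVE)) return 1;   /* DAD finished: usable as a source */
    }
    return 0;
}

/* Poll the kernel with RTM_GETADDR dumps, 100 ms apart (assumed interval), until the
 * interface has a usable link-local address. Returns 1 found, 0 gave up, -1 error. */
int wait_for_ll_addr(int ifindex, int tries) {
    struct { struct nlmsghdr nh; struct ifaddrmsg ifa; } req = {
        { NLMSG_LENGTH(sizeof(struct ifaddrmsg)), RTM_GETADDR, NLM_F_REQUEST | NLM_F_DUMP, 1, 0 },
        { AF_INET6, 0, 0, 0, 0 } };
    uint32_t buf[4096];                          /* word-aligned receive buffer */
    for (; tries > 0; tries--, usleep(100000)) {
        int fd = socket(AF_NETLINK, SOCK_RAW | SOCK_CLOEXEC, NETLINK_ROUTE), found = 0, done = 0;
        if (fd < 0) return -1;
        if (send(fd, &req, sizeof req, 0) < 0) { close(fd); return -1; }
        while (!done && !found) {                /* a dump may span several datagrams */
            int n = (int)recv(fd, buf, sizeof buf, 0);
            if (n <= 0) break;
            found = has_active_ll_addr(buf, n, ifindex, &done);
        }
        close(fd);
        if (found) return 1;
    }
    return 0;
}
```

Calling `wait_for_ll_addr(if_nametoindex("eth0"), 50)` before starting dhclient with `-6` gives up after about five seconds if DAD never completes, which is the failure mode the description mentions.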
