[GH-ISSUE #974] gateway in sandbox depends on --net parameters order #663

Closed
opened 2026-05-05 06:23:42 -06:00 by gitea-mirror · 3 comments

Originally created by @djfd on GitHub (Dec 13, 2016).
Original GitHub issue: https://github.com/netblue30/firejail/issues/974

Hi,

not sure if it is a bug or a feature, but the gateway is being taken from the first specified --net argument

when there are two interfaces (eg wired and wireless), it is possible that only one is active (or has a gateway to external nets), say the wired one. under these conditions host networking is still okay, and it also works for a sandbox if running it as
firejail --net=wired --net=wireless ...
joining the sandboxed network shows

$ sudo firejail --join-network=bro ip route show
[sudo] password for aa: 
Switching to pid 2725, the first child process inside the sandbox
Child process initialized
default via 10.0.3.2 dev eth0-2724 
10.0.3.0/24 dev eth0-2724 proto kernel scope link src 10.0.3.95 
192.168.56.0/24 dev eth1-2724 proto kernel scope link src 192.168.56.31 

however if we run it with the params reversed, ie.
firejail --net=wireless --net=wired ...

then there is no default gw at all

$ sudo firejail --join-network=bro ip route show
[sudo] password for aa: 
Switching to pid 2402, the first child process inside the sandbox
Child process initialized
10.0.3.0/24 dev eth1-2401 proto kernel scope link src 10.0.3.123 
192.168.56.0/24 dev eth0-2401 proto kernel scope link src 192.168.56.238 

For me it looks like a bug, but if it is actually a feature, then could you please extend the --defaultgw parameter to support something like inherited

thanks


@netblue30 commented on GitHub (Dec 13, 2016):

The problem is you can have several default gateways defined in your routing table, and not all of them make sense in the new network namespace. Currently, the code picks up a default gateway associated with the first --net interface. I would say you need to specify your gateway with --defaultgw=10.0.3.2. I'll mark it as an enhancement, maybe I can come up with something better.

Question: is --net=wireless working? Can you get any traffic on it?


@djfd commented on GitHub (Dec 13, 2016):

yes, both networks are working.

I need to say that all of this is under VirtualBox, one of the interfaces is attached to a host-only adapter (used for ssh-ing the guest, and similar), and the second one is a NAT interface to the host (this way the internet is accessible to the guest)

this is what I can see under /proc/self/net/route

Iface   Destination     Gateway         Flags   RefCnt  Use     Metric  Mask            MTU     Window  IRTT
wired1  00000000        0203000A        0003    0       0       100     00000000        0       0       0
wired1  0003000A        00000000        0001    0       0       100     00FFFFFF        0       0       0
wired0  0038A8C0        00000000        0001    0       0       100     00FFFFFF        0       0       0

but the issue will arise when I move that guest image to real hardware, with ethernet and wireless adapters: I cannot predict when which of them is in use, thus I cannot create a simple shortcut for launching the sandbox... that is why

UPD
Ideally, there should be some watchdog waiting for host gateway changes to propagate them to the sandbox. I mean if I set the gateway to be inherited (or leave it empty), then updating of the sandbox gw needs to be done transparently. just IMHO

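The route table pasted above is in the raw /proc/net/route format: addresses are printed as 8 hex digits in host byte order, so 0203000A is 10.0.3.2 and 0038A8C0 is 192.168.56.0. The following added example (my own code, not part of the thread or of firejail) decodes that format and reproduces the gateway-selection behaviour netblue30 describes in the first reply: only the first --net interface is consulted for a default route, so swapping the argument order loses the gateway. It also shows the order-independent alternative the reporter asks for, picking the first listed interface that actually has a default route. The sample table is constructed from the reporter's paste; function names and the RTF_* constants are my own (the constant values are the kernel's).

```python
import socket
import struct

# Constructed sample: the /proc/net/route contents pasted in the comment above.
SAMPLE_ROUTE = """\
Iface   Destination     Gateway         Flags   RefCnt  Use     Metric  Mask            MTU     Window  IRTT
wired1  00000000        0203000A        0003    0       0       100     00000000        0       0       0
wired1  0003000A        00000000        0001    0       0       100     00FFFFFF        0       0       0
wired0  0038A8C0        00000000        0001    0       0       100     00FFFFFF        0       0       0
"""

# Route flag bits as used by the kernel in /proc/net/route.
RTF_UP = 0x0001
RTF_GATEWAY = 0x0002


def hex_to_ip(field):
    """Decode one 8-hex-digit /proc/net/route address field.

    The kernel prints the in-memory __be32 value with %08X, so the hex
    string is in host byte order; packing with native order ("=L")
    restores the network-order bytes on either endianness.
    """
    return socket.inet_ntoa(struct.pack("=L", int(field, 16)))


def parse_routes(text):
    """Parse /proc/net/route text into a list of route dicts."""
    routes = []
    for line in text.splitlines()[1:]:  # skip the header line
        fields = line.split()
        if len(fields) < 8:
            continue
        iface, dest, gateway, flags, _refcnt, _use, metric, mask = fields[:8]
        routes.append({
            "iface": iface,
            "dest": hex_to_ip(dest),
            "gateway": hex_to_ip(gateway),
            "flags": int(flags, 16),
            "metric": int(metric),
            "mask": hex_to_ip(mask),
        })
    return routes


def default_gateways(routes):
    """Map interface name -> gateway for every usable default route (0.0.0.0/0, UP|GATEWAY)."""
    return {
        r["iface"]: r["gateway"]
        for r in routes
        if r["dest"] == "0.0.0.0"
        and r["mask"] == "0.0.0.0"
        and r["flags"] & RTF_UP
        and r["flags"] & RTF_GATEWAY
    }


def gateway_first_interface(routes, net_args):
    """Behaviour described in the thread: only the first --net interface is consulted.

    Returns None when that interface has no default route, which is the
    'no default gw at all' result the reporter sees with reversed arguments.
    """
    return default_gateways(routes).get(net_args[0])


def gateway_any_interface(routes, net_args):
    """Order-tolerant alternative: first --net interface, in the order given, that has a default route."""
    gateways = default_gateways(routes)
    for iface in net_args:
        if iface in gateways:
            return gateways[iface]
    return None


if __name__ == "__main__":
    routes = parse_routes(SAMPLE_ROUTE)
    for order in (["wired1", "wired0"], ["wired0", "wired1"]):
        print(" ".join("--net=" + i for i in order),
              "first-only:", gateway_first_interface(routes, order),
              "any:", gateway_any_interface(routes, order))
```

Run against a live system with `parse_routes(open("/proc/net/route").read())`; the value returned by `gateway_any_interface` is what you would pass as `--defaultgw=` if you want a launcher that does not depend on argument order.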

@netblue30 commented on GitHub (Dec 14, 2016):

At this moment we support for the --net command only wired ethernet and bridge kernel interfaces. Wireless interfaces are not supported - it would probably require some sort of kernel macvlan module for wireless. This is why it is breaking when you move from VirtualBox to the real driver. Anyway, you raise some valid points, I will probably have to rework the assignment of the default gateway.
