[GH-ISSUE #1058] Feature request: join network namespace created by 'ip netns create' #718

New issue

Closed

opened 2026-05-05 06:31:16 -06:00 by gitea-mirror · 1 comment

gitea-mirror commented

2026-05-05 06:31:16 -06:00

Owner

Originally created by @zackw on GitHub (Jan 19, 2017).
Original GitHub issue: https://github.com/netblue30/firejail/issues/1058

The ip utility has a subcommand to create persistent network namespaces, and to run processes in these namespaces. It would be really handy if firejail could put processes into network namespaces created in this manner. I specifically want this because I have scripts that bring up VPN tunnels and associate them with these namespaces, and then run specific programs in those namespaces (so, at the same time, process A can be talking to VPN proxy X, process B to proxy Y, etc) and I'd like to have reliable sandboxing for these processes.

In addition to setting the network namespace itself, ip netns exec NAMESPACE puts the process into a fresh mount namespace, and then remounts /sys (so that its contents reflect the network namespace) and bind-mounts /etc/netns/NAMESPACE/whatever over /etc/whatever for all whatever (so, for instance, you can override /etc/resolv.conf this way). And it also does a vrf_reset(), which I don't know what that means.

For more information on the ip feature:

Originally created by @zackw on GitHub (Jan 19, 2017). Original GitHub issue: https://github.com/netblue30/firejail/issues/1058 The `ip` utility has a subcommand to create persistent network namespaces, and to run processes in these namespaces. It would be really handy if firejail could put processes into network namespaces created in this manner. I specifically want this because I have scripts that bring up VPN tunnels and associate them with these namespaces, and then run specific programs in those namespaces (so, at the same time, process A can be talking to VPN proxy X, process B to proxy Y, etc) and I'd like to have reliable sandboxing for these processes. In addition to setting the network namespace itself, `ip netns exec NAMESPACE` puts the process into a fresh mount namespace, and then remounts `/sys` (so that its contents reflect the network namespace) and bind-mounts `/etc/netns/NAMESPACE/whatever` over `/etc/whatever` for all whatever (so, for instance, you can override `/etc/resolv.conf` this way). And it also does a `vrf_reset()`, which I don't know what that means. For more information on the `ip` feature: * [`ip netns` manpage source](https://git.kernel.org/cgit/linux/kernel/git/shemminger/iproute2.git/tree/man/man8/ip-netns.8) * [core implementation of the "put a process into a network namespace" operation](https://git.kernel.org/cgit/linux/kernel/git/shemminger/iproute2.git/tree/lib/namespace.c) * [implementation of the `ip netns` command line](https://git.kernel.org/cgit/linux/kernel/git/shemminger/iproute2.git/tree/ip/ipnetns.c)

gitea-mirror

2026-05-05 06:31:16 -06:00

closed this issue
added the
enhancement
label

gitea-mirror commented

2026-05-05 06:31:21 -06:00

Author

Owner

@netblue30 commented on GitHub (Jan 22, 2017):

all merged.

@netblue30 commented on GitHub (Jan 22, 2017): all merged.

No milestone

No project

No assignees

1 participant

Notifications

Due date

The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference: github-starred/firejail#718

No description provided.

Rows
Columns