[GH-ISSUE #1406] ARP cache pollution when using net namespaces. #958

Closed
opened 2026-05-05 07:13:19 -06:00 by gitea-mirror · 3 comments

Originally created by @caoliver on GitHub (Jul 27, 2017).
Original GitHub issue: https://github.com/netblue30/firejail/issues/1406

On starting a jail with a network namespace, firejail sends an ARP request to determine whether the chosen IP address is already in use, but it sends that request with the jail's MAC and the host's IP. This pollutes the ARP cache on boxes that are listening to that broadcast with a bogus MAC/IP pair, resulting in delays when trying to reach the host via the net. The free IP for the jail should be determined on the host and communicated to the jail upon its creation.

gitea-mirror 2026-05-05 07:13:19 -06:00 closed this issue and added the bug label.

@netblue30 commented on GitHub (Jul 27, 2017):

I put a fix in, you can give it a try. I'm doing the probing with an IP address of 0.

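To make the report and the fix concrete, here is an added example (not firejail's code, and not from either participant) that builds the two kinds of broadcast ARP request and feeds them to a toy neighbour cache: the pre-fix frame carrying the jail's MAC with the host's IP as sender, and the RFC 5227 section 2.1.1 probe with sender IP 0.0.0.0. The addresses (192.168.1.10 for the host, 192.168.1.55 for the jail candidate, the 02:00:... MACs) are constructed for the scenario, and the cache is a deliberately simplified model of how a listening host learns sender bindings, not the Linux neighbour table.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <arpa/inet.h>

#define MAC_LEN 6
#define ETHERTYPE_ARP 0x0806
#define ARPHRD_ETHER  1
#define ARPOP_REQUEST 1

/* Ethernet header followed by an IPv4-over-Ethernet ARP packet. */
struct __attribute__((packed)) eth_arp {
    uint8_t  dst[MAC_LEN];
    uint8_t  src[MAC_LEN];
    uint16_t ethertype;
    uint16_t htype, ptype;
    uint8_t  hlen, plen;
    uint16_t oper;
    uint8_t  sha[MAC_LEN];   /* sender hardware address */
    uint32_t spa;            /* sender protocol address, network order */
    uint8_t  tha[MAC_LEN];
    uint32_t tpa;            /* target protocol address, network order */
};

/* Broadcast ARP request from `mac`. For an RFC 5227 probe of `target_ip`
 * the caller passes sender_ip 0, so no listener can learn a binding. */
static void build_arp_request(struct eth_arp *f, const uint8_t mac[MAC_LEN],
                              uint32_t sender_ip, uint32_t target_ip)
{
    memset(f, 0, sizeof *f);
    memset(f->dst, 0xff, MAC_LEN);
    memcpy(f->src, mac, MAC_LEN);
    f->ethertype = htons(ETHERTYPE_ARP);
    f->htype = htons(ARPHRD_ETHER);
    f->ptype = htons(0x0800);
    f->hlen  = MAC_LEN;
    f->plen  = 4;
    f->oper  = htons(ARPOP_REQUEST);
    memcpy(f->sha, mac, MAC_LEN);
    f->spa = sender_ip;
    f->tpa = target_ip;      /* tha stays zero in a request */
}

/* Toy neighbour cache of a host hearing the broadcast (a simplified model,
 * not the kernel's): a request with a non-zero sender IP teaches it
 * sender_ip -> sender_mac; a zero sender IP teaches nothing. */
#define CACHE_SIZE 8
struct neigh { int used; uint32_t ip; uint8_t mac[MAC_LEN]; };
struct neigh_cache { struct neigh e[CACHE_SIZE]; };

/* Returns 1 if an entry was created or overwritten, 0 otherwise. */
static int arp_receive(struct neigh_cache *c, const struct eth_arp *f)
{
    if (ntohs(f->ethertype) != ETHERTYPE_ARP || ntohs(f->oper) != ARPOP_REQUEST)
        return 0;
    if (f->spa == 0)          /* RFC 5227 probe: 0.0.0.0 is never learned */
        return 0;
    for (int i = 0; i < CACHE_SIZE; i++) {
        if (!c->e[i].used || c->e[i].ip == f->spa) {
            c->e[i].used = 1;
            c->e[i].ip = f->spa;
            memcpy(c->e[i].mac, f->sha, MAC_LEN);
            return 1;
        }
    }
    return 0;                 /* cache full */
}

static int neigh_lookup(const struct neigh_cache *c, uint32_t ip, uint8_t out[MAC_LEN])
{
    for (int i = 0; i < CACHE_SIZE; i++)
        if (c->e[i].used && c->e[i].ip == ip) { memcpy(out, c->e[i].mac, MAC_LEN); return 1; }
    return 0;
}

/* Constructed addresses for the scenario (assumptions, not from the report). */
static const uint8_t HOST_MAC[MAC_LEN] = {0x02, 0x00, 0x00, 0x00, 0x00, 0x01};
static const uint8_t JAIL_MAC[MAC_LEN] = {0x02, 0x00, 0x00, 0x00, 0x00, 0x02};

/* A neighbour first learns HOST_IP -> HOST_MAC from a legitimate host request,
 * then hears the jail probe for JAIL_IP with the given sender IP. Returns 1 if
 * HOST_IP now resolves to JAIL_MAC (the pollution from the report), 0 if the
 * host's own MAC survived, -1 if the host entry vanished (should not happen). */
static int probe_pollutes_neighbour(uint32_t probe_sender_ip)
{
    uint32_t host_ip = inet_addr("192.168.1.10");
    uint32_t jail_ip = inet_addr("192.168.1.55");
    struct neigh_cache cache;
    struct eth_arp f;
    uint8_t mac[MAC_LEN];

    memset(&cache, 0, sizeof cache);
    build_arp_request(&f, HOST_MAC, host_ip, inet_addr("192.168.1.1"));
    arp_receive(&cache, &f);                         /* host asks for the gateway */
    build_arp_request(&f, JAIL_MAC, probe_sender_ip, jail_ip);
    arp_receive(&cache, &f);                         /* jail probes its candidate */

    if (!neigh_lookup(&cache, host_ip, mac)) return -1;
    return memcmp(mac, JAIL_MAC, MAC_LEN) == 0;
}

/* Pre-fix behaviour described in the report: jail MAC, host IP as sender. */
int buggy_probe_pollutes(void)   { return probe_pollutes_neighbour(inet_addr("192.168.1.10")); }
/* Post-fix behaviour described in the comment: sender IP 0. */
int rfc5227_probe_pollutes(void) { return probe_pollutes_neighbour(0); }

int main(void)
{
    printf("jail MAC + host IP pollutes neighbour cache: %d\n", buggy_probe_pollutes());
    printf("RFC 5227 probe (sender IP 0.0.0.0) pollutes: %d\n", rfc5227_probe_pollutes());
    return 0;
}
```

The check a practitioner would run on a real network is the same one the toy cache performs: capture the jail's startup ARP with tcpdump on a neighbouring host and confirm the sender protocol address is 0.0.0.0 rather than the host's address, then confirm `ip neigh` on that neighbour still maps the host's IP to the host's MAC.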

@caoliver commented on GitHub (Jul 28, 2017):

On Thu, 27 Jul 2017 17:20:25 +0000 (UTC)
netblue30 <notifications@github.com> wrote:

> I put a fix in, you can give it a try. I'm doing the probing with an IP address of 0.

For my initial testing, this seems to work. I'll put this on the rest of my boxes and see how I go.

BTW: RFC 5227 didn't exist when I was last hacking TCP/IP; thanks for the reading material.

Sorry that I whinge so much, but I suppose that you get lots of whinging people when you write a generally useful tool. ;-)

Thanks and Cheers!

--
Christopher Oliver <current.input.port@gmail.com>


@netblue30 commented on GitHub (Jul 29, 2017):

Actually, I've just found about it now. Searching for the original ARP RFC, the new one came up in Google search. Keep an eye on it, we'll reopen it if necessary. Thanks for the bug.

Reference: github-starred/firejail#958