Using the --net=<interface> option does not currently work for wireguard interfaces.
I encountered this on a Void Linux system, x86_64 glibc: linux 4.14.29 and lower, wireguard 0.0.20180304, firejail 0.9.52.
# ip link add wg0 type wireguard
# ip address add dev wg0 192.168.2.1/24
$ firejail --net=wg0 /bin/bash
Reading profile /etc/firejail/default.profile
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-passwdmgr.inc
Reading profile /etc/firejail/disable-programs.inc
** Note: you can use --noprofile to disable default.profile **
Parent pid 13726, child pid 13727
RTNETLINK answers: Invalid argument
Error: failed to run /usr/lib/firejail/fnet
Error ioctl: interface.c:98 net_if_up: No such device
Error: failed to run /usr/lib/firejail/fnet
Error: proc 13726 cannot sync with peer: unexpected EOF
Peer 13727 unexpectedly exited with status 1
Here is an strace of the process: <removed>
Firejail's --net option uses macvlan under the hood and hence only works with L2 ethernet devices (as documented in the man page). Therefore, it can obviously not be used directly with a wireguard tunnel which operates at L3.
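A pre-flight check built on the maintainer's explanation above, as an added example that is not part of firejail: it reads the kernel's ARPHRD link type from sysfs and refuses to hand an L3-only link such as wg0 to --net. The optional sysfs-root argument and the fixture tree are assumptions so the check can run offline; on a real host call it without the second argument.

```shell
# Added example, not firejail's own code. --net attaches a macvlan, and
# macvlan needs an L2 Ethernet link, so check the link type first.
# /sys/class/net/<iface>/type holds the ARPHRD_* value:
#   1     = ARPHRD_ETHER (usable with --net)
#   65534 = ARPHRD_NONE  (L3-only links such as wireguard and tun)
# The second argument (sysfs root, default /sys) is an assumed override
# used only so the example can run against a constructed fixture.

# Print the ARPHRD type of an interface; return 2 if it does not exist.
net_if_type() {
    f="${2:-/sys}/class/net/$1/type"
    [ -r "$f" ] || return 2
    cat "$f"
}

# Return 0 if the interface can back firejail --net, 1 if it is the wrong
# link type, 2 if it does not exist. Diagnostics go to stderr.
firejail_net_usable() {
    t=$(net_if_type "$1" "$2") || {
        echo "error: no such interface: $1" >&2
        return 2
    }
    case "$t" in
        1) return 0 ;;
        65534)
            echo "error: $1 is an L3-only link (ARPHRD_NONE, e.g. wireguard); --net needs an Ethernet device" >&2
            return 1 ;;
        *)
            echo "error: $1 has link type $t, not Ethernet" >&2
            return 1 ;;
    esac
}

# Constructed sysfs fixture for offline demonstration (not a real host).
make_fixture() {
    d=$(mktemp -d)
    mkdir -p "$d/class/net/eth0" "$d/class/net/wg0" "$d/class/net/lo"
    echo 1 > "$d/class/net/eth0/type"      # Ethernet
    echo 65534 > "$d/class/net/wg0/type"   # wireguard reports ARPHRD_NONE
    echo 772 > "$d/class/net/lo/type"      # loopback
    echo "$d"
}

# Demo against the fixture: eth0 is accepted, wg0 is refused before
# firejail would fail with "RTNETLINK answers: Invalid argument".
FIX=$(make_fixture)
firejail_net_usable eth0 "$FIX" && echo "eth0: ok for --net"
firejail_net_usable wg0 "$FIX" || echo "wg0: refused (exit $?)"
rm -rf "$FIX"
```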