Support wireguard interfaces on firejail's --net option #1844

Closed
Piraty opened this issue Mar 28, 2018 · 3 comments

Comments

@Piraty

Piraty commented Mar 28, 2018

Using the --net=<interface> option currently does not work for wireguard interfaces.

I encountered this on a Void Linux system, x86_64 glibc.
linux 4.14.29 and lower
wireguard 0.0.20180304
firejail 0.9.52

# ip link add wg0 type wireguard
# ip address add dev wg0 192.168.2.1/24
$ firejail --net=wg0 /bin/bash
Reading profile /etc/firejail/default.profile
Reading profile /etc/firejail/disable-common.inc
Reading profile /etc/firejail/disable-passwdmgr.inc
Reading profile /etc/firejail/disable-programs.inc

** Note: you can use --noprofile to disable default.profile **

Parent pid 13726, child pid 13727
RTNETLINK answers: Invalid argument
Error: failed to run /usr/lib/firejail/fnet
Error ioctl: interface.c:98 net_if_up: No such device
Error: failed to run /usr/lib/firejail/fnet
Error: proc 13726 cannot sync with peer: unexpected EOF
Peer 13727 unexpectedly exited with status 1

Here is an strace of the process: <removed>

@atlaua

atlaua commented Mar 28, 2018

Firejail's --net option uses macvlan under the hood and hence only works with L2 ethernet devices (as documented in the man page). Therefore, it can obviously not be used directly with a wireguard tunnel which operates at L3.

@Vincent43
Collaborator

You can try firejail --netns with https://www.wireguard.com/netns/

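The two replies above describe the workable pattern: --net= is macvlan-based and needs an L2 device, so an L3 WireGuard tunnel has to be placed in its own network namespace and the sandbox attached to that namespace with --netns. The script below is an added example (not code from the issue or from the firejail project) that performs the steps from https://www.wireguard.com/netns/ and then launches the jail. The namespace name "wgjail", the interface name "wg0", the config path /etc/wireguard/wg0.conf and the tunnel address 10.0.0.2/32 are assumptions to adjust; it must run as root to do anything real, and DRY_RUN=1 only prints the commands it would run.

```shell
#!/bin/sh
# Added example, not part of the issue or of firejail.
# Puts a WireGuard interface into a persistent network namespace and runs a
# program there with firejail --netns. The wg0 link is created in the init
# namespace and only then moved, so its encrypted UDP socket stays bound to
# the host's physical network, while the sandboxed process sees nothing but
# the tunnel. If the tunnel goes down the namespace has no other route, so
# traffic fails closed instead of leaking to the host's interfaces.
#
# Assumed (hypothetical) values, override via the environment:
NS="${NS:-wgjail}"                          # namespace name
WG_IF="${WG_IF:-wg0}"                       # WireGuard interface
WG_CONF="${WG_CONF:-/etc/wireguard/wg0.conf}"  # wg(8) setconf format
WG_ADDR="${WG_ADDR:-10.0.0.2/32}"           # tunnel address of this peer
DRY_RUN="${DRY_RUN:-0}"                     # 1 = print commands only

# Run a command, or print it when dry-running (needed without root).
run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Build the namespace: create wg0 in the init namespace, move it, configure it.
wg_netns_up() {
    run ip netns add "$NS"
    run ip link add "$WG_IF" type wireguard
    run ip link set "$WG_IF" netns "$NS"
    run ip -n "$NS" link set lo up
    run ip netns exec "$NS" wg setconf "$WG_IF" "$WG_CONF"
    run ip -n "$NS" address add "$WG_ADDR" dev "$WG_IF"
    run ip -n "$NS" link set "$WG_IF" up
    # Only route in the namespace: everything goes through the tunnel.
    run ip -n "$NS" route add default dev "$WG_IF"
}

# Tear down: delete the interface explicitly, then the namespace.
wg_netns_down() {
    run ip -n "$NS" link delete "$WG_IF"
    run ip netns delete "$NS"
}

# Launch a program in the sandbox attached to the WireGuard-only namespace.
wg_jail() {
    run firejail --netns="$NS" "$@"
}

case "${1:-}" in
    up)   wg_netns_up ;;
    down) wg_netns_down ;;
    run)  shift; wg_jail "$@" ;;
    *)    echo "usage: $0 up | down | run <program> [args...]" >&2 ;;
esac
```

Usage: `sudo ./wgjail.sh up`, then `./wgjail.sh run /bin/bash`; inside the shell, `ip route` should list only the default route via wg0 and `ip link` only lo and wg0. Unlike the --net= path, nothing here requires the interface to speak Ethernet, which is why it works for an L3 tunnel.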
@Piraty
Author

Piraty commented Mar 29, 2018

Thanks, i will look into it.
Definitely missed the L2 part in the manpage...

3 participants