-
Notifications
You must be signed in to change notification settings - Fork 573
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
RTNETLINK error using "--net" option #2046
Comments
@netblue30, any insight on this problem? thanks |
I still have no idea what's going on. We added support for tap interfaces in --net command line option in the version here on github, still under heavy testing. You would need to configure OpenVPN in tap bridge mode, and you pass the tap device to --net. So far I couldn't firejail running on a OpenVPN tap device, that's kind of where I am now. There is another similar discussion going on here: #2032 |
I'm getting the same issue when I try using |
@netblue30, thanks for the reply but as I stated in my first post there's no vpn connection involved whatsoever at the moment, just two plain simple ethernet interfaces. I'm trying to use one of them inside a sandbox but I get that error message with both of them. One NIC is PCI (SysKonnect SK-9871, kernel module "skge"), the other one is integrated (Broadcom Limited NetXtreme BCM5754, kernel module "tg3"). |
Hmm, my error was fixed at some point. |
@netblue30 duplicate of #2387 i guess both issues should be closed ... Had a similar issue, this can be caused by a kernel update without reboot or a lack of needed kernel modules, to fix it either use a classic (main distribution) kernel or add the missing modules to your kernel Also this Alternatively Here are the required kernel modules for firejail networking features: (this is an exhaustive list to get everything working you should be good with just
Note that this also fix |
Hi @intika, I was almost givin' up on this... so first of all a big thanks for your answer! I successfully enabled all the other modules, but after rebooting in the newly recompiled kernel Firejail still throws me the RTNETLINK error, and yes I loaded ipvlan and ipv6. Thanks |
Does your VPN provider have Wireguard ? if its the case Wireguard have some interesting sandbox (user space) features... What kernel version are you using ? it's probably because of the used version that you are missing other modules... or may be it's just because those modules are neither enabled neither disabled (missing from the config file) you can may be just add them manually to the config file and see if the kernel get compiled otherwise you can search them with You have a lot of solution that could match exactly what you want
User space by it self require root you can not easily run firefox as a user under a different user space BUT firejail have an amazing option that let you use any "user space" without route Here are some readings about what i suggested:
With all that different informations you should for sure find a working solution with your current setup :) |
@intika I'm on kernel 5.0.7 (gentoo sources), what kernel are you running? I'll try to downgrade to some 4.* version to see if maybe something has changed. I'd like to keep going with firejail, I think I'm only missing these kernel modules to make it work, I'll let you know if I have any success. |
i still did not update to 5.xx have to update all my patches any way i tested with 4.14 and 4.20 ... what i sent before is kind a doing what firejail do but manually... firejail is using veth to accomplish name space separation you can still do it manually (following the video) to see where it exactly stuck... other solution are kind a doing it manually you can still use firejail after creating a user space... by the way i know you are using eth but bare in mind that this is not completely compatible with wlan ("network isolation", because wlan is a little different when it come to bridge/veth/macvlan etc) |
@intika Please review FAQ. |
@matu3ba ohh cool i read that this was linked into https://github.com/netblue30/firejail/wiki/Frequently-Asked-Questions#RTNETLINK-error so i guess we are good :) ... let me know if you want me to edit the wiki ;) |
if you have anything to improve, go ahead. |
Well... I'm afraid my head is spinning and not getting anywhere. The several solutions offered above for connecting a vpn to firejailed browser are simple to many on this forum, but confusing to me. If firejail is built around the idea of namespaces, why can't it include a special type of pre-configured namespace in which openvpn can run, and connect to the outside world, while providing connectivity to the vpn tunnel from other firejail namespaces? I'm afraid the need for manual configuration of netns puts this beyond the reach of newbies. |
Can macvlan or macvtap be used for connecting firejailed firefox via an openvpn service? If so, is there a guide for this? Edit: My question was not clear... After creating a macvlan link, like so... But it will not connect via a vpn. I have tried using addresses for eth0 (as above) and also those for tun0. What am I missing? |
I can reproduce a related issue after 1. a Kernel update and 2. a changed wifi interface (my distribution changed it from wlp3s0 or so to wlan0). The fix is to reboot (maybe logout + login might also be sufficient). @rusty-snake Would you accept changing the wiki on Either it should be written what needs to be fixed (in other projects) or put on the backlog. Personally I think firejail should not attempt to do stuff on the backlog better fix or wontfix upstream. |
I don't use firejail's networking features nor do I have followed all the RNETLINK issues. Therefore I cann't say anything here. |
I have enabled almost all modules listed in #2046 (comment) but still I get this error. (The only modules missing are This happens when I try to use a WireGuard interface. The eth0 interface works fine. |
You might want to have a look at LKDDb: Linux Kernel Driver DataBase for finding more info on how to get those missing modules. Or search for a similar site for Raspberry Pi OS kernel (if there is such a thing). CONFIG_NFT_RT |
@glitsj16 I tried on three different kernels: a stock Debian bookworm kernel, the Asahi Linux kernel, and the Raspberry Pi OS (64-bit) kernel. All of them have the same problem. I would be very surprised if it really is a problem with kernel modules - otherwise many more people would hit this issue. Rather, I think this bug is caused by something else (but because of the rather vague error message I have no idea where to look). (Worth noting that all three kernels are arm64 kernels, but I wouldn't expect that to matter here). For those wanting to reproduce this issue: basically just create a WireGuard network interface, and then run |
Hi,
I have two NICs and I'd like to sandbox firefox in a dedicated network interface, but if I try with
firejail --net=eth1 firefox
I get this error (this is run with --debug option):https://pastebin.com/Xa9RNJE6
As mentioned here #1844 by @atlaua maybe I need a L2 eth interface, but I can't find any information on the manpage nor I am sure if my nic is of such family (how can I find out?).
My goal is to have a main NIC (eth0) with an active OpenVPN connection, and run firefox/other applications on eth1 outside the VPN.
During all of my tests the VPN was down so it can't be the cause of my problem.
I'm on firejail version 0.9.54, self-compiled on Gentoo, I first tried with the only stable version supported 0.9.50 and it failed too.
Maybe I'm missing a kernel module? Is there a list of (if) needed modules?
Thanks
The text was updated successfully, but these errors were encountered: