
RTNETLINK error using "--net" option #2046

Open
zolfone opened this issue Jul 16, 2018 · 20 comments
Labels
enhancement New feature request

Comments

zolfone commented Jul 16, 2018

Hi,
I have two NICs and I'd like to sandbox firefox in a dedicated network interface, but if I try with firejail --net=eth1 firefox I get this error (this is run with --debug option):
https://pastebin.com/Xa9RNJE6
As mentioned here in #1844 by @atlaua, maybe I need an L2 eth interface, but I can't find any information on the manpage, nor am I sure if my NIC is of such a family (how can I find out?).
My goal is to have a main NIC (eth0) with an active OpenVPN connection, and run firefox/other applications on eth1 outside the VPN.
During all of my tests the VPN was down so it can't be the cause of my problem.
I'm on firejail version 0.9.54, self-compiled on Gentoo, I first tried with the only stable version supported 0.9.50 and it failed too.
Maybe I'm missing a kernel module? Is there a list of (if) needed modules?

Thanks

zolfone (Author) commented Jul 21, 2018

@netblue30, any insight on this problem? thanks

@netblue30 (Owner)

I still have no idea what's going on. We added support for tap interfaces in the --net command line option in the version here on GitHub, still under heavy testing. You would need to configure OpenVPN in tap bridge mode, and you pass the tap device to --net. So far I couldn't get firejail running on an OpenVPN tap device; that's kind of where I am now.

There is another similar discussion going on here: #2032

@netblue30 netblue30 added the enhancement New feature request label Jul 24, 2018
chiraag-nataraj (Collaborator)

I'm getting the same issue when I try using --net=wlp60s0 (my wireless interface). No idea if this is related at all to this issue, but I'm getting the exact same message.

zolfone (Author) commented Jul 26, 2018

@netblue30, thanks for the reply but as I stated in my first post there's no vpn connection involved whatsoever at the moment, just two plain simple ethernet interfaces. I'm trying to use one of them inside a sandbox but I get that error message with both of them. One NIC is PCI (SysKonnect SK-9871, kernel module "skge"), the other one is integrated (Broadcom Limited NetXtreme BCM5754, kernel module "tg3").
I'm trying to be as verbose as possible; if I'm not posting some useful information, please let me know and I'll post it.
I still can't find any information on L2 NICs though.

chiraag-nataraj (Collaborator)

Hmm, my error was fixed at some point.

intika (Contributor) commented Apr 9, 2019

@netblue30 duplicate of #2387, I guess both issues should be closed

...

Had a similar issue. This can be caused by a kernel update without a reboot or by a lack of needed kernel modules. To fix it, either use a classic (main distribution) kernel or add the missing modules to your kernel.

Also, this error, ioctl: interface.c:98 net_if_up: No such device, is typically raised because of a missing CONFIG_IPVLAN and/or CONFIG_IPV6 module. Technically the --net parameter requires only ipvlan, but ipvlan has a "false" dependency on ipv6. There is a kernel patch to fix that here or here if you still want to keep ipv6 disabled while getting firejail's network feature working; otherwise just add ipv6 along with ipvlan.

Alternatively, the ifup lo command can give more details on the error/missing module that could affect "firejail --net".

Here are the required kernel modules for firejail's networking features (this is an exhaustive list to get everything working; you should be good with just ipvlan):

CONFIG_IPVLAN=m
CONFIG_IPVTAP=m
CONFIG_VXLAN=m
CONFIG_NET_VRF=m
CONFIG_NF_TABLES=m
CONFIG_NF_TABLES_NETDEV=m
CONFIG_NFT_RT=m
CONFIG_NFT_MASQ=m
CONFIG_NFT_REDIR=m
CONFIG_NFT_NAT=m
CONFIG_NFT_REJECT=m
CONFIG_NF_TABLES_IPV4=m
CONFIG_NFT_REJECT_IPV4=m
CONFIG_NFT_MASQ_IPV4=m
CONFIG_NFT_REDIR_IPV4=m
CONFIG_BRIDGE_EBT_VLAN=m
CONFIG_GARP=m
CONFIG_MRP=m
CONFIG_BRIDGE_VLAN_FILTERING=y
CONFIG_VLAN_8021Q=m
CONFIG_VLAN_8021Q_GVRP=y
CONFIG_VLAN_8021Q_MVRP=y
CONFIG_NET_L3_MASTER_DEV=y

Note that this also fixes RTNETLINK answers: Operation not supported. @netblue30, this info could maybe be added to the wiki or FAQ.
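Added example, not code from the firejail project or from anyone in this thread. It does two things the thread asks for: it checks the running kernel's config for the options listed in the comment above (plus CONFIG_MACVLAN, my own addition, because the firejail manual describes --net=interface as attaching to the interface with the Linux macvlan driver), and it answers the opening post's question of how to tell whether a NIC is a layer-2 Ethernet device. The number in /sys/class/net/<if>/type is the ARPHRD_* constant from linux/if_arp.h; the macvlan and ipvlan drivers refuse any parent that is not type 1 (ARPHRD_ETHER), and tun-style devices such as a WireGuard wg0 or an OpenVPN tun0 report 65534 (ARPHRD_NONE). SAMPLE_CONFIG is constructed so the script can be exercised without a real kernel config.

```shell
#!/bin/sh
# Added example, not firejail's own code: check the running kernel for the
# options listed in the comment above and classify a network interface by
# its ARPHRD type, to see whether it can be a parent for --net.
set -e

# Options from the comment above, plus CONFIG_MACVLAN (my addition: the
# firejail manual names macvlan as the driver behind --net=interface).
REQUIRED_OPTS="CONFIG_MACVLAN CONFIG_IPVLAN CONFIG_IPV6 CONFIG_IPVTAP CONFIG_VXLAN
CONFIG_NET_VRF CONFIG_NF_TABLES CONFIG_NF_TABLES_NETDEV CONFIG_NFT_RT CONFIG_NFT_MASQ
CONFIG_NFT_REDIR CONFIG_NFT_NAT CONFIG_NFT_REJECT CONFIG_NF_TABLES_IPV4
CONFIG_NFT_REJECT_IPV4 CONFIG_NFT_MASQ_IPV4 CONFIG_NFT_REDIR_IPV4 CONFIG_BRIDGE_EBT_VLAN
CONFIG_GARP CONFIG_MRP CONFIG_BRIDGE_VLAN_FILTERING CONFIG_VLAN_8021Q
CONFIG_VLAN_8021Q_GVRP CONFIG_VLAN_8021Q_MVRP CONFIG_NET_L3_MASTER_DEV"

# Constructed sample .config for a stand-alone run: everything present except
# CONFIG_IPV6 (explicitly disabled) and CONFIG_NFT_RT (absent altogether).
SAMPLE_CONFIG=$(for o in $REQUIRED_OPTS; do
  case "$o" in
    CONFIG_IPV6)   echo "# $o is not set" ;;
    CONFIG_NFT_RT) ;;
    *)             echo "$o=m" ;;
  esac
done)

running_config() {
  # Print the running kernel's .config; needs CONFIG_IKCONFIG_PROC or a
  # distribution-installed /boot/config-<release>.
  if [ -r /proc/config.gz ]; then zcat /proc/config.gz
  elif [ -r "/boot/config-$(uname -r)" ]; then cat "/boot/config-$(uname -r)"
  else echo "no kernel config found" >&2; return 1
  fi
}

missing_opts() {
  # $1: .config text. Prints every required option that is absent or
  # "is not set" (=y and =m both count as present); status 1 if any is missing.
  cfg="$1"; rc=0
  for opt in $REQUIRED_OPTS; do
    if ! printf '%s\n' "$cfg" | grep -q "^${opt}=[ym]\$"; then
      printf '%s\n' "$opt"; rc=1
    fi
  done
  return $rc
}

if_type_name() {
  # $1: the number in /sys/class/net/<if>/type (ARPHRD_* in linux/if_arp.h).
  # macvlan/ipvlan refuse any parent that is not ARPHRD_ETHER (1).
  case "$1" in
    1)       echo "ether: usable as --net parent" ;;
    772)     echo "loopback: not usable" ;;
    512)     echo "ppp: layer 3, not usable" ;;
    768|776) echo "ipip/sit tunnel: layer 3, not usable" ;;
    65534)   echo "none: tun/WireGuard-style layer-3 device, not usable" ;;
    *)       echo "type $1: not Ethernet, not usable" ;;
  esac
}

describe_if() {
  # $1: interface name. Reads sysfs; also flags wireless parents, which the
  # comment above says behave differently from wired Ethernet.
  [ -r "/sys/class/net/$1/type" ] || { echo "$1: no such interface"; return 1; }
  echo "$1: $(if_type_name "$(cat "/sys/class/net/$1/type")")"
  [ -d "/sys/class/net/$1/wireless" ] && echo "$1: wireless; expect macvlan trouble"
  return 0
}

case "${1:-}" in
  config) missing_opts "$(running_config)" && echo "all required options present" ;;
  iface)  describe_if "$2" ;;
esac
```

Run it as `sh check.sh config` (the file name is my choice) to list what the running kernel lacks, and `sh check.sh iface eth1` to see whether a given interface is an Ethernet device at all before blaming the module list.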

zolfone (Author) commented Apr 30, 2019

Hi @intika, I was almost giving up on this... so first of all a big thanks for your answer!
But I'm having lots of trouble finding at least half of those modules in my kernel.
I usually edit my .config file and search for what I need to enable, but in this case most of them are missing, e.g.:
CONFIG_NFT_RT=m
CONFIG_NFT_MASQ=m
CONFIG_NFT_REDIR=m
CONFIG_NFT_NAT=m
CONFIG_NFT_MASQ_IPV4=m
CONFIG_NFT_REDIR_IPV4=m

I successfully enabled all the other modules, but after rebooting into the newly recompiled kernel Firejail still throws me the RTNETLINK error, and yes, I loaded ipvlan and ipv6.
Any suggestions for the kernel config problem? Maybe you could write the exact sections under "make menuconfig" where to enable all the necessary modules.

Thanks

intika (Contributor) commented May 6, 2019

My goal is to have a main NIC (eth0) with an active OpenVPN connection, and run firefox/other applications on eth1 outside the VPN.

Does your VPN provider have WireGuard? If that's the case, WireGuard has some interesting sandbox (user space) features...

What kernel version are you using? It's probably because of the version used that you are missing other modules... or maybe it's just because those modules are neither enabled nor disabled (missing from the config file). You can maybe just add them manually to the config file and see if the kernel gets compiled; otherwise you can search for them with make menuconfig, I think the shortcut for search is the / or ? key.

You have a lot of solutions that could match exactly what you want:

  • WireGuard with user space (depends on your provider)
  • Set up a user space with ipvlan, then initiate an OpenVPN connection inside the user space
  • Use firejail's routed solution, but this requires using ip_forward, which makes your box act as a router and may introduce security risks if it's not correctly set up with iptables and a firewall...
  • Use a bridge + user space solution.

User space by itself requires root; you cannot easily run firefox as a user under a different user space, BUT firejail has an amazing option that lets you use any "user space" without root: firejail --netns=space-name

Here are some readings about what i suggested:

With all that different information you should for sure find a working solution with your current setup :)
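Added example, not firejail's own code and not posted by anyone in this thread. It scripts the second bullet above (a persistent network namespace on an ipvlan child of a physical NIC, with OpenVPN started inside it) together with the --netns tip at the end of the comment. The namespace name vpnspace, the parent NIC eth1, the 192.168.1.x addresses, the resolver and the OpenVPN config path are all assumptions; override them through the environment. Skipping the vpn step gives the opening post's setup instead: the sandbox lives on eth1 with its own routing table, so it never sees the VPN default route held by the root namespace on eth0. With DRY_RUN=1 the script prints the ip commands instead of running them, which is also how the stand-alone run below exercises it without root.

```shell
#!/bin/sh
# Added example, not firejail's own code: build a persistent network
# namespace on an ipvlan child of a physical NIC, optionally start OpenVPN
# inside it, and attach a firejail sandbox to it with --netns.
# Every name and address below is an assumption; override via environment.
set -e

NS="${NS:-vpnspace}"                 # namespace name (assumed)
PARENT="${PARENT:-eth1}"             # physical ARPHRD_ETHER NIC the ipvlan hangs off
IFNAME="${IFNAME:-ipvl0}"            # ipvlan child interface name
NS_IP="${NS_IP:-192.168.1.200/24}"   # unused address on PARENT's LAN (assumed)
NS_GW="${NS_GW:-192.168.1.1}"        # LAN gateway (assumed)
NS_DNS="${NS_DNS:-192.168.1.1}"      # resolver for the namespace (assumed)
OVPN_CONF="${OVPN_CONF:-/etc/openvpn/client.conf}"  # assumed path
DRY_RUN="${DRY_RUN:-}"               # set to 1 to print commands instead of running

run() {
  if [ -n "$DRY_RUN" ]; then printf '%s\n' "$*"; else "$@"; fi
}

setup_ns() {
  # Needs root. ipvlan in l2 mode reuses PARENT's MAC address and only adds
  # an IP, so it also works where a switch or AP rejects extra MACs (the
  # usual macvlan problem on wireless).
  run ip netns add "$NS"
  run ip link add "$IFNAME" link "$PARENT" type ipvlan mode l2
  run ip link set "$IFNAME" netns "$NS"
  run ip -n "$NS" link set lo up
  run ip -n "$NS" addr add "$NS_IP" dev "$IFNAME"
  run ip -n "$NS" link set "$IFNAME" up
  run ip -n "$NS" route add default via "$NS_GW"
  # ip-netns(8) bind-mounts /etc/netns/<NS>/resolv.conf over /etc/resolv.conf
  # for "ip netns exec", so OpenVPN started below can resolve its server.
  run mkdir -p "/etc/netns/$NS"
  run sh -c "printf 'nameserver %s\n' '$NS_DNS' > /etc/netns/$NS/resolv.conf"
}

start_vpn() {
  # The tun device OpenVPN creates and the routes it pushes exist only inside
  # the namespace; the root namespace keeps its own routing on eth0.
  # Skip this step to run the sandbox on PARENT without any VPN.
  run ip netns exec "$NS" openvpn --config "$OVPN_CONF" --daemon
}

sandbox_cmd() {
  # Command line for the unprivileged user: --netns joins the existing named
  # namespace, --dns sets the sandbox's resolver since firejail does not read
  # /etc/netns/<NS>/resolv.conf.
  printf 'firejail --netns=%s --dns=%s %s\n' "$NS" "$NS_DNS" "$*"
}

teardown_ns() {
  run ip netns del "$NS"          # also destroys the ipvlan child moved into it
  run rm -rf "/etc/netns/$NS"
}

case "${1:-}" in
  up)   setup_ns ;;
  vpn)  start_vpn ;;
  cmd)  shift; sandbox_cmd "$@" ;;
  down) teardown_ns ;;
esac
```

Typical use, with the file saved under a name of your choice: `sudo sh netns.sh up`, then `sudo sh netns.sh vpn` if the sandbox should go through the VPN, then run the line printed by `sh netns.sh cmd firefox` as your normal user. Inspect the namespace with `sudo ip netns exec vpnspace ip route` to confirm the default route (and, after the vpn step, the tun device) is where you expect before launching the browser.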

zolfone (Author) commented May 6, 2019

@intika I'm on kernel 5.0.7 (gentoo sources), what kernel are you running? I'll try to downgrade to some 4.* version to see if maybe something has changed. I'd like to keep going with firejail, I think I'm only missing these kernel modules to make it work, I'll let you know if I have any success.

intika (Contributor) commented May 6, 2019

I still did not update to 5.xx, I have to update all my patches anyway. I tested with 4.14 and 4.20... What I sent before is kind of doing what firejail does, but manually: firejail is using veth to accomplish namespace separation, and you can still do it manually (following the video) to see where exactly it gets stuck. The other solutions are kind of doing it manually too; you can still use firejail after creating a user space... By the way, I know you are using eth, but bear in mind that this is not completely compatible with wlan ("network isolation", because wlan is a little different when it comes to bridge/veth/macvlan etc.).
Another video: https://www.youtube.com/watch?v=_WgUwUf1d34

matu3ba (Contributor) commented Jun 27, 2019

@intika Please review FAQ.

intika (Contributor) commented Jun 27, 2019

@matu3ba Oh cool, I read that this was linked into https://github.com/netblue30/firejail/wiki/Frequently-Asked-Questions#RTNETLINK-error, so I guess we are good :) ... Let me know if you want me to edit the wiki ;)

rusty-snake (Collaborator)

let me know if you want me to edit the wiki

if you have anything to improve, go ahead.

davew-fj commented Mar 9, 2020

Well... I'm afraid my head is spinning and not getting anywhere. The several solutions offered above for connecting a vpn to firejailed browser are simple to many on this forum, but confusing to me.

If firejail is built around the idea of namespaces, why can't it include a special type of pre-configured namespace in which openvpn can run, and connect to the outside world, while providing connectivity to the vpn tunnel from other firejail namespaces?

I'm afraid the need for manual configuration of netns puts this beyond the reach of newbies.

davew-fj commented Apr 6, 2020

Can macvlan or macvtap be used for connecting firejailed firefox via an openvpn service? If so, is there a guide for this?

Edit: My question was not clear... After creating a macvlan link, like so...
sudo ip link add macvlan0 link eth0 type macvlan mode bridge
... and starting firejailed firefox, like so...
firejail --net=macvlan0 --ip=192.168.227.10 --netmask=255.255.255.0 --defaultgw=192.168.227.1 --dns=10.4.0.1 firefox-esr
... firejailed firefox connects directly to internet via eth0. (Of course, it does that anyway, with the default firejail networking.)

But it will not connect via a vpn. I have tried using addresses for eth0 (as above) and also those for tun0. What am I missing?

matu3ba (Contributor) commented May 18, 2021

I can reproduce a related issue after 1. a Kernel update and 2. a changed wifi interface (my distribution changed it from wlp3s0 or so to wlan0).

The fix is to reboot (maybe logout + login might also be sufficient).

@rusty-snake Would you accept changing the wiki on RTNETLINK problems to 1. installing drivers and 2. reboot, for closing this issue?

Either it should be written what needs to be fixed (in other projects) or put on the backlog. Personally I think firejail should not attempt to do stuff on the backlog; better fix or wontfix upstream.

rusty-snake (Collaborator)

I don't use firejail's networking features, nor have I followed all the RTNETLINK issues. Therefore I can't say anything here.

aykevl commented Jul 20, 2023

I have enabled almost all modules listed in #2046 (comment) but still I get this error. (The only modules missing are CONFIG_NFT_RT, CONFIG_BRIDGE_VLAN_FILTERING, and CONFIG_VLAN_8021Q_MVRP.) The kernel is a standard Raspberry Pi OS (64-bit) kernel where I enabled CONFIG_IPVTAP in the hope that it would help (it didn't).

This happens when I try to use a WireGuard interface. The eth0 interface works fine.

glitsj16 (Collaborator)

@aykevl

You might want to have a look at LKDDb: Linux Kernel Driver DataBase for finding more info on how to get those missing modules. Or search for a similar site for Raspberry Pi OS kernel (if there is such a thing).
It can be a bit of a pain to follow the config dependency chain but at least you can look up stuff without having to go through a build to discover the needed module isn't there...

CONFIG_NFT_RT
The nft_rt module seems to be present in Linux kernels 4.10–4.17 only. Hopefully you can track what superseded it.

aykevl commented Jul 20, 2023

@glitsj16 I tried on three different kernels: a stock Debian bookworm kernel, the Asahi Linux kernel, and the Raspberry Pi OS (64-bit) kernel. All of them have the same problem. I would be very surprised if it really is a problem with kernel modules - otherwise many more people would hit this issue. Rather, I think this bug is caused by something else (but because of the rather vague error message I have no idea where to look).

(Worth noting that all three kernels are arm64 kernels, but I wouldn't expect that to matter here).

For those wanting to reproduce this issue: basically just create a WireGuard network interface, and then run firejail --net=wg0 echo hello to see the error message.

10 participants