Package: firejail
Version: 0.9.42-1~bpo8+1
Severity: important

Dear Maintainer,
On my system, as of yesterday, firejails with a separate network namespace are unable to reach any external hosts. For example,

$ /sbin/ifconfig
eth0      Link encap:Ethernet  HWaddr 74:d4:35:1e:1a:c3
          inet addr:192.168.1.233  Bcast:192.168.1.255  Mask:255.255.255.0
          inet6 addr: fe80::76d4:35ff:fe1e:1ac3/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:96483 errors:0 dropped:0 overruns:0 frame:0
          TX packets:53337 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:139321079 (132.8 MiB)  TX bytes:4408696 (4.2 MiB)
          Interrupt:20 Memory:f7100000-f7120000

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:396 errors:0 dropped:0 overruns:0 frame:0
          TX packets:396 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1
          RX bytes:385244 (376.2 KiB)  TX bytes:385244 (376.2 KiB)

$ firejail --noprofile --net=eth0
Parent pid 9079, child pid 9080

Interface        MAC                IP               Mask             Status
lo                                  127.0.0.1        255.0.0.0        UP
eth0-9079        96:6d:22:aa:e6:39  192.168.1.135    255.255.255.0    UP
Default gateway 192.168.1.1

Child process initialized
Cleanliness becomes more important when godliness is unlikely.
                -- P. J. O'Rourke
$ w3m google.com
w3m: Can't load google.com.
$ /sbin/ifconfig
eth0-9079 Link encap:Ethernet  HWaddr 96:6d:22:aa:e6:39
          inet addr:192.168.1.135  Bcast:192.168.1.255  Mask:255.255.255.0
          inet6 addr: fe80::946d:22ff:feaa:e639/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:2 errors:0 dropped:0 overruns:0 frame:0
          TX packets:8 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:228 (228.0 B)  TX bytes:636 (636.0 B)

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

The only possibly relevant change to my system that I can think of (even after consulting system logs) is that this occurred after I removed the package iptables-persistent, but reinstalling it did not resolve the problem.

firejail with network namespaces works as expected for several minutes immediately after a cold boot, but then even *already running* firejails lose the ability to reach the outside world.

As shown below, I am running the jessie-backports kernel, but this happens on the jessie kernel as well.

I realise it is likely that this is not a firejail bug, but this is the only tool I know how to use for setting up network namespaces.

Kind regards,
Aidan Gauland

-- System Information:
Debian Release: 8.6
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386, armhf

Kernel: Linux 4.7.0-0.bpo.1-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_NZ.UTF-8, LC_CTYPE=en_NZ.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages firejail depends on:
ii  libapparmor1  2.9.0-3
ii  libc6         2.19-18+deb8u6

Versions of packages firejail recommends:
ii  xpra  0.14.10+dfsg-1

firejail suggests no packages.

-- no debconf information