tunneling support - tap interface in --net option

author: netblue30 <netblue30@yahoo.com> 2018-07-11 06:42:59 -0400
committer: netblue30 <netblue30@yahoo.com> 2018-07-11 06:42:59 -0400
commit: 261d08d394559a05d804a76e52183f6e26d871f5 (patch)
tree: 0f17c4d61ad92290863590ed4347c5e14729eb20 /src
parent: Add documentation for keep-dev-shm option (diff)
download: firejail-261d08d394559a05d804a76e52183f6e26d871f5.tar.gz
firejail-261d08d394559a05d804a76e52183f6e26d871f5.tar.zst
firejail-261d08d394559a05d804a76e52183f6e26d871f5.zip
3 files changed, 25 insertions, 4 deletions
diff --git a/src/firejail/main.c b/src/firejail/main.c
index c57e5910a..ef8d8172f 100644
--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@@ -264,7 +264,7 @@ static void check_network(Bridge *br) {
        assert(br);
        if (br->macvlan == 0) // for bridge devices check network range or arp-scan and assign address
                net_configure_sandbox_ip(br);
-        else if (br->ipsandbox) { // for macvlan check network range
+        else if (br->ipsandbox && br->ip && br->mask) { // for macvlan check network range
                char *rv = in_netrange(br->ipsandbox, br->ip, br->mask);
                if (rv) {
                        fprintf(stderr, "%s", rv);
diff --git a/src/man/firejail-profile.txt b/src/man/firejail-profile.txt
index 767cf89f4..e29cf4f4b 100644
--- a/src/man/firejail-profile.txt
+++ b/src/man/firejail-profile.txt
@@ -589,16 +589,23 @@ configured as default gateway is the bridge device IP address. Up to four \-\-ne
 bridge devices can be defined. Mixing bridge and macvlan devices is allowed.
 .TP
-\fBnet ethernet_interface
+\fBnet ethernet_interface|wireless_interface
 Enable a new network namespace and connect it
-to this ethernet interface using the standard Linux macvlan
+to this ethernet interface using the standard Linux macvlan or ipvlan
 driver. Unless specified with option \-\-ip and \-\-defaultgw, an
 IP address and a default gateway will be assigned automatically
 to the sandbox. The IP address is verified using ARP before
 assignment. The address configured as default gateway is the
 default gateway of the host. Up to four \-\-net devices can
 be defined. Mixing bridge and macvlan devices is allowed.
-Note: wlan devices are not supported for this option.
+.TP
+\fBnet tap_interface
+Enable a new network namespace and connect it
+to this ethernet tap interface using the standard Linux macvlan
+driver.  If the tap interface is not configured, the sandbox
+will not try to configure the interface inside the sandbox.
+Please use ip, netmask and defaultgw to specify the configuration.
 .TP
 \fBnet none
diff --git a/src/man/firejail.txt b/src/man/firejail.txt
index 74a9a9da9..f29d9cddf 100644
--- a/src/man/firejail.txt
+++ b/src/man/firejail.txt
@@ -816,6 +816,20 @@ $ firejail \-\-net=eth0 \-\-ip=192.168.1.80 \-\-dns=8.8.8.8 firefox
 $ firejail \-\-net=wlan0 firefox
 .TP
+\fB\-\-net=tap_interface
+Enable a new network namespace and connect it
+to this ethernet tap interface using the standard Linux macvlan
+driver. If the tap interface is not configured, the sandbox
+will not try to configure the interface inside the sandbox.
+Please use \-\-ip, \-\-netmask and \-\-defaultgw to specify the configuration.
+.br
+.br
+Example:
+.br
+$ firejail \-\-net=tap0 \-\-ip=10.10.20.80 \-\-netmask=255.255.255.0 \-\-defaultgw=10.10.20.1 firefox
+.TP
 \fB\-\-net=none
 Enable a new, unconnected network namespace. The only interface
 available in the new namespace is a new loopback interface (lo).
author	netblue30 <netblue30@yahoo.com>	2018-07-11 06:42:59 -0400
committer	netblue30 <netblue30@yahoo.com>	2018-07-11 06:42:59 -0400
commit	261d08d394559a05d804a76e52183f6e26d871f5 (patch)
tree	0f17c4d61ad92290863590ed4347c5e14729eb20 /src
parent	Add documentation for keep-dev-shm option (diff)
download	firejail-261d08d394559a05d804a76e52183f6e26d871f5.tar.gz firejail-261d08d394559a05d804a76e52183f6e26d871f5.tar.zst firejail-261d08d394559a05d804a76e52183f6e26d871f5.zip

diff --git a/src/firejail/main.c b/src/firejail/main.c index c57e5910a..ef8d8172f 100644 --- a/src/firejail/main.c +++ b/src/firejail/main.c
@@ -264,7 +264,7 @@ static void check_network(Bridge *br) {
264	assert(br);	264	assert(br);
265	if (br->macvlan == 0) // for bridge devices check network range or arp-scan and assign address	265	if (br->macvlan == 0) // for bridge devices check network range or arp-scan and assign address
266	net_configure_sandbox_ip(br);	266	net_configure_sandbox_ip(br);
267	else if (br->ipsandbox) { // for macvlan check network range	267	else if (br->ipsandbox && br->ip && br->mask) { // for macvlan check network range
268	char *rv = in_netrange(br->ipsandbox, br->ip, br->mask);	268	char *rv = in_netrange(br->ipsandbox, br->ip, br->mask);
269	if (rv) {	269	if (rv) {
270	fprintf(stderr, "%s", rv);	270	fprintf(stderr, "%s", rv);


diff --git a/src/man/firejail-profile.txt b/src/man/firejail-profile.txt index 767cf89f4..e29cf4f4b 100644 --- a/src/man/firejail-profile.txt +++ b/src/man/firejail-profile.txt
@@ -589,16 +589,23 @@ configured as default gateway is the bridge device IP address. Up to four \-\-ne
589	bridge devices can be defined. Mixing bridge and macvlan devices is allowed.	589	bridge devices can be defined. Mixing bridge and macvlan devices is allowed.
590		590
591	.TP	591	.TP
592	\fBnet ethernet_interface	592	\fBnet ethernet_interface\|wireless_interface
593	Enable a new network namespace and connect it	593	Enable a new network namespace and connect it
594	to this ethernet interface using the standard Linux macvlan	594	to this ethernet interface using the standard Linux macvlan or ipvlan
595	driver. Unless specified with option \-\-ip and \-\-defaultgw, an	595	driver. Unless specified with option \-\-ip and \-\-defaultgw, an
596	IP address and a default gateway will be assigned automatically	596	IP address and a default gateway will be assigned automatically
597	to the sandbox. The IP address is verified using ARP before	597	to the sandbox. The IP address is verified using ARP before
598	assignment. The address configured as default gateway is the	598	assignment. The address configured as default gateway is the
599	default gateway of the host. Up to four \-\-net devices can	599	default gateway of the host. Up to four \-\-net devices can
600	be defined. Mixing bridge and macvlan devices is allowed.	600	be defined. Mixing bridge and macvlan devices is allowed.
601	Note: wlan devices are not supported for this option.	601
		602	.TP
		603	\fBnet tap_interface
		604	Enable a new network namespace and connect it
		605	to this ethernet tap interface using the standard Linux macvlan
		606	driver. If the tap interface is not configured, the sandbox
		607	will not try to configure the interface inside the sandbox.
		608	Please use ip, netmask and defaultgw to specify the configuration.
602		609
603	.TP	610	.TP
604	\fBnet none	611	\fBnet none


diff --git a/src/man/firejail.txt b/src/man/firejail.txt index 74a9a9da9..f29d9cddf 100644 --- a/src/man/firejail.txt +++ b/src/man/firejail.txt
@@ -816,6 +816,20 @@ $ firejail \-\-net=eth0 \-\-ip=192.168.1.80 \-\-dns=8.8.8.8 firefox
816	$ firejail \-\-net=wlan0 firefox	816	$ firejail \-\-net=wlan0 firefox
817		817
818	.TP	818	.TP
		819	\fB\-\-net=tap_interface
		820	Enable a new network namespace and connect it
		821	to this ethernet tap interface using the standard Linux macvlan
		822	driver. If the tap interface is not configured, the sandbox
		823	will not try to configure the interface inside the sandbox.
		824	Please use \-\-ip, \-\-netmask and \-\-defaultgw to specify the configuration.
		825	.br
		826
		827	.br
		828	Example:
		829	.br
		830	$ firejail \-\-net=tap0 \-\-ip=10.10.20.80 \-\-netmask=255.255.255.0 \-\-defaultgw=10.10.20.1 firefox
		831
		832	.TP
819	\fB\-\-net=none	833	\fB\-\-net=none
820	Enable a new, unconnected network namespace. The only interface	834	Enable a new, unconnected network namespace. The only interface
821	available in the new namespace is a new loopback interface (lo).	835	available in the new namespace is a new loopback interface (lo).