25 files changed, 419 insertions, 244 deletions

diff --git a/RELNOTES b/RELNOTES
index c003c6185..c4cfea668 100644
--- a/RELNOTES
+++ b/RELNOTES
@@ -4,6 +4,8 @@ firejail (0.9.73) baseline; urgency=low
   * feature: Print the argument when failing with "too long arguments" (#5677)
   * feature: a random hostname is assigned to each sandbox unless
     overwritten using --hostname command
+  * feature: add IPv6 support for --net.print option
+  * modif: remove firemon --interface option (duplicating --net.print option)
   * modif: Stop forwarding own double-dash to the shell (#5599 #5600)
   * modif: Prevent sandbox name (--name=) and host name (--hostname=)
     from containing only digits (#5578)
diff --git a/etc/inc/disable-programs.inc b/etc/inc/disable-programs.inc
index a2e788f9b..40c123968 100644
--- a/etc/inc/disable-programs.inc
+++ b/etc/inc/disable-programs.inc
@@ -84,6 +84,7 @@ blacklist ${HOME}/.cache/Tox
 blacklist ${HOME}/.cache/Zeal
 blacklist ${HOME}/.cache/agenda
 blacklist ${HOME}/.cache/akonadi*
+blacklist ${HOME}/.cache/ani-cli
 blacklist ${HOME}/.cache/atril
 blacklist ${HOME}/.cache/attic
 blacklist ${HOME}/.cache/audacity
@@ -518,6 +519,7 @@ blacklist ${HOME}/.config/leafpad
 blacklist ${HOME}/.config/libreoffice
 blacklist ${HOME}/.config/liferea
 blacklist ${HOME}/.config/linphone
+blacklist ${HOME}/.config/lobster
 blacklist ${HOME}/.config/lugaru
 blacklist ${HOME}/.config/lutris
 blacklist ${HOME}/.config/lximage-qt
@@ -953,6 +955,7 @@ blacklist ${HOME}/.local/share/kwrite
 blacklist ${HOME}/.local/share/kxmlgui5/*
 blacklist ${HOME}/.local/share/liferea
 blacklist ${HOME}/.local/share/linphone
+blacklist ${HOME}/.local/share/lobster
 blacklist ${HOME}/.local/share/local-mail
 blacklist ${HOME}/.local/share/lollypop
 blacklist ${HOME}/.local/share/love
@@ -1028,6 +1031,7 @@ blacklist ${HOME}/.local/share/wormux
 blacklist ${HOME}/.local/share/xplayer
 blacklist ${HOME}/.local/share/xreader
 blacklist ${HOME}/.local/share/zathura
+blacklist ${HOME}/.local/state/ani-cli
 blacklist ${HOME}/.local/state/audacity
 blacklist ${HOME}/.local/state/pipewire
 blacklist ${HOME}/.lv2
diff --git a/etc/profile-a-l/ani-cli.profile b/etc/profile-a-l/ani-cli.profile
new file mode 100644
index 000000000..270dffaed
--- /dev/null
+++ b/etc/profile-a-l/ani-cli.profile
@@ -0,0 +1,41 @@
+# Firejail profile for ani-cli
+# Description: Shell script to watch Anime from the terminal
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include ani-cli.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+noblacklist ${HOME}/.cache/ani-cli
+noblacklist ${HOME}/.local/state/ani-cli
+
+# Allow /bin/sh (blacklisted by disable-shell.inc)
+include allow-bin-sh.inc
+
+include disable-proc.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.cache/ani-cli
+mkdir ${HOME}/.local/state/ani-cli
+whitelist ${HOME}/.cache/ani-cli
+whitelist ${HOME}/.local/state/ani-cli
+include whitelist-run-common.inc
+include whitelist-runuser-common.inc
+
+#machine-id
+nodvd
+noprinters
+notv
+
+disable-mnt
+private-bin ani-cli,aria2c,cat,cp,curl,cut,ffmpeg,fzf,grep,head,mkdir,mv,nl,sed,sh,sort,tput,tr,uname,wc
+#private-cache
+private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,fonts,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,localtime,machine-id,mime.types,nsswitch.conf,pango,pki,protocols,pulse,resolv.conf,rpc,services,ssl,X11,xdg
+private-tmp
+
+read-only ${HOME}/.config/mpv
+
+# Redirect
+include mpv.profile
diff --git a/etc/profile-a-l/lobster.profile b/etc/profile-a-l/lobster.profile
new file mode 100644
index 000000000..01928c775
--- /dev/null
+++ b/etc/profile-a-l/lobster.profile
@@ -0,0 +1,41 @@
+# Firejail profile for lobster
+# Description: Shell script to watch Movies/Webseries/Shows from the terminal
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include lobster.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+noblacklist ${HOME}/.config/lobster
+noblacklist ${HOME}/.local/share/lobster
+
+# Allow /bin/sh (blacklisted by disable-shell.inc)
+include allow-bin-sh.inc
+
+include disable-proc.inc
+include disable-xdg.inc
+
+mkdir ${HOME}/.config/lobster
+mkdir ${HOME}/.local/share/lobster
+whitelist ${HOME}/.config/lobster
+whitelist ${HOME}/.local/share/lobster
+include whitelist-run-common.inc
+include whitelist-runuser-common.inc
+
+#machine-id
+nodvd
+noprinters
+notv
+
+disable-mnt
+private-bin curl,cut,fzf,grep,head,lobster,mv,patch,rm,sed,sh,tail,tput,tr,uname
+#private-cache
+private-etc alsa,alternatives,asound.conf,ca-certificates,crypto-policies,fonts,host.conf,hostname,hosts,ld.so.cache,ld.so.conf,ld.so.conf.d,ld.so.preload,locale,locale.alias,locale.conf,localtime,machine-id,mime.types,nsswitch.conf,pango,pki,protocols,pulse,resolv.conf,rpc,services,ssl,X11,xdg
+private-tmp
+
+read-only ${HOME}/.config/mpv
+
+# Redirect
+include mpv.profile
diff --git a/etc/profile-m-z/porn-cli.profile b/etc/profile-m-z/porn-cli.profile
new file mode 100644
index 000000000..f33ff439c
--- /dev/null
+++ b/etc/profile-m-z/porn-cli.profile
@@ -0,0 +1,14 @@
+# Firejail profile for porn-cli
+# Description: Python script for watching porn via the terminal
+# This file is overwritten after every install/update
+quiet
+# Persistent local customizations
+include porn-cli.local
+# Persistent global definitions
+# added by included profile
+#include globals.local
+
+private-bin porn-cli
+
+# Redirect
+include mov-cli.profile
diff --git a/gcov.sh b/gcov.sh
index 9b02d801c..0f2808ace 100755
--- a/gcov.sh
+++ b/gcov.sh
@@ -13,7 +13,7 @@ gcov_generate() {
         USER="$(whoami)"
         find . -exec sudo chown "$USER:$USER" '{}' +
         lcov -q --capture -d src/firejail -d src/lib -d src/firecfg -d src/firemon \
-                -d src/fnet -d src/fnetfilter --output-file gcov-file
+                -d src/fnet -d src/fnetfilter -d src/fcopy --output-file gcov-file
         genhtml -q gcov-file --output-directory gcov-dir
 }
 
@@ -21,29 +21,29 @@ rm -fr gcov-dir gcov-file
 firejail --version
 gcov_generate
 
-#make test-firecfg | grep TESTING
-#gcov_generate
-#make test-apparmor | grep TESTING
-#gcov_generate
+make test-firecfg | grep TESTING
+gcov_generate
+make test-apparmor | grep TESTING
+gcov_generate
 make test-network | grep TESTING
 gcov_generate
-#make test-appimage | grep TESTING
-#gcov_generate
-#make test-chroot | grep TESTING
-#gcov_generate
-#make test-sysutils | grep TESTING
-#gcov_generate
-#make test-private-etc | grep TESTING
-#gcov_generate
-#make test-profiles | grep TESTING
-#gcov_generate
-#make test-fcopy | grep TESTING
-#gcov_generate
+make test-appimage | grep TESTING
+gcov_generate
+make test-chroot | grep TESTING
+gcov_generate
+make test-sysutils | grep TESTING
+gcov_generate
+make test-private-etc | grep TESTING
+gcov_generate
+make test-profiles | grep TESTING
+gcov_generate
+make test-fcopy | grep TESTING
+gcov_generate
 make test-fnetfilter | grep TESTING
 gcov_generate
-#make test-fs | grep TESTING
-#gcov_generate
-#make test-utils | grep TESTING
-#gcov_generate
-#make test-environment | grep TESTING
-#gcov_generate
+make test-fs | grep TESTING
+gcov_generate
+make test-utils | grep TESTING
+gcov_generate
+make test-environment | grep TESTING
+gcov_generate
diff --git a/src/firecfg/firecfg.config b/src/firecfg/firecfg.config
index 45457fb47..7f85ea40a 100644
--- a/src/firecfg/firecfg.config
+++ b/src/firecfg/firecfg.config
@@ -44,6 +44,7 @@ amarok
 amule
 amuled
 android-studio
+ani-cli
 anydesk
 apktool
 apostrophe
@@ -483,6 +484,7 @@ linphone
 linuxqq
 lmms
 lobase
+lobster
 localc
 lodraw
 loffice
@@ -676,6 +678,7 @@ pluma
 plv
 pngquant
 polari
+porn-cli
 ppsspp
 pragha
 presentations18
diff --git a/src/firejail/netfilter.c b/src/firejail/netfilter.c
index b4deda562..32fdd6218 100644
--- a/src/firejail/netfilter.c
+++ b/src/firejail/netfilter.c
@@ -248,5 +248,5 @@ void netfilter_print(pid_t pid, int ipv6) {
                 exit(1);
         }
 
-        sbox_run(SBOX_ROOT | SBOX_CAPS_NETWORK | SBOX_SECCOMP, 2, iptables, "-vL");
+        sbox_run(SBOX_ROOT | SBOX_CAPS_NETWORK | SBOX_SECCOMP, 2, iptables, "-nvL");
 }
diff --git a/src/firejail/network.c b/src/firejail/network.c
index 0d2d53fca..3da51e195 100644
--- a/src/firejail/network.c
+++ b/src/firejail/network.c
@@ -89,30 +89,6 @@ int net_get_mtu(const char *ifname) {
         return mtu;
 }
 
-//void net_set_mtu(const char *ifname, int mtu) {
-//      if (strlen(ifname) > IFNAMSIZ) {
-//              fprintf(stderr, "Error: invalid network device name %s\n", ifname);
-//              exit(1);
-//      }
-//
-//      if (arg_debug)
-//              printf("set interface %s MTU %d.\n", ifname, mtu);
-//
-//      int s;
-//      struct ifreq ifr;
-//
-//      if ((s = socket(AF_INET, SOCK_DGRAM, 0)) < 0)
-//              errExit("socket");
-//
-//      memset(&ifr, 0, sizeof(ifr));
-//      ifr.ifr_addr.sa_family = AF_INET;
-//      strncpy(ifr.ifr_name, ifname, IFNAMSIZ - 1);
-//      ifr.ifr_mtu = mtu;
-//      if (ioctl(s, SIOCSIFMTU, (caddr_t)&ifr) != 0)
-//              fwarning("cannot set mtu for interface %s\n", ifname);
-//      close(s);
-//}
-
 // return -1 if the interface was not found; if the interface was found return 0 and fill in IP address and mask
 int net_get_if_addr(const char *bridge, uint32_t *ip, uint32_t *mask, uint8_t mac[6], int *mtu) {
         assert(bridge);
diff --git a/src/firejail/sbox.c b/src/firejail/sbox.c
index 11ea5b036..ce43b4832 100644
--- a/src/firejail/sbox.c
+++ b/src/firejail/sbox.c
@@ -26,6 +26,7 @@
 #include <sys/resource.h>
 #include <sys/wait.h>
 #include "../include/seccomp.h"
+#include "../include/gcov_wrapper.h"
 
 #include <fcntl.h>
 #ifndef O_PATH
@@ -238,6 +239,7 @@ static int __attribute__((noreturn)) sbox_do_exec_v(unsigned filtermask, char *
                         fprintf(stderr, "Error: %s is world writable, refusing to execute\n", arg[0]);
                         exit(1);
                 }
+                __gcov_dump();
                 fexecve(fd, arg, new_environment);
         } else {
                 assert(0);
diff --git a/src/firemon/firemon.c b/src/firemon/firemon.c
index 01167e555..d82f387ff 100644
--- a/src/firemon/firemon.c
+++ b/src/firemon/firemon.c
@@ -30,7 +30,6 @@ int arg_debug = 0;
 static int arg_route = 0;
 static int arg_arp = 0;
 static int arg_tree = 0;
-static int arg_interface = 0;
 static int arg_seccomp = 0;
 static int arg_caps = 0;
 static int arg_cpu = 0;
@@ -178,13 +177,6 @@ int main(int argc, char **argv) {
                         arg_seccomp = 1;
                 else if (strcmp(argv[i], "--caps") == 0)
                         arg_caps = 1;
-                else if (strcmp(argv[i], "--interface") == 0) {
-                        if (getuid() != 0) {
-                                fprintf(stderr, "Error: you need to be root to run this command\n");
-                                exit(1);
-                        }
-                        arg_interface = 1;
-                }
 #ifdef HAVE_NETWORK
                 else if (strcmp(argv[i], "--route") == 0)
                         arg_route = 1;
@@ -261,13 +253,12 @@ int main(int argc, char **argv) {
 
         // if --name requested without other options, print all data
         if (pid && !arg_cpu && !arg_seccomp && !arg_caps && !arg_apparmor &&
-            !arg_x11 && !arg_interface && !arg_route && !arg_arp) {
+            !arg_x11  && !arg_route && !arg_arp) {
                 arg_tree = 1;
                 arg_cpu = 1;
                 arg_seccomp = 1;
                 arg_caps = 1;
                 arg_x11 = 1;
-                arg_interface = 1;
                 arg_route = 1;
                 arg_arp = 1;
                 arg_apparmor = 1;
@@ -295,10 +286,6 @@ int main(int argc, char **argv) {
                 x11((pid_t) pid, print_procs);
                 print_procs = 0;
         }
-        if (arg_interface && getuid() == 0) {
-                interface((pid_t) pid, print_procs);
-                print_procs = 0;
-        }
         if (arg_route) {
                 route((pid_t) pid, print_procs);
                 print_procs = 0;
diff --git a/src/firemon/firemon.h b/src/firemon/firemon.h
index dae071e89..8b6e75fc3 100644
--- a/src/firemon/firemon.h
+++ b/src/firemon/firemon.h
@@ -57,9 +57,6 @@ void top(void) __attribute__((noreturn));
 // list.c
 void list(void);
 
-// interface.c
-void interface(pid_t pid, int print_procs);
-
 // arp.c
 void arp(pid_t pid, int print_procs);
 
diff --git a/src/firemon/interface.c b/src/firemon/interface.c
deleted file mode 100644
index a8e78133b..000000000
--- a/src/firemon/interface.c
+++ /dev/null
@@ -1,175 +0,0 @@
-/*
- * Copyright (C) 2014-2023 Firejail Authors
- *
- * This file is part of firejail project
- *
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License as published by
- * the Free Software Foundation; either version 2 of the License, or
- * (at your option) any later version.
- *
- * This program is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
- * GNU General Public License for more details.
- *
- * You should have received a copy of the GNU General Public License along
- * with this program; if not, write to the Free Software Foundation, Inc.,
- * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
-*/
-#include "firemon.h"
-#include "../include/gcov_wrapper.h"
-#include <sys/types.h>
-#include <sys/wait.h>
-#include <netdb.h>
-#include <arpa/inet.h>
-#include <ifaddrs.h>
-#include <net/if.h>
-#include <linux/connector.h>
-#include <linux/netlink.h>
-#include <linux/if_link.h>
-#include <linux/sockios.h>
-#include <sys/ioctl.h>
-
-//#include <net/route.h>
-//#include <linux/if_bridge.h>
-
-// print IP addresses for all interfaces
-static void net_ifprint(void) {
-        uint32_t ip;
-        uint32_t mask;
-        struct ifaddrs *ifaddr, *ifa;
-
-        int fd;
-        if ((fd = socket(AF_INET, SOCK_DGRAM, 0)) < 0) {
-                fprintf(stderr, "Error: cannot open AF_INET socket\n");
-                exit(1);
-        }
-
-        if (getifaddrs(&ifaddr) == -1)
-                errExit("getifaddrs");
-
-        // walk through the linked list
-        printf("  Link status:\n");
-        for (ifa = ifaddr; ifa != NULL; ifa = ifa->ifa_next) {
-                if (ifa->ifa_addr == NULL)
-                        continue;
-
-                if (ifa->ifa_addr->sa_family == AF_PACKET) {
-                        if (ifa->ifa_flags & IFF_RUNNING && ifa->ifa_flags & IFF_UP) {
-                                if (ifa->ifa_data != NULL) {
-                                        struct rtnl_link_stats *stats = ifa->ifa_data;
-
-                                        // extract mac address
-                                        struct ifreq ifr;
-                                        memset(&ifr, 0, sizeof(ifr));
-                                        strncpy(ifr.ifr_name,  ifa->ifa_name, IFNAMSIZ - 1);
-                                        int rv = ioctl (fd, SIOCGIFHWADDR, &ifr);
-
-                                        if (rv == 0)
-                                                printf("     %s UP, %02x:%02x:%02x:%02x:%02x:%02x\n",
-                                                        ifa->ifa_name, PRINT_MAC((unsigned char *) &ifr.ifr_hwaddr.sa_data));
-                                        else
-                                                printf("     %s UP\n", ifa->ifa_name);
-
-                                        printf("          tx/rx: %u/%u packets,  %u/%u bytes\n",
-                                                stats->tx_packets, stats->rx_packets,
-                                                stats->tx_bytes, stats->rx_bytes);
-                                }
-                        }
-                        else
-                                printf("     %s DOWN\n", ifa->ifa_name);
-                }
-        }
-
-
-        // walk through the linked list
-        printf("  IPv4 status:\n");
-        for (ifa = ifaddr; ifa != NULL; ifa = ifa->ifa_next) {
-                if (ifa->ifa_addr == NULL)
-                        continue;
-
-                if (ifa->ifa_addr->sa_family == AF_INET) {
-                        struct sockaddr_in *si = (struct sockaddr_in *) ifa->ifa_netmask;
-                        mask = ntohl(si->sin_addr.s_addr);
-                        si = (struct sockaddr_in *) ifa->ifa_addr;
-                        ip = ntohl(si->sin_addr.s_addr);
-
-                        char *status;
-                        if (ifa->ifa_flags & IFF_RUNNING && ifa->ifa_flags & IFF_UP)
-                                status = "UP";
-                        else
-                                status = "DOWN";
-
-                        printf("     %s %s, %d.%d.%d.%d/%u\n",
-                                ifa->ifa_name, status, PRINT_IP(ip), mask2bits(mask));
-                }
-        }
-
-
-        // walk through the linked list
-        printf("  IPv6 status:\n");
-        for (ifa = ifaddr; ifa != NULL; ifa = ifa->ifa_next) {
-                if (ifa->ifa_addr == NULL)
-                        continue;
-
-                if (ifa->ifa_addr->sa_family == AF_INET6) {
-                        char host[NI_MAXHOST];
-                        int s = getnameinfo(ifa->ifa_addr, sizeof(struct sockaddr_in6),
-                                host, NI_MAXHOST, NULL, 0, NI_NUMERICHOST);
-                        if (s == 0) {
-                                char *ptr;
-                                if ((ptr = strchr(host, '%')) != NULL)
-                                        *ptr = '\0';
-                                char *status;
-                                if (ifa->ifa_flags & IFF_RUNNING && ifa->ifa_flags & IFF_UP)
-                                        status = "UP";
-                                else
-                                        status = "DOWN";
-
-                                printf("     %s %s, %s\n", ifa->ifa_name, status, host);
-                        }
-                }
-        }
-
-        freeifaddrs(ifaddr);
-        close(fd);
-}
-
-static void print_sandbox(pid_t pid) {
-        pid_t child = fork();
-        if (child == -1)
-                return;
-
-        if (child == 0) {
-                int rv = join_namespace(pid, "net");
-                if (rv)
-                        return;
-                net_ifprint();
-
-                __gcov_flush();
-
-                _exit(0);
-        }
-
-        // wait for the child to finish
-        waitpid(child, NULL, 0);
-}
-
-void interface(pid_t pid, int print_procs) {
-        pid_read(pid); // a pid of 0 will include all processes
-
-        // print processes
-        int i;
-        for (i = 0; i < max_pids; i++) {
-                if (pids[i].level == 1) {
-                        if (print_procs || pid == 0)
-                                pid_print_list(i, arg_wrap);
-                        int child = find_child(i);
-                        if (child != -1) {
-                                print_sandbox(child);
-                        }
-                }
-        }
-        printf("\n");
-}
diff --git a/src/fnet/interface.c b/src/fnet/interface.c
index ca7c744ed..50e1beaa0 100644
--- a/src/fnet/interface.c
+++ b/src/fnet/interface.c
@@ -213,6 +213,23 @@ void net_ifprint(int scan) {
                         fmessage("%-17.17s%-19.19s%-17.17s%-17.17s%-6.6s\n",
                                 ifa->ifa_name, macstr, ipstr, maskstr, status);
 
+                        // print ipv6 address
+                        if (!scan) {
+                                struct ifaddrs *ptr = ifa->ifa_next;
+                                while (ptr) {
+                                        if (ptr->ifa_addr->sa_family == AF_INET6 && strcmp(ifa->ifa_name, ptr->ifa_name) == 0) {
+                                                struct sockaddr_in6 *s6 = (struct sockaddr_in6 *)ptr->ifa_addr;
+                                                struct in6_addr *in_addr = &s6->sin6_addr;
+                                                char buf[64];
+                                                if(inet_ntop(ptr->ifa_addr->sa_family, in_addr, buf, sizeof(buf))) {
+                                                        fmessage("%-35.35s %s\n", " ", buf);
+                                                        break;
+                                                }
+                                        }
+                                        ptr = ptr->ifa_next;
+                                }
+                        }
+
                         // network scanning
                         if (!scan)                              // scanning disabled
                                 continue;
diff --git a/src/man/firemon.txt b/src/man/firemon.txt
index 9d0785a4a..fb0cf1175 100644
--- a/src/man/firemon.txt
+++ b/src/man/firemon.txt
@@ -30,9 +30,6 @@ Print debug messages
 \fB\-?\fR, \fB\-\-help\fR
 Print options end exit.
 .TP
-\fB\-\-interface
-Print network interface information for each sandbox.
-.TP
 \fB\-\-list
 List all sandboxes.
 .TP
diff --git a/test/network/firemon-arp.exp b/test/network/firemon-arp.exp
new file mode 100755
index 000000000..87f0ddf4e
--- /dev/null
+++ b/test/network/firemon-arp.exp
@@ -0,0 +1,28 @@
+#!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2023 Firejail Authors
+# License GPL v2
+
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+
+send -- "firejail --name=test --net=br0 --ip=10.10.20.50\r"
+expect {
+        timeout {puts "TESTING ERROR 1\n";exit}
+        -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
+}
+sleep 2
+
+spawn $env(SHELL)
+send -- "firemon --arp\r"
+expect {
+        timeout {puts "TESTING ERROR 2\n";exit}
+        "firejail --name=test --net=br0 --ip=10.10.20.50"
+}
+expect {
+        timeout {puts "TESTING ERROR 3\n";exit}
+        "ARP Table:"
+}
+after 500
+puts "\nall done\n"
diff --git a/test/network/firemon-route.exp b/test/network/firemon-route.exp
new file mode 100755
index 000000000..2ca6f2fca
--- /dev/null
+++ b/test/network/firemon-route.exp
@@ -0,0 +1,40 @@
+#!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2023 Firejail Authors
+# License GPL v2
+
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+
+send -- "firejail --name=test --net=br0 --ip=10.10.20.50\r"
+expect {
+        timeout {puts "TESTING ERROR 1\n";exit}
+        -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
+}
+sleep 2
+
+spawn $env(SHELL)
+send -- "firemon --route\r"
+expect {
+        timeout {puts "TESTING ERROR 2\n";exit}
+        "firejail --name=test --net=br0 --ip=10.10.20.50"
+}
+expect {
+        timeout {puts "TESTING ERROR 3\n";exit}
+        "Route table:"
+}
+expect {
+        timeout {puts "TESTING ERROR 4\n";exit}
+        "0.0.0.0/0 via 10.10.20.1"
+}
+expect {
+        timeout {puts "TESTING ERROR 5\n";exit}
+        "10.10.20.0/24, dev eth0"
+}
+expect {
+        timeout {puts "TESTING ERROR 6\n";exit}
+        "src 10.10.20.50"
+}
+after 500
+puts "\nall done\n"
diff --git a/test/network/ip6_netfilter.exp b/test/network/ip6_netfilter.exp
new file mode 100755
index 000000000..6c478d9e7
--- /dev/null
+++ b/test/network/ip6_netfilter.exp
@@ -0,0 +1,31 @@
+#!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2023 Firejail Authors
+# License GPL v2
+
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+
+# check default netfilter on br0
+send -- "firejail --name=test --net=br0 --netfilter6=ip6_netfilter.profile\r"
+expect {
+        timeout {puts "TESTING ERROR 0\n";exit}
+        -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
+}
+sleep 2
+spawn $env(SHELL)
+
+# check default netfilter no new network
+send -- "firejail --netfilter6.print=test\r"
+expect {
+        timeout {puts "TESTING ERROR 1\n";exit}
+        "DROP"
+}
+expect {
+        timeout {puts "TESTING ERROR 2\n";exit}
+        "2001:db8:1f0a:3ec::2"
+}
+
+after 500
+puts "all done\n"
diff --git a/test/network/ip6_netfilter.profile b/test/network/ip6_netfilter.profile
new file mode 100644
index 000000000..cc8f22943
--- /dev/null
+++ b/test/network/ip6_netfilter.profile
@@ -0,0 +1,8 @@
+# Generated by ip6tables-save v1.4.14 on Wed Jan 13 10:53:40 2016
+*filter
+:INPUT ACCEPT [0:0]
+:FORWARD ACCEPT [0:0]
+:OUTPUT ACCEPT [0:0]
+-A INPUT -s 2001:db8:1f0a:3ec::2/128 -j DROP
+COMMIT
+# Completed on Wed Jan 13 10:53:40 2016
diff --git a/test/network/net_bandwidth.exp b/test/network/net_bandwidth.exp
new file mode 100755
index 000000000..0ec3b59ef
--- /dev/null
+++ b/test/network/net_bandwidth.exp
@@ -0,0 +1,51 @@
+#!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2023 Firejail Authors
+# License GPL v2
+
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+
+send -- "firejail --name=test --net=br0\r"
+expect {
+        timeout {puts "TESTING ERROR 1\n";exit}
+        -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
+}
+sleep 2
+
+spawn $env(SHELL)
+send -- "firejail --bandwidth=test set br0 10 20\r"
+expect {
+        timeout {puts "TESTING ERROR 2\n";exit}
+        "Download speed  80kbps"
+}
+expect {
+        timeout {puts "TESTING ERROR 3\n";exit}
+        "Upload speed  160kbps"
+}
+expect {
+        timeout {puts "TESTING ERROR 4\n";exit}
+        "configuring tc ingress"
+}
+expect {
+        timeout {puts "TESTING ERROR 5\n";exit}
+        "configuring tc egress"
+}
+after 500
+
+send -- "firejail --bandwidth=test status\r"
+expect {
+        timeout {puts "TESTING ERROR 6\n";exit}
+        "rate 160Kbit burst 10Kb"
+}
+after 500
+
+send -- "firejail --bandwidth=test clear br0\r"
+expect {
+        timeout {puts "TESTING ERROR 7\n";exit}
+        "Removing bandwidth limits"
+}
+sleep 1
+
+puts "\nall done\n"
diff --git a/test/network/net_ip.exp b/test/network/net_ip.exp
index 251b55362..0cccf93a0 100755
--- a/test/network/net_ip.exp
+++ b/test/network/net_ip.exp
@@ -130,4 +130,44 @@ expect {
 }
 
 after 500
+
+send -- "firejail --profile=net_ip.profile ip addr show\r"
+expect {
+        timeout {puts "TESTING ERROR 26\n";exit}
+        "eth0"
+}
+expect {
+        timeout {puts "TESTING ERROR 27\n";exit}
+        "00:11:22:33:44:55"
+}
+expect {
+        timeout {puts "TESTING ERROR 28\n";exit}
+        "10.10.20.55"
+}
+expect {
+        timeout {puts "TESTING ERROR 29\n";exit}
+        "Default gateway 10.10.20.9"
+}
+expect {
+        timeout {puts "TESTING ERROR 30\n";exit}
+        "00:11:22:33:44:55"
+}
+expect {
+        timeout {puts "TESTING ERROR 31\n";exit}
+        "10.10.20.55"
+}
+after 500
+
+send -- "firejail --profile=net_ip.profile ip route  show\r"
+expect {
+        timeout {puts "TESTING ERROR 32\n";exit}
+        "default via 10.10.20.9"
+}
+expect {
+        timeout {puts "TESTING ERROR 33\n";exit}
+        "10.10.20.0/24 dev eth0 proto kernel scope link src 10.10.20.55"
+}
+after 500
+
+
 puts "\nall done\n"
diff --git a/test/network/net_ip.profile b/test/network/net_ip.profile
new file mode 100644
index 000000000..72910d77e
--- /dev/null
+++ b/test/network/net_ip.profile
@@ -0,0 +1,6 @@
+net br0
+ip 10.10.20.55
+defaultgw 10.10.20.9
+mac 00:11:22:33:44:55
+mtu 1000
+
diff --git a/test/network/net_netfilter.exp b/test/network/net_netfilter.exp
index 56480251e..ac144e19d 100755
--- a/test/network/net_netfilter.exp
+++ b/test/network/net_netfilter.exp
@@ -20,7 +20,27 @@ spawn $env(SHELL)
 send -- "firejail --netfilter.print=test\r"
 expect {
         timeout {puts "TESTING ERROR 1\n";exit}
-        "ACCEPT     all  --  any    any     anywhere             anywhere             state RELATED,ESTABLISHED"
+        "ACCEPT"
+}
+expect {
+        timeout {puts "TESTING ERROR 1\n";exit}
+        "lo"
+}
+expect {
+        timeout {puts "TESTING ERROR 1\n";exit}
+        "ACCEPT"
+}
+expect {
+        timeout {puts "TESTING ERROR 1\n";exit}
+        "state RELATED,ESTABLISHED"
+}
+expect {
+        timeout {puts "TESTING ERROR 1\n";exit}
+        "ACCEPT"
+}
+expect {
+        timeout {puts "TESTING ERROR 1\n";exit}
+        "icmptype 8"
 }
 
 after 500
diff --git a/test/network/netstats.exp b/test/network/netstats.exp
new file mode 100755
index 000000000..0d1bc4c2c
--- /dev/null
+++ b/test/network/netstats.exp
@@ -0,0 +1,30 @@
+#!/usr/bin/expect -f
+# This file is part of Firejail project
+# Copyright (C) 2014-2023 Firejail Authors
+# License GPL v2
+
+set timeout 10
+spawn $env(SHELL)
+match_max 100000
+
+send -- "firejail --name=test --net=br0\r"
+expect {
+        timeout {puts "TESTING ERROR 1\n";exit}
+        -re "Child process initialized in \[0-9\]+.\[0-9\]+ ms"
+}
+sleep 2
+
+spawn $env(SHELL)
+send -- "firejail --netstats\r"
+expect {
+        timeout {puts "TESTING ERROR 2\n";exit}
+        "statistics only for sandboxes using a new network namespace"
+}
+sleep 4
+
+expect {
+        timeout {puts "TESTING ERROR 3\n";exit}
+        "firejail --name=test --net=br0"
+}
+after 500
+puts "\nall done\n"
diff --git a/test/network/network.sh b/test/network/network.sh
index 877f16156..e029722ba 100755
--- a/test/network/network.sh
+++ b/test/network/network.sh
@@ -33,8 +33,23 @@ echo "TESTING: print network (net-print.exp)"
 echo "TESTING: print dns (dns-print.exp)"
 ./dns-print.exp
 
+echo "TESTING: bandwidth (net_bandwidth.exp)"
+./net_bandwidth.exp
+
 echo "TESTING: ipv6 (ip6.exp)"
 ./ip6.exp
 
+echo "TESTING: ipv6 netfilter (ip6_netfilter.exp)"
+./ip6_netfilter.exp
+
+echo "TESTING: netstats (netstats.exp)"
+./netstats.exp
+
+echo "TESTING: firemon arp (firemon-arp.exp)"
+./firemon-arp.exp
+
+echo "TESTING: firemon route (firemon-route.exp)"
+./firemon-route.exp
+
 sudo ip link set br0 down
 sudo brctl delbr br0