1 files changed, 179 insertions, 23 deletions
diff --git a/src/man/firejail-profile.txt b/src/man/firejail-profile.txt
index 9045c1122..fa522c154 100644
--- a/src/man/firejail-profile.txt
+++ b/src/man/firejail-profile.txt
@@ -44,7 +44,7 @@ To disable default profile loading, use --noprofile command option. Example:
 .RS
 $ firejail
 .br
-Reading profile /etc/firejail/generic.profile
+Reading profile /etc/firejail/default.profile
 .br
 Parent pid 8553, child pid 8554
 .br
@@ -93,11 +93,17 @@ If the file name matches file_name, the file will not be blacklisted in any blac
 Example: "noblacklist ${HOME}/.mozilla"
 .TP
-\fBignore command
+\fBignore
 Ignore command.
 Example: "ignore seccomp"
+.TP
+\fBquiet
+Disable Firejail's output. This should be the first uncommented command in the profile file.
+Example: "quiet"
 .SH Filesystem
 These profile entries define a chroot filesystem built on top of the existing
 host filesystem. Each line describes a file element that is removed from
@@ -122,11 +128,16 @@ blacklist ${PATH}/ifconfig
 blacklist ${HOME}/.ssh
 .TP
-\fBread-only file_or_directory
+\fBblacklist-nolog file_or_directory
-Make directory or file read-only.
+When --tracelog flag is set, blacklisting generates syslog messages if the sandbox tries to access the file or directory.
-.TP
+blacklist-nolog command disables syslog messages for this particular file or directory. Examples:
-\fBtmpfs directory
+.br
-Mount an empty tmpfs filesystem on top of directory. This option is available only when running the sandbox as root.
+.br
+blacklist-nolog /usr/bin
+.br
+blacklist-nolog /usr/bin/gcc*
 .TP
 \fBbind directory1,directory2
 Mount-bind directory1 on top of directory2. This option is only available when running as root.
@@ -135,8 +146,14 @@ Mount-bind directory1 on top of directory2. This option is only available when r
 Mount-bind file1 on top of file2. This option is only available when running as root.
 .TP
 \fBmkdir directory
-Create a directory in user home. Use this command for whitelisted directories you need to preserve
+Create a directory in user home before the sandbox is started.
-when the sandbox is closed. Subdirectories also need to be created using mkdir. Example from
+The directory is created if it doesn't already exist.
+.br
+.br
+Use this command for whitelisted directories you need to preserve
+when the sandbox is closed. Without it, the application will create the directory, and the directory
+will be deleted when the sandbox is closed. Subdirectories are recursively created. Example from
 firefox profile:
 .br
@@ -145,14 +162,17 @@ mkdir ~/.mozilla
 .br
 whitelist ~/.mozilla
 .br
-mkdir ~/.cache
-.br
-mkdir ~/.cache/mozilla
-.br
 mkdir ~/.cache/mozilla/firefox
 .br
 whitelist ~/.cache/mozilla/firefox
 .TP
+\fBmkfile file
+Similar to mkdir, this command creates a file in user home before the sandbox is started.
+The file is created if it doesn't already exist, but it's target directory has to exist.
+.TP
+\fBnoexec file_or_directory
+Remount the file or the directory noexec, nodev and nosuid.
+.TP
 \fBprivate
 Mount new /root and /home/user directories in temporary
 filesystems. All modifications are discarded when the sandbox is
@@ -161,6 +181,12 @@ closed.
 \fBprivate directory
 Use directory as user home.
 .TP
+\fBprivate-home file,directory
+Build a new user home in a temporary
+filesystem, and copy the files and directories in the list in the
+new home. All modifications are discarded when the sandbox is
+closed.
+.TP
 \fBprivate-bin file,file
 Build a new /bin in a temporary filesystem, and copy the programs in the list.
 The same directory is also bind-mounted over /sbin, /usr/bin and /usr/sbin.
@@ -173,20 +199,54 @@ Build a new /etc in a temporary
 filesystem, and copy the files and directories in the list.
 All modifications are discarded when the sandbox is closed.
 .TP
+\fBprivate-opt file,directory
+Build a new /optin a temporary
+filesystem, and copy the files and directories in the list.
+All modifications are discarded when the sandbox is closed.
+.TP
+\fBprivate-srv file,directory
+Build a new /srv in a temporary
+filesystem, and copy the files and directories in the list.
+All modifications are discarded when the sandbox is closed.
+.TP
 \fBprivate-tmp
-Mount an empty temporary filesystem on top of /tmp directory.
+Mount an empty temporary filesystem on top of /tmp directory whitelisting /tmp/.X11-unix.
 .TP
-\fBwhitelist file_or_directory
+\fBread-only file_or_directory
-Build a new user home in a temporary filesystem, and mount-bind file_or_directory.
+Make directory or file read-only.
-The modifications to file_or_directory are persistent, everything else is discarded
+.TP
-when the sandbox is closed.
+\fBread-write file_or_directory
+Make directory or file read-write.
+.TP
+\fBtmpfs directory
+Mount an empty tmpfs filesystem on top of directory. This option is available only when running the sandbox as root.
 .TP
 \fBtracelog
 Blacklist violations logged to syslog.
+.TP
+\fBwhitelist file_or_directory
+Whitelist directory or file. A temporary file system is mounted on the top directory, and the
+whitelisted files are mount-binded inside. Modifications to whitelisted files are persistent,
+everything else is discarded when the sandbox is closed. The top directory could be 
+user home, /dev, /media, /mnt, /opt, /srv, /var, and /tmp.
+.br
+.br
+Symbolic link handling: with the exception of user home, both the link and the real file should be in
+the same top directory. For user home, both the link and the real file should be owned by the user.
+.TP
+\fBwritable-etc
+Mount /etc directory read-write.
+.TP
+\fBwritable-var
+Mount /var directory read-write.
 .SH Security filters
 The following security filters are currently implemented:
 .TP
+\fBapparmor
+Enable AppArmor confinement.
+.TP
 \fBcaps
 Enable default Linux capabilities filter.
 .TP
@@ -205,10 +265,7 @@ first argument to socket system call. Recognized values: \fBunix\fR,
 \fBinet\fR, \fBinet6\fR, \fBnetlink\fR and \fBpacket\fR.
 .TP
 \fBseccomp
-Enable default seccomp filter.  The default list is as follows:
+Enable seccomp filter and blacklist the syscalls in the default list. See man 1 firejail for more details.
-mount, umount2, ptrace, kexec_load, open_by_handle_at, init_module, finit_module, delete_module,
-iopl, ioperm, swapon, swapoff, syslog, process_vm_readv and process_vm_writev,
-sysfs,_sysctl, adjtimex, clock_adjtime, lookup_dcookie, perf_event_open, fanotify_init and kcmp.
 .TP
 \fBseccomp syscall,syscall,syscall
 Enable seccomp filter and blacklist the system calls in the list on top of default seccomp filter.
@@ -219,9 +276,32 @@ Enable seccomp filter and blacklist  the system calls in the list.
 \fBseccomp.keep syscall,syscall,syscall
 Enable seccomp filter and whitelist the system calls in the list.
 .TP
+\fBnonewprivs
+Sets the NO_NEW_PRIVS prctl.  This ensures that child processes
+cannot acquire new privileges using execve(2);  in particular,
+this means that calling a suid binary (or one with file capabilities)
+does not result in an increase of privilege.
+.TP
 \fBnoroot
 Use this command  to enable an user namespace. The namespace has only one user, the current user.
 There is no root account (uid 0) defined in the namespace.
+.TP
+\fBx11
+Enable X11 sandboxing.
+.TP
+\fBx11 none
+Blacklist /tmp/.X11-unix directory, ${HOME}/.Xauthority and file specified in ${XAUTHORITY} environment variable.
+Remove DISPLAY and XAUTHORITY environment variables.
+Stop with error message if X11 abstract socket will be accessible in jail.
+.TP
+\fBx11 xephyr
+Enable X11 sandboxing with xephyr.
+.TP
+\fBx11 xorg
+Enable X11 sandboxing with X11 security extension.
+.TP
+\fBx11 xpra
+Enable X11 sandboxing with xpra.
 .SH Resource limits, CPU affinity, Control Groups
 These profile entries define the limits on system resources (rlimits) for the processes inside the sandbox.
@@ -255,6 +335,10 @@ The sandbox is placed in g1 control group.
 .SH User Environment
 .TP
+\fBallusers
+All user home directories are visible inside the sandbox. By default, only current user home directory is visible.
+.TP
 \fBname sandboxname
 Set sandbox name. Example:
 .br
@@ -284,9 +368,18 @@ Enable IPC namespace.
 .TP
 \fBnosound
 Disable sound system.
+.TP
+\fBno3d
+Disable 3D hardware acceleration.
 .SH Networking
 Networking features available in profile files.
+.TP
+\fBdefaultgw address
+Use this address as default gateway in the new network namespace.
+.TP
 \fBdns address
 Set a DNS server for the sandbox. Up to three DNS servers can be defined.
@@ -295,6 +388,45 @@ Set a DNS server for the sandbox. Up to three DNS servers can be defined.
 Set a hostname for the sandbox.
 .TP
+\fBip address
+Assign IP addresses to the last network interface defined by a net command. A
+default gateway is assigned by default.
+.br
+.br
+Example:
+.br
+net eth0
+.br
+ip 10.10.20.56
+.TP
+\fBip none
+No IP address and no default gateway are configured for the last interface
+defined by a net command. Use this option
+in case you intend to start an external DHCP client in the sandbox.
+.br
+.br
+Example:
+.br
+net eth0
+.br
+ip none
+.TP
+\fBip6 address
+Assign IPv6 addresses to the last network interface defined by a net command.
+.br
+.br
+Example:
+.br
+net eth0
+.br
+ip6 2001:0db8:0:f101::1/64
+.TP
 \fBiprange address,address
 Assign  an  IP address in the provided range to the last network
 interface defined by  a  net command.  A  default  gateway  is assigned by default.
@@ -311,6 +443,20 @@ iprange 192.168.1.150,192.168.1.160
 .br
 .TP
+\fBmac address
+Assign MAC addresses to the last network interface defined by a net command.
+.TP
+\fBmachine-id
+Preserve id number in /etc/machine-id file. By default a new random id is generated inside the sandbox.
+.TP
+\fBmtu number
+Assign a MTU value to the last network interface defined by a net command.
+.TP
 \fBnetfilter
 If a new network namespace is created, enabled default network filter.
@@ -345,6 +491,17 @@ available in the new namespace is a new loopback interface (lo).
 Use this option to deny network access to programs that don't
 really need network access.
+.TP
+\fBveth-name name
+Use this name for the interface connected to the bridge for --net=bridge_interface commands, 
+instead of the default one.
+.SH Other
+.TP
+\fBjoin-or-start sandboxname
+Join the sandbox identified by name or start a new one.
+Same as "firejail --join=sandboxname" command if sandbox with specified name exists, otherwise same as "name sandboxname".
 .SH RELOCATING PROFILES
 For various reasons some users might want to keep the profile files in a different directory.
 Using \fB--profile-path\fR command line option, Firejail can be instructed to look for profiles
@@ -388,7 +545,6 @@ Homepage: http://firejail.wordpress.com
 \&\flfiremon\fR\|(1),
 \&\flfirecfg\fR\|(1),
 \&\flfirejail-login\fR\|(5)
-\&\flfirejail-config\fR\|(5)

diff --git a/src/man/firejail-profile.txt b/src/man/firejail-profile.txt index 9045c1122..fa522c154 100644 --- a/src/man/firejail-profile.txt +++ b/src/man/firejail-profile.txt
@@ -44,7 +44,7 @@ To disable default profile loading, use --noprofile command option. Example:
44	.RS	44	.RS
45	$ firejail	45	$ firejail
46	.br	46	.br
47	Reading profile /etc/firejail/generic.profile	47	Reading profile /etc/firejail/default.profile
48	.br	48	.br
49	Parent pid 8553, child pid 8554	49	Parent pid 8553, child pid 8554
50	.br	50	.br
@@ -93,11 +93,17 @@ If the file name matches file_name, the file will not be blacklisted in any blac
93	Example: "noblacklist ${HOME}/.mozilla"	93	Example: "noblacklist ${HOME}/.mozilla"
94		94
95	.TP	95	.TP
96	\fBignore command	96	\fBignore
97	Ignore command.	97	Ignore command.
98		98
99	Example: "ignore seccomp"	99	Example: "ignore seccomp"
100		100
		101	.TP
		102	\fBquiet
		103	Disable Firejail's output. This should be the first uncommented command in the profile file.
		104
		105	Example: "quiet"
		106
101	.SH Filesystem	107	.SH Filesystem
102	These profile entries define a chroot filesystem built on top of the existing	108	These profile entries define a chroot filesystem built on top of the existing
103	host filesystem. Each line describes a file element that is removed from	109	host filesystem. Each line describes a file element that is removed from
@@ -122,11 +128,16 @@ blacklist ${PATH}/ifconfig
122	blacklist ${HOME}/.ssh	128	blacklist ${HOME}/.ssh
123		129
124	.TP	130	.TP
125	\fBread-only file_or_directory	131	\fBblacklist-nolog file_or_directory
126	Make directory or file read-only.	132	When --tracelog flag is set, blacklisting generates syslog messages if the sandbox tries to access the file or directory.
127	.TP	133	blacklist-nolog command disables syslog messages for this particular file or directory. Examples:
128	\fBtmpfs directory	134	.br
129	Mount an empty tmpfs filesystem on top of directory. This option is available only when running the sandbox as root.	135
		136	.br
		137	blacklist-nolog /usr/bin
		138	.br
		139	blacklist-nolog /usr/bin/gcc*
		140
130	.TP	141	.TP
131	\fBbind directory1,directory2	142	\fBbind directory1,directory2
132	Mount-bind directory1 on top of directory2. This option is only available when running as root.	143	Mount-bind directory1 on top of directory2. This option is only available when running as root.
@@ -135,8 +146,14 @@ Mount-bind directory1 on top of directory2. This option is only available when r
135	Mount-bind file1 on top of file2. This option is only available when running as root.	146	Mount-bind file1 on top of file2. This option is only available when running as root.
136	.TP	147	.TP
137	\fBmkdir directory	148	\fBmkdir directory
138	Create a directory in user home. Use this command for whitelisted directories you need to preserve	149	Create a directory in user home before the sandbox is started.
139	when the sandbox is closed. Subdirectories also need to be created using mkdir. Example from	150	The directory is created if it doesn't already exist.
		151	.br
		152
		153	.br
		154	Use this command for whitelisted directories you need to preserve
		155	when the sandbox is closed. Without it, the application will create the directory, and the directory
		156	will be deleted when the sandbox is closed. Subdirectories are recursively created. Example from
140	firefox profile:	157	firefox profile:
141	.br	158	.br
142		159
@@ -145,14 +162,17 @@ mkdir ~/.mozilla
145	.br	162	.br
146	whitelist ~/.mozilla	163	whitelist ~/.mozilla
147	.br	164	.br
148	mkdir ~/.cache
149	.br
150	mkdir ~/.cache/mozilla
151	.br
152	mkdir ~/.cache/mozilla/firefox	165	mkdir ~/.cache/mozilla/firefox
153	.br	166	.br
154	whitelist ~/.cache/mozilla/firefox	167	whitelist ~/.cache/mozilla/firefox
155	.TP	168	.TP
		169	\fBmkfile file
		170	Similar to mkdir, this command creates a file in user home before the sandbox is started.
		171	The file is created if it doesn't already exist, but it's target directory has to exist.
		172	.TP
		173	\fBnoexec file_or_directory
		174	Remount the file or the directory noexec, nodev and nosuid.
		175	.TP
156	\fBprivate	176	\fBprivate
157	Mount new /root and /home/user directories in temporary	177	Mount new /root and /home/user directories in temporary
158	filesystems. All modifications are discarded when the sandbox is	178	filesystems. All modifications are discarded when the sandbox is
@@ -161,6 +181,12 @@ closed.
161	\fBprivate directory	181	\fBprivate directory
162	Use directory as user home.	182	Use directory as user home.
163	.TP	183	.TP
		184	\fBprivate-home file,directory
		185	Build a new user home in a temporary
		186	filesystem, and copy the files and directories in the list in the
		187	new home. All modifications are discarded when the sandbox is
		188	closed.
		189	.TP
164	\fBprivate-bin file,file	190	\fBprivate-bin file,file
165	Build a new /bin in a temporary filesystem, and copy the programs in the list.	191	Build a new /bin in a temporary filesystem, and copy the programs in the list.
166	The same directory is also bind-mounted over /sbin, /usr/bin and /usr/sbin.	192	The same directory is also bind-mounted over /sbin, /usr/bin and /usr/sbin.
@@ -173,20 +199,54 @@ Build a new /etc in a temporary
173	filesystem, and copy the files and directories in the list.	199	filesystem, and copy the files and directories in the list.
174	All modifications are discarded when the sandbox is closed.	200	All modifications are discarded when the sandbox is closed.
175	.TP	201	.TP
		202	\fBprivate-opt file,directory
		203	Build a new /optin a temporary
		204	filesystem, and copy the files and directories in the list.
		205	All modifications are discarded when the sandbox is closed.
		206	.TP
		207	\fBprivate-srv file,directory
		208	Build a new /srv in a temporary
		209	filesystem, and copy the files and directories in the list.
		210	All modifications are discarded when the sandbox is closed.
		211	.TP
176	\fBprivate-tmp	212	\fBprivate-tmp
177	Mount an empty temporary filesystem on top of /tmp directory.	213	Mount an empty temporary filesystem on top of /tmp directory whitelisting /tmp/.X11-unix.
178	.TP	214	.TP
179	\fBwhitelist file_or_directory	215	\fBread-only file_or_directory
180	Build a new user home in a temporary filesystem, and mount-bind file_or_directory.	216	Make directory or file read-only.
181	The modifications to file_or_directory are persistent, everything else is discarded	217	.TP
182	when the sandbox is closed.	218	\fBread-write file_or_directory
		219	Make directory or file read-write.
		220	.TP
		221	\fBtmpfs directory
		222	Mount an empty tmpfs filesystem on top of directory. This option is available only when running the sandbox as root.
183	.TP	223	.TP
184	\fBtracelog	224	\fBtracelog
185	Blacklist violations logged to syslog.	225	Blacklist violations logged to syslog.
		226	.TP
		227	\fBwhitelist file_or_directory
		228	Whitelist directory or file. A temporary file system is mounted on the top directory, and the
		229	whitelisted files are mount-binded inside. Modifications to whitelisted files are persistent,
		230	everything else is discarded when the sandbox is closed. The top directory could be
		231	user home, /dev, /media, /mnt, /opt, /srv, /var, and /tmp.
		232	.br
		233
		234	.br
		235	Symbolic link handling: with the exception of user home, both the link and the real file should be in
		236	the same top directory. For user home, both the link and the real file should be owned by the user.
		237	.TP
		238	\fBwritable-etc
		239	Mount /etc directory read-write.
		240	.TP
		241	\fBwritable-var
		242	Mount /var directory read-write.
186	.SH Security filters	243	.SH Security filters
187	The following security filters are currently implemented:	244	The following security filters are currently implemented:
188		245
189	.TP	246	.TP
		247	\fBapparmor
		248	Enable AppArmor confinement.
		249	.TP
190	\fBcaps	250	\fBcaps
191	Enable default Linux capabilities filter.	251	Enable default Linux capabilities filter.
192	.TP	252	.TP
@@ -205,10 +265,7 @@ first argument to socket system call. Recognized values: \fBunix\fR,
205	\fBinet\fR, \fBinet6\fR, \fBnetlink\fR and \fBpacket\fR.	265	\fBinet\fR, \fBinet6\fR, \fBnetlink\fR and \fBpacket\fR.
206	.TP	266	.TP
207	\fBseccomp	267	\fBseccomp
208	Enable default seccomp filter. The default list is as follows:	268	Enable seccomp filter and blacklist the syscalls in the default list. See man 1 firejail for more details.
209	mount, umount2, ptrace, kexec_load, open_by_handle_at, init_module, finit_module, delete_module,
210	iopl, ioperm, swapon, swapoff, syslog, process_vm_readv and process_vm_writev,
211	sysfs,_sysctl, adjtimex, clock_adjtime, lookup_dcookie, perf_event_open, fanotify_init and kcmp.
212	.TP	269	.TP
213	\fBseccomp syscall,syscall,syscall	270	\fBseccomp syscall,syscall,syscall
214	Enable seccomp filter and blacklist the system calls in the list on top of default seccomp filter.	271	Enable seccomp filter and blacklist the system calls in the list on top of default seccomp filter.
@@ -219,9 +276,32 @@ Enable seccomp filter and blacklist the system calls in the list.
219	\fBseccomp.keep syscall,syscall,syscall	276	\fBseccomp.keep syscall,syscall,syscall
220	Enable seccomp filter and whitelist the system calls in the list.	277	Enable seccomp filter and whitelist the system calls in the list.
221	.TP	278	.TP
		279	\fBnonewprivs
		280	Sets the NO_NEW_PRIVS prctl. This ensures that child processes
		281	cannot acquire new privileges using execve(2); in particular,
		282	this means that calling a suid binary (or one with file capabilities)
		283	does not result in an increase of privilege.
		284	.TP
222	\fBnoroot	285	\fBnoroot
223	Use this command to enable an user namespace. The namespace has only one user, the current user.	286	Use this command to enable an user namespace. The namespace has only one user, the current user.
224	There is no root account (uid 0) defined in the namespace.	287	There is no root account (uid 0) defined in the namespace.
		288	.TP
		289	\fBx11
		290	Enable X11 sandboxing.
		291	.TP
		292	\fBx11 none
		293	Blacklist /tmp/.X11-unix directory, ${HOME}/.Xauthority and file specified in ${XAUTHORITY} environment variable.
		294	Remove DISPLAY and XAUTHORITY environment variables.
		295	Stop with error message if X11 abstract socket will be accessible in jail.
		296	.TP
		297	\fBx11 xephyr
		298	Enable X11 sandboxing with xephyr.
		299	.TP
		300	\fBx11 xorg
		301	Enable X11 sandboxing with X11 security extension.
		302	.TP
		303	\fBx11 xpra
		304	Enable X11 sandboxing with xpra.
225		305
226	.SH Resource limits, CPU affinity, Control Groups	306	.SH Resource limits, CPU affinity, Control Groups
227	These profile entries define the limits on system resources (rlimits) for the processes inside the sandbox.	307	These profile entries define the limits on system resources (rlimits) for the processes inside the sandbox.
@@ -255,6 +335,10 @@ The sandbox is placed in g1 control group.
255		335
256	.SH User Environment	336	.SH User Environment
257	.TP	337	.TP
		338	\fBallusers
		339	All user home directories are visible inside the sandbox. By default, only current user home directory is visible.
		340
		341	.TP
258	\fBname sandboxname	342	\fBname sandboxname
259	Set sandbox name. Example:	343	Set sandbox name. Example:
260	.br	344	.br
@@ -284,9 +368,18 @@ Enable IPC namespace.
284	.TP	368	.TP
285	\fBnosound	369	\fBnosound
286	Disable sound system.	370	Disable sound system.
		371	.TP
		372	\fBno3d
		373	Disable 3D hardware acceleration.
		374
287	.SH Networking	375	.SH Networking
288	Networking features available in profile files.	376	Networking features available in profile files.
289		377
		378	.TP
		379	\fBdefaultgw address
		380	Use this address as default gateway in the new network namespace.
		381
		382	.TP
290	\fBdns address	383	\fBdns address
291	Set a DNS server for the sandbox. Up to three DNS servers can be defined.	384	Set a DNS server for the sandbox. Up to three DNS servers can be defined.
292		385
@@ -295,6 +388,45 @@ Set a DNS server for the sandbox. Up to three DNS servers can be defined.
295	Set a hostname for the sandbox.	388	Set a hostname for the sandbox.
296		389
297	.TP	390	.TP
		391	\fBip address
		392	Assign IP addresses to the last network interface defined by a net command. A
		393	default gateway is assigned by default.
		394	.br
		395
		396	.br
		397	Example:
		398	.br
		399	net eth0
		400	.br
		401	ip 10.10.20.56
		402
		403	.TP
		404	\fBip none
		405	No IP address and no default gateway are configured for the last interface
		406	defined by a net command. Use this option
		407	in case you intend to start an external DHCP client in the sandbox.
		408	.br
		409
		410	.br
		411	Example:
		412	.br
		413	net eth0
		414	.br
		415	ip none
		416
		417	.TP
		418	\fBip6 address
		419	Assign IPv6 addresses to the last network interface defined by a net command.
		420	.br
		421
		422	.br
		423	Example:
		424	.br
		425	net eth0
		426	.br
		427	ip6 2001:0db8:0:f101::1/64
		428
		429	.TP
298	\fBiprange address,address	430	\fBiprange address,address
299	Assign an IP address in the provided range to the last network	431	Assign an IP address in the provided range to the last network
300	interface defined by a net command. A default gateway is assigned by default.	432	interface defined by a net command. A default gateway is assigned by default.
@@ -311,6 +443,20 @@ iprange 192.168.1.150,192.168.1.160
311	.br	443	.br
312		444
313	.TP	445	.TP
		446	\fBmac address
		447	Assign MAC addresses to the last network interface defined by a net command.
		448
		449	.TP
		450	\fBmachine-id
		451	Preserve id number in /etc/machine-id file. By default a new random id is generated inside the sandbox.
		452
		453	.TP
		454	\fBmtu number
		455	Assign a MTU value to the last network interface defined by a net command.
		456
		457
		458
		459	.TP
314	\fBnetfilter	460	\fBnetfilter
315	If a new network namespace is created, enabled default network filter.	461	If a new network namespace is created, enabled default network filter.
316		462
@@ -345,6 +491,17 @@ available in the new namespace is a new loopback interface (lo).
345	Use this option to deny network access to programs that don't	491	Use this option to deny network access to programs that don't
346	really need network access.	492	really need network access.
347		493
		494	.TP
		495	\fBveth-name name
		496	Use this name for the interface connected to the bridge for --net=bridge_interface commands,
		497	instead of the default one.
		498
		499	.SH Other
		500	.TP
		501	\fBjoin-or-start sandboxname
		502	Join the sandbox identified by name or start a new one.
		503	Same as "firejail --join=sandboxname" command if sandbox with specified name exists, otherwise same as "name sandboxname".
		504
348	.SH RELOCATING PROFILES	505	.SH RELOCATING PROFILES
349	For various reasons some users might want to keep the profile files in a different directory.	506	For various reasons some users might want to keep the profile files in a different directory.
350	Using \fB--profile-path\fR command line option, Firejail can be instructed to look for profiles	507	Using \fB--profile-path\fR command line option, Firejail can be instructed to look for profiles
@@ -388,7 +545,6 @@ Homepage: http://firejail.wordpress.com
388	\&\flfiremon\fR\\|(1),	545	\&\flfiremon\fR\\|(1),
389	\&\flfirecfg\fR\\|(1),	546	\&\flfirecfg\fR\\|(1),
390	\&\flfirejail-login\fR\\|(5)	547	\&\flfirejail-login\fR\\|(5)
391	\&\flfirejail-config\fR\\|(5)
392		548
393		549
394		550