From 261d08d394559a05d804a76e52183f6e26d871f5 Mon Sep 17 00:00:00 2001
From: netblue30
Date: Wed, 11 Jul 2018 06:42:59 -0400
Subject: tunneling support - tap interface in --net option
---
 README.md | 19 ++++++++++++++++++-
 RELNOTES | 1 +
 src/firejail/main.c | 2 +-
 src/man/firejail-profile.txt | 13 ++++++++++---
 src/man/firejail.txt | 14 ++++++++++++++
 5 files changed, 44 insertions(+), 5 deletions(-)
diff --git a/README.md b/README.md
index 616930e8a..b6e6fb89e 100644
--- a/README.md
+++ b/README.md
@@ -118,6 +118,17 @@ We also keep a list of profile fixes for previous released versions in [etc-fixe
 $ firejail --net=eth0 --ip=192.168.1.80 --dns=8.8.8.8 firefox
 $ firejail --net=wlan0 firefox
+ --net=tap_interface
+ Enable a new network namespace and connect it to this ethernet
+ tap interface using the standard Linux macvlan driver. If the
+ tap interface is not configured, the sandbox will not try to
+ configure the interface inside the sandbox. Please use --ip,
+ --netmask and --defaultgw to specify the configuration.
+
+ Example:
+ $ firejail --net=tap0 --ip=10.10.20.80 --netmask=255.255.255.0
+ --defaultgw=10.10.20.1 firefox
+
 --netmask=address
 Use this option when you want to assign an IP address in a new namespace and the parent interface specified by --net is not
@@ -131,7 +142,13 @@ We also keep a list of profile fixes for previous released versions in [etc-fixe
 $ firejail --ip=10.10.20.67 --netmask=255.255.255.0 --defaultgw=10.10.20.1
- --nou2f
+ --keep-dev-shm
+ /dev/shm directory is untouched (even with --private-dev)
+
+ Example:
+ $ firejail --keep-dev-shm --private-dev
+
+ --nou2f
 Disable U2F devices. Example:
diff --git a/RELNOTES b/RELNOTES
index e5c9b0fc1..7eb075e4c 100644
--- a/RELNOTES
+++ b/RELNOTES
@@ -2,6 +2,7 @@ firejail (0.9.55) baseline; urgency=low
 * work in progress
 * modif: removed CFG_CHROOT_DESKTOP configuration option
 * support wireless devices in --net option
+ * support tap devices in --net option (tunneling support)
 * allow IP address configuration if the parent interface specified by --net is not configured (--netmask)
 * disable U2F devices (--nou2f)
diff --git a/src/firejail/main.c b/src/firejail/main.c
index c57e5910a..ef8d8172f 100644
--- a/src/firejail/main.c
+++ b/src/firejail/main.c
@@ -264,7 +264,7 @@ static void check_network(Bridge *br) {
 assert(br);
 if (br->macvlan == 0) // for bridge devices check network range or arp-scan and assign address
 net_configure_sandbox_ip(br);
- else if (br->ipsandbox) { // for macvlan check network range
+ else if (br->ipsandbox && br->ip && br->mask) { // for macvlan check network range
 char *rv = in_netrange(br->ipsandbox, br->ip, br->mask);
 if (rv) {
 fprintf(stderr, "%s", rv);
diff --git a/src/man/firejail-profile.txt b/src/man/firejail-profile.txt
index 767cf89f4..e29cf4f4b 100644
--- a/src/man/firejail-profile.txt
+++ b/src/man/firejail-profile.txt
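Review bot: With the new guard on the `else if` line, check_network() no longer calls in_netrange() at all when the parent interface reports no address or mask, so an --ip given for an unconfigured tap device passes through this function with no range validation; the --netmask that the README and man-page hunks say must accompany it is not consulted here, so any check against it has to live elsewhere (the function starts and continues outside the hunk, so I cannot confirm that from the diff). Skipping the check is presumably the intent for a bare tap device, but the trailing comment still reads as if the range is always verified; suggest `// for macvlan: check network range, but only if the parent interface is configured (a bare tap device has no ip/mask)`. If --netmask is meant to stand in for the missing parent mask, consider feeding it to in_netrange() rather than bypassing the check.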
@@ -589,16 +589,23 @@ configured as default gateway is the bridge device IP address. Up to four \-\-ne
 bridge devices can be defined. Mixing bridge and macvlan devices is allowed.
 .TP
-\fBnet ethernet_interface
+\fBnet ethernet_interface|wireless_interface
 Enable a new network namespace and connect it
-to this ethernet interface using the standard Linux macvlan
+to this ethernet interface using the standard Linux macvlan or ipvlan
 driver. Unless specified with option \-\-ip and \-\-defaultgw, an IP address and a default gateway will be assigned automatically to the sandbox. The IP address is verified using ARP before assignment. The address configured as default gateway is the default gateway of the host. Up to four \-\-net devices can be defined. Mixing bridge and macvlan devices is allowed.
-Note: wlan devices are not supported for this option.
+
+.TP
+\fBnet tap_interface
+Enable a new network namespace and connect it
+to this ethernet tap interface using the standard Linux macvlan
+driver. If the tap interface is not configured, the sandbox
+will not try to configure the interface inside the sandbox.
+Please use ip, netmask and defaultgw to specify the configuration.
 .TP
 \fBnet none
diff --git a/src/man/firejail.txt b/src/man/firejail.txt
index 74a9a9da9..f29d9cddf 100644
--- a/src/man/firejail.txt
+++ b/src/man/firejail.txt
@@ -815,6 +815,20 @@ $ firejail \-\-net=eth0 \-\-ip=192.168.1.80 \-\-dns=8.8.8.8 firefox
 .br
 $ firejail \-\-net=wlan0 firefox
+.TP
+\fB\-\-net=tap_interface
+Enable a new network namespace and connect it
+to this ethernet tap interface using the standard Linux macvlan
+driver. If the tap interface is not configured, the sandbox
+will not try to configure the interface inside the sandbox.
+Please use \-\-ip, \-\-netmask and \-\-defaultgw to specify the configuration.
+.br
+
+.br Example:
+.br
+$ firejail \-\-net=tap0 \-\-ip=10.10.20.80 \-\-netmask=255.255.255.0 \-\-defaultgw=10.10.20.1 firefox
+
 .TP
 \fB\-\-net=none
 Enable a new, unconnected network namespace. The only interface
-- cgit v1.2.3-54-g00ecf