RTNETLINK error using "--net" option

[zolfone]

Hi,
I have two NICs and I'd like to sandbox firefox in a dedicated network interface, but if I try with firejail --net=eth1 firefox I get this error (this is run with --debug option):
https://pastebin.com/Xa9RNJE6
As mentioned here #1844 by @atlaua maybe I need a L2 eth interface, but I can't find any information on the manpage nor I am sure if my nic is of such family (how can I find out?).
My goal is to have a main NIC (eth0) with an active OpenVPN connection, and run firefox/other applications on eth1 outside the VPN.
During all of my tests the VPN was down so it can't be the cause of my problem.
I'm on firejail version 0.9.54, self-compiled on Gentoo, I first tried with the only stable version supported 0.9.50 and it failed too.
Maybe I'm missing a kernel module? Is there a list of (if) needed modules?

Thanks

[zolfone]

@netblue30, any insight on this problem? thanks

[netblue30]

I still have no idea what's going on. We added support for tap interfaces in --net command line option in the version here on github, still under heavy testing. You would need to configure OpenVPN in tap bridge mode, and you pass the tap device to --net. So far I couldn't firejail running on a OpenVPN tap device, that's kind of where I am now.

There is another similar discussion going on here: #2032

[chiraag-nataraj]

I'm getting the same issue when I try using --net=wlp60s0 (my wireless interface). No idea if this is related at all to this issue, but I'm getting the exact same message.

[zolfone]

@netblue30, thanks for the reply but as I stated in my first post there's no vpn connection involved whatsoever at the moment, just two plain simple ethernet interfaces. I'm trying to use one of them inside a sandbox but I get that error message with both of them. One NIC is PCI (SysKonnect SK-9871, kernel module "skge"), the other one is integrated (Broadcom Limited NetXtreme BCM5754, kernel module "tg3").
I'm trying to be as much verbose as possible, if I'm not posting some useful information please let me know and I'll post them.
I still can't find any information on L2 NICs though.

[chiraag-nataraj]

Hmm, my error was fixed at some point.

[intika]

@netblue30 duplicate of #2387 i guess both issues should be closed

...

Had a similar issue, this can be caused by a kernel update without reboot or a lack of needed kernel modules, to fix it either use a classic (main distribution) kernel or add the missing modules to your kernel

Also this Error ioctl: interface.c:98 net_if_up: No such device is typically raising because of missing module CONFIG_IPVLAN and or CONFIG_IPV6 technically --net parameter require only ipvlan but ipvlan have a "false" dependency on ipv6 there is kernel patch to fix that here or here if you still want to keep ipv6 disabled while getting firejail network feature working otherwise just add ipv6 along with ipvlan

Alternatively ifup lo command can give more details on error/missing module that could affect "firejail --net"

Here are the required kernel modules for firejail networking features: (this is an exhaustive list to get everything working you should be good with just ipvlan)

CONFIG_IPVLAN=m
CONFIG_IPVTAP=m
CONFIG_VXLAN=m
CONFIG_NET_VRF=m
CONFIG_NF_TABLES=m
CONFIG_NF_TABLES_NETDEV=m
CONFIG_NFT_RT=m
CONFIG_NFT_MASQ=m
CONFIG_NFT_REDIR=m
CONFIG_NFT_NAT=m
CONFIG_NFT_REJECT=m
CONFIG_NF_TABLES_IPV4=m
CONFIG_NFT_REJECT_IPV4=m
CONFIG_NFT_MASQ_IPV4=m
CONFIG_NFT_REDIR_IPV4=m
CONFIG_BRIDGE_EBT_VLAN=m
CONFIG_GARP=m
CONFIG_MRP=m
CONFIG_BRIDGE_VLAN_FILTERING=y
CONFIG_VLAN_8021Q=m
CONFIG_VLAN_8021Q_GVRP=y
CONFIG_VLAN_8021Q_MVRP=y
CONFIG_NET_L3_MASTER_DEV=y

Note that this also fix RTNETLINK answers: Operation not supported @netblue30 this info could may be added to the wiki or faq

[zolfone]

Hi @intika, I was almost givin' up on this... so first of all a big thanks for your answer!
But I'm having lots of troubles finding at least half of those modules in my kernel,
I usually edit my .config file and search for what I need to enable but in this case most of them are missing, e.g.:
CONFIG_NFT_RT=m
CONFIG_NFT_MASQ=m
CONFIG_NFT_REDIR=m
CONFIG_NFT_NAT=m
CONFIG_NFT_MASQ_IPV4=m
CONFIG_NFT_REDIR_IPV4=m

I successfully enabled all the other modules, but after rebooting in the newly recompiled kernel Firejail still throws me the RTNETLINK error, and yes I loaded ipvlan and ipv6.
Any suggestion for the kernel config problem? Maybe you could write the exact sections under "make menuconfig" where to enable all the necessary modules.

Thanks

[intika]

My goal is to have a main NIC (eth0) with an active OpenVPN connection, and run firefox/other applications on eth1 outside the VPN.

Does your VPN provider have Wireguard ? if its the case Wireguard have some interesting sandbox (user space) features...

What kernel version are you using ? it's probably because of the used version that you are missing other modules... or may be it's just because those modules are neither enabled neither disabled (missing from the config file) you can may be just add them manually to the config file and see if the kernel get compiled otherwise you can search them with make menuconfig i think the shortcut for search is / or ? key.

You have a lot of solution that could match exactly what you want

• Wireguard with user space (depend on your provider)
• Setup a user space with ipvlan then initiate an openvpn connection inside the user space
• Use firejail's routed solution but this require using ip_forward which make your box act ac a router and may introduce security risk if it's not correctly setup with iptables and firewall...
• Use a bridge + user space solution.

User space by it self require root you can not easily run firefox as a user under a different user space BUT firejail have an amazing option that let you use any "user space" without route firejail --netns=space-name

Here are some readings about what i suggested:

• What is ip masquerade
• Bridging an interface
• How to use vpn separately for different user
• Bind unix program to specific network interface
• Proxifier like solution for linux

With all that different informations you should for sure find a working solution with your current setup :)

[zolfone]

@intika I'm on kernel 5.0.7 (gentoo sources), what kernel are you running? I'll try to downgrade to some 4.* version to see if maybe something has changed. I'd like to keep going with firejail, I think I'm only missing these kernel modules to make it work, I'll let you know if I have any success.

[intika]

i still did not update to 5.xx have to update all my patches any way i tested with 4.14 and 4.20 ... what i sent before is kind a doing what firejail do but manually... firejail is using veth to accomplish name space separation you can still do it manually (following the video) to see where it exactly stuck... other solution are kind a doing it manually you can still use firejail after creating a user space... by the way i know you are using eth but bare in mind that this is not completely compatible with wlan ("network isolation", because wlan is a little different when it come to bridge/veth/macvlan etc)
an other video https://www.youtube.com/watch?v=_WgUwUf1d34