netblue30 / firejail

Linux namespaces and seccomp-bpf sandbox
https://firejail.wordpress.com
GNU General Public License v2.0

RTNETLINK error using "--net" option #2046

Open zolfone opened 6 years ago

zolfone commented 6 years ago

Hi, I have two NICs and I'd like to sandbox firefox in a dedicated network interface, but if I try with firejail --net=eth1 firefox I get this error (this is run with the --debug option): https://pastebin.com/Xa9RNJE6

As mentioned here #1844 by @atlaua, maybe I need an L2 eth interface, but I can't find any information on the manpage, nor am I sure if my NIC is of such a family (how can I find out?). My goal is to have a main NIC (eth0) with an active OpenVPN connection, and run firefox/other applications on eth1 outside the VPN. During all of my tests the VPN was down, so it can't be the cause of my problem.

I'm on firejail version 0.9.54, self-compiled on Gentoo; I first tried with the only stable version supported, 0.9.50, and it failed too. Maybe I'm missing a kernel module? Is there a list of needed modules (if any)?

Thanks

zolfone commented 6 years ago

@netblue30, any insight on this problem? thanks

netblue30 commented 6 years ago

I still have no idea what's going on. We added support for tap interfaces in the --net command line option in the version here on github, still under heavy testing. You would need to configure OpenVPN in tap bridge mode, and pass the tap device to --net. So far I couldn't get firejail running on an OpenVPN tap device; that's kind of where I am now.

There is another similar discussion going on here: https://github.com/netblue30/firejail/issues/2032

chiraag-nataraj commented 6 years ago

I'm getting the same issue when I try using --net=wlp60s0 (my wireless interface). No idea if this is related at all to this issue, but I'm getting the exact same message.

zolfone commented 6 years ago

@netblue30, thanks for the reply, but as I stated in my first post there's no VPN connection involved whatsoever at the moment, just two plain simple ethernet interfaces. I'm trying to use one of them inside a sandbox, but I get that error message with both of them. One NIC is PCI (SysKonnect SK-9871, kernel module "skge"), the other one is integrated (Broadcom Limited NetXtreme BCM5754, kernel module "tg3"). I'm trying to be as verbose as possible; if I'm not posting some useful information, please let me know and I'll post it. I still can't find any information on L2 NICs though.

chiraag-nataraj commented 6 years ago

Hmm, my error was fixed at some point.

intika commented 5 years ago

@netblue30 duplicate of https://github.com/netblue30/firejail/issues/2387, I guess both issues should be closed

...

Had a similar issue. This can be caused by a kernel update without reboot or by a lack of needed kernel modules; to fix it, either use a classic (main distribution) kernel or add the missing modules to your kernel.

Also, this error, ioctl: interface.c:98 net_if_up: No such device, typically arises because of the missing module CONFIG_IPVLAN and/or CONFIG_IPV6. Technically the --net parameter requires only ipvlan, but ipvlan has a "false" dependency on ipv6; there is a kernel patch to fix that here or here if you still want to keep ipv6 disabled while getting firejail's network feature working, otherwise just add ipv6 along with ipvlan.

Alternatively, the ifup lo command can give more details on the error/missing module that could affect "firejail --net".

Here are the required kernel modules for firejail networking features (this is an exhaustive list to get everything working; you should be good with just ipvlan):

CONFIG_IPVLAN=m
CONFIG_IPVTAP=m
CONFIG_VXLAN=m
CONFIG_NET_VRF=m
CONFIG_NF_TABLES=m
CONFIG_NF_TABLES_NETDEV=m
CONFIG_NFT_RT=m
CONFIG_NFT_MASQ=m
CONFIG_NFT_REDIR=m
CONFIG_NFT_NAT=m
CONFIG_NFT_REJECT=m
CONFIG_NF_TABLES_IPV4=m
CONFIG_NFT_REJECT_IPV4=m
CONFIG_NFT_MASQ_IPV4=m
CONFIG_NFT_REDIR_IPV4=m
CONFIG_BRIDGE_EBT_VLAN=m
CONFIG_GARP=m
CONFIG_MRP=m
CONFIG_BRIDGE_VLAN_FILTERING=y
CONFIG_VLAN_8021Q=m
CONFIG_VLAN_8021Q_GVRP=y
CONFIG_VLAN_8021Q_MVRP=y
CONFIG_NET_L3_MASTER_DEV=y

Note that this also fixes "RTNETLINK answers: Operation not supported". @netblue30, this info could maybe be added to the wiki or FAQ.
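Added example (editor's note; this is not part of the thread and not firejail's own code): a POSIX sh script that checks the running kernel's config for the options `firejail --net` needs and catches the kernel-update-without-reboot case intika mentions. It reads /proc/config.gz or /boot/config-$(uname -r) and reports any option that is neither built in (=y) nor modular (=m). The short list it checks is an assumption built from this thread plus the firejail man page, which uses macvlan for --net=<interface> and veth for bridge devices; CONFIG_MACVLAN, CONFIG_VETH and CONFIG_NET_NS are therefore added here and are not from intika's list, whose entries can be appended the same way.

```sh
#!/bin/sh
# Added example, not firejail's code: is the running kernel able to do what
# `firejail --net` asks of it? Checks config options and the modules dir.

# kconfig_file : print the path of a readable kernel config, or fail.
# /proc/config.gz exists only with CONFIG_IKCONFIG_PROC; most distributions
# ship /boot/config-<release> instead.
kconfig_file() {
    if [ -r /proc/config.gz ]; then
        echo /proc/config.gz
    elif [ -r "/boot/config-$(uname -r)" ]; then
        echo "/boot/config-$(uname -r)"
    else
        return 1
    fi
}

# kconfig_cat FILE : print the config text, decompressing if needed.
kconfig_cat() {
    case "$1" in
        *.gz) zcat "$1" ;;
        *)    cat "$1" ;;
    esac
}

# kconfig_missing FILE OPTION... : print each OPTION that is not =y or =m
# (a "# CONFIG_X is not set" line or no line at all both count as missing).
# Returns 0 when every option is present, 1 otherwise.
kconfig_missing() {
    file=$1; shift
    missing=0
    for opt in "$@"; do
        if ! kconfig_cat "$file" | grep -q "^${opt}=[ym]$"; then
            echo "$opt"
            missing=1
        fi
    done
    return $missing
}

# modules_dir_present : after a kernel update without a reboot,
# /lib/modules/<running release> is usually gone and every modprobe fails,
# which is the "kernel update without reboot" case from the thread.
modules_dir_present() {
    [ -d "/lib/modules/$(uname -r)" ]
}

# Minimal set (assumption, see lead-in): network namespaces, the macvlan and
# veth drivers firejail creates for --net, plus the two options intika names.
MIN_OPTS="CONFIG_NET_NS CONFIG_MACVLAN CONFIG_VETH CONFIG_IPVLAN CONFIG_IPV6"

# Stand-alone run: report on the running kernel.
if cfg=$(kconfig_file); then
    if missing=$(kconfig_missing "$cfg" $MIN_OPTS); then
        echo "all required options present in $cfg"
    else
        echo "missing in $cfg:"
        echo "$missing"
    fi
else
    echo "no readable kernel config found; try: modprobe -n -v macvlan ipvlan" >&2
fi
modules_dir_present || echo "warning: /lib/modules/$(uname -r) is missing, kernel updated without reboot?" >&2
```

If the config check passes but `firejail --net` still fails, `modprobe -n -v macvlan` (dry run) tells you whether the module can actually be located for the running release, which is the part a config file cannot tell you.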

zolfone commented 5 years ago

Hi @intika, I was almost givin' up on this... so first of all a big thanks for your answer! But I'm having lots of trouble finding at least half of those modules in my kernel. I usually edit my .config file and search for what I need to enable, but in this case most of them are missing, e.g.:

CONFIG_NFT_RT=m
CONFIG_NFT_MASQ=m
CONFIG_NFT_REDIR=m
CONFIG_NFT_NAT=m
CONFIG_NFT_MASQ_IPV4=m
CONFIG_NFT_REDIR_IPV4=m

I successfully enabled all the other modules, but after rebooting into the newly recompiled kernel Firejail still throws the RTNETLINK error, and yes, I loaded ipvlan and ipv6. Any suggestion for the kernel config problem? Maybe you could write the exact sections under "make menuconfig" where to enable all the necessary modules.

Thanks

intika commented 5 years ago

My goal is to have a main NIC (eth0) with an active OpenVPN connection, and run firefox/other applications on eth1 outside the VPN.

Does your VPN provider have WireGuard? If that's the case, WireGuard has some interesting sandbox (user space) features...

What kernel version are you using? It's probably because of the version used that you are missing other modules... or maybe it's just because those modules are neither enabled nor disabled (missing from the config file); you can maybe just add them manually to the config file and see if the kernel gets compiled, otherwise you can search for them with make menuconfig, I think the shortcut for search is the / or ? key.

You have a lot of solutions that could match exactly what you want.

User space by itself requires root; you cannot easily run firefox as a user under a different user space, BUT firejail has an amazing option that lets you use any "user space" without root: firejail --netns=space-name

Here are some readings about what I suggested:

With all that different information you should for sure find a working solution with your current setup :)
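Added example (editor's, not intika's and not firejail's code): the --netns route intika points at, applied to the two-NIC setup from the opening post. The script prints the `ip` commands that move eth1 into a persistent named namespace, address it, give it a default route and its own resolv.conf, and then runs firefox there with `firejail --netns`. The namespace name, the interface name eth1 and the 192.0.2.0/24 addresses (RFC 5737 documentation range) are placeholders to be replaced with the real ones. Printing the plan first and piping it to `sudo sh -e` only with --apply is deliberate: the commands need root and they remove eth1 from the main namespace.

```sh
#!/bin/sh
# Added example, not firejail's code: put eth1 in its own persistent network
# namespace and run firefox inside it with `firejail --netns`, so the browser
# uses eth1 directly while the root namespace keeps its VPN on eth0.
# eth1, "outside-vpn" and the 192.0.2.x addresses are placeholders.

# netns_plan NAME IFACE CIDR GATEWAY DNS : print the setup commands, one per
# line, so they can be reviewed before being run as root.
netns_plan() {
    name=$1 iface=$2 cidr=$3 gw=$4 dns=$5
    cat <<EOF
ip netns add $name
ip link set $iface netns $name
ip -n $name link set lo up
ip -n $name link set $iface up
ip -n $name addr add $cidr dev $iface
ip -n $name route add default via $gw
mkdir -p /etc/netns/$name
printf 'nameserver %s\n' $dns > /etc/netns/$name/resolv.conf
EOF
}

# netns_teardown_plan NAME IFACE : hand the NIC back to the root namespace
# (PID 1's namespace) and delete the named namespace and its resolv.conf.
netns_teardown_plan() {
    name=$1 iface=$2
    cat <<EOF
ip -n $name link set $iface netns 1
ip netns delete $name
rm -rf /etc/netns/$name
EOF
}

NS=outside-vpn
IFACE=eth1
CIDR=192.0.2.10/24    # placeholder: address for eth1 in its namespace
GW=192.0.2.1          # placeholder: gateway reachable on eth1
DNS=192.0.2.53        # placeholder: resolver reachable on eth1

case "${1:-}" in
    --apply)
        # `sh -e` stops at the first failing command instead of half-configuring.
        netns_plan "$NS" "$IFACE" "$CIDR" "$GW" "$DNS" | sudo sh -e
        # Firefox now sees only the namespace's eth1 and lo; tun0 on the root
        # side is invisible to it, and the root side no longer sees eth1.
        firejail --netns="$NS" firefox
        ;;
    --teardown)
        netns_teardown_plan "$NS" "$IFACE" | sudo sh -e
        ;;
    *)
        # Default: dry run, just show what --apply would execute.
        netns_plan "$NS" "$IFACE" "$CIDR" "$GW" "$DNS"
        ;;
esac
```

`ip netns exec outside-vpn ip route` shows the namespace's own routing table, which is the quickest way to confirm that sandboxed traffic cannot reach the root namespace's tun0. If NetworkManager or a similar daemon manages eth1, mark it unmanaged first so it does not reconfigure the interface when --teardown returns it. Firejail's `--netns` attaches to a namespace that `ip netns` has already created under /run/netns; it does not create one.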

zolfone commented 5 years ago

@intika I'm on kernel 5.0.7 (gentoo-sources), what kernel are you running? I'll try to downgrade to some 4.* version to see if maybe something has changed. I'd like to keep going with firejail; I think I'm only missing these kernel modules to make it work. I'll let you know if I have any success.

intika commented 5 years ago

I still did not update to 5.xx, I have to update all my patches. Anyway, I tested with 4.14 and 4.20... What I sent before is kind of doing what firejail does, but manually... firejail is using veth to accomplish namespace separation; you can still do it manually (following the video) to see where exactly it gets stuck... Other solutions are kind of doing it manually; you can still use firejail after creating a user space... By the way, I know you are using eth, but bear in mind that this is not completely compatible with wlan ("network isolation", because wlan is a little different when it comes to bridge/veth/macvlan etc.). Another video: https://www.youtube.com/watch?v=_WgUwUf1d34

matu3ba commented 5 years ago

@intika Please review FAQ.

intika commented 5 years ago

@matu3ba ohh cool, I read that this was linked into https://github.com/netblue30/firejail/wiki/Frequently-Asked-Questions#RTNETLINK-error so I guess we are good :) ... let me know if you want me to edit the wiki ;)

rusty-snake commented 5 years ago

let me know if you want me to edit the wiki

if you have anything to improve, go ahead.

davew-fj commented 4 years ago

Well... I'm afraid my head is spinning and I'm not getting anywhere. The several solutions offered above for connecting a VPN to a firejailed browser are simple to many on this forum, but confusing to me.

If firejail is built around the idea of namespaces, why can't it include a special type of pre-configured namespace in which openvpn can run and connect to the outside world, while providing connectivity to the VPN tunnel from other firejail namespaces?

I'm afraid the need for manual configuration of netns puts this beyond the reach of newbies.

davew-fj commented 4 years ago

Can macvlan or macvtap be used for connecting firejailed firefox via an OpenVPN service? If so, is there a guide for this?

Edit: My question was not clear... After creating a macvlan link, like so:

sudo ip link add macvlan0 link eth0 type macvlan mode bridge

... and starting firejailed firefox, like so:

firejail --net=macvlan0 --ip=192.168.227.10 --netmask=255.255.255.0 --defaultgw=192.168.227.1 --dns=10.4.0.1 firefox-esr

... firejailed firefox connects directly to the internet via eth0. (Of course, it does that anyway, with the default firejail networking.)

But it will not connect via a VPN. I have tried using addresses for eth0 (as above) and also those for tun0. What am I missing?

matu3ba commented 3 years ago

I can reproduce a related issue after 1. a kernel update and 2. a changed wifi interface (my distribution changed it from wlp3s0 or so to wlan0).

The fix is to reboot (maybe logout + login might also be sufficient).

@rusty-snake Would you accept changing the wiki on RTNETLINK problems to 1. installing drivers and 2. reboot, for closing this issue?

Either it should be written what needs to be fixed (in other projects) or put on the backlog. Personally, I think firejail should not attempt to do stuff on the backlog; better to fix or wontfix upstream.

rusty-snake commented 3 years ago

I don't use firejail's networking features, nor have I followed all the RTNETLINK issues. Therefore I can't say anything here.

aykevl commented 1 year ago

I have enabled almost all modules listed in https://github.com/netblue30/firejail/issues/2046#issuecomment-481416363 but still I get this error. (The only modules missing are CONFIG_NFT_RT, CONFIG_BRIDGE_VLAN_FILTERING, and CONFIG_VLAN_8021Q_MVRP.) The kernel is a standard Raspberry Pi OS (64-bit) kernel where I enabled CONFIG_IPVTAP in the hope that it would help (it didn't).

This happens when I try to use a WireGuard interface. The eth0 interface works fine.

glitsj16 commented 1 year ago

@aykevl

You might want to have a look at LKDDb: Linux Kernel Driver DataBase for finding more info on how to get those missing modules. Or search for a similar site for Raspberry Pi OS kernel (if there is such a thing). It can be a bit of a pain to follow the config dependency chain but at least you can look up stuff without having to go through a build to discover the needed module isn't there...

CONFIG_NFT_RT: The nft_rt module seems to be present in Linux kernels 4.10–4.17 only. Hopefully you can track what superseded it.

aykevl commented 1 year ago

@glitsj16 I tried on three different kernels: a stock Debian bookworm kernel, the Asahi Linux kernel, and the Raspberry Pi OS (64-bit) kernel. All of them have the same problem. I would be very surprised if it really is a problem with kernel modules - otherwise many more people would hit this issue. Rather, I think this bug is caused by something else (but because of the rather vague error message I have no idea where to look).

(Worth noting that all three kernels are arm64 kernels, but I wouldn't expect that to matter here).

For those wanting to reproduce this issue: basically just create a WireGuard network interface, and then run firejail --net=wg0 echo hello to see the error message.
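Added example (editor's, not aykevl's and not firejail's code): the quickest answer to the "how can I find out if my NIC is L2?" question from the opening post, and the check to run before trying `firejail --net=wg0`. Firejail's --net=<interface> puts a macvlan on top of the interface (per its man page), and the kernel's macvlan driver only accepts a lower device whose ARPHRD type is ARPHRD_ETHER (1); WireGuard devices and tun-mode tun devices register as ARPHRD_NONE (65534), so a macvlan cannot be created on them no matter which modules are loaded. The script reads the type from sysfs; the sysfs root is a parameter so the same functions can be run against a constructed tree, which is how the example is tested.

```sh
#!/bin/sh
# Added example, not firejail's code: is this interface an Ethernet (L2)
# device that macvlan, and therefore `firejail --net=<iface>`, can use?
# The ARPHRD type comes from /sys/class/net/<iface>/type; ROOT is normally
# /sys and is a parameter only so the functions can be tested offline.

# arphrd_type ROOT IFACE : print the numeric ARPHRD type, fail if absent.
arphrd_type() {
    cat "$1/class/net/$2/type" 2>/dev/null
}

# arphrd_name TYPE : kernel names for the types seen on a desktop/laptop.
arphrd_name() {
    case "$1" in
        1)     echo ether ;;      # ARPHRD_ETHER: eth*, tap*, most wlan*
        772)   echo loopback ;;   # ARPHRD_LOOPBACK: lo
        65534) echo none ;;       # ARPHRD_NONE: tun (tun mode), wireguard
        65535) echo void ;;       # ARPHRD_VOID
        *)     echo "unknown($1)" ;;
    esac
}

# macvlan_capable ROOT IFACE : succeed only if the macvlan driver would
# accept IFACE as its lower device (it requires ARPHRD_ETHER; lo is 772).
macvlan_capable() {
    [ "$(arphrd_type "$1" "$2")" = "1" ]
}

# report ROOT IFACE... : one verdict line per interface.
report() {
    root=$1; shift
    for ifc in "$@"; do
        if ! t=$(arphrd_type "$root" "$ifc"); then
            echo "$ifc: not found under $root/class/net"
            continue
        fi
        if macvlan_capable "$root" "$ifc"; then
            verdict="L2 device, macvlan (and --net=$ifc) possible"
        else
            verdict="not an L2 device, macvlan cannot be created on it"
        fi
        echo "$ifc: type $t ($(arphrd_name "$t")), $verdict"
    done
}

# Stand-alone run: report on every interface of the running system.
if [ -d /sys/class/net ]; then
    report /sys $(ls /sys/class/net)
fi
```

`ip -d link show wg0` shows the same distinction as link/none versus link/ether for eth0. A wlan interface normally reports type 1 and passes this check, but many Wi-Fi drivers and access points drop frames carrying a second source MAC, which is the wlan incompatibility intika warns about above; the check says whether the macvlan can be created, not whether traffic will flow through it.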