diff --git a/.gitea/workflows/main.yml b/.gitea/workflows/main.yml
index 4a6ad73..3ca4c37 100644
--- a/.gitea/workflows/main.yml
+++ b/.gitea/workflows/main.yml
@@ -43,7 +43,7 @@ jobs:
 run: go mod download
 - name: Lint
- uses: golangci/golangci-lint-action@v6
+ uses: golangci/golangci-lint-action@v7
 with:
 install-mode: binary
 version: v2.1.6
diff --git a/internal/sandbox/linux.go b/internal/sandbox/linux.go
index 4b9359e..c6adaf2 100644
--- a/internal/sandbox/linux.go
+++ b/internal/sandbox/linux.go
@@ -637,14 +637,15 @@ func WrapCommandLinuxWithOptions(cfg *config.Config, command string, proxyBridge
 // Always use --unshare-net when available (network namespace isolation)
 // Inside the namespace, tun2socks will provide transparent proxy access.
- // Skip network namespace when domain filtering with wildcard allow is active
- // (the filtering proxy handles domain enforcement via env vars).
- skipUnshareNet := filterProxy != nil && cfg != nil && cfg.Network.IsWildcardAllow()
+ // Skip network namespace when domain filtering proxy is active — the proxy
+ // listens on the host's 127.0.0.1 and uses env-var-based proxying, which
+ // requires the sandboxed process to reach the host network.
+ skipUnshareNet := filterProxy != nil
 if features.CanUnshareNet && !skipUnshareNet {
 bwrapArgs = append(bwrapArgs, "--unshare-net") // Network namespace isolation
 } else if opts.Debug {
 if skipUnshareNet {
- fmt.Fprintf(os.Stderr, "[greywall:linux] Skipping --unshare-net (wildcard allow with domain filtering)\n")
+ fmt.Fprintf(os.Stderr, "[greywall:linux] Skipping --unshare-net (domain filtering proxy active)\n")
 } else {
 fmt.Fprintf(os.Stderr, "[greywall:linux] Skipping --unshare-net (network namespace unavailable in this environment)\n")
 }
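Review bot: The new `skipUnshareNet := filterProxy != nil` in the linux.go hunk widens the case where the network namespace is dropped from "wildcard allow only" to every run with a domain-filtering proxy, so the domain allowlist is now enforced only by env-var proxying, which a sandboxed process can ignore by opening sockets directly; the added comment says the proxy needs host reachability but does not state this enforcement downgrade. At minimum the comment should say so explicitly, e.g. `// NOTE: without --unshare-net the domain filter is advisory only: clients that ignore HTTP(S)_PROXY/NO_PROXY can reach the network unfiltered.`, and the debug line could say "(domain filtering proxy active; filtering is advisory)" so operators can see it. If the existing tun2socks path can front the filter proxy from inside the namespace, keeping `--unshare-net` when `features.CanUnshareNet` holds and routing the filter through it would preserve the previous enforcement; whether that is feasible is not visible in this hunk. WrapCommandLinuxWithOptions starts before the hunk and continues after it.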