From 1300cbacc97de0dce3affdea523da6b7618d0a78 Mon Sep 17 00:00:00 2001
From: Jose B
Date: Tue, 17 Feb 2026 16:11:41 -0500
Subject: [PATCH] fix: skip network namespace when domain filtering proxy is active

Change --unshare-net skip logic to trigger whenever filterProxy is set, not just for wildcard allow configs. The filtering proxy always listens on host 127.0.0.1 and requires sandboxed processes to reach the host network via env-var-based proxying.

Also upgrade golangci-lint-action to v7.
---
 .gitea/workflows/main.yml | 2 +-
 internal/sandbox/linux.go | 9 +++++----
 2 files changed, 6 insertions(+), 5 deletions(-)

diff --git a/.gitea/workflows/main.yml b/.gitea/workflows/main.yml
index 4a6ad73..3ca4c37 100644
--- a/.gitea/workflows/main.yml
+++ b/.gitea/workflows/main.yml
@@ -43,7 +43,7 @@ jobs:
 run: go mod download
 - name: Lint
- uses: golangci/golangci-lint-action@v6
+ uses: golangci/golangci-lint-action@v7
 with:
 install-mode: binary
 version: v2.1.6
diff --git a/internal/sandbox/linux.go b/internal/sandbox/linux.go
index 4b9359e..c6adaf2 100644
--- a/internal/sandbox/linux.go
+++ b/internal/sandbox/linux.go
@@ -637,14 +637,15 @@ func WrapCommandLinuxWithOptions(cfg *config.Config, command string, proxyBridge
 // Always use --unshare-net when available (network namespace isolation)
 // Inside the namespace, tun2socks will provide transparent proxy access.
- // Skip network namespace when domain filtering with wildcard allow is active
- // (the filtering proxy handles domain enforcement via env vars).
- skipUnshareNet := filterProxy != nil && cfg != nil && cfg.Network.IsWildcardAllow()
+ // Skip network namespace when domain filtering proxy is active — the proxy
+ // listens on the host's 127.0.0.1 and uses env-var-based proxying, which
+ // requires the sandboxed process to reach the host network.
+ skipUnshareNet := filterProxy != nil
 if features.CanUnshareNet && !skipUnshareNet {
 bwrapArgs = append(bwrapArgs, "--unshare-net") // Network namespace isolation
 } else if opts.Debug {
 if skipUnshareNet {
- fmt.Fprintf(os.Stderr, "[greywall:linux] Skipping --unshare-net (wildcard allow with domain filtering)\n")
+ fmt.Fprintf(os.Stderr, "[greywall:linux] Skipping --unshare-net (domain filtering proxy active)\n")
 } else {
 fmt.Fprintf(os.Stderr, "[greywall:linux] Skipping --unshare-net (network namespace unavailable in this environment)\n")
 }
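Review bot: With `skipUnshareNet := filterProxy != nil` the network namespace is now dropped for every domain-filtering configuration, so for non-wildcard allowlists the filter rests solely on the sandboxed process honouring the proxy environment variables rather than on the transparent tun2socks path the comment two lines above still describes; the old condition confined that exposure to configs that already allowed everything. The new comment should say this explicitly so readers do not assume the allowlist is enforced at the network layer, e.g. `// NOTE: without --unshare-net the domain filter is only applied to traffic that follows the proxy env vars; it is not enforced for processes that bypass them.` The reduction in isolation is currently reported only under opts.Debug; emitting that line unconditionally (or surfacing it in the result) would let operators notice the downgrade. Whether the proxy could instead be made reachable from inside the namespace is not decidable from this hunk, and WrapCommandLinuxWithOptions begins and ends outside it.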