fix: skip network namespace when domain filtering proxy is active

Change --unshare-net skip logic to trigger whenever filterProxy is set,
not just for wildcard allow configs. The filtering proxy always listens
on host 127.0.0.1 and requires sandboxed processes to reach the host
network via env-var-based proxying. Also upgrade golangci-lint-action to v7.

.gitea/workflows/main.yml

@@ -43,7 +43,7 @@ jobs:
         run: go mod download
 
       - name: Lint
-        uses: golangci/golangci-lint-action@v6
+        uses: golangci/golangci-lint-action@v7
         with:
           install-mode: binary
           version: v2.1.6

internal/sandbox/linux.go

@@ -637,14 +637,15 @@ func WrapCommandLinuxWithOptions(cfg *config.Config, command string, proxyBridge
 
 	// Always use --unshare-net when available (network namespace isolation)
 	// Inside the namespace, tun2socks will provide transparent proxy access.
-	// Skip network namespace when domain filtering with wildcard allow is active
-	// (the filtering proxy handles domain enforcement via env vars).
-	skipUnshareNet := filterProxy != nil && cfg != nil && cfg.Network.IsWildcardAllow()
+	// Skip network namespace when domain filtering proxy is active — the proxy
+	// listens on the host's 127.0.0.1 and uses env-var-based proxying, which
+	// requires the sandboxed process to reach the host network.
+	skipUnshareNet := filterProxy != nil
 	if features.CanUnshareNet && !skipUnshareNet {
 		bwrapArgs = append(bwrapArgs, "--unshare-net") // Network namespace isolation
 	} else if opts.Debug {
 		if skipUnshareNet {
-			fmt.Fprintf(os.Stderr, "[greywall:linux] Skipping --unshare-net (wildcard allow with domain filtering)\n")
+			fmt.Fprintf(os.Stderr, "[greywall:linux] Skipping --unshare-net (domain filtering proxy active)\n")
 		} else {
 			fmt.Fprintf(os.Stderr, "[greywall:linux] Skipping --unshare-net (network namespace unavailable in this environment)\n")
 		}