feat: Stop emitting iptables errors on dual-stack hosts; add IPv6 sandbox support #10

Open
machado144 wants to merge 3 commits into main from fix/sandbox-ipv6

Conversation

machado144 (Contributor) commented May 21, 2026

Closes #8.

What

  • Commit 1 — stop feeding IPv6 nameservers to iptables; closes the noise from ipv6 error with nftables #8.
  • Commit 2 — actually filter IPv6 egress: slirp4netns --enable-ipv6 + parallel ip6tables chain (loopback, DNS, allowed v6 nameservers, AAAA-resolved allow_net, final REJECT).
  • Commit 3 — README + user/AI docs updated to mention ip6tables.

Safety

  • v6 only enabled when kernel v6 is on and ip6tables is on PATH. Either missing → v4-only (status quo).
  • Refuses partial v6 (NAT without filter) — that would silently bypass allow_net.

Verified

  • 177 unit tests pass; bwrap+slirp smoke test exercises v6 on capable hosts.
  • Manual run on the issue ipv6 error with nftables #8 repro shape (Fedora, dual-stack resolv.conf): startup silent, both iptables and ip6tables OUTPUT chains end with REJECT.
  • dupehound: clones 122 → 118, no new prod dead code.

🤖 Generated with Claude Code

machado144 and others added 2 commits May 21, 2026 20:45
Hosts with both v4 and v6 nameservers in resolv.conf (Fedora 43 + IPv6
routers being a common case) caused the sandbox startup script to run
`iptables -A OUTPUT -d <v6-addr>`, which iptables rejects with
"host/network not found". Sandbox still worked (v4 path was unaffected),
but two error lines printed at every launch.

Split the resolv.conf nameserver list by address family and only feed the
v4 entries to iptables. v6 entries are logged but otherwise dropped — the
sandbox is IPv4-only by design (slirp4netns IPv4 NAT only, iptables-only
rules), so those nameservers were never reachable from inside the
sandbox anyway.

This is the symptom fix. Adding actual IPv6 sandbox support is the
follow-up commit on this branch.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

Extends the network-filtered sandbox to also filter IPv6 egress on hosts
that support it. The v4 path is unchanged; v6 is enabled when both
conditions hold:

  - kernel v6 is enabled (/proc/sys/net/ipv6/conf/all/disable_ipv6 == 0)
  - ip6tables is on PATH

Either missing → sandbox stays v4-only (status quo). A partial v6 filter
would leave the sandbox with v6 connectivity and no egress rules, which
is worse than no v6 at all.

Changes:
  - slirp4netns invoked with --enable-ipv6 when supported (both the
    unshare-orchestration shell path and the bwrap+exec.Command path)
  - resolv.conf inside sandbox gets `nameserver fd00::3` (slirp4netns v6
    forwarder) alongside 10.0.2.3 when v6 is on
  - parallel ip6tables ruleset mirroring iptables: loopback, DNS port 53,
    allowed v6 nameservers, AAAA-resolved AllowNet hosts (via getent
    ahostsv6), final REJECT with icmp6-adm-prohibited
  - doctor reports ip6tables and surfaces the chosen v6/v4-only mode
  - sandbox script prelude (tap0 wait, resolv.conf bind) extracted to
    shared helpers to cut duplication between the unshare and bwrap paths

Manually verified on Fedora 42 (host has v4+v6 nameservers in resolv.conf,
which was the issue #8 repro shape): startup is silent, ip6tables OUTPUT
chain ends with REJECT, iptables OUTPUT chain ends with REJECT.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
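As an added example (not code from this PR or the project), here is how the two behaviours described above fit together in Go: splitting resolv.conf nameservers by address family so only v4 literals ever reach iptables, and the v6 gate that requires both the kernel sysctl and ip6tables before v6 NAT is enabled. The `Nameservers` type, the function names and the sample resolv.conf are assumptions made for this example.

```go
package main

import (
	"bufio"
	"net"
	"strings"
)

// Constructed dual-stack resolv.conf, the shape that made iptables fail before the fix.
const sampleResolvConf = "nameserver 192.168.1.1\nnameserver 2001:db8::1\nnameserver fe80::1%eth0\nsearch lan\n"

// Nameservers holds resolv.conf entries split by address family (hypothetical type).
type Nameservers struct{ V4, V6 []string }

// splitNameservers keeps only valid IP literals and sorts each into its family, so
// iptables never sees a v6 address and ip6tables never sees a v4 one.
func splitNameservers(resolvConf string) Nameservers {
	var ns Nameservers
	sc := bufio.NewScanner(strings.NewReader(resolvConf))
	for sc.Scan() {
		f := strings.Fields(sc.Text())
		if len(f) < 2 || f[0] != "nameserver" {
			continue
		}
		addr, _, _ := strings.Cut(f[1], "%") // drop a link-local zone id such as %eth0
		ip := net.ParseIP(addr)
		if ip == nil {
			continue // not an IP literal: drop it rather than hand it to a firewall
		}
		if ip.To4() != nil {
			ns.V4 = append(ns.V4, ip.String())
		} else {
			ns.V6 = append(ns.V6, ip.String())
		}
	}
	return ns
}

// v6Mode is the gate from the PR: kernel v6 on AND ip6tables present. Callers pass the
// text of /proc/sys/net/ipv6/conf/all/disable_ipv6 and whether exec.LookPath("ip6tables")
// succeeded; any other combination is v4-only, so v6 NAT is never enabled without v6
// egress filtering (the partial state the PR refuses).
func v6Mode(disableIPv6Sysctl string, ip6tablesOnPath bool) bool {
	return strings.TrimSpace(disableIPv6Sysctl) == "0" && ip6tablesOnPath
}
```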
github-actions Bot commented

⚠️ Invalid PR Title

PR title must follow the Conventional Commits format since we use squash merge:

<type>[optional scope][!]: <description>

Allowed types: feat, fix, docs, style, refactor, test, chore, build, ci, perf, revert

Examples:

  • feat: add new feature
  • fix(sandbox): resolve namespace issue
  • feat!: breaking change
  • chore(deps): update dependencies

github-actions Bot commented May 21, 2026

StructLint — All checks passed

78 rules validated against .structlint.yaml. No violations found.


machado144 changed the title from "Stop emitting iptables errors on dual-stack hosts; add IPv6 sandbox support" to "feat: Stop emitting iptables errors on dual-stack hosts; add IPv6 sandbox support" on May 21, 2026