Merged
6 changes: 4 additions & 2 deletions nsjail_manager/nsjail/networking_host.go
Expand Up @@ -61,11 +61,13 @@ func (l *LinuxJail) configureIptables() error {
// Enable IPv4 packet forwarding so the host can route packets between
// the jail's veth interface and the outside network. Without this,
// NAT and forwarding rules would have no effect because the kernel
// would drop transit packets.
newCommand(
// would drop transit packets. Best-effort: in restricted environments
// (e.g. read-only sysctl) we continue; TCP through the proxy may still work.
newCommandWithIgnoreErr(
"enable IP forwarding",
exec.Command("sysctl", "-w", "net.ipv4.ip_forward=1"),
[]uintptr{},
"*",
),
// Apply source NAT (MASQUERADE) for all traffic leaving the jail’s
// private subnet. This rewrites the source IP of packets originating
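Review bot: The `"*"` argument added to the `newCommandWithIgnoreErr(` call for "enable IP forwarding" looks like it ignores every failure of `sysctl -w net.ipv4.ip_forward=1`, not only the read-only sysctl case the new comment names. A missing `sysctl` binary or an unexpected permission error would then pass silently, and the MASQUERADE rule that follows would be installed while the kernel still drops transit packets, which is the condition the original comment warns about. Consider narrowing the pattern to the error text expected in restricted environments, or keeping the wildcard but logging a warning when the command fails so operators can see that forwarding was not enabled. It would also help to check whether `net.ipv4.ip_forward` is already 1 before treating a failed write as harmless, and to extend the comment to state which traffic stops working in that mode, since "TCP through the proxy may still work" only says what survives.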