From 0c245e9e1c4fc287facff6aebf0bb0f873b90555 Mon Sep 17 00:00:00 2001
From: pptx704
Date: Wed, 11 Mar 2026 06:02:31 +0600
Subject: [PATCH] Fix guest VM outbound networking and DNS resolution

Add resolv.conf to wrenn-init so guests can resolve DNS, and fix the host MASQUERADE rule to match vpeerIP (the actual source after namespace SNAT) instead of hostIP.
---
 images/wrenn-init.sh | 4 ++++
 internal/network/setup.go | 6 ++++--
 2 files changed, 8 insertions(+), 2 deletions(-)

diff --git a/images/wrenn-init.sh b/images/wrenn-init.sh
index ec088ff..6e45e24 100644
--- a/images/wrenn-init.sh
+++ b/images/wrenn-init.sh
@@ -19,5 +19,9 @@ mount -t cgroup2 cgroup2 /sys/fs/cgroup 2>/dev/null || true
 # Set hostname
 hostname sandbox
 
+# Configure DNS resolver.
+echo "nameserver 8.8.8.8" > /etc/resolv.conf
+echo "nameserver 8.8.4.4" >> /etc/resolv.conf
+
 # Exec envd as the main process (replaces this script, keeps PID 1).
 exec /usr/local/bin/envd
diff --git a/internal/network/setup.go b/internal/network/setup.go
index 412154d..60212d9 100644
--- a/internal/network/setup.go
+++ b/internal/network/setup.go
@@ -278,9 +278,11 @@ func CreateNetwork(slot *Slot) error {
 	}
 
 	// MASQUERADE for outbound traffic from sandbox.
+	// After SNAT inside the namespace, outbound packets arrive on the host
+	// with source = vpeerIP, so we match on that (not hostIP).
 	if err := iptablesHost(
 		"-t", "nat", "-A", "POSTROUTING",
-		"-s", fmt.Sprintf("%s/32", slot.HostIP.String()),
+		"-s", fmt.Sprintf("%s/32", slot.VpeerIP.String()),
 		"-o", defaultIface, "-j", "MASQUERADE",
 	); err != nil {
@@ -314,7 +316,7 @@ func RemoveNetwork(slot *Slot) error {
 	)
 	iptablesHost(
 		"-t", "nat", "-D", "POSTROUTING",
-		"-s", fmt.Sprintf("%s/32", slot.HostIP.String()),
+		"-s", fmt.Sprintf("%s/32", slot.VpeerIP.String()),
 		"-o", defaultIface, "-j", "MASQUERADE",
 	)
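Review bot: The two `echo "nameserver ..."` lines in wrenn-init.sh bake Google's public resolvers into every guest, so guest name resolution silently depends on direct UDP/TCP 53 egress to 8.8.8.8/8.8.4.4 through the host MASQUERADE rule and cannot be pointed at a host-side or private resolver without rebuilding the image. Since the script is already driven by the host at boot, the nameserver should be injectable with the current literals as the fallback, e.g. `echo "nameserver ${DNS_SERVER:-8.8.8.8}" > /etc/resolv.conf` (variable name constructed; pick whatever channel wrenn-init already uses for host-supplied settings). The first write also unconditionally clobbers any resolv.conf the image ships, which is worth noting in the comment: `# Configure DNS resolver (overwrites any image-provided resolv.conf).` The same consideration applies later if egress filtering is added to the host rules, as guest DNS would then need an explicit allow.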