readme example for Isolation with access to a private, cloned interface (requires root/setuid) not able to talk to internet

[danthegoodman1]

I've compiled nsjail on a fresh ubuntu 24.04 machine from hetzner cloud with the following network information:

root@ubuntu-8gb-hil-1:~# ifconfig
docker0: flags=4099<UP,BROADCAST,MULTICAST>  mtu 1500
        inet 172.17.0.1  netmask 255.255.0.0  broadcast 172.17.255.255
        ether 02:42:3f:31:1c:83  txqueuelen 0  (Ethernet)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 0  bytes 0 (0.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 5.78.132.181  netmask 255.255.255.255  broadcast 0.0.0.0
        inet6 fe80::9400:3ff:fefb:e47e  prefixlen 64  scopeid 0x20<link>
        inet6 2a01:4ff:1f0:cd3e::1  prefixlen 64  scopeid 0x0<global>
        ether 96:00:03:fb:e4:7e  txqueuelen 1000  (Ethernet)
        RX packets 97569  bytes 308814119 (308.8 MB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 51959  bytes 5833919 (5.8 MB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10<host>
        loop  txqueuelen 1000  (Local Loopback)
        RX packets 268  bytes 33600 (33.6 KB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 268  bytes 33600 (33.6 KB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

When running the example provided at https://github.com/google/nsjail?tab=readme-ov-file#isolation-with-access-to-a-private-cloned-interface-requires-rootsetuid I am unable to connect to the server:

root@ubuntu-8gb-hil-1:~# nsjail --user 9999 --group 9999 --macvlan_iface eth0 --chroot / -Mo --macvlan_vs_ip 192.168.0.44 --macvlan_vs_nm 255.255.255.0 --macvlan_vs_gw 192.168.0.1 -- /bin/bash -i
[I][2025-01-12T19:48:41+0000] Mode: STANDALONE_ONCE
[I][2025-01-12T19:48:41+0000] Jail parameters: hostname:'NSJAIL', chroot:'/', process:'/bin/bash', bind:[::]:0, max_conns:0, max_conns_per_ip:0, time_limit:0, personality:0, daemonize:false, clone_newnet:true, clone_newuser:true, clone_newns:true, clone_newpid:true, clone_newipc:true, clone_newuts:true, clone_newcgroup:true, clone_newtime:false, keep_caps:false, disable_no_new_privs:false, max_cpus:0
[I][2025-01-12T19:48:41+0000] Mount: '/' -> '/' flags:MS_RDONLY|MS_BIND|MS_REC|MS_PRIVATE type:'' options:'' dir:true
[I][2025-01-12T19:48:41+0000] Mount: '/proc' flags:MS_RDONLY type:'proc' options:'' dir:true
[I][2025-01-12T19:48:41+0000] Uid map: inside_uid:9999 outside_uid:0 count:1 newuidmap:false
[W][2025-01-12T19:48:41+0000][4934] logParams():313 Process will be UID/EUID=0 in the global user namespace, and will have user root-level access to files
[I][2025-01-12T19:48:41+0000] Gid map: inside_gid:9999 outside_gid:0 count:1 newgidmap:false
[W][2025-01-12T19:48:41+0000][4934] logParams():323 Process will be GID/EGID=0 in the global user namespace, and will have group root-level access to files
[I][2025-01-12T19:48:41+0000] Executing '/bin/bash' for '[STANDALONE MODE]'
bash: cannot set terminal process group (-1): Inappropriate ioctl for device
bash: no job control in this shell
groups: cannot find name for group ID 9999
I have no name!@NSJAIL:/$ id
uid=9999 gid=9999 groups=9999
I have no name!@NSJAIL:/$ ip addr sh
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: vs@if2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether 2a:fe:32:09:fe:4a brd ff:ff:ff:ff:ff:ff link-netnsid 0
    inet 192.168.0.44/24 brd 192.168.0.255 scope global vs
       valid_lft forever preferred_lft forever
    inet6 fe80::28fe:32ff:fe09:fe4a/64 scope link
       valid_lft forever preferred_lft forever
I have no name!@NSJAIL:/$ nc 1.1.1.1 80
GET / HTTP/1.0

I have no name!@NSJAIL:/$ GET / HTTP/1.0
Command 'GET' not found, but can be installed with:
apt install libwww-perl
Please ask your administrator.

I observe the same issues with curl and wget as well.

On the base machine nc works as expected:

root@ubuntu-8gb-hil-1:~# nc 1.1.1.1 80
GET / HTTP/1.0

HTTP/1.1 400 Bad Request
Date: Sun, 12 Jan 2025 19:48:09 GMT
Content-Type: text/html
Content-Length: 155
Connection: close
Server: cloudflare
CF-RAY: 900fa9959e225ee9-PDX

<html>
<head><title>400 Bad Request</title></head>
<body>
<center><h1>400 Bad Request</h1></center>
<hr><center>cloudflare</center>
</body>
</html>

Is there a capability I'm missing?

For reference, my goal is that the jailed process will be able to talk to the outside world (e.g. the internet), but won't be able to access something also listening on the host (e.g. a server running on another process)