sanebox: fix missing dependency on iptables/iproute2

hosts/common/programs/sanebox.nix

@@ -18,8 +18,10 @@ in
   sane.programs.sanebox = {
     packageUnwrapped = (pkgs.sanebox.override {
       bubblewrap = cfg.bubblewrap.package;
-      passt = cfg.passt.package;
+      iproute2 = cfg.iproute2.package;
+      iptables = cfg.iptables.package;
       libcap = cfg.libcap.package;
+      passt = cfg.passt.package;
       landlock-sandboxer = pkgs.landlock-sandboxer.override {
         # not strictly necessary (landlock ABI is versioned), however when sandboxer version != kernel version,
         # the sandboxer may nag about one or the other wanting to be updated.

modules/programs/default.nix

@@ -469,9 +469,9 @@ let
         wrapPkg name config config.packageUnwrapped
       ;
       suggestedPrograms = lib.optionals (config.sandbox.method == "bwrap") [
-        "bubblewrap" "passt"
+        "bubblewrap" "passt" "iproute2" "iptables"
       ] ++ lib.optionals (config.sandbox.method == "pastaonly") [
-        "passt"
+        "passt" "iproute2" "iptables"
       ] ++ lib.optionals (config.sandbox.method == "capshonly") [
         "libcap"
       ];

pkgs/additional/sanebox/default.nix

@@ -2,9 +2,11 @@
 , bash
 , bubblewrap
 , coreutils
-, passt
+, iproute2
+, iptables
 , landlock-sandboxer
 , libcap
+, passt
 , substituteAll
 , profileDir ? "/share/sanebox/profiles"
 }:
@@ -23,10 +25,13 @@ stdenv.mkDerivation {
     runHook preBuild
     substitute $src sanebox \
       --replace-fail '@bwrap@' '${lib.getExe bubblewrap}' \
-      --replace-fail '@landlockSandboxer@' '${lib.getExe landlock-sandboxer}' \
       --replace-fail '@capsh@' '${lib.getExe' libcap "capsh"}' \
+      --replace-fail '@env@' '${lib.getExe' coreutils "env"}' \
+      --replace-fail '@ip@' '${lib.getExe' iproute2 "ip"}' \
+      --replace-fail '@iptables@' '${lib.getExe' iptables "iptables"}' \
+      --replace-fail '@landlockSandboxer@' '${lib.getExe landlock-sandboxer}' \
       --replace-fail '@pasta@' '${lib.getExe' passt "pasta"}' \
-      --replace-fail '@env@' '${lib.getExe' coreutils "env"}'
+
     runHook postBuild
   '';
 

pkgs/additional/sanebox/sanebox

@@ -3,10 +3,12 @@
 ## BUILD-TIME SUBSTITUTIONS
 ### <bin>_FALLBACK: if `<bin>` isn't on PATH, then use this instead
 BWRAP_FALLBACK='@bwrap@'
-LANDLOCK_SANDBOXER_FALLBACK='@landlockSandboxer@'
 CAPSH_FALLBACK='@capsh@'
-PASTA_FALLBACK='@pasta@'
 ENV_FALLBACK='@env@'
+IP_FALLBACK='@ip@'
+IPTABLES_FALLBACK='@iptables@'
+LANDLOCK_SANDBOXER_FALLBACK='@landlockSandboxer@'
+PASTA_FALLBACK='@pasta@'
 
 
 ## EARLY DEBUG HOOKS
@@ -888,10 +890,12 @@ pastaonlyIngestDns() {
       fi
       ;;
     (*)
+      locate _iptables "iptables" "$IPTABLES_FALLBACK"
+      locate _ip "ip" "$IP_FALLBACK"
       # NAT DNS requests to localhost to the VPN's DNS resolver
       # claim the whole 127.0.0.x space, because some setups place the DNS on a different address of localhost.
-      pastaNetSetup="iptables -A OUTPUT -t nat -p udp --dport 53 -m iprange --dst-range 127.0.0.1-127.0.0.255 -j DNAT --to-destination $1:53; $pastaNetSetup"
+      pastaNetSetup="$_iptables -A OUTPUT -t nat -p udp --dport 53 -m iprange --dst-range 127.0.0.1-127.0.0.255 -j DNAT --to-destination $1:53; $pastaNetSetup"
-      pastaNetSetup="ip addr del 127.0.0.1/8 dev lo; $pastaNetSetup"
+      pastaNetSetup="$_ip addr del 127.0.0.1/8 dev lo; $pastaNetSetup"
       ;;
   esac
 }