programs: inetutils/iptables: sandbox

hosts/common/programs/assorted.nix

@@ -468,17 +468,9 @@ in
     iftop.sandbox.capabilities = [ "net_raw" ];
 
     # inetutils: ping, ifconfig, hostname, traceroute, whois, ....
-    # TODO: requires more than this;
-    # - also, sandboxed `ping` doesn't make it onto /run/current-system/sw/bin; unsandboxed `ping` does instead
-    # inetutils.sandbox.method = "landlock";  # want to keep the same netns, at least.
-    # inetutils.sandbox.wrapperType = "wrappedDerivation";
-
-    iotop.sandbox.method = "landlock";
-    iotop.sandbox.wrapperType = "wrappedDerivation";
-    iotop.sandbox.extraPaths = [
-      "/proc"
-    ];
-    iotop.sandbox.capabilities = [ "net_admin" ];
+    # N.B.: inetutils' `ping` is shadowed by iputils' ping (by nixos, intentionally).
+    inetutils.sandbox.method = "landlock";  # want to keep the same netns, at least.
+    inetutils.sandbox.wrapperType = "wrappedDerivation";
 
     inkscape.sandbox.method = "bwrap";
     inkscape.sandbox.wrapperType = "wrappedDerivation";
@@ -492,6 +484,18 @@ in
     ];
     inkscape.sandbox.autodetectCliPaths = true;
 
+    iotop.sandbox.method = "landlock";
+    iotop.sandbox.wrapperType = "wrappedDerivation";
+    iotop.sandbox.extraPaths = [
+      "/proc"
+    ];
+    iotop.sandbox.capabilities = [ "net_admin" ];
+
+    iptables.sandbox.method = "landlock";
+    iptables.sandbox.wrapperType = "wrappedDerivation";
+    iptables.sandbox.net = "all";
+    iptables.sandbox.capabilities = [ "net_admin" ];
+
     # jq.sandbox.autodetectCliPaths = true;  # liable to over-detect
 
     killall.sandbox.method = "landlock";