diff --git a/modules/programs/make-sandbox-args.nix b/modules/programs/make-sandbox-args.nix
index e5f9634dd..702645edb 100644
--- a/modules/programs/make-sandbox-args.nix
+++ b/modules/programs/make-sandbox-args.nix
@@ -34,6 +34,7 @@ let
   bunpenGenerators = {
     autodetectCliPaths = style: [ "--bunpen-autodetect" style ];
     capability = cap: [ "--bunpen-cap" cap ];
+    dns = addr: [ "--bunpen-dns" addr ];
     keepIpc = [ "--bunpen-keep-ipc" ];
     keepPids = [ "--bunpen-keep-pid" ];
     method = m: assert m == "bunpen";
@@ -53,7 +54,8 @@ let
         "stderr"
         # bwrap also does some stuff for /dev/{console,core,ptmx,pts,shm}, i don't need those (yet?)
       ]);
-    netDev = n: assert n == "all"; [ "--bunpen-keep-net" ];
+    netDev = n: if n == "all" then [ "--bunpen-keep-net" ] else [ "--bunpen-net-dev" n ];
+    netGateway = netGateway: [ "--bunpen-net-gateway" netGateway ];
     path = p: [ "--bunpen-path" p ];
     path-home = p: [ "--bunpen-home-path" p ];
     path-run = p: [ "--bunpen-run-path" p ];