[PATCH] firejail: fix --netfilter option

There is a related issue on the firejail GitHub repo. The solution proposed there is a ./configure option, which would be much cleaner, but this is how I solved it for now (it’s running locally).

Output of git format-patch HEAD^:
From 2801a1b96662d7665ee06962cd32a23529ae7f37 Mon Sep 17 00:00:00 2001
From: Do Nix <um2iai+9g233t397b57k@sharklasers.com>
Date: Fri, 14 Feb 2025 22:37:40 +0100
Subject: [PATCH] firejail: fix --netfilter option

The option silently fails because it can't find iptables, whose paths
are hardcoded in the application.

The relevant files to patch are found dynamically, because the files
were moved between the version currently in nixpkgs and the master
branch.
---
 pkgs/by-name/fi/firejail/package.nix | 12 ++++++++++++
 1 file changed, 12 insertions(+)

diff --git a/pkgs/by-name/fi/firejail/package.nix b/pkgs/by-name/fi/firejail/package.nix
index b998bf6f583a..953f96bf886a 100644
--- a/pkgs/by-name/fi/firejail/package.nix
+++ b/pkgs/by-name/fi/firejail/package.nix
@@ -2,6 +2,7 @@
   lib,
   stdenv,
   fetchFromGitHub,
+  iptables,
   pkg-config,
   libapparmor,
   which,
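Review bot: the new `iptables` argument is only ever used through the `${iptables}` interpolation in postPatch, so nothing else in this hunk is needed (no buildInputs entry), but it is worth a line in the commit message that this turns iptables into a runtime closure dependency of firejail, since the store path is baked into the binary. nixpkgs also ships `iptables-legacy` alongside the default `iptables`; say which backend the --netfilter code is expected to run with so the choice is deliberate rather than whatever `iptables` happens to alias to.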
@@ -55,6 +56,17 @@ stdenv.mkDerivation rec {
       --replace " && !arg_doubledash" ""
   '';
 
+  postPatch = ''
+    # Work around to make iptables work in firejail
+    # The path is hardcoded and has to be updated to where iptables is
+    # https://github.com/netblue30/firejail/issues/6637
+    searchTerm="/sbin/iptables"
+    filesWithSearchTerm=$(grep -l "$searchTerm" $(find -name '*.c'))
+    substituteInPlace $filesWithSearchTerm \
+      --replace-fail "$searchTerm" "${iptables}/bin/iptables"
+  '';
+
+
   preConfigure = ''
     sed -e 's@/bin/bash@${stdenv.shell}@g' -i $( grep -lr /bin/bash .)
     sed -e "s@/bin/cp@$(which cp)@g" -i $( grep -lr /bin/cp .)
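Review bot: the literal substitution of "/sbin/iptables" is unsafe if the source also contains "/usr/sbin/iptables": `--replace-fail "$searchTerm" "${iptables}/bin/iptables"` would turn that into "/usr${iptables}/bin/iptables", which does not exist. Either rewrite the longer "/usr/sbin/iptables" form first, or anchor the match (for example with sed on `\(/usr\)\?/sbin/iptables`) so both spellings collapse to the single store path. The grep also only finds strings containing "/sbin/iptables"; if the netfilter code refers to ip6tables or iptables-restore under their own hardcoded paths, those fall through untouched and --netfilter6 would still fail silently, so please check the grep output in the build log and extend the search term list accordingly. Minor points: `find -name` without a starting path is a GNU extension (use `find . -name '*.c'`), the unquoted `$(find ...)` and `$filesWithSearchTerm` word-split on whitespace, and if grep matches nothing `substituteInPlace` is invoked with no files, which should be an explicit failure rather than a silent no-op (the later preConfigure block above uses the same `$( grep -lr ... )` pattern, so consider the same guard there). Also drop one of the two blank lines before preConfigure.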
-- 
2.47.2