Diffstat (limited to 'internal/wireguard')
| -rw-r--r-- | internal/wireguard/wireguard.go | 5 |
1 files changed, 4 insertions, 1 deletions
diff --git a/internal/wireguard/wireguard.go b/internal/wireguard/wireguard.go
index 5bbc518..48bd562 100644
--- a/internal/wireguard/wireguard.go
+++ b/internal/wireguard/wireguard.go
@@ -297,7 +297,10 @@ func (h *HostBind) Open(port uint16) (fns []conn.ReceiveFunc, actualPort uint16,
 // Switch this thread back to the isolated network namespace
 if err := unix.Setns(isolatedFd, unix.CLONE_NEWNET); err != nil {
 _ = h.inner.Close()
- return nil, 0, fmt.Errorf("failed to restore isolated netns: %w", err)
+ // CRITICAL: The thread is stuck in the host network namespace. Returning it to the Go runtime pool
+ // will cause other goroutines to run in the host namespace, breaching isolation. We must panic
+ // immediately to abort the process and prevent a namespace escape.
+ panic(fmt.Sprintf("CRITICAL: failed to restore isolated netns: %v", err))
 }
 return fns, actualPort, nil |
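Review bot: The new `panic(fmt.Sprintf("CRITICAL: failed to restore isolated netns: %v", err))` does not guarantee the process aborts, because a deferred `recover()` anywhere up this goroutine's stack (a request handler or supervisor wrapper, say) swallows the panic and resumes execution on the very thread the comment says must never be reused, so a host-namespace thread can still reach the scheduler. If unconditional termination is the intent, terminate directly, e.g. `fmt.Fprintf(os.Stderr, "CRITICAL: failed to restore isolated netns: %v\n", err)` followed by `os.Exit(1)` (adding the `os` import if the file lacks it). Alternatively, since `unix.Setns` only affects the calling thread, `Open` presumably holds `runtime.LockOSThread()` around this block; if so, simply not calling the matching `runtime.UnlockOSThread()` on this error path makes the runtime discard the thread when the goroutine exits rather than recycle it, which is the documented way to retire a thread with tainted state — worth confirming against the lock handling, which lies outside the hunk, as does the rest of `Open`. Whichever is chosen, the `// CRITICAL:` comment should name that mechanism instead of `panic`, so a later maintainer does not wrap the call in a recover and silently reopen the escape.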
