Description
Context
Following the Cloudflare thing, my private IP appears to be one of those that can't see any itch pages anymore (at least from the client), so I set out to set up a network namespace with a VPN for exclusive use with itch.
Expected behaviour
itch should use the custom network namespace and its VPN interface and resolv.conf file. Tests with other applications showed this to be working.
Actual behaviour
This did not work. DNS resolution failed.
Origin of unwanted behaviour
At first I thought this to be a flatpak issue and narrowed it down to missing the --share=network flag for the flatpak command and the bwrap/bubblewrap sandbox it uses.
This however unfortunately had no effect.
Testing further with the native version I found the behaviour to be the same.
Looking deeper into it again using strace I found the native client to be using bwrap/bubblewrap as well.
Proposed solution
I suggest adding an optional flag to the main executable to pass something like --share network to itch's own sandbox, and/or removing itch's own bwrap sandbox entirely for the flatpak version, as flatpak would then add its own sandbox around the already existing one, which adds an unnecessary layer of extra calls to the system.
Tangentially related here is that firejail is not working inside the flatpak version but (unless I misremember) is still enabled by default in it.
Addendum
Alternative origin of the problem
While this can be solved by working around bwrap as described above, this could potentially also be an issue with how bwrap creates new network namespaces from the one (usually the default one) it has been run in. This would need further investigation, though.
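
A way to confirm the bwrap observation above without strace, as an added example that is not part of the original report or of the itch code base: it walks the process tree below a given PID and lists every descendant whose network namespace differs from that PID's. The function names and the PROC_ROOT override are assumptions made for this example.

```sh
#!/bin/sh
# Added example: find descendants of a process that left its network namespace.
# PROC_ROOT is a hypothetical override so the walk can run against a test tree.
PROC_ROOT="${PROC_ROOT:-/proc}"

# Print the netns identifier of a PID, e.g. "net:[4026531992]".
# Reading the link for another user's process may require root.
netns_of() {
    readlink "$PROC_ROOT/$1/ns/net" 2>/dev/null
}

# Print the direct children of a PID by matching PPid in each status file.
children_of() {
    for status in "$PROC_ROOT"/[0-9]*/status; do
        [ -r "$status" ] || continue
        ppid=$(awk '/^PPid:/ {print $2}' "$status")
        if [ "$ppid" = "$1" ]; then
            pid=${status%/status}
            echo "${pid##*/}"
        fi
    done
}

# Recursive helper: $1 = PID to expand, $2 = reference netns identifier.
_walk() {
    for child in $(children_of "$1"); do
        child_ns=$(netns_of "$child") || child_ns=""
        if [ -n "$child_ns" ] && [ "$child_ns" != "$2" ]; then
            name=$(cat "$PROC_ROOT/$child/comm" 2>/dev/null) || name="?"
            echo "$child $name $child_ns"
        fi
        _walk "$child" "$2"
    done
}

# Print "PID COMM NETNS" for each descendant of $1 outside $1's netns.
# Returns 2 when the root PID's namespace cannot be read.
netns_drift() {
    root_ns=$(netns_of "$1") || return 2
    _walk "$1" "$root_ns"
}

if [ $# -gt 0 ]; then
    netns_drift "$1"
fi
```

Run it with the PID of the process that was started inside the custom namespace (for example via `ip netns exec`); any line of output names a child, such as a sandboxed one, that is no longer using that namespace's VPN interface.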