mirrors/opensnitch
1
0
Fork 0
mirror of https://github.com/evilsocket/opensnitch.git synced 2025-03-04 08:34:40 +01:00
Code Issues Projects Releases Packages Wiki Activity Actions 1
opensnitch/daemon/netlink/socket_linux.go

261 lines
6.7 KiB
Go
Raw Permalink Normal View History

Lookup inode and uid via netlink It has some advantages over parsing /proc, like performance and reliability.
2019-12-01 20:10:49 +01:00
package netlink
import (
reformatted netlink/ sources, fixed typo
2020-03-06 21:02:34 +01:00
"encoding/binary"
Lookup inode and uid via netlink It has some advantages over parsing /proc, like performance and reliability.
2019-12-01 20:10:49 +01:00
"errors"
"fmt"
"net"
Fixed and improved netlink communications Fixed invalid uid. Fixed/improved netlink sockets querying.
2020-02-12 22:52:24 +01:00
"syscall"
Lookup inode and uid via netlink It has some advantages over parsing /proc, like performance and reliability.
2019-12-01 20:10:49 +01:00
updated import paths
2020-12-09 18:18:42 +01:00
"github.com/evilsocket/opensnitch/daemon/log"
Lookup inode and uid via netlink It has some advantages over parsing /proc, like performance and reliability.
2019-12-01 20:10:49 +01:00
"github.com/vishvananda/netlink/nl"
)
netlink: de/serialize ipv6, dump socket list - De/Serialize IPv6 connections. - Added SocketsDump() to list all sockets currently in the kernel. - [proc details] Resolve all the sockets an application has opened and translate them to network data, e.g: ``` ls -l /proc/1234/fd/ 0 ... 25 -> socket[12345678] ``` to ``` 0 .... 25 -> socket[12345678] - 54321:10.0.2.2 -> github.com:443, state: established ```
2020-11-20 00:53:29 +01:00
// This is a modification of https://github.com/vishvananda/netlink socket_linux.go - Apache2.0 license
// which adds support for query UDP, UDPLITE and IPv6 sockets to SocketGet()
Lookup inode and uid via netlink It has some advantages over parsing /proc, like performance and reliability.
2019-12-01 20:10:49 +01:00
const (
added action reject When blocking a connection via libnetfilter-queue using NF_DROP the connection is discarded. If the blocked connection is a DNS query, the app that initiated it will wait until it times out, which is ~30s. This behaviour can for example cause slowdowns loading web pages: #481 This change adds the option to reject connections by killing the socket that initiated them. Denying: $ time telnet 1.1.1.1 22 Trying 1.1.1.1... telnet: Unable to connect to remote host: Connection timed out real 2m10,039s Rejecting: $ time telnet 1.1.1.1 22 Trying 1.1.1.1... telnet: Unable to connect to remote host: Software caused connection abort real 0m0,005s
2021-09-12 10:54:24 +02:00
SOCK_DESTROY = 21
Lookup inode and uid via netlink It has some advantages over parsing /proc, like performance and reliability.
2019-12-01 20:10:49 +01:00
sizeofSocketID = 0x30
sizeofSocketRequest = sizeofSocketID + 0x8
sizeofSocket = sizeofSocketID + 0x18
)
netlink: de/serialize ipv6, dump socket list - De/Serialize IPv6 connections. - Added SocketsDump() to list all sockets currently in the kernel. - [proc details] Resolve all the sockets an application has opened and translate them to network data, e.g: ``` ls -l /proc/1234/fd/ 0 ... 25 -> socket[12345678] ``` to ``` 0 .... 25 -> socket[12345678] - 54321:10.0.2.2 -> github.com:443, state: established ```
2020-11-20 00:53:29 +01:00
// https://elixir.bootlin.com/linux/latest/source/include/net/tcp_states.h
netlink: get active connections by source port + protocol - Dump connections from kernel querying by source port + protocol. - Prioritize responses which match the outgoing connection. - If we don't get any response, apply the default action configured in /etc/opensnitchd/default-config.json -- A connection can be considered unique if: protocol + source port + source ip + destination ip + destination port We can be quite sure that only one process has created the connection. However, many times, querying the kernel for the connection details by all these parameters results in no response. A regular query and normal response would be: query: TCP:47344:192.168.1.106 -> 151.101.65.140:443 response: 47344:192.168.1.106 -> 151.101.65.140:443, inode: 1234567, ... But in another cases, the details of the outgoing connection differs from the kernel response, or it even doesn't exist. However, if we query by protocol+source port, we can get more entries, and somewhat guess what program opened the outgoing connection. Some examples of querying by outgoing connection and response from kernel: query: 8612:192.168.1.5 -> 192.168.1.255:8612 response: 8612:192.168.1.105 -> 0.0.0.0:0 query: 123:192.168.1.5 -> 217.144.138.234:123 response: 123:0.0.0.0 -> 0.0.0.0:0 query: 45015:127.0.0.1 -> 239.255.255.250:1900 response: 45015:127.0.0.1 -> 0.0.0.0:0 query: 50416:fe80::9fc2:ddcf:df22:aa50 -> fe80::1:53 response: 50416:254.128.0.0 -> 254.128.0.0:53 query: 51413:192.168.1.106 -> 103.224.182.250:1337 response: 51413:0.0.0.0 -> 0.0.0.0:0
2020-04-05 19:14:51 +02:00
const (
netlink: de/serialize ipv6, dump socket list - De/Serialize IPv6 connections. - Added SocketsDump() to list all sockets currently in the kernel. - [proc details] Resolve all the sockets an application has opened and translate them to network data, e.g: ``` ls -l /proc/1234/fd/ 0 ... 25 -> socket[12345678] ``` to ``` 0 .... 25 -> socket[12345678] - 54321:10.0.2.2 -> github.com:443, state: established ```
2020-11-20 00:53:29 +01:00
TCP_INVALID = iota
TCP_ESTABLISHED
netlink: get active connections by source port + protocol - Dump connections from kernel querying by source port + protocol. - Prioritize responses which match the outgoing connection. - If we don't get any response, apply the default action configured in /etc/opensnitchd/default-config.json -- A connection can be considered unique if: protocol + source port + source ip + destination ip + destination port We can be quite sure that only one process has created the connection. However, many times, querying the kernel for the connection details by all these parameters results in no response. A regular query and normal response would be: query: TCP:47344:192.168.1.106 -> 151.101.65.140:443 response: 47344:192.168.1.106 -> 151.101.65.140:443, inode: 1234567, ... But in another cases, the details of the outgoing connection differs from the kernel response, or it even doesn't exist. However, if we query by protocol+source port, we can get more entries, and somewhat guess what program opened the outgoing connection. Some examples of querying by outgoing connection and response from kernel: query: 8612:192.168.1.5 -> 192.168.1.255:8612 response: 8612:192.168.1.105 -> 0.0.0.0:0 query: 123:192.168.1.5 -> 217.144.138.234:123 response: 123:0.0.0.0 -> 0.0.0.0:0 query: 45015:127.0.0.1 -> 239.255.255.250:1900 response: 45015:127.0.0.1 -> 0.0.0.0:0 query: 50416:fe80::9fc2:ddcf:df22:aa50 -> fe80::1:53 response: 50416:254.128.0.0 -> 254.128.0.0:53 query: 51413:192.168.1.106 -> 103.224.182.250:1337 response: 51413:0.0.0.0 -> 0.0.0.0:0
2020-04-05 19:14:51 +02:00
TCP_SYN_SENT
TCP_SYN_RECV
TCP_FIN_WAIT1
TCP_FIN_WAIT2
TCP_TIME_WAIT
TCP_CLOSE
TCP_CLOSE_WAIT
TCP_LAST_ACK
TCP_LISTEN
TCP_CLOSING
netlink/ improvements - Structs fields alignment fixed. - Dump more sockets via netlink, in order to display them with the SocketsMonitor task (netstat). - Fixed serializing netlink data: https://github.com/vishvananda/netlink/commit/d237ee16c31705b9e77496749b761a5199c02ad6#diff-f7f6108a60b107adfb0930f5f73a6ae229f9943bb01949d1f8f3e247f869b2abL59-L60
2025-01-22 00:16:17 +01:00
TCP_NEW_SYN_RECV
netlink: de/serialize ipv6, dump socket list - De/Serialize IPv6 connections. - Added SocketsDump() to list all sockets currently in the kernel. - [proc details] Resolve all the sockets an application has opened and translate them to network data, e.g: ``` ls -l /proc/1234/fd/ 0 ... 25 -> socket[12345678] ``` to ``` 0 .... 25 -> socket[12345678] - 54321:10.0.2.2 -> github.com:443, state: established ```
2020-11-20 00:53:29 +01:00
TCP_MAX_STATES
netlink: get active connections by source port + protocol - Dump connections from kernel querying by source port + protocol. - Prioritize responses which match the outgoing connection. - If we don't get any response, apply the default action configured in /etc/opensnitchd/default-config.json -- A connection can be considered unique if: protocol + source port + source ip + destination ip + destination port We can be quite sure that only one process has created the connection. However, many times, querying the kernel for the connection details by all these parameters results in no response. A regular query and normal response would be: query: TCP:47344:192.168.1.106 -> 151.101.65.140:443 response: 47344:192.168.1.106 -> 151.101.65.140:443, inode: 1234567, ... But in another cases, the details of the outgoing connection differs from the kernel response, or it even doesn't exist. However, if we query by protocol+source port, we can get more entries, and somewhat guess what program opened the outgoing connection. Some examples of querying by outgoing connection and response from kernel: query: 8612:192.168.1.5 -> 192.168.1.255:8612 response: 8612:192.168.1.105 -> 0.0.0.0:0 query: 123:192.168.1.5 -> 217.144.138.234:123 response: 123:0.0.0.0 -> 0.0.0.0:0 query: 45015:127.0.0.1 -> 239.255.255.250:1900 response: 45015:127.0.0.1 -> 0.0.0.0:0 query: 50416:fe80::9fc2:ddcf:df22:aa50 -> fe80::1:53 response: 50416:254.128.0.0 -> 254.128.0.0:53 query: 51413:192.168.1.106 -> 103.224.182.250:1337 response: 51413:0.0.0.0 -> 0.0.0.0:0
2020-04-05 19:14:51 +02:00
)
netlink/ more improvements - Fixed serializing netlink data: https://github.com/vishvananda/netlink/commit/d237ee16c31705b9e77496749b761a5199c02ad6#diff-f7f6108a60b107adfb0930f5f73a6ae229f9943bb01949d1f8f3e247f869b2abL59-L60 - misc.
2025-01-22 00:33:10 +01:00
var (
native = nl.NativeEndian()
networkOrder = binary.BigEndian
TCP_ALL = uint32(1<<TCP_ESTABLISHED | 1<<TCP_SYN_SENT | 1<<TCP_SYN_RECV | 1<<TCP_FIN_WAIT1 | 1<<TCP_FIN_WAIT2 | 1<<TCP_TIME_WAIT | 1<<TCP_CLOSE | 1<<TCP_CLOSE_WAIT | 1<<TCP_LAST_ACK | 1<<TCP_LISTEN | 1<<TCP_CLOSING | 1<<TCP_NEW_SYN_RECV | 0x2001)
)
netlink: get active connections by source port + protocol - Dump connections from kernel querying by source port + protocol. - Prioritize responses which match the outgoing connection. - If we don't get any response, apply the default action configured in /etc/opensnitchd/default-config.json -- A connection can be considered unique if: protocol + source port + source ip + destination ip + destination port We can be quite sure that only one process has created the connection. However, many times, querying the kernel for the connection details by all these parameters results in no response. A regular query and normal response would be: query: TCP:47344:192.168.1.106 -> 151.101.65.140:443 response: 47344:192.168.1.106 -> 151.101.65.140:443, inode: 1234567, ... But in another cases, the details of the outgoing connection differs from the kernel response, or it even doesn't exist. However, if we query by protocol+source port, we can get more entries, and somewhat guess what program opened the outgoing connection. Some examples of querying by outgoing connection and response from kernel: query: 8612:192.168.1.5 -> 192.168.1.255:8612 response: 8612:192.168.1.105 -> 0.0.0.0:0 query: 123:192.168.1.5 -> 217.144.138.234:123 response: 123:0.0.0.0 -> 0.0.0.0:0 query: 45015:127.0.0.1 -> 239.255.255.250:1900 response: 45015:127.0.0.1 -> 0.0.0.0:0 query: 50416:fe80::9fc2:ddcf:df22:aa50 -> fe80::1:53 response: 50416:254.128.0.0 -> 254.128.0.0:53 query: 51413:192.168.1.106 -> 103.224.182.250:1337 response: 51413:0.0.0.0 -> 0.0.0.0:0
2020-04-05 19:14:51 +02:00
// TCPStatesMap holds the list of TCP states
var TCPStatesMap = map[uint8]string{
netlink: de/serialize ipv6, dump socket list - De/Serialize IPv6 connections. - Added SocketsDump() to list all sockets currently in the kernel. - [proc details] Resolve all the sockets an application has opened and translate them to network data, e.g: ``` ls -l /proc/1234/fd/ 0 ... 25 -> socket[12345678] ``` to ``` 0 .... 25 -> socket[12345678] - 54321:10.0.2.2 -> github.com:443, state: established ```
2020-11-20 00:53:29 +01:00
TCP_INVALID: "invalid",
netlink: get active connections by source port + protocol - Dump connections from kernel querying by source port + protocol. - Prioritize responses which match the outgoing connection. - If we don't get any response, apply the default action configured in /etc/opensnitchd/default-config.json -- A connection can be considered unique if: protocol + source port + source ip + destination ip + destination port We can be quite sure that only one process has created the connection. However, many times, querying the kernel for the connection details by all these parameters results in no response. A regular query and normal response would be: query: TCP:47344:192.168.1.106 -> 151.101.65.140:443 response: 47344:192.168.1.106 -> 151.101.65.140:443, inode: 1234567, ... But in another cases, the details of the outgoing connection differs from the kernel response, or it even doesn't exist. However, if we query by protocol+source port, we can get more entries, and somewhat guess what program opened the outgoing connection. Some examples of querying by outgoing connection and response from kernel: query: 8612:192.168.1.5 -> 192.168.1.255:8612 response: 8612:192.168.1.105 -> 0.0.0.0:0 query: 123:192.168.1.5 -> 217.144.138.234:123 response: 123:0.0.0.0 -> 0.0.0.0:0 query: 45015:127.0.0.1 -> 239.255.255.250:1900 response: 45015:127.0.0.1 -> 0.0.0.0:0 query: 50416:fe80::9fc2:ddcf:df22:aa50 -> fe80::1:53 response: 50416:254.128.0.0 -> 254.128.0.0:53 query: 51413:192.168.1.106 -> 103.224.182.250:1337 response: 51413:0.0.0.0 -> 0.0.0.0:0
2020-04-05 19:14:51 +02:00
TCP_ESTABLISHED: "established",
TCP_SYN_SENT: "syn_sent",
TCP_SYN_RECV: "syn_recv",
TCP_FIN_WAIT1: "fin_wait1",
TCP_FIN_WAIT2: "fin_wait2",
TCP_TIME_WAIT: "time_wait",
TCP_CLOSE: "close",
TCP_CLOSE_WAIT: "close_wait",
TCP_LAST_ACK: "last_ack",
TCP_LISTEN: "listen",
TCP_CLOSING: "closing",
}
// SocketID holds the socket information of a request/response to the kernel
Lookup inode and uid via netlink It has some advantages over parsing /proc, like performance and reliability.
2019-12-01 20:10:49 +01:00
type SocketID struct {
Source net.IP
Destination net.IP
Cookie [2]uint32
netlink/ improvements - Structs fields alignment fixed. - Dump more sockets via netlink, in order to display them with the SocketsMonitor task (netstat). - Fixed serializing netlink data: https://github.com/vishvananda/netlink/commit/d237ee16c31705b9e77496749b761a5199c02ad6#diff-f7f6108a60b107adfb0930f5f73a6ae229f9943bb01949d1f8f3e247f869b2abL59-L60
2025-01-22 00:16:17 +01:00
Interface uint32
SourcePort uint16
DestinationPort uint16
Lookup inode and uid via netlink It has some advantages over parsing /proc, like performance and reliability.
2019-12-01 20:10:49 +01:00
}
// Socket represents a netlink socket.
type Socket struct {
ID SocketID
Expires uint32
RQueue uint32
WQueue uint32
reformatted netlink/ sources, fixed typo
2020-03-06 21:02:34 +01:00
UID uint32
Lookup inode and uid via netlink It has some advantages over parsing /proc, like performance and reliability.
2019-12-01 20:10:49 +01:00
INode uint32
netlink/ improvements - Structs fields alignment fixed. - Dump more sockets via netlink, in order to display them with the SocketsMonitor task (netstat). - Fixed serializing netlink data: https://github.com/vishvananda/netlink/commit/d237ee16c31705b9e77496749b761a5199c02ad6#diff-f7f6108a60b107adfb0930f5f73a6ae229f9943bb01949d1f8f3e247f869b2abL59-L60
2025-01-22 00:16:17 +01:00
Family uint8
State uint8
Timer uint8
Retrans uint8
Lookup inode and uid via netlink It has some advantages over parsing /proc, like performance and reliability.
2019-12-01 20:10:49 +01:00
}
netlink: get active connections by source port + protocol - Dump connections from kernel querying by source port + protocol. - Prioritize responses which match the outgoing connection. - If we don't get any response, apply the default action configured in /etc/opensnitchd/default-config.json -- A connection can be considered unique if: protocol + source port + source ip + destination ip + destination port We can be quite sure that only one process has created the connection. However, many times, querying the kernel for the connection details by all these parameters results in no response. A regular query and normal response would be: query: TCP:47344:192.168.1.106 -> 151.101.65.140:443 response: 47344:192.168.1.106 -> 151.101.65.140:443, inode: 1234567, ... But in another cases, the details of the outgoing connection differs from the kernel response, or it even doesn't exist. However, if we query by protocol+source port, we can get more entries, and somewhat guess what program opened the outgoing connection. Some examples of querying by outgoing connection and response from kernel: query: 8612:192.168.1.5 -> 192.168.1.255:8612 response: 8612:192.168.1.105 -> 0.0.0.0:0 query: 123:192.168.1.5 -> 217.144.138.234:123 response: 123:0.0.0.0 -> 0.0.0.0:0 query: 45015:127.0.0.1 -> 239.255.255.250:1900 response: 45015:127.0.0.1 -> 0.0.0.0:0 query: 50416:fe80::9fc2:ddcf:df22:aa50 -> fe80::1:53 response: 50416:254.128.0.0 -> 254.128.0.0:53 query: 51413:192.168.1.106 -> 103.224.182.250:1337 response: 51413:0.0.0.0 -> 0.0.0.0:0
2020-04-05 19:14:51 +02:00
// SocketRequest holds the request/response of a connection to the kernel
Fixed and improved netlink communications Fixed invalid uid. Fixed/improved netlink sockets querying.
2020-02-12 22:52:24 +01:00
type SocketRequest struct {
netlink/ improvements - Structs fields alignment fixed. - Dump more sockets via netlink, in order to display them with the SocketsMonitor task (netstat). - Fixed serializing netlink data: https://github.com/vishvananda/netlink/commit/d237ee16c31705b9e77496749b761a5199c02ad6#diff-f7f6108a60b107adfb0930f5f73a6ae229f9943bb01949d1f8f3e247f869b2abL59-L60
2025-01-22 00:16:17 +01:00
ID SocketID
States uint32
Lookup inode and uid via netlink It has some advantages over parsing /proc, like performance and reliability.
2019-12-01 20:10:49 +01:00
Family uint8
Protocol uint8
Ext uint8
pad uint8
}
type writeBuffer struct {
Bytes []byte
pos int
}
func (b *writeBuffer) Write(c byte) {
b.Bytes[b.pos] = c
b.pos++
}
func (b *writeBuffer) Next(n int) []byte {
s := b.Bytes[b.pos : b.pos+n]
b.pos += n
return s
}
netlink: get active connections by source port + protocol - Dump connections from kernel querying by source port + protocol. - Prioritize responses which match the outgoing connection. - If we don't get any response, apply the default action configured in /etc/opensnitchd/default-config.json -- A connection can be considered unique if: protocol + source port + source ip + destination ip + destination port We can be quite sure that only one process has created the connection. However, many times, querying the kernel for the connection details by all these parameters results in no response. A regular query and normal response would be: query: TCP:47344:192.168.1.106 -> 151.101.65.140:443 response: 47344:192.168.1.106 -> 151.101.65.140:443, inode: 1234567, ... But in another cases, the details of the outgoing connection differs from the kernel response, or it even doesn't exist. However, if we query by protocol+source port, we can get more entries, and somewhat guess what program opened the outgoing connection. Some examples of querying by outgoing connection and response from kernel: query: 8612:192.168.1.5 -> 192.168.1.255:8612 response: 8612:192.168.1.105 -> 0.0.0.0:0 query: 123:192.168.1.5 -> 217.144.138.234:123 response: 123:0.0.0.0 -> 0.0.0.0:0 query: 45015:127.0.0.1 -> 239.255.255.250:1900 response: 45015:127.0.0.1 -> 0.0.0.0:0 query: 50416:fe80::9fc2:ddcf:df22:aa50 -> fe80::1:53 response: 50416:254.128.0.0 -> 254.128.0.0:53 query: 51413:192.168.1.106 -> 103.224.182.250:1337 response: 51413:0.0.0.0 -> 0.0.0.0:0
2020-04-05 19:14:51 +02:00
// Serialize convert SocketRequest struct to bytes.
Fixed and improved netlink communications Fixed invalid uid. Fixed/improved netlink sockets querying.
2020-02-12 22:52:24 +01:00
func (r *SocketRequest) Serialize() []byte {
Lookup inode and uid via netlink It has some advantages over parsing /proc, like performance and reliability.
2019-12-01 20:10:49 +01:00
b := writeBuffer{Bytes: make([]byte, sizeofSocketRequest)}
b.Write(r.Family)
b.Write(r.Protocol)
b.Write(r.Ext)
b.Write(r.pad)
native.PutUint32(b.Next(4), r.States)
networkOrder.PutUint16(b.Next(2), r.ID.SourcePort)
networkOrder.PutUint16(b.Next(2), r.ID.DestinationPort)
netlink: de/serialize ipv6, dump socket list - De/Serialize IPv6 connections. - Added SocketsDump() to list all sockets currently in the kernel. - [proc details] Resolve all the sockets an application has opened and translate them to network data, e.g: ``` ls -l /proc/1234/fd/ 0 ... 25 -> socket[12345678] ``` to ``` 0 .... 25 -> socket[12345678] - 54321:10.0.2.2 -> github.com:443, state: established ```
2020-11-20 00:53:29 +01:00
if r.Family == syscall.AF_INET6 {
copy(b.Next(16), r.ID.Source)
copy(b.Next(16), r.ID.Destination)
} else {
netlink/ more improvements - Fixed serializing netlink data: https://github.com/vishvananda/netlink/commit/d237ee16c31705b9e77496749b761a5199c02ad6#diff-f7f6108a60b107adfb0930f5f73a6ae229f9943bb01949d1f8f3e247f869b2abL59-L60 - misc.
2025-01-22 00:33:10 +01:00
copy(b.Next(16), r.ID.Source.To4())
copy(b.Next(16), r.ID.Destination.To4())
netlink: de/serialize ipv6, dump socket list - De/Serialize IPv6 connections. - Added SocketsDump() to list all sockets currently in the kernel. - [proc details] Resolve all the sockets an application has opened and translate them to network data, e.g: ``` ls -l /proc/1234/fd/ 0 ... 25 -> socket[12345678] ``` to ``` 0 .... 25 -> socket[12345678] - 54321:10.0.2.2 -> github.com:443, state: established ```
2020-11-20 00:53:29 +01:00
}
Lookup inode and uid via netlink It has some advantages over parsing /proc, like performance and reliability.
2019-12-01 20:10:49 +01:00
native.PutUint32(b.Next(4), r.ID.Interface)
native.PutUint32(b.Next(4), r.ID.Cookie[0])
native.PutUint32(b.Next(4), r.ID.Cookie[1])
return b.Bytes
}
netlink: get active connections by source port + protocol - Dump connections from kernel querying by source port + protocol. - Prioritize responses which match the outgoing connection. - If we don't get any response, apply the default action configured in /etc/opensnitchd/default-config.json -- A connection can be considered unique if: protocol + source port + source ip + destination ip + destination port We can be quite sure that only one process has created the connection. However, many times, querying the kernel for the connection details by all these parameters results in no response. A regular query and normal response would be: query: TCP:47344:192.168.1.106 -> 151.101.65.140:443 response: 47344:192.168.1.106 -> 151.101.65.140:443, inode: 1234567, ... But in another cases, the details of the outgoing connection differs from the kernel response, or it even doesn't exist. However, if we query by protocol+source port, we can get more entries, and somewhat guess what program opened the outgoing connection. Some examples of querying by outgoing connection and response from kernel: query: 8612:192.168.1.5 -> 192.168.1.255:8612 response: 8612:192.168.1.105 -> 0.0.0.0:0 query: 123:192.168.1.5 -> 217.144.138.234:123 response: 123:0.0.0.0 -> 0.0.0.0:0 query: 45015:127.0.0.1 -> 239.255.255.250:1900 response: 45015:127.0.0.1 -> 0.0.0.0:0 query: 50416:fe80::9fc2:ddcf:df22:aa50 -> fe80::1:53 response: 50416:254.128.0.0 -> 254.128.0.0:53 query: 51413:192.168.1.106 -> 103.224.182.250:1337 response: 51413:0.0.0.0 -> 0.0.0.0:0
2020-04-05 19:14:51 +02:00
// Len returns the size of a socket request
Fixed and improved netlink communications Fixed invalid uid. Fixed/improved netlink sockets querying.
2020-02-12 22:52:24 +01:00
func (r *SocketRequest) Len() int { return sizeofSocketRequest }
Lookup inode and uid via netlink It has some advantages over parsing /proc, like performance and reliability.
2019-12-01 20:10:49 +01:00
type readBuffer struct {
Bytes []byte
pos int
}
func (b *readBuffer) Read() byte {
c := b.Bytes[b.pos]
b.pos++
return c
}
func (b *readBuffer) Next(n int) []byte {
s := b.Bytes[b.pos : b.pos+n]
b.pos += n
return s
}
func (s *Socket) deserialize(b []byte) error {
if len(b) < sizeofSocket {
return fmt.Errorf("socket data short read (%d); want %d", len(b), sizeofSocket)
}
rb := readBuffer{Bytes: b}
s.Family = rb.Read()
s.State = rb.Read()
s.Timer = rb.Read()
s.Retrans = rb.Read()
s.ID.SourcePort = networkOrder.Uint16(rb.Next(2))
s.ID.DestinationPort = networkOrder.Uint16(rb.Next(2))
netlink: de/serialize ipv6, dump socket list - De/Serialize IPv6 connections. - Added SocketsDump() to list all sockets currently in the kernel. - [proc details] Resolve all the sockets an application has opened and translate them to network data, e.g: ``` ls -l /proc/1234/fd/ 0 ... 25 -> socket[12345678] ``` to ``` 0 .... 25 -> socket[12345678] - 54321:10.0.2.2 -> github.com:443, state: established ```
2020-11-20 00:53:29 +01:00
if s.Family == syscall.AF_INET6 {
s.ID.Source = net.IP(rb.Next(16))
s.ID.Destination = net.IP(rb.Next(16))
} else {
s.ID.Source = net.IPv4(rb.Read(), rb.Read(), rb.Read(), rb.Read())
rb.Next(12)
s.ID.Destination = net.IPv4(rb.Read(), rb.Read(), rb.Read(), rb.Read())
rb.Next(12)
}
Lookup inode and uid via netlink It has some advantages over parsing /proc, like performance and reliability.
2019-12-01 20:10:49 +01:00
s.ID.Interface = native.Uint32(rb.Next(4))
s.ID.Cookie[0] = native.Uint32(rb.Next(4))
s.ID.Cookie[1] = native.Uint32(rb.Next(4))
s.Expires = native.Uint32(rb.Next(4))
s.RQueue = native.Uint32(rb.Next(4))
s.WQueue = native.Uint32(rb.Next(4))
s.UID = native.Uint32(rb.Next(4))
s.INode = native.Uint32(rb.Next(4))
return nil
}
added action reject When blocking a connection via libnetfilter-queue using NF_DROP the connection is discarded. If the blocked connection is a DNS query, the app that initiated it will wait until it times out, which is ~30s. This behaviour can for example cause slowdowns loading web pages: #481 This change adds the option to reject connections by killing the socket that initiated them. Denying: $ time telnet 1.1.1.1 22 Trying 1.1.1.1... telnet: Unable to connect to remote host: Connection timed out real 2m10,039s Rejecting: $ time telnet 1.1.1.1 22 Trying 1.1.1.1... telnet: Unable to connect to remote host: Software caused connection abort real 0m0,005s
2021-09-12 10:54:24 +02:00
// SocketKill kills a connection
force to reestablish non-local connections on start When we start to intercept connections, we flush out the conntrack table, to force already established connections reconnect again so we can intercept them, and let the user choose if allow or deny them. Since we no longer use conntrack states to intercept TCP connections, we now close existing connections, leaving to the applications reestablish them again. Local connections are excluded, because it may cause problems with some local servers. Both options interfere with the established connections, so you may experience ocasional network interruptions when enabling the interception for the first time. Discussion: #995
2023-07-25 01:42:54 +02:00
func SocketKill(family, proto uint8, sockID SocketID) error {
added action reject When blocking a connection via libnetfilter-queue using NF_DROP the connection is discarded. If the blocked connection is a DNS query, the app that initiated it will wait until it times out, which is ~30s. This behaviour can for example cause slowdowns loading web pages: #481 This change adds the option to reject connections by killing the socket that initiated them. Denying: $ time telnet 1.1.1.1 22 Trying 1.1.1.1... telnet: Unable to connect to remote host: Connection timed out real 2m10,039s Rejecting: $ time telnet 1.1.1.1 22 Trying 1.1.1.1... telnet: Unable to connect to remote host: Software caused connection abort real 0m0,005s
2021-09-12 10:54:24 +02:00
sockReq := &SocketRequest{
Family: family,
Protocol: proto,
ID: sockID,
}
req := nl.NewNetlinkRequest(SOCK_DESTROY, syscall.NLM_F_REQUEST|syscall.NLM_F_ACK)
req.AddData(sockReq)
_, err := req.Execute(syscall.NETLINK_INET_DIAG, 0)
if err != nil {
return err
}
return nil
}
netlink: get active connections by source port + protocol - Dump connections from kernel querying by source port + protocol. - Prioritize responses which match the outgoing connection. - If we don't get any response, apply the default action configured in /etc/opensnitchd/default-config.json -- A connection can be considered unique if: protocol + source port + source ip + destination ip + destination port We can be quite sure that only one process has created the connection. However, many times, querying the kernel for the connection details by all these parameters results in no response. A regular query and normal response would be: query: TCP:47344:192.168.1.106 -> 151.101.65.140:443 response: 47344:192.168.1.106 -> 151.101.65.140:443, inode: 1234567, ... But in another cases, the details of the outgoing connection differs from the kernel response, or it even doesn't exist. However, if we query by protocol+source port, we can get more entries, and somewhat guess what program opened the outgoing connection. Some examples of querying by outgoing connection and response from kernel: query: 8612:192.168.1.5 -> 192.168.1.255:8612 response: 8612:192.168.1.105 -> 0.0.0.0:0 query: 123:192.168.1.5 -> 217.144.138.234:123 response: 123:0.0.0.0 -> 0.0.0.0:0 query: 45015:127.0.0.1 -> 239.255.255.250:1900 response: 45015:127.0.0.1 -> 0.0.0.0:0 query: 50416:fe80::9fc2:ddcf:df22:aa50 -> fe80::1:53 response: 50416:254.128.0.0 -> 254.128.0.0:53 query: 51413:192.168.1.106 -> 103.224.182.250:1337 response: 51413:0.0.0.0 -> 0.0.0.0:0
2020-04-05 19:14:51 +02:00
// SocketGet returns the list of active connections in the kernel
// filtered by several fields. Currently it returns connections
// filtered by source port and protocol.
func SocketGet(family uint8, proto uint8, srcPort, dstPort uint16, local, remote net.IP) ([]*Socket, error) {
reformatted netlink/ sources, fixed typo
2020-03-06 21:02:34 +01:00
_Id := SocketID{
netlink: get active connections by source port + protocol - Dump connections from kernel querying by source port + protocol. - Prioritize responses which match the outgoing connection. - If we don't get any response, apply the default action configured in /etc/opensnitchd/default-config.json -- A connection can be considered unique if: protocol + source port + source ip + destination ip + destination port We can be quite sure that only one process has created the connection. However, many times, querying the kernel for the connection details by all these parameters results in no response. A regular query and normal response would be: query: TCP:47344:192.168.1.106 -> 151.101.65.140:443 response: 47344:192.168.1.106 -> 151.101.65.140:443, inode: 1234567, ... But in another cases, the details of the outgoing connection differs from the kernel response, or it even doesn't exist. However, if we query by protocol+source port, we can get more entries, and somewhat guess what program opened the outgoing connection. Some examples of querying by outgoing connection and response from kernel: query: 8612:192.168.1.5 -> 192.168.1.255:8612 response: 8612:192.168.1.105 -> 0.0.0.0:0 query: 123:192.168.1.5 -> 217.144.138.234:123 response: 123:0.0.0.0 -> 0.0.0.0:0 query: 45015:127.0.0.1 -> 239.255.255.250:1900 response: 45015:127.0.0.1 -> 0.0.0.0:0 query: 50416:fe80::9fc2:ddcf:df22:aa50 -> fe80::1:53 response: 50416:254.128.0.0 -> 254.128.0.0:53 query: 51413:192.168.1.106 -> 103.224.182.250:1337 response: 51413:0.0.0.0 -> 0.0.0.0:0
2020-04-05 19:14:51 +02:00
SourcePort: srcPort,
Cookie: [2]uint32{nl.TCPDIAG_NOCOOKIE, nl.TCPDIAG_NOCOOKIE},
Added netlink IPv6 uid/inode lookup support
2019-12-02 23:53:41 +01:00
}
netlink: get active connections by source port + protocol - Dump connections from kernel querying by source port + protocol. - Prioritize responses which match the outgoing connection. - If we don't get any response, apply the default action configured in /etc/opensnitchd/default-config.json -- A connection can be considered unique if: protocol + source port + source ip + destination ip + destination port We can be quite sure that only one process has created the connection. However, many times, querying the kernel for the connection details by all these parameters results in no response. A regular query and normal response would be: query: TCP:47344:192.168.1.106 -> 151.101.65.140:443 response: 47344:192.168.1.106 -> 151.101.65.140:443, inode: 1234567, ... But in another cases, the details of the outgoing connection differs from the kernel response, or it even doesn't exist. However, if we query by protocol+source port, we can get more entries, and somewhat guess what program opened the outgoing connection. Some examples of querying by outgoing connection and response from kernel: query: 8612:192.168.1.5 -> 192.168.1.255:8612 response: 8612:192.168.1.105 -> 0.0.0.0:0 query: 123:192.168.1.5 -> 217.144.138.234:123 response: 123:0.0.0.0 -> 0.0.0.0:0 query: 45015:127.0.0.1 -> 239.255.255.250:1900 response: 45015:127.0.0.1 -> 0.0.0.0:0 query: 50416:fe80::9fc2:ddcf:df22:aa50 -> fe80::1:53 response: 50416:254.128.0.0 -> 254.128.0.0:53 query: 51413:192.168.1.106 -> 103.224.182.250:1337 response: 51413:0.0.0.0 -> 0.0.0.0:0
2020-04-05 19:14:51 +02:00
netlink: fixed connections querying also code simplified.
2020-02-18 02:05:15 +01:00
sockReq := &SocketRequest{
Lookup inode and uid via netlink It has some advantages over parsing /proc, like performance and reliability.
2019-12-01 20:10:49 +01:00
Family: family,
Protocol: proto,
Fixed errors Typos were made.
2020-02-13 23:19:15 +01:00
States: TCP_ALL,
reformatted netlink/ sources, fixed typo
2020-03-06 21:02:34 +01:00
ID: _Id,
netlink: fixed connections querying also code simplified.
2020-02-18 02:05:15 +01:00
}
netlink: de/serialize ipv6, dump socket list - De/Serialize IPv6 connections. - Added SocketsDump() to list all sockets currently in the kernel. - [proc details] Resolve all the sockets an application has opened and translate them to network data, e.g: ``` ls -l /proc/1234/fd/ 0 ... 25 -> socket[12345678] ``` to ``` 0 .... 25 -> socket[12345678] - 54321:10.0.2.2 -> github.com:443, state: established ```
2020-11-20 00:53:29 +01:00
return netlinkRequest(sockReq, family, proto, srcPort, dstPort, local, remote)
}
// SocketsDump returns the list of all connections from the kernel
func SocketsDump(family uint8, proto uint8) ([]*Socket, error) {
sockReq := &SocketRequest{
Family: family,
Protocol: proto,
States: TCP_ALL,
}
netlink/ more improvements - Fixed serializing netlink data: https://github.com/vishvananda/netlink/commit/d237ee16c31705b9e77496749b761a5199c02ad6#diff-f7f6108a60b107adfb0930f5f73a6ae229f9943bb01949d1f8f3e247f869b2abL59-L60 - misc.
2025-01-22 00:33:10 +01:00
return netlinkRequest(sockReq, family, proto, 0, 0, nil, nil)
netlink: de/serialize ipv6, dump socket list - De/Serialize IPv6 connections. - Added SocketsDump() to list all sockets currently in the kernel. - [proc details] Resolve all the sockets an application has opened and translate them to network data, e.g: ``` ls -l /proc/1234/fd/ 0 ... 25 -> socket[12345678] ``` to ``` 0 .... 25 -> socket[12345678] - 54321:10.0.2.2 -> github.com:443, state: established ```
2020-11-20 00:53:29 +01:00
}
func netlinkRequest(sockReq *SocketRequest, family uint8, proto uint8, srcPort, dstPort uint16, local, remote net.IP) ([]*Socket, error) {
netlink/ more improvements - Fixed serializing netlink data: https://github.com/vishvananda/netlink/commit/d237ee16c31705b9e77496749b761a5199c02ad6#diff-f7f6108a60b107adfb0930f5f73a6ae229f9943bb01949d1f8f3e247f869b2abL59-L60 - misc.
2025-01-22 00:33:10 +01:00
req := nl.NewNetlinkRequest(nl.SOCK_DIAG_BY_FAMILY, syscall.NLM_F_REQUEST|syscall.NLM_F_DUMP)
netlink: fixed connections querying also code simplified.
2020-02-18 02:05:15 +01:00
req.AddData(sockReq)
Fixed and improved netlink communications Fixed invalid uid. Fixed/improved netlink sockets querying.
2020-02-12 22:52:24 +01:00
msgs, err := req.Execute(syscall.NETLINK_INET_DIAG, 0)
Lookup inode and uid via netlink It has some advantages over parsing /proc, like performance and reliability.
2019-12-01 20:10:49 +01:00
if err != nil {
return nil, err
}
if len(msgs) == 0 {
eBPF: ignore netlink errors if there're no connections When enabling the eBPF monitor method we dump the active connections, but in some cases there're no active connections, and because of this we're failing enabling this monitor method. If there're no connections established, netlink returns 0 entries. It's not clear if it's an indication of error in some cases or the expected result. Either way: - fail only if we're unable to load the eBPF module. - dump TCP IPv6 connections only if IPv6 is enabled in the syste,-
2021-05-29 00:16:18 +02:00
return nil, errors.New("Warning, no message nor error from netlink, or no connections found")
Lookup inode and uid via netlink It has some advantages over parsing /proc, like performance and reliability.
2019-12-01 20:10:49 +01:00
}
netlink/ improvements - Structs fields alignment fixed. - Dump more sockets via netlink, in order to display them with the SocketsMonitor task (netstat). - Fixed serializing netlink data: https://github.com/vishvananda/netlink/commit/d237ee16c31705b9e77496749b761a5199c02ad6#diff-f7f6108a60b107adfb0930f5f73a6ae229f9943bb01949d1f8f3e247f869b2abL59-L60
2025-01-22 00:16:17 +01:00
sock := make([]*Socket, len(msgs))
netlink: get active connections by source port + protocol - Dump connections from kernel querying by source port + protocol. - Prioritize responses which match the outgoing connection. - If we don't get any response, apply the default action configured in /etc/opensnitchd/default-config.json -- A connection can be considered unique if: protocol + source port + source ip + destination ip + destination port We can be quite sure that only one process has created the connection. However, many times, querying the kernel for the connection details by all these parameters results in no response. A regular query and normal response would be: query: TCP:47344:192.168.1.106 -> 151.101.65.140:443 response: 47344:192.168.1.106 -> 151.101.65.140:443, inode: 1234567, ... But in another cases, the details of the outgoing connection differs from the kernel response, or it even doesn't exist. However, if we query by protocol+source port, we can get more entries, and somewhat guess what program opened the outgoing connection. Some examples of querying by outgoing connection and response from kernel: query: 8612:192.168.1.5 -> 192.168.1.255:8612 response: 8612:192.168.1.105 -> 0.0.0.0:0 query: 123:192.168.1.5 -> 217.144.138.234:123 response: 123:0.0.0.0 -> 0.0.0.0:0 query: 45015:127.0.0.1 -> 239.255.255.250:1900 response: 45015:127.0.0.1 -> 0.0.0.0:0 query: 50416:fe80::9fc2:ddcf:df22:aa50 -> fe80::1:53 response: 50416:254.128.0.0 -> 254.128.0.0:53 query: 51413:192.168.1.106 -> 103.224.182.250:1337 response: 51413:0.0.0.0 -> 0.0.0.0:0
2020-04-05 19:14:51 +02:00
for n, m := range msgs {
s := &Socket{}
if err = s.deserialize(m); err != nil {
log.Error("[%d] netlink socket error: %s, %d:%v -> %v:%d - %d:%v -> %v:%d",
n, TCPStatesMap[s.State],
srcPort, local, remote, dstPort,
s.ID.SourcePort, s.ID.Source, s.ID.Destination, s.ID.DestinationPort)
continue
}
netlink/ improvements - Structs fields alignment fixed. - Dump more sockets via netlink, in order to display them with the SocketsMonitor task (netstat). - Fixed serializing netlink data: https://github.com/vishvananda/netlink/commit/d237ee16c31705b9e77496749b761a5199c02ad6#diff-f7f6108a60b107adfb0930f5f73a6ae229f9943bb01949d1f8f3e247f869b2abL59-L60
2025-01-22 00:16:17 +01:00
// INode can be zero for some connections states, like TCP_FIN_WAT, TCP_TIME_WAIT, etc.
// so don't exclude those entries, in order to get all sockets.
sock[n] = s
Lookup inode and uid via netlink It has some advantages over parsing /proc, like performance and reliability.
2019-12-01 20:10:49 +01:00
}
netlink: get active connections by source port + protocol - Dump connections from kernel querying by source port + protocol. - Prioritize responses which match the outgoing connection. - If we don't get any response, apply the default action configured in /etc/opensnitchd/default-config.json -- A connection can be considered unique if: protocol + source port + source ip + destination ip + destination port We can be quite sure that only one process has created the connection. However, many times, querying the kernel for the connection details by all these parameters results in no response. A regular query and normal response would be: query: TCP:47344:192.168.1.106 -> 151.101.65.140:443 response: 47344:192.168.1.106 -> 151.101.65.140:443, inode: 1234567, ... But in another cases, the details of the outgoing connection differs from the kernel response, or it even doesn't exist. However, if we query by protocol+source port, we can get more entries, and somewhat guess what program opened the outgoing connection. Some examples of querying by outgoing connection and response from kernel: query: 8612:192.168.1.5 -> 192.168.1.255:8612 response: 8612:192.168.1.105 -> 0.0.0.0:0 query: 123:192.168.1.5 -> 217.144.138.234:123 response: 123:0.0.0.0 -> 0.0.0.0:0 query: 45015:127.0.0.1 -> 239.255.255.250:1900 response: 45015:127.0.0.1 -> 0.0.0.0:0 query: 50416:fe80::9fc2:ddcf:df22:aa50 -> fe80::1:53 response: 50416:254.128.0.0 -> 254.128.0.0:53 query: 51413:192.168.1.106 -> 103.224.182.250:1337 response: 51413:0.0.0.0 -> 0.0.0.0:0
2020-04-05 19:14:51 +02:00
return sock, err
Lookup inode and uid via netlink It has some advantages over parsing /proc, like performance and reliability.
2019-12-01 20:10:49 +01:00
}
Reference in a new issue Copy permalink