mirrors/opensnitch
1
0
Fork 0
mirror of https://github.com/evilsocket/opensnitch.git synced 2025-03-04 08:34:40 +01:00
Code Issues Projects Releases Packages Wiki Activity Actions 1
opensnitch/daemon/ui/client.go

379 lines
9.4 KiB
Go
Raw Normal View History

misc: small fix or general refactoring i did not bother commenting
2018-04-02 05:25:32 +02:00
package ui
import (
added ui ping/pong
2018-04-02 18:26:04 +02:00
"fmt"
misc: small fix or general refactoring i did not bother commenting
2018-04-02 05:25:32 +02:00
"net"
"sync"
"time"
updated import paths
2020-12-09 18:18:42 +01:00
"github.com/evilsocket/opensnitch/daemon/conman"
allow to configure what firewall to use Before this change, we tried to determine what firewall to use based on the version of iptables (if -V legacy -> nftables, otherwise iptables). This caused problems (#455), and as there's no support yet for nftables system firewall rules, it can't be configured to workaround these errors. Now the default firewall to use will be iptables. If it's not available (installed), can't be used or the configuration option is empty/missing, we'll use nftables.
2021-08-09 00:21:43 +02:00
"github.com/evilsocket/opensnitch/daemon/firewall/iptables"
updated import paths
2020-12-09 18:18:42 +01:00
"github.com/evilsocket/opensnitch/daemon/log"
added way to send events to syslog Now you can send events to syslog, local or remote. This feature was requested here #638 This feature allows you to integrate opensnitch with your SIEM. Take a look at the above discussion to see examples with syslog-ng+promtail+loki+grafana. There's only one logger implemented (syslog), but it should be easily expandable to add more type of loggers (elastic, etc). The event format can be CSV or RFC5424. It sould also be easy to add more formats. - Allow to configure stats workers. They were hardcoded to 4.
2022-05-17 16:15:40 +02:00
"github.com/evilsocket/opensnitch/daemon/log/loggers"
allow to filter connections by process checksum Now you can create rules to filter processes by checksum. Only md5 is available at the moment. There's a global configuration option that you can use to enable or disable this feature, from the config file or from the Preferences dialog. As part of this feature there have been more changes: - New proc monitor method (PROCESS CONNECTOR) that listens for exec/exit events from the kernel. This feature depends on CONFIG_PROC_EVENTS kernel option. - Only one cache of active processes for ebpf and proc monitor methods. More info and details: #413.
2023-09-22 00:36:26 +02:00
"github.com/evilsocket/opensnitch/daemon/procmon"
updated import paths
2020-12-09 18:18:42 +01:00
"github.com/evilsocket/opensnitch/daemon/rule"
"github.com/evilsocket/opensnitch/daemon/statistics"
introducing daemon tasks daemon tasks are actions that are executed in background by the daemon. They're started from the GUI (server) via a Notification (protobuf), with the type TASK_START (protobuf). Once received in the daemon, the TaskManager starts the task in background. Tasks may run at interval times (every 5s, 2days, etc), until they finish an operation, until a timeout, etc. Each task has each own configuration options, which will customize the behaviour of its operations. In this version, if the GUI is closed, the daemon will stop all the running tasks. Each Task has a flag to ignore this behaviour, for example if they need to run until they finish and only send a notification to the GUI, instead of streaming data continuously to the GUI (server). - Up until now we only had one task that could be initiated from the GUI: the process monitor dialog. It has been migrated to a Task{}. - go.mod bumped to v1.20, to use unsafe string functions. - go.sum updated accordingly.
2024-09-25 01:00:38 +02:00
"github.com/evilsocket/opensnitch/daemon/tasks"
added option to secure channel communications Allow to cypher channel communications with certificates. There are 3 authentication types: simple, tls-simple and tls-mutual. - 'simple' wont't cypher communications. - 'tls-simple' uses a server key and certificate for the server, and a common CA certificate or the server certificate to authenticate all nodes. - 'tls-mutual' uses a server key and certificate for the server, and a client key and certificate per node. There are 2 options to verify how gRPC validates credentials: - SkipVerify: https://pkg.go.dev/crypto/tls#Config - ClientAuthType: https://pkg.go.dev/crypto/tls#ClientAuthType Example configuration: "Server": { "Address": "127.0.0.1:12345", "Authentication": { "Type": "tls-simple", "TLSOptions": { "CACert": "/etc/opensnitchd/auth/ca-cert.pem", "ServerCert": "/etc/opensnitchd/auth/server-cert.pem", "ClientCert": "/etc/opensnitchd/auth/client-cert.pem", "ClientKey": "/etc/opensnitchd/auth/client-key.pem", "SkipVerify": false, "ClientAuthType": "req-and-verify-cert" } } } More info: https://github.com/evilsocket/opensnitch/wiki/Nodes
2023-06-23 16:51:36 +02:00
"github.com/evilsocket/opensnitch/daemon/ui/auth"
"github.com/evilsocket/opensnitch/daemon/ui/config"
updated import paths
2020-12-09 18:18:42 +01:00
"github.com/evilsocket/opensnitch/daemon/ui/protocol"
misc: small fix or general refactoring i did not bother commenting
2018-04-02 18:11:36 +02:00
allow to configure unknown conns interception /etc/opensnitchd/default-config.json can now contain "intercept_unknown": true|false
2019-11-01 01:00:10 +01:00
"github.com/fsnotify/fsnotify"
Allow to change settings from the UI (1/2) We start receiving notifications from the UI, which allow us to change configurations and perform actions on the daemon. The concept of Node has also been introduced, which identifies every daemon (client) connected to the UI (server). These options has been added: - Enable/Disable firewall interception (for all nodes) - Change daemons (clients) configuration. globally or per node. - Change prompt dialog options. We have fixed some bugs along the way: - Close audit client connection gracefully. - Exclude our own connections from being intercepted. - Better handling of client connection status with the UI. We probably has also introduced some other bugs (not listed here).
2020-04-19 20:13:31 +02:00
"golang.org/x/net/context"
misc: small fix or general refactoring i did not bother commenting
2018-04-02 05:25:32 +02:00
"google.golang.org/grpc"
misc: small fix or general refactoring i did not bother commenting
2018-04-02 18:11:36 +02:00
"google.golang.org/grpc/connectivity"
improved nodes connectivity handling problem: - after losing network connectivity node<->server, the node didn't restore the connection. In reality, the connection with the server was not closed, but the notifications channel was closed due to inactivity after 20s. set inactivity timeouts to 20s on both node and server. Previous timeouts were 2h for the main connection and 20s for the streaming channels (notifications). - get rid of the logic to determine if the server is alive or not based on sending pings. Instead, use the connection events when a node connects/disconnects (Subscribe). The Ping call is still used to send the statistics. other: - fixed exception when updating the status of a node.
2021-04-11 20:55:14 +02:00
"google.golang.org/grpc/keepalive"
misc: small fix or general refactoring i did not bother commenting
2018-04-02 05:25:32 +02:00
)
support rules with type=regexp (closes #127)
2018-04-07 13:52:25 +02:00
var (
allow to configure process monitor method in daemon config Added ProcMonitorMethod, which can be "proc", "ftrace" or "audit". Parameters passed by command line take prevalence over default configuration. breaking changes: config options changed from xx_yy to XxYy. Config example: { "DefaultAction": "allow", "DefaultDuration": "once", "InterceptUnknown": true, "ProcMonitorMethod": "audit" }
2020-03-16 01:37:33 +01:00
configFile = "/etc/opensnitchd/default-config.json"
added option to set priority on the rules If a rule has the priority flag set, no others rules will be checked. So if you name the rule as 000-allow-xx and set the priority flag, the rule wil lbe the only one that will be checked if it matches a connection. See #36 to know more on this feature.
2020-10-23 00:02:16 +02:00
dummyOperator, _ = rule.NewOperator(rule.Simple, false, rule.OpTrue, "", make([]rule.Operator, 0))
ui,rules: added option to exclude connection events New option to exclude connections from being logged. Closes #691
2022-07-04 11:14:26 +02:00
clientDisconnectedRule = rule.Create("ui.client.disconnected", "", true, false, false, rule.Allow, rule.Once, dummyOperator)
drop connections while a pop-up is running Prior to v1.4.x versions, when a pop-up asked the user to allow or deny a connection, the rest of the network traffic was dropped until an action was taken. We fixed it, but when a pop-up was asking to allow or deny a new connection, we let it passing by if the daemon's DefaultAction option was set to allow, even if the user hadn't taken an action on it yet. It also caused some confusion if the users had configured the pop-up's DefaultAction to deny, they were expecting to not allow the connection until they had decided what to do. Now the previous behaviour has been restored, having these usage scenarios: - If the GUI is connected + daemon DefaultAction set to allow or deny. Result: 1. Prompt the user to allow or deny the new connection. 2. Deny the new connection until the user takes an action on it. 3. Allow the rest of traffic, allowing known connections, and denying new ones until the active pop-up is closed and we can prompt the user again. - GUI disconnected. Result: 1. Apply daemon's DefaultAction from the configuration file default-config.json. closes: #392
2021-06-16 09:50:36 +02:00
// While the GUI is connected, deny by default everything until the user takes an action.
ui,rules: added option to exclude connection events New option to exclude connections from being logged. Closes #691
2022-07-04 11:14:26 +02:00
clientConnectedRule = rule.Create("ui.client.connected", "", true, false, false, rule.Deny, rule.Once, dummyOperator)
clientErrorRule = rule.Create("ui.client.error", "", true, false, false, rule.Allow, rule.Once, dummyOperator)
new feature: send alerts to the server/UI Up until now some error and warning messages were only logged out to the system, not allowing the user know what was happening under the hood. Now the following events are notified: - eBPF related errors. - netfilter queue errors. - configuration errors. WIP, we'll keep improving it and build new features on top of this one.
2022-10-12 13:31:45 +02:00
maxQueuedAlerts = 1024
introducing daemon tasks daemon tasks are actions that are executed in background by the daemon. They're started from the GUI (server) via a Notification (protobuf), with the type TASK_START (protobuf). Once received in the daemon, the TaskManager starts the task in background. Tasks may run at interval times (every 5s, 2days, etc), until they finish an operation, until a timeout, etc. Each task has each own configuration options, which will customize the behaviour of its operations. In this version, if the GUI is closed, the daemon will stop all the running tasks. Each Task has a flag to ignore this behaviour, for example if they need to run until they finish and only send a notification to the GUI, instead of streaming data continuously to the GUI (server). - Up until now we only had one task that could be initiated from the GUI: the process monitor dialog. It has been migrated to a Task{}. - go.mod bumped to v1.20, to use unsafe string functions. - go.sum updated accordingly.
2024-09-25 01:00:38 +02:00
TaskMgr = tasks.NewTaskManager()
support rules with type=regexp (closes #127)
2018-04-07 13:52:25 +02:00
)
misc: small fix or general refactoring i did not bother commenting
2018-04-02 18:11:36 +02:00
allow to configure process monitor method in daemon config Added ProcMonitorMethod, which can be "proc", "ftrace" or "audit". Parameters passed by command line take prevalence over default configuration. breaking changes: config options changed from xx_yy to XxYy. Config example: { "DefaultAction": "allow", "DefaultDuration": "once", "InterceptUnknown": true, "ProcMonitorMethod": "audit" }
2020-03-16 01:37:33 +01:00
// Client holds the connection information of a client.
misc: small fix or general refactoring i did not bother commenting
2018-04-02 05:25:32 +02:00
type Client struct {
structs fields reorganized Structs' fields reorganized based on fieldalignment tool output
2024-01-14 20:44:49 +01:00
client protocol.UIClient
streamNotifications protocol.UI_NotificationsClient
clientCtx context.Context
clientCancel context.CancelFunc
more work on reloading configuration continuation of previous commit bde5d34deb5e5c5858991510c48fbd58913a193a - Allow to reconfigure stats limits (how many events we keep on the daemon, number of workers, ...) - Allow to reconfigure loggers.
2024-05-11 18:23:20 +02:00
config config.Config
structs fields reorganized Structs' fields reorganized based on fieldalignment tool output
2024-01-14 20:44:49 +01:00
reload more config options without restarting the daemon Reload the configuration without restarting the daemon when changing: - server authentication options. - GC percentage. - Rules path. - Loggers. - FW options. - eBPF modules path. Also, try to avoid unnecessary changes.
2024-05-02 21:14:59 +02:00
loggers *loggers.LoggerManager
structs fields reorganized Structs' fields reorganized based on fieldalignment tool output
2024-01-14 20:44:49 +01:00
stats *statistics.Statistics
rules *rule.Loader
con *grpc.ClientConn
configWatcher *fsnotify.Watcher
alertsChan chan protocol.Alert
isConnected chan bool
misc: small fix or general refactoring i did not bother commenting
2018-04-02 05:25:32 +02:00
allow to secure (abstract) unix socket comms - Allow to use SSL certificates to secure unix sockets communications. - Allow to use abstract users sockets for server and nodes. Go gRPC doesn't seem to understand unix sockets addresses that start with "unix-abstract:", and python gRPC doesn't seem to understand "unix:@" addresses. Therefore, on the server (python gRPC) we use the format "unix:@" to specify the address where the server will listen on, and rewrite it to "unix-abstract:" before starting the server. Note about certs and abstract unix sockets: When creating the SSL certificates, you'll have to specify the address of the unix socket as the Common Name of the certificates: Address: "unix:@my-abstract-socket" Common Name: @my-abstract-socket
2023-07-19 01:17:49 +02:00
socketPath string
unixSockPrefix string
new feature: send alerts to the server/UI Up until now some error and warning messages were only logged out to the system, not allowing the user know what was happening under the hood. Now the following events are notified: - eBPF related errors. - netfilter queue errors. - configuration errors. WIP, we'll keep improving it and build new features on top of this one.
2022-10-12 13:31:45 +02:00
do not block connection processing when GUI popup is active.
2021-02-18 17:21:50 +03:00
//isAsking is set to true if the client is awaiting a decision from the GUI
structs fields reorganized Structs' fields reorganized based on fieldalignment tool output
2024-01-14 20:44:49 +01:00
isAsking bool
isUnixSocket bool
sync.RWMutex
misc: small fix or general refactoring i did not bother commenting
2018-04-02 05:25:32 +02:00
}
allow to configure process monitor method in daemon config Added ProcMonitorMethod, which can be "proc", "ftrace" or "audit". Parameters passed by command line take prevalence over default configuration. breaking changes: config options changed from xx_yy to XxYy. Config example: { "DefaultAction": "allow", "DefaultDuration": "once", "InterceptUnknown": true, "ProcMonitorMethod": "audit" }
2020-03-16 01:37:33 +01:00
// NewClient creates and configures a new client.
allow to configure rules and config file paths - Added cli option -config-file to specify an alternate path to the config file. - Allow to configure rules path from the configuration file (cli option takes precedence). - Default options are now /etc/opensnitchd/rules and /etc/opensnitchd/default-config.json. Previously the default rules directory was "rules" (relative path). Closes #449
2023-12-17 00:22:07 +01:00
func NewClient(socketPath, localConfigFile string, stats *statistics.Statistics, rules *rule.Loader, loggers *loggers.LoggerManager) *Client {
if localConfigFile != "" {
configFile = localConfigFile
}
misc: small fix or general refactoring i did not bother commenting
2018-04-02 05:25:32 +02:00
c := &Client{
reload more config options without restarting the daemon Reload the configuration without restarting the daemon when changing: - server authentication options. - GC percentage. - Rules path. - Loggers. - FW options. - eBPF modules path. Also, try to avoid unnecessary changes.
2024-05-02 21:14:59 +02:00
loggers: loggers,
allow to configure process monitor method in daemon config Added ProcMonitorMethod, which can be "proc", "ftrace" or "audit". Parameters passed by command line take prevalence over default configuration. breaking changes: config options changed from xx_yy to XxYy. Config example: { "DefaultAction": "allow", "DefaultDuration": "once", "InterceptUnknown": true, "ProcMonitorMethod": "audit" }
2020-03-16 01:37:33 +01:00
stats: stats,
Allow to configure if a rule is enabled or not.
2020-05-10 17:17:05 +02:00
rules: rules,
added support for a tcp listener (closes #119)
2018-04-07 01:52:43 +02:00
isUnixSocket: false,
do not block connection processing when GUI popup is active.
2021-02-18 17:21:50 +03:00
isAsking: false,
new feature: send alerts to the server/UI Up until now some error and warning messages were only logged out to the system, not allowing the user know what was happening under the hood. Now the following events are notified: - eBPF related errors. - netfilter queue errors. - configuration errors. WIP, we'll keep improving it and build new features on top of this one.
2022-10-12 13:31:45 +02:00
isConnected: make(chan bool),
alertsChan: make(chan protocol.Alert, maxQueuedAlerts),
misc: small fix or general refactoring i did not bother commenting
2018-04-02 05:25:32 +02:00
}
improved rules reloading, cli parameters - When reloading rules from a path: stop existing (domains,ips,regexp) lists monitors, stop rules watcher and start watching the new dir for changes, delete existing rules from memory, etc. - Previously, cli parameters (queue number, log file, etc) were taking into account before loading the configuration. Now the configuration file is loaded first (default-config.json), and if any of the cli parameter has been specified, it'll overwrite the loaded configuration from file. This means for example that if you use "-process-monitor-method proc", and "ebpf" is configured in default-config.json, firstly "ebpf" will be configured, and later "proc". (-queue-num option for now requires to match config option cfg.FwOptions.QueueNumber)
2024-05-22 00:47:54 +02:00
c.config.Rules.Path = rules.Path
new feature: send alerts to the server/UI Up until now some error and warning messages were only logged out to the system, not allowing the user know what was happening under the hood. Now the following events are notified: - eBPF related errors. - netfilter queue errors. - configuration errors. WIP, we'll keep improving it and build new features on top of this one.
2022-10-12 13:31:45 +02:00
//for i := 0; i < 4; i++ {
go c.alertsDispatcher()
close nfqueue descriptors gracefully When the daemon is stopped, we need to close opened netfilter recurses. Otherwise we can fall into a situation where we leave NFQUEUE queues opened, which causes opensnitch to not run anymore until system restart or a manual intervention, because there's a NFQUEUE queue already created with the same ID. This is what was happening as a collateral effect of #41.
2020-07-17 01:29:58 +02:00
c.clientCtx, c.clientCancel = context.WithCancel(context.Background())
allow to configure unknown conns interception /etc/opensnitchd/default-config.json can now contain "intercept_unknown": true|false
2019-11-01 01:00:10 +01:00
if watcher, err := fsnotify.NewWatcher(); err == nil {
c.configWatcher = watcher
}
Allow to change settings from the UI (1/2) We start receiving notifications from the UI, which allow us to change configurations and perform actions on the daemon. The concept of Node has also been introduced, which identifies every daemon (client) connected to the UI (server). These options has been added: - Enable/Disable firewall interception (for all nodes) - Change daemons (clients) configuration. globally or per node. - Change prompt dialog options. We have fixed some bugs along the way: - Close audit client connection gracefully. - Exclude our own connections from being intercepted. - Better handling of client connection status with the UI. We probably has also introduced some other bugs (not listed here).
2020-04-19 20:13:31 +02:00
c.loadDiskConfiguration(false)
set server address and log file from the default config The server address and log file were hardcoded into the opensnitchd.service file, making it almost impossible to change. Soon we'll be able to change it from the UI.
2020-10-26 23:16:27 +01:00
if socketPath != "" {
fixes race condition setting server address
2020-10-30 22:06:33 +01:00
c.setSocketPath(c.getSocketPath(socketPath))
set server address and log file from the default config The server address and log file were hardcoded into the opensnitchd.service file, making it almost impossible to change. Soon we'll be able to change it from the UI.
2020-10-26 23:16:27 +01:00
}
more work on reloading configuration continuation of previous commit bde5d34deb5e5c5858991510c48fbd58913a193a - Allow to reconfigure stats limits (how many events we keep on the daemon, number of workers, ...) - Allow to reconfigure loggers.
2024-05-11 18:23:20 +02:00
procmon.EventsCache.SetComputeChecksums(c.config.Rules.EnableChecksums)
rules.EnableChecksums(c.config.Rules.EnableChecksums)
set server address and log file from the default config The server address and log file were hardcoded into the opensnitchd.service file, making it almost impossible to change. Soon we'll be able to change it from the UI.
2020-10-26 23:16:27 +01:00
misc: small fix or general refactoring i did not bother commenting
2018-04-02 05:25:32 +02:00
return c
}
sys fw: allow to change fw type from the GUI - Configuration of system firewall rules from the GUI is not supported for iptables. Up until now only a warning was displayed, encouring to change fw type manually. Now if configured fw type is iptables (default-config.json, Firewall:), and the user opens the fw dialog, we'll ask the user to change it from the GUI. - Add fw rules before connecting to the GUI. Otherwise we send to the GUI an invalid fw state.
2022-12-16 17:03:36 +01:00
// Connect starts the connection poller
func (c *Client) Connect() {
go c.poller()
}
close nfqueue descriptors gracefully When the daemon is stopped, we need to close opened netfilter recurses. Otherwise we can fall into a situation where we leave NFQUEUE queues opened, which causes opensnitch to not run anymore until system restart or a manual intervention, because there's a NFQUEUE queue already created with the same ID. This is what was happening as a collateral effect of #41.
2020-07-17 01:29:58 +02:00
// Close cancels the running tasks: pinging the server and (re)connection poller.
func (c *Client) Close() {
c.clientCancel()
}
allow to configure process monitor method in daemon config Added ProcMonitorMethod, which can be "proc", "ftrace" or "audit". Parameters passed by command line take prevalence over default configuration. breaking changes: config options changed from xx_yy to XxYy. Config example: { "DefaultAction": "allow", "DefaultDuration": "once", "InterceptUnknown": true, "ProcMonitorMethod": "audit" }
2020-03-16 01:37:33 +01:00
// ProcMonitorMethod returns the monitor method configured.
Fix random typos Found via `codespell v2.1.dev0` `codespell -q 3 -L ans`
2020-12-23 13:24:59 -05:00
// If it's not present in the config file, it'll return an empty string.
allow to configure process monitor method in daemon config Added ProcMonitorMethod, which can be "proc", "ftrace" or "audit". Parameters passed by command line take prevalence over default configuration. breaking changes: config options changed from xx_yy to XxYy. Config example: { "DefaultAction": "allow", "DefaultDuration": "once", "InterceptUnknown": true, "ProcMonitorMethod": "audit" }
2020-03-16 01:37:33 +01:00
func (c *Client) ProcMonitorMethod() string {
more work on reloading configuration continuation of previous commit bde5d34deb5e5c5858991510c48fbd58913a193a - Allow to reconfigure stats limits (how many events we keep on the daemon, number of workers, ...) - Allow to reconfigure loggers.
2024-05-11 18:23:20 +02:00
c.RLock()
defer c.RUnlock()
return c.config.ProcMonitorMethod
allow to configure process monitor method in daemon config Added ProcMonitorMethod, which can be "proc", "ftrace" or "audit". Parameters passed by command line take prevalence over default configuration. breaking changes: config options changed from xx_yy to XxYy. Config example: { "DefaultAction": "allow", "DefaultDuration": "once", "InterceptUnknown": true, "ProcMonitorMethod": "audit" }
2020-03-16 01:37:33 +01:00
}
// InterceptUnknown returns
allow to configure unknown conns interception /etc/opensnitchd/default-config.json can now contain "intercept_unknown": true|false
2019-11-01 01:00:10 +01:00
func (c *Client) InterceptUnknown() bool {
more work on reloading configuration continuation of previous commit bde5d34deb5e5c5858991510c48fbd58913a193a - Allow to reconfigure stats limits (how many events we keep on the daemon, number of workers, ...) - Allow to reconfigure loggers.
2024-05-11 18:23:20 +02:00
c.RLock()
defer c.RUnlock()
return c.config.InterceptUnknown
Allow to configure daemon's default action rule If the file /etc/opensnitchd/default-config.json exists, read it and apply the options to the default rule when there's no client connected. If it doesn't exist, just apply the default rule, allow connections once. Config example: {"default_action": "deny", "default_duration": "once"}
2019-07-02 23:41:41 +02:00
}
allow to configure what firewall to use Before this change, we tried to determine what firewall to use based on the version of iptables (if -V legacy -> nftables, otherwise iptables). This caused problems (#455), and as there's no support yet for nftables system firewall rules, it can't be configured to workaround these errors. Now the default firewall to use will be iptables. If it's not available (installed), can't be used or the configuration option is empty/missing, we'll use nftables.
2021-08-09 00:21:43 +02:00
// GetFirewallType returns the firewall to use
func (c *Client) GetFirewallType() string {
more work on reloading configuration continuation of previous commit bde5d34deb5e5c5858991510c48fbd58913a193a - Allow to reconfigure stats limits (how many events we keep on the daemon, number of workers, ...) - Allow to reconfigure loggers.
2024-05-11 18:23:20 +02:00
c.RLock()
defer c.RUnlock()
if c.config.Firewall == "" {
allow to configure what firewall to use Before this change, we tried to determine what firewall to use based on the version of iptables (if -V legacy -> nftables, otherwise iptables). This caused problems (#455), and as there's no support yet for nftables system firewall rules, it can't be configured to workaround these errors. Now the default firewall to use will be iptables. If it's not available (installed), can't be used or the configuration option is empty/missing, we'll use nftables.
2021-08-09 00:21:43 +02:00
return iptables.Name
}
more work on reloading configuration continuation of previous commit bde5d34deb5e5c5858991510c48fbd58913a193a - Allow to reconfigure stats limits (how many events we keep on the daemon, number of workers, ...) - Allow to reconfigure loggers.
2024-05-11 18:23:20 +02:00
return c.config.Firewall
allow to configure what firewall to use Before this change, we tried to determine what firewall to use based on the version of iptables (if -V legacy -> nftables, otherwise iptables). This caused problems (#455), and as there's no support yet for nftables system firewall rules, it can't be configured to workaround these errors. Now the default firewall to use will be iptables. If it's not available (installed), can't be used or the configuration option is empty/missing, we'll use nftables.
2021-08-09 00:21:43 +02:00
}
allow to configure process monitor method in daemon config Added ProcMonitorMethod, which can be "proc", "ftrace" or "audit". Parameters passed by command line take prevalence over default configuration. breaking changes: config options changed from xx_yy to XxYy. Config example: { "DefaultAction": "allow", "DefaultDuration": "once", "InterceptUnknown": true, "ProcMonitorMethod": "audit" }
2020-03-16 01:37:33 +01:00
// DefaultAction returns the default configured action for
fixed missing funcs declarations and non used var
2019-10-21 00:04:15 +02:00
func (c *Client) DefaultAction() rule.Action {
drop connections while a pop-up is running Prior to v1.4.x versions, when a pop-up asked the user to allow or deny a connection, the rest of the network traffic was dropped until an action was taken. We fixed it, but when a pop-up was asking to allow or deny a new connection, we let it passing by if the daemon's DefaultAction option was set to allow, even if the user hadn't taken an action on it yet. It also caused some confusion if the users had configured the pop-up's DefaultAction to deny, they were expecting to not allow the connection until they had decided what to do. Now the previous behaviour has been restored, having these usage scenarios: - If the GUI is connected + daemon DefaultAction set to allow or deny. Result: 1. Prompt the user to allow or deny the new connection. 2. Deny the new connection until the user takes an action on it. 3. Allow the rest of traffic, allowing known connections, and denying new ones until the active pop-up is closed and we can prompt the user again. - GUI disconnected. Result: 1. Apply daemon's DefaultAction from the configuration file default-config.json. closes: #392
2021-06-16 09:50:36 +02:00
isConnected := c.Connected()
fixed race condition when reading default config
2020-11-03 15:29:08 +01:00
c.RLock()
defer c.RUnlock()
drop connections while a pop-up is running Prior to v1.4.x versions, when a pop-up asked the user to allow or deny a connection, the rest of the network traffic was dropped until an action was taken. We fixed it, but when a pop-up was asking to allow or deny a new connection, we let it passing by if the daemon's DefaultAction option was set to allow, even if the user hadn't taken an action on it yet. It also caused some confusion if the users had configured the pop-up's DefaultAction to deny, they were expecting to not allow the connection until they had decided what to do. Now the previous behaviour has been restored, having these usage scenarios: - If the GUI is connected + daemon DefaultAction set to allow or deny. Result: 1. Prompt the user to allow or deny the new connection. 2. Deny the new connection until the user takes an action on it. 3. Allow the rest of traffic, allowing known connections, and denying new ones until the active pop-up is closed and we can prompt the user again. - GUI disconnected. Result: 1. Apply daemon's DefaultAction from the configuration file default-config.json. closes: #392
2021-06-16 09:50:36 +02:00
if isConnected {
return clientConnectedRule.Action
}
fixed missing funcs declarations and non used var
2019-10-21 00:04:15 +02:00
return clientDisconnectedRule.Action
}
allow to configure process monitor method in daemon config Added ProcMonitorMethod, which can be "proc", "ftrace" or "audit". Parameters passed by command line take prevalence over default configuration. breaking changes: config options changed from xx_yy to XxYy. Config example: { "DefaultAction": "allow", "DefaultDuration": "once", "InterceptUnknown": true, "ProcMonitorMethod": "audit" }
2020-03-16 01:37:33 +01:00
// DefaultDuration returns the default duration configured for a rule.
// For example it can be: once, always, "until restart".
fixed missing funcs declarations and non used var
2019-10-21 00:04:15 +02:00
func (c *Client) DefaultDuration() rule.Duration {
fixed race condition when reading default config
2020-11-03 15:29:08 +01:00
c.RLock()
defer c.RUnlock()
fixed missing funcs declarations and non used var
2019-10-21 00:04:15 +02:00
return clientDisconnectedRule.Duration
}
allow to configure process monitor method in daemon config Added ProcMonitorMethod, which can be "proc", "ftrace" or "audit". Parameters passed by command line take prevalence over default configuration. breaking changes: config options changed from xx_yy to XxYy. Config example: { "DefaultAction": "allow", "DefaultDuration": "once", "InterceptUnknown": true, "ProcMonitorMethod": "audit" }
2020-03-16 01:37:33 +01:00
// Connected checks if the client has established a connection with the server.
make the daemon log when the UI socket is available or goes down (closes #123)
2018-04-06 14:48:43 +02:00
func (c *Client) Connected() bool {
do not block connection processing when GUI popup is active.
2021-02-18 17:21:50 +03:00
c.RLock()
defer c.RUnlock()
make the daemon log when the UI socket is available or goes down (closes #123)
2018-04-06 14:48:43 +02:00
if c.con == nil || c.con.GetState() != connectivity.Ready {
return false
}
return true
}
do not block connection processing when GUI popup is active.
2021-02-18 17:21:50 +03:00
//GetIsAsking returns the isAsking flag
func (c *Client) GetIsAsking() bool {
c.RLock()
defer c.RUnlock()
return c.isAsking
}
//SetIsAsking sets the isAsking flag
func (c *Client) SetIsAsking(flag bool) {
c.Lock()
defer c.Unlock()
c.isAsking = flag
}
misc: small fix or general refactoring i did not bother commenting
2018-04-02 05:25:32 +02:00
func (c *Client) poller() {
log.Debug("UI service poller started for socket %s", c.socketPath)
make the daemon log when the UI socket is available or goes down (closes #123)
2018-04-06 14:48:43 +02:00
wasConnected := false
close nfqueue descriptors gracefully When the daemon is stopped, we need to close opened netfilter recurses. Otherwise we can fall into a situation where we leave NFQUEUE queues opened, which causes opensnitch to not run anymore until system restart or a manual intervention, because there's a NFQUEUE queue already created with the same ID. This is what was happening as a collateral effect of #41.
2020-07-17 01:29:58 +02:00
for {
select {
case <-c.clientCtx.Done():
set server address and log file from the default config The server address and log file were hardcoded into the opensnitchd.service file, making it almost impossible to change. Soon we'll be able to change it from the UI.
2020-10-26 23:16:27 +01:00
log.Info("Client.poller() exit, Done()")
close nfqueue descriptors gracefully When the daemon is stopped, we need to close opened netfilter recurses. Otherwise we can fall into a situation where we leave NFQUEUE queues opened, which causes opensnitch to not run anymore until system restart or a manual intervention, because there's a NFQUEUE queue already created with the same ID. This is what was happening as a collateral effect of #41.
2020-07-17 01:29:58 +02:00
goto Exit
default:
isConnected := c.Connected()
if wasConnected != isConnected {
c.onStatusChange(isConnected)
wasConnected = isConnected
}
make the daemon log when the UI socket is available or goes down (closes #123)
2018-04-06 14:48:43 +02:00
close nfqueue descriptors gracefully When the daemon is stopped, we need to close opened netfilter recurses. Otherwise we can fall into a situation where we leave NFQUEUE queues opened, which causes opensnitch to not run anymore until system restart or a manual intervention, because there's a NFQUEUE queue already created with the same ID. This is what was happening as a collateral effect of #41.
2020-07-17 01:29:58 +02:00
if c.Connected() == false {
// connect and create the client if needed
if err := c.connect(); err != nil {
log.Warning("Error while connecting to UI service: %s", err)
}
Merge branch 'fix_grpc_sockets_leaks' into main
2019-10-20 23:25:21 +02:00
}
close nfqueue descriptors gracefully When the daemon is stopped, we need to close opened netfilter recurses. Otherwise we can fall into a situation where we leave NFQUEUE queues opened, which causes opensnitch to not run anymore until system restart or a manual intervention, because there's a NFQUEUE queue already created with the same ID. This is what was happening as a collateral effect of #41.
2020-07-17 01:29:58 +02:00
if c.Connected() == true {
// if the client is connected and ready, send a ping
if err := c.ping(time.Now()); err != nil {
improved nodes connectivity handling problem: - after losing network connectivity node<->server, the node didn't restore the connection. In reality, the connection with the server was not closed, but the notifications channel was closed due to inactivity after 20s. set inactivity timeouts to 20s on both node and server. Previous timeouts were 2h for the main connection and 20s for the streaming channels (notifications). - get rid of the logic to determine if the server is alive or not based on sending pings. Instead, use the connection events when a node connects/disconnects (Subscribe). The Ping call is still used to send the statistics. other: - fixed exception when updating the status of a node.
2021-04-11 20:55:14 +02:00
log.Warning("Error while pinging UI service: %s, state: %v", err, c.con.GetState())
close nfqueue descriptors gracefully When the daemon is stopped, we need to close opened netfilter recurses. Otherwise we can fall into a situation where we leave NFQUEUE queues opened, which causes opensnitch to not run anymore until system restart or a manual intervention, because there's a NFQUEUE queue already created with the same ID. This is what was happening as a collateral effect of #41.
2020-07-17 01:29:58 +02:00
}
added ui ping/pong
2018-04-02 18:26:04 +02:00
}
misc: small fix or general refactoring i did not bother commenting
2018-04-06 18:34:33 +02:00
close nfqueue descriptors gracefully When the daemon is stopped, we need to close opened netfilter recurses. Otherwise we can fall into a situation where we leave NFQUEUE queues opened, which causes opensnitch to not run anymore until system restart or a manual intervention, because there's a NFQUEUE queue already created with the same ID. This is what was happening as a collateral effect of #41.
2020-07-17 01:29:58 +02:00
time.Sleep(1 * time.Second)
}
misc: small fix or general refactoring i did not bother commenting
2018-04-02 05:25:32 +02:00
}
close nfqueue descriptors gracefully When the daemon is stopped, we need to close opened netfilter recurses. Otherwise we can fall into a situation where we leave NFQUEUE queues opened, which causes opensnitch to not run anymore until system restart or a manual intervention, because there's a NFQUEUE queue already created with the same ID. This is what was happening as a collateral effect of #41.
2020-07-17 01:29:58 +02:00
Exit:
log.Info("uiClient exit")
misc: small fix or general refactoring i did not bother commenting
2018-04-02 05:25:32 +02:00
}
make the daemon log when the UI socket is available or goes down (closes #123)
2018-04-06 14:48:43 +02:00
func (c *Client) onStatusChange(connected bool) {
if connected {
log.Info("Connected to the UI service on %s", c.socketPath)
Allow to change settings from the UI (1/2) We start receiving notifications from the UI, which allow us to change configurations and perform actions on the daemon. The concept of Node has also been introduced, which identifies every daemon (client) connected to the UI (server). These options has been added: - Enable/Disable firewall interception (for all nodes) - Change daemons (clients) configuration. globally or per node. - Change prompt dialog options. We have fixed some bugs along the way: - Close audit client connection gracefully. - Exclude our own connections from being intercepted. - Better handling of client connection status with the UI. We probably has also introduced some other bugs (not listed here).
2020-04-19 20:13:31 +02:00
go c.Subscribe()
new feature: send alerts to the server/UI Up until now some error and warning messages were only logged out to the system, not allowing the user know what was happening under the hood. Now the following events are notified: - eBPF related errors. - netfilter queue errors. - configuration errors. WIP, we'll keep improving it and build new features on top of this one.
2022-10-12 13:31:45 +02:00
select {
case c.isConnected <- true:
default:
}
make the daemon log when the UI socket is available or goes down (closes #123)
2018-04-06 14:48:43 +02:00
} else {
log.Error("Connection to the UI service lost.")
set server address and log file from the default config The server address and log file were hardcoded into the opensnitchd.service file, making it almost impossible to change. Soon we'll be able to change it from the UI.
2020-10-26 23:16:27 +01:00
c.disconnect()
make the daemon log when the UI socket is available or goes down (closes #123)
2018-04-06 14:48:43 +02:00
}
}
misc: small fix or general refactoring i did not bother commenting
2018-04-02 05:25:32 +02:00
make the daemon log when the UI socket is available or goes down (closes #123)
2018-04-06 14:48:43 +02:00
func (c *Client) connect() (err error) {
if c.Connected() {
misc: small fix or general refactoring i did not bother commenting
2018-04-02 05:25:32 +02:00
return
}
Fix grpc sockets leaking when connecting to a UI Failured connections to a UI were not being closed, so we ended up with > 1024 opened sockets, which caused the error Too many files open.
2019-06-29 13:55:44 +02:00
Merge branch 'fix_grpc_sockets_leaks' into main
2019-10-20 23:25:21 +02:00
if c.con != nil {
if c.con.GetState() == connectivity.TransientFailure || c.con.GetState() == connectivity.Shutdown {
set server address and log file from the default config The server address and log file were hardcoded into the opensnitchd.service file, making it almost impossible to change. Soon we'll be able to change it from the UI.
2020-10-26 23:16:27 +01:00
c.disconnect()
Merge branch 'fix_grpc_sockets_leaks' into main
2019-10-20 23:25:21 +02:00
} else {
return
}
}
misc: small fix or general refactoring i did not bother commenting
2018-04-02 05:25:32 +02:00
fixes race condition setting server address
2020-10-30 22:06:33 +01:00
if err := c.openSocket(); err != nil {
allow to secure (abstract) unix socket comms - Allow to use SSL certificates to secure unix sockets communications. - Allow to use abstract users sockets for server and nodes. Go gRPC doesn't seem to understand unix sockets addresses that start with "unix-abstract:", and python gRPC doesn't seem to understand "unix:@" addresses. Therefore, on the server (python gRPC) we use the format "unix:@" to specify the address where the server will listen on, and rewrite it to "unix-abstract:" before starting the server. Note about certs and abstract unix sockets: When creating the SSL certificates, you'll have to specify the address of the unix socket as the Common Name of the certificates: Address: "unix:@my-abstract-socket" Common Name: @my-abstract-socket
2023-07-19 01:17:49 +02:00
log.Debug("connect() %s", err)
fixes race condition setting server address
2020-10-30 22:06:33 +01:00
c.disconnect()
return err
}
if c.client == nil {
c.client = protocol.NewUIClient(c.con)
}
return nil
}
func (c *Client) openSocket() (err error) {
c.Lock()
defer c.Unlock()
more work on reloading configuration continuation of previous commit bde5d34deb5e5c5858991510c48fbd58913a193a - Allow to reconfigure stats limits (how many events we keep on the daemon, number of workers, ...) - Allow to reconfigure loggers.
2024-05-11 18:23:20 +02:00
dialOption, err := auth.New(&c.config)
allow to secure (abstract) unix socket comms - Allow to use SSL certificates to secure unix sockets communications. - Allow to use abstract users sockets for server and nodes. Go gRPC doesn't seem to understand unix sockets addresses that start with "unix-abstract:", and python gRPC doesn't seem to understand "unix:@" addresses. Therefore, on the server (python gRPC) we use the format "unix:@" to specify the address where the server will listen on, and rewrite it to "unix-abstract:" before starting the server. Note about certs and abstract unix sockets: When creating the SSL certificates, you'll have to specify the address of the unix socket as the Common Name of the certificates: Address: "unix:@my-abstract-socket" Common Name: @my-abstract-socket
2023-07-19 01:17:49 +02:00
if err != nil {
return fmt.Errorf("Invalid client auth options: %s", err)
}
added support for a tcp listener (closes #119)
2018-04-07 01:52:43 +02:00
if c.isUnixSocket {
allow to secure (abstract) unix socket comms - Allow to use SSL certificates to secure unix sockets communications. - Allow to use abstract users sockets for server and nodes. Go gRPC doesn't seem to understand unix sockets addresses that start with "unix-abstract:", and python gRPC doesn't seem to understand "unix:@" addresses. Therefore, on the server (python gRPC) we use the format "unix:@" to specify the address where the server will listen on, and rewrite it to "unix-abstract:" before starting the server. Note about certs and abstract unix sockets: When creating the SSL certificates, you'll have to specify the address of the unix socket as the Common Name of the certificates: Address: "unix:@my-abstract-socket" Common Name: @my-abstract-socket
2023-07-19 01:17:49 +02:00
c.con, err = grpc.Dial(c.socketPath, dialOption,
added support for a tcp listener (closes #119)
2018-04-07 01:52:43 +02:00
grpc.WithDialer(func(addr string, timeout time.Duration) (net.Conn, error) {
allow to secure (abstract) unix socket comms - Allow to use SSL certificates to secure unix sockets communications. - Allow to use abstract users sockets for server and nodes. Go gRPC doesn't seem to understand unix sockets addresses that start with "unix-abstract:", and python gRPC doesn't seem to understand "unix:@" addresses. Therefore, on the server (python gRPC) we use the format "unix:@" to specify the address where the server will listen on, and rewrite it to "unix-abstract:" before starting the server. Note about certs and abstract unix sockets: When creating the SSL certificates, you'll have to specify the address of the unix socket as the Common Name of the certificates: Address: "unix:@my-abstract-socket" Common Name: @my-abstract-socket
2023-07-19 01:17:49 +02:00
return net.DialTimeout(c.unixSockPrefix, addr, timeout)
added support for a tcp listener (closes #119)
2018-04-07 01:52:43 +02:00
}))
} else {
improved nodes connectivity handling problem: - after losing network connectivity node<->server, the node didn't restore the connection. In reality, the connection with the server was not closed, but the notifications channel was closed due to inactivity after 20s. set inactivity timeouts to 20s on both node and server. Previous timeouts were 2h for the main connection and 20s for the streaming channels (notifications). - get rid of the logic to determine if the server is alive or not based on sending pings. Instead, use the connection events when a node connects/disconnects (Subscribe). The Ping call is still used to send the statistics. other: - fixed exception when updating the status of a node.
2021-04-11 20:55:14 +02:00
// https://pkg.go.dev/google.golang.org/grpc/keepalive#ClientParameters
var kacp = keepalive.ClientParameters{
Time: 5 * time.Second,
// if there's no activity after ^, wait 20s and close
// server timeout is 20s by default.
Timeout: 22 * time.Second,
// send pings even without active streams
PermitWithoutStream: true,
}
added option to secure channel communications Allow to cypher channel communications with certificates. There are 3 authentication types: simple, tls-simple and tls-mutual. - 'simple' wont't cypher communications. - 'tls-simple' uses a server key and certificate for the server, and a common CA certificate or the server certificate to authenticate all nodes. - 'tls-mutual' uses a server key and certificate for the server, and a client key and certificate per node. There are 2 options to verify how gRPC validates credentials: - SkipVerify: https://pkg.go.dev/crypto/tls#Config - ClientAuthType: https://pkg.go.dev/crypto/tls#ClientAuthType Example configuration: "Server": { "Address": "127.0.0.1:12345", "Authentication": { "Type": "tls-simple", "TLSOptions": { "CACert": "/etc/opensnitchd/auth/ca-cert.pem", "ServerCert": "/etc/opensnitchd/auth/server-cert.pem", "ClientCert": "/etc/opensnitchd/auth/client-cert.pem", "ClientKey": "/etc/opensnitchd/auth/client-key.pem", "SkipVerify": false, "ClientAuthType": "req-and-verify-cert" } } } More info: https://github.com/evilsocket/opensnitch/wiki/Nodes
2023-06-23 16:51:36 +02:00
c.con, err = grpc.Dial(c.socketPath, dialOption, grpc.WithKeepaliveParams(kacp))
added support for a tcp listener (closes #119)
2018-04-07 01:52:43 +02:00
}
fixes race condition setting server address
2020-10-30 22:06:33 +01:00
return err
misc: small fix or general refactoring i did not bother commenting
2018-04-02 05:25:32 +02:00
}
set server address and log file from the default config The server address and log file were hardcoded into the opensnitchd.service file, making it almost impossible to change. Soon we'll be able to change it from the UI.
2020-10-26 23:16:27 +01:00
func (c *Client) disconnect() {
fixes race condition setting server address
2020-10-30 22:06:33 +01:00
c.Lock()
defer c.Unlock()
new feature: send alerts to the server/UI Up until now some error and warning messages were only logged out to the system, not allowing the user know what was happening under the hood. Now the following events are notified: - eBPF related errors. - netfilter queue errors. - configuration errors. WIP, we'll keep improving it and build new features on top of this one.
2022-10-12 13:31:45 +02:00
select {
case c.isConnected <- false:
default:
}
set server address and log file from the default config The server address and log file were hardcoded into the opensnitchd.service file, making it almost impossible to change. Soon we'll be able to change it from the UI.
2020-10-26 23:16:27 +01:00
if c.con != nil {
c.con.Close()
c.con = nil
fixed typo
2020-10-27 01:40:03 +01:00
log.Debug("client.disconnect()")
set server address and log file from the default config The server address and log file were hardcoded into the opensnitchd.service file, making it almost impossible to change. Soon we'll be able to change it from the UI.
2020-10-26 23:16:27 +01:00
}
new feature: send alerts to the server/UI Up until now some error and warning messages were only logged out to the system, not allowing the user know what was happening under the hood. Now the following events are notified: - eBPF related errors. - netfilter queue errors. - configuration errors. WIP, we'll keep improving it and build new features on top of this one.
2022-10-12 13:31:45 +02:00
c.client = nil
set server address and log file from the default config The server address and log file were hardcoded into the opensnitchd.service file, making it almost impossible to change. Soon we'll be able to change it from the UI.
2020-10-26 23:16:27 +01:00
}
added ui ping/pong
2018-04-02 18:26:04 +02:00
func (c *Client) ping(ts time.Time) (err error) {
make the daemon log when the UI socket is available or goes down (closes #123)
2018-04-06 14:48:43 +02:00
if c.Connected() == false {
allow to configure process monitor method in daemon config Added ProcMonitorMethod, which can be "proc", "ftrace" or "audit". Parameters passed by command line take prevalence over default configuration. breaking changes: config options changed from xx_yy to XxYy. Config example: { "DefaultAction": "allow", "DefaultDuration": "once", "InterceptUnknown": true, "ProcMonitorMethod": "audit" }
2020-03-16 01:37:33 +01:00
return fmt.Errorf("service is not connected")
added ui ping/pong
2018-04-02 18:26:04 +02:00
}
make the daemon log when the UI socket is available or goes down (closes #123)
2018-04-06 14:48:43 +02:00
c.Lock()
defer c.Unlock()
added ui ping/pong
2018-04-02 18:26:04 +02:00
ctx, cancel := context.WithTimeout(context.Background(), time.Second)
defer cancel()
allow to configure process monitor method in daemon config Added ProcMonitorMethod, which can be "proc", "ftrace" or "audit". Parameters passed by command line take prevalence over default configuration. breaking changes: config options changed from xx_yy to XxYy. Config example: { "DefaultAction": "allow", "DefaultDuration": "once", "InterceptUnknown": true, "ProcMonitorMethod": "audit" }
2020-03-16 01:37:33 +01:00
reqID := uint64(ts.UnixNano())
misc: small fix or general refactoring i did not bother commenting
2018-04-06 01:44:15 +02:00
Merge branch 'fix_grpc_sockets_leaks' into main
2019-10-20 23:25:21 +02:00
pReq := &protocol.PingRequest{
allow to configure process monitor method in daemon config Added ProcMonitorMethod, which can be "proc", "ftrace" or "audit". Parameters passed by command line take prevalence over default configuration. breaking changes: config options changed from xx_yy to XxYy. Config example: { "DefaultAction": "allow", "DefaultDuration": "once", "InterceptUnknown": true, "ProcMonitorMethod": "audit" }
2020-03-16 01:37:33 +01:00
Id: reqID,
when the thc kicks in and you find a better logic, better naming, better design and new ideas
2018-04-08 15:32:20 +02:00
Stats: c.stats.Serialize(),
Fixed race when reading and collecting stats When reading stats, a race can occur when sending them to remote UI via Ping()s if at the same time more stats are being collected(written).
2019-06-29 13:46:26 +02:00
}
Merge branch 'fix_grpc_sockets_leaks' into main
2019-10-20 23:25:21 +02:00
c.stats.RLock()
pong, err := c.client.Ping(ctx, pReq)
c.stats.RUnlock()
added ui ping/pong
2018-04-02 18:26:04 +02:00
if err != nil {
return err
}
allow to configure process monitor method in daemon config Added ProcMonitorMethod, which can be "proc", "ftrace" or "audit". Parameters passed by command line take prevalence over default configuration. breaking changes: config options changed from xx_yy to XxYy. Config example: { "DefaultAction": "allow", "DefaultDuration": "once", "InterceptUnknown": true, "ProcMonitorMethod": "audit" }
2020-03-16 01:37:33 +01:00
if pong.Id != reqID {
return fmt.Errorf("Expected pong with id 0x%x, got 0x%x", reqID, pong.Id)
added ui ping/pong
2018-04-02 18:26:04 +02:00
}
return nil
}
allow to configure process monitor method in daemon config Added ProcMonitorMethod, which can be "proc", "ftrace" or "audit". Parameters passed by command line take prevalence over default configuration. breaking changes: config options changed from xx_yy to XxYy. Config example: { "DefaultAction": "allow", "DefaultDuration": "once", "InterceptUnknown": true, "ProcMonitorMethod": "audit" }
2020-03-16 01:37:33 +01:00
// Ask sends a request to the server, with the values of a connection to be
// allowed or denied.
do not block connection processing when GUI popup is active.
2021-02-18 17:21:50 +03:00
func (c *Client) Ask(con *conman.Connection) *rule.Rule {
improved nodes connectivity handling problem: - after losing network connectivity node<->server, the node didn't restore the connection. In reality, the connection with the server was not closed, but the notifications channel was closed due to inactivity after 20s. set inactivity timeouts to 20s on both node and server. Previous timeouts were 2h for the main connection and 20s for the streaming channels (notifications). - get rid of the logic to determine if the server is alive or not based on sending pings. Instead, use the connection events when a node connects/disconnects (Subscribe). The Ping call is still used to send the statistics. other: - fixed exception when updating the status of a node.
2021-04-11 20:55:14 +02:00
if c.client == nil {
return nil
}
increase default timeout to ask for a rule Explained here: https://github.com/gustavo-iniguez-goya/opensnitch/issues/28#issuecomment-637484501
2020-06-04 00:38:11 +02:00
// FIXME: if timeout is fired, the rule is not added to the list in the GUI
ctx, cancel := context.WithTimeout(context.Background(), time.Second*120)
misc: small fix or general refactoring i did not bother commenting
2018-04-02 18:11:36 +02:00
defer cancel()
when the thc kicks in and you find a better logic, better naming, better design and new ideas
2018-04-08 15:32:20 +02:00
reply, err := c.client.AskRule(ctx, con.Serialize())
misc: small fix or general refactoring i did not bother commenting
2018-04-02 18:11:36 +02:00
if err != nil {
increase default timeout to ask for a rule Explained here: https://github.com/gustavo-iniguez-goya/opensnitch/issues/28#issuecomment-637484501
2020-06-04 00:38:11 +02:00
log.Warning("Error while asking for rule: %s - %v", err, con)
do not block connection processing when GUI popup is active.
2021-02-18 17:21:50 +03:00
return nil
misc: small fix or general refactoring i did not bother commenting
2018-04-02 18:11:36 +02:00
}
misc: small fix or general refactoring i did not bother commenting
2018-04-02 05:25:32 +02:00
return better errors if a regexp rule fails to compile If a regexp rule fails to compile, return the reason instead of a generic error. It'll help to debug problems.
2020-06-19 18:02:09 +02:00
r, err := rule.Deserialize(reply)
if err != nil {
do not block connection processing when GUI popup is active.
2021-02-18 17:21:50 +03:00
return nil
return better errors if a regexp rule fails to compile If a regexp rule fails to compile, return the reason instead of a generic error. It'll help to debug problems.
2020-06-19 18:02:09 +02:00
}
do not block connection processing when GUI popup is active.
2021-02-18 17:21:50 +03:00
return r
misc: small fix or general refactoring i did not bother commenting
2018-04-02 05:25:32 +02:00
}
allow to configure unknown conns interception /etc/opensnitchd/default-config.json can now contain "intercept_unknown": true|false
2019-11-01 01:00:10 +01:00
new feature: send alerts to the server/UI Up until now some error and warning messages were only logged out to the system, not allowing the user know what was happening under the hood. Now the following events are notified: - eBPF related errors. - netfilter queue errors. - configuration errors. WIP, we'll keep improving it and build new features on top of this one.
2022-10-12 13:31:45 +02:00
// PostAlert queues a new message to be delivered to the server
func (c *Client) PostAlert(atype protocol.Alert_Type, awhat protocol.Alert_What, action protocol.Alert_Action, prio protocol.Alert_Priority, data interface{}) {
if len(c.alertsChan) > maxQueuedAlerts-1 {
// pop oldest alert if channel is full
log.Debug("PostAlert() queue full, popping alert (%d)", len(c.alertsChan))
<-c.alertsChan
}
if c.Connected() == false {
log.Debug("UI not connected, queueing alert: %d", len(c.alertsChan))
}
c.alertsChan <- *NewAlert(atype, awhat, action, prio, data)
}
allow to configure process monitor method in daemon config Added ProcMonitorMethod, which can be "proc", "ftrace" or "audit". Parameters passed by command line take prevalence over default configuration. breaking changes: config options changed from xx_yy to XxYy. Config example: { "DefaultAction": "allow", "DefaultDuration": "once", "InterceptUnknown": true, "ProcMonitorMethod": "audit" }
2020-03-16 01:37:33 +01:00
func (c *Client) monitorConfigWorker() {
allow to configure unknown conns interception /etc/opensnitchd/default-config.json can now contain "intercept_unknown": true|false
2019-11-01 01:00:10 +01:00
for {
select {
case event := <-c.configWatcher.Events:
if (event.Op&fsnotify.Write == fsnotify.Write) || (event.Op&fsnotify.Remove == fsnotify.Remove) {
Allow to change settings from the UI (1/2) We start receiving notifications from the UI, which allow us to change configurations and perform actions on the daemon. The concept of Node has also been introduced, which identifies every daemon (client) connected to the UI (server). These options has been added: - Enable/Disable firewall interception (for all nodes) - Change daemons (clients) configuration. globally or per node. - Change prompt dialog options. We have fixed some bugs along the way: - Close audit client connection gracefully. - Exclude our own connections from being intercepted. - Better handling of client connection status with the UI. We probably has also introduced some other bugs (not listed here).
2020-04-19 20:13:31 +02:00
c.loadDiskConfiguration(true)
allow to configure unknown conns interception /etc/opensnitchd/default-config.json can now contain "intercept_unknown": true|false
2019-11-01 01:00:10 +01:00
}
}
}
}
Reference in a new issue Copy permalink