added more logs for better issues debugging
- Log the packet mark, which may help when debugging VPN connections, for example. - Log the nfqueue number when we fail to set up the queue. * Suggest restarting the computer in one particular case (#912).
This commit is contained in:
parent
74b6bc2c29
commit
19890062ff
3 changed files with 16 additions and 10 deletions
@ -71,7 +71,7 @@ func newConnectionImpl(nfp *netfilter.Packet, c *Connection, protoType string) (
|
|||
if c.parseDirection(protoType) == false {
|
||||
return nil, nil
|
||||
}
|
||||
log.Debug("new connection %s => %d:%v -> %v (%s):%d uid: %d", c.Protocol, c.SrcPort, c.SrcIP, c.DstIP, c.DstHost, c.DstPort, nfp.UID)
|
||||
log.Debug("new connection %s => %d:%v -> %v (%s):%d uid: %d, mark: %x", c.Protocol, c.SrcPort, c.SrcIP, c.DstIP, c.DstHost, c.DstPort, nfp.UID, nfp.Mark)
|
||||
|
||||
c.Entry = &netstat.Entry{
|
||||
Proto: c.Protocol,
|
||||
|
|
|
@ -441,14 +441,14 @@ func acceptOrDeny(packet *netfilter.Packet, con *conman.Connection) *rule.Rule {
|
|||
if r.Operator.Operand == rule.OpTrue {
|
||||
ruleName = log.Dim(r.Name)
|
||||
}
|
||||
log.Debug("%s %s -> %d:%s => %s:%d (%s)", log.Bold(log.Green("✔")), log.Bold(con.Process.Path), con.SrcPort, log.Bold(con.SrcIP.String()), log.Bold(con.To()), con.DstPort, ruleName)
|
||||
log.Debug("%s %s -> %d:%s => %s:%d, mark: %x (%s)", log.Bold(log.Green("✔")), log.Bold(con.Process.Path), con.SrcPort, log.Bold(con.SrcIP.String()), log.Bold(con.To()), con.DstPort, packet.Mark, ruleName)
|
||||
} else {
|
||||
if r.Action == rule.Reject {
|
||||
netlink.KillSocket(con.Protocol, con.SrcIP, con.SrcPort, con.DstIP, con.DstPort)
|
||||
}
|
||||
packet.SetVerdict(netfilter.NF_DROP)
|
||||
|
||||
log.Debug("%s %s -> %d:%s => %s:%d (%s)", log.Bold(log.Red("✘")), log.Bold(con.Process.Path), con.SrcPort, log.Bold(con.SrcIP.String()), log.Bold(con.To()), con.DstPort, log.Red(r.Name))
|
||||
log.Debug("%s %s -> %d:%s => %s:%d, mark: %x (%s)", log.Bold(log.Red("✘")), log.Bold(con.Process.Path), con.SrcPort, log.Bold(con.SrcIP.String()), log.Bold(con.To()), con.DstPort, packet.Mark, log.Red(r.Name))
|
||||
}
|
||||
|
||||
return r
|
||||
|
|
|
@ -13,12 +13,14 @@ import (
|
|||
"fmt"
|
||||
"os"
|
||||
"sync"
|
||||
"syscall"
|
||||
"time"
|
||||
"unsafe"
|
||||
|
||||
"github.com/evilsocket/opensnitch/daemon/log"
|
||||
"github.com/google/gopacket"
|
||||
"github.com/google/gopacket/layers"
|
||||
"golang.org/x/sys/unix"
|
||||
)
|
||||
|
||||
const (
|
||||
|
@ -84,13 +86,17 @@ func (q *Queue) create(queueID uint16) (err error) {
|
|||
if q.h, err = C.nfq_open(); err != nil {
|
||||
return fmt.Errorf("Error opening Queue handle: %v", err)
|
||||
} else if ret, err = C.nfq_unbind_pf(q.h, AF_INET); err != nil || ret < 0 {
|
||||
return fmt.Errorf("Error unbinding existing q handler from AF_INET protocol family: %v", err)
|
||||
errmsg := fmt.Errorf("Error %d unbinding existing q handler from AF_INET protocol family: %v", ret, err)
|
||||
if syscall.Errno(ret) == unix.EINVAL {
|
||||
errmsg = fmt.Errorf("%s\nRestarting your computer may help to solve this error (see issues: #323 and #912 for more information)", errmsg)
|
||||
}
|
||||
return errmsg
|
||||
} else if ret, err = C.nfq_unbind_pf(q.h, AF_INET6); err != nil || ret < 0 {
|
||||
return fmt.Errorf("Error unbinding existing q handler from AF_INET6 protocol family: %v", err)
|
||||
return fmt.Errorf("Error (%d) unbinding existing q handler from AF_INET6 protocol family: %v", ret, err)
|
||||
} else if ret, err := C.nfq_bind_pf(q.h, AF_INET); err != nil || ret < 0 {
|
||||
return fmt.Errorf("Error binding to AF_INET protocol family: %v", err)
|
||||
return fmt.Errorf("Error (%d) binding to AF_INET protocol family: %v", ret, err)
|
||||
} else if ret, err := C.nfq_bind_pf(q.h, AF_INET6); err != nil || ret < 0 {
|
||||
return fmt.Errorf("Error binding to AF_INET6 protocol family: %v", err)
|
||||
return fmt.Errorf("Error (%d) binding to AF_INET6 protocol family: %v", ret, err)
|
||||
} else if q.qh, err = C.CreateQueue(q.h, C.uint16_t(queueID), C.uint32_t(q.idx)); err != nil || q.qh == nil {
|
||||
q.destroy()
|
||||
return fmt.Errorf("Error binding to queue: %v", err)
|
||||
|
@ -150,7 +156,7 @@ func (q *Queue) Close() {
|
|||
func (q *Queue) destroy() {
|
||||
// we'll try to exit cleanly, but sometimes nfqueue gets stuck
|
||||
time.AfterFunc(5*time.Second, func() {
|
||||
log.Warning("queue stuck, closing by timeout")
|
||||
log.Warning("queue (%d) stuck, closing by timeout", q.idx)
|
||||
if q != nil {
|
||||
C.close(q.fd)
|
||||
q.closeNfq()
|
||||
|
@ -161,7 +167,7 @@ func (q *Queue) destroy() {
|
|||
C.nfq_unbind_pf(q.h, AF_INET6)
|
||||
if q.qh != nil {
|
||||
if ret := C.nfq_destroy_queue(q.qh); ret != 0 {
|
||||
log.Warning("Queue.destroy(), nfq_destroy_queue() not closed: %d", ret)
|
||||
log.Warning("Queue.destroy() idx=%d, nfq_destroy_queue() not closed: %d", q.idx, ret)
|
||||
}
|
||||
}
|
||||
|
||||
|
@ -171,7 +177,7 @@ func (q *Queue) destroy() {
|
|||
func (q *Queue) closeNfq() {
|
||||
if q.h != nil {
|
||||
if ret := C.nfq_close(q.h); ret != 0 {
|
||||
log.Warning("Queue.destroy(), nfq_close() not closed: %d", ret)
|
||||
log.Warning("Queue.destroy() idx=%d, nfq_close() not closed: %d", q.idx, ret)
|
||||
}
|
||||
}
|
||||
}
|
||||
|
|
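Review bot: The new `if syscall.Errno(ret) == unix.EINVAL` check in the AF_INET unbind branch of create() looks like it can never be true: `ret` is the library's return code, which the surrounding `ret < 0` guard already treats as negative, and converting a negative value to `syscall.Errno` wraps to a large unsigned number that will not equal EINVAL, while the errno itself is what cgo hands back in `err`. If the intent is to match the "invalid argument" case referenced by #323/#912, test `err` instead, `if err == unix.EINVAL {` (unix.EINVAL is a syscall.Errno, so the comparison against the `error` interface is valid without a new import). That change may leave the `syscall` import added in this commit unused if nothing else in the file uses it, which I cannot see from here; using `%w` rather than `%s` when wrapping `errmsg` would also keep the errno inspectable by callers. create() begins before this hunk and its body continues past the last line shown.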