- Removed hardcoded sizes for buttons.
- Buttons horizontal layout adjusted to properly show the countdown
(#1274).
Note:
'Maximum' vertical policy does not seem to work with qt-material
and QToolButton, the button height is resized to 0. 'Preferred' seems
to work as expected.
The GUI and daemon versions are displayed in 2 different locations:
- ui: in the title of the main window.
- daemon: in the lower right corner.
Now instead of showing the daemon version as "Version: x.y.z", we
show "Daemon version: x.y.z".
Closes: #1278
We were not matching the end of the domain, which could lead to allowing
more domains than expected.
Kudos to @FWDekker for reporting this issue.
Closes: #1264
When saving the preferences, we check if the user changed the address of
the node. Usually the current node address is the same as the one
loaded, but some gRPC versions do not report it, so we use
"unix:/local" as the address of the node.
As this address is different than the one configured, we were displaying
unnecessary restart messages to the users.
- Minimize the risk of race conditions when we're prompting the user to
allow/deny a connection, while we're still reading proc's environ file.
(this was actually a leak).
- Preallocate the Env map with the expected environ vars.
Some use cases:
- Reject connections initiated by certain paths:
  Deny all connections initiated by cron*:
    /usr/sbin/cron
      /usr/bin/curl

    "action": "reject",
    "operator": {
      "type": "list",
      "operand": "list",
      "data": "",
      "list": [
        {
          "type": "regexp",
          "operand": "process.parent.path",
          // /usr/bin/crond , /usr/bin/crontab, ...
          "data": "^/usr/(s|)bin/cron"
        }
      ]
    }
- Reject or Allow connections of binaries launched by another app:

    "action": "allow",
    "operator": {
      "type": "list",
      "operand": "list",
      "data": "",
      "list": [
        {
          "type": "simple",
          "operand": "process.parent.path",
          "data": "/opt/spotify/bin/spotify"
        },
        {
          "type": "simple",
          "operand": "process.path",
          "data": "/usr/bin/wget"
        }
      ]
    }
You can also combine multiple parent paths, to allow a command launched
from a specific chain of processes:
    /usr/lib/systemd/systemd
      /usr/sbin/cron
        /bin/sh
          /usr/bin/curl
The order is checked from the newest process to the oldest (curl -> sh
-> cron -> systemd).
The operand can be used with any of the existing types (simple, regexp,
etc).
Related: #406
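Added example (not part of the commit message or of OpenSnitch's code): a small Go evaluator for the two operators above, run against the cron process chain. It assumes process.parent.path matches when any ancestor matches and that every entry of a "list" must match; Operator, Match and matchValue are hypothetical names, and the process chains are constructed.

```go
package main

import (
	"fmt"
	"regexp"
)

// Operator holds the rule fields shown above (illustrative, not OpenSnitch's type).
type Operator struct {
	Type, Operand, Data string
	List                []Operator
}
// CronReject and SpotifyWget are the two "operator" objects from the text.
var CronReject = Operator{Type: "list", Operand: "list", List: []Operator{
	{Type: "regexp", Operand: "process.parent.path", Data: "^/usr/(s|)bin/cron"}}}
var SpotifyWget = Operator{Type: "list", Operand: "list", List: []Operator{
	{Type: "simple", Operand: "process.parent.path", Data: "/opt/spotify/bin/spotify"},
	{Type: "simple", Operand: "process.path", Data: "/usr/bin/wget"}}}

func matchValue(op Operator, v string) bool {
	if op.Type != "regexp" {
		return op.Data == v // "simple": exact string comparison
	}
	ok, err := regexp.MatchString(op.Data, v) // unanchored unless Data has ^ or $
	return err == nil && ok
}

// Match assumes process.parent.path matches if any ancestor (parents, newest
// to oldest) matches, and that every entry of a "list" must match.
func Match(op Operator, path string, parents []string) bool {
	if op.Operand == "list" {
		for _, sub := range op.List {
			if !Match(sub, path, parents) {
				return false
			}
		}
		return len(op.List) > 0
	}
	values := map[string][]string{"process.path": {path}, "process.parent.path": parents}
	for _, v := range values[op.Operand] {
		if matchValue(op, v) {
			return true
		}
	}
	return false
}

func main() { // constructed chain: curl <- sh <- cron <- systemd
	fmt.Println(Match(CronReject, "/usr/bin/curl", []string{"/bin/sh", "/usr/sbin/cron", "/usr/lib/systemd/systemd"}))
}
```

Because the regexp has no trailing `$`, a parent such as /usr/bin/crond also matches, while /usr/local/bin/cron does not because of the leading `^`.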
In some distros like Ubuntu 25, we were not displaying the fw button
icon, which made the button practically hidden to the user.
We assumed that if 'document-new' or 'emblem' icons were available,
the rest of the icons would be available as well, so we wouldn't need
to fall back to Qt's builtin icons.
However on Ubuntu 25 for example, despite 'document-new' being
available, the icon 'security-high' was not being displayed when it was
loaded from the stats.ui file.
Loading it from code with QIcon.fromTheme() works fine, and even if
it's not found (which sometimes happens), we'd fall back to Qt's builtin
icons.
Other icons may be optional, but icons without text need to have an
icon always.
- minor formatting change.
- removed unused code.
Disabled rules were part of the active rules. The fields were not
evaluated, but we still went through the entire list.
Not adding them to the list of active rules improves matching time,
especially when there are a lot of disabled rules.
This mainly had an effect when matching rules that were non-priority or
ordered alphabetically, with action Allow.
This commit does not change behaviour but reduces the multitude of text
arguments of format() down to one.
Ref: c5e24c04f1 ("ui,netstat: allow to filter listed connections")
- daemon: Allow to dump XDP sockets from kernel.
- ui: Added options to filter by RAW protocol and AF_XDP family.
- Bumped vishvananda/netlink version to v1.3.0.
- Updated go.mod and go.sum
Sometimes we may receive a connection event after the exit of a
process:
[exec] /bin/xxx, pid 1234
[exit] /bin/xxx, pid 1234
[new conn] pid 1234 -> process unknown (on exec event and no /proc entry)
In these scenarios, we delay the deletion from cache a little
bit, to keep the PID available for a longer time.
We were failing to add system fw rules when the user selected a
destination port by service name.
We allow specifying port ranges with '-' (8080-8088), and as some
service names contain '-' in the name (ftp-data, netbios-ns), it was
failing.
- changed formatting.
- extract source IPs from UDP packets from ancillary messages.
- hook inet_dgram_connect to solve intercepting some apps (parsec).
- remove debugging / unused code.
More info on these changes:
fbdef1673d20a03e11fef44d3e896b93d1cefbc2
Closes: #1246.
Fixes error when running `opensnitch-ui` again:
> if service:
> ^^^^^^^
> NameError: name 'service' is not defined. Did you mean: 'UIService'?
Fixes: cdf93c72c1 ("ui: fixed delay closing the GUI")