Allow to cypher channel communications with certificates.
There are 3 authentication types: simple, tls-simple and tls-mutual.
- 'simple' wont't cypher communications.
- 'tls-simple' uses a server key and certificate for the server, and a
common CA certificate or the server certificate to authenticate all
nodes.
- 'tls-mutual' uses a server key and certificate for the server, and a
client key and certificate per node.
There are 2 options to verify how gRPC validates credentials:
- SkipVerify: https://pkg.go.dev/crypto/tls#Config
- ClientAuthType: https://pkg.go.dev/crypto/tls#ClientAuthType
Example configuration:
"Server": {
"Address": "127.0.0.1:12345",
"Authentication": {
"Type": "tls-simple",
"TLSOptions": {
"CACert": "/etc/opensnitchd/auth/ca-cert.pem",
"ServerCert": "/etc/opensnitchd/auth/server-cert.pem",
"ClientCert": "/etc/opensnitchd/auth/client-cert.pem",
"ClientKey": "/etc/opensnitchd/auth/client-key.pem",
"SkipVerify": false,
"ClientAuthType": "req-and-verify-cert"
}
}
}
More info: https://github.com/evilsocket/opensnitch/wiki/Nodes
- Use Message util.
Maybe it'd be better to display a desktop notification for a more
better experience, or a dialog box if notify2 is not installed.
- Translate warning message.
* require pyxdg
* extend xdg, introduce autostart
* use xdg_current_desktop from opensnitch.utils.xdg
* control autostart in tray
* dont use pkill anymore
* check if os-ui is already running
* don't require pyxdg (for now)
* simplify xdg_current_desktop
* do not use pyxdg (for now), use some code from there
* update autostart status when menu is open
* fix possible SameFileError
There have been some issues (#673) informing that the notifications
timeout were not working on KDE.
On 843412d I wrote that the timeout unit is millisecond, as stated on
the docs here:
https://notify2.readthedocs.io/en/latest/#notify2.Notification.set_timeout
But after some trial and error:
- set_timeout() units are in seconds, at least for KDE 5.26.3, Xfce
4.18 and GNOME 43.
- not specifying the timeout with set_timeout() lets the Desktop
Environment handle the timeout for us, from their respective
preferences window.
So at least now there're some DEs where the notifications are closed as
expected.
- Previously we only supported multiple ICMP types on the same rule
by adding multiple keys:
Key: type
Value: echo-request
Key: type
Value: echo-reply
Now it's possible to specify them using ',':
Key: type
Value: echo-request,echo-reply
- Validate ICMP types before adding them.
* There was a situation where the details of an app rule was not being
displayed correctly:
- on the tab rules select any system fw rule.
- go to the Events tab
- double click on the Rule column to view the details.
- instead of the app rules details, the list of system fw rules was
displayed.
* On the other hand, when going back from the details view, the list of
rules was not being refreshed correctly.
In this situation now we select the Application rules view.
- fsnotify notifies 2 WRITE events sometimes (known bug), which leads to
read 0 bytes one of the times.
As now we send these errors to the GUI, on some systems we were
displaying an error reading the config, which was not really the case.
- Only parse the config before writing it to disk, instead of call the
load() method.
make it more nftables style:
ip daddr 127.0.0.1 tcp dport 53 accept
instead of:
ip daddr == 127.0.0.1 tcp dport == 53 accept
It'll be easier to translate our rules to nftables rules in this way.
- Fixed setting the protocol of a dport/sport statement.
- Fixed translating ports to service name, and back (/etc/service).
- Enable Save button when modifying the description of a rule.
