Up until now we loaded the eBPF modules from /etc/opensnitchd.
However there have been some problems upgrading the modules to newer
versions with the deb packages, because every file under /etc/ is
treated as a conffile, and whenever a conffile changes it prompts you
whether to update it or not. Some users decided not to upgrade it, ending up with
eBPF modules incompatible with the new daemon.
https://www.debian.org/doc/manuals/maint-guide/dother.en.html#conffiles
On the other hand, the FHS dictates that /etc/ is for configuration
files, and /usr/lib for object files:
"/usr/lib includes object files and libraries. [21] On some systems,
it may also include internal binaries that are not intended to be
executed directly by users or shell scripts."
https://refspecs.linuxfoundation.org/FHS_3.0/fhs/ch04s06.html
So now, we look for the eBPF modules under /usr/local/lib/opensnitchd/ebpf/
or /usr/lib/opensnitchd/ebpf/, and as a last resort under
/etc/opensnitchd/
"$XDG_RUNTIME_DIR defines the base directory relative to which user-specific
non-essential runtime files and other file objects (such as sockets,
named pipes, ...) should be stored. The directory MUST be owned by the
user, and he MUST be the only one having read and write access to it.
Its Unix access mode MUST be 0700."
https://specifications.freedesktop.org/basedir-spec/basedir-spec-latest.html
Up until now some error and warning messages were only logged to the
system, not letting the user know what was happening under the hood.
Now the following events are notified:
- eBPF related errors.
- netfilter queue errors.
- configuration errors.
WIP, we'll keep improving it and build new features on top of this one.
Up until now, the daemon communicated with the GUI via a unix socket,
stored in /tmp.
/tmp however can be erased at any time (tmpreaper, systemd-tmpfiles.d),
which may lead to the removal of our unix socket file, and hence losing the
connection with the daemon.
Now the user has the option to store the socket file under
/run/user/$uid/opensnitch/
https://www.linuxbase.org/betaspecs/fhs/fhs.html#runRuntimeVariableData
In the future we may switch to this path by default.
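As an added example (not OpenSnitch's own code), a Go check of the runtime-directory requirements quoted above (owned by the user, mode 0700) before placing the socket under /run/user/$uid/opensnitch/, with the legacy /tmp location kept as the default; the socket file name osui.sock, the runtimeBase parameter and the function names are assumptions.

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
	"strconv"
	"syscall"
)

// checkRuntimeDir verifies the basedir-spec requirements for a per-user
// runtime directory: it exists, is a real directory (symlinks are rejected
// because Lstat is used), is owned by uid and has access mode exactly 0700.
func checkRuntimeDir(dir string, uid int) error {
	fi, err := os.Lstat(dir)
	if err != nil {
		return err
	}
	if !fi.IsDir() {
		return fmt.Errorf("%s: not a directory", dir)
	}
	st, ok := fi.Sys().(*syscall.Stat_t)
	if !ok {
		return fmt.Errorf("%s: cannot read ownership", dir)
	}
	if int(st.Uid) != uid {
		return fmt.Errorf("%s: owned by uid %d, expected %d", dir, st.Uid, uid)
	}
	if perm := fi.Mode().Perm(); perm != 0o700 {
		return fmt.Errorf("%s: mode %04o, expected 0700", dir, perm)
	}
	return nil
}

// socketPath returns where the daemon/GUI unix socket should live. With
// useRuntimeDir set it uses <runtimeBase>/<uid>/opensnitch/ (runtimeBase is
// /run/user in production; it is a parameter here so the check can be tested
// on a temporary tree) and refuses unsafe directories; otherwise it keeps
// the legacy location under /tmp. "osui.sock" is an assumed file name.
func socketPath(useRuntimeDir bool, runtimeBase string, uid int) (string, error) {
	if !useRuntimeDir {
		return filepath.Join(os.TempDir(), "osui.sock"), nil
	}
	userDir := filepath.Join(runtimeBase, strconv.Itoa(uid))
	if err := checkRuntimeDir(userDir, uid); err != nil {
		return "", err
	}
	sockDir := filepath.Join(userDir, "opensnitch")
	if err := os.MkdirAll(sockDir, 0o700); err != nil {
		return "", err
	}
	// A pre-existing subdirectory keeps its old mode, so re-check it too.
	if err := checkRuntimeDir(sockDir, uid); err != nil {
		return "", err
	}
	return filepath.Join(sockDir, "osui.sock"), nil
}

func main() {
	p, err := socketPath(true, "/run/user", os.Getuid())
	if err != nil {
		fmt.Println("runtime dir rejected:", err)
		return
	}
	fmt.Println("socket path:", p)
}
```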
Build eBPF modules whenever a change to the modules is pushed.
It'll fail if there are some warnings.
The action compiles *and publishes* the modules for several branches and
kernels.
Hopefully this will help to automate this process and be more transparent.
It'll also help with issues like this one: #454
Added a helper to easily allow inbound connections, just by selecting
the port where a service is listening on.
Especially useful when the inbound policy is drop and you want to allow a
service (ssh, nfs, etc.).
It's a good practice to filter by command line + process path (and
other parameters), to limit what an application can do.
Thus, if the user selects "from this command line", and the command
launched is not an absolute path to the binary, we'll create a rule
to filter by process path + process cmdline.
Added more options to filter connections by packets' metainformation.
Added: uid, gid, l4proto, protocol and priority.
- When filtering connections by in/out interface, list the available
interfaces in the system, only if the selected node is local.
Added more options to match connections against packets metainformation:
skuid, skgid, l4proto, protocol
Fixed setting mark on packets via meta (although it results in an error
-> [invalid type]).
- Allow to set quotas on connections.
(For example: drop packets if transmitted bytes to port 443 and
ip 1.2.3.4 is over 1GB.)
- Allow to configure log levels.
- Better errors when adding/editing rules.