There's a new way of blocking lists of domains:
https://github.com/evilsocket/opensnitch/wiki/block-lists
However, updating the lists is not implemented yet. You can use
this or another simple script to download and update the lists (in hosts
format).
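An added example of such an updater, written for this page; it is neither the script the note refers to nor code from the opensnitch project. It assumes the lists directory /etc/opensnitchd/blocklists (a guess at where a "lists" rule reads its files) and a NAME URL argument convention; the embedded sample list is constructed. Besides downloading, it normalizes each list to "0.0.0.0 name" lines, drops the localhost boilerplate and anything that is not a hostname, and installs the file through a rename so the daemon never reads a half-written list:

```go
package main

import (
	"bufio"
	"fmt"
	"io"
	"net/http"
	"os"
	"regexp"
	"strings"
	"time"
)

const listsDir = "/etc/opensnitchd/blocklists" // assumed: where a "lists" rule reads from

// Constructed sample of a downloaded list: typical boilerplate plus junk entries.
const sampleList = `# Title: constructed sample list
127.0.0.1 localhost
0.0.0.0 0.0.0.0
0.0.0.0 Ads.Example.com   # trailing comment
0.0.0.0 ads.example.com
0.0.0.0 bad-.example.net
127.0.0.1 telemetry.example.org cdn.example.org
`

var (
	sinkAddrs = map[string]bool{"0.0.0.0": true, "127.0.0.1": true, "::": true, "::1": true}
	// Lowercase RFC 1123 name with a letters-only TLD: no "localhost", no bare IPs.
	hostRe = regexp.MustCompile(`^([a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$`)
)

// NormalizeHosts rewrites a raw hosts-format list as canonical "0.0.0.0 <name>"
// lines: comments stripped, names lowercased, duplicates and junk dropped.
func NormalizeHosts(r io.Reader) ([]string, error) {
	seen := map[string]bool{}
	var out []string
	sc := bufio.NewScanner(r)
	for sc.Scan() {
		line := sc.Text()
		if i := strings.IndexByte(line, '#'); i >= 0 {
			line = line[:i]
		}
		fields := strings.Fields(line)
		if len(fields) < 2 || !sinkAddrs[fields[0]] {
			continue
		}
		for _, name := range fields[1:] {
			name = strings.TrimSuffix(strings.ToLower(name), ".")
			if len(name) <= 253 && hostRe.MatchString(name) && !seen[name] {
				seen[name] = true
				out = append(out, "0.0.0.0 "+name)
			}
		}
	}
	return out, sc.Err()
}

// WriteAtomic installs dir/name via temp file + rename, so the daemon never reads
// a half-written list. Keep dir root-owned: whoever edits it decides what is blocked.
func WriteAtomic(dir, name string, lines []string) error {
	tmp := dir + "/." + name + ".tmp"
	if err := os.WriteFile(tmp, []byte(strings.Join(lines, "\n")+"\n"), 0o644); err != nil {
		return err
	}
	return os.Rename(tmp, dir+"/"+name)
}

// fetchAndStore downloads one list (size-capped) and installs it as listsDir/<name>.
func fetchAndStore(c *http.Client, url, name string) error {
	resp, err := c.Get(url)
	if err != nil {
		return err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		return fmt.Errorf("%s: HTTP %d", url, resp.StatusCode)
	}
	lines, err := NormalizeHosts(io.LimitReader(resp.Body, 64<<20))
	if err != nil {
		return err
	}
	return WriteAtomic(listsDir, name, lines)
}

// Usage: NAME URL [NAME URL ...]; with no arguments, normalize and print the sample.
func main() {
	if len(os.Args) < 3 {
		lines, _ := NormalizeHosts(strings.NewReader(sampleList))
		fmt.Println(strings.Join(lines, "\n"))
		return
	}
	client := &http.Client{Timeout: 60 * time.Second}
	for i := 1; i+1 < len(os.Args); i += 2 {
		if err := fetchAndStore(client, os.Args[i+1], os.Args[i]); err != nil {
			fmt.Fprintln(os.Stderr, "error:", err)
			os.Exit(1)
		}
	}
}
```

Run it from a root cron job or systemd timer; the normalization step matters because a list is effectively policy, so a mirror that starts serving odd lines should not be able to push anything but plain hostnames into the daemon.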
Prior to v1.4.x versions, when a pop-up asked the user to allow or deny
a connection, the rest of the network traffic was dropped until an
action was taken.
We fixed it, but when a pop-up was asking to allow or deny a new connection,
we let it pass if the daemon's DefaultAction option was set to
allow, even if the user hadn't taken an action on it yet.
It also caused some confusion: if users had configured the pop-up's
DefaultAction to deny, they expected the connection not to be allowed
until they had decided what to do.
Now the previous behaviour has been restored, with these usage
scenarios:
- If the GUI is connected + daemon DefaultAction set to allow or deny.
Result:
1. Prompt the user to allow or deny the new connection.
2. Deny the new connection until the user takes an action on it.
3. Allow the rest of traffic, allowing known connections, and
denying new ones until the active pop-up is closed and we can
prompt the user again.
- GUI disconnected.
Result:
1. Apply daemon's DefaultAction from the configuration file
default-config.json.
closes: #392
- Fixed refreshing the rules list after deleting a rule(s).
(There was an annoying delay).
- Added button to delete connections associated with a rule, from the
details view of a rule. (related: #334).
Sometimes, processes that establish connections to localhost are only
found in /proc/net/* files. So if we fail to get the PID of a
connection, we fall back to the legacy method to find it.
Added basic nftables support, which adds the needed rules to intercept
outgoing network traffic and DNS responses. System rules will be added
soon.
Which netfilter subsystem to use is determined as follows:
- nftables: if the _iptables_ binary is not present in the system, or
if the iptables version (iptables -V) is
"iptables vX.Y.Z (nf_tables)".
- iptables: in all other cases.
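The selection rule above, as an added example written for this page rather than the daemon's own code. The decision is kept in a pure function fed by a separate probe, so it can be checked against the banners the two iptables front ends print ("(nf_tables)" for iptables-nft, "(legacy)" or nothing for the legacy binary). Treating a failed probe as "not present" is this example's choice:

```go
package main

import (
	"fmt"
	"os/exec"
	"regexp"
	"strings"
)

// Backend names as this example reports them.
const (
	BackendIptables = "iptables"
	BackendNftables = "nftables"
)

// nfTablesBanner matches "iptables v1.8.7 (nf_tables)", what the iptables-nft
// front end prints for "iptables -V"; the legacy front end prints "(legacy)"
// and older releases print only the version.
var nfTablesBanner = regexp.MustCompile(`^iptables v[0-9.]+ \(nf_tables\)`)

// SelectBackend applies the rule from the text: nftables when there is no
// iptables binary or when its banner says it is the nf_tables front end,
// iptables otherwise. Inputs are explicit so the rule is testable offline.
func SelectBackend(found bool, banner string) string {
	if !found || nfTablesBanner.MatchString(strings.TrimSpace(banner)) {
		return BackendNftables
	}
	return BackendIptables
}

// DetectBackend probes the running system: looks for iptables in $PATH and
// runs "iptables -V". A binary that cannot be run is treated as absent,
// since the daemon could not drive it either.
func DetectBackend() string {
	path, err := exec.LookPath("iptables")
	if err != nil {
		return SelectBackend(false, "")
	}
	out, err := exec.Command(path, "-V").CombinedOutput()
	if err != nil {
		return SelectBackend(false, "")
	}
	return SelectBackend(true, string(out))
}

func main() {
	fmt.Println("netfilter backend:", DetectBackend())
}
```

On Debian-style systems the iptables name is an update-alternatives link, so the banner reflects whichever front end is currently selected, which is exactly what the daemon needs to agree with: mixing nf_tables and legacy xtables rules on one box is how rules silently stop matching.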
When the Duration of a rule changed (from 1h to 5m, from 5m to until
restart, etc.), the timer of the old rule fired, causing the rule to be
deleted from the list.
This erroneous behaviour could be one of the causes of #429.
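The failure described above, with one way to close it, as an added example that is not the daemon's rule code. A rule table keeps a timer per temporary rule; replacing a rule stops the old timer, and because a timer that has already fired may be waiting on the lock, each rule also carries a generation counter that the expiry callback checks before deleting anything. Rule, Store and the Expired callback are names invented for the example:

```go
package main

import (
	"fmt"
	"sync"
	"time"
)

// Rule is a minimal stand-in for a temporary opensnitch rule; Duration 0
// means "until restart" (no timer at all).
type Rule struct {
	Name     string
	Duration time.Duration
}

// entry keeps the rule, its expiry timer and a generation counter; the
// generation is how a late-firing timer learns that the rule was replaced.
type entry struct {
	rule  Rule
	gen   uint64
	timer *time.Timer
}

// Store is a rule table with per-rule expiry. Expired, if set, is invoked
// (outside the lock) whenever a rule really times out.
type Store struct {
	mu      sync.Mutex
	rules   map[string]*entry
	Expired func(name string)
}

func NewStore() *Store { return &Store{rules: map[string]*entry{}} }

// Add installs or replaces a rule. The previous timer is stopped, and the
// generation is bumped so a timer that already fired and is waiting on the
// lock cannot delete the replacement (the 5m -> 1h case from the text).
func (s *Store) Add(r Rule) {
	s.mu.Lock()
	defer s.mu.Unlock()
	e, ok := s.rules[r.Name]
	if !ok {
		e = &entry{}
		s.rules[r.Name] = e
	} else if e.timer != nil {
		e.timer.Stop()
	}
	e.rule, e.gen, e.timer = r, e.gen+1, nil
	if r.Duration > 0 {
		gen := e.gen
		e.timer = time.AfterFunc(r.Duration, func() { s.expire(r.Name, gen) })
	}
}

// expire removes the rule only if it is still the generation the timer was
// armed for.
func (s *Store) expire(name string, gen uint64) {
	s.mu.Lock()
	e, ok := s.rules[name]
	if !ok || e.gen != gen {
		s.mu.Unlock()
		return
	}
	delete(s.rules, name)
	cb := s.Expired
	s.mu.Unlock()
	if cb != nil {
		cb(name)
	}
}

// Get returns the active rule, if any.
func (s *Store) Get(name string) (Rule, bool) {
	s.mu.Lock()
	defer s.mu.Unlock()
	if e, ok := s.rules[name]; ok {
		return e.rule, true
	}
	return Rule{}, false
}

// Delete removes a rule explicitly and cancels its timer.
func (s *Store) Delete(name string) {
	s.mu.Lock()
	defer s.mu.Unlock()
	if e, ok := s.rules[name]; ok {
		if e.timer != nil {
			e.timer.Stop()
		}
		delete(s.rules, name)
	}
}

func main() {
	s := NewStore()
	s.Expired = func(n string) { fmt.Println("expired:", n) }
	s.Add(Rule{Name: "curl-allow", Duration: 20 * time.Millisecond})
	s.Add(Rule{Name: "curl-allow", Duration: 500 * time.Millisecond}) // user changed 5m -> 1h
	time.Sleep(100 * time.Millisecond)
	_, ok := s.Get("curl-allow")
	fmt.Println("still present after the old timer would have fired:", ok)
}
```

Stop() alone is not enough: it returns false once the callback has started, and by then the callback may be blocked on the mutex that Add holds, so without the generation check it would delete the rule the user just lengthened.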
There was a race condition that caused several problems when editing or
adding rules.
For rules of type "list", the operand must be "list" as well.
related: #429, #425
When enabling the eBPF monitor method we dump the active connections,
but in some cases there are no active connections, and because of this
we fail to enable this monitor method.
If there are no connections established, netlink returns 0 entries. It's
not clear whether it's an indication of error in some cases or the expected
result.
Either way:
- fail only if we're unable to load the eBPF module.
- dump TCP IPv6 connections only if IPv6 is enabled in the system.
It'd probably be a good idea to write a module and encapsulate all the
functionality of the fields in funcs(), to lock them properly
(get/set maps, etc.).
TODO: replace monitorLocalAddress() with
netlink.AddrSubscribeWithOptions(), to receive address events
asynchronously.
Sometimes when a new connection is about to be established, we don't get
the PID of the process using the eBPF proc monitor method. But in some
rare situations, the kernel still holds information about the connection
(sock_diag struct basically). We assume that these connections are
initiated from kernel space.
Per some debugging, this doesn't seem to be always the root cause, so
these connections will only be shown if InterceptUnknown config field is
set to true.
As we've added the eBPF interception method, we need the Go iovisor ebpf
package, which is not packaged for Debian yet, so the way I was compiling it
differs a little (instead of using gbp buildpackage,
dpkg-buildpackage is used).
Aside from that, there'll be a new eBPF module (.o ELF), which must be
shipped with the packages. It will be compiled on the fly, but maybe it
could be hosted in the repo, because it won't change that much.
- disable clicks when the user enters into the details of an item
(process, host, user, etc).
- fixed displaying the button to inspect a process.
- improved listing connections of a process.
- By default there was no limit on the number of events to display. If the
user had the GUI open for a long period of time, that could lead to
excessive CPU usage and thus a bad user experience. So by default
it is set to 50.
- pop-ups: Fixed crash when getting malformed icons from .desktop
files.
My OS comes with grpcio-tools 1.36.1, which seems to work fine, so it
would be nice to allow the ui to use that instead of building 1.10.1
specifically for opensnitch.
- pop-ups: allow to configure if the "advanced view" is displayed
by default or not.
- pop-ups: allow to configure 3 more fields to filter connections by.
- services.py: fixed typo that caused an error when displaying a
message.
closes #399.
On systems that have been running for a long time (for example 552
days) we were failing to parse the starttime field:
```
Could not find or convert Starttime. This should never happen.
Please report this incident to the Opensnitch developers:
strconv.Atoi: parsing "4242026842": value out of range
```
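The overflow above reproduced and avoided, as an added example that is not the daemon's process-monitor code. Field 22 of /proc/<pid>/stat is the process start time in clock ticks since boot, printed by the kernel as an unsigned 64-bit value; strconv.Atoi parses into Go's int, which is 32 bits wide on 32-bit builds, so it rejects anything over 2147483647 (about 248 days at 100 Hz). The stat line here is constructed, with a comm that contains spaces and a ')' to show why the line must be split at the last ')':

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"strconv"
	"strings"
)

// Constructed /proc/<pid>/stat line. starttime (field 22) carries the value
// from the error above; comm contains spaces and a ')' on purpose, since the
// only safe split point is the LAST ')'.
const sampleStat = "1234 (a b) c) S 1 1234 1234 0 -1 4194560 123 0 0 0 5 3 0 0 20 0 1 0 4242026842 1048576 256 18446744073709551615 0 0 0 0 0 0 0 0 0 0 0 0 17 0 0 0 0 0 0"

// Atoi32 mimics strconv.Atoi on a 32-bit build, where int is 32 bits wide:
// anything past 2147483647 ticks (about 248 days at 100 Hz) is ErrRange.
func Atoi32(s string) (int64, error) {
	return strconv.ParseInt(s, 10, 32)
}

// StartTime returns field 22 of a stat line as uint64 ticks since boot, the
// width the kernel itself uses for the field, so long uptimes cannot overflow it.
func StartTime(stat string) (uint64, error) {
	end := strings.LastIndexByte(stat, ')')
	if end < 0 {
		return 0, errors.New("stat: comm field not terminated")
	}
	// Everything after comm starts at field 3 (state), so field 22 is index 19.
	rest := strings.Fields(stat[end+1:])
	if len(rest) < 20 {
		return 0, fmt.Errorf("stat: only %d fields after comm", len(rest))
	}
	return strconv.ParseUint(rest[19], 10, 64)
}

// ReadStartTime reads /proc/<pid>/stat and parses it.
func ReadStartTime(pid int) (uint64, error) {
	data, err := os.ReadFile(fmt.Sprintf("/proc/%d/stat", pid))
	if err != nil {
		return 0, err
	}
	return StartTime(string(data))
}

func main() {
	if _, err := Atoi32("4242026842"); err != nil {
		fmt.Println("32-bit Atoi:", err) // reproduces the error from the message
	}
	ticks, err := StartTime(sampleStat)
	fmt.Println("sample starttime ticks:", ticks, err)
	if own, err := ReadStartTime(os.Getpid()); err == nil {
		fmt.Println("this process started at tick", own)
	}
}
```

Splitting at the last ')' also matters for a firewall that keys decisions on process identity: comm is attacker-influenced (it is the executable's basename, truncated to 15 bytes), so a process named "x) S 1 1 1" must not be able to shift the field positions of everything parsed after it.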
- extra: fixed tests.
- Updates of the GUI must occur on the main thread of the app. AskRule,
Ping, Subscribe and Notifications run on a different thread.
- Fixed paused state when the daemon is running (and paused) and the GUI
is launched.
- Moved functionality to its own file/class.
- removed unused import time.
- allow to pause/start interception from tray contextual menu.
- improved case when the daemon is in paused state, and the GUI is
launched.
There's more work yet to do to improve the states when there are several
nodes connected.
closes #398