- Added ability to add a description to the rules.
- Display the description field on the Rules view, and remove the internal
fields (operator, operator_data, etc).
- Added DB migrations.
- Improved rules' executable path field tooltip (#661).
Closes#652#466
Rules of type lists [domains, IPs, network ranges] are reloaded
whenever a file containing the data changes.
One could expect to update these files once or twice a day, but
by updating the files continuously it was possible to cause a leak,
leading to a crash.
- Added lists of IPs and network ranges. One per line. Blank lines or
lines that start with # are ignored.
- Added lists of domains with regular expressions. One per line.
Blank lines or lines that start with # are ignored.
Until now you could use regular expressions with the fields
"To this host" or "To this IP", to match multiple domains or IPs.
But if you wanted to use more than 2-3 domains or IPs it was not really
user friendly.
Hopefully we'll be a little more versatile to cover use cases like #461
and #485.
When blocking a connection via libnetfilter-queue using NF_DROP the
connection is discarded. If the blocked connection is a DNS query, the app
that initiated it will wait until it times out, which is ~30s.
This behaviour can for example cause slowdowns loading web pages: #481
This change adds the option to reject connections by killing the socket
that initiated them.
Denying:
$ time telnet 1.1.1.1 22
Trying 1.1.1.1...
telnet: Unable to connect to remote host: Connection timed out
real 2m10,039s
Rejecting:
$ time telnet 1.1.1.1 22
Trying 1.1.1.1...
telnet: Unable to connect to remote host: Software caused connection abort
real 0m0,005s
Remove \r\n\t\s from the end of each line of a blocklist.
If the entries of a list had these characters caused to not match
connections and not apply the rule.
closes#429
When the Duration of a rule changed (from 1h to 5m, from 5m to until
restart, etc), the timer of the old rule was fired, causing deleting the
rule from the list.
This erroneous behaviour could be one of the reasons of #429
- Delete lists of domains if the rule about to change is of type Lists.
- Monitor the lists of domains, and reload them if they're modified.
- Delete rules from disk when the Duration changes from
Always (saved on disk) to !Always (temporary).
- After the above operation a fsnotify Remove event is fired. Don't
delete the rule from memory if it's temporary.
- Rules are only compiled if they're enabled, avoiding unnecessary
allocations.
Any rule changed on disk caused reloading of all rules, usually
up to three times. This caused some problems.
- Don't compile Operators if the rule is disabled.
- Empty lists of domains if the user disables the rule.
- Delete rule from disk if the duration is not Always anymore.
There're some situations where we need to delete loaded lists:
- When an enabled rule of type Lists is disabled (after changed on
disk, or when configured from the GUI).
- When an enabled rule of type List with an Operator of type Lists is
disabled.
Initial support to filter connections using lists of domains.
The lists must be in hosts format:
- 0.0.0.0 www.domain.com
- 127.0.0.1 www.domain.com
From the rules editor, create a new rule, and select
[x] To this lists of domains
Select a directory with files in hosts format, select [x] Priority rule,
select [x] Deny and click on Apply.
An example of a list in hosts format:
https://www.github.developerdan.com/hosts/lists/ads-and-tracking-extended.txt
Note: you can also add a list of domains to allow, not only domains to
block.
TODOs:
- support for URLs besides directories (local lists).
- support for scheduled updates of the above URLs.
related #298
Every rule has an entry point besides a constructor, which configures
all it needs to match connections, based on user defined criteria (ip,
regexp, etc).
This only needs to be done the first time we load a rule, because the
fields of a rule are static. However for rules of type "lists" we were
iniatializing each rule of this type once per connection that it
matched.
- ui, ruleseditor: added missing operator when using a regular
expression on the DstIP/Net field.
- daemon, rules: ensure that regular expressions are of type string
before evaluating them.
reported here: #333
* unittest: test live reloading of rules
* data files for the previous commit
* tests: move files under /testdata; give better names to rules
Co-authored-by: themighty1 <themighty1>
- Rules are checked in alphabetical order.
- Deny and Priority rules must take precedence.
- If a rule matches and it's Allow-NoPriority, then return the rule.
- Otherwise we'll return nil.
Now you can filter by destination network, for example:
- 127.0.0.1/8
- 192.168.1.0/24
This will ease to solve the request #89 .
Some common network ranges have also been added so you can select them
from a combo box. More info #73.
Added process.id operator operand for future use, in order to filter by
PID.
If a rule has the priority flag set, no others rules will be checked.
So if you name the rule as 000-allow-xx and set the priority flag, the
rule wil lbe the only one that will be checked if it matches a
connection.
See #36 to know more on this feature.
Sort rules by name, so they're checked in alphabetical order.
This way, you can place deny rules at the top of the list to get better
performance, since it won't check the rest of the rules.
Discussion: #36
Destination host, process path and process arguments are now case
insensitive by default.
There's a new rule operator field (sensitive), to change this behaviour:
```
{
"type": "simple",
"operand": "dest.host",
"sensitive": false,
"data": "opensnitch.io",
"list": null
}
```
Rules without this field will evaluate as false by default.
closes#45
If for some reason a Regex type rule can not be parsed, opensnitchd
panics and exit. We drop regex.MustCompile() in favor of
regex.Compile(), and in case of failure we just drop the packet.
In either case, the daemon should not panic but it should not received
an invalid rule either, specially from the UI.
Closes#4
