The major steps are:
- take advantage of sqlite's default autoincremented rowid column
- add index of the db columns
- when a filter is applied, we build a map of rowids corresponding to the filter
- when user scrolls the view, query the db only for that portion of db which contains the rows to be displayed
- because sqlite cannot use an index when a wildcard is at the start of the LIKE expression, e.g. "process LIKE '%sbin%'", use a workaround:
- keep track of all distinct values in each column
- check in python if any of the distinct values contain the filter string
- reconstruct the query string: instead of "process LIKE '%sbin%'" we use "process IN (<list of distinct values containing 'sbin'>)"
Minor steps:
- mimic some QSqlQueryModel's methods so that our model can be a drop-in replacement
- disable view's default scrollbar and use our own scrollbar which is aware of how many rows are in the db
A common api/lib that other tools can use in order to commnicate with
nodes: a GUI, a TUI, a proxy that sends stats to a remote DB, etc...
In future versions we may add it back.
- Rules are checked in alphabetical order.
- Deny and Priority rules must take precedence.
- If a rule matches and it's Allow-NoPriority, then return the rule.
- Otherwise we'll return nil.
- Fixed 100% CPU spike when pausing interception from the GUI
gustavo-iniguez-goya/opensnitch/issues/104
- Fixed monitoring fw rules after re-enabling interception.
- Fixed cleaning up interception and system rules.
- Fixed network rules types.
- Fixed typo when resetting expanded view.
- Limit rule name length. It was causing errors saving the file to disk
it it was too long.
- Allow to filter connections by destination network. closes#89
- Do not send a rule if the operator data is empty.
- Fixed displaying the path of a process, if it's not in the command
line, e.g.:
binary: /usr/bin/curl
cmdline: curl -L github.com
Now you can filter by destination network, for example:
- 127.0.0.1/8
- 192.168.1.0/24
This will ease to solve the request #89 .
Some common network ranges have also been added so you can select them
from a combo box. More info #73.
Added process.id operator operand for future use, in order to filter by
PID.
python3-slugify is not available in all rpm based distributions.
Adding it as weak dependency will install it if the package is
available, thus avoiding to install it using pip.
The path and arguments of a process were not displayed correctly.
closes#93
On the other hand, the combo box option (allow/deny) "from this process"
was misleading. Changed by "from this executable". #94
We were checking several times if a packet was IPv6.
Additionally we were itereating over all the layers of the packet, when
in reality we're only interested in network layer and transport layer.
This change brings down packets parsing from ~200µs to ~2µs.
- De/Serialize IPv6 connections.
- Added SocketsDump() to list all sockets currently in the kernel.
- [proc details] Resolve all the sockets an application has opened
and translate them to network data, e.g:
```
ls -l /proc/1234/fd/
0 ... 25 -> socket[12345678]
```
to
```
0 .... 25 -> socket[12345678] - 54321:10.0.2.2 -> github.com:443,
state: established
```
There're several situations where the icons of the app don't show up:
- icon theme not configured.
- icon theme configured but lacks standard icons defined by the
standard (freedesktop).
- icon theme configured but Qt doesn't load it.
If we fall into any of these cases, use the Qt built-in icons .
More information on this issue: #53
* removed non-used imports.
- Allow to monitor applications having the dialog open.
- If an application has multiple pids, but some are already closed and
others are still running, don't close the dialog so you can select
which pid to monitor.
New dialog added to display details of a process in realtime, gathered
from ProcFS.
Process tab -> double click on an app -> click on the button with the
search icon.
We have also improved the discovery of apps icons and names. It should
work better on systems where the DE is not properly configured.
Tested, but not bulletproof, still in beta.
Added option to let the users define iptables rules.
The system rules are added in the file /etc/opensnitchd/system-fw.json
with this format:
```
{
"SystemRules": [
{
"Rule": {
"Description": "Allow pptp VPN",
"Table": "mangle",
"Chain": "OUTPUT",
"Parameters": "-p gre",
"Target": "ACCEPT",
"TargetParameters": ""
}
}
]
}
```
On the mangle table, OUTPUT chain, these rules are added before
the NFQUEUE interception rule, so any rule you add there bypasses the
interception. Useful to allow traffic you don't want to intercept.
This feature solves in some way the issue some users have connecting to
VPNs when the Default Action configured in the daemon is Deny.
For example:
- OpenVPN when keepalive is configured and ICMP is used.
- PPTP because the GRE routing protocol is blocked.
- probably others like IPSEC.
(regarding WireGuard, as far as I can tell it works just fine, see #61).
closes#47
