Commit graph

1180 commits

Author SHA1 Message Date
Gustavo Iñiguez Goia
9e53997489 ui, pop-ups: better countdown behaviour
Now the countdown is stopped when clicking on any of the buttons of the
pop-ups.

Closes #528
2021-12-16 13:08:57 +01:00
Gustavo Iñiguez Goia
13c747ce79 ui, events: better rows selection
As events are received from the daemon, the list of events is reloaded,
and the selection of rows was lost.
This caused several side effects: difficulty to delete multiple rules,
as well as analyze listed events because they were reloaded constantly.

Now if a row is selected, the new events are not loaded until rows
selection is not cleared.

closes #560
2021-12-15 20:35:00 +01:00
Gustavo Iñiguez Goia
7006604db9 ui, pop-ups: better dest domain selection
We had 3 options to filter connections by domain:
- www.domain.com
- *domain.com
- *.domain.com

The second option was a workaround to allow filtering domain.com

Now we handle the last 2 situations with a single option (/regular expression).

closes #536
2021-12-15 20:01:36 +01:00
Gustavo Iñiguez Goia
91ff72be7b daemon,deb: fixed enabling/starting daemon
The custom postinst and prerm scripts were preventing the use of debhelpers
helpers, which in turn were causing installation failures on SysV
systems and not enabling the daemon service.

Closes #558
2021-12-10 20:47:09 +01:00
Gustavo Iñiguez Goia
479b8ded59 improved connections parsing
Under certain conditions, when we dumped inodes via netlink, we were
linking network connections to wrong applications.

- To improve this situation:

1) Use netfilter's UID by default:
   Sometimes the UID reported via netlink was different than the one
   reported by libnetfilter. libnetfilter UID is always correct.
   If you had a rule that filtered by UID, this problem could cause you
   to be prompted again to allow the connection.

2) Use the netlink entry that matches exactly the properties of an
   outgoing connection:
   There're some in-kernel sockets that don't match 1:1 outgoing
   connections (daemon/netlink/socket.go#L22).
   In order to identify the applications that initiate these network
   connections we use a workaround. But under certain conditions
   (source port reuse), we were associating connections to wrong
   applications.
   So in order to avoid this problem, if there's a 1:1 match use that
   netlink entry. If not, fallback to the workaround.

- misc: added more logs to better debug these issues.
2021-11-15 13:26:52 +01:00
Gustavo Iñiguez Goia
743ef71d7e rules: don't load rules that fail to compile
Be sure that we don't load invalid regexp rules.

related: #536
2021-11-12 12:08:31 +01:00
Gustavo Iñiguez Goia
689c83fa77
Merge pull request #540 from ryanolton/master
Prompt UI height and width fixes
2021-11-04 15:08:52 +01:00
Ryan Olton
c3039dd524 set prompt width and height after initial display; set prompt minimum and maximum size using initial width and height values 2021-11-04 09:41:08 -04:00
Gustavo Iñiguez Goia
9d0c5a104e ui: fixed GUI loading when DE autologin is on
Fixed GUI loading behaviour when DE's autologin is on.

Background:
 Sometimes the system tray is not available, so our app's icon
 does not show up. In this case we show the GUI to allow the user
 to manage the rules and view connections.

If the user activated the autologin option, on KDE (and probably others)
our service was launched before the panel was ready, so the system tray was
not available yet and we were showing the Events window.

Changes:
- Delay 10s the check to see if the system tray is available, to give it
  time to load.
- Add X-KDE-Autostart-after=panel to kcm_opensnitch.desktop, to launch
  the GUI only after the panel is loaded.
- Misc: removed OpenSnitch entry from System Settings on KDE, and update
  the categories where the app is shown in the menus.

Closes #535
2021-10-28 18:24:29 +02:00
Gustavo Iñiguez Goia
c609b09f1d ui, tests: added Preferences dialog tests
TODO: test db configuration changes. There're problems clicking on the
QMessageBox.
2021-10-25 13:54:08 +02:00
Gustavo Iñiguez Goia
e8dd17418f Bump versions to v1.5.0rc1 2021-10-19 12:00:22 +02:00
Gustavo Iñiguez Goia
9ef64da588 ui: fixed crash when displaying the GUI
On Fedora 34, without the appindicator extension installed, when the GUI
was displayed it crashed with the following error:

TypeError: index 0 has type 'float' but 'int' is expected.

related: #526
2021-10-08 12:57:44 +02:00
Gustavo Iñiguez Goia
fd40feb78c
Create feature-request.md 2021-10-06 23:54:37 +02:00
Gustavo Iñiguez Goia
3af6a11da2
Create config.yml 2021-10-06 23:32:44 +02:00
Gustavo Iñiguez Goia
eb51840bea
Update bug_report.md 2021-10-06 23:30:22 +02:00
Gustavo Iñiguez Goia
67afb5b8ed
Update go.yml 2021-10-06 22:52:19 +02:00
Gustavo Iñiguez Goia
655f1ebe6e updated protoc command to generate the protobuffer
closes #521
2021-10-06 11:10:57 +02:00
Gustavo Iñiguez Goia
ff99b39d09 ui, tests: added rules editor tests
to run them:
pytest tests/

They could be integrated with a github action.
2021-10-05 16:34:30 +02:00
Gustavo Iñiguez Goia
4ea0904ff3 ui: allow to filter connections by PID
This change allows to filter connections by PID.

Others have referred to this feature as "filter connections for this
instance/session" or similar, so maybe a better wording is needed.
Open a new discussion or send a PR if you have a better sentence that
describes this option, please.
2021-09-25 11:51:09 +02:00
Gustavo Iñiguez Goia
0526b84309
Allow to intercept more kernel connections (#513)
* Allow to intercept some kernel connections

Some connections are initiated from kernel space, like WireGuard
VPNs (#454), NFS or SMB connections (#502) and ip tunnels (#500).

Note: This feature is complete for x86_64, WIP for aarch64, and not supported for armhf and i386
https://github.com/evilsocket/opensnitch/pull/513#issuecomment-924400824

More information regarding this change: #493
2021-09-23 01:44:12 +02:00
Gustavo Iñiguez Goia
2c1acdbfc1 don't overwrite rules if they already exist (2/2)
Don't overwrite rules when adding or editing rules, to avoid losing
already added rules.

- When adding a rule, check if there's already a rule with the same
  name.
- After adding a new rule, enter into EDIT mode, to allow changes to the
  rule without closing the dialog.
- If the user changes the name after adding a rule, check if there's a
  rule with the same name.
- When editing a rule and the user changes the name, check if there's a
  rule with the same name.

issue #512
2021-09-19 23:57:41 +02:00
Gustavo Iñiguez Goia
c97a01d52f don't overwrite rules if they already exist.
Don't overwrite rules when adding or editing rules, to avoid losing
already added rules.

closes #512
2021-09-19 16:01:58 +02:00
Gustavo Iñiguez Goia
3b6c0412e0 rules: added more lists types to block/allow
- Added lists of IPs and network ranges. One per line. Blank lines or
  lines that start with # are ignored.
- Added lists of domains with regular expressions. One per line.
  Blank lines or lines that start with # are ignored.

Until now you could use regular expressions with the fields
"To this host" or "To this IP", to match multiple domains or IPs.
But if you wanted to use more than 2-3 domains or IPs it was not really
user friendly.

Hopefully we'll be a little more versatile to cover use cases like #461
and #485.
2021-09-18 00:17:58 +02:00
Gustavo Iñiguez Goia
500b7c7f1a debs: added step to generate daemon's proto
-> #494
2021-09-15 11:56:13 +02:00
Gustavo Iñiguez Goia
2d268654e8
Merge pull request #506 from themighty1/patch-2
need to generate go.sum otherwise we get errors
2021-09-15 10:12:49 +02:00
Gustavo Iñiguez Goia
408ce3f992
Merge pull request #505 from themighty1/patch-1
github.com/golang/protobuf deprecated
2021-09-15 09:39:30 +02:00
themighty1
35975bc760
need to generate go.sum otherwise we get errors 2021-09-15 04:28:56 +00:00
themighty1
0776c1b895
github.com/golang/protobuf deprecated 2021-09-15 04:26:53 +00:00
Gustavo Iñiguez Goia
c66d5d6bf0 ebpf: updated dependencies list for compiling 2021-09-13 11:49:27 +02:00
Gustavo Iñiguez Goia
8d3540f7f9 added action reject
When blocking a connection via libnetfilter-queue using NF_DROP the
connection is discarded. If the blocked connection is a DNS query, the app
that initiated it will wait until it times out, which is ~30s.

This behaviour can for example cause slowdowns loading web pages: #481

This change adds the option to reject connections by killing the socket
that initiated them.

Denying:
    $ time telnet 1.1.1.1 22
    Trying 1.1.1.1...
    telnet: Unable to connect to remote host: Connection timed out

    real	2m10,039s

Rejecting:
    $ time telnet 1.1.1.1 22
    Trying 1.1.1.1...
    telnet: Unable to connect to remote host: Software caused connection abort

    real	0m0,005s
2021-09-12 10:54:24 +02:00
Gustavo Iñiguez Goia
9ccb6498ec i18n: fixed fr_FR translation generation 2021-09-10 11:26:51 +02:00
Gustavo Iñiguez Goia
cddc5b6de8 ui,pop-ups:use the proc path if the args are empty
If the cmdline of a process is empty, use the process' path to create
the rule, instead of process.command field.
2021-09-09 16:17:48 +02:00
Gustavo Iñiguez Goia
d57122ad96 debs: removed dh-systemd dependency
It prevented building the packages on < Debian Sid, and it generates the
post/pre installation/uninstall code anyway.
2021-09-09 16:14:03 +02:00
Gustavo Iñiguez Goia
499b037f84 ui, i18n: added fr_FR translation
Thanks to @Herve5. #484
2021-09-07 12:59:54 +02:00
Gustavo Iñiguez Goia
0b0255ea4f improved setting proc monitor method from cli
This change is part of the last commit.
2021-09-04 23:09:04 +02:00
Gustavo Iñiguez Goia
71d0f6d27d improved process monitor method (re)configuring
- Fixed reloading process monitor method if the configuration changes on
  disk. This can occur in two situations: 1) if it's changed from the
  UI, 2) if the user changes it manually.
- Ensure that we don't crash if there's an error changing the
  method and ebpf is active.
- When changing monitor method to ebpf and it fails to start, stop it
  anyway. It helps cleaning up kprobes and avoiding the error
  "cannot write...: file exists".
2021-09-04 21:18:22 +02:00
Gustavo Iñiguez Goia
f5bb478c99 use GUI's default action when applying a verdict
When the daemon connects to the GUI, use the default action
configured on the GUI to apply a verdict on new connections.

We were using daemon's default action, so if it was Allow but the user
had configured Deny on the GUI it was allowing connections, causing some
confusion (#489)

TODO: apply this action not only on connecting to the GUI, but also when
saving the configuration from the GUI.
2021-09-03 17:37:26 +02:00
Gustavo Iñiguez Goia
fa7df6595d fixed exception when cleaning up the cache
Under certain situations, while cleaning up the cache of inodes,
if an item was deleted we could end up accessing a nil item.

Spotted on ubuntu18.
2021-09-02 20:51:18 +02:00
Gustavo Iñiguez Goia
18f0c9133d ui, rules editor: fixed parsing duration
When adding a new rule we were getting the duration as it appeared on
the combo box. It was used to create a Golang time.

However translators were translating the duration strings (30s, 5m,
etc), causing errors when saving the rule.

Now we just look for the index of the selected duration.
2021-09-01 02:08:58 +02:00
Gustavo Iñiguez Goia
d624780141
Merge pull request #487 from freddii/master
updated german translation
2021-08-31 15:33:40 +02:00
freddii
1fa4e421ca updated german translation 2021-08-31 12:53:23 +02:00
Gustavo Iñiguez Goia
041cf456dc Bump versions to v1.4.0 2021-08-27 13:48:20 +02:00
Gustavo Iñiguez Goia
d11a98e418 fixed interception and system fw rules, default action
- The firewall rules defined in /etc/opensnitchd/system-fw.json take
precedence over the interception rules, but we were inserting the
interception rules before the system's ones. With this change #455
should be fixed.

- On the other hand, the DefaultAction was not being applied correctly
  in all cases. As of today the DefaultAction is applied in 2 scenarios:
  * When the daemon is connected to the GUI and the user doesn't answer
    a pop-up.
  * When the daemon is not connected to the GUI.

  However as we don't parse all network protocols, even if the GUI is
  connected we may end up parsing a connection and don't know what to do
  with it. In this case the DefaultAction was always Deny.

  Now in the above scenario, i.e.: when the GUI is connected but we
  can't parse a connection, we'll apply the DefaultAction configured by
  the user.
2021-08-25 13:06:32 +02:00
Gustavo Iñiguez Goia
7c991dd85f
Merge pull request #479 from gnuhead-chieb/master
Update Japanese translation
2021-08-23 10:40:13 +02:00
Gustavo Iñiguez Goia
96722ed740 blocklists: sanitize hosts entries
Remove \r\n\t\s from the end of each line of a blocklist.

If the entries of a list had these characters, they failed to match
connections and the rule was not applied.

closes #429
2021-08-22 23:07:25 +02:00
gnuhead-chieb
48538323ca
Add files via upload 2021-08-22 08:03:11 +09:00
Flávio Costa
e85ba18a17
Update Brazilian Portuguese translation (#478)
* Update Brazilian Portuguese translation
2021-08-20 20:51:39 +02:00
Gustavo Iñiguez Goia
49c171df4c Use eBPF as procs monitor method by default
If eBPF is not available we'll fallback to proc parsing.
2021-08-17 13:54:46 +02:00
Gustavo Iñiguez Goia
94fa3c8093 ui, stats: better window restoration on KDE
Latest approach seems to not always work (latest KDE on kubuntu 20 and
manjaro as of today).

This seems to work better:
https://doc.qt.io/qt-5/qwidget.html#setWindowState
2021-08-13 18:03:10 +02:00
Gustavo Iñiguez Goia
a354ae22e1 statistics: fixed missed connections
Previous behaviour:

 1) Before version 1.0.0b the daemon kept a list of processes that had
 established connections. The list was displayed on the GUI as is, so
 the maximum number of connections displayed was 100 (hardcoded).

 2) When the intercepted connections reached 100, the last entry of the
    list was removed, and a new one was inserted on the top.

After v1.0.0 we started saving connections to a DB on the GUI side, to
get rid of the hardcoded connections limit. However, point 2) was
still present, which caused some problems:
 - When the backlog was full we kept inserting and deleting connections
   from it continuously, one by one.
 - If there was a connections burst we could end up missing some
   connections.

New behaviour:
 - The statistics are deleted from the daemon every time we send them to
   the GUI, because we don't need them on the daemon anymore.
 - If the GUI is not connected, the connections will be added to the
   backlog as in the point 2).
 - When the backlog reaches the limit, it'll keep deleting the last
   one in order to insert a new one.
 - The number of connections to keep on the backlog is configurable.
 - If the statistics configuration is missing, default values will be
   150 (maxEvents) and 25 (maxStats).

Notes:
 If the GUI is saving the data to memory (default), there won't be
 any noticeable side effect.
 If the GUI is configured to save the connections to a DB on disk, and
 the daemon sends all the backlog at once, the GUI may experience a
 delay and a high CPU spike. This can occur on connecting to the daemon
 (because the backlog will be full), or when an app sends too many
 connections per second (like nmap).
2021-08-13 12:18:10 +02:00