Now you can add rules to allow multiple protocols.
For example you can add a rule to allow dport/sport for both TCP
and UDP.
There're two options to allow a port:
Statement {
  Name: tcp
  Values:
    Key: dport
    Value: 1234
}
Statement {
  Name: meta
  Values:
    Key: l4proto
    Value: tcp,udp
    Key: dport
    Value: 1234
}
Closes #951.
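
The two Statement forms above, rendered as nft(8) match expressions in an added example that is not part of the commit or of OpenSnitch's code. The dict layout, the function names and the mapping to nft command-line syntax are assumptions made for illustration.

```python
# Added illustration, not OpenSnitch code: the dict layout, function names and
# the mapping to nft(8) match syntax are assumptions made for this example.
L4_PROTOS = {"tcp", "udp"}
PORT_KEYS = {"dport", "sport"}

# Constructed samples mirroring the two Statement blocks above.
TCP_ONLY = {"name": "tcp", "values": [("dport", "1234")]}
TCP_AND_UDP = {"name": "meta",
               "values": [("l4proto", "tcp,udp"), ("dport", "1234")]}


def parse_port(value):
    port = int(value)
    if not 1 <= port <= 65535:
        raise ValueError(f"port out of range: {value}")
    return port


def render_statement(stmt):
    """Return the nft match expression for one Statement."""
    name, parts, protos = stmt["name"], [], None
    if name not in L4_PROTOS and name != "meta":
        raise ValueError(f"unsupported statement: {name}")
    for key, value in stmt["values"]:
        if key == "l4proto" and name == "meta":
            protos = [p.strip() for p in value.split(",")]
            if not protos or set(protos) - L4_PROTOS:
                raise ValueError(f"unsupported l4proto: {value}")
            parts.append("meta l4proto { " + ", ".join(protos) + " }")
        elif key in PORT_KEYS and name in L4_PROTOS:
            # Single-protocol form: the statement name pins the protocol.
            parts.append(f"{name} {key} {parse_port(value)}")
        elif key in PORT_KEYS:
            # 'th' reads the transport header whatever the protocol is, so
            # refuse a port match that is not preceded by an l4proto set.
            if protos is None:
                raise ValueError("port match in meta needs l4proto first")
            parts.append(f"th {key} {parse_port(value)}")
        else:
            raise ValueError(f"unsupported key for {name}: {key}")
    return " ".join(parts)


if __name__ == "__main__":
    for sample in (TCP_ONLY, TCP_AND_UDP):
        print(render_statement(sample), "accept")
```
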
The helper dialog to allow inbound connections to a port was adding a
rule to source port, instead of destination port.
The source port is needed to allow the traffic of a "local service"
when the inbound policy is set to Deny.
The DNS rule to intercept DNS responses must always be at the top of
the (input-filter) rules, otherwise we won't receive DNS resolutions.
Adding, removing or changing system fw rules was removing the rule from 1st
position.
Another approach to this problem could be to remove&&add only the dns rule,
instead of disable-enable interception+rules monitor.
* i18n: initial support for Finnish
* i18n: add Finnish translations for rules
* i18n: add Finnish translations for rules
* i18n: translated using Weblate (Finnish)
Currently translated at 99.6% (516 of 518 strings)
Translation: Open Source/opensnitch
* i18n: finalize Finnish translations
* i18n: run Finnish translations through lrelease
---------
Co-authored-by: Toni Lähdekorpi <toni.lahdekorpi@neuvo.ai>
- When changing a policy, disable it until we receive a response.
Maybe we should even delay it a little bit more.
- When editing a fw rule, disable the Save button if the user didn't
change any field.
- Don't rename libbpf's bpf_map_def struct, and distribute the needed bpf
headers.
The bpf_map_def struct has been deprecated for quite some time now,
and it has been removed on >= 6.2 anyway.
We still need it, because we use gobpf.
- Improved compilation behaviour:
- We don't require the kernel sources anymore. We can just use the
kernel headers from the distribution.
- There's no need to copy the sources to the kernel tree, the modules
can be compiled from the ebpf_prog/ dir.
- Compiling against kernels 6.x seems to solve the problem we had with
VPNs, where connections were not intercepted with modules compiled
against 5.8, on kernels >= 5.19.
The modules have been tested on kernels 4.17, 5.4, 5.10, 5.15, 6.1 and
6.2 (kernel connections included).
Closes: #939
Some DEs and WMs don't support systray icons. In this situation we
display the GUI after 10s.
However many users were confused about this behaviour, thinking that
this delay displaying the GUI was a bug (#937).
Hopefully a warning on the terminal and the desktop will help
them to know what's going on.
- Allow to copy rules to clipboard with CTRL-c
- Added contextual menus:
- edit to open the editor dialog.
- Action, to change the rule verdict without opening the rule dialog.
- Fixed error validating some meta expressions.
- Added option to enable/disable fw rules.
- Limit fw rules deletion to 1 rule for now, until a bug is fixed.
- Allow to filter connections by source IP/Network.
(it may also be useful to filter by source port)
- Removed AlwaysOnTop Hint from rules editor dialog.
Closes #922