When there were no nodes connected, we disabled the global fw button
that enables/disables the fw.
Unfortunately when a node connected to the GUI, this button was not
clickable anymore.
When disabling the fw, we change the default input and output policy to
Accept, not to block connections.
Due to a problem reloading the fw in the daemon, the policy was not
changed as expected.
This problem must be fixed in the daemon, but for the time being,
sending two configuration changes solves the issue (one for changing the
policy, and another one for disabling the fw).
Closes: #1225
When the Process Connector is used to intercept exec events, get and
build the process tree of a process.
PROCESS CONNECTOR feature was added here: 7a9bb17829
When a popup was displayed to the user, if they took more than 120s to
respond, the address of the node was lost.
This is because the daemon has hardcoded a max timeout of 120s. If it
fires, the call to AskRule is closed and the context is lost.
In this situation, save the address of the node at the start of AskRule,
so we can reuse it later.
Closes: #1219
Nfqueue bypass option skips the enqueue of packets to userspace
if no application is listening to the queue.
https://wiki.nftables.org/wiki-nftables/index.php/Queueing_to_userspace
If this flag is not specified, and for example the daemon dies
unexpectedly, all the outbound traffic will be blocked.
Up until now we've been using this flag by default not to block network
traffic if the daemon dies or is killed for some reason. But some users
want to use precisely this behaviour (#884, #1183, #1201).
Now you can configure it, to block connections if the daemon
unexpectedly dies.
The option is on by default in the configuration (QueueBypass: true).
If this item is not present in the daemon config file, then it'll be
false.
- Calculate the ram usage of a process in the daemon, using the page
size of the system.
- Added new functions to read some details of a process, so we can use
them in other parts of the code.
Added new task to monitor the resources of remote nodes, like
ram, swap, number of processes or load average of the system.
The task is initiated when the user selects a node, and the data
received from the node is added to the right panel of the Nodes tab.
The task is stopped when changing to another tab, or when deselecting a
node.
Particularly useful for monitoring remote nodes.
daemon tasks are actions that are executed in background by the daemon.
They're started from the GUI (server) via a Notification (protobuf),
with the type TASK_START (protobuf).
Once received in the daemon, the TaskManager starts the task in
background.
Tasks may run at interval times (every 5s, 2days, etc), until they
finish an operation, until a timeout, etc.
Each task has each own configuration options, which will customize the
behaviour of its operations.
In this version, if the GUI is closed, the daemon will stop all the
running tasks.
Each Task has a flag to ignore this behaviour, for example if they need
to run until they finish and only send a notification to the GUI,
instead of streaming data continuously to the GUI (server).
- Up until now we only had one task that could be initiated from the GUI:
the process monitor dialog. It has been migrated to a Task{}.
- go.mod bumped to v1.20, to use unsafe string functions.
- go.sum updated accordingly.
When filtering by checksum and the checksum of a rule changes, we
display a warning on the popup, indicating that something happened.
The user had the option to update the checksum of one rule, directly
from the popup.
Now there's a new button to update all the rules that have a checksum as
filtering parameter.
When creating/editing rules to filter by lists of nets/IPs/domains, we
check if the path entered is a directory.
However on remote nodes, the path may not exist where the GUI is
running, but be valid where the daemon is running.
Now we only check the path if the node where it's being configured is
local.
Closes#1174
Up until now we had a way of customizing the views, by defining
"actions". See for context cba52cf3d8
The configuration syntax has not changed, but now every "action" is a
python plugin, for example when loading this configuration:
{
"name": "commonDelegateConfig",
"actions": {
"highlight": {
"enabled": true,
"cells": [
{
"text": ["allow", "✓ online"],
"color": "white",
"bgcolor: "green",
we'll try to load "highlight" as plugin, which should exist under
opensnitch/plugins/highligh/highlight.py
Three new plugins has been added:
- Highlight: colorize cells or rows based on patterns.
- Downloader: a simple downloader which downloads files to local
directories, for example to download blocklists.
- Virustotal: a plugin to analyze IPs, domains and checksums with the
API of virustotal when a new popup is fired.
There're 3 points where the plugins are configured and executed:
- opensnitch/service.py - _load_plugins() (background/global plugins)
- opensnitch/dialogs/prompt/__init__.py - _configure_plugins(), _post_popup_plugins()
- opensnitch/dialogs/processdetails.py - _configure_plugins()
Plugins can't be configured from the GUI (yet).
For more details, read:
opensnitch/plugins/__init__.py
opensnitch/actions/__init__.py
opensnitch/plugins/downloader/downloader.py
opensnitch/plugins/virustotal/virustotal.py
Since the name of the rule is used for the file name on the disk,
certain characters caused issues when saving the rule, like '/'.
Now if the user types or pastes '/' in the name field, a warning is
displayed, indicating that some characters are not allowed.
Closes#1166
google.golang.org/protobuf/cmd/protoc-gen-go@v1.34.2 generates
protobuffers incompatible with go1.17, it fails with the error:
"ui/protocol/ui.pb.go:2716:47: predeclared any requires go1.18 or later
(-lang was set to go1.17; check go.mod)"
Notes:
- consider using go1.18 as min required version if there's no problem
compiling the daemon on Debian <= 13 and other distros.
- github.com/golang/protobuf is deprecated and we should get rid of
it.
