We had an OUTPUT rule to drop marked packets. Packets are marked with a
mark when a user defined rule denies a connection.
The thing is that we only intercept NEW connections, and when we deny a
connnection using NF_DROP, the packets doesn't flow to the next iptables
rule or chain. So it'd be rare to see a packet on the OUTPUT chain marked
with the DropMark.
Besides, nfq_set_verdict2() doesn't seem to place the mark on the
packets (libnetfilter-queue 1.0.5).
This OUTPUT rule had 0 hits on different systems and users.
- Fixed 100% CPU spike when pausing interception from the GUI
gustavo-iniguez-goya/opensnitch/issues/104
- Fixed monitoring fw rules after re-enabling interception.
- Fixed cleaning up interception and system rules.
Added option to let the users define iptables rules.
The system rules are added in the file /etc/opensnitchd/system-fw.json
with this format:
```
{
"SystemRules": [
{
"Rule": {
"Description": "Allow pptp VPN",
"Table": "mangle",
"Chain": "OUTPUT",
"Parameters": "-p gre",
"Target": "ACCEPT",
"TargetParameters": ""
}
}
]
}
```
On the mangle table, OUTPUT chain, these rules are added before
the NFQUEUE interception rule, so any rule you add there bypasses the
interception. Useful to allow traffic you don't want to intercept.
This feature solves in some way the issue some users have connecting to
VPNs when the Default Action configured in the daemon is Deny.
For example:
- OpenVPN when keepalive is configured and ICMP is used.
- PPTP because the GRE routing protocol is blocked.
- probably others like IPSEC.
(regarding WireGuard, as far as I can tell it works just fine, see #61).
closes#47
Some systems has the IPV6 protocol disabled, so we failed starting up
with the error "Address family not supported by protocol" (#52).
Now we don't exist even if we can't insert the needed rules, we'll just
log the error.
We must intercept RELATED packets, not only for intercept protocols like
ftp-data, but also to handle connection errors (ICMP errors), like the
ones originated when dis/connecting from a wifi network.
In some scenarios (#47) may be useful to have a set of rules handled from
OpenSnitch, although you can accomplish it with other software (ufw,...).
This rules will sit just above default intercetion, so if you want to
allow or deny something, just place it here.
These priority rules are defined in /etc/opensnitchd/fw.json, with the
following format (example):
{
"PriorityRules": {
"out": {
"allow": [
],
"deny": [
"-m conntrack --ctstate INVALID",
"-p tcp ! --syn -m conntrack --ctstate NEW"
]
}
}
}
The structure must exist even if you haven't defined any rule, for
example:
{
"PriorityRules": {
"out": {
"allow": [
],
"deny": [
]
}
}
}
(1/2)
We start receiving notifications from the UI, which allow us to change
configurations and perform actions on the daemon.
The concept of Node has also been introduced, which identifies every
daemon (client) connected to the UI (server).
These options has been added:
- Enable/Disable firewall interception (for all nodes)
- Change daemons (clients) configuration. globally or per node.
- Change prompt dialog options.
We have fixed some bugs along the way:
- Close audit client connection gracefully.
- Exclude our own connections from being intercepted.
- Better handling of client connection status with the UI.
We probably has also introduced some other bugs (not listed here).
Sometimes the INPUT rule for to queue DNS responses was not deleted.
The code has also been reorganized.
And a minor tweak to make an if{} more idiomatic.
