Before this change, we tried to determine what firewall to use based on
the version of iptables (if -V legacy -> nftables, otherwise iptables).
This caused problems (#455), and as there's no support yet for nftables
system firewall rules, it can't be configured to workaround these
errors.
Now the default firewall to use will be iptables.
If it's not available (installed), can't be used or the configuration
option is empty/missing, we'll use nftables.
One of the steps of PIDs discovering is knowing what's the socket inode
of a connection. The first try is to dump the active connections in the
kernel, using NETLINK_SOCK_DIAG via netlink.
Sometimes when a source port was reused, the kernel could return multiple
entries with the same source port, leading us to associate connections with
the wrong application.
This change fixes this problem, while allowing us to discover other
apps.
More information:
https://github.com/evilsocket/opensnitch/issues/387#issuecomment-888663121
Note: this problem shouldn't occur using the procs monitor method eBPF.
- Fixed multiple race conditions when using the cache of PIDs.
- Improved the chances to hit the cache of inodes, which helps to keep
down the times to get the PID of a connection to <= 30us.
These caches are mainly used when not using "ebpf" proc monitor method.
Prior to v1.4.x versions, when a pop-up asked the user to allow or deny
a connection, the rest of the network traffic was dropped until an
action was taken.
We fixed it, but when a pop-up was asking to allow or deny a new connection,
we let it passing by if the daemon's DefaultAction option was set to
allow, even if the user hadn't taken an action on it yet.
It also caused some confusion if the users had configured the pop-up's
DefaultAction to deny, they were expecting to not allow the connection
until they had decided what to do.
Now the previous behaviour has been restored, having these usage
scenarios:
- If the GUI is connected + daemon DefaultAction set to allow or deny.
Result:
1. Prompt the user to allow or deny the new connection.
2. Deny the new connection until the user takes an action on it.
3. Allow the rest of traffic, allowing known connections, and
denying new ones until the active pop-up is closed and we can
prompt the user again.
- GUI disconnected.
Result:
1. Apply daemon's DefaultAction from the configuration file
default-config.json.
closes: #392
Some times, processes that establish connections to localhost are only
found in /proc/net/* files. So if we fail to get the PID of a
connection, fallback to legacy method to find it.
Added basic nftables support, which adds the needed rules to intercept
outgoing network traffic and DNS responses. System rules will be added
soon.
What netfilter subsystem to use is determined based on the following:
- nftables: if the _iptables_ binary is not present in the system, or
if the iptables version (iptables -V) is
"iptables vX.Y.Z (nf_tables)".
- iptables: in the rest of the cases.
When the Duration of a rule changed (from 1h to 5m, from 5m to until
restart, etc), the timer of the old rule was fired, causing deleting the
rule from the list.
This erroneous behaviour could be one of the reasons of #429
When enabling the eBPF monitor method we dump the active connections,
but in some cases there're no active connections, and because of this
we're failing enabling this monitor method.
If there're no connections established, netlink returns 0 entries. It's
not clear if it's an indication of error in some cases or the expected
result.
Either way:
- fail only if we're unable to load the eBPF module.
- dump TCP IPv6 connections only if IPv6 is enabled in the syste,-
It'd probably be a good idea to write a module and encapsulate all the
functionality of the fields in funcs(), to lock them properly
(get/set maps, etc).
TODO: replace monitorLocalAddress() by
netlink.AddrSubscribeWithoptions(), to receive addresses' events
asynchronously.
Sometimes when a new connection is about to be established, we don't get
the PID of the process using the eBPF proc monitor method. But in some
rare situations, the kernel still holds information about the connection
(sock_diag struct basically). We assume that these connections are
initiated from kernel space.
Per some debugging, this doesn't seem to be always the root cause, so
these connections will only be shown if InterceptUnknown config field is
set to true.
As we've added eBPF interception method, we need go iovisor ebpf package,
which is not packaged for Debian yet, so the way I was compiling it
differs a little bit (instead of using gbp buildpackage,
dpkg-buildpackage is used).
Aside from that, there'll be a new eBPF module (.o ELF), which must be
packaged with the packages. Will be compiled on the fly, but maybe it
could be hosted in the repo, because it won't change that much.
On systems that have been running for a long time (for example 552
days) we were failing parsing the starttime field:
```
Could not find or convert Starttime. This should never happen.
Please report this incident to the Opensnitch developers:
strconv.Atoi: parsing "4242026842": value out of range
```
- extra: fixed tests.
- removed unused import time.
- allow to pause/start interception from tray contextual menu.
- improved case when the daemon is in paused state, and the GUI is
launched.
There's more work yet to do to improve the states when there're several
nodes connected.
closes#398
problem:
- after losing network connectivity node<->server, the node didn't restore
the connection. In reality, the connection with the server was not
closed, but the notifications channel was closed due to inactivity
after 20s.
set inactivity timeouts to 20s on both node and server. Previous
timeouts were 2h for the main connection and 20s for the streaming
channels (notifications).
- get rid of the logic to determine if the server is alive or not based
on sending pings.
Instead, use the connection events when a node connects/disconnects
(Subscribe).
The Ping call is still used to send the statistics.
other:
- fixed exception when updating the status of a node.
If we change the monitor method from the GUI, and it fails to start
(eBPF, audit or ftrace), use the old configured method and don't save
the configuration to disk, to avoid configuring a monitor method that
doesn't work.
* Use ebpf program to find PID of new connections.
before running the branch you have to compile ebpf_prog/opensnitch.c
opensnitch.c is an eBPF program. Compilation requires getting kernel source.
cd opensnitch
wget https://github.com/torvalds/linux/archive/v5.8.tar.gz
tar -xf v5.8.tar.gz
patch linux-5.8/tools/lib/bpf/bpf_helpers.h < ebpf_prog/file.patch
cp ebpf_prog/opensnitch.c ebpf_prog/Makefile linux-5.8/samples/bpf
cd linux-5.8 && yes "" | make oldconfig && make prepare && make headers_install # (1 min)
cd samples/bpf && make
objdump -h opensnitch.o #you should see many section, number 1 should be called kprobe/tcp_v4_connect
llvm-strip -g opensnitch.o #remove debug info
sudo cp opensnitch.o /etc/opensnitchd
cd ../../../daemon
--opensnitchd expects to find opensnitch.o in /etc/opensnitchd/
--start opensnitchd with:
opensnitchd -rules-path /etc/opensnitchd/rules -process-monitor-method ebpf
Co-authored-by: themighty1 <you@example.com>
Co-authored-by: Gustavo Iñiguez Goia <gooffy1@gmail.com>
- ui: fixed error getting the icon of an app.
- ui: fixed getting the list of pids of an app.
- ui: improved proc details start/stop icon behaviour.
- daemon: improved error message when we fail getting the details of a
process.
others:
- changed icon search by system-search.
When building the project with protoc-gen-go version 1.5.1,
it fails with the following:
```
protoc -I. ui.proto --go_out=plugins=grpc:../daemon/ui/protocol/
protoc-gen-go: unable to determine Go import path for "ui.proto"
Please specify either:
• a "go_package" option in the .proto source file, or
• a "M" argument on the command line.
See https://developers.google.com/protocol-buffers/docs/reference/go-generated#package for more information.
--go_out: protoc-gen-go: Plugin failed with status code 1.
```
This can be fixed by adding the full go package as an option in the
proto file. To make sure the code is generated to the correct path,
we also have to add add the `paths=source_relative` option to the
protoc plugin.
After this, the code is generated correctly, but the generated code
references classes like grpc.ClientConnInterface which were introduced
in 1.27.0.
- don't clean cache by number of items.
- clean inodes from cache every 2' if the descriptor symlink doesn't exist
anymore, or if the lastSeen time is more than 5 minutes.
- launch cache cleaners before start a new process monitoring method,
and start it only once for the life time of the daemon.
- do not store in cache the Time objects, only the nanoseconds of
the last updated time.
- if the inode of a connection is found in cache, reorder the
descriptors to push the descritptor to the top of the list.
Also add cached the inode.
It turns out that when a new connection is about to be established,
when the process resolves the domain, the same inode is used to open the
tcp connection to the target. So if it's cached we save CPU cycles.
This also occurs when we block a connection and the process retries it,
or when a connection timeouts and the process retries it
(telnet 1.1.1.1).
- update the descriptors/inodes of a PID when it's found in cache.
- when a descriptor/inode is found in cache, push it to the top
of the descriptors list. The next time it's found in cache it'll be in
the 1st position of the list, saving CPU time.
- added test cases and benchmark helpers to help analyzing performance.
- Delete lists of domains if the rule about to change is of type Lists.
- Monitor the lists of domains, and reload them if they're modified.
- Delete rules from disk when the Duration changes from
Always (saved on disk) to !Always (temporary).
- After the above operation a fsnotify Remove event is fired. Don't
delete the rule from memory if it's temporary.
- Rules are only compiled if they're enabled, avoiding unnecessary
allocations.
Any rule changed on disk caused reloading of all rules, usually
up to three times. This caused some problems.
- Don't compile Operators if the rule is disabled.
- Empty lists of domains if the user disables the rule.
- Delete rule from disk if the duration is not Always anymore.
There're some situations where we need to delete loaded lists:
- When an enabled rule of type Lists is disabled (after changed on
disk, or when configured from the GUI).
- When an enabled rule of type List with an Operator of type Lists is
disabled.
Initial support to filter connections using lists of domains.
The lists must be in hosts format:
- 0.0.0.0 www.domain.com
- 127.0.0.1 www.domain.com
From the rules editor, create a new rule, and select
[x] To this lists of domains
Select a directory with files in hosts format, select [x] Priority rule,
select [x] Deny and click on Apply.
An example of a list in hosts format:
https://www.github.developerdan.com/hosts/lists/ads-and-tracking-extended.txt
Note: you can also add a list of domains to allow, not only domains to
block.
TODOs:
- support for URLs besides directories (local lists).
- support for scheduled updates of the above URLs.
related #298
