Before this change, we tried to determine what firewall to use based on
the version of iptables (if -V legacy -> nftables, otherwise iptables).
This caused problems (#455), and as there's no support yet for nftables
system firewall rules, it can't be configured to workaround these
errors.
Now the default firewall to use will be iptables.
If it's not available (installed), can't be used or the configuration
option is empty/missing, we'll use nftables.
Prior to v1.4.x versions, when a pop-up asked the user to allow or deny
a connection, the rest of the network traffic was dropped until an
action was taken.
We fixed it, but when a pop-up was asking to allow or deny a new connection,
we let it passing by if the daemon's DefaultAction option was set to
allow, even if the user hadn't taken an action on it yet.
It also caused some confusion if the users had configured the pop-up's
DefaultAction to deny, they were expecting to not allow the connection
until they had decided what to do.
Now the previous behaviour has been restored, having these usage
scenarios:
- If the GUI is connected + daemon DefaultAction set to allow or deny.
Result:
1. Prompt the user to allow or deny the new connection.
2. Deny the new connection until the user takes an action on it.
3. Allow the rest of traffic, allowing known connections, and
denying new ones until the active pop-up is closed and we can
prompt the user again.
- GUI disconnected.
Result:
1. Apply daemon's DefaultAction from the configuration file
default-config.json.
closes: #392
Added basic nftables support, which adds the needed rules to intercept
outgoing network traffic and DNS responses. System rules will be added
soon.
What netfilter subsystem to use is determined based on the following:
- nftables: if the _iptables_ binary is not present in the system, or
if the iptables version (iptables -V) is
"iptables vX.Y.Z (nf_tables)".
- iptables: in the rest of the cases.
problem:
- after losing network connectivity node<->server, the node didn't restore
the connection. In reality, the connection with the server was not
closed, but the notifications channel was closed due to inactivity
after 20s.
set inactivity timeouts to 20s on both node and server. Previous
timeouts were 2h for the main connection and 20s for the streaming
channels (notifications).
- get rid of the logic to determine if the server is alive or not based
on sending pings.
Instead, use the connection events when a node connects/disconnects
(Subscribe).
The Ping call is still used to send the statistics.
other:
- fixed exception when updating the status of a node.
If we change the monitor method from the GUI, and it fails to start
(eBPF, audit or ftrace), use the old configured method and don't save
the configuration to disk, to avoid configuring a monitor method that
doesn't work.
* Use ebpf program to find PID of new connections.
before running the branch you have to compile ebpf_prog/opensnitch.c
opensnitch.c is an eBPF program. Compilation requires getting kernel source.
cd opensnitch
wget https://github.com/torvalds/linux/archive/v5.8.tar.gz
tar -xf v5.8.tar.gz
patch linux-5.8/tools/lib/bpf/bpf_helpers.h < ebpf_prog/file.patch
cp ebpf_prog/opensnitch.c ebpf_prog/Makefile linux-5.8/samples/bpf
cd linux-5.8 && yes "" | make oldconfig && make prepare && make headers_install # (1 min)
cd samples/bpf && make
objdump -h opensnitch.o #you should see many section, number 1 should be called kprobe/tcp_v4_connect
llvm-strip -g opensnitch.o #remove debug info
sudo cp opensnitch.o /etc/opensnitchd
cd ../../../daemon
--opensnitchd expects to find opensnitch.o in /etc/opensnitchd/
--start opensnitchd with:
opensnitchd -rules-path /etc/opensnitchd/rules -process-monitor-method ebpf
Co-authored-by: themighty1 <you@example.com>
Co-authored-by: Gustavo Iñiguez Goia <gooffy1@gmail.com>
- ui: fixed error getting the icon of an app.
- ui: fixed getting the list of pids of an app.
- ui: improved proc details start/stop icon behaviour.
- daemon: improved error message when we fail getting the details of a
process.
others:
- changed icon search by system-search.
rename, remove unused targets
trigger targets only when relevant files actually are changed
git:
do not track files which are generated during make
github actions fix to not rely on a pre-built ui.pb.go
New dialog added to display details of a process in realtime, gathered
from ProcFS.
Process tab -> double click on an app -> click on the button with the
search icon.
We have also improved the discovery of apps icons and names. It should
work better on systems where the DE is not properly configured.
Tested, but not bulletproof, still in beta.
The server address and log file were hardcoded into the
opensnitchd.service file, making it almost impossible to change.
Soon we'll be able to change it from the UI.
we were not switching between process monitor methods properly, so we're
falling back to proc method in some cases.
Besides, there's seems to be a descriptors leaking problem in ftrace package
when closing resources.
If a rule has the priority flag set, no others rules will be checked.
So if you name the rule as 000-allow-xx and set the priority flag, the
rule wil lbe the only one that will be checked if it matches a
connection.
See #36 to know more on this feature.
When the daemon is stopped, we need to close opened netfilter recurses.
Otherwise we can fall into a situation where we leave NFQUEUE queues
opened, which causes opensnitch to not run anymore until system restart
or a manual intervention, because there's a NFQUEUE queue already created
with the same ID.
This is what was happening as a collateral effect of #41.
(1/2)
We start receiving notifications from the UI, which allow us to change
configurations and perform actions on the daemon.
The concept of Node has also been introduced, which identifies every
daemon (client) connected to the UI (server).
These options has been added:
- Enable/Disable firewall interception (for all nodes)
- Change daemons (clients) configuration. globally or per node.
- Change prompt dialog options.
We have fixed some bugs along the way:
- Close audit client connection gracefully.
- Exclude our own connections from being intercepted.
- Better handling of client connection status with the UI.
We probably has also introduced some other bugs (not listed here).
Added ProcMonitorMethod, which can be "proc", "ftrace" or "audit".
Parameters passed by command line take prevalence over default
configuration.
breaking changes: config options changed from xx_yy to XxYy.
Config example:
{
"DefaultAction": "allow",
"DefaultDuration": "once",
"InterceptUnknown": true,
"ProcMonitorMethod": "audit"
}
If we can't communicate with the server (UI), apply the default
configured action. For example, if the UI is doing too much work and it
reaches the timeout, or if there's a programming error (python exception
for instance).
If the file /etc/opensnitchd/default-config.json exists,
read it and apply the options to the default rule when there's no client
connected.
If it doesn't exist, just apply the default rule, allow connections
once.
Config example: {"default_action": "deny", "default_duration": "once"}
