"$XDG_RUNTIME_DIR defines the base directory relative to which user-specific
non-essential runtime files and other file objects (such as sockets,
named pipes, ...) should be stored. The directory MUST be owned by the
user, and he MUST be the only one having read and write access to it.
Its Unix access mode MUST be 0700."
https://specifications.freedesktop.org/basedir-spec/basedir-spec-latest.html

Up until now some error and warning messages were only logged to the
system, not allowing the user to know what was happening under the hood.
Now the following events are notified:
- eBPF related errors.
- netfilter queue errors.
- configuration errors.
WIP, we'll keep improving it and build new features on top of this one.

Up until now, the daemon communicated with the GUI via a unix socket,
stored in /tmp.
/tmp however can be erased at any time (tmpreaper, systemd-tmpfiles.d),
which may lead to the removal of our unix socket file, and hence to losing
connection with the daemon.
Now the user has the option to store the socket file under
/run/user/$uid/opensnitch/
https://www.linuxbase.org/betaspecs/fhs/fhs.html#runRuntimeVariableData
In the future we may switch to this path by default.

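The checks a socket server should run on that runtime directory before binding, as an added example (not opensnitch's own code): it resolves $XDG_RUNTIME_DIR/opensnitch with the /run/user/$uid fallback, creates it 0700 and refuses to proceed if the directory is a symlink, owned by someone else, or more open than 0700. The `base` parameter and `selfcheck()` are assumptions added so the example runs against a temporary directory.

```python
import os
import stat
import tempfile

def runtime_socket_dir(uid, base=None):
    """$XDG_RUNTIME_DIR/opensnitch, else /run/user/<uid>/opensnitch.
    `base` overrides both so the self-check below can use a temp dir."""
    if base is None:
        base = os.environ.get("XDG_RUNTIME_DIR") or "/run/user/%d" % uid
    return os.path.join(base, "opensnitch")

def ensure_private_dir(path, uid):
    """Create `path` as 0700 if missing, then verify it is a real directory
    (not a symlink), owned by `uid`, and closed to everyone else, per the
    basedir spec. Raises PermissionError so no socket is ever bound inside
    a directory another local user could have planted or opened up."""
    try:
        os.mkdir(path, 0o700)
        os.chmod(path, 0o700)          # undo any umask influence on a fresh dir
    except FileExistsError:
        pass
    st = os.lstat(path)                # lstat: never follow a planted symlink
    if stat.S_ISLNK(st.st_mode):
        raise PermissionError("%s is a symlink" % path)
    if not stat.S_ISDIR(st.st_mode):
        raise PermissionError("%s is not a directory" % path)
    if st.st_uid != uid:
        raise PermissionError("%s owned by uid %d, not %d" % (path, st.st_uid, uid))
    if stat.S_IMODE(st.st_mode) != 0o700:
        raise PermissionError("%s has mode %o, expected 0700" % (path, stat.S_IMODE(st.st_mode)))
    return path

def selfcheck():
    """Run the checks against a constructed temp base (assumption: test only)."""
    uid = os.getuid()
    base = tempfile.mkdtemp()
    results = {}
    path = ensure_private_dir(runtime_socket_dir(uid, base), uid)
    results["fresh_mode"] = stat.S_IMODE(os.lstat(path).st_mode)
    os.chmod(path, 0o755)              # simulate a directory opened up to others
    try:
        ensure_private_dir(path, uid)
        results["world_readable"] = "accepted"
    except PermissionError:
        results["world_readable"] = "rejected"
    link = os.path.join(base, "link")
    os.symlink(base, link)             # simulate a symlink planted at the path
    try:
        ensure_private_dir(link, uid)
        results["symlink"] = "accepted"
    except PermissionError:
        results["symlink"] = "rejected"
    return results
```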
Added a helper to easily allow inbound connections, just by selecting
the port a service is listening on.
Especially useful when the inbound policy is drop and you want to allow a
service (ssh, nfs, etc).
It's a good practice to filter by command line + process path (and
other parameters), to limit what an application can do.
Thus, if the user selects "from this command line", and the command
launched is not an absolute path to the binary, we'll create a rule
to filter by process path + process cmdline.

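How the "from this command line" choice can be turned into a rule, as an added example (not opensnitch's own code): when argv[0] of the launched command is not an absolute path, the rule pins the resolved process path as well as the cmdline, so a same-named binary elsewhere on $PATH cannot match it. The operand names "process.path" and "process.command" and the rule JSON layout are assumptions about opensnitch's rule format.

```python
import shlex

# Assumed operand names; check them against the project's rule format.
OP_PATH = "process.path"
OP_CMDLINE = "process.command"

def build_process_operators(process_path, cmdline, by_cmdline):
    """Return the simple operators that identify the process for a new rule."""
    ops = []
    if by_cmdline:
        argv = shlex.split(cmdline)
        argv0 = argv[0] if argv else ""
        if not argv0.startswith("/"):
            # Relative command: also pin the real path the kernel reported,
            # otherwise any binary called "curl" on $PATH would match.
            ops.append({"type": "simple", "operand": OP_PATH, "data": process_path})
        ops.append({"type": "simple", "operand": OP_CMDLINE, "data": cmdline})
    else:
        ops.append({"type": "simple", "operand": OP_PATH, "data": process_path})
    return ops

def build_rule(name, action, process_path, cmdline, by_cmdline):
    """Wrap the operators in a rule; several operators become an AND list."""
    ops = build_process_operators(process_path, cmdline, by_cmdline)
    if len(ops) == 1:
        operator = ops[0]
    else:
        operator = {"type": "list", "operand": "list", "list": ops}
    return {"name": name, "enabled": True, "action": action,
            "duration": "always", "operator": operator}
```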
Added more options to filter connections by packets' metainformation.
Added: uid, gid, l4proto, protocol and priority.
+ When filtering connections by in/out interface, list the available
interfaces in the system, only if the selected node is local.
- Allow to set quotas on connections.
(For example: drop packets if transmitted bytes to port 443 and
ip 1.2.3.4 are over 1GB.)
- Allow to configure log levels.
- Better errors when adding/editing rules.

Up until now we detected automatically if a rule was a regular
expression. But if the path or cmdline of a process had certain
characters (backslash), it was not easy to autodetect it, because the
backslash in particular is sent and received encoded (\\).
With this change the user will have to mark manually if the
path/cmdline of a process is a regular expression or not.
Closes #706

Added option to reject new connections from the pop-ups:
- Configurable from the preferences, Default Action option.
- By default there're 2 buttons as always: Deny - Allow
- If the Default Action is Reject: Reject - Allow
- The Deny button now has an activatable menu, from where you can select
non-default options (ex: reject connections while the Default Action
is Allow/Deny).
Closes #613 #571

When loading and setting the configured query limit, it caused an
unwanted combobox event to fire, resulting in a DB query without limits,
which in turn, with a lot of events, caused slowdowns when displaying
the events window.

We were using insert() and append() to add rules to the list of rules.
However these methods are only available on protobuf >= 3.8.0
In order to have a better user experience, we'll use extend() instead of
append(). If insert() is available, then we'll use it. This way the
users won't have to install a newer protobuf version manually.
Note: using extend() instead of insert() means that the rule won't be
added on top of all the rules of that chain. If a user with an older
protobuf version (<= 3.8.0) adds a rule, it'll be added to the bottom of
the list, and maybe there're other rules that take precedence.

In order to display icons on the GUI, we use the Icon Naming
Specification defined by freedesktop [0].
However these icons are not always available due to several reasons.
In this situation until now, we have relied on Qt's built-in
icons [1].
It has worked fine until Fedora 36/Gnome 4x, where even some built-in Qt
icons are missing (SP_VistaShield in particular).
Since Gnome uses symbolic icons [2], falling back to these icons when
the original one doesn't load helps to display the missing icon.
These icons have the same name as the ones defined by freedesktop, but
with "-symbolic" as a suffix.
Tested on u16, u18, pop22.04, tumbleweed 15.3, f36, devuan/debian 11
(lxqt, unity, gnome3/4, kde).
If you think that there's a better way of handling this situation,
please, open an issue or submit a PR with a fix.
[0] https://specifications.freedesktop.org/icon-naming-spec/icon-naming-spec-latest.html
[1] https://doc.qt.io/qtforpython-5/PySide2/QtWidgets/QStyle.html#PySide2.QtWidgets.PySide2.QtWidgets.QStyle.StandardPixmap
[2] https://wiki.ubuntu.com/SymbolicIcons

- Added ability to add a description to the rules.
- Display the description field on the Rules view, and remove the internal
fields (operator, operator_data, etc).
- Added DB migrations.
- Improved rules' executable path field tooltip (#661).
Closes #652 #466

- Bump nftables version to depend on latest version with fixes.
- Include opensnitch-dns.o eBPF object when creating the deb package.
- Replaced Suggests by Recommends, to install additional but not
essential packages (like python3-pyasnc, and others).
- Added python3-grpcio, python3-protobuf and python3-slugify as
dependencies.
For systems without these packages, we'll use the old debian/ dir.

* Allow to configure firewall rules from the GUI (WIP)
New features:
- Configure and list system firewall rules from the GUI (nftables).
- Configure chains' policies.
- Add simple rules to allow incoming ports.
- Add simple rules to exclude apps (ports) from being intercepted.
This feature is only available for nftables. iptables is still supported;
you can add rules to the configuration file and they'll be loaded, but
you can't configure them from the GUI.
More information: #592