WIP.
Until now we used Qt's systray notifications. They couldn't be disabled
and didn't integrate well with non-Qt based Desktop Environments. Also
we depended on the system tray availability, which is not always
available (i3, phosh, ...).
Now the user can choose to use Qt's notifications, the system
notification service or disabled them completely.
Pros:
- The notification style is defined by the Desktop Environment.
- Can be configured globally from the system settings.
- In many DEs, the notifications are grouped into a single view. So if
you miss any event, you can go there and check out what happened.
- Now we can display notifications on DEs where we couldn't before.
- It's a standard supported by major DEs.
Cons:
- Sometimes we can't connect to the D-Bus mainloop instance. We need to
investigate it.
TODO:
- Deny/Allow new outgoing connections from the notifications,
replacing the current pop-ups.
Requested here: #468 , #476 and #477 .
Instead of the builtin buttons to increase the value of spin boxes, use
regular buttons. It'll be easier to use on touchable devices.
Note: This feature can also be achieved by customizing SpinBoxes' css
style.
- If sys.exit() fails, force exit after 10s.
- Close db connection on exit.
- When closing the GUI (server), set connected nodes to offline.
The status will be updated when nodes connect again / when the server
is available again.
Otherwise, we may end up with nodes marked as _online_ when in reality
they're not connected.
- Add nodes on the main thread.
Per IP listed in the Address view, display the ASN that the IP belongs
to.
The user must have installed the package python3-pyasn.
If the ASN DB files exist under user's opensnitch directory, we'll try
to load them:
- ~/.config/opensnitch/ipasn_db.dat.gz
- ~/.config/opensnitch/asnames.json
Otherwise we'll try to load the one shipped with the python3-pyasn
package (/usr/lib/python3/dist-packages/data/ipasn_20140513_v12.dat.gz)
The package python3-pyasn provides 3 utils to download latest data:
- pyasn_util_download.py --latest
- pyasn_util_convert.py --single rib.20211230.1600.bz2 ~/.config/opensnitch/ipasn_db.dat
- gzip ~/.config/opensnitch/ipasn_db.dat
More info: https://github.com/hadiasghari/pyasn
- Allow to keep a maximum number of events in the db, purging oldest
every hour.
- Perform db operations on the thread that created the connection with
the DB, to avoid segfaults.
- VACUUM db on exit.
- New db index on the rules' field time.
- Order detail views by Time column correctly.
- Fixed rules editor to apply a rule to All nodes when there's more
than one node connected.
- Added options to apply rules to a node (#576).
On the Rules tab select one or more rules, right click on them ->
Apply to: <node>
Needed for create the python package correctly: python setup.py build
Otherwise the build does not copy directories/files without that file.
Reported here: #565
- Fixed key navigation, scrollbars positioning and resizing event.
- Delegate rows painting operation to data().
- Emit dataChanged() only when the visible rows have changed.
The GUI was not usable when there were thousands of records. It used to
get frozen while loading large amount of data, specially when using a DB
stored on disk. Besides, when entering in the details view of an event
it was not possible to filter records by text.
Changes:
- Load by default 50 records instead of all records returned by a query.
- Improved/fixed detail views' queries.
New:
- Allow to filter data in all views, including detail views.
- Allow to limit records in all views.
- Added a help button to display a ballon message with useful
information.
Fixes:
- selection jumping continuously to row 256 when there were more than
256 rows.
https://github.com/evilsocket/opensnitch/issues/565#issuecomment-997346990
Even without setting query limits, the GUI is more usable than before,
but it needs more work. WIP.
As events are received from the daemon, the list of events is reloaded,
and the selection of rows was lost.
This caused several side effects: difficulty to delete multiple rules,
as well as analyze listed events because they were reloaded constantly.
Now if a row is selected, the new events are not loaded until rows
selection is not cleared.
closes#560
We had 3 options to filter connections by domain:
- www.domain.com
- *domain.com
- *.domain.com
The second option was a workaround to allow filter domain.com
Now we handle last 2 situations with a single option(/regular expression).
closes#536
The custom postinst and prerm scripts were preventing to use debhelpers
helpers, which in turn were causing installation failures on SysV
systems and not enabling the daemon service.
Closes#558
Under certain conditions, when we dumped inodes via netlink, we were
linking network connections to wrong applications.
- To improve this situation:
1) Use netfilter's UID by default:
Sometimes the UID reported via netlink was different than the one
reported by libnetfilter. libnetfilter UID is always correct.
If you had a rule that filtered by UID, this problem could cause to
prompt you again to allow the connection.
2) Use the netlink entry that matches exactly the properties of an
outgoing connection:
There're some in-kernel sockets that doesn't match 1:1 outgoing
connections (daemon/netlink/socket.go#L22).
In order to identify the applications that initiate these network
connections we use a workaround. But under certain conditions
(source port reuse), we were associating connections to wrong
applications.
So in order to avoid this problem, if there's a 1:1 match use that
netlink entry. If not, fallback to the workaround.
- misc: added more logs to better debug these issues.
Fixed GUI loading behaviour when DE's autologin is on.
Background:
Sometimes the system tray is not available, so our app's icon
does not show up. In this case we show the GUI to allow the user
manage the rules and view connections.
If the user activated the autologin option, on KDE (and probably others)
our service was launched before the panel was ready, so the system tray was
not available yet and we were showing the Events window.
Changes:
- Delay 10s the check to see if the system tray is available, to give it
time to load.
- Add X-KDE-Autostart-after=panel to kcm_opensnitch.desktop, to launch
the GUI only after the panel is loaded.
- Misc: removed OpenSnitch entry from System Settings on KDE, and update
the categories where the app is shown in the menus.
Closes#535
On Fedora 34, without the appindicator extension installed, when the GUI
was displayed it crashed with the following error:
TypeError: index 0 has type 'float' but 'int' is expected.
related: #526
This change allows to filter connections by PID.
Others have referred to this feature as "filter connections for this
instance/session" or similar, so maybe a better wording is needed.
Open a new discussion or send a PR if you have a better sentence that
describe this option please.
* Allow to intercept some kernel connections
Some connections are initiated from kernel space, like WireGuard
VPNs (#454), NFS or SMB connections (#502) and ip tunnels (#500).
Note: This feature is complete for x86_64, WIP for aarch64, and not supported for armhf and i386
https://github.com/evilsocket/opensnitch/pull/513#issuecomment-924400824
More information regarding this change: #493
Don't overwrite rules when adding or editing rules, to avoid losing
already added rules.
- When adding a rule, check if there's already a rule with the same
name.
- After adding a new rule, enter into EDIT mode, to allow changes to the
rule without closing the dialog.
- If the user changes the name after adding a rule, check if there's a
rule with the same name.
- When editing a rule and the user changes the name, check if there's a
rule with the same name.
issue #512
- Added lists of IPs and network ranges. One per line. Blank lines or
lines that start with # are ignored.
- Added lists of domains with regular expressions. One per line.
Blank lines or lines that start with # are ignored.
Until now you could use regular expressions with the fields
"To this host" or "To this IP", to match multiple domains or IPs.
But if you wanted to use more than 2-3 domains or IPs it was not really
user friendly.
Hopefully we'll be a little more versatile to cover use cases like #461
and #485.
