"$XDG_RUNTIME_DIR defines the base directory relative to which user-specific
non-essential runtime files and other file objects (such as sockets,
named pipes, ...) should be stored. The directory MUST be owned by the
user, and he MUST be the only one having read and write access to it.
Its Unix access mode MUST be 0700."
https://specifications.freedesktop.org/basedir-spec/basedir-spec-latest.html
Up until now some error and warning messages were only logged out to the
system, not allowing the user to know what was happening under the hood.
Now the following events are notified:
- eBPF related errors.
- netfilter queue errors.
- configuration errors.
WIP, we'll keep improving it and build new features on top of this one.
Up until now, the daemon communicated with the GUI via a unix socket,
stored in /tmp.
/tmp however can be erased at any time (tmpreaper, systemd-tmpfiles.d),
which may remove our unix socket file, and hence lose the
connection with the daemon.
Now the user has the option to store the socket file under
/run/user/$uid/opensnitch/
https://www.linuxbase.org/betaspecs/fhs/fhs.html#runRuntimeVariableData
In the future we may switch to this path by default.
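As an added illustration of the checks the XDG spec quoted above requires before a socket is placed under the runtime directory (this is example code, not OpenSnitch's own; it assumes Linux, where `fi.Sys()` is a `*syscall.Stat_t`, and the name `runtimeSocketDir` is hypothetical):

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
	"syscall"
)

// runtimeSocketDir validates a candidate runtime directory against the XDG
// basedir rules: it must exist, be a directory, be owned by uid and have
// mode exactly 0700. On success it returns the subdirectory to use for the
// daemon's unix socket; otherwise it reports which check failed so the
// caller can fall back to another location instead of trusting the path.
func runtimeSocketDir(base string, uid int) (string, error) {
	fi, err := os.Stat(base)
	if err != nil {
		return "", fmt.Errorf("runtime dir %q: %w", base, err)
	}
	if !fi.IsDir() {
		return "", fmt.Errorf("runtime dir %q is not a directory", base)
	}
	// Ownership is only visible through the platform-specific stat struct.
	st, ok := fi.Sys().(*syscall.Stat_t)
	if !ok {
		return "", fmt.Errorf("runtime dir %q: cannot determine owner", base)
	}
	if int(st.Uid) != uid {
		return "", fmt.Errorf("runtime dir %q owned by uid %d, want %d", base, st.Uid, uid)
	}
	// The spec demands exactly 0700, not merely "no access for others".
	if perm := fi.Mode().Perm(); perm != 0o700 {
		return "", fmt.Errorf("runtime dir %q has mode %#o, want 0700", base, perm)
	}
	return filepath.Join(base, "opensnitch"), nil
}

func main() {
	// Stand-alone use: check the caller's own $XDG_RUNTIME_DIR.
	dir, err := runtimeSocketDir(os.Getenv("XDG_RUNTIME_DIR"), os.Getuid())
	if err != nil {
		fmt.Println("not usable:", err)
		return
	}
	fmt.Println("socket dir:", dir)
}
```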
Build eBPF modules whenever a change to the modules is pushed.
It'll fail if there are some warnings.
The action compiles *and publishes* the modules for several branches and
kernels.
Hopefully this will help to automate this process and be more transparent.
It'll also help on issues like this one: #454
Added a helper to easily allow inbound connections, just by selecting
the port where a service is listening on.
Especially useful when the inbound policy is drop and you want to allow a
service (ssh, nfs, etc).
It's a good practice to filter by command line + process path (and
other parameters), to limit what an application can do.
Thus, if the user selects "from this command line", and the command
launched is not an absolute path to the binary, we'll create a rule
to filter by process path + process cmdline.
Added more options to filter connections by packets' metainformation.
Added: uid, gid, l4proto, protocol and priority.
+ When filtering connections by in/out interface, list the available
interfaces in the system, only if the selected node is local.
Added more options to match connections against packets metainformation:
skuid, skgid, l4proto, protocol
Fixed setting mark on packets via meta (although it results in an error
-> [invalid type]).
- Allow to set quotas on connections.
(For example: drop packets if transmitted bytes to port 443 and
ip 1.2.3.4 is over 1GB.)
- Allow to configure log levels.
- Better errors when adding/editing rules.
If the table family where we're adding a daddr/saddr is inet, we need to
specify the protocol of the IP being added.
Otherwise, when listing the rules they appear as:
@nh,128,32 3232235777 accept
instead of: daddr 192.168.1.111 accept
seen here: #704
Up until now we detected automatically if a rule was a regular
expression. But if the path or cmdline of a process had certain
characters (backslash), it was not easy to autodetect it, because the
backslash in particular is sent and received encoded (\\).
With this change the user will have to mark manually whether the
path/cmdline of a process is a regular expression or not.
Closes #706
- Get cmdline arguments from kernel along with the absolute path to the
binary.
If the cmdline has more than 20 arguments, or one of the arguments is
longer than 256 bytes, get it from ProcFS.
- Improved the method for stopping the ebpf monitor.
- TOP_EU_US_Ads_Trackers_HOST list is no longer available, and the new
list is not in hosts format.
- curben malware list moved to malware-filter.gitlab.io
- some improvements
Closes #695
Added option to reject new connections from the pop-ups:
- Configurable from the preferences, Default Action option.
- By default there are 2 buttons as always: Deny - Allow
- If the Default Action is Reject: Reject - Allow
- The Deny button now has an activatable menu, from where you can select
non-default options (ex: reject connections while the Default Action
is Allow/Deny).
Closes #613 #571