[1.6.0-1 manjaro] Allows traffic while Notification is showing #987
Closed
Description
Allows traffic while a notification is showing. default action is deny for everything
System:
- Kernel: 6.1.38-1-MANJARO
- KDE PLASMA Version: 5.27.6
- X11
- OpenSnitch 1.6.0-1
- Everything on latest versions via pamac-manager
Additional info:
Reports UI is not running or busy in logs during a notification
All processes waiting for notification, their traffic will be allowed
All rules work after notification has reached timeout or clicked deny/reject
All other pre-configured rules work during notification
Started after updating system with pamac:
[ALPM] upgraded opensnitch (1.5.8-2 -> 1.6.0-1)
[ALPM] warning: /etc/opensnitchd/default-config.json installed as /etc/opensnitchd/default-config.json.pacnew
ebpf is not supported by kernel after upgrade, so I'm forced to use proc
Logs & config:
�[2m[2023-07-10 23:38:00]�[0m �[97m�[41m ERR �[0m
unable to load eBPF module (opensnitch.o). Your kernel version (6.1.38-1-MANJARO) might not be compatible.
If this error persists, change process monitor method to 'proc'
�[2m[2023-07-10 23:38:00]�[0m �[97m�[41m ERR �[0m [eBPF]:
unable to load eBPF module (opensnitch.o). Your kernel version (6.1.38-1-MANJARO) might not be compatible.
If this error persists, change process monitor method to 'proc'
�[2m[2023-07-10 23:38:00]�[0m �[97m�[42m INF �[0m Process monitor method /proc
----
�[2m[2023-07-10 23:22:55]�[0m �[2m�[30m�[100m DBG �[0m new connection udp => 58666:192.168.1.21 -> 9.9.9.9 ():8443 uid: 62582, mark: 0
�[2m[2023-07-10 23:22:55]�[0m �[2m�[30m�[100m DBG �[0m [0/1] outgoing connection uid: 62582, 58666:192.168.1.21 -> 9.9.9.9:8443 || netlink response: 58666:192.168.1.21 -> 9.9.9.9:8443 inode: 48370 - loopback: false multicast: false unspecified: false linklocalunicast: false ifaceLocalMulticast: false GlobalUni: true
�[2m[2023-07-10 23:22:55]�[0m �[2m�[30m�[100m DBG �[0m new pid lookup took (3109): 3.53998ms
�[2m[2023-07-10 23:22:55]�[0m �[2m�[30m�[100m DBG �[0m [0] PID found 3109 [48370]
�[2m[2023-07-10 23:22:55]�[0m �[2m�[30m�[100m DBG �[0m new connection udp => 35058:192.168.1.21 -> 9.9.9.9 ():8443 uid: 62582, mark: 0
�[2m[2023-07-10 23:22:55]�[0m �[2m�[30m�[100m DBG �[0m [0/1] outgoing connection uid: 62582, 35058:192.168.1.21 -> 9.9.9.9:8443 || netlink response: 35058:192.168.1.21 -> 9.9.9.9:8443 inode: 46292 - loopback: false multicast: false unspecified: false linklocalunicast: false ifaceLocalMulticast: false GlobalUni: true
�[2m[2023-07-10 23:22:55]�[0m �[2m�[30m�[100m DBG �[0m Socket found in known pids 116.015µs, pid: 3109, inode: 46292, pos: 0, pids in cache: 1
�[2m[2023-07-10 23:22:55]�[0m �[2m�[30m�[100m DBG �[0m [0] PID found 3109 [46292]
�[2m[2023-07-10 23:22:55]�[0m �[2m�[30m�[100m DBG �[0m UI is not running or busy, connected: true, running: true
�[2m[2023-07-10 23:22:55]�[0m �[2m�[30m�[100m DBG �[0m new connection udp => 57469:192.168.1.21 -> 9.9.9.9 ():8443 uid: 62582, mark: 0
�[2m[2023-07-10 23:22:55]�[0m �[2m�[30m�[100m DBG �[0m [0/1] outgoing connection uid: 62582, 57469:192.168.1.21 -> 9.9.9.9:8443 || netlink response: 57469:192.168.1.21 -> 9.9.9.9:8443 inode: 48372 - loopback: false multicast: false unspecified: false linklocalunicast: false ifaceLocalMulticast: false GlobalUni: true
�[2m[2023-07-10 23:22:55]�[0m �[2m�[30m�[100m DBG �[0m Socket found in known pids 20.9µs, pid: 3109, inode: 48372, pos: 0, pids in cache: 1
�[2m[2023-07-10 23:22:55]�[0m �[2m�[30m�[100m DBG �[0m [0] PID found 3109 [48372]
�[2m[2023-07-10 23:22:55]�[0m �[2m�[30m�[100m DBG �[0m UI is not running or busy, connected: true, running: true
�[2m[2023-07-10 23:22:55]�[0m �[2m�[30m�[100m DBG �[0m new connection udp => 45180:192.168.1.21 -> 9.9.9.9 ():8443 uid: 62582, mark: 0
�[2m[2023-07-10 23:22:55]�[0m �[2m�[30m�[100m DBG �[0m [0/1] outgoing connection uid: 62582, 45180:192.168.1.21 -> 9.9.9.9:8443 || netlink response: 45180:192.168.1.21 -> 9.9.9.9:8443 inode: 46294 - loopback: false multicast: false unspecified: false linklocalunicast: false ifaceLocalMulticast: false GlobalUni: true
�[2m[2023-07-10 23:22:55]�[0m �[2m�[30m�[100m DBG �[0m Socket found in known pids 158.698µs, pid: 3109, inode: 46294, pos: 0, pids in cache: 1
�[2m[2023-07-10 23:22:55]�[0m �[2m�[30m�[100m DBG �[0m [0] PID found 3109 [46294]
�[2m[2023-07-10 23:22:55]�[0m �[2m�[30m�[100m DBG �[0m UI is not running or busy, connected: true, running: true
-------------------------------------
sudo cat /etc/opensnitchd/default-config.json
{
"Server": {
"Address": "unix:///tmp/osui.sock",
"LogFile": "/var/log/opensnitchd.log"
},
"DefaultAction": "deny",
"DefaultDuration": "once",
"InterceptUnknown": true,
"ProcMonitorMethod": "proc",
"LogLevel": 0,
"Firewall": "nftables",
"Stats": {
"MaxEvents": 150,
"MaxStats": 25
},
"LogUTC": true,
"LogMicro": false
}%
------------------------------------
sudo cat /etc/opensnitchd/default-config.json.pacnew
{
"Server":
{
"Address":"unix:///tmp/osui.sock",
"LogFile":"/var/log/opensnitchd.log"
},
"DefaultAction": "allow",
"DefaultDuration": "once",
"InterceptUnknown": false,
"ProcMonitorMethod": "ebpf",
"LogLevel": 2,
"LogUTC": true,
"LogMicro": false,
"Firewall": "nftables",
"Stats": {
"MaxEvents": 150,
"MaxStats": 25,
"Workers": 6
}
}
-----------------------------------
sudo cat /etc/opensnitchd/system-fw.json
{
"Enabled": true,
"Version": 1,
"SystemRules": [
{
"Rule": {
"Table": "mangle",
"Chain": "OUTPUT",
"UUID": "",
"Enabled": false,
"Position": "0",
"Description": "Allow icmp",
"Parameters": "-p icmp",
"Expressions": [
],
"Target": "ACCEPT",
"TargetParameters": ""
},
"Chains": [
]
},
{
"Rule": null,
"Chains": [
{
"Name": "forward",
"Table": "filter",
"Family": "inet",
"Priority": "",
"Type": "filter",
"Hook": "forward",
"Policy": "accept",
"Rules": [
]
},
{
"Name": "output",
"Table": "filter",
"Family": "inet",
"Priority": "",
"Type": "filter",
"Hook": "output",
"Policy": "accept",
"Rules": [
]
},
{
"Name": "input",
"Table": "filter",
"Family": "inet",
"Priority": "",
"Type": "filter",
"Hook": "input",
"Policy": "drop",
"Rules": [
{
"Table": "",
"Chain": "",
"UUID": "<removed for privacy>",
"Enabled": false,
"Position": "0",
"Description": "Allow SSH server connections when input policy is DROP",
"Parameters": "",
"Expressions": [
{
"Statement": {
"Op": "",
"Name": "tcp",
"Values": [
{
"Key": "dport",
"Value": "22"
}
]
}
}
],
"Target": "accept",
"TargetParameters": ""
},
{
"Table": "",
"Chain": "",
"UUID": "profile-drop-inbound-<removed for privacy>",
"Enabled": true,
"Position": "0",
"Description": "[profile-drop-inbound] allow localhost connections",
"Parameters": "",
"Expressions": [
{
"Statement": {
"Op": "",
"Name": "iifname",
"Values": [
{
"Key": "lo",
"Value": ""
}
]
}
}
],
"Target": "accept",
"TargetParameters": ""
},
{
"Table": "",
"Chain": "",
"UUID": "profile-drop-inbound-<removed for privacy>",
"Enabled": true,
"Position": "0",
"Description": "[profile-drop-inbound] allow established,related connections",
"Parameters": "",
"Expressions": [
{
"Statement": {
"Op": "",
"Name": "ct",
"Values": [
{
"Key": "state",
"Value": "related"
},
{
"Key": "state",
"Value": "established"
}
]
}
}
],
"Target": "accept",
"TargetParameters": ""
}
]
},
{
"Name": "filter-prerouting",
"Table": "nat",
"Family": "inet",
"Priority": "",
"Type": "filter",
"Hook": "prerouting",
"Policy": "accept",
"Rules": [
]
},
{
"Name": "prerouting",
"Table": "mangle",
"Family": "inet",
"Priority": "",
"Type": "mangle",
"Hook": "prerouting",
"Policy": "accept",
"Rules": [
]
},
{
"Name": "postrouting",
"Table": "mangle",
"Family": "inet",
"Priority": "",
"Type": "mangle",
"Hook": "postrouting",
"Policy": "accept",
"Rules": [
]
},
{
"Name": "prerouting",
"Table": "nat",
"Family": "inet",
"Priority": "",
"Type": "natdest",
"Hook": "prerouting",
"Policy": "accept",
"Rules": [
]
},
{
"Name": "postrouting",
"Table": "nat",
"Family": "inet",
"Priority": "",
"Type": "natsource",
"Hook": "postrouting",
"Policy": "accept",
"Rules": [
]
},
{
"Name": "input",
"Table": "nat",
"Family": "inet",
"Priority": "",
"Type": "natsource",
"Hook": "input",
"Policy": "accept",
"Rules": [
]
},
{
"Name": "output",
"Table": "nat",
"Family": "inet",
"Priority": "",
"Type": "natdest",
"Hook": "output",
"Policy": "accept",
"Rules": [
]
},
{
"Name": "output",
"Table": "mangle",
"Family": "inet",
"Priority": "",
"Type": "mangle",
"Hook": "output",
"Policy": "accept",
"Rules": [
{
"Table": "",
"Chain": "",
"UUID": "<removed for privacy>",
"Enabled": true,
"Position": "0",
"Description": "Allow ICMP",
"Parameters": "",
"Expressions": [
{
"Statement": {
"Op": "",
"Name": "icmp",
"Values": [
{
"Key": "type",
"Value": "echo-request"
},
{
"Key": "type",
"Value": "echo-reply"
}
]
}
}
],
"Target": "accept",
"TargetParameters": ""
},
{
"Table": "",
"Chain": "",
"UUID": "<removed for privacy>",
"Enabled": true,
"Position": "0",
"Description": "Allow ICMPv6",
"Parameters": "",
"Expressions": [
{
"Statement": {
"Op": "",
"Name": "icmpv6",
"Values": [
{
"Key": "type",
"Value": "echo-request"
},
{
"Key": "type",
"Value": "echo-reply"
}
]
}
}
],
"Target": "accept",
"TargetParameters": ""
},
{
"Table": "",
"Chain": "",
"UUID": "<removed for privacy>",
"Enabled": false,
"Position": "0",
"Description": "Exclude WireGuard VPN from being intercepted",
"Parameters": "",
"Expressions": [
{
"Statement": {
"Op": "",
"Name": "udp",
"Values": [
{
"Key": "dport",
"Value": "51820"
}
]
}
}
],
"Target": "accept",
"TargetParameters": ""
}
]
},
{
"Name": "forward",
"Table": "mangle",
"Family": "inet",
"Priority": "",
"Type": "mangle",
"Hook": "forward",
"Policy": "accept",
"Rules": [
{
"Table": "",
"Chain": "",
"UUID": "<removed for privacy>",
"Enabled": false,
"Position": "0",
"Description": "Intercept forwarded connections (docker, etc)",
"Parameters": "",
"Expressions": [
{
"Statement": {
"Op": "",
"Name": "ct",
"Values": [
{
"Key": "state",
"Value": "new"
}
]
}
}
],
"Target": "queue",
"TargetParameters": "num 0"
}
]
}
]
}
]
}
Metadata
Assignees
Labels
No labels