How to really enable all traffic for a specified user?

[Bogdan107]

I have config:

{
    "Server": {
        "Address": "unix:///tmp/osui.sock",
        "LogFile": "/var/log/opensnitchd.log"
    },
    "DefaultAction": "deny",
    "DefaultDuration": "once",
    "InterceptUnknown": true,
    "ProcMonitorMethod": "ebpf",
    "LogLevel": 2,
    "Firewall": "nftables",
    "Stats": {
        "MaxEvents": 150,
        "MaxStats": 25
    }
}

I have next rule:

{
  "created": "2022-07-02T19:56:53.341481525+03:00",
  "updated": "2022-07-02T19:56:53.341530552+03:00",
  "name": "user: wifi (allow: all)",
  "enabled": true,
  "precedence": true,
  "action": "allow",
  "duration": "always",
  "operator": {
    "type": "simple",
    "operand": "user.id",
    "sensitive": false,
    "data": "1003",
    "list": []
  }
}

But commands, like ping 1.1.1.1 and mtr -t 8.8.8.8 are fails.

The only one trigger - is rules:

# nft list table ip mangle 
table ip mangle {
        chain output {
                type route hook output priority mangle; policy accept;
                ct state related,new queue flags bypass to 0
        }
}
# nft list table ip6 mangle 
table ip6 mangle {
        chain output {
                type route hook output priority mangle; policy accept;
                ct state related,new queue flags bypass to 0
        }
}

If I remove it nft delete table ip mangle && nft delete table ip6 mangle, then ping and mtr are worked.
But them work less than a minute.
After maximum of one minute - opensnitch re-add this mangle rules and ping/mtr commands stop working.

I have Preferences/Nodes/Default action when GUI is disconnected = deny, but this option has no effect - ping/mtr are blocked in any position of this option.

How to really enable full access to network for a specified user?

[gustavo-iniguez-goya]

Hi @Bogdan107 ,

Your rule to allow everything from that user is correct, but the daemon only intercepts TCP, UDP and UDPLITE, so if the DefaultAction is deny, the rest of the protocols are denied.

In order to allow ICMP for example, your /etc/opensnitchd/system-fw.json should have a rule like this one:

opensnitch/daemon/system-fw.json

Line 156 in 7347afd

"Description": "Allow ICMP",

And there should be a rule added to the nftables ruleset:

$ sudo nft list ruleset

table inet mangle {
	chain prerouting {
		type filter hook prerouting priority mangle; policy accept;
	}

	chain output {
		type filter hook output priority mangle; policy accept;
>>>>>>>>	icmp type { echo-reply, echo-request } accept
                ct state related,new queue flags bypass to 0

[gustavo-iniguez-goya]

Take a look at the logs to see if there's any errors loading the rules.

It works on all the systems I tried out (ubuntu 16-22, devuan, fedora 34-36, debian 10-11, opensuse 15), so be sure that the icmp rule is added to nftables.

$ sudo nft list ruleset

table inet mangle {
	chain output {
		type filter hook output priority mangle; policy accept;
		icmp type { echo-reply, echo-request } accept
		icmpv6 type { echo-request, echo-reply } accept
		ct state related,new queue flags bypass to 0
	}
}

[Bogdan107]

Show info about OS:

$ cat /etc/os-release 
NAME=Gentoo
ID=gentoo
PRETTY_NAME="Gentoo/Linux"
ANSI_COLOR="0;38;2;60;110;180"
HOME_URL="https://www.gentoo.org/"
SUPPORT_URL="https://www.gentoo.org/support/"
BUG_REPORT_URL="https://bugs.gentoo.org/"

Show version of program:

$ opensnitchd  |  head -n1
[2022-07-05 06:21:29]  IMP  Starting opensnitch-daemon v1.5.1

List rules:

$ nft list table ip mangle  
table ip mangle {
        chain output {
                type route hook output priority mangle; policy accept;
                ct state related,new queue flags bypass to 0
        }
}

$ nft list table ip6 mangle
table ip6 mangle {
        chain output {
                type route hook output priority mangle; policy accept;
                ct state related,new queue flags bypass to 0
        }
}

$ nft list table inet mangle
Error: No such file or directory
list table inet mangle
                ^^^^^^

May be table mangle not filled because table does not exists? Try to add table.

$ nft add table inet mangle

$ rc-service opensnitch restart
opensnitch                | * Stopping opensnitch ...                                    [ ok ]
opensnitch                | * Starting opensnitch ...                                    [ ok ]

$ nft list table inet mangle
table inet mangle {
}

Table still clean... So, opensnitchd service does not add rules into the table mangle.

Logs:

$ tail -n 4 /var/log/opensnitchd.log
[2022-07-05 06:16:35]  IMP  Got signal: terminated
[2022-07-05 06:16:40]  WAR  queue stuck, closing by timeout
[2022-07-05 06:16:40]  WAR  Queue.destroy(), nfq_close() not closed: -1
[2022-07-05 06:16:40]  IMP  Start writing logs to /var/log/opensnitchd.log

[gustavo-iniguez-goya]

May be table mangle not filled because table does not exists? Try to add table.

No, the table must exist, so please, use the file from the repo, without modifying it and try again:

https://github.com/evilsocket/opensnitch/blob/master/daemon/system-fw.json

Notice that by default there're tables only for the inet family. So it looks like you customized the file system-fw.json . If that's the case, post it please.

On the other hand, set log level to DEBUG (/etc/opensnitchd/default-config.json LogLevel: 0), restart the daemon, and post the log file /var/log/opensnitchd.log)

[Bogdan107]

Prepare default config file:

cd /etc/opensnitchd;
[[ ! -f system-fw.json.bak ]] && \
  mv system-fw.json system-fw.json.bak && \
  wget https://github.com/evilsocket/opensnitch/raw/master/daemon/system-fw.json && \
  chmod 644 system-fw.json

Test with default config:

rc-service opensnitch stop;
rm /var/log/opensnitch.log;
rc-service opensnitch start;
sleep 3;
nft list table inet mangle;

# Check, that table 'inet mangle' still does not exists, even with default system-fw.json file.

rc-service opensnitch stop;
cat /var/log/opensnitchd.log | clear-color-codes > /var/log/opensnitchd.log.1

Log file without color codes:

[2022-07-06 12:20:17]  IMP  Start writing logs to /var/log/opensnitchd.log
[2022-07-06 12:20:18]  DBG  new pid lookup took (17027): 29.0432ms
[2022-07-06 12:20:18]  DBG  Socket found in known pids 77.451µs, pid: 17027, inode: 85521, pos: 0, pids in cache: 1
[2022-07-06 12:20:18]  DBG  new pid lookup took (17028): 26.519432ms
[2022-07-06 12:20:18]  DBG  Socket found in known pids 24.234µs, pid: 17028, inode: 83504, pos: 0, pids in cache: 2
[2022-07-06 12:20:18]  DBG  Socket found in known pids 161.398µs, pid: 17027, inode: 85498, pos: 1, pids in cache: 2
[2022-07-06 12:20:18]  DBG  new pid lookup took (11515): 18.026674ms
[2022-07-06 12:20:18]  DBG  new pid lookup took (453827): 5.113603ms
[2022-07-06 12:20:18]  DBG  new pid lookup took (11295): 26.437372ms
[2022-07-06 12:20:18]  DBG  new pid lookup took (16836): 27.097419ms
[2022-07-06 12:20:18]  DBG  Socket found in known pids 255.959µs, pid: 453827, inode: 2289731, pos: 2, pids in cache: 6
[2022-07-06 12:20:18]  DBG  new pid lookup took (9795): 22.767338ms
[2022-07-06 12:20:18]  DBG  Socket found in known pids 1.449855ms, pid: 17028, inode: 87359, pos: 6, pids in cache: 7
[2022-07-06 12:20:18]  DBG  Socket found in known pids 38.272µs, pid: 17028, inode: 87361, pos: 0, pids in cache: 7
[2022-07-06 12:20:18]  DBG  new pid lookup took (13141): 21.925151ms
[2022-07-06 12:20:18]  INF  Process monitor method ebpf
[2022-07-06 12:20:18]  INF  fw configuration loaded
[2022-07-06 12:20:18]  DBG  UI service poller started for socket /tmp/osui.sock
[2022-07-06 12:20:18]  INF  Using nftables firewall
[2022-07-06 12:20:18]  INF  Running on netfilter queue #0 ...
[2022-07-06 12:20:19]  INF  Connected to the UI service on /tmp/osui.sock
[2022-07-06 12:20:19]  INF  Start receiving notifications
[2022-07-06 12:20:20]  DBG  new connection tcp => 44182:127.0.0.1 -> 127.0.0.1:45735 uid: 43
[2022-07-06 12:20:20]  DBG  ✔ /usr/bin/tor -> 127.0.0.1:45735 (app: tor)
[2022-07-06 12:20:20]  DBG  new connection tcp => 57908:192.168.0.102 -> 62.238.150.56:3304 uid: 43
[2022-07-06 12:20:20]  DBG  ✔ /usr/bin/obfs4proxy -> 62.238.150.56:3304 (app: obfs4proxy from tor)
[2022-07-06 12:20:20]  DBG  new connection tcp => 57908:192.168.0.102 -> 62.238.150.56:3304 uid: 43
[2022-07-06 12:20:20]  DBG  ✔ /usr/bin/obfs4proxy -> 62.238.150.56:3304 (app: obfs4proxy from tor)

[2022-07-06 12:20:23]  IMP  Got signal: terminated
[2022-07-06 12:20:23]  INF  Cleaning up ...
[2022-07-06 12:20:23]  DBG  worker channel closed 6
[2022-07-06 12:20:23]  DBG  worker #6 exit
[2022-07-06 12:20:23]  DBG  worker channel closed 5
[2022-07-06 12:20:23]  DBG  worker #5 exit
[2022-07-06 12:20:23]  DBG  worker channel closed 4
[2022-07-06 12:20:23]  DBG  worker #4 exit
[2022-07-06 12:20:23]  DBG  worker channel closed 3
[2022-07-06 12:20:23]  DBG  worker #3 exit
[2022-07-06 12:20:23]  DBG  worker channel closed 8
[2022-07-06 12:20:23]  DBG  worker #8 exit
[2022-07-06 12:20:23]  DBG  worker channel closed 9
[2022-07-06 12:20:23]  DBG  worker #9 exit
[2022-07-06 12:20:23]  DBG  worker channel closed 14
[2022-07-06 12:20:23]  DBG  worker #14 exit
[2022-07-06 12:20:23]  DBG  worker channel closed 1
[2022-07-06 12:20:23]  DBG  worker #1 exit
[2022-07-06 12:20:23]  DBG  worker channel closed 7
[2022-07-06 12:20:23]  DBG  worker #7 exit
[2022-07-06 12:20:23]  DBG  worker channel closed 11
[2022-07-06 12:20:23]  DBG  worker #11 exit
[2022-07-06 12:20:23]  INF  iptables, stop monitoring system fw rules
[2022-07-06 12:20:23]  DBG  worker channel closed 12
[2022-07-06 12:20:23]  DBG  worker #12 exit
[2022-07-06 12:20:23]  DBG  worker channel closed 15
[2022-07-06 12:20:23]  DBG  worker #15 exit
[2022-07-06 12:20:23]  DBG  worker channel closed 2
[2022-07-06 12:20:23]  DBG  worker #2 exit
[2022-07-06 12:20:23]  DBG  worker channel closed 13
[2022-07-06 12:20:23]  DBG  worker #13 exit
[2022-07-06 12:20:23]  DBG  stop monitoring firewall config file
[2022-07-06 12:20:23]  DBG  worker channel closed 10
[2022-07-06 12:20:23]  DBG  worker #10 exit
[2022-07-06 12:20:23]  DBG  worker channel closed 0
[2022-07-06 12:20:23]  DBG  worker #0 exit
[2022-07-06 12:20:23]  INF  exit checking iptables rules
[2022-07-06 12:20:23]  DBG  [ebpf] tcp map: 0 active items
[2022-07-06 12:20:23]  DBG  [ebpf] tcp6 map: 0 active items
[2022-07-06 12:20:23]  DBG  [ebpf] udp map: 0 active items
[2022-07-06 12:20:23]  DBG  [ebpf] udp6 map: 0 active items
[2022-07-06 12:20:23]  INF  Client.poller() exit, Done()
[2022-07-06 12:20:23]  INF  uiClient exit

I do not see in log, that opensnitch daemon read system-fw.json file...

I have table inet from firewalld:

$ nft list tables      
table ip filter
table ip6 filter
table ip mangle
table ip6 mangle
table inet firewalld

May be opensnitch does not add rules because table inet already exists?

$ nft list chains inet | sort | grep mangle
        chain mangle_PRE_block {
        chain mangle_PRE_block_allow {
        chain mangle_PRE_block_deny {
        chain mangle_PRE_block_log {
        chain mangle_PRE_block_post {
        chain mangle_PRE_block_pre {
        chain mangle_PRE_drop {
        chain mangle_PRE_drop_allow {
        chain mangle_PRE_drop_deny {
        chain mangle_PRE_drop_log {
        chain mangle_PRE_drop_post {
        chain mangle_PRE_drop_pre {
        chain mangle_PRE_policy_allow-host-ipv6 {
        chain mangle_PRE_policy_allow-host-ipv6_allow {
        chain mangle_PRE_policy_allow-host-ipv6_deny {
        chain mangle_PRE_policy_allow-host-ipv6_log {
        chain mangle_PRE_policy_allow-host-ipv6_post {
        chain mangle_PRE_policy_allow-host-ipv6_pre {
        chain mangle_PRE_public {
        chain mangle_PRE_public_allow {
        chain mangle_PRE_public_deny {
        chain mangle_PRE_public_log {
        chain mangle_PRE_public_post {
        chain mangle_PRE_public_pre {
        chain mangle_PREROUTING {
        chain mangle_PREROUTING_POLICIES_post {
        chain mangle_PREROUTING_POLICIES_pre {
        chain mangle_PREROUTING_ZONES {

[Bogdan107]

I change to system-fw.json/SystemRules/Enabled:true, but result the same - table inet mangle does not filled.

[Bogdan107]

How to enable really ALL traffic for a specified user, not a part of non-TCP/UDP/UDPLITE traffic?

[gustavo-iniguez-goya]

it's not possible at the moment.

[Bogdan107]

This is architecture limitations or feature just not realized?
Does developers have plans to realize this feature (control all network traffic only over UI, without needs to modify config files)?

[RokeJulianLockhart]

#690 (reply in thread)

Perhaps request it as an FR at https://github.com/evilsocket/opensnitch/issues/new?assignees=&labels=feature&projects=&template=feature-request.md&title=%5BFeature+Request%5D+%3Ctitle%3E, @Bogdan107?