Does opensnitch support nftables? #370

Closed
morfikov opened this issue Mar 19, 2021 · 10 comments

Comments

@morfikov

The opensnitch system daemon starts without issues:

# systemctl start opensnitch.service

Mar 19 16:53:39 morfikownia systemd[1]: Starting opensnitch.service...
Mar 19 16:53:39 morfikownia systemd[1]: Started opensnitch.service.
Mar 19 16:53:39 morfikownia opensnitchd[28623]: [2021-03-19 15:53:39]  IMP  Starting opensnitch-daemon v1.3.6
Mar 19 16:53:39 morfikownia opensnitchd[28623]: [2021-03-19 15:53:39]  INF  Loading rules from /etc/opensnitchd/rules ...

The GUI also works, but there's nothing there (just empty tables).
In the /var/log/opensnitchd.log file, I can see the following:

[2021-03-19 15:55:39]  IMP  Start writing logs to /var/log/opensnitchd.log
[2021-03-19 15:55:39]  ERR  Error while running firewall rule, ipv4 err: exit status 2
[2021-03-19 15:55:39]  ERR  rule: [-I INPUT --protocol udp --sport 53 -j NFQUEUE --queue-num 0 --queue-bypass]
[2021-03-19 15:55:39]  ERR  Error while running firewall rule, ipv6 err: exit status 2
[2021-03-19 15:55:39]  ERR  rule: [-I INPUT --protocol udp --sport 53 -j NFQUEUE --queue-num 0 --queue-bypass]
[2021-03-19 15:55:39]  ERR  Error while running DNS firewall rule: exit status 2 exit status 2

So it looks like it tries to put iptables rules and those aren't compatible with nftables. Is there anything that can be done here? Does opensnitch support nftables?

Opensnitch was installed via the deb package provided here on github. All other deps were installed from the Debian Sid official repo (the ones required to be installed via pip).

# cat /proc/version
Linux version 5.11.7-amd64 (morfik@morfikownia) (gcc (Debian 10.2.1-23) 10.2.1 20210312, GNU ld (GNU Binutils for Debian) 2.35.2) #10 SMP PREEMPT Fri Mar 19 15:37:49 CET 2021
@gustavo-iniguez-goya
Collaborator

I see that you use Debian 10.2. Unless something has changed, iptables is a symbolic link to nftables (iptables-nft) and should work just fine.
Can you check if the other rules have been inserted and that you have the package iptables installed? iptables -t mangle -L OUTPUT

Did you try to insert the problematic rule manually? iptables -I INPUT --protocol udp --sport 53 -j NFQUEUE --queue-num 0 --queue-bypass

@morfikov
Author

# iptables -t mangle -L OUTPUT
# Warning: iptables-legacy tables present, use iptables-legacy to see them
Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
opensnitch-filter-OUTPUT  all  --  anywhere             anywhere
mark-out   all  --  anywhere             anywhere

# iptables-legacy -t mangle -L OUTPUT
Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

# iptables -I INPUT --protocol udp --sport 53 -j NFQUEUE --queue-num 0 --queue-bypass
iptables v1.8.7 (nf_tables): unknown option "--sport"
Try `iptables -h' or 'iptables --help' for more information.

As you can see this doesn't work because I'm using nftables (the nft tool) to configure the FW, so the native nftables rules are required in this case.
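To make the situation above reproducible, here is a small diagnostic added for this write-up (not part of opensnitch; the function names are my own): it classifies the backend from `iptables -V`, spots the "iptables-legacy tables present" warning seen in the listing above, and emits the native nft equivalent of the DNS NFQUEUE rule the daemon could not insert.

```shell
#!/bin/sh
# Added diagnostic, not opensnitch code. Function names are assumptions.

# Classify the backend from an `iptables -V` line such as
# "iptables v1.8.7 (nf_tables)" or "iptables v1.8.7 (legacy)".
iptables_backend() {
  case "$1" in
    *'(nf_tables)'*) echo nf_tables ;;
    *'(legacy)'*)    echo legacy ;;
    *)               echo unknown ;;
  esac
}

# Return 0 when listing output carries the iptables-nft warning that
# legacy tables also exist (two active rule sets are easy to overlook).
# The warning is printed on stderr, so capture with 2>&1.
legacy_tables_present() {
  case "$1" in
    *'iptables-legacy tables present'*) return 0 ;;
    *) return 1 ;;
  esac
}

# Native nft equivalent of the rule the daemon failed to insert:
#   -I INPUT --protocol udp --sport 53 -j NFQUEUE --queue-num 0 --queue-bypass
# "bypass" lets DNS replies through if no userspace listener is on queue 0.
dns_queue_ruleset() {
  cat <<'EOF'
table inet opensnitch-dns {
  chain input {
    type filter hook input priority 0; policy accept;
    udp sport 53 queue num 0 bypass
  }
}
EOF
}

# Example run (the real commands need root):
#   iptables_backend "$(iptables -V)"
#   legacy_tables_present "$(iptables -t mangle -L OUTPUT 2>&1)" && echo "legacy tables present"
#   dns_queue_ruleset | nft -c -f -    # syntax check only, nothing is loaded
```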

@gustavo-iniguez-goya
Collaborator

nftables support is WIP, I hope to add it in the coming weeks.

@morfikov
Author

You can count on me to test it.

@gustavo-iniguez-goya
Collaborator

Added nftables support da23c82. If any of you can compile latest sources you can test it.

@morfikov
Author

morfikov commented Jun 8, 2021

It looks like some additional packages are needed to build opensnitch, which aren't packaged by debian. I think it needs the following:

https://github.com/google/nftables
https://github.com/iovisor/gobpf

So I'll have to build these manually. Does opensnitch need some other deps?

@gustavo-iniguez-goya
Collaborator

mmh, those deps are added to the go.mod file, how are you compiling it? If go build -o opensnitchd does not compile it, try it with go mod vendor; go build -o opensnitchd . from the daemon/ directory.

@morfikov
Author

morfikov commented Jun 8, 2021

Basically I get the following:

src/github.com/evilsocket/opensnitch/daemon/firewall/nftables/nftables.go:10:2: cannot find package "github.com/google/nftables" in any of:
        /usr/lib/go-1.15/src/github.com/google/nftables (from $GOROOT)
        /build/opensnitch-1.3.6+git20210607/_build/src/github.com/google/nftables (from $GOPATH)
src/github.com/evilsocket/opensnitch/daemon/firewall/nftables/rules.go:6:2: cannot find package "github.com/google/nftables/binaryutil" in any of:
        /usr/lib/go-1.15/src/github.com/google/nftables/binaryutil (from $GOROOT)
        /build/opensnitch-1.3.6+git20210607/_build/src/github.com/google/nftables/binaryutil (from $GOPATH)
src/github.com/evilsocket/opensnitch/daemon/firewall/nftables/rules.go:7:2: cannot find package "github.com/google/nftables/expr" in any of:
        /usr/lib/go-1.15/src/github.com/google/nftables/expr (from $GOROOT)
        /build/opensnitch-1.3.6+git20210607/_build/src/github.com/google/nftables/expr (from $GOPATH)
src/github.com/evilsocket/opensnitch/daemon/procmon/ebpf/debug.go:12:2: cannot find package "github.com/iovisor/gobpf/elf" in any of:
        /usr/lib/go-1.15/src/github.com/iovisor/gobpf/elf (from $GOROOT)
        /build/opensnitch-1.3.6+git20210607/_build/src/github.com/iovisor/gobpf/elf (from $GOPATH)

I'm using the Debian pbuilder/dpkg-buildpackage tools. So I have to install all needed deps manually before the build process starts. I'll try to make deb packages for the missing components.

@gustavo-iniguez-goya
Collaborator

Ah ok, then yes, you're right. I was using dh-golang + gbp to build the packages before adding eBPF support, but as the iovisor packages were not available in Debian I had to switch to dpkg-buildpackage + go mod vendor:

    # install dependencies
    apt install dh-golang protobuf-compiler etc ...
    # clone the repo
    git clone ...opensnitch.git
    cd opensnitch
    make protocol
    cd daemon; go mod vendor; cd ..
    dpkg-buildpackage -b -d

You'll need the eBPF module, by the way, and put it inside opensnitch/ebpf_prog/. If you don't compile it from sources you can get it from the deb packages (dpkg -x opensnitch_1.4.0.rc2-1_amd64.deb opns; ls opns/etc/opensnitchd/), or, if you installed the v1.4.0rc2 version, it'll be at /etc/opensnitchd/opensnitch.o.

@gustavo-iniguez-goya
Collaborator

nftables support added da23c82
