difficulty packaging the 1.7.0.0 update · evilsocket/opensnitch · Discussion #1356
I recently started work on the 1.7.0.0 update for opensnitch.
I have bisected opensnitch since merge base between 1.6.9 and 1.7.0.0, and found the first failing commit is ffb7668.
Commenting out the part that gives the config-defined ebpf module preference

```go
if path != "" {
	paths = []string{path}
}
```

does make it work, and this has me very very confused.
Adding a logger entry there reveals path is `/nix/store/9zfg9wqmx408nbza8h81cka7yzpsfxlj-opensnitch_ebpf-1.6.9-merge-6.12.31/etc/opensnitchd`, which contains the files `opensnitch-dns.o`, `opensnitch-procs.o`, and `opensnitch.o`. However, later opensnitch throws an error: `[eBPF DNS]: Module not found (opensnitch-dns.o) in any of the paths` (with the path in there set), and soon after a warning `EBPF-DNS: Unable to attach ebpf listener: Module not found (opensnitch-dns.o) in any of the paths`. It then goes on to fail our VM test.
Notably, only the ebpf tests fail. Also notable, the exact same setup worked on opensnitch 1.6.9. And lastly: setting `Ebpf.ModulesPath` to an empty string also works (including on the final 1.7.0.0 release), suggesting ebpf is being pulled from somewhere else. I am not exactly sure what I am missing here. Indeed, "just making tests work" would work, I suppose. But the goal is to "do it properly", and unsetting the module path feels wrong.
Working config (1.7.0.0):
```json
{
  "DefaultAction": "deny",
  "DefaultDuration": "once",
  "Ebpf": {
    "EventsWorkers": 8,
    "ModulesPath": "",
    "QueueEventsSize": 0
  },
  "Firewall": "nftables",
  "FwOptions": {
    "ConfigPath": "/etc/opensnitchd/system-fw.json",
    "MonitorInterval": "15s",
    "QueueBypass": true
  },
  "InterceptUnknown": false,
  "Internal": {
    "FlushConnsOnStart": true,
    "GCPercent": 100
  },
  "LogLevel": 4,
  "LogMicro": false,
  "LogUTC": true,
  "ProcMonitorMethod": "ebpf",
  "Rules": {
    "EnableChecksums": false,
    "Path": "/etc/opensnitchd/rules/"
  },
  "Server": {
    "Address": "unix:///tmp/osui.sock",
    "Authentication": { "Type": "simple" },
    "LogFile": "/dev/stdout"
  },
  "Stats": {
    "MaxEvents": 250,
    "MaxStats": 25,
    "Workers": 6
  }
}
```
Working config (1.6.9, broken on 1.7.0.0):
```json
{
  "DefaultAction": "deny",
  "DefaultDuration": "once",
  "Ebpf": {
    "EventsWorkers": 8,
    "ModulesPath": "/nix/store/7483vclalibdqkraxwnvb33pp71qxraw-opensnitch_ebpf-1.7.0.0-6.12.31/etc/opensnitchd",
    "QueueEventsSize": 0
  },
  "Firewall": "nftables",
  "FwOptions": {
    "ConfigPath": "/etc/opensnitchd/system-fw.json",
    "MonitorInterval": "15s",
    "QueueBypass": true
  },
  "InterceptUnknown": false,
  "Internal": {
    "FlushConnsOnStart": true,
    "GCPercent": 100
  },
  "LogLevel": 2,
  "LogMicro": false,
  "LogUTC": true,
  "ProcMonitorMethod": "ebpf",
  "Rules": {
    "EnableChecksums": false,
    "Path": "/etc/opensnitchd/rules/"
  },
  "Server": {
    "Address": "unix:///tmp/osui.sock",
    "Authentication": { "Type": "simple" },
    "LogFile": "/dev/stdout"
  },
  "Stats": {
    "MaxEvents": 250,
    "MaxStats": 25,
    "Workers": 6
  }
}
```
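
A diagnostic sketch of the lookup semantics the quoted snippet implies, added here as an example; it is not part of the original post and not opensnitch's own code. It shows which directory each module would resolve from when `ModulesPath` is set versus empty. Assumptions: the fallback directories are constructed for illustration, the `MODULES_PATH` environment variable is hypothetical, and only file presence is checked, not whether the kernel accepts the object.

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
)

// candidatePaths mirrors the quoted snippet: a non-empty configured path replaces the fallbacks.
func candidatePaths(configured string, fallbacks []string) []string {
	if configured != "" {
		return []string{configured}
	}
	return fallbacks
}

// probe returns the first candidate directory holding module as a regular
// file ("" if none) plus one report line per directory examined.
func probe(module, configured string, fallbacks []string) (string, []string) {
	found := ""
	var report []string
	for _, dir := range candidatePaths(configured, fallbacks) {
		full := filepath.Join(dir, module)
		info, err := os.Stat(full) // follows symlinks
		switch {
		case err != nil:
			report = append(report, fmt.Sprintf("%s: %v", full, err))
		case !info.Mode().IsRegular():
			report = append(report, fmt.Sprintf("%s: not a regular file", full))
		default:
			report = append(report, fmt.Sprintf("%s: present, %d bytes", full, info.Size()))
			if found == "" {
				found = dir
			}
		}
	}
	return found, report
}

func main() {
	// Constructed fallback list; the daemon's real defaults are not shown in the post.
	fallbacks := []string{"/usr/lib/opensnitchd/ebpf", "/etc/opensnitchd"}
	for _, m := range []string{"opensnitch.o", "opensnitch-dns.o", "opensnitch-procs.o"} {
		dir, report := probe(m, os.Getenv("MODULES_PATH"), fallbacks) // MODULES_PATH: hypothetical
		fmt.Printf("%s -> %q\n", m, dir)
		for _, r := range report {
			fmt.Printf("  %s\n", r)
		}
	}
}
```

If every module reports as present under the configured path while the daemon still logs "not found", the failure lies after the existence check rather than in the path itself.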