[Bug Report] OpenSnitch breaks DNS in Fedora 42 (eBPF incompatible with Kernel 6.14)
Hello everybody!
The issue appears to be related to the updated Kernel 6.14 and OpenSnitch (it was not present in 6.13).
Below is a detailed report.
Describe the bug:
If OpenSnitch works in eBPF mode on Fedora 42 (Kernel 6.14), the system cannot resolve DNS after boot.
Restarting the systemd-resolved service resolves the issue. Alternatively, changing the method to proc also resolves the issue.
Discussion at Fedora here
Bugzilla RedHat bug 2361468
Connected to that? #1340
- OpenSnitch version: 1.7.0-rc.2
- OS: Fedora Workstation
- OS version: 42
- Window Manager: KDE Plasma
- Kernel version:
Linux fedora 6.14.5-300.fc42.x86_64 #1 SMP PREEMPT_DYNAMIC Fri May 2 14:16:46 UTC 2025 x86_64 GNU/Linux(lockdown=integrity)
To Reproduce:
Steps to reproduce the behavior (100% reproducible):
- Install/Upgrade to Fedora 42
- Install OpenSnitch
- Boot the system
- DNS resolution will not work after boot
- Restart the systemd-resolved service using "systemctl restart systemd-resolved"
- DNS resolution should now be working.
Post error logs:
I'm sometimes able to find it in opensnitch's logs, but it's not persistent:
DBG Rules watcher started on path /etc/opensnitchd/rules ...
DBG [eBPF] trying to load /usr/local/lib/opensnitchd/ebpf/opensnitch-dns.o
DBG [eBPF] trying to load /usr/lib/opensnitchd/ebpf/opensnitch-dns.o
INF Running on netfilter queue #0 ...
DBG [DNS] systemd-resolved monitor response error: &{ [] [] false}
DBG [eBPF] trying to load /etc/opensnitchd/opensnitch-dns.o
WAR [eBPF DNS]: unable to load eBPF module (opensnitch-dns.o). Your kernel version (6.14.5-300.fc42.x86_64) might not be compatible. If this error persists, change process monitor method to 'proc'
WAR EBPF-DNS: Unable to attach ebpf listener: unable to load eBPF module (opensnitch-dns.o). Your kernel version (6.14.5-300.fc42.x86_64) might not be compatible. If this error persists, change process monitor method to 'proc'
>> More logs <<
opensnitchd -check-requirements
Checking system requirements for kernel version 6.14.5-300.fc42.x86_64
Checking => CONFIG_KPROBES=y
Checking => CONFIG_KPROBES_ON_FTRACE=y
Checking => CONFIG_HAVE_KPROBES=y
Checking => CONFIG_HAVE_KPROBES_ON_FTRACE=y
Checking => CONFIG_KPROBE_EVENTS=y
* kprobes ✔
Checking => CONFIG_UPROBES=y
Checking => CONFIG_UPROBE_EVENTS=y
* uprobes ✔
Checking => CONFIG_FTRACE=y
* ftrace ✔
Checking => CONFIG_HAVE_SYSCALL_TRACEPOINTS=y
Checking => CONFIG_FTRACE_SYSCALLS=y
* syscalls ✔
Checking => CONFIG_NETFILTER_NETLINK_QUEUE=[my]
Checking => CONFIG_NFT_QUEUE=[my]
Checking => CONFIG_NETFILTER_XT_TARGET_NFQUEUE=[my]
* nfqueue ✔
Checking => CONFIG_NETFILTER_NETLINK=[my]
Checking => CONFIG_NETFILTER_NETLINK_QUEUE=[my]
Checking => CONFIG_NETFILTER_NETLINK_ACCT=[my]
Checking => CONFIG_PROC_EVENTS=[my]
* netlink ✔
Checking => CONFIG_INET_DIAG=[my]
Checking => CONFIG_INET_TCP_DIAG=[my]
Checking => CONFIG_INET_UDP_DIAG=[my]
Checking => CONFIG_INET_DIAG_DESTROY=[my]
* net diagnostics ✔
opensnitchd -debug
[2025-05-12 20:31:40] IMP Starting opensnitch-daemon v1.7.0
[2025-05-12 20:31:40] WAR Error loading network aliases: open /etc/opensnitchd/network_aliases.json: no such file or directory
[2025-05-12 20:31:40] INF Loading network aliases from /etc/opensnitchd/network_aliases.json
[2025-05-12 20:31:40] !!! Error loading configuration /etc/opensnitchd/default-config.json: open /etc/opensnitchd/default-config.json: permission denied
objdump -h /usr/lib/opensnitchd/ebpf/opensnitch-dns.o
/usr/lib/opensnitchd/ebpf/opensnitch-dns.o: file format elf64-bpfle
Sections:
Idx Name Size VMA LMA File off Algn
0 .text 00000000 0000000000000000 0000000000000000 00000040 2**2
CONTENTS, ALLOC, LOAD, READONLY, CODE
1 uretprobe/gethostbyname 00008a10 0000000000000000 0000000000000000 00000040 2**3
CONTENTS, ALLOC, LOAD, RELOC, READONLY, CODE
2 uprobe/getaddrinfo 000001d0 0000000000000000 0000000000000000 00008a50 2**3
CONTENTS, ALLOC, LOAD, RELOC, READONLY, CODE
3 uretprobe/getaddrinfo 000040d0 0000000000000000 0000000000000000 00008c20 2**3
CONTENTS, ALLOC, LOAD, RELOC, READONLY, CODE
4 maps/addrinfo_args_hash 00000118 0000000000000000 0000000000000000 0000ccf0 2**2
CONTENTS, ALLOC, LOAD, DATA
5 maps/events 00000118 0000000000000000 0000000000000000 0000ce08 2**2
CONTENTS, ALLOC, LOAD, DATA
6 license 00000004 0000000000000000 0000000000000000 0000cf20 2**0
CONTENTS, ALLOC, LOAD, DATA
7 version 00000004 0000000000000000 0000000000000000 0000cf24 2**2
CONTENTS, ALLOC, LOAD, DATA
8 .debug_loc 000078b0 0000000000000000 0000000000000000 0000cf28 2**0
CONTENTS, RELOC, READONLY, DEBUGGING, OCTETS
9 .debug_abbrev 00000166 0000000000000000 0000000000000000 000147d8 2**0
CONTENTS, READONLY, DEBUGGING, OCTETS
10 .debug_info 00000888 0000000000000000 0000000000000000 0001493e 2**0
CONTENTS, RELOC, READONLY, DEBUGGING, OCTETS
11 .debug_ranges 000017c0 0000000000000000 0000000000000000 000151c6 2**0
CONTENTS, RELOC, READONLY, DEBUGGING, OCTETS
12 .debug_str 0000053e 0000000000000000 0000000000000000 00016986 2**0
CONTENTS, READONLY, DEBUGGING, OCTETS
13 .BTF 00000f27 0000000000000000 0000000000000000 00016ec4 2**0
CONTENTS, RELOC, READONLY
14 .BTF.ext 0000ac50 0000000000000000 0000000000000000 00017deb 2**0
CONTENTS, RELOC, READONLY
15 .eh_frame 00000070 0000000000000000 0000000000000000 00022a40 2**3
CONTENTS, ALLOC, LOAD, RELOC, READONLY, DATA
16 .debug_line 00003d2b 0000000000000000 0000000000000000 00022ab0 2**0
CONTENTS, RELOC, READONLY, DEBUGGING, OCTETS
Appreciate any support!
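
A log triage helper for the failure quoted in this report, added here as an example (it is not OpenSnitch code and not part of the original post). It strips the terminal colour codes, collects every path the daemon tried for each eBPF module, and reports the modules whose load failed together with the kernel version named in the warning. The function name `triage` and the sample log are constructed for illustration.

```python
import re

# ANSI colour codes, with or without the ESC byte (copy/paste often drops it).
ANSI = re.compile(r"\x1b?\[\d+(?:;\d+)*m")
# "[eBPF] trying to load <path>" debug lines, as quoted in the report.
TRY = re.compile(r"\[eBPF\] trying to load (\S+)")
# Load-failure warning, as quoted in the report: module name and kernel version.
FAIL = re.compile(
    r"unable to load eBPF module \(([^)]+)\)\. Your kernel version \(([^)]+)\)"
)

# Constructed sample in the format of the log lines in the report.
# The first line keeps its ESC bytes; the others have lost them.
SAMPLE = (
    "\x1b[0m\x1b[2m\x1b[30m\x1b[100m DBG \x1b[0m [eBPF] trying to load "
    "/usr/local/lib/opensnitchd/ebpf/opensnitch-dns.o\n"
    "[0m [2m [30m[100m DBG [0m [eBPF] trying to load "
    "/usr/lib/opensnitchd/ebpf/opensnitch-dns.o\n"
    "[0m [97m [42m INF [0m Running on netfilter queue #0 ...\n"
    "[0m [2m [30m[100m DBG [0m [eBPF] trying to load "
    "/etc/opensnitchd/opensnitch-dns.o\n"
    "[0m [97m [43m WAR [0m [eBPF DNS]: unable to load eBPF module "
    "(opensnitch-dns.o). Your kernel version (6.14.5-300.fc42.x86_64) "
    "might not be compatible.\n"
    "[0m [97m [43m WAR [0m EBPF-DNS: Unable to attach ebpf listener: "
    "unable to load eBPF module (opensnitch-dns.o). Your kernel version "
    "(6.14.5-300.fc42.x86_64) might not be compatible.\n"
)


def triage(log_text):
    """Return one record per eBPF module that failed to load."""
    tried = {}   # module file name -> paths attempted, in log order
    failed = {}  # module file name -> kernel version from the warning
    for raw in log_text.splitlines():
        line = ANSI.sub("", raw).strip()
        attempt = TRY.search(line)
        if attempt:
            path = attempt.group(1)
            paths = tried.setdefault(path.rsplit("/", 1)[-1], [])
            if path not in paths:
                paths.append(path)
        failure = FAIL.search(line)
        if failure:
            # The same failure is logged twice; the dict keeps one entry.
            failed[failure.group(1)] = failure.group(2)
    return [
        {"module": mod, "kernel": kern, "paths_tried": tried.get(mod, [])}
        for mod, kern in failed.items()
    ]


if __name__ == "__main__":
    for record in triage(SAMPLE):
        print(record)
```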