Can't figure out why a rule is being ignored. · evilsocket/opensnitch · Discussion #646

I set the settings for the log, restarted opensnitch, and checked the log, and I saw this:
[2022-03-31 17:23:15] IMP Start writing logs to /var/log/opensnitchd.log
[2022-03-31 17:23:15] ERR eBPF Failed to load /etc/opensnitchd/opensnitch.o: open /etc/opensnitchd/opensnitch.o: no such file or directory
[2022-03-31 17:23:15] WAR error starting ebpf monitor method: open /etc/opensnitchd/opensnitch.o: no such file or directory
[2022-03-31 17:23:15] WAR Unable to set new process monitor method from disk: open /etc/opensnitchd/opensnitch.o: no such file or directory

And it's right: /etc/opensnitchd/opensnitch.o doesn't exist. But I was confused, because it claims it's having trouble with eBPF, and I've had it set to proc for a long while... but /etc/opensnitchd/default-config.json begs to differ:
"ProcMonitorMethod": "ebpf",
Should I just manually modify this to say "proc"?
Any idea why this wouldn't update, when my settings look like this:
[screenshot]
...and have for some time?

I'm a bit baffled at this point.

Update:
Uploaded full default-config file, and after messing with things for a bit, I've found that my settings always report that "proc" is the "process monitor method", but that other settings like "default duration" reset in the GUI to report the (incorrect) value from default-config.json.

Still very confused. Any and all help would be greatly appreciated. Sorry if I'm being stupid, and thank you for all your help thus far.

Update 2:
I realized that the AUR Git version of the eBPF module was compatible with the mainline opensnitch release, so I reinstalled eBPF and changed the settings in the GUI to match (not that it seems that should've mattered). I also added .*\.com as the third line in the allowlist, but still got this:
[screenshot]
Back under the "Events" tab, which tells me the rule is somehow not working correctly.
If you have any ideas as to why that might be, I'd also greatly appreciate it.

Here are the log lines I got after switching back to eBPF:
[2022-03-31 18:04:25] IMP Got signal: terminated
[2022-03-31 18:04:31] WAR queue stuck, closing by timeout
[2022-03-31 18:04:31] WAR Queue.destroy(), nfq_close() not closed: -1
I couldn't make much of them, but I'm betting you can, and hoping that the termination they refer to is perhaps the reason for the rule not working properly.

Also, after reinstalling the eBPF module, the default-config file updated itself so that "DefaultAction" and "DefaultDuration" matched what I set in the GUI. I think whatever was causing it to think that the eBPF module was still installed was preventing those settings (including "ProcMonitorMethod") from updating correctly, but at this point, that's a separate issue from the one preventing my allowlist rule from running properly.

Sorry for bombarding you with information, I'd just really like to get this solved after weeks of trying (and failing) to sort it out myself, and I know you are most likely of anyone to have the answers I need.
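The check a practitioner would run before assuming the daemon is broken is to test the rule's pattern against the destination strings the Events tab actually shows. The following is an added example and is not code from the post or from the opensnitch project; it is a simplified stand-in for rule matching (the `Rule`/`Event` types, the `Matches` and `Explain` helpers, and the constructed events are assumptions made here, not the daemon's own types). It uses Go's `regexp` package, whose `MatchString` is unanchored, so a pattern like `.*\.com` matches anywhere in the string unless it is anchored with `^`/`$`. It also shows the case where a `dest.host` rule cannot match at all: an event that carries only an IP and no hostname.

```go
package main

import (
	"fmt"
	"regexp"
)

// Rule is a simplified stand-in for the fields of a host-based firewall rule
// that matter for matching. Assumption for this example, not the daemon's type.
type Rule struct {
	Name    string
	Action  string // "allow" or "deny"
	Operand string // which event field the rule inspects: "dest.host", "dest.ip", "process.path"
	Type    string // "simple" (exact string) or "regexp"
	Data    string // the value or pattern to compare against
}

// Event is a constructed stand-in for one connection as listed in an Events view.
// DestHost is empty when no hostname was associated with the destination.
type Event struct {
	Process  string
	DestHost string
	DestIP   string
}

// operandValue picks the event field that a rule operand refers to.
func operandValue(ev Event, operand string) string {
	switch operand {
	case "dest.host":
		return ev.DestHost
	case "dest.ip":
		return ev.DestIP
	case "process.path":
		return ev.Process
	}
	return ""
}

// Matches reports whether the rule applies to the event. For "regexp" rules the
// match is unanchored (Go regexp semantics): ".*\.com" matches any string that
// contains ".com" anywhere, including "foo.community".
func Matches(r Rule, ev Event) (bool, error) {
	v := operandValue(ev, r.Operand)
	switch r.Type {
	case "simple":
		return v == r.Data, nil
	case "regexp":
		re, err := regexp.Compile(r.Data)
		if err != nil {
			return false, err
		}
		return re.MatchString(v), nil
	}
	return false, fmt.Errorf("unknown operator type %q", r.Type)
}

// Explain returns a human-readable verdict, calling out the common failure mode
// where a dest.host rule is tested against an event that has no hostname at all.
func Explain(r Rule, ev Event) string {
	ok, err := Matches(r, ev)
	if err != nil {
		return "invalid rule: " + err.Error()
	}
	if ok {
		return "matched -> " + r.Action
	}
	if r.Operand == "dest.host" && ev.DestHost == "" {
		return "no match: event has no hostname (only " + ev.DestIP + "); a dest.host rule cannot match it"
	}
	return fmt.Sprintf("no match: %q does not match %q", operandValue(ev, r.Operand), r.Data)
}

func main() {
	// The pattern from the post, as a dest.host regexp rule.
	rule := Rule{Name: "allow .com", Action: "allow", Operand: "dest.host", Type: "regexp", Data: `.*\.com`}
	// Constructed sample events, not real captures.
	events := []Event{
		{Process: "/usr/bin/curl", DestHost: "example.com", DestIP: "93.184.216.34"},
		{Process: "/usr/bin/curl", DestHost: "", DestIP: "93.184.216.34"},      // only an IP was seen
		{Process: "/usr/bin/curl", DestHost: "foo.community", DestIP: "10.0.0.5"}, // unanchored ".com" hit
	}
	for _, ev := range events {
		fmt.Printf("%-15s host=%q ip=%s: %s\n", ev.Process, ev.DestHost, ev.DestIP, Explain(rule, ev))
	}
}
```

Two things fall out of running this: an event with an empty host will never match a `dest.host` rule regardless of the pattern, and `.*\.com` is broader than it looks, so a pattern meant to allow only `.com` destinations should end with `\.com$`.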