evilsocket / opensnitch

OpenSnitch is a GNU/Linux interactive application firewall inspired by Little Snitch.
GNU General Public License v3.0
10.74k stars 498 forks

deny-network rule: panic: interface conversion: interface {} is net.IP, not string #333

Closed phil294 closed 3 years ago

phil294 commented 3 years ago

Hello,

Describe the bug: I was just getting to use opensnitch (it's awesome) and tried various rules, when "Status" in the UI somehow started saying "not running" even though the service was active. opensnitchd crashes and is not recoverable via UI.

To Reproduce All via UI:

Post error logs: journalctl -u opensnitchd:

Jan 16 19:09:35 pc opensnitchd[10903]: [2021-01-16 18:09:35]  INF  Loading rules from /etc/opensnitchd/rules ...
Jan 16 19:09:40 pc opensnitchd[10903]: panic: interface conversion: interface {} is net.IP, not string
Jan 16 19:09:40 pc opensnitchd[10903]: goroutine 27 [running]:
Jan 16 19:09:40 pc opensnitchd[10903]: github.com/evilsocket/opensnitch/daemon/rule.(*Operator).reCmp(0xc00055b318, 0x55d85bec55a0, 0xc0005e3c20, 0xc0005e3c20)
Jan 16 19:09:40 pc opensnitchd[10903]:         github.com/evilsocket/opensnitch/daemon/rule/operator.go:126 +0x16f
Jan 16 19:09:40 pc opensnitchd[10903]: github.com/evilsocket/opensnitch/daemon/rule.(*Operator).Match(0xc00055b318, 0xc0005fa400, 0xc000558300)
Jan 16 19:09:40 pc opensnitchd[10903]:         github.com/evilsocket/opensnitch/daemon/rule/operator.go:178 +0x31a
Jan 16 19:09:40 pc opensnitchd[10903]: github.com/evilsocket/opensnitch/daemon/rule.(*Rule).Match(...)
Jan 16 19:09:40 pc opensnitchd[10903]:         github.com/evilsocket/opensnitch/daemon/rule/rule.go:65
Jan 16 19:09:40 pc opensnitchd[10903]: github.com/evilsocket/opensnitch/daemon/rule.(*Loader).FindFirstMatch(0xc000566000, 0xc0005fa400, 0x0)
Jan 16 19:09:40 pc opensnitchd[10903]:         github.com/evilsocket/opensnitch/daemon/rule/loader.go:311 +0x125
Jan 16 19:09:40 pc opensnitchd[10903]: main.acceptOrDeny(0xc00159ff18, 0xc0005fa400, 0x0)
Jan 16 19:09:40 pc opensnitchd[10903]:         github.com/evilsocket/opensnitch/daemon/main.go:215 +0xa5
Jan 16 19:09:40 pc opensnitchd[10903]: main.onPacket(0x55d85bf0b200, 0xc000768000, 0x0, 0xc00073c5a0, 0x4000003d3)
Jan 16 19:09:40 pc opensnitchd[10903]:         github.com/evilsocket/opensnitch/daemon/main.go:193 +0x14e
Jan 16 19:09:40 pc opensnitchd[10903]: main.worker(0x0)
Jan 16 19:09:40 pc opensnitchd[10903]:         github.com/evilsocket/opensnitch/daemon/main.go:131 +0xc9
Jan 16 19:09:40 pc opensnitchd[10903]: created by main.setupWorkers
Jan 16 19:09:40 pc opensnitchd[10903]:         github.com/evilsocket/opensnitch/daemon/main.go:143 +0xe5
Jan 16 19:09:40 pc systemd[1]: opensnitchd.service: Main process exited, code=exited, status=2/INVALIDARGUMENT
Jan 16 19:09:40 pc systemd[1]: opensnitchd.service: Failed with result 'exit-code'.

If the daemon doesn't start:

Expected behavior (optional): The reason for all this is probably (?) that the updated regex IP needs to be written as operator.operand dest.ip but is instead saved as dest.network.

OS (please complete the following information):
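The trace above ends in a bare type assertion in reCmp: the operand value is an interface{} that, when the rule was saved with operand dest.network instead of dest.ip, holds a net.IP rather than a string, and a failed assertion of the form v.(string) panics. An unrecovered panic in one worker goroutine terminates the whole Go process, which is why systemd reports the service as failed and the UI shows "not running". The block below is an added example, not OpenSnitch's own code: the Operator and Connection types, their field names, and the "dest.ip"/"dest.network"/"dest.port" operand strings are assumptions for illustration. It shows the crashing form beside a checked form that reports an error for the one bad rule instead of taking the daemon down.

```go
package main

import (
	"fmt"
	"net"
	"regexp"
)

// Operator is a constructed miniature of a rule operator; the field names
// are assumptions for this example, not OpenSnitch's own types.
type Operator struct {
	Operand string // which connection field to test, e.g. "dest.ip" or "dest.network"
	Data    string // the regexp text from the rule file
	re      *regexp.Regexp
}

func NewOperator(operand, data string) (*Operator, error) {
	re, err := regexp.Compile(data)
	if err != nil {
		return nil, err
	}
	return &Operator{Operand: operand, Data: data, re: re}, nil
}

// Connection is a constructed stand-in for the packet being evaluated.
type Connection struct {
	DstIP   net.IP
	DstPort uint
}

// field returns the value a rule operand is compared against. As in the
// reported trace, "dest.ip" yields a string while "dest.network" yields a
// net.IP, so the dynamic type depends on which operand the UI saved.
func (c *Connection) field(operand string) interface{} {
	switch operand {
	case "dest.ip":
		return c.DstIP.String()
	case "dest.network":
		return c.DstIP
	case "dest.port":
		return fmt.Sprint(c.DstPort)
	}
	return nil
}

// unsafeReCmp is the crashing pattern: a bare type assertion panics with
// "interface conversion: interface {} is net.IP, not string" when v is a net.IP.
func unsafeReCmp(o *Operator, v interface{}) bool {
	return o.re.MatchString(v.(string))
}

// safeReCmp switches on the dynamic type instead, so an operand of an
// unexpected type yields an error rather than a panic.
func safeReCmp(o *Operator, v interface{}) (bool, error) {
	switch t := v.(type) {
	case string:
		return o.re.MatchString(t), nil
	case net.IP:
		return o.re.MatchString(t.String()), nil
	default:
		return false, fmt.Errorf("operand %s: cannot apply regexp to %T", o.Operand, v)
	}
}

// Match evaluates the operator and additionally recovers from any panic, so
// one malformed rule produces an error for that connection instead of
// killing the worker goroutine and, with it, the daemon.
func (o *Operator) Match(c *Connection) (matched bool, err error) {
	defer func() {
		if r := recover(); r != nil {
			matched, err = false, fmt.Errorf("rule %s=%q panicked: %v", o.Operand, o.Data, r)
		}
	}()
	return safeReCmp(o, c.field(o.Operand))
}

// BareAssertionPanics reports whether unsafeReCmp panics for the given
// operand on a constructed loopback connection.
func BareAssertionPanics(operand string) (panicked bool) {
	defer func() {
		if recover() != nil {
			panicked = true
		}
	}()
	o, err := NewOperator(operand, `^127\.`)
	if err != nil {
		return false
	}
	unsafeReCmp(o, (&Connection{DstIP: net.ParseIP("127.0.0.1")}).field(operand))
	return false
}

func main() {
	c := &Connection{DstIP: net.ParseIP("127.0.0.1"), DstPort: 443}
	for _, operand := range []string{"dest.ip", "dest.network"} {
		o, _ := NewOperator(operand, `^127\.`)
		m, err := o.Match(c)
		fmt.Printf("%-13s bare assertion panics=%v  checked match=%v err=%v\n",
			operand, BareAssertionPanics(operand), m, err)
	}
}
```

The recover in Match is a backstop, not the fix: the type switch is what makes the dest.network path correct, and the recover only guarantees that whatever else a rule file throws at the matcher is logged per connection rather than ending the process.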

gustavo-iniguez-goya commented 3 years ago

thank you @phil294, reproduced. I'll fix it soon.

In any case, what were you trying to achieve with that rule? I mean, 127.0.0.0/8 is the same as ^127.0.0.0, no? Any IP in the network range will start with 127, so there's no need to use a regexp.

phil294 commented 3 years ago

> thank you @phil294, reproduced. I'll fix it soon.
>
> In any case, what were you trying to achieve with that rule? I mean, 127.0.0.0/8 is the same as ^127.0.0.0, no? Any IP in the network range will start with 127, so there's no need to use a regexp.

Nice, thank you! The above IP addresses did not really mean anything. What I was trying to achieve was to allow all traffic from a process except for local IPs where I want to be asked. That's what I need regexp for. Don't yet know how to do this:

Allow
IP: *NOT* ^(127\.0\..*|192\.168\..*|::1)$

But I haven't looked into it any further. Except for the docs:

> However you can use negated chars classes. For example, block all outgoing connections, except those to localhost:
>
> [x] Action: deny [x] To this destination IP: [^:127.0.0.1:]

Are you sure about that? This regex only matches one single character that is not in 1270:., I think, and the rule would also allow for an IP like 123.456.789.1.

gustavo-iniguez-goya commented 3 years ago

ah, I see. mm, I think that we don't support this scenario at the moment. There's no way to negate a field like !127.0.0.1, or to be asked when a certain rule matches a connection.

Maybe you can filter by port, for example if the connections you want to allow usually go through the ports 80 and 443:

000-allow-my-program

Action: Allow
to this port: ^(80|443)$

then, you'll be prompted to allow/deny any other connection.

> Are you sure about that? This regex only matches one single character that is not in 1270:., I think, and the rule would also allow for an IP like 123.456.789.1.

I tested it a long time ago and as far as I can remember it worked, but can't tell you for sure now if it works.
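The two patterns discussed above, the documented `[^:127.0.0.1:]` class and the `^(80|443)$` port rule, can be checked directly with Go's regexp package, which is what a Go daemon would use. The block below is an added example and not OpenSnitch's code; it assumes the daemon applies a rule's regexp with regexp.MatchString (RE2 syntax, unanchored substring search), and the destination and port samples are constructed for the demonstration. A negated character class is a single-character test, so it fires on any address containing a character outside {:,1,2,7,0,.} and says nothing about 127.0.0.2, 10.0.0.1 or ::1; and an unanchored port alternation matches 8080 and 1443 as well as 80 and 443.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// matching returns the subset of values that pattern matches under Go's
// regexp.MatchString, i.e. RE2 syntax with an unanchored substring search.
func matching(pattern string, values []string) ([]string, error) {
	re, err := regexp.Compile(pattern)
	if err != nil {
		return nil, err
	}
	var hit []string
	for _, v := range values {
		if re.MatchString(v) {
			hit = append(hit, v)
		}
	}
	return hit, nil
}

// Constructed sample destinations and ports; they are not from the thread.
var sampleIPs = []string{
	"127.0.0.1", "127.0.0.2", "10.0.0.1", "172.16.0.1",
	"192.168.1.5", "::1", "93.184.216.34",
}
var samplePorts = []string{"80", "443", "8080", "1443", "22"}

func show(label, pattern string, values []string) {
	hit, err := matching(pattern, values)
	if err != nil {
		fmt.Printf("%q: bad regexp: %v\n", pattern, err)
		return
	}
	fmt.Printf("%-34q %s: %s\n", pattern, label, strings.Join(hit, " "))
}

func main() {
	// The documented "deny everything except localhost" class only tests for
	// one character outside {:,1,2,7,0,.}: 127.0.0.2, 10.0.0.1 and ::1 contain
	// no such character and are therefore never matched (never denied).
	show("denies", `[^:127.0.0.1:]`, sampleIPs)
	// Anchored literal: exactly the loopback address and nothing else.
	show("matches", `^127\.0\.0\.1$`, sampleIPs)
	// The allow-list from the thread, anchored so it cannot match a substring.
	show("matches", `^(127\.0\..*|192\.168\..*|::1)$`, sampleIPs)
	// Port rule with and without anchors: unanchored 80|443 also hits 8080 and 1443.
	show("allows", `80|443`, samplePorts)
	show("allows", `^(80|443)$`, samplePorts)
}
```

RE2 has no lookahead, so "anything except these addresses" cannot be written as one pattern at all; a rule that needs that semantics has to be expressed as a positive match plus rule ordering, or, as suggested above, by matching a different field such as the port, and the port pattern must be anchored or it widens the allow rule.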

gustavo-iniguez-goya commented 3 years ago

oops, I've realized that there's an error when a regexp is used on the dst ip/network field. I'll fix that as well.

gustavo-iniguez-goya commented 3 years ago

@phil294 I think both issues are fixed. I don't know if the manjaro package maintainer pulls latest changes from this repo, or if it only packages our releases. So if you can't or don't want to compile it, you'll have to wait to test it.

gustavo-iniguez-goya commented 3 years ago

I consider this issue fixed. Thank you for reporting it!