evilsocket / opensnitch

OpenSnitch is a GNU/Linux interactive application firewall inspired by Little Snitch.
GNU General Public License v3.0

No network connection when systemd-resolved is used #779

Closed gustavo-iniguez-goya closed 1 year ago

gustavo-iniguez-goya commented 1 year ago

Describe the bug

When systemd-resolved is used to resolve DNS queries, the internet connection may stop working.


To Reproduce

Install systemd-resolved. Default options.

Post error logs:

When this problem occurs, the following logs can be seen in DEBUG log level in /var/log/opensnitchd.log:

new connection tcp => 443:50.17.170.2 -> 192.168.1.101:41348 uid: 1000

The daemon receives a packet from the Mangle Output table with the fields swapped, as if it were a response from a connection.

Related bug reports

Some issues were reported in the past that could be related to this problem: #711

Workarounds

If the DstIP is a local address, swapping connection fields helps to identify the process and keep working as expected.

On the other hand, setting the DNS= parameter in /etc/systemd/resolved.conf to a DNS server also helps to work around this problem:

DNS=9.9.9.9

More info: https://github.com/systemd/systemd/issues/9243#issuecomment-536380474

This issue was already spotted by themighty1: https://github.com/evilsocket/opensnitch/blob/a45ba914e37d69ca94f18616d5d859a68ff54bd5/daemon/procmon/ebpf/find.go#L32-L39
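The field-swapping workaround described in the comment above, as an added Go example that is not opensnitch's own code: it parses the quoted "new connection" debug line and, when the destination is a local address and the source is not, swaps the tuple back before any process lookup. `parseConnLog`, `isLocalAddr` and `normalize` are hypothetical names, and the loopback/RFC 1918/link-local test is an assumption standing in for whatever notion of "local address" the daemon uses.

```go
package main

import (
	"fmt"
	"net"
	"strings"
)

// Conn is a simplified tuple; the daemon expects the local process's socket on the source side.
type Conn struct {
	Proto            string
	SrcIP, DstIP     net.IP
	SrcPort, DstPort string
}

// parseConnLog extracts the tuple from a debug line shaped like the one quoted in the
// issue. The left endpoint is written port:ip, the right one ip:port (IPv4, as logged).
func parseConnLog(line string) (Conn, error) {
	_, rest, ok := strings.Cut(line, "new connection ")
	f := strings.Fields(rest)
	if !ok || len(f) < 5 || f[1] != "=>" || f[3] != "->" {
		return Conn{}, fmt.Errorf("unexpected layout in %q", line)
	}
	l := strings.SplitN(f[2], ":", 2)      // "443:50.17.170.2"
	rh, rp, err := net.SplitHostPort(f[4]) // "192.168.1.101:41348"
	if len(l) != 2 || err != nil {
		return Conn{}, fmt.Errorf("bad endpoints in %q", line)
	}
	c := Conn{f[0], net.ParseIP(l[1]), net.ParseIP(rh), l[0], rp}
	if c.SrcIP == nil || c.DstIP == nil {
		return Conn{}, fmt.Errorf("unparseable IP in %q", line)
	}
	return c, nil
}

// isLocalAddr approximates "local address" with loopback/private/link-local ranges (an assumption).
func isLocalAddr(ip net.IP) bool {
	return ip.IsLoopback() || ip.IsPrivate() || ip.IsLinkLocalUnicast()
}

// normalize applies the workaround: a tuple whose destination is local and whose source is not
// arrived swapped (as if it were a reply), so swap it back. Both ends local: inconclusive, no change.
func normalize(c Conn) (Conn, bool) {
	if isLocalAddr(c.DstIP) && !isLocalAddr(c.SrcIP) {
		c.SrcIP, c.DstIP = c.DstIP, c.SrcIP
		c.SrcPort, c.DstPort = c.DstPort, c.SrcPort
		return c, true
	}
	return c, false
}
```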

gustavo-iniguez-goya commented 1 year ago

When this bug occurs, systemd-resolved stops writing debug messages:

dic 28 19:07:01 ono-sendai systemd-resolved[1866794]: varlink-24: Changing state pending-method → idle-server
dic 28 19:07:01 ono-sendai systemd-resolved[1866794]: Freeing transaction 36762.
dic 28 19:07:01 ono-sendai systemd-resolved[1866794]: varlink-24: Got POLLHUP from socket.
dic 28 19:07:01 ono-sendai systemd-resolved[1866794]: varlink-24: Changing state idle-server → pending-disconnect
dic 28 19:07:01 ono-sendai systemd-resolved[1866794]: varlink-24: Changing state pending-disconnect → processing-disconnect
dic 28 19:07:01 ono-sendai systemd-resolved[1866794]: varlink-24: Changing state processing-disconnect → disconnected

after several hours:

dic 28 21:26:32 ono-sendai systemd-resolved[1866794]: Got message type=method_call sender=:1.93692 destination=org.freedesktop.resolve1 path=/org/freedesktop/resolve1 interface=org.freedesktop.DBus.Properties member=GetAll cookie=2 reply_cookie=0 signature=s error-name=n/a error-message=n/a
dic 28 21:26:32 ono-sendai systemd-resolved[1866794]: Sent message type=method_return sender=n/a destination=:1.93692 path=n/a interface=n/a member=n/a cookie=1214 reply_cookie=2 signature=a{sv} error-name=n/a error-message=n/a

Chromium stops resolving domains (Debian). Firefox works fine, and resolvectl seems to resolve domains:

$ resolvectl query github.com
github.com: 140.82.121.4                       -- link: wlp3s0

Related systemd-resolved issues: https://github.com/systemd/systemd/issues/21174 , https://github.com/systemd/systemd/issues/21123

All in all, this problem doesn't seem to be caused by opensnitch. Closing.