evilsocket / opensnitch

OpenSnitch is a GNU/Linux interactive application firewall inspired by Little Snitch.
GNU General Public License v3.0

Opensnitch log has failed netlink entries every 15 seconds (like #688) #781

Closed cthulhubuddha closed 1 year ago

cthulhubuddha commented 1 year ago

PopOS 22.04, Opensnitch 1.6.0-rc.3-1

I am troubleshooting why regex domain lists are not working and have found these log entries appearing every 15 seconds, thinking it may be related. Using GUI for configuring. Issue #688 exists but was never resolved, here's a debug log sample:

[2022-12-21 16:05:28]  DBG  [ebpf] tcp map: 13 active items
[2022-12-21 16:05:28]  DBG  [ebpf] tcp6 map: 2 active items
[2022-12-21 16:05:28]  DBG  [ebpf] udp map: 373 active items
[2022-12-21 16:05:28]  DBG  [ebpf] udp6 map: 473 active items
[2022-12-21 16:05:32]  WAR  nfables filter rules not loaded: 1
[2022-12-21 16:05:32]  IMP  nftables firewall rules changed, reloading
[2022-12-21 16:05:32]  INF  exit checking firewall rules
[2022-12-21 16:05:33]  DBG  [ebpf] tcp map: 13 active items
[2022-12-21 16:05:33]  DBG  [ebpf] tcp6 map: 2 active items
[2022-12-21 16:05:33]  DBG  [ebpf] udp map: 373 active items
[2022-12-21 16:05:33]  DBG  [ebpf] udp6 map: 475 active items
[2022-12-21 16:05:33]  WAR  nftables: error applying changes: Receive: netlink receive: no such file or directory
[2022-12-21 16:05:33]  ERR  Error while running DNS nftables rule: Error adding DNS interception rules
[2022-12-21 16:05:33]  DBG  [eBPF exit event] -> 96454
[2022-12-21 16:05:33]  DBG  [eBPF exit event inCache] -> 96454
[2022-12-21 16:05:33]  DBG  [eBPF exit event] -> 96563
[2022-12-21 16:05:33]  DBG  [eBPF exit event] -> 7079
[2022-12-21 16:05:33]  DBG  [eBPF exit event] -> 7079
[2022-12-21 16:05:34]  DBG  [eBPF exit event] -> 6927

gustavo-iniguez-goya commented 1 year ago

Hi @cthulhubuddha ,

I've only reproduced this issue on Ubuntu 16. Could you post the output of $ nft list ruleset ?

Do you have another firewall configured? firewalld or ufw?

cthulhubuddha commented 1 year ago

Ah, yep, UFW is running. Happy to securely send my ruleset somewhere, would prefer not to disclose it on a forum. Is opensnitch using ufw, and if so, if I manually disable the instance I enabled prior to installing opensnitch, will that break opensnitch?

gustavo-iniguez-goya commented 1 year ago

you can email me the rules + the log opensnitchd.log: gusi.xx [a] protonmail.com

For now, set Firewall option to "iptables" in /etc/opensnitchd/default-config.json, that should silence those logs.

Is opensnitch using ufw and if so if i manually disable the instance i enabled prior to installing opensnitch will that break opensnitch?

No, we don't use ufw. If the Firewall option is "iptables" we use the iptables binary to add the rules, and if it's "nftables" we add the rules directly to the kernel.

cthulhubuddha commented 1 year ago

A couple of updates in testing back and forth between iptables and nftables. When nftables is used the issue does not occur when the GUI is first opened. However, if you disable opensnitch in the GUI and then re-enable it, the errors start appearing (again, every 15 seconds).

When using iptables the errors do not occur, as expected above. Happy to help you troubleshoot it, but it looks like it is not related to the actual problem I am troubleshooting (the list of domains not working); I'll open a separate issue for that.

gustavo-iniguez-goya commented 1 year ago

Thank you @cthulhubuddha !

if you disable opensnitch in the gui and then re-enable it, the errors start appearing

I'll try to reproduce it this way :+1:

Yes please, open a new issue. Things to look for in the logs regarding the domains list: https://github.com/evilsocket/opensnitch/wiki/block-lists#troubleshooting

If a domain is blocked by a list, it'll appear in the logs like this:

[2022-12-21 19:18:37]  DBG  domain list match: geo.yahoo.com, /etc/opensnitchd/blocklists/domains/xxx/1hosts.tx
[2022-12-21 19:18:37]  DBG  ✘ /usr/lib/firefox-esr/firefox-esr, 33434:192.168.1.101 -> geo.yahoo.com:53 (000-block-domains)

A basic test would be to add www.example.org to a new list: 127.0.0.1 www.example.org

Create a new rule with name: 000-domain-list-test , check [x] Priority rule and [x] Reject, (*) Always

Verify that the list has been loaded:

[2022-12-21 19:31:19]  INF  monitor lists started: /tmp/list
[2022-12-21 19:31:19]  INF  clearing domains lists: 0 - /tmp/list
[2022-12-21 19:31:19]  INF  lists monitor stopped
[2022-12-21 19:31:19]  DBG  Loading domains list: /tmp/list/test-list.txt, size: 26
[2022-12-21 19:31:19]  INF  1 domains loaded, /tmp/list/test-list.txt
[2022-12-21 19:31:19]  INF  1 lists loaded, 1 domains, 0 duplicated

And see if it's blocked from the command line:

$ curl https://www.example.org
curl: (6) Could not resolve host: www.example.org

opensnitchd.log:

[2022-12-21 19:32:42]  DBG  new connection udp => 41235:192.168.1.101 -> 9.9.9.9:53 uid: 117
[2022-12-21 19:32:42]  DBG  [ebpf conn] not in cache, but in execEvents: udp41235192.168.1.1019.9.9.953, 1426481 -> /lib/systemd/systemd-resolved
[2022-12-21 19:32:42]  DBG  [ebpf conn] adding item to cache: udp41235192.168.1.1019.9.9.953
[2022-12-21 19:32:42]  DBG  domain list match: www.example.org, /tmp/list/test-list.txt
[2022-12-21 19:32:42]  DBG  ✘ /lib/systemd/systemd-resolved, 41235:192.168.1.101 -> www.example.org:53 (000-aaa)

(use ping, curl or wget to test it. firefox, chrome and other apps work in a different way)

Also try stopping systemd-resolved and changing the /etc/resolv.conf nameservers to point to 9.9.9.9, 1.1.1.1, etc. We had problems with systemd-resolved in the past, but as far as I can tell, it seems to work fine now.
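Both checks discussed in this thread (the netlink warning in the first post that repeats every 15 seconds, and the blocklist verification steps in the reply above) come down to reading opensnitchd.log carefully. The following script is an added example, not part of OpenSnitch or of this issue: it parses log lines in the format shown above, reports WAR/ERR messages that recur at a fixed interval, parses a hosts-format list like the one suggested (`127.0.0.1 www.example.org`), and confirms from the log that the list was loaded and that a lookup for the domain was rejected. The log samples embedded in it are constructed for the example, modelled on the lines quoted in this thread.

```python
"""Added example: check opensnitchd.log for recurring errors and blocklist hits.

Not OpenSnitch code. The log lines and list contents below are constructed
samples shaped like the ones quoted in this issue.
"""
import re
from collections import defaultdict
from datetime import datetime

# opensnitchd.log line shape: "[YYYY-MM-DD HH:MM:SS]  LVL  message"
LINE_RE = re.compile(r"^\[(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\]\s+(\w{3})\s+(.*)$")

# Constructed sample: the netlink warning repeating on a 15-second cadence.
NETLINK_LOG = """\
[2022-12-21 16:05:33]  WAR  nftables: error applying changes: Receive: netlink receive: no such file or directory
[2022-12-21 16:05:33]  ERR  Error while running DNS nftables rule: Error adding DNS interception rules
[2022-12-21 16:05:38]  DBG  [ebpf] tcp map: 13 active items
[2022-12-21 16:05:48]  WAR  nftables: error applying changes: Receive: netlink receive: no such file or directory
[2022-12-21 16:06:03]  WAR  nftables: error applying changes: Receive: netlink receive: no such file or directory
[2022-12-21 16:06:18]  WAR  nftables: error applying changes: Receive: netlink receive: no such file or directory
"""

# Constructed sample: the blocklist test from the thread (list loaded, lookup rejected).
BLOCKLIST_LOG = """\
[2022-12-21 19:31:19]  DBG  Loading domains list: /tmp/list/test-list.txt, size: 26
[2022-12-21 19:31:19]  INF  1 domains loaded, /tmp/list/test-list.txt
[2022-12-21 19:31:19]  INF  1 lists loaded, 1 domains, 0 duplicated
[2022-12-21 19:32:42]  DBG  new connection udp => 41235:192.168.1.101 -> 9.9.9.9:53 uid: 117
[2022-12-21 19:32:42]  DBG  domain list match: www.example.org, /tmp/list/test-list.txt
[2022-12-21 19:32:42]  DBG  ✘ /lib/systemd/systemd-resolved, 41235:192.168.1.101 -> www.example.org:53 (000-domain-list-test)
"""

# Constructed hosts-format list, as suggested in the thread.
TEST_LIST = "# test list\n127.0.0.1 www.example.org\n"


def parse_line(line):
    """Return (timestamp, level, message) for one log line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S"), m.group(2), m.group(3)


def parse_log(text):
    return [e for e in (parse_line(l) for l in text.splitlines()) if e]


def recurring_errors(entries, levels=("WAR", "ERR"), min_count=3):
    """Map each WAR/ERR message seen at least min_count times to its median gap in seconds.

    A stable gap (15.0 here) points at a periodic re-check failing, not a one-off."""
    stamps_by_msg = defaultdict(list)
    for ts, lvl, msg in entries:
        if lvl in levels:
            stamps_by_msg[msg].append(ts)
    result = {}
    for msg, stamps in stamps_by_msg.items():
        if len(stamps) < min_count:
            continue
        stamps.sort()
        gaps = sorted((b - a).total_seconds() for a, b in zip(stamps, stamps[1:]))
        result[msg] = gaps[len(gaps) // 2]
    return result


def load_hosts_list(text):
    """Parse a hosts-format blocklist into a set of lowercase domains; skips comments and blanks."""
    domains = set()
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        parts = line.split()
        if len(parts) >= 2 and parts[0] in ("0.0.0.0", "127.0.0.1"):
            domains.update(d.lower() for d in parts[1:])
    return domains


def list_loaded(entries, path):
    """Return the domain count the log reports for `path`, or None if no load line was seen."""
    rx = re.compile(r"^(\d+) domains loaded, " + re.escape(path) + r"$")
    for _, _, msg in entries:
        m = rx.match(msg)
        if m:
            return int(m.group(1))
    return None


def domain_blocked(entries, domain):
    """True if a 'domain list match' for `domain` is followed by a rejected (✘) DNS line naming it."""
    matched = False
    for _, _, msg in entries:
        if msg.startswith("domain list match: " + domain + ","):
            matched = True
        elif matched and msg.startswith("✘") and ("-> " + domain + ":") in msg:
            return True
    return False


if __name__ == "__main__":
    for msg, gap in recurring_errors(parse_log(NETLINK_LOG)).items():
        print("recurring every %.0fs: %s" % (gap, msg))
    entries = parse_log(BLOCKLIST_LOG)
    print("list domains:", load_hosts_list(TEST_LIST))
    print("loaded:", list_loaded(entries, "/tmp/list/test-list.txt"))
    print("blocked:", domain_blocked(entries, "www.example.org"))
```

Run it against a real `/var/log/opensnitchd.log` by replacing the embedded samples with the file's contents; a message that comes back from `recurring_errors` with a steady 15-second gap is the symptom reported here, while `list_loaded` returning `None` or `domain_blocked` returning `False` narrows a non-working list down to either the load step or the match step.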

gustavo-iniguez-goya commented 1 year ago

if you disable opensnitch in the gui and then re-enable it, the errors start appearing

I'll try to reproduce it this way +1

Reproduced. I'll try to fix it.

gustavo-iniguez-goya commented 1 year ago

OK, I think this issue is fixed. I need to test it on more systems (Ubuntu 16), but at least it solves the problem on PopOS! 22 and works as expected on Debian Sid.

Thank you for reporting this problem @cthulhubuddha !

gustavo-iniguez-goya commented 1 year ago

New version released with this fix: https://github.com/evilsocket/opensnitch/releases/tag/v1.6.0-rc.4