evilsocket / opensnitch

OpenSnitch is a GNU/Linux interactive application firewall inspired by Little Snitch.
GNU General Public License v3.0

1.6.0rc3: Outgoing ping blocked when GUI running #789

Closed fmyhr closed 1 year ago

fmyhr commented 1 year ago

Hi,

I'm running OpenSnitch 1.6.0rc3 on Kubuntu 22.04 (KDE, kernel 5.15.0-56-generic #62-Ubuntu x86_64) with eBPF. Working well, except I noticed today that outgoing ping is blocked. If I quit the GUI, then outgoing ping works.

Edit: Ping also works when I keep the GUI running but click the pause button so that Status is Disabled.

Found a few similar earlier bug reports, but nothing that seems to apply to 1.6.0rc3...?

Thanks, Frank

gustavo-iniguez-goya commented 1 year ago

Hi Frank!

I added support to intercept ICMP packets, so maybe the daemon is blocking it. Could you set log level to DEBUG, and filter by icmp to verify that it's intercepting?

```
$ tail -f /var/log/opensnitchd.log | grep -i icmp
new connection icmp => 0:192.168.1.104 -> 1.1.1.1:0 uid: 0
(...)
[0] PID found 123456
```

Anyway, by default you should have 2 fw rules to bypass interception and allow ICMP. They should be under Rules tab -> System Rules -> mangle-inet -> icmp type echo-request / icmp type echo-reply

```
$ sudo nft list ruleset | grep -i icmp
                icmp type { echo-reply, echo-request } accept
                icmpv6 type { echo-request, echo-reply } accept
```

fmyhr commented 1 year ago

Hi Gustavo,

Thank you for replying so quickly with things to try.

The GUI shows the two Allow ICMP rules but I think they don't matter because I'm running with the OpenSnitch System Firewall off. I configure nft firewall using separate scripts. Sorry, I should have mentioned that before. Temporarily enabling the OpenSnitch System Firewall doesn't help.

Dumping nft ruleset with OpenSnitch disabled and then enabled (with System Firewall off) and diff-ing:

```diff
 table inet mangle {
+       chain output {
+               type route hook output priority mangle; policy accept;
+               ct state related,new queue flags bypass to 0
+       }
 }
 table inet filter {
+       chain input {
+               type filter hook input priority filter; policy accept;
+               udp sport 53 queue flags bypass to 0
+       }
 }
```

With OpenSnitch disabled outgoing ping works fine. With OpenSnitch enabled, Wireshark doesn't see any outgoing pings leaving the interface. UDP and TCP connections work as usual. Given the above mangle output chain, it looks to me like ICMP is getting eaten/dropped somewhere in userspace listening on netlink queue 0. And when nothing is listening on queue 0 (when OpenSnitch is disabled) the bypass rule lets ICMP (and everything else) through to the rest of the nft firewall.

Setting log level to DEBUG the following repeats every 5s, but otherwise I see nothing correlated with attempts to ping:

```
[2023-01-03 16:32:36]  DBG  [ebpf] tcp map: 2 active items
[2023-01-03 16:32:36]  DBG  [ebpf] tcp6 map: 0 active items
[2023-01-03 16:32:36]  DBG  [ebpf] udp map: 314 active items
[2023-01-03 16:32:36]  DBG  [ebpf] udp6 map: 0 active items
[2023-01-03 16:32:37]  DBG  eBPF error in dumping TCPv6 sockets via netlink: Warning, no message nor error from netlink, or no connections found
[2023-01-03 16:32:38]  DBG  eBPF error in dumping TCPv6 sockets via netlink: Warning, no message nor error from netlink, or no connections found
[2023-01-03 16:32:39]  DBG  eBPF error in dumping TCPv6 sockets via netlink: Warning, no message nor error from netlink, or no connections found
[2023-01-03 16:32:40]  DBG  eBPF error in dumping TCPv6 sockets via netlink: Warning, no message nor error from netlink, or no connections found
[2023-01-03 16:32:41]  DBG  eBPF error in dumping TCPv6 sockets via netlink: Warning, no message nor error from netlink, or no connections found
```

(I've disabled IPv6 on this host.)

Thanks for your help! Frank

gustavo-iniguez-goya commented 1 year ago

oops, I was wrong. Support for ICMP was added after v1.6.0rc3. For now, you'll have to insert rules to nftables to exclude ICMP from being intercepted, to mangle table -> chain output:

```
$ sudo nft insert rule inet mangle output icmp type { echo-reply, echo-request } accept
```

It's time for a new release.
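Rule order is what makes this workaround work: `queue` is a terminal verdict, so once a packet in the mangle output chain is handed to userspace on queue 0, no later rule in that chain is evaluated for it. `nft insert rule` prepends the accept rule, whereas `nft add rule` would append it after the queue rule, where it never matches while opensnitchd is listening. The following is an added example (my code, not part of OpenSnitch) that parses `nft list ruleset` text and classifies the mangle/output chain accordingly; it recognises both the `icmp type ... accept` and the `meta l4proto icmp accept` forms, and the two rulesets it carries are constructed, not captured from the reporter's machine.

```python
import re
import shutil
import subprocess
from typing import List, Optional

# Constructed `nft list ruleset` excerpt (not captured from the reporter's
# host): the ICMP accept rule prepended with `nft insert rule`, so it sits
# in front of OpenSnitch's queue rule.
GOOD_RULESET = """\
table inet mangle {
        chain output {
                type route hook output priority mangle; policy accept;
                icmp type { echo-reply, echo-request } accept
                ct state related,new queue flags bypass to 0
        }
}
table inet filter {
        chain input {
                type filter hook input priority filter; policy accept;
                udp sport 53 queue flags bypass to 0
        }
}
"""

# Same chain, but with the accept rule appended (`nft add rule`): it now
# follows the terminal `queue` verdict and is never reached while a daemon
# listens on queue 0.
BAD_RULESET = GOOD_RULESET.replace(
    "                icmp type { echo-reply, echo-request } accept\n"
    "                ct state related,new queue flags bypass to 0\n",
    "                ct state related,new queue flags bypass to 0\n"
    "                icmp type { echo-reply, echo-request } accept\n",
)

QUEUE_RE = re.compile(r"\bqueue\b")
ICMP_ACCEPT_RE = re.compile(r"^(meta l4proto icmp|icmp type\b).*\baccept$")


def chain_rules(ruleset: str, table: str, chain: str) -> Optional[List[str]]:
    """Return the rules of `chain` in `table` ("<family> <name>"), in order.

    Returns None when the table or chain is absent. The chain declaration
    line (`type ... hook ...`) is not a rule and is skipped.
    """
    in_table = in_chain = False
    depth = 0
    rules: List[str] = []
    for raw in ruleset.splitlines():
        line = raw.strip()
        if not line:
            continue
        if not in_table:
            if line == f"table {table} {{":
                in_table, depth = True, 1
            continue
        if in_chain:
            if line == "}":
                return rules
            if line.startswith("type ") and " hook " in line:
                continue
            rules.append(line)
            continue
        if line == f"chain {chain} {{":
            in_chain = True
        elif line.endswith("{"):
            depth += 1            # some other chain, set or map in this table
        elif line == "}":
            depth -= 1
            if depth == 0:
                return None       # table closed without the wanted chain
    return None


def check_icmp_exclusion(rules: Optional[List[str]]) -> str:
    """Classify whether ICMP escapes the queue verdict in this chain.

    "ok"        an ICMP accept rule precedes the first queue rule
    "shadowed"  an ICMP accept rule exists but comes after the queue rule
    "missing"   packets are queued and no ICMP accept rule exists
    "no-queue"  nothing is queued here (daemon stopped or chain absent)
    """
    rules = rules or []
    queue_at = next((i for i, r in enumerate(rules) if QUEUE_RE.search(r)), None)
    accept_at = next((i for i, r in enumerate(rules) if ICMP_ACCEPT_RE.match(r)), None)
    if queue_at is None:
        return "no-queue"
    if accept_at is None:
        return "missing"
    return "ok" if accept_at < queue_at else "shadowed"


def check_live() -> str:
    """Run the check against this host's ruleset (needs root and nft)."""
    if shutil.which("nft") is None:
        return "nft not installed"
    proc = subprocess.run(["nft", "list", "ruleset"], capture_output=True, text=True)
    if proc.returncode != 0:
        return f"nft failed: {proc.stderr.strip()}"
    return check_icmp_exclusion(chain_rules(proc.stdout, "inet mangle", "output"))


if __name__ == "__main__":
    print(check_live())
```

Running the script as root on a host where the workaround was applied with `nft add` instead of `nft insert` reports `shadowed`, which is the state that still breaks ping despite the rule being present in the listing.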

fmyhr commented 1 year ago

That's a good work-around for now. Thanks!

gustavo-iniguez-goya commented 1 year ago

I've just realized that we'll need to add a kernel hook to intercept ICMP. Relying on finding it via netlink is not enough on some kernels.

fmyhr commented 1 year ago

Thought I'd note an even easier work-around for now:

```
cp -a /lib/systemd/system/opensnitch.service /etc/systemd/system
```

Edit /etc/systemd/system/opensnitch.service, add the following line, and save:

```
# runs after opensnitchd has been started
ExecStartPost=nft insert rule inet mangle output meta l4proto icmp accept
```

Then:

```
systemctl daemon-reload
systemctl restart opensnitch
```

gustavo-iniguez-goya commented 1 year ago

I've released a new version that adds support for intercepting ICMP: https://github.com/evilsocket/opensnitch/releases/tag/v1.6.0-rc.4

It doesn't always work due to several factors, until I add it to eBPF, but maybe it works for you (at least on ubuntu 22, kernel 5.19 works)

gustavo-iniguez-goya commented 1 year ago

just for the record:

On newer kernels, ping doesn't use raw sockets to send ICMP packets, it uses SOCK_DGRAM, so that's why querying the kernel for RAW connections doesn't return the connections.

```c
/* ping's socket calls on newer kernels (datagram, not raw) */
socket(AF_INET, SOCK_DGRAM, IPPROTO_ICMP)
socket(AF_INET, SOCK_DGRAM, IPPROTO_IP)
```

https://lwn.net/Articles/443051/
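The practical consequence for anyone trying to attribute ICMP traffic to a process: a SOCK_DGRAM ping socket is hashed into the kernel's ping table and listed in /proc/net/icmp, and it never appears in /proc/net/raw, so a lookup that only consults raw sockets (or inet_diag for IPPROTO_RAW) comes back empty. The following is an added example, my code rather than OpenSnitch's, that parses both tables (the layout is the same as /proc/net/udp) and reports which one lists a given socket inode; the sample tables are constructed, and `demo_live()` opens such a socket on the running host and checks for real. Creating the socket requires net.ipv4.ping_group_range to include the caller's group, and the example reports the error instead of failing when it does not.

```python
import os
import socket
import struct
from typing import Dict, List, Optional

# Constructed /proc/net/icmp contents (not captured from the reporter's host).
# For a ping socket the local "port" is its ICMP echo identifier (0x0F27 here).
SAMPLE_PROC_NET_ICMP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode ref pointer drops
   0: 00000000:0F27 00000000:0000 07 00000000:00000000 00:00000000 00000000  1000        0 123456 2 0000000000000000 0
"""

# Constructed /proc/net/raw with no sockets: a SOCK_DGRAM/IPPROTO_ICMP socket
# is never listed here, only SOCK_RAW sockets are.
SAMPLE_PROC_NET_RAW = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode ref pointer drops
"""


def hex_ipv4(h: str) -> str:
    """Decode the %08X address /proc prints ("0100007F" -> "127.0.0.1").

    The kernel formats the address as a native-order integer, so packing it
    back in native order restores the network-order bytes.
    """
    return socket.inet_ntoa(struct.pack("=I", int(h, 16)))


def parse_inet_table(text: str) -> List[Dict[str, object]]:
    """Parse a /proc/net/{icmp,raw,udp} table into one dict per socket."""
    entries: List[Dict[str, object]] = []
    for line in text.splitlines()[1:]:          # first line is the column header
        f = line.split()
        if len(f) < 10:
            continue
        laddr, lport = f[1].split(":")
        raddr, rport = f[2].split(":")
        entries.append({
            "local": (hex_ipv4(laddr), int(lport, 16)),
            "remote": (hex_ipv4(raddr), int(rport, 16)),
            "state": int(f[3], 16),
            "uid": int(f[7]),
            "inode": int(f[9]),
        })
    return entries


def locate_socket(inode: int, tables: Dict[str, str]) -> Optional[str]:
    """Return the name of the first table in `tables` that lists `inode`."""
    for name, text in tables.items():
        if any(e["inode"] == inode for e in parse_inet_table(text)):
            return name
    return None


def demo_live() -> str:
    """Open a ping socket the way modern ping does and see where the kernel lists it."""
    try:
        s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM, socket.IPPROTO_ICMP)
    except OSError as exc:                      # EACCES when ping_group_range excludes us
        return f"ping socket unavailable: {exc}"
    with s:
        s.bind(("0.0.0.0", 0))                  # assigns the ICMP identifier and hashes the socket
        inode = os.fstat(s.fileno()).st_ino     # the inode number the /proc/net tables show
        tables: Dict[str, str] = {}
        for name in ("raw", "icmp"):
            try:
                with open(f"/proc/net/{name}") as fh:
                    tables[name] = fh.read()
            except OSError:
                pass
        return f"inode {inode} listed in /proc/net/{locate_socket(inode, tables)}"


if __name__ == "__main__":
    print(demo_live())
```

On a host that permits ping sockets, the live check reports the inode under /proc/net/icmp; resolving that inode back to a PID is then the usual walk over /proc/*/fd socket links, the same step the daemon already performs for TCP and UDP.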

fmyhr commented 1 year ago

Thanks for new RC, the explanation, and LWN link!