Occasionally it complains about packets inside a netns, although not configured to.

planetoryd commented 1 year ago

Include the following information:

1.6.0rc5
- Version Ubuntu 23.04
- Window Manager kde
- Kernel version: Linux 6.2.0-20-generic SMP PREEMPT_DYNAMIC Thu Apr 6 07:48:48 UTC 2023 x86_64 x86_64 x86_64 GNU/Linux

Occasionally it intercepts packets inside a netns.

I manually nsentered the process according to its reported PID, and checked that it's inside the netns.

I don't know why It would intercept the DNS request inside the netns. I didn't configure it to catch netns traffic. It should NOT.

The DNS inside netns is handled by Adguard/dnsproxy, and it just sends the request to upstream like 8.8.8.8.

time,node,action,protocol,src_ip,src_port,dst_ip,dst_host,dst_port,uid,pid,process,process_args,process_cwd,rule
2023-06-03 13:11:17.277406,unix:/local,deny,udp,127.0.0.1,39906,127.0.0.53,ajax.aspnetcdn.com,53,1000,10198,/space/Apps/mullvad-browser/Browser/mullvadbrowser.real,./mullvadbrowser.real --class Mullvad Browser --name Mullvad Browser -p base_p,/space/Apps/mullvad-browser/Browser,deny-once-list-space-apps-mullvad-browser-browser-mullvadbrowser-real-ajax-aspnetcdn-com

time	node	action	protocol	src_ip	src_port	dst_ip	dst_host	dst_port	uid	pid	process	process_args	process_cwd	rule
2023-06-03 13:11:17.277406	unix:/local	deny	udp	127.0.0.1	39906	127.0.0.53	ajax.aspnetcdn.com	53	1000	10198	/space/Apps/mullvad-browser/Browser/mullvadbrowser.real	./mullvadbrowser.real --class Mullvad Browser --name Mullvad Browser -p base_p	/space/Apps/mullvad-browser/Browser	deny-once-list-space-apps-mullvad-browser-browser-mullvadbrowser-real-ajax-aspnetcdn-com

process is checked to be inside netns by sudo nsenter --target 10198 --net fish. output of ip link

1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: s_tun: <POINTOPOINT,MULTICAST,NOARP,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP mode DEFAULT group default qlen 500
    link/none 
8: base_p_vn@if9: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP mode DEFAULT group default qlen 1000
    link/ether de:89:fa:b5:10:34 brd ff:ff:ff:ff:ff:ff link-netnsid 0

netns is configured by https://github.com/planetoryd/netns-proxy

the only traffic that goes out should be the connection to socks proxy. no other stuff should go out, though not blackholed by firewall for now. the netns has default route to TUN.

gustavo-iniguez-goya commented 1 year ago

I need logs in DEBUG LogLevel. Try to reproduce it and post the logs when this behaviour occurs please.

Since your use case is a bit special, I recommend you, please, to set it always to DEBUG, so you can post the logs when something not expected occurs.

Otherwise it's impossible to analyze the problems.

I don't know why It would intercept the DNS request inside the netns. I didn't configure it to catch netns traffic. It should NOT.

From our point of view it doesn't matter if a connection is originated from a namespace or the host, netfilter redirects us the packets and we decide what to do with them, even if it's a localhost2localhost connection. If you don't want to intercept those connections create a rule to exclude them.

planetoryd commented 1 year ago

filtered the raw log by grep "ajax.aspnetcdn.com" ./opensnitchd.log.1 > ajax and located the rule-add in this file

[2023-06-03 05:10:02]  DBG  new connection udp => 39906:127.0.0.1 -> 127.0.0.53 (ajax.aspnetcdn.com):53 uid: 1000
[2023-06-03 05:10:02]  DBG  new connection udp => 39906:127.0.0.1 -> 127.0.0.53 (ajax.aspnetcdn.com):53 uid: 1000
[2023-06-03 05:10:05]  DBG  new connection udp => 39906:127.0.0.1 -> 127.0.0.53 (ajax.aspnetcdn.com):53 uid: 1000
[2023-06-03 05:10:05]  DBG  new connection udp => 39906:127.0.0.1 -> 127.0.0.53 (ajax.aspnetcdn.com):53 uid: 1000
[2023-06-03 05:11:17]  IMP  Added new rule: deny if list is '[{"type": "simple", "operand": "dest.host", "data": "ajax.aspnetcdn.com"}, {"type": "simple", "operand": "process.path", "data": "/space/Apps/mullvad-browser/Browser/mullvadbrowser.real"}]'
[2023-06-03 05:11:17]  DBG  ✘ /space/Apps/mullvad-browser/Browser/mullvadbrowser.real -> ajax.aspnetcdn.com:53 (deny-once-list-space-apps-mullvad-browser-browser-mullvadbrowser-real-ajax-aspnetcdn-com)

filtered the raw log by grep "39906" ./opensnitchd.log.1 -C 5. some are omitted but the rest are consecutive lines

[2023-06-03 05:10:02]  DBG  new connection udp => 39906:127.0.0.1 -> 127.0.0.53 (ajax.aspnetcdn.com):53 uid: 1000
[2023-06-03 05:10:02]  DBG  [ebpf conn] not in cache, NOR in execEvents: udp39906127.0.0.1127.0.0.5353, 10198 -> /space/Apps/mullvad-browser/Browser/mullvadbrowser.real
[2023-06-03 05:10:02]  DBG  [ebpf conn] adding item to cache: udp39906127.0.0.1127.0.0.5353
[2023-06-03 05:10:02]  DBG  new connection udp => 39906:127.0.0.1 -> 127.0.0.53 (ajax.aspnetcdn.com):53 uid: 1000
[2023-06-03 05:10:02]  DBG  [ebpf conn] in cache: udp39906127.0.0.1127.0.0.5353, 10198 -> /space/Apps/mullvad-browser/Browser/mullvadbrowser.real
[2023-06-03 05:10:02]  DBG  UI is not running or busy, connected: true, running: true
--
[2023-06-03 05:10:05]  DBG  new connection udp => 39906:127.0.0.1 -> 127.0.0.53 (ajax.aspnetcdn.com):53 uid: 1000
[2023-06-03 05:10:05]  DBG  [ebpf conn] in cache: udp39906127.0.0.1127.0.0.5353, 10198 -> /space/Apps/mullvad-browser/Browser/mullvadbrowser.real
[2023-06-03 05:10:05]  DBG  UI is not running or busy, connected: true, running: true
[2023-06-03 05:10:05]  DBG  new connection udp => 39906:127.0.0.1 -> 127.0.0.53 (ajax.aspnetcdn.com):53 uid: 1000
[2023-06-03 05:10:05]  DBG  [ebpf conn] in cache: udp39906127.0.0.1127.0.0.5353, 10198 -> /space/Apps/mullvad-browser/Browser/mullvadbrowser.real
[2023-06-03 05:10:05]  DBG  UI is not running or busy, connected: true, running: true
--

filtered by grep "mullvad" ./opensnitchd.log.1

[2023-06-03 03:34:39]  DBG  [eBPF exec event] ppid: 4294967295, pid: 621651, /space/Apps/mullvad-browser/Browser/mullvadbrowser.real -> [/space/Apps/mullvad-browser/Browser/mullvadbrowser.real -contentproc -childID 176 -isForBrowser -prefsLen 28500 -prefMapSize 221613 -jsInitLen 277276 -parentBuildID 20230702070101 -appDir /space/Apps/mullvad-browser/Browser/browser 10198 tab]
[2023-06-03 03:35:13]  DBG  [eBPF exec event] ppid: 4294967295, pid: 621721, /space/Apps/mullvad-browser/Browser/mullvadbrowser.real -> [/space/Apps/mullvad-browser/Browser/mullvadbrowser.real -contentproc -childID 177 -isForBrowser -prefsLen 28500 -prefMapSize 221613 -jsInitLen 277276 -parentBuildID 20230702070101 -appDir /space/Apps/mullvad-browser/Browser/browser 10198 tab]
[2023-06-03 03:35:19]  DBG  [eBPF exec event] ppid: 4294967295, pid: 621764, /space/Apps/mullvad-browser/Browser/mullvadbrowser.real -> [/space/Apps/mullvad-browser/Browser/mullvadbrowser.real -contentproc -childID 178 -isForBrowser -prefsLen 28500 -prefMapSize 221613 -jsInitLen 277276 -parentBuildID 20230702070101 -appDir /space/Apps/mullvad-browser/Browser/browser 10198 tab]
[2023-06-03 03:36:46]  DBG  [eBPF exec event] ppid: 4294967295, pid: 621841, /space/Apps/mullvad-browser/Browser/mullvadbrowser.real -> [/space/Apps/mullvad-browser/Browser/mullvadbrowser.real -contentproc -childID 179 -isForBrowser -prefsLen 28500 -prefMapSize 221613 -jsInitLen 277276 -parentBuildID 20230702070101 -appDir /space/Apps/mullvad-browser/Browser/browser 10198 tab]
[2023-06-03 03:36:56]  DBG  [eBPF exec event] ppid: 4294967295, pid: 621883, /space/Apps/mullvad-browser/Browser/mullvadbrowser.real -> [/space/Apps/mullvad-browser/Browser/mullvadbrowser.real -contentproc -childID 180 -isForBrowser -prefsLen 28500 -prefMapSize 221613 -jsInitLen 277276 -parentBuildID 20230702070101 -appDir /space/Apps/mullvad-browser/Browser/browser 10198 tab]
[2023-06-03 03:37:11]  DBG  [eBPF exec event] ppid: 4294967295, pid: 621923, /space/Apps/mullvad-browser/Browser/mullvadbrowser.real -> [/space/Apps/mullvad-browser/Browser/mullvadbrowser.real -contentproc -childID 181 -isForBrowser -prefsLen 28500 -prefMapSize 221613 -jsInitLen 277276 -parentBuildID 20230702070101 -appDir /space/Apps/mullvad-browser/Browser/browser 10198 tab]
[2023-06-03 03:37:17]  DBG  [eBPF exec event] ppid: 4294967295, pid: 621970, /space/Apps/mullvad-browser/Browser/mullvadbrowser.real -> [/space/Apps/mullvad-browser/Browser/mullvadbrowser.real -contentproc -childID 182 -isForBrowser -prefsLen 28500 -prefMapSize 221613 -jsInitLen 277276 -parentBuildID 20230702070101 -appDir /space/Apps/mullvad-browser/Browser/browser 10198 tab]
[2023-06-03 03:37:20]  DBG  [eBPF exec event] ppid: 4294967295, pid: 622009, /space/Apps/mullvad-browser/Browser/mullvadbrowser.real -> [/space/Apps/mullvad-browser/Browser/mullvadbrowser.real -contentproc -childID 183 -isForBrowser -prefsLen 28500 -prefMapSize 221613 -jsInitLen 277276 -parentBuildID 20230702070101 -appDir /space/Apps/mullvad-browser/Browser/browser 10198 tab]
[2023-06-03 03:37:57]  DBG  [eBPF exec event] ppid: 4294967295, pid: 622067, /space/Apps/mullvad-browser/Browser/mullvadbrowser.real -> [/space/Apps/mullvad-browser/Browser/mullvadbrowser.real -contentproc -childID 184 -isForBrowser -prefsLen 28500 -prefMapSize 221613 -jsInitLen 277276 -parentBuildID 20230702070101 -appDir /space/Apps/mullvad-browser/Browser/browser 10198 tab]
[2023-06-03 03:38:00]  DBG  [eBPF exec event] ppid: 4294967295, pid: 622108, /space/Apps/mullvad-browser/Browser/mullvadbrowser.real -> [/space/Apps/mullvad-browser/Browser/mullvadbrowser.real -contentproc -childID 185 -isForBrowser -prefsLen 28500 -prefMapSize 221613 -jsInitLen 277276 -parentBuildID 20230702070101 -appDir /space/Apps/mullvad-browser/Browser/browser 10198 tab]
[2023-06-03 03:38:03]  DBG  [eBPF exec event] ppid: 4294967295, pid: 622146, /space/Apps/mullvad-browser/Browser/mullvadbrowser.real -> [/space/Apps/mullvad-browser/Browser/mullvadbrowser.real -contentproc -childID 186 -isForBrowser -prefsLen 28500 -prefMapSize 221613 -jsInitLen 277276 -parentBuildID 20230702070101 -appDir /space/Apps/mullvad-browser/Browser/browser 10198 tab]
[2023-06-03 03:38:05]  DBG  [eBPF exec event] ppid: 4294967295, pid: 622184, /space/Apps/mullvad-browser/Browser/mullvadbrowser.real -> [/space/Apps/mullvad-browser/Browser/mullvadbrowser.real -contentproc -childID 187 -isForBrowser -prefsLen 28500 -prefMapSize 221613 -jsInitLen 277276 -parentBuildID 20230702070101 -appDir /space/Apps/mullvad-browser/Browser/browser 10198 tab]
[2023-06-03 03:38:30]  DBG  [eBPF exec event] ppid: 4294967295, pid: 622281, /space/Apps/mullvad-browser/Browser/mullvadbrowser.real -> [/space/Apps/mullvad-browser/Browser/mullvadbrowser.real -contentproc -childID 188 -isForBrowser -prefsLen 28500 -prefMapSize 221613 -jsInitLen 277276 -parentBuildID 20230702070101 -appDir /space/Apps/mullvad-browser/Browser/browser 10198 tab]
[2023-06-03 03:38:52]  DBG  [eBPF exec event] ppid: 4294967295, pid: 622326, /space/Apps/mullvad-browser/Browser/mullvadbrowser.real -> [/space/Apps/mullvad-browser/Browser/mullvadbrowser.real -contentproc -childID 189 -isForBrowser -prefsLen 28500 -prefMapSize 221613 -jsInitLen 277276 -parentBuildID 20230702070101 -appDir /space/Apps/mullvad-browser/Browser/browser 10198 tab]
[2023-06-03 03:38:59]  DBG  [eBPF exec event] ppid: 4294967295, pid: 622371, /space/Apps/mullvad-browser/Browser/mullvadbrowser.real -> [/space/Apps/mullvad-browser/Browser/mullvadbrowser.real -contentproc -childID 190 -isForBrowser -prefsLen 28500 -prefMapSize 221613 -jsInitLen 277276 -parentBuildID 20230702070101 -appDir /space/Apps/mullvad-browser/Browser/browser 10198 tab]
[2023-06-03 03:39:08]  DBG  [eBPF exec event] ppid: 4294967295, pid: 622421, /space/Apps/mullvad-browser/Browser/mullvadbrowser.real -> [/space/Apps/mullvad-browser/Browser/mullvadbrowser.real -contentproc -childID 191 -isForBrowser -prefsLen 28500 -prefMapSize 221613 -jsInitLen 277276 -parentBuildID 20230702070101 -appDir /space/Apps/mullvad-browser/Browser/browser 10198 tab]
[2023-06-03 03:43:02]  DBG  [eBPF exec event] ppid: 4294967295, pid: 622530, /space/Apps/mullvad-browser/Browser/mullvadbrowser.real -> [/space/Apps/mullvad-browser/Browser/mullvadbrowser.real -contentproc -childID 192 -isForBrowser -prefsLen 28500 -prefMapSize 221613 -jsInitLen 277276 -parentBuildID 20230702070101 -appDir /space/Apps/mullvad-browser/Browser/browser 10198 tab]
[2023-06-03 04:34:43]  DBG  [eBPF exec event] ppid: 4294967295, pid: 623375, /space/Apps/mullvad-browser/Browser/mullvadbrowser.real -> [/space/Apps/mullvad-browser/Browser/mullvadbrowser.real -contentproc -childID 193 -isForBrowser -prefsLen 28500 -prefMapSize 221613 -jsInitLen 277276 -parentBuildID 20230702070101 -appDir /space/Apps/mullvad-browser/Browser/browser 10198 tab]
[2023-06-03 04:35:12]  DBG  [eBPF exec event] ppid: 4294967295, pid: 623457, /space/Apps/mullvad-browser/Browser/mullvadbrowser.real -> [/space/Apps/mullvad-browser/Browser/mullvadbrowser.real -contentproc -childID 194 -isForBrowser -prefsLen 28500 -prefMapSize 221613 -jsInitLen 277276 -parentBuildID 20230702070101 -appDir /space/Apps/mullvad-browser/Browser/browser 10198 tab]
[2023-06-03 04:35:15]  DBG  [eBPF exec event] ppid: 4294967295, pid: 623499, /space/Apps/mullvad-browser/Browser/mullvadbrowser.real -> [/space/Apps/mullvad-browser/Browser/mullvadbrowser.real -contentproc -childID 195 -isForBrowser -prefsLen 28500 -prefMapSize 221613 -jsInitLen 277276 -parentBuildID 20230702070101 -appDir /space/Apps/mullvad-browser/Browser/browser 10198 tab]
[2023-06-03 04:35:21]  DBG  [eBPF exec event] ppid: 4294967295, pid: 623536, /space/Apps/mullvad-browser/Browser/mullvadbrowser.real -> [/space/Apps/mullvad-browser/Browser/mullvadbrowser.real -contentproc -childID 196 -isForBrowser -prefsLen 28500 -prefMapSize 221613 -jsInitLen 277276 -parentBuildID 20230702070101 -appDir /space/Apps/mullvad-browser/Browser/browser 10198 tab]
[2023-06-03 04:35:31]  DBG  [eBPF exec event] ppid: 4294967295, pid: 623605, /space/Apps/mullvad-browser/Browser/mullvadbrowser.real -> [/space/Apps/mullvad-browser/Browser/mullvadbrowser.real -contentproc -childID 197 -isForBrowser -prefsLen 28500 -prefMapSize 221613 -jsInitLen 277276 -parentBuildID 20230702070101 -appDir /space/Apps/mullvad-browser/Browser/browser 10198 tab]
[2023-06-03 04:36:08]  DBG  [eBPF exec event] ppid: 4294967295, pid: 623729, /space/Apps/mullvad-browser/Browser/mullvadbrowser.real -> [/space/Apps/mullvad-browser/Browser/mullvadbrowser.real -contentproc -childID 198 -isForBrowser -prefsLen 28500 -prefMapSize 221613 -jsInitLen 277276 -parentBuildID 20230702070101 -appDir /space/Apps/mullvad-browser/Browser/browser 10198 tab]
[2023-06-03 04:41:08]  DBG  [eBPF exec event] ppid: 4294967295, pid: 625980, /space/Apps/mullvad-browser/Browser/mullvadbrowser.real -> [/space/Apps/mullvad-browser/Browser/mullvadbrowser.real -contentproc -childID 199 -isForBrowser -prefsLen 28500 -prefMapSize 221613 -jsInitLen 277276 -parentBuildID 20230702070101 -appDir /space/Apps/mullvad-browser/Browser/browser 10198 tab]
[2023-06-03 04:44:05]  DBG  [eBPF exec event] ppid: 4294967295, pid: 626779, /space/Apps/mullvad-browser/Browser/mullvadbrowser.real -> [/space/Apps/mullvad-browser/Browser/mullvadbrowser.real -contentproc -childID 200 -isForBrowser -prefsLen 28500 -prefMapSize 221613 -jsInitLen 277276 -parentBuildID 20230702070101 -appDir /space/Apps/mullvad-browser/Browser/browser 10198 tab]
[2023-06-03 04:48:47]  DBG  [eBPF exec event] ppid: 4294967295, pid: 628014, /space/Apps/mullvad-browser/Browser/mullvadbrowser.real -> [/space/Apps/mullvad-browser/Browser/mullvadbrowser.real -contentproc -childID 201 -isForBrowser -prefsLen 28500 -prefMapSize 221613 -jsInitLen 277276 -parentBuildID 20230702070101 -appDir /space/Apps/mullvad-browser/Browser/browser 10198 tab]
[2023-06-03 04:49:06]  DBG  [eBPF exec event] ppid: 4294967295, pid: 628085, /space/Apps/mullvad-browser/Browser/mullvadbrowser.real -> [/space/Apps/mullvad-browser/Browser/mullvadbrowser.real -contentproc -childID 202 -isForBrowser -prefsLen 28500 -prefMapSize 221613 -jsInitLen 277276 -parentBuildID 20230702070101 -appDir /space/Apps/mullvad-browser/Browser/browser 10198 tab]
[2023-06-03 05:10:02]  DBG  [ebpf conn] not in cache, NOR in execEvents: udp39906127.0.0.1127.0.0.5353, 10198 -> /space/Apps/mullvad-browser/Browser/mullvadbrowser.real
[2023-06-03 05:10:02]  DBG  [ebpf conn] in cache: udp39906127.0.0.1127.0.0.5353, 10198 -> /space/Apps/mullvad-browser/Browser/mullvadbrowser.real
[2023-06-03 05:10:05]  DBG  [ebpf conn] in cache: udp39906127.0.0.1127.0.0.5353, 10198 -> /space/Apps/mullvad-browser/Browser/mullvadbrowser.real
[2023-06-03 05:10:05]  DBG  [ebpf conn] in cache: udp39906127.0.0.1127.0.0.5353, 10198 -> /space/Apps/mullvad-browser/Browser/mullvadbrowser.real
[2023-06-03 05:11:17]  IMP  Added new rule: deny if list is '[{"type": "simple", "operand": "dest.host", "data": "ajax.aspnetcdn.com"}, {"type": "simple", "operand": "process.path", "data": "/space/Apps/mullvad-browser/Browser/mullvadbrowser.real"}]'
[2023-06-03 05:11:17]  DBG  ✘ /space/Apps/mullvad-browser/Browser/mullvadbrowser.real -> ajax.aspnetcdn.com:53 (deny-once-list-space-apps-mullvad-browser-browser-mullvadbrowser-real-ajax-aspnetcdn-com)
[2023-06-03 05:11:31]  DBG  [eBPF exec event] ppid: 4294967295, pid: 629531, /space/Apps/mullvad-browser/Browser/mullvadbrowser.real -> [/space/Apps/mullvad-browser/Browser/mullvadbrowser.real -contentproc -childID 203 -isForBrowser -prefsLen 28500 -prefMapSize 221613 -jsInitLen 277276 -parentBuildID 20230702070101 -appDir /space/Apps/mullvad-browser/Browser/browser 10198 tab]
[2023-06-03 05:39:02]  DBG  [eBPF exec event] ppid: 4294967295, pid: 631437, /space/Apps/mullvad-browser/Browser/mullvadbrowser.real -> [/space/Apps/mullvad-browser/Browser/mullvadbrowser.real -contentproc -childID 204 -isForBrowser -prefsLen 28500 -prefMapSize 221613 -jsInitLen 277276 -parentBuildID 20230702070101 -appDir /space/Apps/mullvad-browser/Browser/browser 10198 tab]
[2023-06-03 05:42:18]  DBG  [eBPF exec event] ppid: 4294967295, pid: 631737, /space/Apps/mullvad-browser/Browser/mullvadbrowser.real -> [/space/Apps/mullvad-browser/Browser/mullvadbrowser.real -contentproc -childID 205 -isForBrowser -prefsLen 28500 -prefMapSize 221613 -jsInitLen 277276 -parentBuildID 20230702070101 -appDir /space/Apps/mullvad-browser/Browser/browser 10198 tab]
[2023-06-03 05:42:25]  DBG  [eBPF exec event] ppid: 4294967295, pid: 631775, /space/Apps/mullvad-browser/Browser/mullvadbrowser.real -> [/space/Apps/mullvad-browser/Browser/mullvadbrowser.real -contentproc -childID 206 -isForBrowser -prefsLen 28500 -prefMapSize 221613 -jsInitLen 277276 -parentBuildID 20230702070101 -appDir /space/Apps/mullvad-browser/Browser/browser 10198 tab]
[2023-06-03 05:42:53]  DBG  [eBPF exec event] ppid: 4294967295, pid: 631829, /space/Apps/mullvad-browser/Browser/mullvadbrowser.real -> [/space/Apps/mullvad-browser/Browser/mullvadbrowser.real -contentproc -childID 207 -isForBrowser -prefsLen 28500 -prefMapSize 221613 -jsInitLen 277276 -parentBuildID 20230702070101 -appDir /space/Apps/mullvad-browser/Browser/browser 10198 tab]
[2023-06-03 05:42:54]  DBG  [eBPF exec event] ppid: 4294967295, pid: 631877, /space/Apps/mullvad-browser/Browser/mullvadbrowser.real -> [/space/Apps/mullvad-browser/Browser/mullvadbrowser.real -contentproc -childID 208 -isForBrowser -prefsLen 28500 -prefMapSize 221613 -jsInitLen 277276 -parentBuildID 20230702070101 -appDir /space/Apps/mullvad-browser/Browser/browser 10198 tab]
[2023-06-03 05:43:52]  DBG  [eBPF exec event] ppid: 4294967295, pid: 631944, /space/Apps/mullvad-browser/Browser/mullvadbrowser.real -> [/space/Apps/mullvad-browser/Browser/mullvadbrowser.real -contentproc -childID 209 -isForBrowser -prefsLen 28500 -prefMapSize 221613 -jsInitLen 277276 -parentBuildID 20230702070101 -appDir /space/Apps/mullvad-browser/Browser/browser 10198 tab]
[2023-06-03 05:44:11]  DBG  [eBPF exec event] ppid: 4294967295, pid: 631992, /space/Apps/mullvad-browser/Browser/mullvadbrowser.real -> [/space/Apps/mullvad-browser/Browser/mullvadbrowser.real -contentproc -childID 210 -isForBrowser -prefsLen 28500 -prefMapSize 221613 -jsInitLen 277276 -parentBuildID 20230702070101 -appDir /space/Apps/mullvad-browser/Browser/browser 10198 tab]
[2023-06-03 05:49:06]  DBG  [eBPF exec event] ppid: 4294967295, pid: 632235, /space/Apps/mullvad-browser/Browser/mullvadbrowser.real -> [/space/Apps/mullvad-browser/Browser/mullvadbrowser.real -contentproc -childID 211 -isForBrowser -prefsLen 28500 -prefMapSize 221613 -jsInitLen 277276 -parentBuildID 20230702070101 -appDir /space/Apps/mullvad-browser/Browser/browser 10198 tab]
[2023-06-03 05:49:19]  DBG  [eBPF exec event] ppid: 4294967295, pid: 632278, /space/Apps/mullvad-browser/Browser/mullvadbrowser.real -> [/space/Apps/mullvad-browser/Browser/mullvadbrowser.real -contentproc -childID 212 -isForBrowser -prefsLen 28500 -prefMapSize 221613 -jsInitLen 277276 -parentBuildID 20230702070101 -appDir /space/Apps/mullvad-browser/Browser/browser 10198 tab]
[2023-06-03 05:52:55]  DBG  [eBPF exec event] ppid: 4294967295, pid: 632426, /space/Apps/mullvad-browser/Browser/mullvadbrowser.real -> [/space/Apps/mullvad-browser/Browser/mullvadbrowser.real -contentproc -childID 213 -isForBrowser -prefsLen 28500 -prefMapSize 221613 -jsInitLen 277276 -parentBuildID 20230702070101 -appDir /space/Apps/mullvad-browser/Browser/browser 10198 tab]
[2023-06-03 05:52:59]  DBG  [eBPF exec event] ppid: 4294967295, pid: 632498, /space/Apps/mullvad-browser/Browser/mullvadbrowser.real -> [/space/Apps/mullvad-browser/Browser/mullvadbrowser.real -contentproc -childID 214 -isForBrowser -prefsLen 28500 -prefMapSize 221613 -jsInitLen 277276 -parentBuildID 20230702070101 -appDir /space/Apps/mullvad-browser/Browser/browser 10198 tab]
[2023-06-03 05:52:59]  DBG  [eBPF exec event] ppid: 4294967295, pid: 632501, /space/Apps/mullvad-browser/Browser/mullvadbrowser.real -> [/space/Apps/mullvad-browser/Browser/mullvadbrowser.real -contentproc -childID 215 -isForBrowser -prefsLen 28500 -prefMapSize 221613 -jsInitLen 277276 -parentBuildID 20230702070101 -appDir /space/Apps/mullvad-browser/Browser/browser 10198 tab]
[2023-06-03 05:52:59]  DBG  [eBPF exec event] ppid: 4294967295, pid: 632505, /space/Apps/mullvad-browser/Browser/mullvadbrowser.real -> [/space/Apps/mullvad-browser/Browser/mullvadbrowser.real -contentproc -childID 216 -isForBrowser -prefsLen 28500 -prefMapSize 221613 -jsInitLen 277276 -parentBuildID 20230702070101 -appDir /space/Apps/mullvad-browser/Browser/browser 10198 tab]
[2023-06-03 05:53:09]  DBG  [eBPF exec event] ppid: 4294967295, pid: 632603, /space/Apps/mullvad-browser/Browser/mullvadbrowser.real -> [/space/Apps/mullvad-browser/Browser/mullvadbrowser.real -contentproc -childID 217 -isForBrowser -prefsLen 28500 -prefMapSize 221613 -jsInitLen 277276 -parentBuildID 20230702070101 -appDir /space/Apps/mullvad-browser/Browser/browser 10198 tab]
[2023-06-03 05:55:24]  DBG  [eBPF exec event] ppid: 4294967295, pid: 632701, /space/Apps/mullvad-browser/Browser/mullvadbrowser.real -> [/space/Apps/mullvad-browser/Browser/mullvadbrowser.real -contentproc -childID 218 -isForBrowser -prefsLen 28500 -prefMapSize 221613 -jsInitLen 277276 -parentBuildID 20230702070101 -appDir /space/Apps/mullvad-browser/Browser/browser 10198 tab]
[2023-06-03 06:05:09]  DBG  [eBPF exec event] ppid: 4294967295, pid: 633107, /space/Apps/mullvad-browser/Browser/mullvadbrowser.real -> [/space/Apps/mullvad-browser/Browser/mullvadbrowser.real -contentproc -childID 219 -isForBrowser -prefsLen 28500 -prefMapSize 221613 -jsInitLen 277276 -parentBuildID 20230702070101 -appDir /space/Apps/mullvad-browser/Browser/browser 10198 tab]
[2023-06-03 06:11:15]  DBG  [eBPF exec event] ppid: 4294967295, pid: 633585, /space/Apps/mullvad-browser/Browser/mullvadbrowser.real -> [/space/Apps/mullvad-browser/Browser/mullvadbrowser.real -contentproc -childID 220 -isForBrowser -prefsLen 28500 -prefMapSize 221613 -jsInitLen 277276 -parentBuildID 20230702070101 -appDir /space/Apps/mullvad-browser/Browser/browser 10198 tab]
[2023-06-03 06:12:52]  DBG  [eBPF exec event] ppid: 4294967295, pid: 633769, /space/Apps/mullvad-browser/Browser/mullvadbrowser.real -> [/space/Apps/mullvad-browser/Browser/mullvadbrowser.real -contentproc -childID 221 -isForBrowser -prefsLen 28500 -prefMapSize 221613 -jsInitLen 277276 -parentBuildID 20230702070101 -appDir /space/Apps/mullvad-browser/Browser/browser 10198 tab]

note that I only encountered the popup once, until now. I'm using mullvad browser continually.

I noticed there are 21262 EBPF-DNS: Tracking Resolved Messages, nearly all of which are obviously in-netns lookups, but unlike this case they are not prompted.

experiment

I did a dig ajax.aspnetcdn.com in my netns. It succeeded and no popup.

I did the same outside my netns. Popups are shown repeated until I terminated dig.

Can it have a netns label in the popup, to avoid confusion and have better observability ?

evilsocket / opensnitch

Occasionally it complains about packets inside a netns, although not configured to. #957

experiment