From: Petter Reinholdtsen
Date: Tue, 24 Jun 2025 05:47:33 +0000 (+0200)
Subject: opensnitch (1.6.9-3) unstable; urgency=medium
X-Git-Tag: archive/raspbian/1.6.9-3+rpi1^2~7
X-Git-Url: https://dgit.raspbian.org/%22http://www.example.com/cgi/%22/%22http:/www.example.com/cgi/%22?a=commitdiff_plain;h=fdcb8e059ed4b8d931c40338f54a19ef85e63b01;p=opensnitch.git
opensnitch (1.6.9-3) unstable; urgency=medium
* Added python3-packaging as runtime dependency for python3-opensnitch-ui, seem to need it.
* Corrected name of README.sources and updated to reflect new reality.
[dgit import unpatched opensnitch 1.6.9-3]
---
fdcb8e059ed4b8d931c40338f54a19ef85e63b01
diff --cc debian/README.sources
index 0000000,0000000..e5c460b
new file mode 100644
--- /dev/null
+++ b/debian/README.sources
@@@ -1,0 -1,0 +1,18 @@@
++opensnitch for Debian
++---------------------
++
++In order to build the packages from sources using gbp:
++
++ 1. git clone https://salsa.debian.org/go-team/packages/opensnitch.git
++ 2. cd opensnitch/ ; git checkout debian/sid
++ 3. origtargz
++
++ it'll download upstream sources according to the d/changelog
++ version, and the upstream tag if it exists.
++
++ 4. gbp buildpackage --git-tarball-dir=../ --git-no-pristine-tar
++
++ Follow the new debian-go's workflow,
++ https://go-team.pages.debian.net/workflow-changes.html#wf-2017-11-pristine-tar
++
++ -- Petter Reinholdtsen Thu, 15 May 2025 08:39:51 +0200
diff --cc debian/changelog
index 0000000,0000000..bdbcfb6
new file mode 100644
--- /dev/null
+++ b/debian/changelog @@@ -1,0 -1,0 +1,530 @@@ ++opensnitch (1.6.9-3) unstable; urgency=medium ++ ++ * Added python3-packaging as runtime dependency for ++ python3-opensnitch-ui, seem to need it. ++ * Corrected name of README.sources and updated to reflect new ++ reality. ++ ++ -- Petter Reinholdtsen Tue, 24 Jun 2025 07:47:33 +0200 ++ ++opensnitch (1.6.9-2) unstable; urgency=medium ++ ++ * Team upload. ++ ++ * Told lintian to accept EBPF objects in package. ++ ++ -- Petter Reinholdtsen Sat, 03 May 2025 05:50:32 +0200 ++ ++opensnitch (1.6.9-1) experimental; urgency=medium ++ ++ * Team upload. ++ ++ * New upstream release 1.6.9. ++ * Removed upstreamed patches: ++ - 0000-ui-finally-service.patch ++ - 0020-unknown-rules-operator-crash.patch ++ - 0030-daemon-visible-version.patch ++ - 0040-delete-all-generated-protobuffers-with-make-clean.patch ++ - 0050-allow-to-configure-GC-percentage.patch ++ - 0060-make-connections-flushing-configurable.patch ++ ++ -- Petter Reinholdtsen Tue, 29 Apr 2025 07:35:00 +0200 ++ ++opensnitch (1.6.8-11) unstable; urgency=medium ++ ++ * Team upload. ++ ++ * Corrected typo in patch metadata. ++ ++ -- Petter Reinholdtsen Tue, 29 Apr 2025 07:20:39 +0200 ++ ++opensnitch (1.6.8-10) experimental; urgency=medium ++ ++ * Team upload. ++ ++ * Added 1050-ebpf-s390x.patch to fix ebpf build problem on s390x. ++ * Renamed to 0030-daemon-visible-version.patch as this patch ++ is from upstream now. ++ * Removed already dropped 0010-experimental-1.5.9.1.patch. ++ * Added three patches from the upstream 1.6.0 branch. ++ * Changed opensnitch package behaviour to not reset TCP connections on ++ reload (Closes: #1103496). ++ ++ -- Petter Reinholdtsen Sat, 26 Apr 2025 07:45:17 +0200 ++ ++opensnitch (1.6.8-9) experimental; urgency=medium ++ ++ * Team upoad. ++ ++ * Added 2000-apt-not-pip.patch to recommend apt over pip. ++ * Passed patches upstream and introduced patch naming scheme. 
++ * Added 1030-systemd-service-earlier.patch to start service earlier ++ and protect it from kernel OOM killer. ++ * Added 1040-daemon-visible-version.patch to correct visible daemon ++ version. ++ * Added 0020-unknown-rules-operator-crash.patch from upstream. ++ * Added needrestart conf to avoid opensnitch restarts. ++ * Added debian branch name to d/gbp.conf. ++ ++ -- Petter Reinholdtsen Thu, 24 Apr 2025 06:50:04 +0200 ++ ++opensnitch (1.6.8-8) unstable; urgency=medium ++ ++ * Team upload. ++ ++ * Made test-fw-rules.sh autopkgtest check more robust ++ and updated it to only look for nftables. ++ ++ -- Petter Reinholdtsen Fri, 18 Apr 2025 19:46:18 +0200 ++ ++opensnitch (1.6.8-7) unstable; urgency=medium ++ ++ * Team upload. ++ ++ * Upload to unstable. ++ ++ -- Petter Reinholdtsen Fri, 18 Apr 2025 01:32:00 +0200 ++ ++opensnitch (1.6.8-6) experimental; urgency=medium ++ ++ * Team upload. ++ ++ * Replaced uploaders, out with no longer active Gustavo Iñiguez Goya ++ and in with Charles Allhands and myself. ++ * Thank you, Gustavo, for the great initial work with this package. ++ ++ -- Petter Reinholdtsen Fri, 18 Apr 2025 00:38:08 +0200 ++ ++opensnitch (1.6.8-5) experimental; urgency=medium ++ ++ * Team upload. ++ ++ * Revert arch specific build dependency on golang-github-iovisor-gobpf-dev. ++ * Added 1010-ui-finally-service.patch to avoid python error on GUI exit. ++ * New upstream version available (Closes: #1051317). ++ * Uses corrected python regexes (Closes: #1085754). ++ ++ -- Petter Reinholdtsen Thu, 17 Apr 2025 16:34:43 +0200 ++ ++opensnitch (1.6.8-4) experimental; urgency=medium ++ ++ * Team upload. ++ ++ * Corrected linux header package name for armhf. ++ * Limit EBPF support to architectures provided by bpfcc. ++ * Adjusted opensnitch to only recommend opensnitch-ebpf-modules on archs ++ where it exist. ++ * Dropped incorrect runtime dependency on python3-setuptools ++ (Closes: #1095252). 
++ * Dropped obsolete runtime dependency on python3-six (Closes: #1067722). ++ ++ -- Petter Reinholdtsen Thu, 17 Apr 2025 14:45:27 +0200 ++ ++opensnitch (1.6.8-3) experimental; urgency=medium ++ ++ * Team upload. ++ ++ * Switched to using kernel headers from debs, as local header copy ++ only worked on amd64. ++ ++ -- Petter Reinholdtsen Thu, 17 Apr 2025 12:54:58 +0200 ++ ++opensnitch (1.6.8-2) experimental; urgency=medium ++ ++ * Team upload. ++ ++ * Added missing golang-github-varlink-go-dev build dependency. ++ ++ -- Petter Reinholdtsen Thu, 17 Apr 2025 10:55:29 +0200 ++ ++opensnitch (1.6.8-1) experimental; urgency=medium ++ ++ * Team upload. ++ ++ * New upstream release. ++ * Updated Standards-Version from 4.6.2 to 4.7.2. ++ * List protoc-gen-go-1-3 as build depend alternative to protoc-gen-go-1-5 ++ for easier backporting. ++ ++ -- Petter Reinholdtsen Thu, 17 Apr 2025 09:08:49 +0200 ++ ++opensnitch (1.5.9-4) experimental; urgency=medium ++ ++ * Team upload. ++ ++ * Added leftover build dependency protoc-gen-go-1-5. ++ ++ -- Petter Reinholdtsen Tue, 15 Apr 2025 06:18:52 +0200 ++ ++opensnitch (1.5.9-3) experimental; urgency=medium ++ ++ * Team upload. ++ ++ [ Gustavo Iñiguez Goya ] ++ * New upstream release. ++ * d/control: removed kernel headers dependency. ++ ++ [ Petter Reinholdtsen ] ++ * Moved untagged upstream snapshot into 0010-experimental-1.5.9.1.patch. ++ * Adjusted build dependencies to work with current unstable. ++ * Correct roff notation for URLs in man pages. ++ * Renamed obsolete pkg-config build dependency to pkgconf. ++ ++ -- Petter Reinholdtsen Mon, 14 Apr 2025 18:43:07 +0200 ++ ++opensnitch (1.5.9-2) experimental; urgency=medium ++ ++ [ Gustavo Iñiguez Goia ] ++ * d/control: fixed Build-Depends, kernel headers dep ++ * Upload sponsored by Petter Reinholdtsen. ++ ++ -- Gustavo Iñiguez Goya Sat, 10 Jun 2023 00:08:25 +0200 ++ ++opensnitch (1.5.9-1) experimental; urgency=medium ++ ++ * New upstream release. 
++ * d/control: ++ - New package opensnitch-ebpf-modules. ++ * d/man/: ++ - Updated dates. ++ - New page opensnitch-ebpf-modules.1 ++ * Added README.Debian. ++ ++ * Upload sponsored by Petter Reinholdtsen. ++ ++ -- Gustavo Iñiguez Goya Wed, 07 Jun 2023 23:18:40 +0200 ++ ++opensnitch (1.5.8.1-2) unstable; urgency=medium ++ ++ * Team upload ++ * Update Build-Depends from golang-goprotobuf-dev to ++ golang-github-golang-protobuf-1-5-dev ++ ++ -- Mathias Gibbens Fri, 02 Aug 2024 07:08:08 +0000 ++ ++opensnitch (1.5.8.1-1) unstable; urgency=medium ++ ++ * New upstream release. ++ * Upload sponsored by Petter Reinholdtsen. ++ ++ -- Gustavo Iñiguez Goya Mon, 06 Mar 2023 12:37:24 +0100 ++ ++opensnitch (1.5.8-2) unstable; urgency=medium ++ ++ * Upload to unstable. ++ * Upload sponsored by Petter Reinholdtsen. ++ ++ -- Gustavo Iñiguez Goya Tue, 21 Feb 2023 21:26:21 +0100 ++ ++opensnitch (1.5.8-1) experimental; urgency=medium ++ ++ * New upstream release. ++ ++ [ Gustavo Iñiguez Goia ] ++ * ui: added 64x64 icon. ++ * Added missing entry for GUI manual page. ++ * Updated appstream Summary field. ++ * Removed ftrace dependency from d/control. ++ * ui: updated appstream Summary field. ++ * Updated d/control Description. ++ ++ [ Petter Reinholdtsen ] ++ * Added appstream content rating, no restrictions. ++ * Corrected appstream icon name. ++ * Documented appstream metadata license in d/copyright. ++ * Place manual pages in correct packages. ++ ++ * Upload sponsored by Petter Reinholdtsen. ++ ++ -- Gustavo Iñiguez Goya Sun, 19 Feb 2023 10:26:46 +0100 ++ ++opensnitch (1.5.7-3) experimental; urgency=medium ++ ++ [ Gustavo Iñiguez Goia ] ++ * fixed /etc/xdg/autostart/ link ++ ++ * Upload sponsored by Petter Reinholdtsen. 
++ ++ -- Gustavo Iñiguez Goya Wed, 15 Feb 2023 22:41:19 +0100 ++ ++opensnitch (1.5.7-2) experimental; urgency=medium ++ ++ [ Gustavo Iñiguez Goia ] ++ * added opensnitchd manual page ++ * added new manual page, updated opensnitchd.1 ++ * improved debian/tests/ ++ ++ * Upload sponsored by Petter Reinholdtsen. ++ ++ -- Gustavo Iñiguez Goya Mon, 13 Feb 2023 12:43:19 +0100 ++ ++opensnitch (1.5.7-1) unstable; urgency=medium ++ ++ * New upstream release ++ ++ [ Gustavo Iñiguez Goia ] ++ * Set test-fw-rules.sh as flaky. ++ * Make test-fw-rules.sh more verbose. ++ ++ [ Petter Reinholdtsen ] ++ * Fixed typo in nb comment of desktop file. ++ * Added appstream desktop category to metadata XML. ++ ++ * Upload sponsored by Petter Reinholdtsen. ++ ++ -- Gustavo Iñiguez Goya Fri, 10 Feb 2023 13:28:23 +0100 ++ ++opensnitch (1.5.6-1) unstable; urgency=medium ++ ++ * New upstream release ++ ++ [ Gustavo Iñiguez Goia ] ++ * tests: removed Architecture: restriction ++ * changed Maintainer: field to team+pkg-go ++ * added new test ++ * added Uploaders field ++ * updated Vcs* fields ++ ++ [ Petter Reinholdtsen ] ++ * Added Debian package relation between opensnitch and ++ python3-opensnitch-ui. ++ * Handle autopkgtest scripts differently, as they have different ++ requirements. ++ ++ * Upload sponsored by Petter Reinholdtsen. ++ ++ -- Gustavo Iñiguez Goya Tue, 07 Feb 2023 21:29:48 +0100 ++ ++opensnitch (1.5.5-1) unstable; urgency=medium ++ ++ * New upstream release. ++ * Bump Standards-Version to 4.6.2. ++ * Upload sponsored by Petter Reinholdtsen. ++ ++ -- Gustavo Iñiguez Goya Wed, 01 Feb 2023 22:37:12 +0100 ++ ++opensnitch (1.5.4-1) unstable; urgency=high ++ ++ * New upstream release. (Closes: #1030115) ++ * debian/control: ++ - Updated packages description. ++ - Removed debconf and whiptail|dialog dependencies. ++ - Added xdg-user-dirs, gtk-update-icon-cache dependencies. ++ - Point Vcs-Git field to the 1.5.0 branch. 
++ * debian/postinst: ++ - Fixed opensnitch_ui.desktop installation. ++ - Fixed updating icons cache. ++ * debian/postrm: ++ - Fixed removing opensnitch_ui.desktop ++ * debian/tests/: ++ - Added autopkgtests. ++ * Upload sponsored by Petter Reinholdtsen. ++ ++ -- Gustavo Iñiguez Goya Tue, 31 Jan 2023 23:48:58 +0100 ++ ++opensnitch (1.5.3-1) unstable; urgency=medium ++ ++ * Added debian/upstream/metadata. ++ * Updated Homepage url. ++ * Updated Copyright years. ++ ++ -- Gustavo-Iniguez-Goya Sun, 22 Jan 2023 21:30:45 +0100 ++ ++opensnitch (1.5.2.1-1) unstable; urgency=medium ++ ++ * Initial release. (Closes: #909567) ++ ++ -- Gustavo-Iniguez-Goya Fri, 20 Jan 2023 22:26:40 +0000 ++ ++opensnitch (1.5.2-1) unstable; urgency=medium ++ ++ * try to mount debugfs on boot up ++ ++ -- gustavo-iniguez-goya Wed, 27 Jul 2022 17:29:33 +0200 ++ ++opensnitch (1.5.1-1) unstable; urgency=medium ++ ++ * Better eBPF cache. ++ * Fixed error resolving domains to localhost. ++ * Fixed error deleting our nftables rules. ++ ++ -- gustavo-iniguez-goya Fri, 25 Feb 2022 01:21:38 +0100 ++ ++opensnitch (1.5.0-1) unstable; urgency=medium ++ ++ * New release. ++ * Added Reject option. ++ * New lists types to block ads/malware/... ++ * Better connections interception. ++ * Better VPNs handling. ++ * Bug fixes. ++ ++ -- gustavo-iniguez-goya Fri, 28 Jan 2022 23:20:38 +0100 ++ ++opensnitch (1.5.0~rc2-1) unstable; urgency=medium ++ ++ * Better connections interception. ++ * Improvements. ++ ++ -- gustavo-iniguez-goya Sun, 16 Jan 2022 23:15:12 +0100 ++ ++opensnitch (1.5.0~rc1-1) unstable; urgency=medium ++ ++ * New features. ++ ++ -- gustavo-iniguez-goya Thu, 07 Oct 2021 14:57:35 +0200 ++ ++opensnitch (1.4.0-1) unstable; urgency=medium ++ ++ * final release. ++ ++ -- gustavo-iniguez-goya Fri, 27 Aug 2021 13:33:07 +0200 ++ ++opensnitch (1.4.0~rc4-1) unstable; urgency=medium ++ ++ * Bug fix release. 
++ ++ -- gustavo-iniguez-goya Wed, 11 Aug 2021 15:17:49 +0200 ++ ++opensnitch (1.4.0~rc3-1) unstable; urgency=medium ++ ++ * Bug fix release. ++ ++ -- gustavo-iniguez-goya Fri, 16 Jul 2021 23:28:52 +0200 ++ ++opensnitch (1.4.0~rc2-1) unstable; urgency=medium ++ ++ * Added eBPF support. ++ * Fixes and improvements. ++ ++ -- gustavo-iniguez-goya Fri, 07 May 2021 01:08:02 +0200 ++ ++opensnitch (1.4.0~rc-1) unstable; urgency=medium ++ ++ * Bug fix and improvements release. ++ ++ -- gustavo-iniguez-goya Thu, 25 Mar 2021 01:02:31 +0100 ++ ++opensnitch (1.3.6-1) unstable; urgency=medium ++ ++ * Bug fix and improvements release. ++ ++ -- gustavo-iniguez-goya Wed, 10 Feb 2021 10:17:43 +0100 ++ ++opensnitch (1.3.5-1) unstable; urgency=medium ++ ++ * Bug fix and improvements release. ++ ++ -- gustavo-iniguez-goya Mon, 11 Jan 2021 18:01:53 +0100 ++ ++opensnitch (1.3.0-1) unstable; urgency=medium ++ ++ * Fixed how we check rules ++ * Fixed cpu spike after disable interception. ++ * Fixed cleaning up fw rules on exit. ++ * make regexp rules case-insensitive by default ++ * allow to filter by dst network. ++ ++ -- gustavo-iniguez-goya Wed, 16 Dec 2020 01:15:03 +0100 ++ ++opensnitch (1.3.0~rc-1) unstable; urgency=medium ++ ++ * Non-maintainer upload. ++ ++ -- gustavo-iniguez-goya Fri, 13 Nov 2020 00:51:34 +0100 ++ ++opensnitch (1.2.0-1) unstable; urgency=medium ++ ++ * Fixed memleaks. ++ * Sort rules by name ++ * Added priority field to rules. ++ * Other fixes ++ ++ -- gustavo-iniguez-goya Mon, 09 Nov 2020 22:55:13 +0100 ++ ++opensnitch (1.0.1-1) unstable; urgency=medium ++ ++ * Fixed app exit when IPv6 is not supported. ++ * Other fixes. ++ ++ -- gustavo-iniguez-goya Thu, 30 Jul 2020 21:56:20 +0200 ++ ++opensnitch (1.0.0-1) unstable; urgency=medium ++ ++ * v1.0.0 released. ++ ++ -- gustavo-iniguez-goya Thu, 16 Jul 2020 00:19:26 +0200 ++ ++opensnitch (1.0.0rc11-1) unstable; urgency=medium ++ ++ * Fixed multiple race conditions. 
++ * Fixed CWD parsing when using audit proc monitor method. ++ ++ -- gustavo-iniguez-goya Wed, 24 Jun 2020 00:10:38 +0200 ++ ++opensnitch (1.0.0rc10-1) unstable; urgency=medium ++ ++ * Fixed checking UID functions availability. ++ * Improved process path parsing. ++ * Fixed applying config from the UI. ++ * Fixed default log level. ++ * Gather CWD and process environment vars. ++ * Increase default timeout when asking for a rule. ++ ++ -- gustavo-iniguez-goya Sat, 13 Jun 2020 18:45:02 +0200 ++ ++opensnitch (1.0.0rc9-1) unstable; urgency=medium ++ ++ * Ignore malformed rules from loading. ++ * Allow to modify and add rules from the UI. ++ ++ -- gustavo-iniguez-goya Sun, 17 May 2020 18:18:24 +0200 ++ ++opensnitch (1.0.0rc8) unstable; urgency=medium ++ ++ * Allow to change settings from the UI. ++ * Improved connection handling with the UI. ++ ++ -- gustavo-iniguez-goya Wed, 29 Apr 2020 21:52:27 +0200 ++ ++opensnitch (1.0.0rc7-1) unstable; urgency=medium ++ ++ * Stability, performance and realiability improvements. ++ ++ -- gustavo-iniguez-goya Sun, 12 Apr 2020 23:25:41 +0200 ++ ++opensnitch (1.0.0rc6-1) unstable; urgency=medium ++ ++ * Fixed iptables rules deletion. ++ * Improved PIDs cache. ++ * Added audit process monitoring method. ++ * Added logrotate file. ++ * Added default configuration file. ++ ++ -- gustavo-iniguez-goya Sun, 08 Mar 2020 20:47:58 +0100 ++ ++opensnitch (1.0.0rc-5) unstable; urgency=medium ++ ++ * Fixed netlink socket querying. ++ * Added check to reload firewall rules if missing. ++ ++ -- gustavo-iniguez-goya Mon, 24 Feb 2020 19:55:06 +0100 ++ ++opensnitch (1.0.0rc-3) unstable; urgency=medium ++ ++ * @see: https://github.com/gustavo-iniguez-goya/opensnitch/releases ++ ++ -- gustavo-iniguez-goya Tue, 18 Feb 2020 10:09:45 +0100 ++ ++opensnitch (1.0.0rc-2) unstable; urgency=medium ++ ++ * UI minor changes ++ * Expand deb package compatibility. 
++ ++ -- gustavo-iniguez-goya Wed, 05 Feb 2020 21:50:20 +0100 ++ ++opensnitch (1.0.0rc-1) unstable; urgency=medium ++ ++ * Initial release ++ ++ -- gustavo-iniguez-goya Fri, 22 Nov 2019 01:14:08 +0100 diff --cc debian/control index 0000000,0000000..a95ca97 new file mode 100644 --- /dev/null 
+++ b/debian/control
@@@ -1,0 -1,0 +1,113 @@@
++Source: opensnitch
++Maintainer: Debian Go Packaging Team
++Uploaders:
++ Charles Allhands ,
++ Petter Reinholdtsen
++Section: devel
++Priority: optional
++Build-Depends:
++ debhelper-compat (= 11),
++ dh-golang,
++ dh-python,
++ golang-any,
++ golang-github-fsnotify-fsnotify-dev,
++ golang-github-google-gopacket-dev,
++ golang-github-google-nftables-dev,
++ golang-github-iovisor-gobpf-dev,
++ golang-github-varlink-go-dev,
++ golang-github-vishvananda-netlink-dev,
++ golang-golang-x-net-dev,
++ golang-google-grpc-dev,
++ golang-github-gogo-protobuf-dev | golang-goprotobuf-dev,
++ libmnl-dev,
++ libnetfilter-queue-dev,
++ linux-headers-amd64 [amd64] | linux-headers-arm64 [arm64] | linux-headers-armmp [armhf] | linux-headers-loong64 [loong64] | linux-headers-riscv64 [riscv64] | linux-headers-s390x [s390x] | linux-headers-generic,
++ pkgconf,
++ protoc-gen-go-1-5 | protoc-gen-go-1-3,
++ protoc-gen-go-grpc,
++ pyqt5-dev-tools,
++ qttools5-dev-tools,
++ python3-all,
++ python3-grpc-tools,
++ python3-setuptools,
++ clang,
++ llvm
++Standards-Version: 4.7.2
++Vcs-Browser: https://salsa.debian.org/go-team/packages/opensnitch
++Vcs-Git: https://salsa.debian.org/go-team/packages/opensnitch.git
++Homepage: https://github.com/evilsocket/opensnitch
++Rules-Requires-Root: no
++XS-Go-Import-Path: github.com/evilsocket/opensnitch
++
++Package: opensnitch
++Section: net
++Architecture: any
++Depends:
++ ${misc:Depends},
++ ${shlibs:Depends},
++Recommends: python3-opensnitch-ui,
++ opensnitch-ebpf-modules [amd64 arm64 riscv64 s390x loong64 ppc64]
++Built-Using: ${misc:Built-Using}
++Description: GNU/Linux interactive application firewall
++ Whenever a program makes a connection, it'll prompt the user to allow or deny
++ it.
++ .
++ The user can decide if block the outgoing connection based on properties of
++ the connection: by port, by uid, by dst ip, by program or a combination
++ of them.
++ .
++ These rules can last forever, until the app restart or just one time.
++ .
++ The GUI allows the user to view live outgoing connections, as well as search
++ by process, user, host or port.
++ .
++ OpenSnitch can also work as a system-wide domains blocker, by using lists
++ of domains, list of IPs or list of regular expressions.
++
++
++Package: python3-opensnitch-ui
++Architecture: all
++Section: net
++Depends:
++ ${misc:Depends},
++ ${shlibs:Depends},
++ libqt5sql5-sqlite,
++ python3-grpcio,
++ python3-notify2,
++ python3-packaging,
++ python3-pyinotify,
++ python3-pyqt5,
++ python3-pyqt5.qtsql,
++ python3-slugify,
++ python3:any,
++ xdg-user-dirs,
++ gtk-update-icon-cache
++Recommends:
++ python3-pyasn
++Suggests: opensnitch
++Description: GNU/Linux interactive application firewall GUI
++ opensnitch-ui is a GUI for opensnitch written in Python.
++ It allows the user to view live outgoing connections, as well as search
++ for details of the intercepted connections.
++ .
++ The user can decide if block outgoing connections based on properties of
++ the connection: by port, by uid, by dst ip, by program or a combination
++ of them.
++ .
++ These rules can last forever, until restart the daemon or just one time.
++ .
++ OpenSnitch can also work as a system-wide domains blocker, by using lists
++ of domains, list of IPs or list of regular expressions.
++
++
++Package: opensnitch-ebpf-modules
++Architecture: amd64 arm64 riscv64 s390x loong64 ppc64
++Section: net
++Depends:
++ ${misc:Depends},
++ ${shlibs:Depends},
++Suggests: opensnitch
++Description: GNU/Linux interactive application firewall eBPF modules
++ opensnitch-ebpf-modules provides the eBPF modules.
++ It provides the functionality to intercept connections at kernel level,
++ offering better performance and reliability.
diff --cc debian/copyright
index 0000000,0000000..7054f76
new file mode 100644
--- /dev/null
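Review bot: `${shlibs:Depends}` in the Depends of python3-opensnitch-ui is never populated for an `Architecture: all` package that ships no compiled objects, so dpkg-gencontrol will typically warn that the substitution variable is used but not defined; drop that one line from the python3-opensnitch-ui stanza and keep `${misc:Depends},` there. The same substvar is fine in the `Architecture: any` opensnitch stanza and in opensnitch-ebpf-modules, where dh_shlibdeps can fill it in. Separately, `debhelper-compat (= 11)` is several levels behind the current debhelper default while Standards-Version is bumped to 4.7.2 in the same file; raising the compat level is probably worth a follow-up, though it is outside what this upload set out to change.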
+++ b/debian/copyright
@@@ -1,0 -1,0 +1,203 @@@
++Format: https://www.debian.org/doc/packaging-manuals/copyright-format/1.0/
++Source: https://github.com/evilsocket/opensnitch
++Upstream-Contact: Gustavo Iñiguez Goia
++Upstream-Name: opensnitch
++Files-Excluded:
++ Godeps/_workspace
++
++Files: *
++Copyright:
++ 2017-2018 evilsocket
++ 2019-2023 Gustavo Iñiguez Goia
++Comment: Debian packaging is licensed under the same terms as upstream
++License: GPL-3.0+
++ This program is free software; you can redistribute it
++ and/or modify it under the terms of the GNU General Public
++ License as published by the Free Software Foundation; either
++ version 3 of the License, or (at your option) any later
++ version.
++ .
++ This program is distributed in the hope that it will be
++ useful, but WITHOUT ANY WARRANTY; without even the implied
++ warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
++ PURPOSE. See the GNU General Public License for more
++ details.
++ .
++ You should have received a copy of the GNU General Public
++ License along with this program. If not, If not, see
++ http://www.gnu.org/licenses/.
++ .
++ On Debian systems, the full text of the GNU General Public
++ License version 3 can be found in the file
++ '/usr/share/common-licenses/GPL-3'.
++
++Files: ui/resources/io.github.evilsocket.opensnitch.appdata.xml
++Copyright:
++ 2023 Gustavo Iñiguez Goia
++License: FTL
++ The FreeType Project LICENSE
++ ----------------------------
++ .
++ 2006-Jan-27
++ .
++ Copyright 1996-2002, 2006 by
++ David Turner, Robert Wilhelm, and Werner Lemberg
++ .
++ .
++ .
++ Introduction
++ ============
++ .
++ The FreeType Project is distributed in several archive packages;
++ some of them may contain, in addition to the FreeType font engine,
++ various tools and contributions which rely on, or relate to, the
++ FreeType Project.
++ .
++ This license applies to all files found in such packages, and
++ which do not fall under their own explicit license. The license
++ affects thus the FreeType font engine, the test programs,
++ documentation and makefiles, at the very least.
++ .
++ This license was inspired by the BSD, Artistic, and IJG
++ (Independent JPEG Group) licenses, which all encourage inclusion
++ and use of free software in commercial and freeware products
++ alike. As a consequence, its main points are that:
++ .
++ o We don't promise that this software works. However, we will be
++ interested in any kind of bug reports. (`as is' distribution)
++ .
++ o You can use this software for whatever you want, in parts or
++ full form, without having to pay us. (`royalty-free' usage)
++ .
++ o You may not pretend that you wrote this software. If you use
++ it, or only parts of it, in a program, you must acknowledge
++ somewhere in your documentation that you have used the
++ FreeType code. (`credits')
++ .
++ We specifically permit and encourage the inclusion of this
++ software, with or without modifications, in commercial products.
++ We disclaim all warranties covering The FreeType Project and
++ assume no liability related to The FreeType Project.
++ .
++ .
++ Finally, many people asked us for a preferred form for a
++ credit/disclaimer to use in compliance with this license. We thus
++ encourage you to use the following text:
++ .
++ """
++ Portions of this software are copyright © The FreeType
++ Project (www.freetype.org). All rights reserved.
++ """
++ .
++ Please replace with the value from the FreeType version you
++ actually use.
++ .
++ .
++ Legal Terms
++ ===========
++ .
++ 0. Definitions
++ --------------
++ .
++ Throughout this license, the terms `package', `FreeType Project',
++ and `FreeType archive' refer to the set of files originally
++ distributed by the authors (David Turner, Robert Wilhelm, and
++ Werner Lemberg) as the `FreeType Project', be they named as alpha,
++ beta or final release.
++ .
++ `You' refers to the licensee, or person using the project, where
++ `using' is a generic term including compiling the project's source
++ code as well as linking it to form a `program' or `executable'.
++ This program is referred to as `a program using the FreeType
++ engine'.
++ .
++ This license applies to all files distributed in the original
++ FreeType Project, including all source code, binaries and
++ documentation, unless otherwise stated in the file in its
++ original, unmodified form as distributed in the original archive.
++ If you are unsure whether or not a particular file is covered by
++ this license, you must contact us to verify this.
++ .
++ The FreeType Project is copyright (C) 1996-2000 by David Turner,
++ Robert Wilhelm, and Werner Lemberg. All rights reserved except as
++ specified below.
++ .
++ 1. No Warranty
++ --------------
++ .
++ THE FREETYPE PROJECT IS PROVIDED `AS IS' WITHOUT WARRANTY OF ANY
++ KIND, EITHER EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO,
++ WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
++ PURPOSE. IN NO EVENT WILL ANY OF THE AUTHORS OR COPYRIGHT HOLDERS
++ BE LIABLE FOR ANY DAMAGES CAUSED BY THE USE OR THE INABILITY TO
++ USE, OF THE FREETYPE PROJECT.
++ .
++ 2. Redistribution
++ -----------------
++ .
++ This license grants a worldwide, royalty-free, perpetual and
++ irrevocable right and license to use, execute, perform, compile,
++ display, copy, create derivative works of, distribute and
++ sublicense the FreeType Project (in both source and object code
++ forms) and derivative works thereof for any purpose; and to
++ authorize others to exercise some or all of the rights granted
++ herein, subject to the following conditions:
++ .
++ o Redistribution of source code must retain this license file
++ (`FTL.TXT') unaltered; any additions, deletions or changes to
++ the original files must be clearly indicated in accompanying
++ documentation. The copyright notices of the unaltered,
++ original files must be preserved in all copies of source
++ files.
++ .
++ o Redistribution in binary form must provide a disclaimer that
++ states that the software is based in part of the work of the
++ FreeType Team, in the distribution documentation. We also
++ encourage you to put an URL to the FreeType web page in your
++ documentation, though this isn't mandatory.
++ .
++ These conditions apply to any software derived from or based on
++ the FreeType Project, not just the unmodified files. If you use
++ our work, you must acknowledge us. However, no fee need be paid
++ to us.
++ .
++ 3. Advertising
++ --------------
++ .
++ Neither the FreeType authors and contributors nor you shall use
++ the name of the other for commercial, advertising, or promotional
++ purposes without specific prior written permission.
++ .
++ We suggest, but do not require, that you use one or more of the
++ following phrases to refer to this software in your documentation
++ or advertising materials: `FreeType Project', `FreeType Engine',
++ `FreeType library', or `FreeType Distribution'.
++ .
++ As you have not signed this license, you are not required to
++ accept it. However, as the FreeType Project is copyrighted
++ material, only this license, or another one contracted with the
++ authors, grants you the right to use, distribute, and modify it.
++ Therefore, by using, distributing, or modifying the FreeType
++ Project, you indicate that you understand and accept all the terms
++ of this license.
++ .
++ 4. Contacts
++ -----------
++ .
++ There are two mailing lists related to FreeType:
++ .
++ o freetype@nongnu.org
++ .
++ Discusses general use and applications of FreeType, as well as
++ future and wanted additions to the library and distribution.
++ If you are looking for support, start in this list if you
++ haven't found anything to help you in the documentation.
++ .
++ o freetype-devel@nongnu.org
++ .
++ Discusses bugs, as well as engine internals, design issues,
++ specific licenses, porting, etc.
++ .
++ Our home page can be found at
++ .
++ https://www.freetype.org
diff --cc debian/gbp.conf
index 0000000,0000000..94e6b84
new file mode 100644
--- /dev/null
+++ b/debian/gbp.conf
@@@ -1,0 -1,0 +1,3 @@@
++[DEFAULT]
++debian-branch = debian/sid
++pristine-tar = True
diff --cc debian/gitlab-ci.yml
index 0000000,0000000..91ff7ea
new file mode 100644
--- /dev/null
+++ b/debian/gitlab-ci.yml
@@@ -1,0 -1,0 +1,27 @@@
++# auto-generated, DO NOT MODIFY.
++# The authoritative copy of this file lives at:
++# https://salsa.debian.org/go-team/ci/blob/master/config/gitlabciyml.go
++
++# TODO: publish under debian-go-team/ci
++image: stapelberg/ci2
++
++test_the_archive:
++ artifacts:
++ paths:
++ - before-applying-commit.json
++ - after-applying-commit.json
++ script:
++ # Create an overlay to discard writes to /srv/gopath/src after the build:
++ - "rm -rf /cache/overlay/{upper,work}"
++ - "mkdir -p /cache/overlay/{upper,work}"
++ - "mount -t overlay overlay -o lowerdir=/srv/gopath/src,upperdir=/cache/overlay/upper,workdir=/cache/overlay/work /srv/gopath/src"
++ - "export GOPATH=/srv/gopath"
++ - "export GOCACHE=/cache/go"
++ # Build the world as-is:
++ - "ci-build -exemptions=/var/lib/ci-build/exemptions.json > before-applying-commit.json"
++ # Copy this package into the overlay:
++ - "GBP_CONF_FILES=:debian/gbp.conf gbp buildpackage --git-no-pristine-tar --git-ignore-branch --git-ignore-new --git-export-dir=/tmp/export --git-no-overlay --git-tarball-dir=/nonexistant --git-cleaner=/bin/true --git-builder='dpkg-buildpackage -S -d --no-sign'"
++ - "pgt-gopath -dsc /tmp/export/*.dsc"
++ # Rebuild the world:
++ - "ci-build -exemptions=/var/lib/ci-build/exemptions.json > after-applying-commit.json"
++ - "ci-diff before-applying-commit.json after-applying-commit.json"
diff --cc debian/man/opensnitch-ebpf-modules.1
index 0000000,0000000..018b4b6
new file mode 100644
--- /dev/null
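Review bot: `pristine-tar = True` in debian/gbp.conf contradicts the build instructions this same commit writes into debian/README.sources, which tell the maintainer to run `gbp buildpackage --git-tarball-dir=../ --git-no-pristine-tar` and point at the go-team workflow change that dropped pristine-tar; the CI file in this commit also passes `--git-no-pristine-tar`. With the default set to True, a plain `gbp buildpackage` on the debian/sid branch will presumably look for a pristine-tar branch the documented workflow does not maintain, unless the person remembers the override. Either set `pristine-tar = False` here so the default matches the documented workflow, or drop the override from the README if a pristine-tar branch is in fact kept.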
+++ b/debian/man/opensnitch-ebpf-modules.1
@@@ -1,0 -1,0 +1,59 @@@
++.\" Copyright (c) 2023 Gustavo Iñiguez Goya
++.\" All rights reserved.
++.\"
++.\" SPDX-License-Identifier: GPL-3.0-or-later
++.de CW
++.sp
++.in +4n
++.nf
++.ft CW
++..
++.de CE
++.ft R
++.fi
++.in
++.sp
++..
++.\" Like .OP, but with ellipsis at the end in order to signify that option
++.\" can be provided multiple times. Based on .OP definition in groff's
++.\" an-ext.tmac.
++.de OM
++. ie \\n(.$-1 \
++. RI "[\fB\\$1\fP" "\ \\$2" "]...\&"
++. el \
++. RB "[" "\\$1" "]...\&"
++..
++.\" Required option.
++.de OR
++. ie \\n(.$-1 \
++. RI "\fB\\$1\fP" "\ \\$2"
++. el \
++. BR "\\$1"
++..
++.TH OPENSNITCH-EBPF_MODULES 1 "2023-06-07" "opensnitch-ebpf-modules 1.5.9"
++.SH NAME
++opensnitch-ebpf-modules \- GNU/Linux interactive firewall application
++.SH DESCRIPTION
++.LP
++opensnitch-ebpf-modules provides the eBPF kernel modules to intercept
++network connections. It offers better performance and reliability.
++.LP
++The modules are installed under /usr/lib/opensnitchd/ebpf/
++.LP
++.SH KNOWN BUGS
++When coming back from suspend state, the eBPF modules stop working.
++.LP
++The only solution for now is to restart the daemon when the computer
++wakes up:
++.PP
++https://github.com/evilsocket/opensnitch/blob/master/utils/scripts/restart-opensnitch-onsleep.sh
++.SH "SEE ALSO"
++.PP
++.UR https://github.com/evilsocket/opensnitch/ebpf_prog/
++.B OpenSnitch
++Home Page
++.UE
++.SH AUTHORS
++The complete list of
++.B OpenSnitch
++contributors can be found on https://github.com/evilsocket/opensnitch
diff --cc debian/man/opensnitch-ui.1
index 0000000,0000000..b9ab2d9
new file mode 100644
--- /dev/null
+++ b/debian/man/opensnitch-ui.1 @@@ -1,0 -1,0 +1,112 @@@ ++.\" Copyright (c) 2023 Gustavo Iñiguez Goya ++.\" All rights reserved. ++.\" ++.\" SPDX-License-Identifier: GPL-3.0-or-later ++.de CW ++.sp ++.in +4n ++.nf ++.ft CW ++.. ++.de CE ++.ft R ++.fi ++.in ++.sp ++.. ++.\" Like .OP, but with ellipsis at the end in order to signify that option ++.\" can be provided multiple times. Based on .OP definition in groff's ++.\" an-ext.tmac. ++.de OM ++. ie \\n(.$-1 \ ++. RI "[\fB\\$1\fP" "\ \\$2" "]...\&" ++. el \ ++. RB "[" "\\$1" "]...\&" ++.. ++.\" Required option. ++.de OR ++. ie \\n(.$-1 \ ++. RI "\fB\\$1\fP" "\ \\$2" ++. el \ ++. BR "\\$1" ++.. ++.TH OPENSNITCH-UI 1 "2023-06-07" "opensnitchd 1.5.9" ++.SH NAME ++opensnitch-ui \- GNU/Linux interactive firewall application ++.SH SYNOPSIS ++.SY opensnitch-ui ++.OP \-\-socket path ++.OP \-\-max-clients num ++.YS ++.SH DESCRIPTION ++.LP ++opensnitch-ui is the OpenSnitch GUI to view events intercepted by the daemon, ++and to manage the rules. ++The GUI is composed of 2 components in the same script: a server and a GUI. ++Once the GUI is launched, an icon will appear on the system tray. ++If the system tray is not available or can't be used, the Events dialog will ++be launched. ++.LP ++The GUI (i.e.: the server) will listen for new connections from daemons. You ++can have the daemon installed on multiple machines, and manage them from a ++centralized GUI. ++.UR https://github.com/evilsocket/opensnitch/wiki/Nodes ++.UE ++.LP ++.SH OPTIONS ++.TP ++.BI "\--socket " path ++Specifies the path or network address where the GUI (i.e.: the server) will ++listen on. ++.PP ++ Examples: ++.PP ++ Default: unix:///tmp/osui.sock ++.PP ++ - Listening on a Unix socket: ++ $ opensnitch-ui --socket unix:///tmp/osui.sock ++ * Use unix:///run/user/YOUR_USER_ID/opensnitch/osui.sock for better privacy. 
++.PP ++ - Listening on port 50051, all interfaces: ++ $ opensnitch-ui --socket "[::]:50051" ++.TP ++.BI "\--max-clients " num ++Maximum number of clients to allow (default: 10). ++.SH FILES ++.I /home/$USER/.config/opensnitch/ ++.RS ++Path of the GUI configuration. ++.RE ++.SH DIAGNOSTICS ++If something goes wrong, like a crash, launch the GUI from a shell to view debugging messages: ++.LP ++.RS ++$ opensnitch-ui ++.RE ++.SH REPORTING BUGS ++Problems with ++.B opensnitch-ui ++should be reported on github ++.UR https://github.com/evilsocket/opensnitch/issues ++.UE ++.SH "SEE ALSO" ++.PP ++.B OpenSnitch ++Home Page ++.UR https://github.com/evilsocket/opensnitch ++.UE ++.LP ++.SH HISTORY ++.B OpenSnitch ++was originally written by Simone Margaritelli (evilsocket) in 2017-2018. ++.LP ++In 2019, after some time of inactivity, Gustavo Iñiguez Goya started ++contributing, fixing bugs and adding new functionality, with ++the esential help of the community, and valuable contributions from themighty1 and ++calesanz among others. ++.SH AUTHORS ++The complete list of ++.B OpenSnitch ++contributors can be found on ++.UR https://github.com/evilsocket/opensnitch ++.UE diff --cc debian/man/opensnitchd.1 index 0000000,0000000..a5e108f new file mode 100644 --- /dev/null 
+++ b/debian/man/opensnitchd.1 @@@ -1,0 -1,0 +1,183 @@@ ++.\" Copyright (c) 2023 Gustavo Iñiguez Goya ++.\" All rights reserved. ++.\" ++.\" SPDX-License-Identifier: GPL-3.0-or-later ++.de CW ++.sp ++.in +4n ++.nf ++.ft CW ++.. ++.de CE ++.ft R ++.fi ++.in ++.sp ++.. ++.\" Like .OP, but with ellipsis at the end in order to signify that option ++.\" can be provided multiple times. Based on .OP definition in groff's ++.\" an-ext.tmac. ++.de OM ++. ie \\n(.$-1 \ ++. RI "[\fB\\$1\fP" "\ \\$2" "]...\&" ++. el \ ++. RB "[" "\\$1" "]...\&" ++.. ++.\" Required option. ++.de OR ++. ie \\n(.$-1 \ ++. RI "\fB\\$1\fP" "\ \\$2" ++. el \ ++. BR "\\$1" ++.. ++.TH OPENSNITCHD 1 "2023-06-07" "opensnitchd 1.5.9" ++.SH NAME ++opensnitchd \- GNU/Linux interactive firewall application ++.SH SYNOPSIS ++.SY opensnitchd ++.OP \-rules-path path ++.OP \-cpu-profile path ++.OP \-debug ++.OP \-error ++.OP \-warning ++.OP \-important ++.OM \-log-file path ++.OM \-mem-profile path ++.OP \-no-live-reload ++.OM \-process-monitor-method name ++.OM \-queue-num num ++.OM \-ui-socket path ++.OP \-version ++.OM \-workers num ++.YS ++.SH DESCRIPTION ++.LP ++opensnitchd is the OpenSnitch agent that intercepts outbound connections, ++and send them to the server. The server can be a GUI, a TUI, or a ++.I headless ++component to just log the network activity (a SIEM for example). ++By default it'll allow all connections, creating temporal rules for you ++so you can review them later. ++.LP ++.SH OPTIONS ++.TP ++.BI "\-rules-path " path ++Specifies where the rules will be written to. Default "rules". ++.TP ++.BI "\-cpu-profile " path ++A file path where the CPU data for later use will be written. ++.TP ++.BI "\-debug" ++Set LogLevel to DEBUG. ++.TP ++.BI "\-warning" ++Set LogLevel to WARNING. ++.TP ++.BI "\-important" ++Set LogLevel to IMPORTANT. ++.TP ++.BI "\-log-file " path ++A file path where the logs will be written to. 
This path can be a device file, ++like /dev/stdout to print logs to standard output. ++.TP ++.BI "\-mem-profile " path ++A file path where the memory data will be written once the daemon exits. ++.TP ++.BI "\-no-live-reload" ++By default daemon's rules and configuration is reloaded whenever it changes. ++This option disables this feature. ++.TP ++.BI "\-process-monitor-method " method ++Force process monitor method, overriding what is defined in the configuration. ++Valid methods: ebpf, audit, proc ++.TP ++.BI "\-queue-num " num ++Force to use this netfilter queue num. The default queue number is 0, but if ++it's already used by other software, you can set another queue number here. ++.TP ++.BI "\-ui-socket " path ++Force to use this socket path, instead of the one defined in the configuration. ++The path format is unix:///path/to/socket.sock or ip:port ("127.0.0.1:50051") ++.RS ++( ++.UR https://github.com/grpc/grpc/blob/master/doc/naming.md ++.UE ++) ++.RE ++.TP ++.BI "\-version" ++Prints out daemon version. ++.TP ++.BI "\-workers " num ++Change maximum number of workers to process outbound connections. ++By default 16 workers are launched, but if it's not enough increase this number. ++.SH FILES ++.I /etc/opensnitchd/rules/ ++.RS ++Default daemon directory rules. ++.RE ++.I /etc/opensnitchd/default-config.json ++.RS ++Default daemon configuration. ++.RE ++.I /etc/opensnitchd/system-fw.json ++.RS ++Configuration of system firewall rules (iptables/nftables). ++.TP ++Firewall rules defined here bypasses OpenSnitch interception. Use it to allow VPNs or other services. 
++.SH DIAGNOSTICS ++OpenSnitch needs at least one firewall rule to intercept outbound connections: ++.LP ++iptables -t mangle -L OUTPUT | grep NFQUEUE ++.RS ++NFQUEUE all -- anywhere anywhere ctstate NEW,RELATED NFQUEUE num 0 bypass ++.RE ++.LP ++If you suspect that OpenSnitch blocks an application and doesn't prompt you to allow or deny it, ++using the GUI enable the option ++.I [x] Debug invalid connections ++under Preferences -> Nodes. ++Or set the configuration option ++.B InterceptUnknown ++to true. ++.LP ++.I Tip: ++You can also add rules to the file /etc/opensnitchd/system-fw.json, to allow network services without being intercepted by the daemon. ++.LP ++Another way of debugging errors is by launching the daemon from the command line: ++.IP ++.PD 0 ++.IP 1. 4 ++Set LogLevel to DEBUG under Preferences -> Nodes (or LogLevel to 0 in the configuration) ++.IP 2. 4 ++Stop the daemon: systemctl stop opensnitch ++.IP 3. 4 ++Launch it from cli: /usr/bin/opensnitchd -rules-path /etc/opensnitchd/rules/ ++.PD ++.LP ++.SH REPORTING BUGS ++Problems with ++.B opensnitchd ++should be reported on github ++.UR https://github.com/evilsocket/opensnitch/issues ++.UE ++.SH HISTORY ++.B OpenSnitch ++was originally written by Simone Margaritelli (evilsocket) in 2017-2018. ++.LP ++In 2019, after some time of inactivity, Gustavo Iñiguez Goya started ++contributing, fixing bugs and adding new functionality, with ++the esential help of the community, and valuable contributions from themighty1 and ++calesanz among others. ++.SH "SEE ALSO" ++.PP ++.B OpenSnitch ++Home Page ++.UR https://github.com/evilsocket/opensnitch ++.UE ++.SH AUTHORS ++The complete list of ++.B OpenSnitch ++contributors can be found on ++.UR https://github.com/evilsocket/opensnitch ++.UE diff --cc debian/opensnitch-ebpf-modules.lintian-overrides index 0000000,0000000..9ae16b6 new file mode 100644 --- /dev/null 
+++ b/debian/opensnitch-ebpf-modules.lintian-overrides
@@@ -1,0 -1,0 +1,4 @@@
++# These are EBPF objects.
++binary-from-other-architecture [usr/lib/opensnitchd/ebpf/opensnitch-dns.o]
++binary-from-other-architecture [usr/lib/opensnitchd/ebpf/opensnitch-procs.o]
++binary-from-other-architecture [usr/lib/opensnitchd/ebpf/opensnitch.o]
diff --cc debian/opensnitch-ebpf-modules.manpages
index 0000000,0000000..fcad479
new file mode 100644
--- /dev/null
+++ b/debian/opensnitch-ebpf-modules.manpages
@@@ -1,0 -1,0 +1,1 @@@
++debian/man/opensnitch-ebpf-modules.1
diff --cc debian/opensnitch.init
index 0000000,0000000..77ce353
new file mode 100644
--- /dev/null
+++ b/debian/opensnitch.init
@@@ -1,0 -1,0 +1,78 @@@
++#!/bin/sh
++
++### BEGIN INIT INFO
++# Provides: opensnitchd
++# Required-Start: $network $local_fs
++# Required-Stop: $network $local_fs
++# Default-Start: 2 3 4 5
++# Default-Stop: 0 1 6
++# Short-Description: opensnitchd daemon
++# Description: opensnitch application firewall
++### END INIT INFO
++
++NAME=opensnitchd
++PIDDIR=/var/run/$NAME
++OPENSNITCHDPID=$PIDDIR/$NAME.pid
++
++# clear conflicting settings from the environment
++unset TMPDIR
++
++test -x /usr/bin/$NAME || exit 0
++
++. /lib/lsb/init-functions
++
++case $1 in
++ start)
++ log_daemon_msg "Starting opensnitch daemon" $NAME
++ if [ ! -d /etc/$NAME/rules ]; then
++ mkdir -p /etc/$NAME/rules &>/dev/null
++ fi
++
++ # Make sure we have our PIDDIR, even if it's on a tmpfs
++ install -o root -g root -m 755 -d $PIDDIR
++
++ if ! start-stop-daemon --start --quiet --oknodo --pidfile $OPENSNITCHDPID --background --exec /usr/bin/$NAME -- -rules-path /etc/$NAME/rules; then
++ log_end_msg 1
++ exit 1
++ fi
++
++ log_end_msg 0
++ ;;
++ stop)
++
++ log_daemon_msg "Stopping $NAME daemon" $NAME
++
++ start-stop-daemon --stop --quiet --signal QUIT --name $NAME
++ # Wait a little and remove stale PID file
++ sleep 1
++ if [ -f $OPENSNITCHDPID ] && ! ps h `cat $OPENSNITCHDPID` > /dev/null
++ then
++ rm -f $OPENSNITCHDPID
++ fi
++
++ log_end_msg 0
++
++ ;;
++ reload)
++ log_daemon_msg "Reloading $NAME" $NAME
++
++ start-stop-daemon --stop --quiet --signal HUP --pidfile $OPENSNITCHDPID
++
++ log_end_msg 0
++ ;;
++ restart|force-reload)
++ $0 stop
++ sleep 1
++ $0 start
++ ;;
++ status)
++ status_of_proc /usr/bin/$NAME $NAME
++ exit $?
++ ;;
++ *)
++ echo "Usage: /etc/init.d/opensnitchd {start|stop|reload|restart|force-reload|status}"
++ exit 1
++ ;;
++esac
++
++exit 0
diff --cc debian/opensnitch.install
index 0000000,0000000..751664c
new file mode 100644
--- /dev/null
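Review bot: `mkdir -p /etc/$NAME/rules &>/dev/null` in the start branch uses the bash-only `&>` redirection under `#!/bin/sh`; dash parses it as `mkdir -p /etc/$NAME/rules &` followed by a bare `>/dev/null`, so mkdir runs in the background and the rules directory may not exist yet when start-stop-daemon launches the daemon. The POSIX form is `mkdir -p /etc/$NAME/rules >/dev/null 2>&1`. The stale-pid check in the stop branch mixes backticks and unquoted expansions; `if [ -f "$OPENSNITCHDPID" ] && ! ps h "$(cat "$OPENSNITCHDPID")" >/dev/null` keeps it portable. The start branch passes `--pidfile $OPENSNITCHDPID` without `--make-pidfile`, so unless opensnitchd writes that file itself the reload branch and the stale-pid cleanup never match a process; worth confirming against the daemon.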
+++ b/debian/opensnitch.install
@@@ -1,0 -1,0 +1,3 @@@
++daemon/default-config.json etc/opensnitchd/
++daemon/system-fw.json etc/opensnitchd/
++#ebpf_prog/opensnitch.o etc/opensnitchd/
diff --cc debian/opensnitch.logrotate
index 0000000,0000000..7e1d486
new file mode 100644
--- /dev/null
+++ b/debian/opensnitch.logrotate
@@@ -1,0 -1,0 +1,13 @@@
++/var/log/opensnitchd.log {
++ rotate 7
++# order of the fields is important
++ maxsize 50M
++# we need this option in order to keep logging
++ copytruncate
++ missingok
++ notifempty
++ delaycompress
++ compress
++ create 640 root root
++ weekly
++}
diff --cc debian/opensnitch.maintscript
index 0000000,0000000..3967ebd
new file mode 100644
--- /dev/null
+++ b/debian/opensnitch.maintscript
@@@ -1,0 -1,0 +1,1 @@@
++rm_conffile /etc/needrestart/conf.d/no-opensnitch-restart.conf 1.6.8-9 opensnitch
diff --cc debian/opensnitch.manpages
index 0000000,0000000..89a1536
new file mode 100644
--- /dev/null
+++ b/debian/opensnitch.manpages
@@@ -1,0 -1,0 +1,1 @@@
++debian/man/opensnitchd.1
diff --cc debian/opensnitch.service
index 0000000,0000000..8d1b52f
new file mode 100644
--- /dev/null
+++ b/debian/opensnitch.service
@@@ -1,0 -1,0 +1,16 @@@
++[Unit]
++Description=OpenSnitch is a GNU/Linux application firewall.
++Documentation=https://github.com/gustavo-iniguez-goya/opensnitch/wiki
++Wants=network.target
++After=network.target
++
++[Service]
++Type=simple
++PermissionsStartOnly=true
++ExecStartPre=/bin/mkdir -p /etc/opensnitchd/rules
++ExecStart=/usr/bin/opensnitchd -rules-path /etc/opensnitchd/rules
++Restart=always
++RestartSec=30
++
++[Install]
++WantedBy=multi-user.target
diff --cc debian/patches/1000-installed-kernel-headers.patch
index 0000000,0000000..59fb30e
new file mode 100644
--- /dev/null
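Review bot: `create 640 root root` has no effect next to `copytruncate`: logrotate truncates the original file in place and never recreates it, so the mode line is dead configuration and nothing here enforces that /var/log/opensnitchd.log is not world-readable. If restrictive permissions on the log are intended (it records which processes opened which connections), that has to come from how the daemon creates the file; otherwise drop the `create` line so the config does not imply a guarantee it cannot give.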
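Review bot: `PermissionsStartOnly=true` is deprecated in systemd and, with no `User=` in the unit, changes nothing; the documented replacement is the `+` prefix, `ExecStartPre=+/bin/mkdir -p /etc/opensnitchd/rules`. This unit also lacks the `DefaultDependencies=no`/`Before=network-pre.target` ordering and the `OOMScoreAdjust=-1000` that 1030-systemd-service-earlier.patch adds to upstream's daemon/opensnitchd.service; if dh_installsystemd installs debian/opensnitch.service (as the filename suggests), that patch never reaches the installed unit and the firewall still starts only after network.target. One of the two files should be the single source of the unit.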
+++ b/debian/patches/1000-installed-kernel-headers.patch
@@@ -1,0 -1,0 +1,22 @@@
++Description: Changed how ebpf build find kernel headers from running to installed version.
++ The installed kernel do not match running kernel in chroots and containers.
++Author: Petter Reinholdtsen
++Forwarded: https://github.com/evilsocket/opensnitch/pull/1327
++Last-Update: 2025-04-20
++---
++Index: opensnitch-salsa/ebpf_prog/Makefile
++===================================================================
++--- opensnitch-salsa.orig/ebpf_prog/Makefile 2025-04-20 09:53:55.679288526 +0200
+++++ opensnitch-salsa/ebpf_prog/Makefile 2025-04-20 09:54:12.000000000 +0200
++@@ -3,8 +3,9 @@
++ # On Debian based distros we need the following 2 directories.
++ # Otherwise, just use the kernel headers from the kernel sources.
++ #
++-KERNEL_DIR ?= /lib/modules/$(shell uname -r)/source
++-KERNEL_HEADERS ?= /usr/src/linux-headers-$(shell uname -r)/
+++KERNEL_VER ?= $(shell ls -d /lib/modules/*/source | sort | tail -1 | cut -d/ -f4)
+++KERNEL_DIR ?= /lib/modules/$(KERNEL_VER)/source
+++KERNEL_HEADERS ?= /usr/src/linux-headers-$(KERNEL_VER)/
++ CLANG ?= clang
++ LLC ?= llc
++ LLVM_STRIP ?= llvm-strip -g
diff --cc debian/patches/1020-ebpf-armv8l.patch
index 0000000,0000000..1483114
new file mode 100644
--- /dev/null
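Review bot: `sort` in the new `KERNEL_VER` line is a plain lexical sort, so with several kernels installed (e.g. 6.1.0-9 and 6.1.0-10) `tail -1` can select the older one and the eBPF objects are built against the wrong headers; `sort -V` orders by version. When no /lib/modules/*/source exists the pipeline yields an empty KERNEL_VER and the failure only shows up later as a missing header; a guard such as `$(if $(KERNEL_VER),,$(error no kernel source found under /lib/modules))` after the assignment fails early with a clear message.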
+++ b/debian/patches/1020-ebpf-armv8l.patch
@@@ -1,0 -1,0 +1,18 @@@
++Description: Added ebpf build rule mapping for armv8 to work with more armhf machines.
++Author: Petter Reinholdtsen
++Forwarded: https://github.com/evilsocket/opensnitch/pull/1326
++Last-Update: 2025-04-20
++---
++Index: opensnitch-salsa/ebpf_prog/Makefile
++===================================================================
++--- opensnitch-salsa.orig/ebpf_prog/Makefile 2025-04-20 09:53:55.739289007 +0200
+++++ opensnitch-salsa/ebpf_prog/Makefile 2025-04-20 09:53:55.731288942 +0200
++@@ -19,6 +19,8 @@
++ ARCH := x86
++ else ifeq ($(ARCH),armv7l)
++ ARCH := arm
+++else ifeq ($(ARCH),armv8l)
+++ ARCH := arm
++ else ifeq ($(ARCH),aarch64)
++ ARCH := arm64
++ endif
diff --cc debian/patches/1030-systemd-service-earlier.patch
index 0000000,0000000..2ab42d9
new file mode 100644
--- /dev/null
+++ b/debian/patches/1030-systemd-service-earlier.patch
@@@ -1,0 -1,0 +1,33 @@@
++Description: Start firewall rules before network is brought up.
++ Also protect the firewall daemon from the kernel OOM killer. Partly
++ based on proposal from
++ https://github.com/evilsocket/opensnitch/pull/1019/.
++Author: Petter Reinholdtsen
++Forwarded: https://github.com/evilsocket/opensnitch/pull/1019
++Last-Update: 2025-04-20
++diff --git a/daemon/opensnitchd.service b/daemon/opensnitchd.service
++index 3f05fad2..3bfd94d6 100644
++--- a/daemon/opensnitchd.service
+++++ b/daemon/opensnitchd.service
++@@ -1,6 +1,10 @@
++ [Unit]
++ Description=Application firewall OpenSnitch
++ Documentation=https://github.com/evilsocket/opensnitch/wiki
+++DefaultDependencies=no
+++Before=network-pre.target shutdown.target
+++Wants=network-pre.target
+++Conflicts=shutdown.target
++
++ [Service]
++ Type=simple
++@@ -10,6 +14,9 @@ ExecStart=/usr/local/bin/opensnitchd -rules-path /etc/opensnitchd/rules
++ Restart=always
++ RestartSec=30
++ TimeoutStopSec=10
+++# Ensure it is not killed by the Linux kernel's Out-Of-Memory (OOM) killer.
+++# https://www.freedesktop.org/software/systemd/man/systemd.exec.html#OOMScoreAdjust=
+++OOMScoreAdjust=-1000
++
++ [Install]
++-WantedBy=multi-user.target
+++WantedBy=basic.target
diff --cc debian/patches/1050-ebpf-s390x.patch
index 0000000,0000000..d2284fc
new file mode 100644
--- /dev/null
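Review bot: With `DefaultDependencies=no` the unit loses the implicit ordering after sysinit.target, and nothing in the hunk orders it after local-fs.target; if /etc/opensnitchd or /var/log sits on a separately mounted filesystem, the `ExecStartPre` mkdir and the daemon can run before it is mounted and the unit then restarts every 30 seconds until it is. Adding `After=local-fs.target` next to `Before=network-pre.target` keeps the early start while still waiting for local mounts. The `[Service]` section's `ExecStartPre` lines are outside the hunk, so I cannot tell whether they need anything else.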
+++ b/debian/patches/1050-ebpf-s390x.patch
@@@ -1,0 -1,0 +1,19 @@@
++Description: Added ebpf build rule mapping for s390x to s390.
++ This ensure the kernel headers are found during compilation.
++Author: Petter Reinholdtsen
++Forwarded: https://github.com/evilsocket/opensnitch/pull/1333
++Last-Update: 2025-04-25
++---
++Index: opensnitch-salsa/ebpf_prog/Makefile
++===================================================================
++--- opensnitch-salsa.orig/ebpf_prog/Makefile 2025-04-25 07:58:50.785702284 +0200
+++++ opensnitch-salsa/ebpf_prog/Makefile 2025-04-25 07:59:34.170084431 +0200
++@@ -23,6 +23,8 @@
++ ARCH := arm
++ else ifeq ($(ARCH),aarch64)
++ ARCH := arm64
+++else ifeq ($(ARCH),s390x)
+++ ARCH := s390
++ endif
++
++ ifeq ($(ARCH),arm)
diff --cc debian/patches/2000-apt-not-pip.patch
index 0000000,0000000..15e4820
new file mode 100644
--- /dev/null
+++ b/debian/patches/2000-apt-not-pip.patch @@@ -1,0 -1,0 +1,39 @@@ ++Description: Do not propose use of pip on Debian ++ Dependencies should be fetched from the curated Debian archive. ++Author: Petter Reinholdtsen ++Forwarded: not-needed ++Last-Update: 2025-04-19 ++--- ++--- opensnitch-1.6.8.orig/ui/opensnitch/dialogs/firewall_rule.py +++++ opensnitch-1.6.8/ui/opensnitch/dialogs/firewall_rule.py ++@@ -377,7 +377,7 @@ The value must be in the format: VALUE/U ++ self._set_status_error( ++ QC.translate( ++ "firewall", ++- "Your protobuf version is incompatible, you need to install protobuf 3.8.0 or superior\n(pip3 install --ignore-installed protobuf==3.8.0)" +++ "Your protobuf version is incompatible, you need to install protobuf 3.8.0 or superior\n(apt install protobuf-api-32-0)" ++ ) ++ ) ++ return False ++--- opensnitch-1.6.8.orig/ui/opensnitch/dialogs/preferences.py +++++ opensnitch-1.6.8/ui/opensnitch/dialogs/preferences.py ++@@ -258,7 +258,7 @@ class PreferencesDialog(QtWidgets.QDialo ++ self._saved_theme = "" ++ self.labelThemeError.setStyleSheet('color: red') ++ self.labelThemeError.setVisible(True) ++- self.labelThemeError.setText(QC.translate("preferences", "Themes not available. Install qt-material: pip3 install qt-material")) +++ self.labelThemeError.setText(QC.translate("preferences", "Themes not available. Install qt-material: apt install python3-qt-material")) ++ ++ self.comboUITheme.setCurrentIndex(theme_idx) ++ self._show_ui_density_widgets(theme_idx) ++--- opensnitch-1.6.8.orig/ui/opensnitch/utils/__init__.py +++++ opensnitch-1.6.8/ui/opensnitch/utils/__init__.py ++@@ -109,7 +109,7 @@ class Themes(): ++ from qt_material import list_themes as qtmaterial_themes ++ AVAILABLE = True ++ except Exception: ++- print("Themes not available. Install qt-material if you want to change GUI's appearance: pip3 install qt-material.") +++ print("Themes not available. 
Install qt-material if you want to change GUI's appearance: apt install python3-qt-material.") ++ ++ @staticmethod ++ def instance(): diff --cc debian/patches/2010-no-tcp-flush-on-restart.patch index 0000000,0000000..4af9c7c new file mode 100644 --- /dev/null +++ b/debian/patches/2010-no-tcp-flush-on-restart.patch @@@ -1,0 -1,0 +1,20 @@@ ++Description: Tell opensnitch daemon to not flush al TCP connections on restart. ++ This avoid killing connections like SSH and IRC when upgrading or restarting ++ the service. See discussion in https://github.com/evilsocket/opensnitch/issues/1329 . ++Author: Petter Reinholdtsen ++Bug-Debian: https://bugs.debian.org/1103496 ++Forwarded: not-needed ++Last-update: 2025-05-26 ++--- ++Index: opensnitch-salsa/daemon/default-config.json ++=================================================================== ++--- opensnitch-salsa.orig/daemon/default-config.json 2025-04-26 07:33:06.345354492 +0200 +++++ opensnitch-salsa/daemon/default-config.json 2025-04-26 07:33:52.681782972 +0200 ++@@ -22,6 +22,6 @@ ++ }, ++ "Internal": { ++ "GCPercent": 100, ++- "FlushConnsOnStart": true +++ "FlushConnsOnStart": false ++ } ++ } diff --cc debian/patches/README index 0000000,0000000..80c1584 new file mode 100644 --- /dev/null +++ b/debian/patches/README @@@ -1,0 -1,0 +1,3 @@@ ++0xxx: Grabbed from upstream development. ++1xxx: Possibly relevant for upstream adoption. ++2xxx: Only relevant for official Debian release. diff --cc debian/patches/series index 0000000,0000000..c74a6bc new file mode 100644 --- /dev/null +++ b/debian/patches/series @@@ -1,0 -1,0 +1,6 @@@ ++1000-installed-kernel-headers.patch ++1020-ebpf-armv8l.patch ++1030-systemd-service-earlier.patch ++1050-ebpf-s390x.patch ++2000-apt-not-pip.patch ++2010-no-tcp-flush-on-restart.patch diff --cc debian/python3-opensnitch-ui.manpages index 0000000,0000000..3392b6a new file mode 100644 --- /dev/null 
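Review bot: The Description of 2010-no-tcp-flush-on-restart.patch does not state the security trade-off of `"FlushConnsOnStart": false`: the interception rule the package's own test looks for (`ct state related,new queue` in debian/tests/test-fw-rules.sh) queues only new connections, so once flushing is disabled any flow established before opensnitchd started, or while it was restarting, is never seen by the daemon until it closes. Suggest adding a sentence to the Description such as `Connections already established when the daemon starts are not intercepted until they close; set FlushConnsOnStart back to true in /etc/opensnitchd/default-config.json to keep the previous behaviour.`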
+++ b/debian/python3-opensnitch-ui.manpages
@@@ -1,0 -1,0 +1,1 @@@
++debian/man/opensnitch-ui.1
diff --cc debian/python3-opensnitch-ui.postinst
index 0000000,0000000..dea2517
new file mode 100755
--- /dev/null
+++ b/debian/python3-opensnitch-ui.postinst
@@@ -1,0 -1,0 +1,27 @@@
++#!/bin/sh
++set -e
++
++autostart_by_default()
++{
++ deskfile=/etc/xdg/autostart/opensnitch_ui.desktop
++ if [ -d /etc/xdg/autostart -a ! -h $deskfile -a ! -f $deskfile ]; then
++ ln -s /usr/share/applications/opensnitch_ui.desktop /etc/xdg/autostart/
++ fi
++}
++
++if command -v gtk-update-icon-cache >/dev/null && test -f /usr/share/icons/hicolor/index.theme ; then
++ gtk-update-icon-cache --quiet /usr/share/icons/hicolor/
++fi
++
++case "$1" in
++ configure)
++ # first install
++ if [ -z $2 ]; then
++ autostart_by_default
++ elif dpkg --compare-versions "$2" le "1.5.7-2"; then
++ autostart_by_default
++ fi
++ ;;
++esac
++
++#DEBHELPER#
diff --cc debian/python3-opensnitch-ui.postrm
index 0000000,0000000..cb17ba5
new file mode 100755
--- /dev/null
+++ b/debian/python3-opensnitch-ui.postrm
@@@ -1,0 -1,0 +1,16 @@@
++#!/bin/sh
++set -e
++
++case "$1" in
++ purge)
++ deskfile=/etc/xdg/autostart/opensnitch_ui.desktop
++ if [ -f $deskfile -o -h $deskfile ];then
++ rm -f /etc/xdg/autostart/opensnitch_ui.desktop
++ fi
++ ;;
++ remove)
++ pkill -15 opensnitch-ui || true
++ ;;
++esac
++
++#DEBHELPER#
diff --cc debian/rules
index 0000000,0000000..d516373
new file mode 100755
--- /dev/null
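Review bot: `if [ -z $2 ]` in the postinst leaves `$2` unquoted and only works because a one-operand `[ -z ]` happens to be true; write `if [ -z "$2" ]; then`. The test in `autostart_by_default` uses the obsolescent `-a`, and the postrm's purge branch in this commit uses `-o` the same way; `if [ -d /etc/xdg/autostart ] && [ ! -h "$deskfile" ] && [ ! -f "$deskfile" ]; then` and `if [ -f "$deskfile" ] || [ -h "$deskfile" ]; then` are the portable forms. The two `configure` branches call the same function, so `if [ -z "$2" ] || dpkg --compare-versions "$2" le "1.5.7-2"; then` says it once.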
+++ b/debian/rules @@@ -1,0 -1,0 +1,68 @@@ ++#!/usr/bin/make -f ++export DH_VERBOSE = 1 ++export DESTDIR := $(shell pwd)/debian/opensnitch ++export UIDESTDIR := $(shell pwd)/debian/python3-opensnitch-ui ++export EBPFDESTDIR := $(shell pwd)/debian/opensnitch-ebpf-modules ++ ++ifeq ($(DEB_BUILD_ARCH),amd64) ++ WITH_EBPF := true ++else ifeq ($(DEB_BUILD_ARCH),arm64) ++ WITH_EBPF := true ++else ifeq ($(DEB_BUILD_ARCH),riscv64) ++ WITH_EBPF := true ++else ifeq ($(DEB_BUILD_ARCH),s390x) ++ WITH_EBPF := true ++else ifeq ($(DEB_BUILD_ARCH),loong64) ++ WITH_EBPF := true ++else ifeq ($(DEB_BUILD_ARCH),ppc64) ++ WITH_EBPF := true ++else ++ WITH_EBPF := false ++endif ++ ++override_dh_installsystemd: ++ dh_installsystemd --restart-after-upgrade ++ ++override_dh_auto_build: ++ $(MAKE) protocol ++# Workaround for Go build problem when building in _build ++ mkdir -p _build/src/github.com/evilsocket/opensnitch/daemon/ui/protocol/ ++ cp daemon/ui/protocol/* _build/src/github.com/evilsocket/opensnitch/daemon/ui/protocol/ ++ dh_auto_build ++ cd ui && python3 setup.py build --force ++ if $(WITH_EBPF) ; then make -C ebpf_prog; fi ++ ++override_dh_auto_install: ++# daemon ++ mkdir -p $(DESTDIR)/usr/bin ++ cp _build/bin/daemon $(DESTDIR)/usr/bin/opensnitchd ++# GUI ++ make -C ui/i18n ++ cp -r ui/i18n/locales/ ui/opensnitch/i18n/ ++ pyrcc5 -o ui/opensnitch/resources_rc.py ui/opensnitch/res/resources.qrc ++ sed -i 's/^import ui_pb2/from . 
import ui_pb2/' ui/opensnitch/ui_pb2* ++ cd ui && python3 setup.py install --force --root=$(UIDESTDIR) --no-compile -O0 --install-layout=deb ++ ++# ebpf modules ++ if $(WITH_EBPF); then \ ++ mkdir -p $(EBPFDESTDIR)/usr/lib/opensnitchd/ebpf ; \ ++ make -C ebpf_prog && cp ebpf_prog/opensnitch*o $(EBPFDESTDIR)/usr/lib/opensnitchd/ebpf/ ; \ ++ fi ++ ++# daemon ++ dh_auto_install ++ ++%: ++ dh $@ --builddirectory=_build --buildsystem=golang --with=golang,python3 ++ ++override_dh_auto_clean: ++ dh_auto_clean ++ $(MAKE) clean ++ $(RM) daemon/ui/protocol/ui_grpc.pb.go ++ $(RM) ui/opensnitch/resources_rc.py ++ $(RM) -r ui/opensnitch/i18n/ ++ $(RM) ui/i18n/locales/*/*.qm ++ cd ui && python3 setup.py clean -a ++ $(RM) -r ui/opensnitch_ui.egg-info/ ++ find ui -name \*.pyc -exec rm {} \; ++ $(MAKE) -C ebpf_prog/ clean diff --cc debian/source/format index 0000000,0000000..163aaf8 new file mode 100644 --- /dev/null +++ b/debian/source/format @@@ -1,0 -1,0 +1,1 @@@ ++3.0 (quilt) diff --cc debian/source/options index 0000000,0000000..bcc4bbb new file mode 100644 --- /dev/null +++ b/debian/source/options @@@ -1,0 -1,0 +1,1 @@@ ++extend-diff-ignore="\.egg-info$" diff --cc debian/tests/control index 0000000,0000000..c9752e7 new file mode 100644 --- /dev/null +++ b/debian/tests/control @@@ -1,0 -1,0 +1,7 @@@ ++Tests: test-resources.sh ++Depends: opensnitch ++Restrictions: superficial ++ ++Tests: test-fw-rules.sh ++Depends: nftables, opensnitch ++Restrictions: needs-root diff --cc debian/tests/test-fw-rules.sh index 0000000,0000000..a03f00e new file mode 100755 --- /dev/null 
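Review bot: The WITH_EBPF chain at the top of debian/rules keys on `DEB_BUILD_ARCH`, the architecture of the machine doing the build; the objects go into an arch-specific binary package, so a cross-build decides on the wrong architecture and `DEB_HOST_ARCH` is the conventional variable. The six `ifeq` arms also collapse to `ifneq ($(filter $(DEB_HOST_ARCH),amd64 arm64 riscv64 s390x loong64 ppc64),)`. Both variables are only exported when the build goes through dpkg-buildpackage; `include /usr/share/dpkg/architecture.mk` makes a direct `debian/rules` invocation behave the same, and the list of architectures should be documented with a comment saying why the others are excluded.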
+++ b/debian/tests/test-fw-rules.sh
@@@ -1,0 -1,0 +1,31 @@@
++#!/bin/sh
++set -e
++
++retval=0
++
++# for some reason, go.exec.LookPath() fails to obtain the path of iptables
++# on the ci environment, even if $PATH is set correctly.
++echo "[+] PATH: $PATH"
++
++log="/var/log/opensnitchd.log"
++
++if [ -f /proc/modules ]; then
++ echo "[+] loaded modules:"
++ cat /proc/modules
++fi
++
++if [ -f $log ]; then
++ echo "[+] opensnitchd log:"
++ cat $log
++fi
++
++nft list ruleset
++if nft list ruleset | \
++ grep -q "ct state related,new queue flags bypass to 0" ; then
++ echo "[+] Interception rule (nftables): OK"
++else
++ echo "[!] Interception rule (nftables): Missing"
++ retval=1
++fi
++
++exit $retval
diff --cc debian/tests/test-resources.sh
index 0000000,0000000..560d7c5
new file mode 100755
--- /dev/null
+++ b/debian/tests/test-resources.sh
@@@ -1,0 -1,0 +1,13 @@@
++#!/bin/sh
++set -e
++
++ophome="/etc/opensnitchd"
++
++ls -dl $ophome 1>/dev/null
++echo "installed OK: $ophome"
++ls -l $ophome/system-fw.json 1>/dev/null
++echo "installed OK: $ophome/system-fw.json"
++ls -l $ophome/default-config.json 1>/dev/null
++echo "installed OK: $ophome/default-config.json"
++ls -dl $ophome/rules 1>/dev/null
++echo "installed OK: $ophome/rules/"
diff --cc debian/upstream/metadata
index 0000000,0000000..556a1cf
new file mode 100644
--- /dev/null
+++ b/debian/upstream/metadata
@@@ -1,0 -1,0 +1,9 @@@
++---
++Name: opensnitch
++Bug-Database: https://github.com/evilsocket/opensnitch/issues
++Bug-Submit: https://github.com/evilsocket/opensnitch/issues/new
++Contact: Gustavo Iñiguez Goia
++Documentation: https://github.com/evilsocket/opensnitch/wiki
++CPE: cpe:/a:evilsocket:opensnitch
++Repository: https://github.com/evilsocket/opensnitch.git
++Repository-Browse: https://github.com/evilsocket/opensnitch
diff --cc debian/watch
index 0000000,0000000..383dd73
new file mode 100644
--- /dev/null
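Review bot: `nft list ruleset` is invoked twice in test-fw-rules.sh, once to print and once to grep, so the printed ruleset and the one tested can differ if rules change in between; capture it once with `ruleset=$(nft list ruleset)` and use `printf '%s\n' "$ruleset"` for both the dump and the `grep -qF` (the pattern is a fixed string, so `-F` documents that). The match is also pinned to queue 0; that is the default according to the opensnitchd man page in this commit, but the test silently fails on a host configured with another `-queue-num`, which a comment should say. `[ -f $log ]` and `cat $log` are safe only because `$log` is a constant; quote them anyway for consistency with `set -e` scripts.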
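Review bot: `ls -dl $ophome 1>/dev/null` and the three `ls -l … 1>/dev/null` lines in test-resources.sh use ls as an existence assertion under `set -e`; `[ -d "$ophome" ]` and `[ -f "$ophome/system-fw.json" ]` state the intent directly, still abort under `set -e`, and do not depend on ls output. Quoting `$ophome` also matches the rest of the script, which already quotes it in the echo lines.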
+++ b/debian/watch
@@@ -1,0 -1,0 +1,4 @@@
++version=4
++opts=filenamemangle=s/.+\/v?(\d\S*)\.tar\.gz/opensnitch-\$1\.tar\.gz/,\
++uversionmangle=s/(\d)[_\.\-\+]?(RC|rc|pre|dev|beta|alpha)[.]?(\d*)$/\$1~\$2\$3/ \
++ https://github.com/evilsocket/opensnitch/tags .*/v?(\d\S*)\.tar\.gz