--- /dev/null
+opensnitch for Debian
+---------------------
+
+In order to build the packages from sources using gbp:
+
+ 1. git clone https://salsa.debian.org/go-team/packages/opensnitch.git
+ 2. cd opensnitch/ ; git checkout debian/sid
+ 3. origtargz
+
+ it'll download upstream sources according to the d/changelog
+ version, and the upstream tag if it exists.
+
+ 4. gbp buildpackage --git-debian-branch=debian/sid --git-tarball-dir=../ --git-no-pristine-tar
+
+ New debian-go's workflow specifies debian/sid as the default branch,
+ so you need to specify the branch, or configure it in your gbp.conf.
+ https://go-team.pages.debian.net/workflow-changes.html#wf-2017-11-pristine-tar
+
+ -- Gustavo Iñiguez Goya <gustavo.iniguez.goya@gmail.com> Wed, 08 Jun 2023 17:18:40 +0200
--- /dev/null
+opensnitch (1.6.9-2) unstable; urgency=medium
+
+ * Team upload.
+
+ * Told lintian to accept EBPF objects in package.
+
+ -- Petter Reinholdtsen <pere@debian.org> Sat, 03 May 2025 05:50:32 +0200
+
+opensnitch (1.6.9-1) experimental; urgency=medium
+
+ * Team upload.
+
+ * New upstream release 1.6.9.
+ * Removed upstreamed patches:
+ - 0000-ui-finally-service.patch
+ - 0020-unknown-rules-operator-crash.patch
+ - 0030-daemon-visible-version.patch
+ - 0040-delete-all-generated-protobuffers-with-make-clean.patch
+ - 0050-allow-to-configure-GC-percentage.patch
+ - 0060-make-connections-flushing-configurable.patch
+
+ -- Petter Reinholdtsen <pere@debian.org> Tue, 29 Apr 2025 07:35:00 +0200
+
+opensnitch (1.6.8-11) unstable; urgency=medium
+
+ * Team upload.
+
+ * Corrected typo in patch metadata.
+
+ -- Petter Reinholdtsen <pere@debian.org> Tue, 29 Apr 2025 07:20:39 +0200
+
+opensnitch (1.6.8-10) experimental; urgency=medium
+
+ * Team upload.
+
+ * Added 1050-ebpf-s390x.patch to fix ebpf build problem on s390x.
+ * Renamed to 0030-daemon-visible-version.patch as this patch
+ is from upstream now.
+ * Removed already dropped 0010-experimental-1.5.9.1.patch.
+ * Added three patches from the upstream 1.6.0 branch.
+ * Changed opensnitch package behaviour to not reset TCP connections on
+ reload (Closes: #1103496).
+
+ -- Petter Reinholdtsen <pere@debian.org> Sat, 26 Apr 2025 07:45:17 +0200
+
+opensnitch (1.6.8-9) experimental; urgency=medium
+
+ * Team upoad.
+
+ * Added 2000-apt-not-pip.patch to recommend apt over pip.
+ * Passed patches upstream and introduced patch naming scheme.
+ * Added 1030-systemd-service-earlier.patch to start service earlier
+ and protect it from kernel OOM killer.
+ * Added 1040-daemon-visible-version.patch to correct visible daemon
+ version.
+ * Added 0020-unknown-rules-operator-crash.patch from upstream.
+ * Added needrestart conf to avoid opensnitch restarts.
+ * Added debian branch name to d/gbp.conf.
+
+ -- Petter Reinholdtsen <pere@debian.org> Thu, 24 Apr 2025 06:50:04 +0200
+
+opensnitch (1.6.8-8) unstable; urgency=medium
+
+ * Team upload.
+
+ * Made test-fw-rules.sh autopkgtest check more robust
+ and updated it to only look for nftables.
+
+ -- Petter Reinholdtsen <pere@debian.org> Fri, 18 Apr 2025 19:46:18 +0200
+
+opensnitch (1.6.8-7) unstable; urgency=medium
+
+ * Team upload.
+
+ * Upload to unstable.
+
+ -- Petter Reinholdtsen <pere@debian.org> Fri, 18 Apr 2025 01:32:00 +0200
+
+opensnitch (1.6.8-6) experimental; urgency=medium
+
+ * Team upload.
+
+ * Replaced uploaders, out with no longer active Gustavo Iñiguez Goya
+ and in with Charles Allhands and myself.
+ * Thank you, Gustavo, for the great initial work with this package.
+
+ -- Petter Reinholdtsen <pere@debian.org> Fri, 18 Apr 2025 00:38:08 +0200
+
+opensnitch (1.6.8-5) experimental; urgency=medium
+
+ * Team upload.
+
+ * Revert arch specific build dependency on golang-github-iovisor-gobpf-dev.
+ * Added 1010-ui-finally-service.patch to avoid python error on GUI exit.
+ * New upstream version available (Closes: #1051317).
+ * Uses corrected python regexes (Closes: #1085754).
+
+ -- Petter Reinholdtsen <pere@debian.org> Thu, 17 Apr 2025 16:34:43 +0200
+
+opensnitch (1.6.8-4) experimental; urgency=medium
+
+ * Team upload.
+
+ * Corrected linux header package name for armhf.
+ * Limit EBPF support to architectures provided by bpfcc.
+ * Adjusted opensnitch to only recommend opensnitch-ebpf-modules on archs
+ where it exist.
+ * Dropped incorrect runtime dependency on python3-setuptools
+ (Closes: #1095252).
+ * Dropped obsolete runtime dependency on python3-six (Closes: #1067722).
+
+ -- Petter Reinholdtsen <pere@debian.org> Thu, 17 Apr 2025 14:45:27 +0200
+
+opensnitch (1.6.8-3) experimental; urgency=medium
+
+ * Team upload.
+
+ * Switched to using kernel headers from debs, as local header copy
+ only worked on amd64.
+
+ -- Petter Reinholdtsen <pere@debian.org> Thu, 17 Apr 2025 12:54:58 +0200
+
+opensnitch (1.6.8-2) experimental; urgency=medium
+
+ * Team upload.
+
+ * Added missing golang-github-varlink-go-dev build dependency.
+
+ -- Petter Reinholdtsen <pere@debian.org> Thu, 17 Apr 2025 10:55:29 +0200
+
+opensnitch (1.6.8-1) experimental; urgency=medium
+
+ * Team upload.
+
+ * New upstream release.
+ * Updated Standards-Version from 4.6.2 to 4.7.2.
+ * List protoc-gen-go-1-3 as build depend alternative to protoc-gen-go-1-5
+ for easier backporting.
+
+ -- Petter Reinholdtsen <pere@debian.org> Thu, 17 Apr 2025 09:08:49 +0200
+
+opensnitch (1.5.9-4) experimental; urgency=medium
+
+ * Team upload.
+
+ * Added leftover build dependency protoc-gen-go-1-5.
+
+ -- Petter Reinholdtsen <pere@debian.org> Tue, 15 Apr 2025 06:18:52 +0200
+
+opensnitch (1.5.9-3) experimental; urgency=medium
+
+ * Team upload.
+
+ [ Gustavo Iñiguez Goya ]
+ * New upstream release.
+ * d/control: removed kernel headers dependency.
+
+ [ Petter Reinholdtsen ]
+ * Moved untagged upstream snapshot into 0010-experimental-1.5.9.1.patch.
+ * Adjusted build dependencies to work with current unstable.
+ * Correct roff notation for URLs in man pages.
+ * Renamed obsolete pkg-config build dependency to pkgconf.
+
+ -- Petter Reinholdtsen <pere@debian.org> Mon, 14 Apr 2025 18:43:07 +0200
+
+opensnitch (1.5.9-2) experimental; urgency=medium
+
+ [ Gustavo Iñiguez Goia ]
+ * d/control: fixed Build-Depends, kernel headers dep
+ * Upload sponsored by Petter Reinholdtsen.
+
+ -- Gustavo Iñiguez Goya <gustavo.iniguez.goya@gmail.com> Sat, 10 Jun 2023 00:08:25 +0200
+
+opensnitch (1.5.9-1) experimental; urgency=medium
+
+ * New upstream release.
+ * d/control:
+ - New package opensnitch-ebpf-modules.
+ * d/man/:
+ - Updated dates.
+ - New page opensnitch-ebpf-modules.1
+ * Added README.Debian.
+
+ * Upload sponsored by Petter Reinholdtsen.
+
+ -- Gustavo Iñiguez Goya <gustavo.iniguez.goya@gmail.com> Wed, 07 Jun 2023 23:18:40 +0200
+
+opensnitch (1.5.8.1-2) unstable; urgency=medium
+
+ * Team upload
+ * Update Build-Depends from golang-goprotobuf-dev to
+ golang-github-golang-protobuf-1-5-dev
+
+ -- Mathias Gibbens <gibmat@debian.org> Fri, 02 Aug 2024 07:08:08 +0000
+
+opensnitch (1.5.8.1-1) unstable; urgency=medium
+
+ * New upstream release.
+ * Upload sponsored by Petter Reinholdtsen.
+
+ -- Gustavo Iñiguez Goya <gustavo.iniguez.goya@gmail.com> Mon, 06 Mar 2023 12:37:24 +0100
+
+opensnitch (1.5.8-2) unstable; urgency=medium
+
+ * Upload to unstable.
+ * Upload sponsored by Petter Reinholdtsen.
+
+ -- Gustavo Iñiguez Goya <gustavo.iniguez.goya@gmail.com> Tue, 21 Feb 2023 21:26:21 +0100
+
+opensnitch (1.5.8-1) experimental; urgency=medium
+
+ * New upstream release.
+
+ [ Gustavo Iñiguez Goia ]
+ * ui: added 64x64 icon.
+ * Added missing entry for GUI manual page.
+ * Updated appstream Summary field.
+ * Removed ftrace dependency from d/control.
+ * ui: updated appstream Summary field.
+ * Updated d/control Description.
+
+ [ Petter Reinholdtsen ]
+ * Added appstream content rating, no restrictions.
+ * Corrected appstream icon name.
+ * Documented appstream metadata license in d/copyright.
+ * Place manual pages in correct packages.
+
+ * Upload sponsored by Petter Reinholdtsen.
+
+ -- Gustavo Iñiguez Goya <gustavo.iniguez.goya@gmail.com> Sun, 19 Feb 2023 10:26:46 +0100
+
+opensnitch (1.5.7-3) experimental; urgency=medium
+
+ [ Gustavo Iñiguez Goia ]
+ * fixed /etc/xdg/autostart/ link
+
+ * Upload sponsored by Petter Reinholdtsen.
+
+ -- Gustavo Iñiguez Goya <gustavo.iniguez.goya@gmail.com> Wed, 15 Feb 2023 22:41:19 +0100
+
+opensnitch (1.5.7-2) experimental; urgency=medium
+
+ [ Gustavo Iñiguez Goia ]
+ * added opensnitchd manual page
+ * added new manual page, updated opensnitchd.1
+ * improved debian/tests/
+
+ * Upload sponsored by Petter Reinholdtsen.
+
+ -- Gustavo Iñiguez Goya <gustavo.iniguez.goya@gmail.com> Mon, 13 Feb 2023 12:43:19 +0100
+
+opensnitch (1.5.7-1) unstable; urgency=medium
+
+ * New upstream release
+
+ [ Gustavo Iñiguez Goia ]
+ * Set test-fw-rules.sh as flaky.
+ * Make test-fw-rules.sh more verbose.
+
+ [ Petter Reinholdtsen ]
+ * Fixed typo in nb comment of desktop file.
+ * Added appstream desktop category to metadata XML.
+
+ * Upload sponsored by Petter Reinholdtsen.
+
+ -- Gustavo Iñiguez Goya <gustavo.iniguez.goya@gmail.com> Fri, 10 Feb 2023 13:28:23 +0100
+
+opensnitch (1.5.6-1) unstable; urgency=medium
+
+ * New upstream release
+
+ [ Gustavo Iñiguez Goia ]
+ * tests: removed Architecture: restriction
+ * changed Maintainer: field to team+pkg-go
+ * added new test
+ * added Uploaders field
+ * updated Vcs* fields
+
+ [ Petter Reinholdtsen ]
+ * Added Debian package relation between opensnitch and
+ python3-opensnitch-ui.
+ * Handle autopkgtest scripts differently, as they have different
+ requirements.
+
+ * Upload sponsored by Petter Reinholdtsen.
+
+ -- Gustavo Iñiguez Goya <gustavo.iniguez.goya@gmail.com> Tue, 07 Feb 2023 21:29:48 +0100
+
+opensnitch (1.5.5-1) unstable; urgency=medium
+
+ * New upstream release.
+ * Bump Standards-Version to 4.6.2.
+ * Upload sponsored by Petter Reinholdtsen.
+
+ -- Gustavo Iñiguez Goya <gustavo.iniguez.goya@gmail.com> Wed, 01 Feb 2023 22:37:12 +0100
+
+opensnitch (1.5.4-1) unstable; urgency=high
+
+ * New upstream release. (Closes: #1030115)
+ * debian/control:
+ - Updated packages description.
+ - Removed debconf and whiptail|dialog dependencies.
+ - Added xdg-user-dirs, gtk-update-icon-cache dependencies.
+ - Point Vcs-Git field to the 1.5.0 branch.
+ * debian/postinst:
+ - Fixed opensnitch_ui.desktop installation.
+ - Fixed updating icons cache.
+ * debian/postrm:
+ - Fixed removing opensnitch_ui.desktop
+ * debian/tests/:
+ - Added autopkgtests.
+ * Upload sponsored by Petter Reinholdtsen.
+
+ -- Gustavo Iñiguez Goya <gustavo.iniguez.goya@gmail.com> Tue, 31 Jan 2023 23:48:58 +0100
+
+opensnitch (1.5.3-1) unstable; urgency=medium
+
+ * Added debian/upstream/metadata.
+ * Updated Homepage url.
+ * Updated Copyright years.
+
+ -- Gustavo-Iniguez-Goya <gustavo.iniguez.goya@gmail.com> Sun, 22 Jan 2023 21:30:45 +0100
+
+opensnitch (1.5.2.1-1) unstable; urgency=medium
+
+ * Initial release. (Closes: #909567)
+
+ -- Gustavo-Iniguez-Goya <gustavo.iniguez.goya@gmail.com> Fri, 20 Jan 2023 22:26:40 +0000
+
+opensnitch (1.5.2-1) unstable; urgency=medium
+
+ * try to mount debugfs on boot up
+
+ -- gustavo-iniguez-goya <gustavo.iniguez.goya@gmail.com> Wed, 27 Jul 2022 17:29:33 +0200
+
+opensnitch (1.5.1-1) unstable; urgency=medium
+
+ * Better eBPF cache.
+ * Fixed error resolving domains to localhost.
+ * Fixed error deleting our nftables rules.
+
+ -- gustavo-iniguez-goya <gustavo.iniguez.goya@gmail.com> Fri, 25 Feb 2022 01:21:38 +0100
+
+opensnitch (1.5.0-1) unstable; urgency=medium
+
+ * New release.
+ * Added Reject option.
+ * New lists types to block ads/malware/...
+ * Better connections interception.
+ * Better VPNs handling.
+ * Bug fixes.
+
+ -- gustavo-iniguez-goya <gustavo.iniguez.goya@gmail.com> Fri, 28 Jan 2022 23:20:38 +0100
+
+opensnitch (1.5.0~rc2-1) unstable; urgency=medium
+
+ * Better connections interception.
+ * Improvements.
+
+ -- gustavo-iniguez-goya <gustavo.iniguez.goya@gmail.com> Sun, 16 Jan 2022 23:15:12 +0100
+
+opensnitch (1.5.0~rc1-1) unstable; urgency=medium
+
+ * New features.
+
+ -- gustavo-iniguez-goya <gustavo.iniguez.goya@gmail.com> Thu, 07 Oct 2021 14:57:35 +0200
+
+opensnitch (1.4.0-1) unstable; urgency=medium
+
+ * final release.
+
+ -- gustavo-iniguez-goya <gustavo.iniguez.goya@gmail.com> Fri, 27 Aug 2021 13:33:07 +0200
+
+opensnitch (1.4.0~rc4-1) unstable; urgency=medium
+
+ * Bug fix release.
+
+ -- gustavo-iniguez-goya <gooffy1@gmail.com> Wed, 11 Aug 2021 15:17:49 +0200
+
+opensnitch (1.4.0~rc3-1) unstable; urgency=medium
+
+ * Bug fix release.
+
+ -- gustavo-iniguez-goya <gooffy1@gmail.com> Fri, 16 Jul 2021 23:28:52 +0200
+
+opensnitch (1.4.0~rc2-1) unstable; urgency=medium
+
+ * Added eBPF support.
+ * Fixes and improvements.
+
+ -- gustavo-iniguez-goya <gooffy1@gmail.com> Fri, 07 May 2021 01:08:02 +0200
+
+opensnitch (1.4.0~rc-1) unstable; urgency=medium
+
+ * Bug fix and improvements release.
+
+ -- gustavo-iniguez-goya <gooffy1@gmail.com> Thu, 25 Mar 2021 01:02:31 +0100
+
+opensnitch (1.3.6-1) unstable; urgency=medium
+
+ * Bug fix and improvements release.
+
+ -- gustavo-iniguez-goya <gooffy1@gmail.com> Wed, 10 Feb 2021 10:17:43 +0100
+
+opensnitch (1.3.5-1) unstable; urgency=medium
+
+ * Bug fix and improvements release.
+
+ -- gustavo-iniguez-goya <gooffy1@gmail.com> Mon, 11 Jan 2021 18:01:53 +0100
+
+opensnitch (1.3.0-1) unstable; urgency=medium
+
+ * Fixed how we check rules
+ * Fixed cpu spike after disable interception.
+ * Fixed cleaning up fw rules on exit.
+ * make regexp rules case-insensitive by default
+ * allow to filter by dst network.
+
+ -- gustavo-iniguez-goya <gooffy1@gmail.com> Wed, 16 Dec 2020 01:15:03 +0100
+
+opensnitch (1.3.0~rc-1) unstable; urgency=medium
+
+ * Non-maintainer upload.
+
+ -- gustavo-iniguez-goya <gooffy1@gmail.com> Fri, 13 Nov 2020 00:51:34 +0100
+
+opensnitch (1.2.0-1) unstable; urgency=medium
+
+ * Fixed memleaks.
+ * Sort rules by name
+ * Added priority field to rules.
+ * Other fixes
+
+ -- gustavo-iniguez-goya <gooffy1@gmail.com> Mon, 09 Nov 2020 22:55:13 +0100
+
+opensnitch (1.0.1-1) unstable; urgency=medium
+
+ * Fixed app exit when IPv6 is not supported.
+ * Other fixes.
+
+ -- gustavo-iniguez-goya <gooffy1@gmail.com> Thu, 30 Jul 2020 21:56:20 +0200
+
+opensnitch (1.0.0-1) unstable; urgency=medium
+
+ * v1.0.0 released.
+
+ -- gustavo-iniguez-goya <gooffy1@gmail.com> Thu, 16 Jul 2020 00:19:26 +0200
+
+opensnitch (1.0.0rc11-1) unstable; urgency=medium
+
+ * Fixed multiple race conditions.
+ * Fixed CWD parsing when using audit proc monitor method.
+
+ -- gustavo-iniguez-goya <gooffy1@gmail.com> Wed, 24 Jun 2020 00:10:38 +0200
+
+opensnitch (1.0.0rc10-1) unstable; urgency=medium
+
+ * Fixed checking UID functions availability.
+ * Improved process path parsing.
+ * Fixed applying config from the UI.
+ * Fixed default log level.
+ * Gather CWD and process environment vars.
+ * Increase default timeout when asking for a rule.
+
+ -- gustavo-iniguez-goya <gooffy1@gmail.com> Sat, 13 Jun 2020 18:45:02 +0200
+
+opensnitch (1.0.0rc9-1) unstable; urgency=medium
+
+ * Ignore malformed rules from loading.
+ * Allow to modify and add rules from the UI.
+
+ -- gustavo-iniguez-goya <gooffy1@gmail.com> Sun, 17 May 2020 18:18:24 +0200
+
+opensnitch (1.0.0rc8) unstable; urgency=medium
+
+ * Allow to change settings from the UI.
+ * Improved connection handling with the UI.
+
+ -- gustavo-iniguez-goya <gooffy1@gmail.com> Wed, 29 Apr 2020 21:52:27 +0200
+
+opensnitch (1.0.0rc7-1) unstable; urgency=medium
+
+ * Stability, performance and realiability improvements.
+
+ -- gustavo-iniguez-goya <gooffy1@gmail.com> Sun, 12 Apr 2020 23:25:41 +0200
+
+opensnitch (1.0.0rc6-1) unstable; urgency=medium
+
+ * Fixed iptables rules deletion.
+ * Improved PIDs cache.
+ * Added audit process monitoring method.
+ * Added logrotate file.
+ * Added default configuration file.
+
+ -- gustavo-iniguez-goya <gooffy1@gmail.com> Sun, 08 Mar 2020 20:47:58 +0100
+
+opensnitch (1.0.0rc-5) unstable; urgency=medium
+
+ * Fixed netlink socket querying.
+ * Added check to reload firewall rules if missing.
+
+ -- gustavo-iniguez-goya <gooffy1@gmail.com> Mon, 24 Feb 2020 19:55:06 +0100
+
+opensnitch (1.0.0rc-3) unstable; urgency=medium
+
+ * @see: https://github.com/gustavo-iniguez-goya/opensnitch/releases
+
+ -- gustavo-iniguez-goya <gooffy1@gmail.com> Tue, 18 Feb 2020 10:09:45 +0100
+
+opensnitch (1.0.0rc-2) unstable; urgency=medium
+
+ * UI minor changes
+ * Expand deb package compatibility.
+
+ -- gustavo-iniguez-goya <gooffy1@gmail.com> Wed, 05 Feb 2020 21:50:20 +0100
+
+opensnitch (1.0.0rc-1) unstable; urgency=medium
+
+ * Initial release
+
+ -- gustavo-iniguez-goya <gooffy1@gmail.com> Fri, 22 Nov 2019 01:14:08 +0100
--- /dev/null
+Source: opensnitch
+Maintainer: Debian Go Packaging Team <team+pkg-go@tracker.debian.org>
+Uploaders:
+ Charles Allhands <cra@resistentialist.com>,
+ Petter Reinholdtsen <pere@debian.org>
+Section: devel
+Priority: optional
+Build-Depends:
+ debhelper-compat (= 11),
+ dh-golang,
+ dh-python,
+ golang-any,
+ golang-github-fsnotify-fsnotify-dev,
+ golang-github-google-gopacket-dev,
+ golang-github-google-nftables-dev,
+ golang-github-iovisor-gobpf-dev,
+ golang-github-varlink-go-dev,
+ golang-github-vishvananda-netlink-dev,
+ golang-golang-x-net-dev,
+ golang-google-grpc-dev,
+ golang-github-gogo-protobuf-dev | golang-goprotobuf-dev,
+ libmnl-dev,
+ libnetfilter-queue-dev,
+ linux-headers-amd64 [amd64] | linux-headers-arm64 [arm64] | linux-headers-armmp [armhf] | linux-headers-loong64 [loong64] | linux-headers-riscv64 [riscv64] | linux-headers-s390x [s390x] | linux-headers-generic,
+ pkgconf,
+ protoc-gen-go-1-5 | protoc-gen-go-1-3,
+ protoc-gen-go-grpc,
+ pyqt5-dev-tools,
+ qttools5-dev-tools,
+ python3-all,
+ python3-grpc-tools,
+ python3-setuptools,
+ clang,
+ llvm
+Standards-Version: 4.7.2
+Vcs-Browser: https://salsa.debian.org/go-team/packages/opensnitch
+Vcs-Git: https://salsa.debian.org/go-team/packages/opensnitch.git
+Homepage: https://github.com/evilsocket/opensnitch
+Rules-Requires-Root: no
+XS-Go-Import-Path: github.com/evilsocket/opensnitch
+
+Package: opensnitch
+Section: net
+Architecture: any
+Depends:
+ ${misc:Depends},
+ ${shlibs:Depends},
+Recommends: python3-opensnitch-ui,
+ opensnitch-ebpf-modules [amd64 arm64 riscv64 s390x loong64 ppc64]
+Built-Using: ${misc:Built-Using}
+Description: GNU/Linux interactive application firewall
+ Whenever a program makes a connection, it'll prompt the user to allow or deny
+ it.
+ .
+ The user can decide if block the outgoing connection based on properties of
+ the connection: by port, by uid, by dst ip, by program or a combination
+ of them.
+ .
+ These rules can last forever, until the app restart or just one time.
+ .
+ The GUI allows the user to view live outgoing connections, as well as search
+ by process, user, host or port.
+ .
+ OpenSnitch can also work as a system-wide domains blocker, by using lists
+ of domains, list of IPs or list of regular expressions.
+
+
+Package: python3-opensnitch-ui
+Architecture: all
+Section: net
+Depends:
+ ${misc:Depends},
+ ${shlibs:Depends},
+ libqt5sql5-sqlite,
+ python3-grpcio,
+ python3-notify2,
+ python3-pyinotify,
+ python3-pyqt5,
+ python3-pyqt5.qtsql,
+ python3-slugify,
+ python3:any,
+ xdg-user-dirs,
+ gtk-update-icon-cache
+Recommends:
+ python3-pyasn
+Suggests: opensnitch
+Description: GNU/Linux interactive application firewall GUI
+ opensnitch-ui is a GUI for opensnitch written in Python.
+ It allows the user to view live outgoing connections, as well as search
+ for details of the intercepted connections.
+ .
+ The user can decide if block outgoing connections based on properties of
+ the connection: by port, by uid, by dst ip, by program or a combination
+ of them.
+ .
+ These rules can last forever, until restart the daemon or just one time.
+ .
+ OpenSnitch can also work as a system-wide domains blocker, by using lists
+ of domains, list of IPs or list of regular expressions.
+
+
+Package: opensnitch-ebpf-modules
+Architecture: amd64 arm64 riscv64 s390x loong64 ppc64
+Section: net
+Depends:
+ ${misc:Depends},
+ ${shlibs:Depends},
+Suggests: opensnitch
+Description: GNU/Linux interactive application firewall eBPF modules
+ opensnitch-ebpf-modules provides the eBPF modules.
+ It provides the functionality to intercept connections at kernel level,
+ offering better performance and reliability.
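Review bot: The architecture lists in this file do not agree with each other. `opensnitch-ebpf-modules` is declared for `amd64 arm64 riscv64 s390x loong64 ppc64`, but the `linux-headers-*` alternatives in Build-Depends have no `[ppc64]` entry, so that architecture falls through to `linux-headers-generic`, which as far as I know is not a Debian package name. The same alternatives carry an `[armhf]` entry for an architecture the eBPF package is not built on. Either add the matching headers alternative for ppc64 or drop it from both `Architecture:` and the `Recommends:` qualifier on `opensnitch`; if `ppc64el` was what was meant, the name needs correcting in all three places. Separately, `python3-opensnitch-ui` is `Architecture: all`, so `${shlibs:Depends}` expands to nothing there and could be replaced with `${python3:Depends}`, assuming dh-python is what generates the interpreter dependencies.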
--- /dev/null
+Format: https://www.debian.org/doc/packaging-manuals/copyright-format/1.0/
+Source: https://github.com/evilsocket/opensnitch
+Upstream-Contact: Gustavo Iñiguez Goia <gooffy1@gmail.com>
+Upstream-Name: opensnitch
+Files-Excluded:
+ Godeps/_workspace
+
+Files: *
+Copyright:
+ 2017-2018 evilsocket
+ 2019-2023 Gustavo Iñiguez Goia
+Comment: Debian packaging is licensed under the same terms as upstream
+License: GPL-3.0+
+ This program is free software; you can redistribute it
+ and/or modify it under the terms of the GNU General Public
+ License as published by the Free Software Foundation; either
+ version 3 of the License, or (at your option) any later
+ version.
+ .
+ This program is distributed in the hope that it will be
+ useful, but WITHOUT ANY WARRANTY; without even the implied
+ warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
+ PURPOSE. See the GNU General Public License for more
+ details.
+ .
+ You should have received a copy of the GNU General Public
+ License along with this program. If not, If not, see
+ http://www.gnu.org/licenses/.
+ .
+ On Debian systems, the full text of the GNU General Public
+ License version 3 can be found in the file
+ '/usr/share/common-licenses/GPL-3'.
+
+Files: ui/resources/io.github.evilsocket.opensnitch.appdata.xml
+Copyright:
+ 2023 Gustavo Iñiguez Goia
+License: FTL
+ The FreeType Project LICENSE
+ ----------------------------
+ .
+ 2006-Jan-27
+ .
+ Copyright 1996-2002, 2006 by
+ David Turner, Robert Wilhelm, and Werner Lemberg
+ .
+ .
+ .
+ Introduction
+ ============
+ .
+ The FreeType Project is distributed in several archive packages;
+ some of them may contain, in addition to the FreeType font engine,
+ various tools and contributions which rely on, or relate to, the
+ FreeType Project.
+ .
+ This license applies to all files found in such packages, and
+ which do not fall under their own explicit license. The license
+ affects thus the FreeType font engine, the test programs,
+ documentation and makefiles, at the very least.
+ .
+ This license was inspired by the BSD, Artistic, and IJG
+ (Independent JPEG Group) licenses, which all encourage inclusion
+ and use of free software in commercial and freeware products
+ alike. As a consequence, its main points are that:
+ .
+ o We don't promise that this software works. However, we will be
+ interested in any kind of bug reports. (`as is' distribution)
+ .
+ o You can use this software for whatever you want, in parts or
+ full form, without having to pay us. (`royalty-free' usage)
+ .
+ o You may not pretend that you wrote this software. If you use
+ it, or only parts of it, in a program, you must acknowledge
+ somewhere in your documentation that you have used the
+ FreeType code. (`credits')
+ .
+ We specifically permit and encourage the inclusion of this
+ software, with or without modifications, in commercial products.
+ We disclaim all warranties covering The FreeType Project and
+ assume no liability related to The FreeType Project.
+ .
+ .
+ Finally, many people asked us for a preferred form for a
+ credit/disclaimer to use in compliance with this license. We thus
+ encourage you to use the following text:
+ .
+ """
+ Portions of this software are copyright © <year> The FreeType
+ Project (www.freetype.org). All rights reserved.
+ """
+ .
+ Please replace <year> with the value from the FreeType version you
+ actually use.
+ .
+ .
+ Legal Terms
+ ===========
+ .
+ 0. Definitions
+ --------------
+ .
+ Throughout this license, the terms `package', `FreeType Project',
+ and `FreeType archive' refer to the set of files originally
+ distributed by the authors (David Turner, Robert Wilhelm, and
+ Werner Lemberg) as the `FreeType Project', be they named as alpha,
+ beta or final release.
+ .
+ `You' refers to the licensee, or person using the project, where
+ `using' is a generic term including compiling the project's source
+ code as well as linking it to form a `program' or `executable'.
+ This program is referred to as `a program using the FreeType
+ engine'.
+ .
+ This license applies to all files distributed in the original
+ FreeType Project, including all source code, binaries and
+ documentation, unless otherwise stated in the file in its
+ original, unmodified form as distributed in the original archive.
+ If you are unsure whether or not a particular file is covered by
+ this license, you must contact us to verify this.
+ .
+ The FreeType Project is copyright (C) 1996-2000 by David Turner,
+ Robert Wilhelm, and Werner Lemberg. All rights reserved except as
+ specified below.
+ .
+ 1. No Warranty
+ --------------
+ .
+ THE FREETYPE PROJECT IS PROVIDED `AS IS' WITHOUT WARRANTY OF ANY
+ KIND, EITHER EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO,
+ WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ PURPOSE. IN NO EVENT WILL ANY OF THE AUTHORS OR COPYRIGHT HOLDERS
+ BE LIABLE FOR ANY DAMAGES CAUSED BY THE USE OR THE INABILITY TO
+ USE, OF THE FREETYPE PROJECT.
+ .
+ 2. Redistribution
+ -----------------
+ .
+ This license grants a worldwide, royalty-free, perpetual and
+ irrevocable right and license to use, execute, perform, compile,
+ display, copy, create derivative works of, distribute and
+ sublicense the FreeType Project (in both source and object code
+ forms) and derivative works thereof for any purpose; and to
+ authorize others to exercise some or all of the rights granted
+ herein, subject to the following conditions:
+ .
+ o Redistribution of source code must retain this license file
+ (`FTL.TXT') unaltered; any additions, deletions or changes to
+ the original files must be clearly indicated in accompanying
+ documentation. The copyright notices of the unaltered,
+ original files must be preserved in all copies of source
+ files.
+ .
+ o Redistribution in binary form must provide a disclaimer that
+ states that the software is based in part of the work of the
+ FreeType Team, in the distribution documentation. We also
+ encourage you to put an URL to the FreeType web page in your
+ documentation, though this isn't mandatory.
+ .
+ These conditions apply to any software derived from or based on
+ the FreeType Project, not just the unmodified files. If you use
+ our work, you must acknowledge us. However, no fee need be paid
+ to us.
+ .
+ 3. Advertising
+ --------------
+ .
+ Neither the FreeType authors and contributors nor you shall use
+ the name of the other for commercial, advertising, or promotional
+ purposes without specific prior written permission.
+ .
+ We suggest, but do not require, that you use one or more of the
+ following phrases to refer to this software in your documentation
+ or advertising materials: `FreeType Project', `FreeType Engine',
+ `FreeType library', or `FreeType Distribution'.
+ .
+ As you have not signed this license, you are not required to
+ accept it. However, as the FreeType Project is copyrighted
+ material, only this license, or another one contracted with the
+ authors, grants you the right to use, distribute, and modify it.
+ Therefore, by using, distributing, or modifying the FreeType
+ Project, you indicate that you understand and accept all the terms
+ of this license.
+ .
+ 4. Contacts
+ -----------
+ .
+ There are two mailing lists related to FreeType:
+ .
+ o freetype@nongnu.org
+ .
+ Discusses general use and applications of FreeType, as well as
+ future and wanted additions to the library and distribution.
+ If you are looking for support, start in this list if you
+ haven't found anything to help you in the documentation.
+ .
+ o freetype-devel@nongnu.org
+ .
+ Discusses bugs, as well as engine internals, design issues,
+ specific licenses, porting, etc.
+ .
+ Our home page can be found at
+ .
+ https://www.freetype.org
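Review bot: `Files-Excluded: Godeps/_workspace` in the header paragraph asks uscan to repack the upstream tarball, yet none of the versions in d/changelog carry a repack suffix such as `+ds`. If that directory still exists upstream, the orig tarball would differ from the upstream release with nothing in the version to say so, which makes it harder to check the packaged source against upstream. If the directory is gone upstream, drop the field; otherwise add the suffix to the version. Separately, the GPL notice contains `If not, If not, see`, where the duplicated words should be removed.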
--- /dev/null
+[DEFAULT]
+debian-branch = debian/sid
+pristine-tar = True
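Review bot: `pristine-tar = True` contradicts the build instructions added in the same change, where README.Debian step 4 passes `--git-no-pristine-tar` and fetches the tarball with `origtargz`. With this default, a plain `gbp buildpackage` will try to check the tarball out of a pristine-tar branch and, if the repository does not carry one, will presumably fail. Pick one source of truth: set `pristine-tar = False` here to match the documented workflow, or keep it and remove the flag from the README. Since `debian-branch = debian/sid` is now set here, the `--git-debian-branch=debian/sid` argument and the README paragraph saying you need to specify the branch are also redundant.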
--- /dev/null
+# auto-generated, DO NOT MODIFY.
+# The authoritative copy of this file lives at:
+# https://salsa.debian.org/go-team/ci/blob/master/config/gitlabciyml.go
+
+# TODO: publish under debian-go-team/ci
+image: stapelberg/ci2
+
+test_the_archive:
+ artifacts:
+ paths:
+ - before-applying-commit.json
+ - after-applying-commit.json
+ script:
+ # Create an overlay to discard writes to /srv/gopath/src after the build:
+ - "rm -rf /cache/overlay/{upper,work}"
+ - "mkdir -p /cache/overlay/{upper,work}"
+ - "mount -t overlay overlay -o lowerdir=/srv/gopath/src,upperdir=/cache/overlay/upper,workdir=/cache/overlay/work /srv/gopath/src"
+ - "export GOPATH=/srv/gopath"
+ - "export GOCACHE=/cache/go"
+ # Build the world as-is:
+ - "ci-build -exemptions=/var/lib/ci-build/exemptions.json > before-applying-commit.json"
+ # Copy this package into the overlay:
+ - "GBP_CONF_FILES=:debian/gbp.conf gbp buildpackage --git-no-pristine-tar --git-ignore-branch --git-ignore-new --git-export-dir=/tmp/export --git-no-overlay --git-tarball-dir=/nonexistant --git-cleaner=/bin/true --git-builder='dpkg-buildpackage -S -d --no-sign'"
+ - "pgt-gopath -dsc /tmp/export/*.dsc"
+ # Rebuild the world:
+ - "ci-build -exemptions=/var/lib/ci-build/exemptions.json > after-applying-commit.json"
+ - "ci-diff before-applying-commit.json after-applying-commit.json"
--- /dev/null
+.\" Copyright (c) 2023 Gustavo Iñiguez Goya <gustavo.iniguez.goya@gmail.com>
+.\" All rights reserved.
+.\"
+.\" SPDX-License-Identifier: GPL-3.0-or-later
+.de CW
+.sp
+.in +4n
+.nf
+.ft CW
+..
+.de CE
+.ft R
+.fi
+.in
+.sp
+..
+.\" Like .OP, but with ellipsis at the end in order to signify that option
+.\" can be provided multiple times. Based on .OP definition in groff's
+.\" an-ext.tmac.
+.de OM
+. ie \\n(.$-1 \
+. RI "[\fB\\$1\fP" "\ \\$2" "]...\&"
+. el \
+. RB "[" "\\$1" "]...\&"
+..
+.\" Required option.
+.de OR
+. ie \\n(.$-1 \
+. RI "\fB\\$1\fP" "\ \\$2"
+. el \
+. BR "\\$1"
+..
+.TH OPENSNITCH-EBPF_MODULES 1 "2023-06-07" "opensnitch-ebpf-modules 1.5.9"
+.SH NAME
+opensnitch-ebpf-modules \- GNU/Linux interactive firewall application
+.SH DESCRIPTION
+.LP
+opensnitch-ebpf-modules provides the eBPF kernel modules to intercept
+network connections. It offers better performance and reliability.
+.LP
+The modules are installed under /usr/lib/opensnitchd/ebpf/
+.LP
+.SH KNOWN BUGS
+When coming back from suspend state, the eBPF modules stop working.
+.LP
+The only solution for now is to restart the daemon when the computer
+wakes up:
+.PP
+https://github.com/evilsocket/opensnitch/blob/master/utils/scripts/restart-opensnitch-onsleep.sh
+.SH "SEE ALSO"
+.PP
+.UR https://github.com/evilsocket/opensnitch/ebpf_prog/
+.B OpenSnitch
+Home Page
+.UE
+.SH AUTHORS
+The complete list of
+.B OpenSnitch
+contributors can be found on https://github.com/evilsocket/opensnitch
--- /dev/null
+.\" Copyright (c) 2023 Gustavo Iñiguez Goya <gustavo.iniguez.goya@gmail.com>
+.\" All rights reserved.
+.\"
+.\" SPDX-License-Identifier: GPL-3.0-or-later
+.de CW
+.sp
+.in +4n
+.nf
+.ft CW
+..
+.de CE
+.ft R
+.fi
+.in
+.sp
+..
+.\" Like .OP, but with ellipsis at the end in order to signify that option
+.\" can be provided multiple times. Based on .OP definition in groff's
+.\" an-ext.tmac.
+.de OM
+. ie \\n(.$-1 \
+. RI "[\fB\\$1\fP" "\ \\$2" "]...\&"
+. el \
+. RB "[" "\\$1" "]...\&"
+..
+.\" Required option.
+.de OR
+. ie \\n(.$-1 \
+. RI "\fB\\$1\fP" "\ \\$2"
+. el \
+. BR "\\$1"
+..
+.TH OPENSNITCH-UI 1 "2023-06-07" "opensnitchd 1.5.9"
+.SH NAME
+opensnitch-ui \- GNU/Linux interactive firewall application
+.SH SYNOPSIS
+.SY opensnitch-ui
+.OP \-\-socket path
+.OP \-\-max-clients num
+.YS
+.SH DESCRIPTION
+.LP
+opensnitch-ui is the OpenSnitch GUI to view events intercepted by the daemon,
+and to manage the rules.
+The GUI is composed of 2 components in the same script: a server and a GUI.
+Once the GUI is launched, an icon will appear on the system tray.
+If the system tray is not available or can't be used, the Events dialog will
+be launched.
+.LP
+The GUI (i.e.: the server) will listen for new connections from daemons. You
+can have the daemon installed on multiple machines, and manage them from a
+centralized GUI.
+.UR https://github.com/evilsocket/opensnitch/wiki/Nodes
+.UE
+.LP
+.SH OPTIONS
+.TP
+.BI "\--socket " path
+Specifies the path or network address where the GUI (i.e.: the server) will
+listen on.
+.PP
+ Examples:
+.PP
+ Default: unix:///tmp/osui.sock
+.PP
+ - Listening on a Unix socket:
+ $ opensnitch-ui --socket unix:///tmp/osui.sock
+ * Use unix:///run/user/YOUR_USER_ID/opensnitch/osui.sock for better privacy.
+.PP
+ - Listening on port 50051, all interfaces:
+ $ opensnitch-ui --socket "[::]:50051"
+.TP
+.BI "\--max-clients " num
+Maximum number of clients to allow (default: 10).
+.SH FILES
+.I /home/$USER/.config/opensnitch/
+.RS
+Path of the GUI configuration.
+.RE
+.SH DIAGNOSTICS
+If something goes wrong, like a crash, launch the GUI from a shell to view debugging messages:
+.LP
+.RS
+$ opensnitch-ui
+.RE
+.SH REPORTING BUGS
+Problems with
+.B opensnitch-ui
+should be reported on github
+.UR https://github.com/evilsocket/opensnitch/issues
+.UE
+.SH "SEE ALSO"
+.PP
+.B OpenSnitch
+Home Page
+.UR https://github.com/evilsocket/opensnitch
+.UE
+.LP
+.SH HISTORY
+.B OpenSnitch
+was originally written by Simone Margaritelli (evilsocket) in 2017-2018.
+.LP
+In 2019, after some time of inactivity, Gustavo Iñiguez Goya started
+contributing, fixing bugs and adding new functionality, with
+the esential help of the community, and valuable contributions from themighty1 and
+calesanz among others.
+.SH AUTHORS
+The complete list of
+.B OpenSnitch
+contributors can be found on
+.UR https://github.com/evilsocket/opensnitch
+.UE
--- /dev/null
+.\" Copyright (c) 2023 Gustavo Iñiguez Goya <gustavo.iniguez.goya@gmail.com>
+.\" All rights reserved.
+.\"
+.\" SPDX-License-Identifier: GPL-3.0-or-later
+.de CW
+.sp
+.in +4n
+.nf
+.ft CW
+..
+.de CE
+.ft R
+.fi
+.in
+.sp
+..
+.\" Like .OP, but with ellipsis at the end in order to signify that option
+.\" can be provided multiple times. Based on .OP definition in groff's
+.\" an-ext.tmac.
+.de OM
+. ie \\n(.$-1 \
+. RI "[\fB\\$1\fP" "\ \\$2" "]...\&"
+. el \
+. RB "[" "\\$1" "]...\&"
+..
+.\" Required option.
+.de OR
+. ie \\n(.$-1 \
+. RI "\fB\\$1\fP" "\ \\$2"
+. el \
+. BR "\\$1"
+..
+.TH OPENSNITCHD 1 "2023-06-07" "opensnitchd 1.5.9"
+.SH NAME
+opensnitchd \- GNU/Linux interactive firewall application
+.SH SYNOPSIS
+.SY opensnitchd
+.OP \-rules-path path
+.OP \-cpu-profile path
+.OP \-debug
+.OP \-error
+.OP \-warning
+.OP \-important
+.OM \-log-file path
+.OM \-mem-profile path
+.OP \-no-live-reload
+.OM \-process-monitor-method name
+.OM \-queue-num num
+.OM \-ui-socket path
+.OP \-version
+.OM \-workers num
+.YS
+.SH DESCRIPTION
+.LP
+opensnitchd is the OpenSnitch agent that intercepts outbound connections,
+and send them to the server. The server can be a GUI, a TUI, or a
+.I headless
+component to just log the network activity (a SIEM for example).
+By default it'll allow all connections, creating temporal rules for you
+so you can review them later.
+.LP
+.SH OPTIONS
+.TP
+.BI "\-rules-path " path
+Specifies where the rules will be written to. Default "rules".
+.TP
+.BI "\-cpu-profile " path
+A file path where the CPU data for later use will be written.
+.TP
+.BI "\-debug"
+Set LogLevel to DEBUG.
+.TP
+.BI "\-warning"
+Set LogLevel to WARNING.
+.TP
+.BI "\-important"
+Set LogLevel to IMPORTANT.
+.TP
+.BI "\-log-file " path
+A file path where the logs will be written to. This path can be a device file,
+like /dev/stdout to print logs to standard output.
+.TP
+.BI "\-mem-profile " path
+A file path where the memory data will be written once the daemon exits.
+.TP
+.BI "\-no-live-reload"
+By default daemon's rules and configuration is reloaded whenever it changes.
+This option disables this feature.
+.TP
+.BI "\-process-monitor-method " method
+Force process monitor method, overriding what is defined in the configuration.
+Valid methods: ebpf, audit, proc
+.TP
+.BI "\-queue-num " num
+Force to use this netfilter queue num. The default queue number is 0, but if
+it's already used by other software, you can set another queue number here.
+.TP
+.BI "\-ui-socket " path
+Force to use this socket path, instead of the one defined in the configuration.
+The path format is unix:///path/to/socket.sock or ip:port ("127.0.0.1:50051")
+.RS
+(
+.UR https://github.com/grpc/grpc/blob/master/doc/naming.md
+.UE
+)
+.RE
+.TP
+.BI "\-version"
+Prints out daemon version.
+.TP
+.BI "\-workers " num
+Change maximum number of workers to process outbound connections.
+By default 16 workers are launched, but if it's not enough increase this number.
+.SH FILES
+.I /etc/opensnitchd/rules/
+.RS
+Default daemon directory rules.
+.RE
+.I /etc/opensnitchd/default-config.json
+.RS
+Default daemon configuration.
+.RE
+.I /etc/opensnitchd/system-fw.json
+.RS
+Configuration of system firewall rules (iptables/nftables).
+.TP
+Firewall rules defined here bypasses OpenSnitch interception. Use it to allow VPNs or other services.
+.SH DIAGNOSTICS
+OpenSnitch needs at least one firewall rule to intercept outbound connections:
+.LP
+iptables -t mangle -L OUTPUT | grep NFQUEUE
+.RS
+NFQUEUE all -- anywhere anywhere ctstate NEW,RELATED NFQUEUE num 0 bypass
+.RE
+.LP
+If you suspect that OpenSnitch blocks an application and doesn't prompt you to allow or deny it,
+using the GUI enable the option
+.I [x] Debug invalid connections
+under Preferences -> Nodes.
+Or set the configuration option
+.B InterceptUnknown
+to true.
+.LP
+.I Tip:
+You can also add rules to the file /etc/opensnitchd/system-fw.json, to allow network services without being intercepted by the daemon.
+.LP
+Another way of debugging errors is by launching the daemon from the command line:
+.IP
+.PD 0
+.IP 1. 4
+Set LogLevel to DEBUG under Preferences -> Nodes (or LogLevel to 0 in the configuration)
+.IP 2. 4
+Stop the daemon: systemctl stop opensnitch
+.IP 3. 4
+Launch it from cli: /usr/bin/opensnitchd -rules-path /etc/opensnitchd/rules/
+.PD
+.LP
+.SH REPORTING BUGS
+Problems with
+.B opensnitchd
+should be reported on github
+.UR https://github.com/evilsocket/opensnitch/issues
+.UE
+.SH HISTORY
+.B OpenSnitch
+was originally written by Simone Margaritelli (evilsocket) in 2017-2018.
+.LP
+In 2019, after some time of inactivity, Gustavo Iñiguez Goya started
+contributing, fixing bugs and adding new functionality, with
+the esential help of the community, and valuable contributions from themighty1 and
+calesanz among others.
+.SH "SEE ALSO"
+.PP
+.B OpenSnitch
+Home Page
+.UR https://github.com/evilsocket/opensnitch
+.UE
+.SH AUTHORS
+The complete list of
+.B OpenSnitch
+contributors can be found on
+.UR https://github.com/evilsocket/opensnitch
+.UE
--- /dev/null
+# These are EBPF objects.
+binary-from-other-architecture [usr/lib/opensnitchd/ebpf/opensnitch-dns.o]
+binary-from-other-architecture [usr/lib/opensnitchd/ebpf/opensnitch-procs.o]
+binary-from-other-architecture [usr/lib/opensnitchd/ebpf/opensnitch.o]
--- /dev/null
+debian/man/opensnitch-ebpf-modules.1
--- /dev/null
+#!/bin/sh
+
+### BEGIN INIT INFO
+# Provides: opensnitchd
+# Required-Start: $network $local_fs
+# Required-Stop: $network $local_fs
+# Default-Start: 2 3 4 5
+# Default-Stop: 0 1 6
+# Short-Description: opensnitchd daemon
+# Description: opensnitch application firewall
+### END INIT INFO
+
+NAME=opensnitchd
+PIDDIR=/var/run/$NAME
+OPENSNITCHDPID=$PIDDIR/$NAME.pid
+
+# clear conflicting settings from the environment
+unset TMPDIR
+
+test -x /usr/bin/$NAME || exit 0
+
+. /lib/lsb/init-functions
+
+case $1 in
+ start)
+ log_daemon_msg "Starting opensnitch daemon" $NAME
+ if [ ! -d /etc/$NAME/rules ]; then
+ mkdir -p /etc/$NAME/rules &>/dev/null
+ fi
+
+ # Make sure we have our PIDDIR, even if it's on a tmpfs
+ install -o root -g root -m 755 -d $PIDDIR
+
+ if ! start-stop-daemon --start --quiet --oknodo --pidfile $OPENSNITCHDPID --background --exec /usr/bin/$NAME -- -rules-path /etc/$NAME/rules; then
+ log_end_msg 1
+ exit 1
+ fi
+
+ log_end_msg 0
+ ;;
+ stop)
+
+ log_daemon_msg "Stopping $NAME daemon" $NAME
+
+ start-stop-daemon --stop --quiet --signal QUIT --name $NAME
+ # Wait a little and remove stale PID file
+ sleep 1
+ if [ -f $OPENSNITCHDPID ] && ! ps h `cat $OPENSNITCHDPID` > /dev/null
+ then
+ rm -f $OPENSNITCHDPID
+ fi
+
+ log_end_msg 0
+
+ ;;
+ reload)
+ log_daemon_msg "Reloading $NAME" $NAME
+
+ start-stop-daemon --stop --quiet --signal HUP --pidfile $OPENSNITCHDPID
+
+ log_end_msg 0
+ ;;
+ restart|force-reload)
+ $0 stop
+ sleep 1
+ $0 start
+ ;;
+ status)
+ status_of_proc /usr/bin/$NAME $NAME
+ exit $?
+ ;;
+ *)
+ echo "Usage: /etc/init.d/opensnitchd {start|stop|reload|restart|force-reload|status}"
+ exit 1
+ ;;
+esac
+
+exit 0
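Review bot: The `mkdir -p /etc/$NAME/rules &>/dev/null` line in the `start)` branch uses the bash-only `&>` redirection under `#!/bin/sh`. A POSIX shell such as dash reads it as `mkdir ... &` followed by a separate redirection, so the directory is created in the background and may not exist yet when the daemon is launched with `-rules-path`. Write it as `mkdir -p "/etc/$NAME/rules" >/dev/null 2>&1`. Separately, `start-stop-daemon --start` gets `--pidfile` and `--background` but no `--make-pidfile`, so unless opensnitchd writes that file itself (not visible here) the `reload)` branch, which signals through `--pidfile`, has nothing to match. The `stop)` branch also ends in `log_end_msg 0` whatever `start-stop-daemon --stop` returned, so a failed stop is reported as success.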
--- /dev/null
+daemon/default-config.json etc/opensnitchd/
+daemon/system-fw.json etc/opensnitchd/
+#ebpf_prog/opensnitch.o etc/opensnitchd/
--- /dev/null
+/var/log/opensnitchd.log {
+ rotate 7
+# order of the fields is important
+ maxsize 50M
+# we need this option in order to keep logging
+ copytruncate
+ missingok
+ notifempty
+ delaycompress
+ compress
+ create 640 root root
+ weekly
+}
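Review bot: `create 640 root root` has no effect in this stanza because `copytruncate` is also set: logrotate leaves the original file in place and never recreates it, so the mode of /var/log/opensnitchd.log stays whatever the daemon created it with. If the intent is to keep the connection log unreadable to ordinary users, that has to be enforced where the file is first created (not visible in this file). Otherwise replace the line with a comment such as `# create is ignored with copytruncate; the log mode is set by opensnitchd`. The existing comment `# order of the fields is important` does not say which order or why, and a short explanation there would help the next maintainer.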
--- /dev/null
+rm_conffile /etc/needrestart/conf.d/no-opensnitch-restart.conf 1.6.8-9 opensnitch
--- /dev/null
+debian/man/opensnitchd.1
--- /dev/null
+[Unit]
+Description=OpenSnitch is a GNU/Linux application firewall.
+Documentation=https://github.com/gustavo-iniguez-goya/opensnitch/wiki
+Wants=network.target
+After=network.target
+
+[Service]
+Type=simple
+PermissionsStartOnly=true
+ExecStartPre=/bin/mkdir -p /etc/opensnitchd/rules
+ExecStart=/usr/bin/opensnitchd -rules-path /etc/opensnitchd/rules
+Restart=always
+RestartSec=30
+
+[Install]
+WantedBy=multi-user.target
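Review bot: This unit orders the firewall `After=network.target` and installs it into `multi-user.target`, while 1030-systemd-service-earlier.patch in the same upload changes the upstream unit to `Before=network-pre.target`, `DefaultDependencies=no` and `WantedBy=basic.target`. If this copy is the one dh_installsystemd ships (which cannot be told from this file), the early-start ordering from the patch never takes effect and interfaces can come up before interception is in place. Either drop this copy in favour of the patched upstream unit or carry the same `[Unit]` and `[Install]` lines here. The `Documentation=` URL also points at the gustavo-iniguez-goya fork rather than the evilsocket repository used everywhere else in the packaging.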
--- /dev/null
+Description: Changed how ebpf build find kernel headers from running to installed version.
+ The installed kernel do not match running kernel in chroots and containers.
+Author: Petter Reinholdtsen <pere@hungry.com>
+Forwarded: https://github.com/evilsocket/opensnitch/pull/1327
+Last-Update: 2025-04-20
+---
+Index: opensnitch-salsa/ebpf_prog/Makefile
+===================================================================
+--- opensnitch-salsa.orig/ebpf_prog/Makefile 2025-04-20 09:53:55.679288526 +0200
++++ opensnitch-salsa/ebpf_prog/Makefile 2025-04-20 09:54:12.000000000 +0200
+@@ -3,8 +3,9 @@
+ # On Debian based distros we need the following 2 directories.
+ # Otherwise, just use the kernel headers from the kernel sources.
+ #
+-KERNEL_DIR ?= /lib/modules/$(shell uname -r)/source
+-KERNEL_HEADERS ?= /usr/src/linux-headers-$(shell uname -r)/
++KERNEL_VER ?= $(shell ls -d /lib/modules/*/source | sort | tail -1 | cut -d/ -f4)
++KERNEL_DIR ?= /lib/modules/$(KERNEL_VER)/source
++KERNEL_HEADERS ?= /usr/src/linux-headers-$(KERNEL_VER)/
+ CLANG ?= clang
+ LLC ?= llc
+ LLVM_STRIP ?= llvm-strip -g
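Review bot: `sort | tail -1` in the new `KERNEL_VER` line orders the directories lexically, so with two header sets installed (constructed example: 6.1.0-9-amd64 and 6.1.0-10-amd64) it selects the older one. `sort -V` gives version order: `KERNEL_VER ?= $(shell ls -d /lib/modules/*/source | sort -V | tail -1 | cut -d/ -f4)`. When no `/lib/modules/*/source` exists the variable is empty and `KERNEL_DIR` becomes `/lib/modules//source`, which only surfaces later as a compile failure. A guard such as `$(if $(KERNEL_VER),,$(error no kernel headers found under /lib/modules))` would make that explicit. The Makefile continues outside this hunk.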
--- /dev/null
+Description: Added ebpf build rule mapping for armv8 to work with more armhf machines.
+Author: Petter Reinholdtsen <pere@hungry.com>
+Forwarded: https://github.com/evilsocket/opensnitch/pull/1326
+Last-Update: 2025-04-20
+---
+Index: opensnitch-salsa/ebpf_prog/Makefile
+===================================================================
+--- opensnitch-salsa.orig/ebpf_prog/Makefile 2025-04-20 09:53:55.739289007 +0200
++++ opensnitch-salsa/ebpf_prog/Makefile 2025-04-20 09:53:55.731288942 +0200
+@@ -19,6 +19,8 @@
+ ARCH := x86
+ else ifeq ($(ARCH),armv7l)
+ ARCH := arm
++else ifeq ($(ARCH),armv8l)
++ ARCH := arm
+ else ifeq ($(ARCH),aarch64)
+ ARCH := arm64
+ endif
--- /dev/null
+Description: Start firewall rules before network is brought up.
+ Also protect the firewall daemon from the kernel OOM killer. Partly
+ based on proposal from
+ https://github.com/evilsocket/opensnitch/pull/1019/.
+Author: Petter Reinholdtsen <pere@hungry.com>
+Forwarded: https://github.com/evilsocket/opensnitch/pull/1019
+Last-Update: 2025-04-20
+diff --git a/daemon/opensnitchd.service b/daemon/opensnitchd.service
+index 3f05fad2..3bfd94d6 100644
+--- a/daemon/opensnitchd.service
++++ b/daemon/opensnitchd.service
+@@ -1,6 +1,10 @@
+ [Unit]
+ Description=Application firewall OpenSnitch
+ Documentation=https://github.com/evilsocket/opensnitch/wiki
++DefaultDependencies=no
++Before=network-pre.target shutdown.target
++Wants=network-pre.target
++Conflicts=shutdown.target
+
+ [Service]
+ Type=simple
+@@ -10,6 +14,9 @@ ExecStart=/usr/local/bin/opensnitchd -rules-path /etc/opensnitchd/rules
+ Restart=always
+ RestartSec=30
+ TimeoutStopSec=10
++# Ensure it is not killed by the Linux kernel's Out-Of-Memory (OOM) killer.
++# https://www.freedesktop.org/software/systemd/man/systemd.exec.html#OOMScoreAdjust=
++OOMScoreAdjust=-1000
+
+ [Install]
+-WantedBy=multi-user.target
++WantedBy=basic.target
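Review bot: With `DefaultDependencies=no` the unit loses the implicit `After=sysinit.target` ordering, and nothing added in the `[Unit]` hunk orders it after local filesystems, although `ExecStart` reads `-rules-path /etc/opensnitchd/rules`. On systems where the paths the daemon reads or logs to are separate mounts it could start before they are available, so consider `After=local-fs.target` (or `RequiresMountsFor=/etc/opensnitchd`) next to the new `Before=` line. `OOMScoreAdjust=-1000` combined with `Restart=always` means a leaking daemon is never chosen as the OOM victim and other processes are killed instead. The comment above it should state that trade-off, for example `# Trade-off: if opensnitchd itself leaks memory, other processes are killed first.` The `[Service]` section is only partly visible in these hunks.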
--- /dev/null
+Description: Added ebpf build rule mapping for s390x to s390.
+ This ensure the kernel headers are found during compilation.
+Author: Petter Reinholdtsen <pere@hungry.com>
+Forwarded: https://github.com/evilsocket/opensnitch/pull/1333
+Last-Update: 2025-04-25
+---
+Index: opensnitch-salsa/ebpf_prog/Makefile
+===================================================================
+--- opensnitch-salsa.orig/ebpf_prog/Makefile 2025-04-25 07:58:50.785702284 +0200
++++ opensnitch-salsa/ebpf_prog/Makefile 2025-04-25 07:59:34.170084431 +0200
+@@ -23,6 +23,8 @@
+ ARCH := arm
+ else ifeq ($(ARCH),aarch64)
+ ARCH := arm64
++else ifeq ($(ARCH),s390x)
++ ARCH := s390
+ endif
+
+ ifeq ($(ARCH),arm)
--- /dev/null
+Description: Do not propose use of pip on Debian
+ Dependencies should be fetched from the curated Debian archive.
+Author: Petter Reinholdtsen <pere@debian.org>
+Forwarded: not-needed
+Last-Update: 2025-04-19
+---
+--- opensnitch-1.6.8.orig/ui/opensnitch/dialogs/firewall_rule.py
++++ opensnitch-1.6.8/ui/opensnitch/dialogs/firewall_rule.py
+@@ -377,7 +377,7 @@ The value must be in the format: VALUE/U
+ self._set_status_error(
+ QC.translate(
+ "firewall",
+- "Your protobuf version is incompatible, you need to install protobuf 3.8.0 or superior\n(pip3 install --ignore-installed protobuf==3.8.0)"
++ "Your protobuf version is incompatible, you need to install protobuf 3.8.0 or superior\n(apt install protobuf-api-32-0)"
+ )
+ )
+ return False
+--- opensnitch-1.6.8.orig/ui/opensnitch/dialogs/preferences.py
++++ opensnitch-1.6.8/ui/opensnitch/dialogs/preferences.py
+@@ -258,7 +258,7 @@ class PreferencesDialog(QtWidgets.QDialo
+ self._saved_theme = ""
+ self.labelThemeError.setStyleSheet('color: red')
+ self.labelThemeError.setVisible(True)
+- self.labelThemeError.setText(QC.translate("preferences", "Themes not available. Install qt-material: pip3 install qt-material"))
++ self.labelThemeError.setText(QC.translate("preferences", "Themes not available. Install qt-material: apt install python3-qt-material"))
+
+ self.comboUITheme.setCurrentIndex(theme_idx)
+ self._show_ui_density_widgets(theme_idx)
+--- opensnitch-1.6.8.orig/ui/opensnitch/utils/__init__.py
++++ opensnitch-1.6.8/ui/opensnitch/utils/__init__.py
+@@ -109,7 +109,7 @@ class Themes():
+ from qt_material import list_themes as qtmaterial_themes
+ AVAILABLE = True
+ except Exception:
+- print("Themes not available. Install qt-material if you want to change GUI's appearance: pip3 install qt-material.")
++ print("Themes not available. Install qt-material if you want to change GUI's appearance: apt install python3-qt-material.")
+
+ @staticmethod
+ def instance():
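Review bot: The replacement string in firewall_rule.py tells users to run `apt install protobuf-api-32-0`, which looks like a versioned ABI name rather than a regular package, while the same sentence still says "3.8.0 or superior". If so, the hint would go stale with the next protobuf transition. Naming the library package, e.g. `(apt install python3-protobuf)`, keeps it stable. The two strings passed to `QC.translate` are also the lookup keys for the shipped translations, so if the catalogues are built from the unpatched text these two messages will fall back to English for localized users. That is probably acceptable, but it deserves a line in the patch description.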
--- /dev/null
+Description: Tell opensnitch daemon to not flush al TCP connections on restart.
+ This avoid killing connections like SSH and IRC when upgrading or restarting
+ the service. See discussion in https://github.com/evilsocket/opensnitch/issues/1329 .
+Author: Petter Reinholdtsen <pere@hungry.com>
+Bug-Debian: https://bugs.debian.org/1103496
+Forwarded: not-needed
+Last-update: 2025-05-26
+---
+Index: opensnitch-salsa/daemon/default-config.json
+===================================================================
+--- opensnitch-salsa.orig/daemon/default-config.json 2025-04-26 07:33:06.345354492 +0200
++++ opensnitch-salsa/daemon/default-config.json 2025-04-26 07:33:52.681782972 +0200
+@@ -22,6 +22,6 @@
+ },
+ "Internal": {
+ "GCPercent": 100,
+- "FlushConnsOnStart": true
++ "FlushConnsOnStart": false
+ }
+ }
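Review bot: The patch description does not say what is given up by setting `"FlushConnsOnStart": false`. Connections that already exist when the daemon starts, including any opened while it was stopped, are presumably left running without being evaluated against the rules. Add a sentence to the description (and ideally to README.Debian or NEWS) along the lines of `Connections opened while opensnitchd was not running are no longer terminated on start; set FlushConnsOnStart to true to restore the upstream default.` so administrators can make the choice knowingly. The header also spells the field `Last-update:` where the other patches in this upload use `Last-Update:`.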
--- /dev/null
+0xxx: Grabbed from upstream development.
+1xxx: Possibly relevant for upstream adoption.
+2xxx: Only relevant for official Debian release.
--- /dev/null
+1000-installed-kernel-headers.patch
+1020-ebpf-armv8l.patch
+1030-systemd-service-earlier.patch
+1050-ebpf-s390x.patch
+2000-apt-not-pip.patch
+2010-no-tcp-flush-on-restart.patch
--- /dev/null
+debian/man/opensnitch-ui.1
--- /dev/null
+#!/bin/sh
+set -e
+
+autostart_by_default()
+{
+ deskfile=/etc/xdg/autostart/opensnitch_ui.desktop
+ if [ -d /etc/xdg/autostart -a ! -h $deskfile -a ! -f $deskfile ]; then
+ ln -s /usr/share/applications/opensnitch_ui.desktop /etc/xdg/autostart/
+ fi
+}
+
+if command -v gtk-update-icon-cache >/dev/null && test -f /usr/share/icons/hicolor/index.theme ; then
+ gtk-update-icon-cache --quiet /usr/share/icons/hicolor/
+fi
+
+case "$1" in
+ configure)
+ # first install
+ if [ -z $2 ]; then
+ autostart_by_default
+ elif dpkg --compare-versions "$2" le "1.5.7-2"; then
+ autostart_by_default
+ fi
+ ;;
+esac
+
+#DEBHELPER#
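Review bot: `[ -z $2 ]` in the `configure)` branch is unquoted, so on a first install it collapses to `[ -z ]`, which is true only because a one-argument test checks that the string `-z` is non-empty; `[ -z "$2" ]` states the intent. The test in `autostart_by_default` uses the obsolescent `-a` operator with unquoted `$deskfile`; `[ -d /etc/xdg/autostart ] && [ ! -h "$deskfile" ] && [ ! -f "$deskfile" ]` is the portable form. A comment above the function should also say that it enables GUI autostart system-wide, and that an administrator who removed the symlink gets it back when upgrading from a version `le 1.5.7-2`.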
--- /dev/null
+#!/bin/sh
+set -e
+
+case "$1" in
+ purge)
+ deskfile=/etc/xdg/autostart/opensnitch_ui.desktop
+ if [ -f $deskfile -o -h $deskfile ];then
+ rm -f /etc/xdg/autostart/opensnitch_ui.desktop
+ fi
+ ;;
+ remove)
+ pkill -15 opensnitch-ui || true
+ ;;
+esac
+
+#DEBHELPER#
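Review bot: `pkill -15 opensnitch-ui` in the `remove)` branch treats its argument as an unanchored regular expression matched against the process names of all users, so any process whose name merely contains that string is signalled by the root-run maintainer script. `pkill -15 -x opensnitch-ui || true` limits the match to the exact name. In the `purge)` branch the `[ -f $deskfile -o -h $deskfile ]` test uses the obsolescent `-o` operator and is redundant in front of `rm -f`; `rm -f "$deskfile"` alone has the same effect.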
--- /dev/null
+#!/usr/bin/make -f
+export DH_VERBOSE = 1
+export DESTDIR := $(shell pwd)/debian/opensnitch
+export UIDESTDIR := $(shell pwd)/debian/python3-opensnitch-ui
+export EBPFDESTDIR := $(shell pwd)/debian/opensnitch-ebpf-modules
+
+ifeq ($(DEB_BUILD_ARCH),amd64)
+ WITH_EBPF := true
+else ifeq ($(DEB_BUILD_ARCH),arm64)
+ WITH_EBPF := true
+else ifeq ($(DEB_BUILD_ARCH),riscv64)
+ WITH_EBPF := true
+else ifeq ($(DEB_BUILD_ARCH),s390x)
+ WITH_EBPF := true
+else ifeq ($(DEB_BUILD_ARCH),loong64)
+ WITH_EBPF := true
+else ifeq ($(DEB_BUILD_ARCH),ppc64)
+ WITH_EBPF := true
+else
+ WITH_EBPF := false
+endif
+
+override_dh_installsystemd:
+ dh_installsystemd --restart-after-upgrade
+
+override_dh_auto_build:
+ $(MAKE) protocol
+# Workaround for Go build problem when building in _build
+ mkdir -p _build/src/github.com/evilsocket/opensnitch/daemon/ui/protocol/
+ cp daemon/ui/protocol/* _build/src/github.com/evilsocket/opensnitch/daemon/ui/protocol/
+ dh_auto_build
+ cd ui && python3 setup.py build --force
+ if $(WITH_EBPF) ; then make -C ebpf_prog; fi
+
+override_dh_auto_install:
+# daemon
+ mkdir -p $(DESTDIR)/usr/bin
+ cp _build/bin/daemon $(DESTDIR)/usr/bin/opensnitchd
+# GUI
+ make -C ui/i18n
+ cp -r ui/i18n/locales/ ui/opensnitch/i18n/
+ pyrcc5 -o ui/opensnitch/resources_rc.py ui/opensnitch/res/resources.qrc
+ sed -i 's/^import ui_pb2/from . import ui_pb2/' ui/opensnitch/ui_pb2*
+ cd ui && python3 setup.py install --force --root=$(UIDESTDIR) --no-compile -O0 --install-layout=deb
+
+# ebpf modules
+ if $(WITH_EBPF); then \
+ mkdir -p $(EBPFDESTDIR)/usr/lib/opensnitchd/ebpf ; \
+ make -C ebpf_prog && cp ebpf_prog/opensnitch*o $(EBPFDESTDIR)/usr/lib/opensnitchd/ebpf/ ; \
+ fi
+
+# daemon
+ dh_auto_install
+
+%:
+ dh $@ --builddirectory=_build --buildsystem=golang --with=golang,python3
+
+override_dh_auto_clean:
+ dh_auto_clean
+ $(MAKE) clean
+ $(RM) daemon/ui/protocol/ui_grpc.pb.go
+ $(RM) ui/opensnitch/resources_rc.py
+ $(RM) -r ui/opensnitch/i18n/
+ $(RM) ui/i18n/locales/*/*.qm
+ cd ui && python3 setup.py clean -a
+ $(RM) -r ui/opensnitch_ui.egg-info/
+ find ui -name \*.pyc -exec rm {} \;
+ $(MAKE) -C ebpf_prog/ clean
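Review bot: `WITH_EBPF` is decided from `DEB_BUILD_ARCH`, which names the machine running the build rather than the architecture the package is built for, so a cross build selects the eBPF modules by the wrong architecture. The variable is also only defined when the caller exports it, because this file does not include dpkg's architecture.mk. Adding `include /usr/share/dpkg/architecture.mk` and replacing the chain with `ifneq (,$(filter $(DEB_HOST_ARCH),amd64 arm64 riscv64 s390x loong64 ppc64))` fixes both and shortens the block. The eBPF recipes also call plain `make -C ebpf_prog` where the rest of the file uses `$(MAKE)`, and the objects are built in both `override_dh_auto_build` and `override_dh_auto_install`.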
--- /dev/null
+3.0 (quilt)
--- /dev/null
+extend-diff-ignore="\.egg-info$"
\ No newline at end of file
--- /dev/null
+Tests: test-resources.sh
+Depends: opensnitch
+Restrictions: superficial
+
+Tests: test-fw-rules.sh
+Depends: nftables, opensnitch
+Restrictions: needs-root
--- /dev/null
+#!/bin/sh
+set -e
+
+retval=0
+
+# for some reason, go.exec.LookPath() fails to obtain the path of iptables
+# on the ci environment, even if $PATH is set correctly.
+echo "[+] PATH: $PATH"
+
+log="/var/log/opensnitchd.log"
+
+if [ -f /proc/modules ]; then
+ echo "[+] loaded modules:"
+ cat /proc/modules
+fi
+
+if [ -f $log ]; then
+ echo "[+] opensnitchd log:"
+ cat $log
+fi
+
+nft list ruleset
+if nft list ruleset | \
+ grep -q "ct state related,new queue flags bypass to 0" ; then
+ echo "[+] Interception rule (nftables): OK"
+else
+ echo "[!] Interception rule (nftables): Missing"
+ retval=1
+fi
+
+exit $retval
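Review bot: Under `set -e` the bare `nft list ruleset` before the `if` aborts the script when nft fails, so the `[!] Interception rule (nftables): Missing` line and the `retval` path are never reached in that case; `nft list ruleset || true` keeps the dump purely diagnostic. The check itself runs once with no wait, so if the daemon has not finished inserting its rule when the test starts (how it is started is not visible here) the result is a spurious failure. A short bounded retry around the `grep -q` would cover that. `$log` should be quoted in `[ -f "$log" ]` and `cat "$log"`.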
--- /dev/null
+#!/bin/sh
+set -e
+
+ophome="/etc/opensnitchd"
+
+ls -dl $ophome 1>/dev/null
+echo "installed OK: $ophome"
+ls -l $ophome/system-fw.json 1>/dev/null
+echo "installed OK: $ophome/system-fw.json"
+ls -l $ophome/default-config.json 1>/dev/null
+echo "installed OK: $ophome/default-config.json"
+ls -dl $ophome/rules 1>/dev/null
+echo "installed OK: $ophome/rules/"
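Review bot: The four `ls ... 1>/dev/null` calls only prove that a path exists, not that it is the expected kind of object. `test -d "$ophome/rules"` and `test -f "$ophome/default-config.json"` say what is being checked and fail the same way under `set -e`. Quoting `$ophome` in each call would match that form.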
--- /dev/null
+---
+Name: opensnitch
+Bug-Database: https://github.com/evilsocket/opensnitch/issues
+Bug-Submit: https://github.com/evilsocket/opensnitch/issues/new
+Contact: Gustavo Iñiguez Goia <gooffy1@gmail.com>
+Documentation: https://github.com/evilsocket/opensnitch/wiki
+CPE: cpe:/a:evilsocket:opensnitch
+Repository: https://github.com/evilsocket/opensnitch.git
+Repository-Browse: https://github.com/evilsocket/opensnitch
--- /dev/null
+version=4
+opts=filenamemangle=s/.+\/v?(\d\S*)\.tar\.gz/opensnitch-\$1\.tar\.gz/,\
+uversionmangle=s/(\d)[_\.\-\+]?(RC|rc|pre|dev|beta|alpha)[.]?(\d*)$/\$1~\$2\$3/ \
+ https://github.com/evilsocket/opensnitch/tags .*/v?(\d\S*)\.tar\.gz