--- /dev/null
+opensnitch (1.5.8.1-1) unstable; urgency=medium
+
+ * New upstream release.
+ * Upload sponsored by Petter Reinholdtsen.
+
+ -- Gustavo Iñiguez Goya <gustavo.iniguez.goya@gmail.com> Mon, 06 Mar 2023 12:37:24 +0100
+
+opensnitch (1.5.8-2) unstable; urgency=medium
+
+ * Upload to unstable.
+ * Upload sponsored by Petter Reinholdtsen.
+
+ -- Gustavo Iñiguez Goya <gustavo.iniguez.goya@gmail.com> Tue, 21 Feb 2023 21:26:21 +0100
+
+opensnitch (1.5.8-1) experimental; urgency=medium
+
+ * New upstream release.
+
+ [ Gustavo Iñiguez Goia ]
+ * ui: added 64x64 icon.
+ * Added missing entry for GUI manual page.
+ * Updated appstream Summary field.
+ * Removed ftrace dependency from d/control.
+ * ui: updated appstream Summary field.
+ * Updated d/control Description.
+
+ [ Petter Reinholdtsen ]
+ * Added appstream content rating, no restrictions.
+ * Corrected appstream icon name.
+ * Documented appstream metadata license in d/copyright.
+ * Place manual pages in correct packages.
+
+ * Upload sponsored by Petter Reinholdtsen.
+
+ -- Gustavo Iñiguez Goya <gustavo.iniguez.goya@gmail.com> Sun, 19 Feb 2023 10:26:46 +0100
+
+opensnitch (1.5.7-3) experimental; urgency=medium
+
+ [ Gustavo Iñiguez Goia ]
+ * fixed /etc/xdg/autostart/ link
+
+ * Upload sponsored by Petter Reinholdtsen.
+
+ -- Gustavo Iñiguez Goya <gustavo.iniguez.goya@gmail.com> Wed, 15 Feb 2023 22:41:19 +0100
+
+opensnitch (1.5.7-2) experimental; urgency=medium
+
+ [ Gustavo Iñiguez Goia ]
+ * added opensnitchd manual page
+ * added new manual page, updated opensnitchd.1
+ * improved debian/tests/
+
+ * Upload sponsored by Petter Reinholdtsen.
+
+ -- Gustavo Iñiguez Goya <gustavo.iniguez.goya@gmail.com> Mon, 13 Feb 2023 12:43:19 +0100
+
+opensnitch (1.5.7-1) unstable; urgency=medium
+
+ * New upstream release
+
+ [ Gustavo Iñiguez Goia ]
+ * Set test-fw-rules.sh as flaky.
+ * Make test-fw-rules.sh more verbose.
+
+ [ Petter Reinholdtsen ]
+ * Fixed typo in nb comment of desktop file.
+ * Added appstream desktop category to metadata XML.
+
+ * Upload sponsored by Petter Reinholdtsen.
+
+ -- Gustavo Iñiguez Goya <gustavo.iniguez.goya@gmail.com> Fri, 10 Feb 2023 13:28:23 +0100
+
+opensnitch (1.5.6-1) unstable; urgency=medium
+
+ * New upstream release
+
+ [ Gustavo Iñiguez Goia ]
+ * tests: removed Architecture: restriction
+ * changed Maintainer: field to team+pkg-go
+ * added new test
+ * added Uploaders field
+ * updated Vcs* fields
+
+ [ Petter Reinholdtsen ]
+ * Added Debian package relation between opensnitch and
+ python3-opensnitch-ui.
+ * Handle autopkgtest scripts differently, as they have different
+ requirements.
+
+ * Upload sponsored by Petter Reinholdtsen.
+
+ -- Gustavo Iñiguez Goya <gustavo.iniguez.goya@gmail.com> Tue, 07 Feb 2023 21:29:48 +0100
+
+opensnitch (1.5.5-1) unstable; urgency=medium
+
+ * New upstream release.
+ * Bump Standards-Version to 4.6.2.
+ * Upload sponsored by Petter Reinholdtsen.
+
+ -- Gustavo Iñiguez Goya <gustavo.iniguez.goya@gmail.com> Wed, 01 Feb 2023 22:37:12 +0100
+
+opensnitch (1.5.4-1) unstable; urgency=high
+
+ * New upstream release. (Closes: #1030115)
+ * debian/control:
+ - Updated packages description.
+ - Removed debconf and whiptail|dialog dependencies.
+ - Added xdg-user-dirs, gtk-update-icon-cache dependencies.
+ - Point Vcs-Git field to the 1.5.0 branch.
+ * debian/postinst:
+ - Fixed opensnitch_ui.desktop installation.
+ - Fixed updating icons cache.
+ * debian/postrm:
+ - Fixed removing opensnitch_ui.desktop
+ * debian/tests/:
+ - Added autopkgtests.
+ * Upload sponsored by Petter Reinholdtsen.
+
+ -- Gustavo Iñiguez Goya <gustavo.iniguez.goya@gmail.com> Tue, 31 Jan 2023 23:48:58 +0100
+
+opensnitch (1.5.3-1) unstable; urgency=medium
+
+ * Added debian/upstream/metadata.
+ * Updated Homepage url.
+ * Updated Copyright years.
+
+ -- Gustavo-Iniguez-Goya <gustavo.iniguez.goya@gmail.com> Sun, 22 Jan 2023 21:30:45 +0100
+
+opensnitch (1.5.2.1-1) unstable; urgency=medium
+
+ * Initial release. (Closes: #909567)
+
+ -- Gustavo-Iniguez-Goya <gustavo.iniguez.goya@gmail.com> Fri, 20 Jan 2023 22:26:40 +0000
+
+opensnitch (1.5.2-1) unstable; urgency=medium
+
+ * try to mount debugfs on boot up
+
+ -- gustavo-iniguez-goya <gustavo.iniguez.goya@gmail.com> Wed, 27 Jul 2022 17:29:33 +0200
+
+opensnitch (1.5.1-1) unstable; urgency=medium
+
+ * Better eBPF cache.
+ * Fixed error resolving domains to localhost.
+ * Fixed error deleting our nftables rules.
+
+ -- gustavo-iniguez-goya <gustavo.iniguez.goya@gmail.com> Fri, 25 Feb 2022 01:21:38 +0100
+
+opensnitch (1.5.0-1) unstable; urgency=medium
+
+ * New release.
+ * Added Reject option.
+ * New lists types to block ads/malware/...
+ * Better connections interception.
+ * Better VPNs handling.
+ * Bug fixes.
+
+ -- gustavo-iniguez-goya <gustavo.iniguez.goya@gmail.com> Fri, 28 Jan 2022 23:20:38 +0100
+
+opensnitch (1.5.0~rc2-1) unstable; urgency=medium
+
+ * Better connections interception.
+ * Improvements.
+
+ -- gustavo-iniguez-goya <gustavo.iniguez.goya@gmail.com> Sun, 16 Jan 2022 23:15:12 +0100
+
+opensnitch (1.5.0~rc1-1) unstable; urgency=medium
+
+ * New features.
+
+ -- gustavo-iniguez-goya <gustavo.iniguez.goya@gmail.com> Thu, 07 Oct 2021 14:57:35 +0200
+
+opensnitch (1.4.0-1) unstable; urgency=medium
+
+ * final release.
+
+ -- gustavo-iniguez-goya <gustavo.iniguez.goya@gmail.com> Fri, 27 Aug 2021 13:33:07 +0200
+
+opensnitch (1.4.0~rc4-1) unstable; urgency=medium
+
+ * Bug fix release.
+
+ -- gustavo-iniguez-goya <gooffy1@gmail.com> Wed, 11 Aug 2021 15:17:49 +0200
+
+opensnitch (1.4.0~rc3-1) unstable; urgency=medium
+
+ * Bug fix release.
+
+ -- gustavo-iniguez-goya <gooffy1@gmail.com> Fri, 16 Jul 2021 23:28:52 +0200
+
+opensnitch (1.4.0~rc2-1) unstable; urgency=medium
+
+ * Added eBPF support.
+ * Fixes and improvements.
+
+ -- gustavo-iniguez-goya <gooffy1@gmail.com> Fri, 07 May 2021 01:08:02 +0200
+
+opensnitch (1.4.0~rc-1) unstable; urgency=medium
+
+ * Bug fix and improvements release.
+
+ -- gustavo-iniguez-goya <gooffy1@gmail.com> Thu, 25 Mar 2021 01:02:31 +0100
+
+opensnitch (1.3.6-1) unstable; urgency=medium
+
+ * Bug fix and improvements release.
+
+ -- gustavo-iniguez-goya <gooffy1@gmail.com> Wed, 10 Feb 2021 10:17:43 +0100
+
+opensnitch (1.3.5-1) unstable; urgency=medium
+
+ * Bug fix and improvements release.
+
+ -- gustavo-iniguez-goya <gooffy1@gmail.com> Mon, 11 Jan 2021 18:01:53 +0100
+
+opensnitch (1.3.0-1) unstable; urgency=medium
+
+ * Fixed how we check rules
+ * Fixed cpu spike after disable interception.
+ * Fixed cleaning up fw rules on exit.
+ * make regexp rules case-insensitive by default
+ * allow to filter by dst network.
+
+ -- gustavo-iniguez-goya <gooffy1@gmail.com> Wed, 16 Dec 2020 01:15:03 +0100
+
+opensnitch (1.3.0~rc-1) unstable; urgency=medium
+
+ * Non-maintainer upload.
+
+ -- gustavo-iniguez-goya <gooffy1@gmail.com> Fri, 13 Nov 2020 00:51:34 +0100
+
+opensnitch (1.2.0-1) unstable; urgency=medium
+
+ * Fixed memleaks.
+ * Sort rules by name
+ * Added priority field to rules.
+ * Other fixes
+
+ -- gustavo-iniguez-goya <gooffy1@gmail.com> Mon, 09 Nov 2020 22:55:13 +0100
+
+opensnitch (1.0.1-1) unstable; urgency=medium
+
+ * Fixed app exit when IPv6 is not supported.
+ * Other fixes.
+
+ -- gustavo-iniguez-goya <gooffy1@gmail.com> Thu, 30 Jul 2020 21:56:20 +0200
+
+opensnitch (1.0.0-1) unstable; urgency=medium
+
+ * v1.0.0 released.
+
+ -- gustavo-iniguez-goya <gooffy1@gmail.com> Thu, 16 Jul 2020 00:19:26 +0200
+
+opensnitch (1.0.0rc11-1) unstable; urgency=medium
+
+ * Fixed multiple race conditions.
+ * Fixed CWD parsing when using audit proc monitor method.
+
+ -- gustavo-iniguez-goya <gooffy1@gmail.com> Wed, 24 Jun 2020 00:10:38 +0200
+
+opensnitch (1.0.0rc10-1) unstable; urgency=medium
+
+ * Fixed checking UID functions availability.
+ * Improved process path parsing.
+ * Fixed applying config from the UI.
+ * Fixed default log level.
+ * Gather CWD and process environment vars.
+ * Increase default timeout when asking for a rule.
+
+ -- gustavo-iniguez-goya <gooffy1@gmail.com> Sat, 13 Jun 2020 18:45:02 +0200
+
+opensnitch (1.0.0rc9-1) unstable; urgency=medium
+
+ * Ignore malformed rules from loading.
+ * Allow to modify and add rules from the UI.
+
+ -- gustavo-iniguez-goya <gooffy1@gmail.com> Sun, 17 May 2020 18:18:24 +0200
+
+opensnitch (1.0.0rc8) unstable; urgency=medium
+
+ * Allow to change settings from the UI.
+ * Improved connection handling with the UI.
+
+ -- gustavo-iniguez-goya <gooffy1@gmail.com> Wed, 29 Apr 2020 21:52:27 +0200
+
+opensnitch (1.0.0rc7-1) unstable; urgency=medium
+
+ * Stability, performance and realiability improvements.
+
+ -- gustavo-iniguez-goya <gooffy1@gmail.com> Sun, 12 Apr 2020 23:25:41 +0200
+
+opensnitch (1.0.0rc6-1) unstable; urgency=medium
+
+ * Fixed iptables rules deletion.
+ * Improved PIDs cache.
+ * Added audit process monitoring method.
+ * Added logrotate file.
+ * Added default configuration file.
+
+ -- gustavo-iniguez-goya <gooffy1@gmail.com> Sun, 08 Mar 2020 20:47:58 +0100
+
+opensnitch (1.0.0rc-5) unstable; urgency=medium
+
+ * Fixed netlink socket querying.
+ * Added check to reload firewall rules if missing.
+
+ -- gustavo-iniguez-goya <gooffy1@gmail.com> Mon, 24 Feb 2020 19:55:06 +0100
+
+opensnitch (1.0.0rc-3) unstable; urgency=medium
+
+ * @see: https://github.com/gustavo-iniguez-goya/opensnitch/releases
+
+ -- gustavo-iniguez-goya <gooffy1@gmail.com> Tue, 18 Feb 2020 10:09:45 +0100
+
+opensnitch (1.0.0rc-2) unstable; urgency=medium
+
+ * UI minor changes
+ * Expand deb package compatibility.
+
+ -- gustavo-iniguez-goya <gooffy1@gmail.com> Wed, 05 Feb 2020 21:50:20 +0100
+
+opensnitch (1.0.0rc-1) unstable; urgency=medium
+
+ * Initial release
+
+ -- gustavo-iniguez-goya <gooffy1@gmail.com> Fri, 22 Nov 2019 01:14:08 +0100
--- /dev/null
+Source: opensnitch
+Maintainer: Debian Go Packaging Team <team+pkg-go@tracker.debian.org>
+Uploaders: Gustavo Iñiguez Goya <gustavo.iniguez.goya@gmail.com>
+Section: devel
+Priority: optional
+Build-Depends:
+ debhelper-compat (= 11),
+ dh-golang,
+ dh-python,
+ golang-any,
+ golang-github-fsnotify-fsnotify-dev,
+ golang-github-google-gopacket-dev,
+ golang-github-google-nftables-dev,
+ golang-github-iovisor-gobpf-dev,
+ golang-github-vishvananda-netlink-dev,
+ golang-golang-x-net-dev,
+ golang-google-grpc-dev,
+ golang-goprotobuf-dev,
+ libmnl-dev,
+ libnetfilter-queue-dev,
+ pkg-config,
+ protoc-gen-go-grpc,
+ pyqt5-dev-tools,
+ qttools5-dev-tools,
+ python3-all,
+ python3-grpc-tools,
+ python3-setuptools
+Standards-Version: 4.6.2
+Vcs-Browser: https://salsa.debian.org/go-team/packages/opensnitch
+Vcs-Git: https://salsa.debian.org/go-team/packages/opensnitch.git
+Homepage: https://github.com/evilsocket/opensnitch
+Rules-Requires-Root: no
+XS-Go-Import-Path: github.com/evilsocket/opensnitch
+
+Package: opensnitch
+Section: net
+Architecture: any
+Depends:
+ ${misc:Depends},
+ ${shlibs:Depends},
+Recommends: python3-opensnitch-ui
+Built-Using: ${misc:Built-Using}
+Description: GNU/Linux interactive application firewall
+ Whenever a program makes a connection, it'll prompt the user to allow or deny
+ it.
+ .
+ The user can decide if block the outgoing connection based on properties of
+ the connection: by port, by uid, by dst ip, by program or a combination
+ of them.
+ .
+ These rules can last forever, until the app restart or just one time.
+ .
+ The GUI allows the user to view live outgoing connections, as well as search
+ by process, user, host or port.
+ .
+ OpenSnitch can also work as a system-wide domains blocker, by using lists
+ of domains, list of IPs or list of regular expressions.
+
+
+Package: python3-opensnitch-ui
+Architecture: all
+Section: net
+Depends:
+ ${misc:Depends},
+ ${shlibs:Depends},
+ libqt5sql5-sqlite,
+ python3-grpcio,
+ python3-notify2,
+ python3-pyinotify,
+ python3-pyqt5,
+ python3-pyqt5.qtsql,
+ python3-setuptools,
+ python3-six,
+ python3-slugify,
+ python3:any,
+ xdg-user-dirs,
+ gtk-update-icon-cache
+Recommends:
+ python3-pyasn
+Suggests: opensnitch
+Description: GNU/Linux interactive application firewall GUI
+ opensnitch-ui is a GUI for opensnitch written in Python.
+ It allows the user to view live outgoing connections, as well as search
+ for details of the intercepted connections.
+ .
+ The user can decide if block outgoing connections based on properties of
+ the connection: by port, by uid, by dst ip, by program or a combination
+ of them.
+ .
+ These rules can last forever, until restart the daemon or just one time.
+ .
+ OpenSnitch can also work as a system-wide domains blocker, by using lists
+ of domains, list of IPs or list of regular expressions.
--- /dev/null
+Format: https://www.debian.org/doc/packaging-manuals/copyright-format/1.0/
+Source: https://github.com/evilsocket/opensnitch
+Upstream-Contact: Gustavo Iñiguez Goia <gooffy1@gmail.com>
+Upstream-Name: opensnitch
+Files-Excluded:
+ Godeps/_workspace
+
+Files: *
+Copyright:
+ 2017-2018 evilsocket
+ 2019-2023 Gustavo Iñiguez Goia
+Comment: Debian packaging is licensed under the same terms as upstream
+License: GPL-3.0+
+ This program is free software; you can redistribute it
+ and/or modify it under the terms of the GNU General Public
+ License as published by the Free Software Foundation; either
+ version 3 of the License, or (at your option) any later
+ version.
+ .
+ This program is distributed in the hope that it will be
+ useful, but WITHOUT ANY WARRANTY; without even the implied
+ warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
+ PURPOSE. See the GNU General Public License for more
+ details.
+ .
+ You should have received a copy of the GNU General Public
+ License along with this program. If not, If not, see
+ http://www.gnu.org/licenses/.
+ .
+ On Debian systems, the full text of the GNU General Public
+ License version 3 can be found in the file
+ '/usr/share/common-licenses/GPL-3'.
+
+Files: ui/resources/io.github.evilsocket.opensnitch.appdata.xml
+Copyright:
+ 2023 Gustavo Iñiguez Goia
+License: FTL
+ The FreeType Project LICENSE
+ ----------------------------
+ .
+ 2006-Jan-27
+ .
+ Copyright 1996-2002, 2006 by
+ David Turner, Robert Wilhelm, and Werner Lemberg
+ .
+ .
+ .
+ Introduction
+ ============
+ .
+ The FreeType Project is distributed in several archive packages;
+ some of them may contain, in addition to the FreeType font engine,
+ various tools and contributions which rely on, or relate to, the
+ FreeType Project.
+ .
+ This license applies to all files found in such packages, and
+ which do not fall under their own explicit license. The license
+ affects thus the FreeType font engine, the test programs,
+ documentation and makefiles, at the very least.
+ .
+ This license was inspired by the BSD, Artistic, and IJG
+ (Independent JPEG Group) licenses, which all encourage inclusion
+ and use of free software in commercial and freeware products
+ alike. As a consequence, its main points are that:
+ .
+ o We don't promise that this software works. However, we will be
+ interested in any kind of bug reports. (`as is' distribution)
+ .
+ o You can use this software for whatever you want, in parts or
+ full form, without having to pay us. (`royalty-free' usage)
+ .
+ o You may not pretend that you wrote this software. If you use
+ it, or only parts of it, in a program, you must acknowledge
+ somewhere in your documentation that you have used the
+ FreeType code. (`credits')
+ .
+ We specifically permit and encourage the inclusion of this
+ software, with or without modifications, in commercial products.
+ We disclaim all warranties covering The FreeType Project and
+ assume no liability related to The FreeType Project.
+ .
+ .
+ Finally, many people asked us for a preferred form for a
+ credit/disclaimer to use in compliance with this license. We thus
+ encourage you to use the following text:
+ .
+ """
+ Portions of this software are copyright © <year> The FreeType
+ Project (www.freetype.org). All rights reserved.
+ """
+ .
+ Please replace <year> with the value from the FreeType version you
+ actually use.
+ .
+ .
+ Legal Terms
+ ===========
+ .
+ 0. Definitions
+ --------------
+ .
+ Throughout this license, the terms `package', `FreeType Project',
+ and `FreeType archive' refer to the set of files originally
+ distributed by the authors (David Turner, Robert Wilhelm, and
+ Werner Lemberg) as the `FreeType Project', be they named as alpha,
+ beta or final release.
+ .
+ `You' refers to the licensee, or person using the project, where
+ `using' is a generic term including compiling the project's source
+ code as well as linking it to form a `program' or `executable'.
+ This program is referred to as `a program using the FreeType
+ engine'.
+ .
+ This license applies to all files distributed in the original
+ FreeType Project, including all source code, binaries and
+ documentation, unless otherwise stated in the file in its
+ original, unmodified form as distributed in the original archive.
+ If you are unsure whether or not a particular file is covered by
+ this license, you must contact us to verify this.
+ .
+ The FreeType Project is copyright (C) 1996-2000 by David Turner,
+ Robert Wilhelm, and Werner Lemberg. All rights reserved except as
+ specified below.
+ .
+ 1. No Warranty
+ --------------
+ .
+ THE FREETYPE PROJECT IS PROVIDED `AS IS' WITHOUT WARRANTY OF ANY
+ KIND, EITHER EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO,
+ WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ PURPOSE. IN NO EVENT WILL ANY OF THE AUTHORS OR COPYRIGHT HOLDERS
+ BE LIABLE FOR ANY DAMAGES CAUSED BY THE USE OR THE INABILITY TO
+ USE, OF THE FREETYPE PROJECT.
+ .
+ 2. Redistribution
+ -----------------
+ .
+ This license grants a worldwide, royalty-free, perpetual and
+ irrevocable right and license to use, execute, perform, compile,
+ display, copy, create derivative works of, distribute and
+ sublicense the FreeType Project (in both source and object code
+ forms) and derivative works thereof for any purpose; and to
+ authorize others to exercise some or all of the rights granted
+ herein, subject to the following conditions:
+ .
+ o Redistribution of source code must retain this license file
+ (`FTL.TXT') unaltered; any additions, deletions or changes to
+ the original files must be clearly indicated in accompanying
+ documentation. The copyright notices of the unaltered,
+ original files must be preserved in all copies of source
+ files.
+ .
+ o Redistribution in binary form must provide a disclaimer that
+ states that the software is based in part of the work of the
+ FreeType Team, in the distribution documentation. We also
+ encourage you to put an URL to the FreeType web page in your
+ documentation, though this isn't mandatory.
+ .
+ These conditions apply to any software derived from or based on
+ the FreeType Project, not just the unmodified files. If you use
+ our work, you must acknowledge us. However, no fee need be paid
+ to us.
+ .
+ 3. Advertising
+ --------------
+ .
+ Neither the FreeType authors and contributors nor you shall use
+ the name of the other for commercial, advertising, or promotional
+ purposes without specific prior written permission.
+ .
+ We suggest, but do not require, that you use one or more of the
+ following phrases to refer to this software in your documentation
+ or advertising materials: `FreeType Project', `FreeType Engine',
+ `FreeType library', or `FreeType Distribution'.
+ .
+ As you have not signed this license, you are not required to
+ accept it. However, as the FreeType Project is copyrighted
+ material, only this license, or another one contracted with the
+ authors, grants you the right to use, distribute, and modify it.
+ Therefore, by using, distributing, or modifying the FreeType
+ Project, you indicate that you understand and accept all the terms
+ of this license.
+ .
+ 4. Contacts
+ -----------
+ .
+ There are two mailing lists related to FreeType:
+ .
+ o freetype@nongnu.org
+ .
+ Discusses general use and applications of FreeType, as well as
+ future and wanted additions to the library and distribution.
+ If you are looking for support, start in this list if you
+ haven't found anything to help you in the documentation.
+ .
+ o freetype-devel@nongnu.org
+ .
+ Discusses bugs, as well as engine internals, design issues,
+ specific licenses, porting, etc.
+ .
+ Our home page can be found at
+ .
+ https://www.freetype.org
--- /dev/null
+[DEFAULT]
+pristine-tar = True
--- /dev/null
+# auto-generated, DO NOT MODIFY.
+# The authoritative copy of this file lives at:
+# https://salsa.debian.org/go-team/ci/blob/master/config/gitlabciyml.go
+
+# TODO: publish under debian-go-team/ci
+image: stapelberg/ci2
+
+test_the_archive:
+ artifacts:
+ paths:
+ - before-applying-commit.json
+ - after-applying-commit.json
+ script:
+ # Create an overlay to discard writes to /srv/gopath/src after the build:
+ - "rm -rf /cache/overlay/{upper,work}"
+ - "mkdir -p /cache/overlay/{upper,work}"
+ - "mount -t overlay overlay -o lowerdir=/srv/gopath/src,upperdir=/cache/overlay/upper,workdir=/cache/overlay/work /srv/gopath/src"
+ - "export GOPATH=/srv/gopath"
+ - "export GOCACHE=/cache/go"
+ # Build the world as-is:
+ - "ci-build -exemptions=/var/lib/ci-build/exemptions.json > before-applying-commit.json"
+ # Copy this package into the overlay:
+ - "GBP_CONF_FILES=:debian/gbp.conf gbp buildpackage --git-no-pristine-tar --git-ignore-branch --git-ignore-new --git-export-dir=/tmp/export --git-no-overlay --git-tarball-dir=/nonexistant --git-cleaner=/bin/true --git-builder='dpkg-buildpackage -S -d --no-sign'"
+ - "pgt-gopath -dsc /tmp/export/*.dsc"
+ # Rebuild the world:
+ - "ci-build -exemptions=/var/lib/ci-build/exemptions.json > after-applying-commit.json"
+ - "ci-diff before-applying-commit.json after-applying-commit.json"
--- /dev/null
+.\" Copyright (c) 2023 Gustavo Iñiguez Goya <gustavo.iniguez.goya@gmail.com>
+.\" All rights reserved.
+.\"
+.\" SPDX-License-Identifier: GPL-3.0-or-later
+.de CW
+.sp
+.in +4n
+.nf
+.ft CW
+..
+.de CE
+.ft R
+.fi
+.in
+.sp
+..
+.\" Like .OP, but with ellipsis at the end in order to signify that option
+.\" can be provided multiple times. Based on .OP definition in groff's
+.\" an-ext.tmac.
+.de OM
+. ie \\n(.$-1 \
+. RI "[\fB\\$1\fP" "\ \\$2" "]...\&"
+. el \
+. RB "[" "\\$1" "]...\&"
+..
+.\" Required option.
+.de OR
+. ie \\n(.$-1 \
+. RI "\fB\\$1\fP" "\ \\$2"
+. el \
+. BR "\\$1"
+..
+.TH OPENSNITCH-UI 1 "2023-02-12" "opensnitchd 1.5.6"
+.SH NAME
+opensnitch-ui \- GNU/Linux interactive firewall application
+.SH SYNOPSIS
+.SY opensnitch-ui
+.OP \-\-socket path
+.OP \-\-max-clients num
+.YS
+.SH DESCRIPTION
+.LP
+opensnitch-ui is the OpenSnitch GUI to view events intercepted by the daemon,
+and to manage the rules.
+The GUI is composed of 2 components in the same script: a server and a GUI.
+Once the GUI is launched, an icon will appear on the system tray.
+If the system tray is not available or can't be used, the Events dialog will
+be launched.
+.LP
+The GUI (i.e.: the server) will listen for new connections from daemons. You
+can have the daemon installed on multiple machines, and manage them from a
+centralized GUI. https://github.com/evilsocket/opensnitch/wiki/Nodes
+.LP
+.SH OPTIONS
+.TP
+.BI "\--socket " path
+Specifies the path or network address where the GUI (i.e.: the server) will
+listen on.
+.PP
+ Examples:
+.PP
+ Default: unix:///tmp/osui.sock
+.PP
+ - Listening on a Unix socket:
+ $ opensnitch-ui --socket unix:///tmp/osui.sock
+ * Use unix:///run/user/YOUR_USER_ID/opensnitch/osui.sock for better privacy.
+.PP
+ - Listening on port 50051, all interfaces:
+ $ opensnitch-ui --socket "[::]:50051"
+.TP
+.BI "\--max-clients " num
+Maximum number of clients to allow (default: 10).
+.SH FILES
+.I /home/$USER/.config/opensnitch/
+.RS
+Path of the GUI configuration.
+.RE
+.SH DIAGNOSTICS
+If something goes wrong, like a crash, launch the GUI from a shell to view debugging messages:
+.LP
+.RS
+$ opensnitch-ui
+.RE
+.SH REPORTING BUGS
+Problems with
+.B opensnitch-ui
+should be reported on github https://github.com/evilsocket/opensnitch/issues
+.UR https://github.com/evilsocket/opensnitch/issues
+.SH "SEE ALSO"
+.PP
+.UR https://github.com/evilsocket/opensnitch
+.B OpenSnitch
+Home Page
+.UE
+.LP
+.SH HISTORY
+.B OpenSnitch
+was originally written by Simone Margaritelli (evilsocket) in 2017-2018.
+.LP
+In 2019, after some time of inactivity, Gustavo Iñiguez Goya started
+contributing, fixing bugs and adding new functionality, with
+the esential help of the community, and valuable contributions from themighty1 and
+calesanz among others.
+.SH AUTHORS
+The complete list of
+.B OpenSnitch
+contributors can be found on https://github.com/evilsocket/opensnitch
--- /dev/null
+.\" Copyright (c) 2023 Gustavo Iñiguez Goya <gustavo.iniguez.goya@gmail.com>
+.\" All rights reserved.
+.\"
+.\" SPDX-License-Identifier: GPL-3.0-or-later
+.de CW
+.sp
+.in +4n
+.nf
+.ft CW
+..
+.de CE
+.ft R
+.fi
+.in
+.sp
+..
+.\" Like .OP, but with ellipsis at the end in order to signify that option
+.\" can be provided multiple times. Based on .OP definition in groff's
+.\" an-ext.tmac.
+.de OM
+. ie \\n(.$-1 \
+. RI "[\fB\\$1\fP" "\ \\$2" "]...\&"
+. el \
+. RB "[" "\\$1" "]...\&"
+..
+.\" Required option.
+.de OR
+. ie \\n(.$-1 \
+. RI "\fB\\$1\fP" "\ \\$2"
+. el \
+. BR "\\$1"
+..
+.TH OPENSNITCHD 1 "2023-02-12" "opensnitchd 1.5.6"
+.SH NAME
+opensnitchd \- GNU/Linux interactive firewall application
+.SH SYNOPSIS
+.SY opensnitchd
+.OP \-rules-path path
+.OP \-cpu-profile path
+.OP \-debug
+.OP \-error
+.OP \-warning
+.OP \-important
+.OM \-log-file path
+.OM \-mem-profile path
+.OP \-no-live-reload
+.OM \-process-monitor-method name
+.OM \-queue-num num
+.OM \-ui-socket path
+.OP \-version
+.OM \-workers num
+.YS
+.SH DESCRIPTION
+.LP
+opensnitchd is the OpenSnitch agent that intercepts outbound connections,
+and send them to the server. The server can be a GUI, a TUI, or a
+.I headless
+component to just log the network activity (a SIEM for example).
+By default it'll allow all connections, creating temporal rules for you
+so you can review them later.
+.LP
+.SH OPTIONS
+.TP
+.BI "\-rules-path " path
+Specifies where the rules will be written to. Default "rules".
+.TP
+.BI "\-cpu-profile " path
+A file path where the CPU data for later use will be written.
+.TP
+.BI "\-debug"
+Set LogLevel to DEBUG.
+.TP
+.BI "\-warning"
+Set LogLevel to WARNING.
+.TP
+.BI "\-important"
+Set LogLevel to IMPORTANT.
+.TP
+.BI "\-log-file " path
+A file path where the logs will be written to. This path can be a device file,
+like /dev/stdout to print logs to standard output.
+.TP
+.BI "\-mem-profile " path
+A file path where the memory data will be written once the daemon exits.
+.TP
+.BI "\-no-live-reload"
+By default daemon's rules and configuration is reloaded whenever it changes.
+This option disables this feature.
+.TP
+.BI "\-process-monitor-method " method
+Force process monitor method, overriding what is defined in the configuration.
+Valid methods: ebpf, audit, proc
+.TP
+.BI "\-queue-num " num
+Force to use this netfilter queue num. The default queue number is 0, but if
+it's already used by other software, you can set another queue number here.
+.TP
+.BI "\-ui-socket " path
+Force to use this socket path, instead of the one defined in the configuration.
+The path format is unix:///path/to/socket.sock or ip:port ("127.0.0.1:50051")
+.RS
+(https://github.com/grpc/grpc/blob/master/doc/naming.md)
+.RE
+.TP
+.BI "\-version"
+Prints out daemon version.
+.TP
+.BI "\-workers " num
+Change maximum number of workers to process outbound connections.
+By default 16 workers are launched, but if it's not enough increase this number.
+.SH FILES
+.I /etc/opensnitchd/rules/
+.RS
+Default daemon directory rules.
+.RE
+.I /etc/opensnitchd/default-config.json
+.RS
+Default daemon configuration.
+.RE
+.I /etc/opensnitchd/system-fw.json
+.RS
+Configuration of system firewall rules (iptables/nftables).
+.TP
+Firewall rules defined here bypasses OpenSnitch interception. Use it to allow VPNs or other services.
+.SH DIAGNOSTICS
+OpenSnitch needs at least one firewall rule to intercept outbound connections:
+.LP
+iptables -t mangle -L OUTPUT | grep NFQUEUE
+.RS
+NFQUEUE all -- anywhere anywhere ctstate NEW,RELATED NFQUEUE num 0 bypass
+.RE
+.LP
+If you suspect that OpenSnitch blocks an application and doesn't prompt you to allow or deny it,
+using the GUI enable the option
+.I [x] Debug invalid connections
+under Preferences -> Nodes.
+Or set the configuration option
+.B InterceptUnknown
+to true.
+.LP
+.I Tip:
+You can also add rules to the file /etc/opensnitchd/system-fw.json, to allow network services without being intercepted by the daemon.
+.LP
+Another way of debugging errors is by launching the daemon from the command line:
+.IP
+.PD 0
+.IP 1. 4
+Set LogLevel to DEBUG under Preferences -> Nodes (or LogLevel to 0 in the configuration)
+.IP 2. 4
+Stop the daemon: systemctl stop opensnitch
+.IP 3. 4
+Launch it from cli: /usr/bin/opensnitchd -rules-path /etc/opensnitchd/rules/
+.PD
+.LP
+.SH REPORTING BUGS
+Problems with
+.B opensnitchd
+should be reported on github https://github.com/evilsocket/opensnitch/issues
+.UR https://github.com/evilsocket/opensnitch/issues
+.SH HISTORY
+.B OpenSnitch
+was originally written by Simone Margaritelli (evilsocket) in 2017-2018.
+.LP
+In 2019, after some time of inactivity, Gustavo Iñiguez Goya started
+contributing, fixing bugs and adding new functionality, with
+the esential help of the community, and valuable contributions from themighty1 and
+calesanz among others.
+.SH "SEE ALSO"
+.PP
+.UR https://github.com/evilsocket/opensnitch
+.B OpenSnitch
+Home Page
+.UE
+.SH AUTHORS
+The complete list of
+.B OpenSnitch
+contributors can be found on https://github.com/evilsocket/opensnitch
--- /dev/null
+#!/bin/sh
+
+### BEGIN INIT INFO
+# Provides: opensnitchd
+# Required-Start: $network $local_fs
+# Required-Stop: $network $local_fs
+# Default-Start: 2 3 4 5
+# Default-Stop: 0 1 6
+# Short-Description: opensnitchd daemon
+# Description: opensnitch application firewall
+### END INIT INFO
+
+NAME=opensnitchd
+PIDDIR=/var/run/$NAME
+OPENSNITCHDPID=$PIDDIR/$NAME.pid
+
+# clear conflicting settings from the environment
+unset TMPDIR
+
+test -x /usr/bin/$NAME || exit 0
+
+. /lib/lsb/init-functions
+
+case $1 in
+ start)
+ log_daemon_msg "Starting opensnitch daemon" $NAME
+ if [ ! -d /etc/$NAME/rules ]; then
+ mkdir -p /etc/$NAME/rules &>/dev/null
+ fi
+
+ # Make sure we have our PIDDIR, even if it's on a tmpfs
+ install -o root -g root -m 755 -d $PIDDIR
+
+ if ! start-stop-daemon --start --quiet --oknodo --pidfile $OPENSNITCHDPID --background --exec /usr/bin/$NAME -- -rules-path /etc/$NAME/rules; then
+ log_end_msg 1
+ exit 1
+ fi
+
+ log_end_msg 0
+ ;;
+ stop)
+
+ log_daemon_msg "Stopping $NAME daemon" $NAME
+
+ start-stop-daemon --stop --quiet --signal QUIT --name $NAME
+ # Wait a little and remove stale PID file
+ sleep 1
+ if [ -f $OPENSNITCHDPID ] && ! ps h `cat $OPENSNITCHDPID` > /dev/null
+ then
+ rm -f $OPENSNITCHDPID
+ fi
+
+ log_end_msg 0
+
+ ;;
+ reload)
+ log_daemon_msg "Reloading $NAME" $NAME
+
+ start-stop-daemon --stop --quiet --signal HUP --pidfile $OPENSNITCHDPID
+
+ log_end_msg 0
+ ;;
+ restart|force-reload)
+ $0 stop
+ sleep 1
+ $0 start
+ ;;
+ status)
+ status_of_proc /usr/bin/$NAME $NAME
+ exit $?
+ ;;
+ *)
+ echo "Usage: /etc/init.d/opensnitchd {start|stop|reload|restart|force-reload|status}"
+ exit 1
+ ;;
+esac
+
+exit 0
--- /dev/null
+daemon/default-config.json etc/opensnitchd/
+daemon/system-fw.json etc/opensnitchd/
+#ebpf_prog/opensnitch.o etc/opensnitchd/
--- /dev/null
+/var/log/opensnitchd.log {
+ rotate 7
+# order of the fields is important
+ maxsize 50M
+# we need this option in order to keep logging
+ copytruncate
+ missingok
+ notifempty
+ delaycompress
+ compress
+ create 640 root root
+ weekly
+}
--- /dev/null
+debian/man/opensnitchd.1
--- /dev/null
+[Unit]
+Description=OpenSnitch is a GNU/Linux application firewall.
+Documentation=https://github.com/gustavo-iniguez-goya/opensnitch/wiki
+Wants=network.target
+After=network.target
+
+[Service]
+Type=simple
+PermissionsStartOnly=true
+ExecStartPre=/bin/mkdir -p /etc/opensnitchd/rules
+ExecStart=/usr/bin/opensnitchd -rules-path /etc/opensnitchd/rules
+Restart=always
+RestartSec=30
+
+[Install]
+WantedBy=multi-user.target
--- /dev/null
+debian/man/opensnitch-ui.1
--- /dev/null
+#!/bin/sh
+set -e
+
+autostart_by_default()
+{
+ deskfile=/etc/xdg/autostart/opensnitch_ui.desktop
+ if [ -d /etc/xdg/autostart -a ! -h $deskfile -a ! -f $deskfile ]; then
+ ln -s /usr/share/applications/opensnitch_ui.desktop /etc/xdg/autostart/
+ fi
+}
+
+if command -v gtk-update-icon-cache >/dev/null && test -f /usr/share/icons/hicolor/index.theme ; then
+ gtk-update-icon-cache --quiet /usr/share/icons/hicolor/
+fi
+
+case "$1" in
+ configure)
+ # first install
+ if [ -z $2 ]; then
+ autostart_by_default
+ elif dpkg --compare-versions "$2" le "1.5.7-2"; then
+ autostart_by_default
+ fi
+ ;;
+esac
+
+#DEBHELPER#
--- /dev/null
+#!/bin/sh
+set -e
+
+case "$1" in
+ purge)
+ deskfile=/etc/xdg/autostart/opensnitch_ui.desktop
+ if [ -f $deskfile -o -h $deskfile ];then
+ rm -f /etc/xdg/autostart/opensnitch_ui.desktop
+ fi
+ ;;
+ remove)
+ pkill -15 opensnitch-ui || true
+ ;;
+esac
+
+#DEBHELPER#
--- /dev/null
+#!/usr/bin/make -f
+export DH_VERBOSE = 1
+export DESTDIR := $(shell pwd)/debian/opensnitch
+export UIDESTDIR := $(shell pwd)/debian/python3-opensnitch-ui
+
+override_dh_installsystemd:
+ dh_installsystemd --restart-after-upgrade
+
+override_dh_auto_build:
+ $(MAKE) protocol
+# Workaround for Go build problem when building in _build
+ mkdir -p _build/src/github.com/evilsocket/opensnitch/daemon/ui/protocol/
+ cp daemon/ui/protocol/* _build/src/github.com/evilsocket/opensnitch/daemon/ui/protocol/
+ dh_auto_build
+ cd ui && python3 setup.py build --force
+
+override_dh_auto_install:
+# daemon
+ mkdir -p $(DESTDIR)/usr/bin
+ cp _build/bin/daemon $(DESTDIR)/usr/bin/opensnitchd
+# GUI
+ make -C ui/i18n
+ cp -r ui/i18n/locales/ ui/opensnitch/i18n/
+ pyrcc5 -o ui/opensnitch/resources_rc.py ui/opensnitch/res/resources.qrc
+ sed -i 's/^import ui_pb2/from . import ui_pb2/' ui/opensnitch/ui_pb2*
+ cd ui && python3 setup.py install --force --root=$(UIDESTDIR) --no-compile -O0 --install-layout=deb
+
+# daemon
+ dh_auto_install
+
+%:
+ dh $@ --builddirectory=_build --buildsystem=golang --with=golang,python3
+
+override_dh_auto_clean:
+ dh_auto_clean
+ $(MAKE) clean
+ $(RM) ui/opensnitch/resources_rc.py
+ $(RM) -r ui/opensnitch/i18n/
+ $(RM) ui/i18n/locales/*/*.qm
+ cd ui && python3 setup.py clean -a
+ $(RM) -r ui/opensnitch_ui.egg-info/
+ find ui -name \*.pyc -exec rm {} \;
--- /dev/null
+3.0 (quilt)
--- /dev/null
+extend-diff-ignore="\.egg-info$"
\ No newline at end of file
--- /dev/null
+Tests: test-resources.sh
+Depends: opensnitch
+Restrictions: superficial
+
+Tests: test-fw-rules.sh
+Depends: iptables, nftables, opensnitch
+Restrictions: needs-root
--- /dev/null
+#!/bin/sh
+set -e
+
+# for some reason, go.exec.LookPath() fails to obtain the path of iptables
+# on the ci environment, even if $PATH is set correctly.
+echo "[+] PATH: $PATH"
+
+log="/var/log/opensnitchd.log"
+
+if [ -f /proc/modules ]; then
+ echo "[+] loaded modules:"
+ cat /proc/modules
+fi
+
+if [ -f $log ]; then
+ echo "[+] opensnitchd log:"
+ cat $log
+fi
+if grep "iptables not available" $log >/dev/null; then
+ echo "[!] iptables not available, falling back to nftables"
+ nft list ruleset | grep "ct state related,new queue flags bypass to 0"
+ echo "[+] Interception rule (nftables): OK"
+else
+ /usr/sbin/iptables -t mangle -L OUTPUT
+ /usr/sbin/iptables -t mangle -L OUTPUT | grep "NFQUEUE.*ctstate NEW,RELATED.*NFQUEUE num.*bypass"
+ echo "[+] Interception rule (iptables): OK"
+fi
--- /dev/null
+#!/bin/sh
+set -e
+
+ophome="/etc/opensnitchd"
+
+ls -dl $ophome 1>/dev/null
+echo "installed OK: $ophome"
+ls -l $ophome/system-fw.json 1>/dev/null
+echo "installed OK: $ophome/system-fw.json"
+ls -l $ophome/default-config.json 1>/dev/null
+echo "installed OK: $ophome/default-config.json"
+ls -dl $ophome/rules 1>/dev/null
+echo "installed OK: $ophome/rules/"
--- /dev/null
+---
+Name: opensnitch
+Bug-Database: https://github.com/evilsocket/opensnitch/issues
+Bug-Submit: https://github.com/evilsocket/opensnitch/issues/new
+Contact: Gustavo Iñiguez Goia <gooffy1@gmail.com>
+Documentation: https://github.com/evilsocket/opensnitch/wiki
+CPE: cpe:/a:evilsocket:opensnitch
+Repository: https://github.com/evilsocket/opensnitch.git
+Repository-Browse: https://github.com/evilsocket/opensnitch
--- /dev/null
+version=4
+opts=filenamemangle=s/.+\/v?(\d\S*)\.tar\.gz/opensnitch-\$1\.tar\.gz/,\
+uversionmangle=s/(\d)[_\.\-\+]?(RC|rc|pre|dev|beta|alpha)[.]?(\d*)$/\$1~\$2\$3/ \
+ https://github.com/evilsocket/opensnitch/tags .*/v?(\d\S*)\.tar\.gz
projects / opensnitch.git / commitdiff