--- /dev/null
--- /dev/null
++opensnitch for Debian
++---------------------
++
++In order to build the packages from sources using gbp:
++
++ 1. git clone https://salsa.debian.org/go-team/packages/opensnitch.git
++ 2. cd opensnitch/ ; git checkout debian/sid
++ 3. origtargz
++
++ it'll download upstream sources according to the d/changelog
++ version, and the upstream tag if it exists.
++
++ 4. gbp buildpackage --git-tarball-dir=../ --git-no-pristine-tar
++
++ Follow the new debian-go's workflow,
++ https://go-team.pages.debian.net/workflow-changes.html#wf-2017-11-pristine-tar
++
++ -- Petter Reinholdtsen <pere@debian.org> Thu, 15 May 2025 08:39:51 +0200
--- /dev/null
--- /dev/null
++opensnitch (1.6.9-3) unstable; urgency=medium
++
++ * Added python3-packaging as runtime dependency for
++ python3-opensnitch-ui, seem to need it.
++ * Corrected name of README.sources and updated to reflect new
++ reality.
++
++ -- Petter Reinholdtsen <pere@debian.org> Tue, 24 Jun 2025 07:47:33 +0200
++
++opensnitch (1.6.9-2) unstable; urgency=medium
++
++ * Team upload.
++
++ * Told lintian to accept EBPF objects in package.
++
++ -- Petter Reinholdtsen <pere@debian.org> Sat, 03 May 2025 05:50:32 +0200
++
++opensnitch (1.6.9-1) experimental; urgency=medium
++
++ * Team upload.
++
++ * New upstream release 1.6.9.
++ * Removed upstreamed patches:
++ - 0000-ui-finally-service.patch
++ - 0020-unknown-rules-operator-crash.patch
++ - 0030-daemon-visible-version.patch
++ - 0040-delete-all-generated-protobuffers-with-make-clean.patch
++ - 0050-allow-to-configure-GC-percentage.patch
++ - 0060-make-connections-flushing-configurable.patch
++
++ -- Petter Reinholdtsen <pere@debian.org> Tue, 29 Apr 2025 07:35:00 +0200
++
++opensnitch (1.6.8-11) unstable; urgency=medium
++
++ * Team upload.
++
++ * Corrected typo in patch metadata.
++
++ -- Petter Reinholdtsen <pere@debian.org> Tue, 29 Apr 2025 07:20:39 +0200
++
++opensnitch (1.6.8-10) experimental; urgency=medium
++
++ * Team upload.
++
++ * Added 1050-ebpf-s390x.patch to fix ebpf build problem on s390x.
++ * Renamed to 0030-daemon-visible-version.patch as this patch
++ is from upstream now.
++ * Removed already dropped 0010-experimental-1.5.9.1.patch.
++ * Added three patches from the upstream 1.6.0 branch.
++ * Changed opensnitch package behaviour to not reset TCP connections on
++ reload (Closes: #1103496).
++
++ -- Petter Reinholdtsen <pere@debian.org> Sat, 26 Apr 2025 07:45:17 +0200
++
++opensnitch (1.6.8-9) experimental; urgency=medium
++
++ * Team upoad.
++
++ * Added 2000-apt-not-pip.patch to recommend apt over pip.
++ * Passed patches upstream and introduced patch naming scheme.
++ * Added 1030-systemd-service-earlier.patch to start service earlier
++ and protect it from kernel OOM killer.
++ * Added 1040-daemon-visible-version.patch to correct visible daemon
++ version.
++ * Added 0020-unknown-rules-operator-crash.patch from upstream.
++ * Added needrestart conf to avoid opensnitch restarts.
++ * Added debian branch name to d/gbp.conf.
++
++ -- Petter Reinholdtsen <pere@debian.org> Thu, 24 Apr 2025 06:50:04 +0200
++
++opensnitch (1.6.8-8) unstable; urgency=medium
++
++ * Team upload.
++
++ * Made test-fw-rules.sh autopkgtest check more robust
++ and updated it to only look for nftables.
++
++ -- Petter Reinholdtsen <pere@debian.org> Fri, 18 Apr 2025 19:46:18 +0200
++
++opensnitch (1.6.8-7) unstable; urgency=medium
++
++ * Team upload.
++
++ * Upload to unstable.
++
++ -- Petter Reinholdtsen <pere@debian.org> Fri, 18 Apr 2025 01:32:00 +0200
++
++opensnitch (1.6.8-6) experimental; urgency=medium
++
++ * Team upload.
++
++ * Replaced uploaders, out with no longer active Gustavo Iñiguez Goya
++ and in with Charles Allhands and myself.
++ * Thank you, Gustavo, for the great initial work with this package.
++
++ -- Petter Reinholdtsen <pere@debian.org> Fri, 18 Apr 2025 00:38:08 +0200
++
++opensnitch (1.6.8-5) experimental; urgency=medium
++
++ * Team upload.
++
++ * Revert arch specific build dependency on golang-github-iovisor-gobpf-dev.
++ * Added 1010-ui-finally-service.patch to avoid python error on GUI exit.
++ * New upstream version available (Closes: #1051317).
++ * Uses corrected python regexes (Closes: #1085754).
++
++ -- Petter Reinholdtsen <pere@debian.org> Thu, 17 Apr 2025 16:34:43 +0200
++
++opensnitch (1.6.8-4) experimental; urgency=medium
++
++ * Team upload.
++
++ * Corrected linux header package name for armhf.
++ * Limit EBPF support to architectures provided by bpfcc.
++ * Adjusted opensnitch to only recommend opensnitch-ebpf-modules on archs
++ where it exist.
++ * Dropped incorrect runtime dependency on python3-setuptools
++ (Closes: #1095252).
++ * Dropped obsolete runtime dependency on python3-six (Closes: #1067722).
++
++ -- Petter Reinholdtsen <pere@debian.org> Thu, 17 Apr 2025 14:45:27 +0200
++
++opensnitch (1.6.8-3) experimental; urgency=medium
++
++ * Team upload.
++
++ * Switched to using kernel headers from debs, as local header copy
++ only worked on amd64.
++
++ -- Petter Reinholdtsen <pere@debian.org> Thu, 17 Apr 2025 12:54:58 +0200
++
++opensnitch (1.6.8-2) experimental; urgency=medium
++
++ * Team upload.
++
++ * Added missing golang-github-varlink-go-dev build dependency.
++
++ -- Petter Reinholdtsen <pere@debian.org> Thu, 17 Apr 2025 10:55:29 +0200
++
++opensnitch (1.6.8-1) experimental; urgency=medium
++
++ * Team upload.
++
++ * New upstream release.
++ * Updated Standards-Version from 4.6.2 to 4.7.2.
++ * List protoc-gen-go-1-3 as build depend alternative to protoc-gen-go-1-5
++ for easier backporting.
++
++ -- Petter Reinholdtsen <pere@debian.org> Thu, 17 Apr 2025 09:08:49 +0200
++
++opensnitch (1.5.9-4) experimental; urgency=medium
++
++ * Team upload.
++
++ * Added leftover build dependency protoc-gen-go-1-5.
++
++ -- Petter Reinholdtsen <pere@debian.org> Tue, 15 Apr 2025 06:18:52 +0200
++
++opensnitch (1.5.9-3) experimental; urgency=medium
++
++ * Team upload.
++
++ [ Gustavo Iñiguez Goya ]
++ * New upstream release.
++ * d/control: removed kernel headers dependency.
++
++ [ Petter Reinholdtsen ]
++ * Moved untagged upstream snapshot into 0010-experimental-1.5.9.1.patch.
++ * Adjusted build dependencies to work with current unstable.
++ * Correct roff notation for URLs in man pages.
++ * Renamed obsolete pkg-config build dependency to pkgconf.
++
++ -- Petter Reinholdtsen <pere@debian.org> Mon, 14 Apr 2025 18:43:07 +0200
++
++opensnitch (1.5.9-2) experimental; urgency=medium
++
++ [ Gustavo Iñiguez Goia ]
++ * d/control: fixed Build-Depends, kernel headers dep
++ * Upload sponsored by Petter Reinholdtsen.
++
++ -- Gustavo Iñiguez Goya <gustavo.iniguez.goya@gmail.com> Sat, 10 Jun 2023 00:08:25 +0200
++
++opensnitch (1.5.9-1) experimental; urgency=medium
++
++ * New upstream release.
++ * d/control:
++ - New package opensnitch-ebpf-modules.
++ * d/man/:
++ - Updated dates.
++ - New page opensnitch-ebpf-modules.1
++ * Added README.Debian.
++
++ * Upload sponsored by Petter Reinholdtsen.
++
++ -- Gustavo Iñiguez Goya <gustavo.iniguez.goya@gmail.com> Wed, 07 Jun 2023 23:18:40 +0200
++
++opensnitch (1.5.8.1-2) unstable; urgency=medium
++
++ * Team upload
++ * Update Build-Depends from golang-goprotobuf-dev to
++ golang-github-golang-protobuf-1-5-dev
++
++ -- Mathias Gibbens <gibmat@debian.org> Fri, 02 Aug 2024 07:08:08 +0000
++
++opensnitch (1.5.8.1-1) unstable; urgency=medium
++
++ * New upstream release.
++ * Upload sponsored by Petter Reinholdtsen.
++
++ -- Gustavo Iñiguez Goya <gustavo.iniguez.goya@gmail.com> Mon, 06 Mar 2023 12:37:24 +0100
++
++opensnitch (1.5.8-2) unstable; urgency=medium
++
++ * Upload to unstable.
++ * Upload sponsored by Petter Reinholdtsen.
++
++ -- Gustavo Iñiguez Goya <gustavo.iniguez.goya@gmail.com> Tue, 21 Feb 2023 21:26:21 +0100
++
++opensnitch (1.5.8-1) experimental; urgency=medium
++
++ * New upstream release.
++
++ [ Gustavo Iñiguez Goia ]
++ * ui: added 64x64 icon.
++ * Added missing entry for GUI manual page.
++ * Updated appstream Summary field.
++ * Removed ftrace dependency from d/control.
++ * ui: updated appstream Summary field.
++ * Updated d/control Description.
++
++ [ Petter Reinholdtsen ]
++ * Added appstream content rating, no restrictions.
++ * Corrected appstream icon name.
++ * Documented appstream metadata license in d/copyright.
++ * Place manual pages in correct packages.
++
++ * Upload sponsored by Petter Reinholdtsen.
++
++ -- Gustavo Iñiguez Goya <gustavo.iniguez.goya@gmail.com> Sun, 19 Feb 2023 10:26:46 +0100
++
++opensnitch (1.5.7-3) experimental; urgency=medium
++
++ [ Gustavo Iñiguez Goia ]
++ * fixed /etc/xdg/autostart/ link
++
++ * Upload sponsored by Petter Reinholdtsen.
++
++ -- Gustavo Iñiguez Goya <gustavo.iniguez.goya@gmail.com> Wed, 15 Feb 2023 22:41:19 +0100
++
++opensnitch (1.5.7-2) experimental; urgency=medium
++
++ [ Gustavo Iñiguez Goia ]
++ * added opensnitchd manual page
++ * added new manual page, updated opensnitchd.1
++ * improved debian/tests/
++
++ * Upload sponsored by Petter Reinholdtsen.
++
++ -- Gustavo Iñiguez Goya <gustavo.iniguez.goya@gmail.com> Mon, 13 Feb 2023 12:43:19 +0100
++
++opensnitch (1.5.7-1) unstable; urgency=medium
++
++ * New upstream release
++
++ [ Gustavo Iñiguez Goia ]
++ * Set test-fw-rules.sh as flaky.
++ * Make test-fw-rules.sh more verbose.
++
++ [ Petter Reinholdtsen ]
++ * Fixed typo in nb comment of desktop file.
++ * Added appstream desktop category to metadata XML.
++
++ * Upload sponsored by Petter Reinholdtsen.
++
++ -- Gustavo Iñiguez Goya <gustavo.iniguez.goya@gmail.com> Fri, 10 Feb 2023 13:28:23 +0100
++
++opensnitch (1.5.6-1) unstable; urgency=medium
++
++ * New upstream release
++
++ [ Gustavo Iñiguez Goia ]
++ * tests: removed Architecture: restriction
++ * changed Maintainer: field to team+pkg-go
++ * added new test
++ * added Uploaders field
++ * updated Vcs* fields
++
++ [ Petter Reinholdtsen ]
++ * Added Debian package relation between opensnitch and
++ python3-opensnitch-ui.
++ * Handle autopkgtest scripts differently, as they have different
++ requirements.
++
++ * Upload sponsored by Petter Reinholdtsen.
++
++ -- Gustavo Iñiguez Goya <gustavo.iniguez.goya@gmail.com> Tue, 07 Feb 2023 21:29:48 +0100
++
++opensnitch (1.5.5-1) unstable; urgency=medium
++
++ * New upstream release.
++ * Bump Standards-Version to 4.6.2.
++ * Upload sponsored by Petter Reinholdtsen.
++
++ -- Gustavo Iñiguez Goya <gustavo.iniguez.goya@gmail.com> Wed, 01 Feb 2023 22:37:12 +0100
++
++opensnitch (1.5.4-1) unstable; urgency=high
++
++ * New upstream release. (Closes: #1030115)
++ * debian/control:
++ - Updated packages description.
++ - Removed debconf and whiptail|dialog dependencies.
++ - Added xdg-user-dirs, gtk-update-icon-cache dependencies.
++ - Point Vcs-Git field to the 1.5.0 branch.
++ * debian/postinst:
++ - Fixed opensnitch_ui.desktop installation.
++ - Fixed updating icons cache.
++ * debian/postrm:
++ - Fixed removing opensnitch_ui.desktop
++ * debian/tests/:
++ - Added autopkgtests.
++ * Upload sponsored by Petter Reinholdtsen.
++
++ -- Gustavo Iñiguez Goya <gustavo.iniguez.goya@gmail.com> Tue, 31 Jan 2023 23:48:58 +0100
++
++opensnitch (1.5.3-1) unstable; urgency=medium
++
++ * Added debian/upstream/metadata.
++ * Updated Homepage url.
++ * Updated Copyright years.
++
++ -- Gustavo-Iniguez-Goya <gustavo.iniguez.goya@gmail.com> Sun, 22 Jan 2023 21:30:45 +0100
++
++opensnitch (1.5.2.1-1) unstable; urgency=medium
++
++ * Initial release. (Closes: #909567)
++
++ -- Gustavo-Iniguez-Goya <gustavo.iniguez.goya@gmail.com> Fri, 20 Jan 2023 22:26:40 +0000
++
++opensnitch (1.5.2-1) unstable; urgency=medium
++
++ * try to mount debugfs on boot up
++
++ -- gustavo-iniguez-goya <gustavo.iniguez.goya@gmail.com> Wed, 27 Jul 2022 17:29:33 +0200
++
++opensnitch (1.5.1-1) unstable; urgency=medium
++
++ * Better eBPF cache.
++ * Fixed error resolving domains to localhost.
++ * Fixed error deleting our nftables rules.
++
++ -- gustavo-iniguez-goya <gustavo.iniguez.goya@gmail.com> Fri, 25 Feb 2022 01:21:38 +0100
++
++opensnitch (1.5.0-1) unstable; urgency=medium
++
++ * New release.
++ * Added Reject option.
++ * New lists types to block ads/malware/...
++ * Better connections interception.
++ * Better VPNs handling.
++ * Bug fixes.
++
++ -- gustavo-iniguez-goya <gustavo.iniguez.goya@gmail.com> Fri, 28 Jan 2022 23:20:38 +0100
++
++opensnitch (1.5.0~rc2-1) unstable; urgency=medium
++
++ * Better connections interception.
++ * Improvements.
++
++ -- gustavo-iniguez-goya <gustavo.iniguez.goya@gmail.com> Sun, 16 Jan 2022 23:15:12 +0100
++
++opensnitch (1.5.0~rc1-1) unstable; urgency=medium
++
++ * New features.
++
++ -- gustavo-iniguez-goya <gustavo.iniguez.goya@gmail.com> Thu, 07 Oct 2021 14:57:35 +0200
++
++opensnitch (1.4.0-1) unstable; urgency=medium
++
++ * final release.
++
++ -- gustavo-iniguez-goya <gustavo.iniguez.goya@gmail.com> Fri, 27 Aug 2021 13:33:07 +0200
++
++opensnitch (1.4.0~rc4-1) unstable; urgency=medium
++
++ * Bug fix release.
++
++ -- gustavo-iniguez-goya <gooffy1@gmail.com> Wed, 11 Aug 2021 15:17:49 +0200
++
++opensnitch (1.4.0~rc3-1) unstable; urgency=medium
++
++ * Bug fix release.
++
++ -- gustavo-iniguez-goya <gooffy1@gmail.com> Fri, 16 Jul 2021 23:28:52 +0200
++
++opensnitch (1.4.0~rc2-1) unstable; urgency=medium
++
++ * Added eBPF support.
++ * Fixes and improvements.
++
++ -- gustavo-iniguez-goya <gooffy1@gmail.com> Fri, 07 May 2021 01:08:02 +0200
++
++opensnitch (1.4.0~rc-1) unstable; urgency=medium
++
++ * Bug fix and improvements release.
++
++ -- gustavo-iniguez-goya <gooffy1@gmail.com> Thu, 25 Mar 2021 01:02:31 +0100
++
++opensnitch (1.3.6-1) unstable; urgency=medium
++
++ * Bug fix and improvements release.
++
++ -- gustavo-iniguez-goya <gooffy1@gmail.com> Wed, 10 Feb 2021 10:17:43 +0100
++
++opensnitch (1.3.5-1) unstable; urgency=medium
++
++ * Bug fix and improvements release.
++
++ -- gustavo-iniguez-goya <gooffy1@gmail.com> Mon, 11 Jan 2021 18:01:53 +0100
++
++opensnitch (1.3.0-1) unstable; urgency=medium
++
++ * Fixed how we check rules
++ * Fixed cpu spike after disable interception.
++ * Fixed cleaning up fw rules on exit.
++ * make regexp rules case-insensitive by default
++ * allow to filter by dst network.
++
++ -- gustavo-iniguez-goya <gooffy1@gmail.com> Wed, 16 Dec 2020 01:15:03 +0100
++
++opensnitch (1.3.0~rc-1) unstable; urgency=medium
++
++ * Non-maintainer upload.
++
++ -- gustavo-iniguez-goya <gooffy1@gmail.com> Fri, 13 Nov 2020 00:51:34 +0100
++
++opensnitch (1.2.0-1) unstable; urgency=medium
++
++ * Fixed memleaks.
++ * Sort rules by name
++ * Added priority field to rules.
++ * Other fixes
++
++ -- gustavo-iniguez-goya <gooffy1@gmail.com> Mon, 09 Nov 2020 22:55:13 +0100
++
++opensnitch (1.0.1-1) unstable; urgency=medium
++
++ * Fixed app exit when IPv6 is not supported.
++ * Other fixes.
++
++ -- gustavo-iniguez-goya <gooffy1@gmail.com> Thu, 30 Jul 2020 21:56:20 +0200
++
++opensnitch (1.0.0-1) unstable; urgency=medium
++
++ * v1.0.0 released.
++
++ -- gustavo-iniguez-goya <gooffy1@gmail.com> Thu, 16 Jul 2020 00:19:26 +0200
++
++opensnitch (1.0.0rc11-1) unstable; urgency=medium
++
++ * Fixed multiple race conditions.
++ * Fixed CWD parsing when using audit proc monitor method.
++
++ -- gustavo-iniguez-goya <gooffy1@gmail.com> Wed, 24 Jun 2020 00:10:38 +0200
++
++opensnitch (1.0.0rc10-1) unstable; urgency=medium
++
++ * Fixed checking UID functions availability.
++ * Improved process path parsing.
++ * Fixed applying config from the UI.
++ * Fixed default log level.
++ * Gather CWD and process environment vars.
++ * Increase default timeout when asking for a rule.
++
++ -- gustavo-iniguez-goya <gooffy1@gmail.com> Sat, 13 Jun 2020 18:45:02 +0200
++
++opensnitch (1.0.0rc9-1) unstable; urgency=medium
++
++ * Ignore malformed rules from loading.
++ * Allow to modify and add rules from the UI.
++
++ -- gustavo-iniguez-goya <gooffy1@gmail.com> Sun, 17 May 2020 18:18:24 +0200
++
++opensnitch (1.0.0rc8) unstable; urgency=medium
++
++ * Allow to change settings from the UI.
++ * Improved connection handling with the UI.
++
++ -- gustavo-iniguez-goya <gooffy1@gmail.com> Wed, 29 Apr 2020 21:52:27 +0200
++
++opensnitch (1.0.0rc7-1) unstable; urgency=medium
++
++ * Stability, performance and realiability improvements.
++
++ -- gustavo-iniguez-goya <gooffy1@gmail.com> Sun, 12 Apr 2020 23:25:41 +0200
++
++opensnitch (1.0.0rc6-1) unstable; urgency=medium
++
++ * Fixed iptables rules deletion.
++ * Improved PIDs cache.
++ * Added audit process monitoring method.
++ * Added logrotate file.
++ * Added default configuration file.
++
++ -- gustavo-iniguez-goya <gooffy1@gmail.com> Sun, 08 Mar 2020 20:47:58 +0100
++
++opensnitch (1.0.0rc-5) unstable; urgency=medium
++
++ * Fixed netlink socket querying.
++ * Added check to reload firewall rules if missing.
++
++ -- gustavo-iniguez-goya <gooffy1@gmail.com> Mon, 24 Feb 2020 19:55:06 +0100
++
++opensnitch (1.0.0rc-3) unstable; urgency=medium
++
++ * @see: https://github.com/gustavo-iniguez-goya/opensnitch/releases
++
++ -- gustavo-iniguez-goya <gooffy1@gmail.com> Tue, 18 Feb 2020 10:09:45 +0100
++
++opensnitch (1.0.0rc-2) unstable; urgency=medium
++
++ * UI minor changes
++ * Expand deb package compatibility.
++
++ -- gustavo-iniguez-goya <gooffy1@gmail.com> Wed, 05 Feb 2020 21:50:20 +0100
++
++opensnitch (1.0.0rc-1) unstable; urgency=medium
++
++ * Initial release
++
++ -- gustavo-iniguez-goya <gooffy1@gmail.com> Fri, 22 Nov 2019 01:14:08 +0100
--- /dev/null
--- /dev/null
++Source: opensnitch
++Maintainer: Debian Go Packaging Team <team+pkg-go@tracker.debian.org>
++Uploaders:
++ Charles Allhands <cra@resistentialist.com>,
++ Petter Reinholdtsen <pere@debian.org>
++Section: devel
++Priority: optional
++Build-Depends:
++ debhelper-compat (= 11),
++ dh-golang,
++ dh-python,
++ golang-any,
++ golang-github-fsnotify-fsnotify-dev,
++ golang-github-google-gopacket-dev,
++ golang-github-google-nftables-dev,
++ golang-github-iovisor-gobpf-dev,
++ golang-github-varlink-go-dev,
++ golang-github-vishvananda-netlink-dev,
++ golang-golang-x-net-dev,
++ golang-google-grpc-dev,
++ golang-github-gogo-protobuf-dev | golang-goprotobuf-dev,
++ libmnl-dev,
++ libnetfilter-queue-dev,
++ linux-headers-amd64 [amd64] | linux-headers-arm64 [arm64] | linux-headers-armmp [armhf] | linux-headers-loong64 [loong64] | linux-headers-riscv64 [riscv64] | linux-headers-s390x [s390x] | linux-headers-generic,
++ pkgconf,
++ protoc-gen-go-1-5 | protoc-gen-go-1-3,
++ protoc-gen-go-grpc,
++ pyqt5-dev-tools,
++ qttools5-dev-tools,
++ python3-all,
++ python3-grpc-tools,
++ python3-setuptools,
++ clang,
++ llvm
++Standards-Version: 4.7.2
++Vcs-Browser: https://salsa.debian.org/go-team/packages/opensnitch
++Vcs-Git: https://salsa.debian.org/go-team/packages/opensnitch.git
++Homepage: https://github.com/evilsocket/opensnitch
++Rules-Requires-Root: no
++XS-Go-Import-Path: github.com/evilsocket/opensnitch
++
++Package: opensnitch
++Section: net
++Architecture: any
++Depends:
++ ${misc:Depends},
++ ${shlibs:Depends},
++Recommends: python3-opensnitch-ui,
++ opensnitch-ebpf-modules [amd64 arm64 riscv64 s390x loong64 ppc64]
++Built-Using: ${misc:Built-Using}
++Description: GNU/Linux interactive application firewall
++ Whenever a program makes a connection, it'll prompt the user to allow or deny
++ it.
++ .
++ The user can decide if block the outgoing connection based on properties of
++ the connection: by port, by uid, by dst ip, by program or a combination
++ of them.
++ .
++ These rules can last forever, until the app restart or just one time.
++ .
++ The GUI allows the user to view live outgoing connections, as well as search
++ by process, user, host or port.
++ .
++ OpenSnitch can also work as a system-wide domains blocker, by using lists
++ of domains, list of IPs or list of regular expressions.
++
++
++Package: python3-opensnitch-ui
++Architecture: all
++Section: net
++Depends:
++ ${misc:Depends},
++ ${shlibs:Depends},
++ libqt5sql5-sqlite,
++ python3-grpcio,
++ python3-notify2,
++ python3-packaging,
++ python3-pyinotify,
++ python3-pyqt5,
++ python3-pyqt5.qtsql,
++ python3-slugify,
++ python3:any,
++ xdg-user-dirs,
++ gtk-update-icon-cache
++Recommends:
++ python3-pyasn
++Suggests: opensnitch
++Description: GNU/Linux interactive application firewall GUI
++ opensnitch-ui is a GUI for opensnitch written in Python.
++ It allows the user to view live outgoing connections, as well as search
++ for details of the intercepted connections.
++ .
++ The user can decide if block outgoing connections based on properties of
++ the connection: by port, by uid, by dst ip, by program or a combination
++ of them.
++ .
++ These rules can last forever, until restart the daemon or just one time.
++ .
++ OpenSnitch can also work as a system-wide domains blocker, by using lists
++ of domains, list of IPs or list of regular expressions.
++
++
++Package: opensnitch-ebpf-modules
++Architecture: amd64 arm64 riscv64 s390x loong64 ppc64
++Section: net
++Depends:
++ ${misc:Depends},
++ ${shlibs:Depends},
++Suggests: opensnitch
++Description: GNU/Linux interactive application firewall eBPF modules
++ opensnitch-ebpf-modules provides the eBPF modules.
++ It provides the functionality to intercept connections at kernel level,
++ offering better performance and reliability.
--- /dev/null
--- /dev/null
++Format: https://www.debian.org/doc/packaging-manuals/copyright-format/1.0/
++Source: https://github.com/evilsocket/opensnitch
++Upstream-Contact: Gustavo Iñiguez Goia <gooffy1@gmail.com>
++Upstream-Name: opensnitch
++Files-Excluded:
++ Godeps/_workspace
++
++Files: *
++Copyright:
++ 2017-2018 evilsocket
++ 2019-2023 Gustavo Iñiguez Goia
++Comment: Debian packaging is licensed under the same terms as upstream
++License: GPL-3.0+
++ This program is free software; you can redistribute it
++ and/or modify it under the terms of the GNU General Public
++ License as published by the Free Software Foundation; either
++ version 3 of the License, or (at your option) any later
++ version.
++ .
++ This program is distributed in the hope that it will be
++ useful, but WITHOUT ANY WARRANTY; without even the implied
++ warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR
++ PURPOSE. See the GNU General Public License for more
++ details.
++ .
++ You should have received a copy of the GNU General Public
++ License along with this program. If not, If not, see
++ http://www.gnu.org/licenses/.
++ .
++ On Debian systems, the full text of the GNU General Public
++ License version 3 can be found in the file
++ '/usr/share/common-licenses/GPL-3'.
++
++Files: ui/resources/io.github.evilsocket.opensnitch.appdata.xml
++Copyright:
++ 2023 Gustavo Iñiguez Goia
++License: FTL
++ The FreeType Project LICENSE
++ ----------------------------
++ .
++ 2006-Jan-27
++ .
++ Copyright 1996-2002, 2006 by
++ David Turner, Robert Wilhelm, and Werner Lemberg
++ .
++ .
++ .
++ Introduction
++ ============
++ .
++ The FreeType Project is distributed in several archive packages;
++ some of them may contain, in addition to the FreeType font engine,
++ various tools and contributions which rely on, or relate to, the
++ FreeType Project.
++ .
++ This license applies to all files found in such packages, and
++ which do not fall under their own explicit license. The license
++ affects thus the FreeType font engine, the test programs,
++ documentation and makefiles, at the very least.
++ .
++ This license was inspired by the BSD, Artistic, and IJG
++ (Independent JPEG Group) licenses, which all encourage inclusion
++ and use of free software in commercial and freeware products
++ alike. As a consequence, its main points are that:
++ .
++ o We don't promise that this software works. However, we will be
++ interested in any kind of bug reports. (`as is' distribution)
++ .
++ o You can use this software for whatever you want, in parts or
++ full form, without having to pay us. (`royalty-free' usage)
++ .
++ o You may not pretend that you wrote this software. If you use
++ it, or only parts of it, in a program, you must acknowledge
++ somewhere in your documentation that you have used the
++ FreeType code. (`credits')
++ .
++ We specifically permit and encourage the inclusion of this
++ software, with or without modifications, in commercial products.
++ We disclaim all warranties covering The FreeType Project and
++ assume no liability related to The FreeType Project.
++ .
++ .
++ Finally, many people asked us for a preferred form for a
++ credit/disclaimer to use in compliance with this license. We thus
++ encourage you to use the following text:
++ .
++ """
++ Portions of this software are copyright © <year> The FreeType
++ Project (www.freetype.org). All rights reserved.
++ """
++ .
++ Please replace <year> with the value from the FreeType version you
++ actually use.
++ .
++ .
++ Legal Terms
++ ===========
++ .
++ 0. Definitions
++ --------------
++ .
++ Throughout this license, the terms `package', `FreeType Project',
++ and `FreeType archive' refer to the set of files originally
++ distributed by the authors (David Turner, Robert Wilhelm, and
++ Werner Lemberg) as the `FreeType Project', be they named as alpha,
++ beta or final release.
++ .
++ `You' refers to the licensee, or person using the project, where
++ `using' is a generic term including compiling the project's source
++ code as well as linking it to form a `program' or `executable'.
++ This program is referred to as `a program using the FreeType
++ engine'.
++ .
++ This license applies to all files distributed in the original
++ FreeType Project, including all source code, binaries and
++ documentation, unless otherwise stated in the file in its
++ original, unmodified form as distributed in the original archive.
++ If you are unsure whether or not a particular file is covered by
++ this license, you must contact us to verify this.
++ .
++ The FreeType Project is copyright (C) 1996-2000 by David Turner,
++ Robert Wilhelm, and Werner Lemberg. All rights reserved except as
++ specified below.
++ .
++ 1. No Warranty
++ --------------
++ .
++ THE FREETYPE PROJECT IS PROVIDED `AS IS' WITHOUT WARRANTY OF ANY
++ KIND, EITHER EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO,
++ WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
++ PURPOSE. IN NO EVENT WILL ANY OF THE AUTHORS OR COPYRIGHT HOLDERS
++ BE LIABLE FOR ANY DAMAGES CAUSED BY THE USE OR THE INABILITY TO
++ USE, OF THE FREETYPE PROJECT.
++ .
++ 2. Redistribution
++ -----------------
++ .
++ This license grants a worldwide, royalty-free, perpetual and
++ irrevocable right and license to use, execute, perform, compile,
++ display, copy, create derivative works of, distribute and
++ sublicense the FreeType Project (in both source and object code
++ forms) and derivative works thereof for any purpose; and to
++ authorize others to exercise some or all of the rights granted
++ herein, subject to the following conditions:
++ .
++ o Redistribution of source code must retain this license file
++ (`FTL.TXT') unaltered; any additions, deletions or changes to
++ the original files must be clearly indicated in accompanying
++ documentation. The copyright notices of the unaltered,
++ original files must be preserved in all copies of source
++ files.
++ .
++ o Redistribution in binary form must provide a disclaimer that
++ states that the software is based in part of the work of the
++ FreeType Team, in the distribution documentation. We also
++ encourage you to put an URL to the FreeType web page in your
++ documentation, though this isn't mandatory.
++ .
++ These conditions apply to any software derived from or based on
++ the FreeType Project, not just the unmodified files. If you use
++ our work, you must acknowledge us. However, no fee need be paid
++ to us.
++ .
++ 3. Advertising
++ --------------
++ .
++ Neither the FreeType authors and contributors nor you shall use
++ the name of the other for commercial, advertising, or promotional
++ purposes without specific prior written permission.
++ .
++ We suggest, but do not require, that you use one or more of the
++ following phrases to refer to this software in your documentation
++ or advertising materials: `FreeType Project', `FreeType Engine',
++ `FreeType library', or `FreeType Distribution'.
++ .
++ As you have not signed this license, you are not required to
++ accept it. However, as the FreeType Project is copyrighted
++ material, only this license, or another one contracted with the
++ authors, grants you the right to use, distribute, and modify it.
++ Therefore, by using, distributing, or modifying the FreeType
++ Project, you indicate that you understand and accept all the terms
++ of this license.
++ .
++ 4. Contacts
++ -----------
++ .
++ There are two mailing lists related to FreeType:
++ .
++ o freetype@nongnu.org
++ .
++ Discusses general use and applications of FreeType, as well as
++ future and wanted additions to the library and distribution.
++ If you are looking for support, start in this list if you
++ haven't found anything to help you in the documentation.
++ .
++ o freetype-devel@nongnu.org
++ .
++ Discusses bugs, as well as engine internals, design issues,
++ specific licenses, porting, etc.
++ .
++ Our home page can be found at
++ .
++ https://www.freetype.org
--- /dev/null
--- /dev/null
++[DEFAULT]
++debian-branch = debian/sid
++pristine-tar = True
--- /dev/null
--- /dev/null
++# auto-generated, DO NOT MODIFY.
++# The authoritative copy of this file lives at:
++# https://salsa.debian.org/go-team/ci/blob/master/config/gitlabciyml.go
++
++# TODO: publish under debian-go-team/ci
++image: stapelberg/ci2
++
++test_the_archive:
++ artifacts:
++ paths:
++ - before-applying-commit.json
++ - after-applying-commit.json
++ script:
++ # Create an overlay to discard writes to /srv/gopath/src after the build:
++ - "rm -rf /cache/overlay/{upper,work}"
++ - "mkdir -p /cache/overlay/{upper,work}"
++ - "mount -t overlay overlay -o lowerdir=/srv/gopath/src,upperdir=/cache/overlay/upper,workdir=/cache/overlay/work /srv/gopath/src"
++ - "export GOPATH=/srv/gopath"
++ - "export GOCACHE=/cache/go"
++ # Build the world as-is:
++ - "ci-build -exemptions=/var/lib/ci-build/exemptions.json > before-applying-commit.json"
++ # Copy this package into the overlay:
++ - "GBP_CONF_FILES=:debian/gbp.conf gbp buildpackage --git-no-pristine-tar --git-ignore-branch --git-ignore-new --git-export-dir=/tmp/export --git-no-overlay --git-tarball-dir=/nonexistant --git-cleaner=/bin/true --git-builder='dpkg-buildpackage -S -d --no-sign'"
++ - "pgt-gopath -dsc /tmp/export/*.dsc"
++ # Rebuild the world:
++ - "ci-build -exemptions=/var/lib/ci-build/exemptions.json > after-applying-commit.json"
++ - "ci-diff before-applying-commit.json after-applying-commit.json"
--- /dev/null
--- /dev/null
++.\" Copyright (c) 2023 Gustavo Iñiguez Goya <gustavo.iniguez.goya@gmail.com>
++.\" All rights reserved.
++.\"
++.\" SPDX-License-Identifier: GPL-3.0-or-later
++.de CW
++.sp
++.in +4n
++.nf
++.ft CW
++..
++.de CE
++.ft R
++.fi
++.in
++.sp
++..
++.\" Like .OP, but with ellipsis at the end in order to signify that option
++.\" can be provided multiple times. Based on .OP definition in groff's
++.\" an-ext.tmac.
++.de OM
++. ie \\n(.$-1 \
++. RI "[\fB\\$1\fP" "\ \\$2" "]...\&"
++. el \
++. RB "[" "\\$1" "]...\&"
++..
++.\" Required option.
++.de OR
++. ie \\n(.$-1 \
++. RI "\fB\\$1\fP" "\ \\$2"
++. el \
++. BR "\\$1"
++..
++.TH OPENSNITCH-EBPF_MODULES 1 "2023-06-07" "opensnitch-ebpf-modules 1.5.9"
++.SH NAME
++opensnitch-ebpf-modules \- GNU/Linux interactive firewall application
++.SH DESCRIPTION
++.LP
++opensnitch-ebpf-modules provides the eBPF kernel modules to intercept
++network connections. It offers better performance and reliability.
++.LP
++The modules are installed under /usr/lib/opensnitchd/ebpf/
++.LP
++.SH KNOWN BUGS
++When coming back from suspend state, the eBPF modules stop working.
++.LP
++The only solution for now is to restart the daemon when the computer
++wakes up:
++.PP
++https://github.com/evilsocket/opensnitch/blob/master/utils/scripts/restart-opensnitch-onsleep.sh
++.SH "SEE ALSO"
++.PP
++.UR https://github.com/evilsocket/opensnitch/ebpf_prog/
++.B OpenSnitch
++Home Page
++.UE
++.SH AUTHORS
++The complete list of
++.B OpenSnitch
++contributors can be found on https://github.com/evilsocket/opensnitch
--- /dev/null
--- /dev/null
++.\" Copyright (c) 2023 Gustavo Iñiguez Goya <gustavo.iniguez.goya@gmail.com>
++.\" All rights reserved.
++.\"
++.\" SPDX-License-Identifier: GPL-3.0-or-later
++.de CW
++.sp
++.in +4n
++.nf
++.ft CW
++..
++.de CE
++.ft R
++.fi
++.in
++.sp
++..
++.\" Like .OP, but with ellipsis at the end in order to signify that option
++.\" can be provided multiple times. Based on .OP definition in groff's
++.\" an-ext.tmac.
++.de OM
++. ie \\n(.$-1 \
++. RI "[\fB\\$1\fP" "\ \\$2" "]...\&"
++. el \
++. RB "[" "\\$1" "]...\&"
++..
++.\" Required option.
++.de OR
++. ie \\n(.$-1 \
++. RI "\fB\\$1\fP" "\ \\$2"
++. el \
++. BR "\\$1"
++..
++.TH OPENSNITCH-UI 1 "2023-06-07" "opensnitchd 1.5.9"
++.SH NAME
++opensnitch-ui \- GNU/Linux interactive firewall application
++.SH SYNOPSIS
++.SY opensnitch-ui
++.OP \-\-socket path
++.OP \-\-max-clients num
++.YS
++.SH DESCRIPTION
++.LP
++opensnitch-ui is the OpenSnitch GUI to view events intercepted by the daemon,
++and to manage the rules.
++The GUI is composed of 2 components in the same script: a server and a GUI.
++Once the GUI is launched, an icon will appear on the system tray.
++If the system tray is not available or can't be used, the Events dialog will
++be launched.
++.LP
++The GUI (i.e.: the server) will listen for new connections from daemons. You
++can have the daemon installed on multiple machines, and manage them from a
++centralized GUI.
++.UR https://github.com/evilsocket/opensnitch/wiki/Nodes
++.UE
++.LP
++.SH OPTIONS
++.TP
++.BI "\--socket " path
++Specifies the path or network address where the GUI (i.e.: the server) will
++listen on.
++.PP
++ Examples:
++.PP
++ Default: unix:///tmp/osui.sock
++.PP
++ - Listening on a Unix socket:
++ $ opensnitch-ui --socket unix:///tmp/osui.sock
++ * Use unix:///run/user/YOUR_USER_ID/opensnitch/osui.sock for better privacy.
++.PP
++ - Listening on port 50051, all interfaces:
++ $ opensnitch-ui --socket "[::]:50051"
++.TP
++.BI "\--max-clients " num
++Maximum number of clients to allow (default: 10).
++.SH FILES
++.I /home/$USER/.config/opensnitch/
++.RS
++Path of the GUI configuration.
++.RE
++.SH DIAGNOSTICS
++If something goes wrong, like a crash, launch the GUI from a shell to view debugging messages:
++.LP
++.RS
++$ opensnitch-ui
++.RE
++.SH REPORTING BUGS
++Problems with
++.B opensnitch-ui
++should be reported on github
++.UR https://github.com/evilsocket/opensnitch/issues
++.UE
++.SH "SEE ALSO"
++.PP
++.B OpenSnitch
++Home Page
++.UR https://github.com/evilsocket/opensnitch
++.UE
++.LP
++.SH HISTORY
++.B OpenSnitch
++was originally written by Simone Margaritelli (evilsocket) in 2017-2018.
++.LP
++In 2019, after some time of inactivity, Gustavo Iñiguez Goya started
++contributing, fixing bugs and adding new functionality, with
++the esential help of the community, and valuable contributions from themighty1 and
++calesanz among others.
++.SH AUTHORS
++The complete list of
++.B OpenSnitch
++contributors can be found on
++.UR https://github.com/evilsocket/opensnitch
++.UE
--- /dev/null
--- /dev/null
++.\" Copyright (c) 2023 Gustavo Iñiguez Goya <gustavo.iniguez.goya@gmail.com>
++.\" All rights reserved.
++.\"
++.\" SPDX-License-Identifier: GPL-3.0-or-later
++.de CW
++.sp
++.in +4n
++.nf
++.ft CW
++..
++.de CE
++.ft R
++.fi
++.in
++.sp
++..
++.\" Like .OP, but with ellipsis at the end in order to signify that option
++.\" can be provided multiple times. Based on .OP definition in groff's
++.\" an-ext.tmac.
++.de OM
++. ie \\n(.$-1 \
++. RI "[\fB\\$1\fP" "\ \\$2" "]...\&"
++. el \
++. RB "[" "\\$1" "]...\&"
++..
++.\" Required option.
++.de OR
++. ie \\n(.$-1 \
++. RI "\fB\\$1\fP" "\ \\$2"
++. el \
++. BR "\\$1"
++..
++.TH OPENSNITCHD 1 "2023-06-07" "opensnitchd 1.5.9"
++.SH NAME
++opensnitchd \- GNU/Linux interactive firewall application
++.SH SYNOPSIS
++.SY opensnitchd
++.OP \-rules-path path
++.OP \-cpu-profile path
++.OP \-debug
++.OP \-error
++.OP \-warning
++.OP \-important
++.OM \-log-file path
++.OM \-mem-profile path
++.OP \-no-live-reload
++.OM \-process-monitor-method name
++.OM \-queue-num num
++.OM \-ui-socket path
++.OP \-version
++.OM \-workers num
++.YS
++.SH DESCRIPTION
++.LP
++opensnitchd is the OpenSnitch agent that intercepts outbound connections,
++and send them to the server. The server can be a GUI, a TUI, or a
++.I headless
++component to just log the network activity (a SIEM for example).
++By default it'll allow all connections, creating temporal rules for you
++so you can review them later.
++.LP
++.SH OPTIONS
++.TP
++.BI "\-rules-path " path
++Specifies where the rules will be written to. Default "rules".
++.TP
++.BI "\-cpu-profile " path
++A file path where the CPU data for later use will be written.
++.TP
++.BI "\-debug"
++Set LogLevel to DEBUG.
++.TP
++.BI "\-warning"
++Set LogLevel to WARNING.
++.TP
++.BI "\-important"
++Set LogLevel to IMPORTANT.
++.TP
++.BI "\-log-file " path
++A file path where the logs will be written to. This path can be a device file,
++like /dev/stdout to print logs to standard output.
++.TP
++.BI "\-mem-profile " path
++A file path where the memory data will be written once the daemon exits.
++.TP
++.BI "\-no-live-reload"
++By default daemon's rules and configuration is reloaded whenever it changes.
++This option disables this feature.
++.TP
++.BI "\-process-monitor-method " method
++Force process monitor method, overriding what is defined in the configuration.
++Valid methods: ebpf, audit, proc
++.TP
++.BI "\-queue-num " num
++Force to use this netfilter queue num. The default queue number is 0, but if
++it's already used by other software, you can set another queue number here.
++.TP
++.BI "\-ui-socket " path
++Force to use this socket path, instead of the one defined in the configuration.
++The path format is unix:///path/to/socket.sock or ip:port ("127.0.0.1:50051")
++.RS
++(
++.UR https://github.com/grpc/grpc/blob/master/doc/naming.md
++.UE
++)
++.RE
++.TP
++.BI "\-version"
++Prints out daemon version.
++.TP
++.BI "\-workers " num
++Change maximum number of workers to process outbound connections.
++By default 16 workers are launched, but if it's not enough increase this number.
++.SH FILES
++.I /etc/opensnitchd/rules/
++.RS
++Default daemon directory rules.
++.RE
++.I /etc/opensnitchd/default-config.json
++.RS
++Default daemon configuration.
++.RE
++.I /etc/opensnitchd/system-fw.json
++.RS
++Configuration of system firewall rules (iptables/nftables).
++.TP
++Firewall rules defined here bypasses OpenSnitch interception. Use it to allow VPNs or other services.
++.SH DIAGNOSTICS
++OpenSnitch needs at least one firewall rule to intercept outbound connections:
++.LP
++iptables -t mangle -L OUTPUT | grep NFQUEUE
++.RS
++NFQUEUE all -- anywhere anywhere ctstate NEW,RELATED NFQUEUE num 0 bypass
++.RE
++.LP
++If you suspect that OpenSnitch blocks an application and doesn't prompt you to allow or deny it,
++using the GUI enable the option
++.I [x] Debug invalid connections
++under Preferences -> Nodes.
++Or set the configuration option
++.B InterceptUnknown
++to true.
++.LP
++.I Tip:
++You can also add rules to the file /etc/opensnitchd/system-fw.json, to allow network services without being intercepted by the daemon.
++.LP
++Another way of debugging errors is by launching the daemon from the command line:
++.IP
++.PD 0
++.IP 1. 4
++Set LogLevel to DEBUG under Preferences -> Nodes (or LogLevel to 0 in the configuration)
++.IP 2. 4
++Stop the daemon: systemctl stop opensnitch
++.IP 3. 4
++Launch it from cli: /usr/bin/opensnitchd -rules-path /etc/opensnitchd/rules/
++.PD
++.LP
++.SH REPORTING BUGS
++Problems with
++.B opensnitchd
++should be reported on github
++.UR https://github.com/evilsocket/opensnitch/issues
++.UE
++.SH HISTORY
++.B OpenSnitch
++was originally written by Simone Margaritelli (evilsocket) in 2017-2018.
++.LP
++In 2019, after some time of inactivity, Gustavo Iñiguez Goya started
++contributing, fixing bugs and adding new functionality, with
++the esential help of the community, and valuable contributions from themighty1 and
++calesanz among others.
++.SH "SEE ALSO"
++.PP
++.B OpenSnitch
++Home Page
++.UR https://github.com/evilsocket/opensnitch
++.UE
++.SH AUTHORS
++The complete list of
++.B OpenSnitch
++contributors can be found on
++.UR https://github.com/evilsocket/opensnitch
++.UE
--- /dev/null
--- /dev/null
++# These are EBPF objects.
++binary-from-other-architecture [usr/lib/opensnitchd/ebpf/opensnitch-dns.o]
++binary-from-other-architecture [usr/lib/opensnitchd/ebpf/opensnitch-procs.o]
++binary-from-other-architecture [usr/lib/opensnitchd/ebpf/opensnitch.o]
--- /dev/null
--- /dev/null
++debian/man/opensnitch-ebpf-modules.1
--- /dev/null
--- /dev/null
++#!/bin/sh
++
++### BEGIN INIT INFO
++# Provides: opensnitchd
++# Required-Start: $network $local_fs
++# Required-Stop: $network $local_fs
++# Default-Start: 2 3 4 5
++# Default-Stop: 0 1 6
++# Short-Description: opensnitchd daemon
++# Description: opensnitch application firewall
++### END INIT INFO
++
++NAME=opensnitchd
++PIDDIR=/var/run/$NAME
++OPENSNITCHDPID=$PIDDIR/$NAME.pid
++
++# clear conflicting settings from the environment
++unset TMPDIR
++
++test -x /usr/bin/$NAME || exit 0
++
++. /lib/lsb/init-functions
++
++case $1 in
++ start)
++ log_daemon_msg "Starting opensnitch daemon" $NAME
++ if [ ! -d /etc/$NAME/rules ]; then
++ mkdir -p /etc/$NAME/rules &>/dev/null
++ fi
++
++ # Make sure we have our PIDDIR, even if it's on a tmpfs
++ install -o root -g root -m 755 -d $PIDDIR
++
++ if ! start-stop-daemon --start --quiet --oknodo --pidfile $OPENSNITCHDPID --background --exec /usr/bin/$NAME -- -rules-path /etc/$NAME/rules; then
++ log_end_msg 1
++ exit 1
++ fi
++
++ log_end_msg 0
++ ;;
++ stop)
++
++ log_daemon_msg "Stopping $NAME daemon" $NAME
++
++ start-stop-daemon --stop --quiet --signal QUIT --name $NAME
++ # Wait a little and remove stale PID file
++ sleep 1
++ if [ -f $OPENSNITCHDPID ] && ! ps h `cat $OPENSNITCHDPID` > /dev/null
++ then
++ rm -f $OPENSNITCHDPID
++ fi
++
++ log_end_msg 0
++
++ ;;
++ reload)
++ log_daemon_msg "Reloading $NAME" $NAME
++
++ start-stop-daemon --stop --quiet --signal HUP --pidfile $OPENSNITCHDPID
++
++ log_end_msg 0
++ ;;
++ restart|force-reload)
++ $0 stop
++ sleep 1
++ $0 start
++ ;;
++ status)
++ status_of_proc /usr/bin/$NAME $NAME
++ exit $?
++ ;;
++ *)
++ echo "Usage: /etc/init.d/opensnitchd {start|stop|reload|restart|force-reload|status}"
++ exit 1
++ ;;
++esac
++
++exit 0
--- /dev/null
--- /dev/null
++daemon/default-config.json etc/opensnitchd/
++daemon/system-fw.json etc/opensnitchd/
++#ebpf_prog/opensnitch.o etc/opensnitchd/
--- /dev/null
--- /dev/null
++/var/log/opensnitchd.log {
++ rotate 7
++# order of the fields is important
++ maxsize 50M
++# we need this option in order to keep logging
++ copytruncate
++ missingok
++ notifempty
++ delaycompress
++ compress
++ create 640 root root
++ weekly
++}
--- /dev/null
--- /dev/null
++rm_conffile /etc/needrestart/conf.d/no-opensnitch-restart.conf 1.6.8-9 opensnitch
--- /dev/null
--- /dev/null
++debian/man/opensnitchd.1
--- /dev/null
--- /dev/null
++[Unit]
++Description=OpenSnitch is a GNU/Linux application firewall.
++Documentation=https://github.com/gustavo-iniguez-goya/opensnitch/wiki
++Wants=network.target
++After=network.target
++
++[Service]
++Type=simple
++PermissionsStartOnly=true
++ExecStartPre=/bin/mkdir -p /etc/opensnitchd/rules
++ExecStart=/usr/bin/opensnitchd -rules-path /etc/opensnitchd/rules
++Restart=always
++RestartSec=30
++
++[Install]
++WantedBy=multi-user.target
--- /dev/null
--- /dev/null
++Description: Changed how ebpf build find kernel headers from running to installed version.
++ The installed kernel do not match running kernel in chroots and containers.
++Author: Petter Reinholdtsen <pere@hungry.com>
++Forwarded: https://github.com/evilsocket/opensnitch/pull/1327
++Last-Update: 2025-04-20
++---
++Index: opensnitch-salsa/ebpf_prog/Makefile
++===================================================================
++--- opensnitch-salsa.orig/ebpf_prog/Makefile 2025-04-20 09:53:55.679288526 +0200
+++++ opensnitch-salsa/ebpf_prog/Makefile 2025-04-20 09:54:12.000000000 +0200
++@@ -3,8 +3,9 @@
++ # On Debian based distros we need the following 2 directories.
++ # Otherwise, just use the kernel headers from the kernel sources.
++ #
++-KERNEL_DIR ?= /lib/modules/$(shell uname -r)/source
++-KERNEL_HEADERS ?= /usr/src/linux-headers-$(shell uname -r)/
+++KERNEL_VER ?= $(shell ls -d /lib/modules/*/source | sort | tail -1 | cut -d/ -f4)
+++KERNEL_DIR ?= /lib/modules/$(KERNEL_VER)/source
+++KERNEL_HEADERS ?= /usr/src/linux-headers-$(KERNEL_VER)/
++ CLANG ?= clang
++ LLC ?= llc
++ LLVM_STRIP ?= llvm-strip -g
--- /dev/null
--- /dev/null
++Description: Added ebpf build rule mapping for armv8 to work with more armhf machines.
++Author: Petter Reinholdtsen <pere@hungry.com>
++Forwarded: https://github.com/evilsocket/opensnitch/pull/1326
++Last-Update: 2025-04-20
++---
++Index: opensnitch-salsa/ebpf_prog/Makefile
++===================================================================
++--- opensnitch-salsa.orig/ebpf_prog/Makefile 2025-04-20 09:53:55.739289007 +0200
+++++ opensnitch-salsa/ebpf_prog/Makefile 2025-04-20 09:53:55.731288942 +0200
++@@ -19,6 +19,8 @@
++ ARCH := x86
++ else ifeq ($(ARCH),armv7l)
++ ARCH := arm
+++else ifeq ($(ARCH),armv8l)
+++ ARCH := arm
++ else ifeq ($(ARCH),aarch64)
++ ARCH := arm64
++ endif
--- /dev/null
--- /dev/null
++Description: Start firewall rules before network is brought up.
++ Also protect the firewall daemon from the kernel OOM killer. Partly
++ based on proposal from
++ https://github.com/evilsocket/opensnitch/pull/1019/.
++Author: Petter Reinholdtsen <pere@hungry.com>
++Forwarded: https://github.com/evilsocket/opensnitch/pull/1019
++Last-Update: 2025-04-20
++diff --git a/daemon/opensnitchd.service b/daemon/opensnitchd.service
++index 3f05fad2..3bfd94d6 100644
++--- a/daemon/opensnitchd.service
+++++ b/daemon/opensnitchd.service
++@@ -1,6 +1,10 @@
++ [Unit]
++ Description=Application firewall OpenSnitch
++ Documentation=https://github.com/evilsocket/opensnitch/wiki
+++DefaultDependencies=no
+++Before=network-pre.target shutdown.target
+++Wants=network-pre.target
+++Conflicts=shutdown.target
++
++ [Service]
++ Type=simple
++@@ -10,6 +14,9 @@ ExecStart=/usr/local/bin/opensnitchd -rules-path /etc/opensnitchd/rules
++ Restart=always
++ RestartSec=30
++ TimeoutStopSec=10
+++# Ensure it is not killed by the Linux kernel's Out-Of-Memory (OOM) killer.
+++# https://www.freedesktop.org/software/systemd/man/systemd.exec.html#OOMScoreAdjust=
+++OOMScoreAdjust=-1000
++
++ [Install]
++-WantedBy=multi-user.target
+++WantedBy=basic.target
--- /dev/null
--- /dev/null
++Description: Added ebpf build rule mapping for s390x to s390.
++ This ensure the kernel headers are found during compilation.
++Author: Petter Reinholdtsen <pere@hungry.com>
++Forwarded: https://github.com/evilsocket/opensnitch/pull/1333
++Last-Update: 2025-04-25
++---
++Index: opensnitch-salsa/ebpf_prog/Makefile
++===================================================================
++--- opensnitch-salsa.orig/ebpf_prog/Makefile 2025-04-25 07:58:50.785702284 +0200
+++++ opensnitch-salsa/ebpf_prog/Makefile 2025-04-25 07:59:34.170084431 +0200
++@@ -23,6 +23,8 @@
++ ARCH := arm
++ else ifeq ($(ARCH),aarch64)
++ ARCH := arm64
+++else ifeq ($(ARCH),s390x)
+++ ARCH := s390
++ endif
++
++ ifeq ($(ARCH),arm)
--- /dev/null
--- /dev/null
++Description: Do not propose use of pip on Debian
++ Dependencies should be fetched from the curated Debian archive.
++Author: Petter Reinholdtsen <pere@debian.org>
++Forwarded: not-needed
++Last-Update: 2025-04-19
++---
++--- opensnitch-1.6.8.orig/ui/opensnitch/dialogs/firewall_rule.py
+++++ opensnitch-1.6.8/ui/opensnitch/dialogs/firewall_rule.py
++@@ -377,7 +377,7 @@ The value must be in the format: VALUE/U
++ self._set_status_error(
++ QC.translate(
++ "firewall",
++- "Your protobuf version is incompatible, you need to install protobuf 3.8.0 or superior\n(pip3 install --ignore-installed protobuf==3.8.0)"
+++ "Your protobuf version is incompatible, you need to install protobuf 3.8.0 or superior\n(apt install protobuf-api-32-0)"
++ )
++ )
++ return False
++--- opensnitch-1.6.8.orig/ui/opensnitch/dialogs/preferences.py
+++++ opensnitch-1.6.8/ui/opensnitch/dialogs/preferences.py
++@@ -258,7 +258,7 @@ class PreferencesDialog(QtWidgets.QDialo
++ self._saved_theme = ""
++ self.labelThemeError.setStyleSheet('color: red')
++ self.labelThemeError.setVisible(True)
++- self.labelThemeError.setText(QC.translate("preferences", "Themes not available. Install qt-material: pip3 install qt-material"))
+++ self.labelThemeError.setText(QC.translate("preferences", "Themes not available. Install qt-material: apt install python3-qt-material"))
++
++ self.comboUITheme.setCurrentIndex(theme_idx)
++ self._show_ui_density_widgets(theme_idx)
++--- opensnitch-1.6.8.orig/ui/opensnitch/utils/__init__.py
+++++ opensnitch-1.6.8/ui/opensnitch/utils/__init__.py
++@@ -109,7 +109,7 @@ class Themes():
++ from qt_material import list_themes as qtmaterial_themes
++ AVAILABLE = True
++ except Exception:
++- print("Themes not available. Install qt-material if you want to change GUI's appearance: pip3 install qt-material.")
+++ print("Themes not available. Install qt-material if you want to change GUI's appearance: apt install python3-qt-material.")
++
++ @staticmethod
++ def instance():
--- /dev/null
--- /dev/null
++Description: Tell opensnitch daemon to not flush al TCP connections on restart.
++ This avoid killing connections like SSH and IRC when upgrading or restarting
++ the service. See discussion in https://github.com/evilsocket/opensnitch/issues/1329 .
++Author: Petter Reinholdtsen <pere@hungry.com>
++Bug-Debian: https://bugs.debian.org/1103496
++Forwarded: not-needed
++Last-update: 2025-05-26
++---
++Index: opensnitch-salsa/daemon/default-config.json
++===================================================================
++--- opensnitch-salsa.orig/daemon/default-config.json 2025-04-26 07:33:06.345354492 +0200
+++++ opensnitch-salsa/daemon/default-config.json 2025-04-26 07:33:52.681782972 +0200
++@@ -22,6 +22,6 @@
++ },
++ "Internal": {
++ "GCPercent": 100,
++- "FlushConnsOnStart": true
+++ "FlushConnsOnStart": false
++ }
++ }
--- /dev/null
--- /dev/null
++0xxx: Grabbed from upstream development.
++1xxx: Possibly relevant for upstream adoption.
++2xxx: Only relevant for official Debian release.
--- /dev/null
--- /dev/null
++1000-installed-kernel-headers.patch
++1020-ebpf-armv8l.patch
++1030-systemd-service-earlier.patch
++1050-ebpf-s390x.patch
++2000-apt-not-pip.patch
++2010-no-tcp-flush-on-restart.patch
--- /dev/null
--- /dev/null
++debian/man/opensnitch-ui.1
--- /dev/null
--- /dev/null
++#!/bin/sh
++set -e
++
++autostart_by_default()
++{
++ deskfile=/etc/xdg/autostart/opensnitch_ui.desktop
++ if [ -d /etc/xdg/autostart -a ! -h $deskfile -a ! -f $deskfile ]; then
++ ln -s /usr/share/applications/opensnitch_ui.desktop /etc/xdg/autostart/
++ fi
++}
++
++if command -v gtk-update-icon-cache >/dev/null && test -f /usr/share/icons/hicolor/index.theme ; then
++ gtk-update-icon-cache --quiet /usr/share/icons/hicolor/
++fi
++
++case "$1" in
++ configure)
++ # first install
++ if [ -z $2 ]; then
++ autostart_by_default
++ elif dpkg --compare-versions "$2" le "1.5.7-2"; then
++ autostart_by_default
++ fi
++ ;;
++esac
++
++#DEBHELPER#
--- /dev/null
--- /dev/null
++#!/bin/sh
++set -e
++
++case "$1" in
++ purge)
++ deskfile=/etc/xdg/autostart/opensnitch_ui.desktop
++ if [ -f $deskfile -o -h $deskfile ];then
++ rm -f /etc/xdg/autostart/opensnitch_ui.desktop
++ fi
++ ;;
++ remove)
++ pkill -15 opensnitch-ui || true
++ ;;
++esac
++
++#DEBHELPER#
--- /dev/null
--- /dev/null
++#!/usr/bin/make -f
++export DH_VERBOSE = 1
++export DESTDIR := $(shell pwd)/debian/opensnitch
++export UIDESTDIR := $(shell pwd)/debian/python3-opensnitch-ui
++export EBPFDESTDIR := $(shell pwd)/debian/opensnitch-ebpf-modules
++
++ifeq ($(DEB_BUILD_ARCH),amd64)
++ WITH_EBPF := true
++else ifeq ($(DEB_BUILD_ARCH),arm64)
++ WITH_EBPF := true
++else ifeq ($(DEB_BUILD_ARCH),riscv64)
++ WITH_EBPF := true
++else ifeq ($(DEB_BUILD_ARCH),s390x)
++ WITH_EBPF := true
++else ifeq ($(DEB_BUILD_ARCH),loong64)
++ WITH_EBPF := true
++else ifeq ($(DEB_BUILD_ARCH),ppc64)
++ WITH_EBPF := true
++else
++ WITH_EBPF := false
++endif
++
++override_dh_installsystemd:
++ dh_installsystemd --restart-after-upgrade
++
++override_dh_auto_build:
++ $(MAKE) protocol
++# Workaround for Go build problem when building in _build
++ mkdir -p _build/src/github.com/evilsocket/opensnitch/daemon/ui/protocol/
++ cp daemon/ui/protocol/* _build/src/github.com/evilsocket/opensnitch/daemon/ui/protocol/
++ dh_auto_build
++ cd ui && python3 setup.py build --force
++ if $(WITH_EBPF) ; then make -C ebpf_prog; fi
++
++override_dh_auto_install:
++# daemon
++ mkdir -p $(DESTDIR)/usr/bin
++ cp _build/bin/daemon $(DESTDIR)/usr/bin/opensnitchd
++# GUI
++ make -C ui/i18n
++ cp -r ui/i18n/locales/ ui/opensnitch/i18n/
++ pyrcc5 -o ui/opensnitch/resources_rc.py ui/opensnitch/res/resources.qrc
++ sed -i 's/^import ui_pb2/from . import ui_pb2/' ui/opensnitch/ui_pb2*
++ cd ui && python3 setup.py install --force --root=$(UIDESTDIR) --no-compile -O0 --install-layout=deb
++
++# ebpf modules
++ if $(WITH_EBPF); then \
++ mkdir -p $(EBPFDESTDIR)/usr/lib/opensnitchd/ebpf ; \
++ make -C ebpf_prog && cp ebpf_prog/opensnitch*o $(EBPFDESTDIR)/usr/lib/opensnitchd/ebpf/ ; \
++ fi
++
++# daemon
++ dh_auto_install
++
++%:
++ dh $@ --builddirectory=_build --buildsystem=golang --with=golang,python3
++
++override_dh_auto_clean:
++ dh_auto_clean
++ $(MAKE) clean
++ $(RM) daemon/ui/protocol/ui_grpc.pb.go
++ $(RM) ui/opensnitch/resources_rc.py
++ $(RM) -r ui/opensnitch/i18n/
++ $(RM) ui/i18n/locales/*/*.qm
++ cd ui && python3 setup.py clean -a
++ $(RM) -r ui/opensnitch_ui.egg-info/
++ find ui -name \*.pyc -exec rm {} \;
++ $(MAKE) -C ebpf_prog/ clean
--- /dev/null
--- /dev/null
++3.0 (quilt)
--- /dev/null
--- /dev/null
++extend-diff-ignore="\.egg-info$"
--- /dev/null
--- /dev/null
++Tests: test-resources.sh
++Depends: opensnitch
++Restrictions: superficial
++
++Tests: test-fw-rules.sh
++Depends: nftables, opensnitch
++Restrictions: needs-root
--- /dev/null
--- /dev/null
++#!/bin/sh
++set -e
++
++retval=0
++
++# for some reason, go.exec.LookPath() fails to obtain the path of iptables
++# on the ci environment, even if $PATH is set correctly.
++echo "[+] PATH: $PATH"
++
++log="/var/log/opensnitchd.log"
++
++if [ -f /proc/modules ]; then
++ echo "[+] loaded modules:"
++ cat /proc/modules
++fi
++
++if [ -f $log ]; then
++ echo "[+] opensnitchd log:"
++ cat $log
++fi
++
++nft list ruleset
++if nft list ruleset | \
++ grep -q "ct state related,new queue flags bypass to 0" ; then
++ echo "[+] Interception rule (nftables): OK"
++else
++ echo "[!] Interception rule (nftables): Missing"
++ retval=1
++fi
++
++exit $retval
--- /dev/null
--- /dev/null
++#!/bin/sh
++set -e
++
++ophome="/etc/opensnitchd"
++
++ls -dl $ophome 1>/dev/null
++echo "installed OK: $ophome"
++ls -l $ophome/system-fw.json 1>/dev/null
++echo "installed OK: $ophome/system-fw.json"
++ls -l $ophome/default-config.json 1>/dev/null
++echo "installed OK: $ophome/default-config.json"
++ls -dl $ophome/rules 1>/dev/null
++echo "installed OK: $ophome/rules/"
--- /dev/null
--- /dev/null
++---
++Name: opensnitch
++Bug-Database: https://github.com/evilsocket/opensnitch/issues
++Bug-Submit: https://github.com/evilsocket/opensnitch/issues/new
++Contact: Gustavo Iñiguez Goia <gooffy1@gmail.com>
++Documentation: https://github.com/evilsocket/opensnitch/wiki
++CPE: cpe:/a:evilsocket:opensnitch
++Repository: https://github.com/evilsocket/opensnitch.git
++Repository-Browse: https://github.com/evilsocket/opensnitch
--- /dev/null
--- /dev/null
++version=4
++opts=filenamemangle=s/.+\/v?(\d\S*)\.tar\.gz/opensnitch-\$1\.tar\.gz/,\
++uversionmangle=s/(\d)[_\.\-\+]?(RC|rc|pre|dev|beta|alpha)[.]?(\d*)$/\$1~\$2\$3/ \
++ https://github.com/evilsocket/opensnitch/tags .*/v?(\d\S*)\.tar\.gz
projects / opensnitch.git / commitdiff