Hi all,

On Thu, 1 Jun 2023 at 18:25, Pijgn <pi...@riseup.net> wrote:
>
> [Petter Reinholdtsen]
> > I believe this is a misunderstanding. Even if the default setting is
> > ebpf, it will fall back to using proc when it fails to find the ebpf
> > module.
>
> My testing suggests this is not reliable with the default eBPF setting.

Petter is correct: we fall back to proc when ebpf can't be used. There's
no difference between setting it to proc and letting it fail.

> Applying the 'Debug invalid connections' setting (in the absence of the
> module) only produces an error message about the file not existing.

The error is "open /etc/opensnitchd/opensnitch.o: no such file or directory"
This causes the settings not to be saved, because the default monitor
method is 'ebpf' and it fails loading the module.

Changing it to 'proc' applies the configuration.

>
> Clicking the Save button allows the option state to persist between
> invocations of the settings dialog, but it does not survive a reboot and
> wireguard is silently denied regardless. I suppose that could be a bug
> against the GUI package; I did not test it headless.

It fails applying the configuration, so the settings are not saved to disk.
Changing the option in /etc/opensnitchd/default-config.json works as expected.

On the other hand, this error only applies to the Node tab. Changing the rest
of the settings (from their respective tabs) works as expected.

>
> It may be possible to use /etc/opensnitchd/system-fw.json as a
> workaround, but I did not try that since I was satisfied with the results
> of the procedure outlined at the beginning of this bug report.
>
> > I believe upstream would be pleased with help with this even if it does
> > not make it into bookworm.
>
> I think I used the 'upstream' tag wrong. The eBPF build process has
> already received a Debian-specific fix upstream, which will be part of
> OpenSnitch 1.6.0 when it is released. In this case, any patches would
> only be meaningful for bookworm, to exclude unrelated changes.
>
> I am interested in working on the patches to implement this fix, but if
> the change will not be compliant with bookworm update policy then the
> default monitor should be set to proc instead before it is too late.
>

The main problem is to decide how the modules should be distributed:
precompiled or compiled on every machine. The latter would add extra
dependencies: clang, llvm, kernel headers, etc.

And as part of the 'opensnitch' package or as a new package?

-- 

Public key:
gpg --keyserver pgp.rediris.es --recv-keys BCF6BE9C

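The failure mode described above (the daemon configured for "ebpf" with no /etc/opensnitchd/opensnitch.o present, so the Node tab cannot apply its settings, while editing /etc/opensnitchd/default-config.json directly works) can be turned into a small check that makes the fallback explicit on disk. The script below is an added example, not code from the OpenSnitch project or from anyone in this thread. It assumes the daemon config key is "ProcMonitorMethod" (the name used in upstream default-config.json as far as I know) and that only "ebpf" and "proc" are valid values; the sample config it writes into a scratch directory is constructed for the demonstration.

```python
"""Added example: pick OpenSnitch's process monitor method from whether the
eBPF module exists, and record that choice in the daemon config.

Assumptions (not taken from the thread): the config key is
"ProcMonitorMethod"; valid values are "ebpf" and "proc"; paths are
parameters so the helpers can run against constructed files.
"""
import json
import os
import tempfile

EBPF_MODULE = "/etc/opensnitchd/opensnitch.o"
DAEMON_CONFIG = "/etc/opensnitchd/default-config.json"

# Constructed sample config for the demo; not a copy of a real installation.
SAMPLE_CONFIG = {
    "Server": {"Address": "unix:///tmp/osui.sock",
               "LogFile": "/var/log/opensnitchd.log"},
    "DefaultAction": "allow",
    "DefaultDuration": "once",
    "InterceptUnknown": False,
    "ProcMonitorMethod": "ebpf",
    "LogLevel": 2,
}


def choose_monitor_method(module_path: str = EBPF_MODULE) -> str:
    """Return "ebpf" only when the compiled module is present, else "proc"."""
    return "ebpf" if os.path.isfile(module_path) else "proc"


def apply_monitor_method(config_text: str, method: str) -> str:
    """Return the config JSON with ProcMonitorMethod set to `method`."""
    if method not in ("ebpf", "proc"):
        raise ValueError("unsupported monitor method: %r" % method)
    cfg = json.loads(config_text)
    cfg["ProcMonitorMethod"] = method
    return json.dumps(cfg, indent=4) + "\n"


def reconcile_config(config_path: str = DAEMON_CONFIG,
                     module_path: str = EBPF_MODULE) -> str:
    """Rewrite the config if its method does not match the module state.

    Returns the method that is now recorded in the file.
    """
    method = choose_monitor_method(module_path)
    with open(config_path) as fh:
        current = fh.read()
    if json.loads(current).get("ProcMonitorMethod") != method:
        with open(config_path, "w") as fh:
            fh.write(apply_monitor_method(current, method))
    return method


def run_demo() -> dict:
    """Exercise the helpers in a scratch directory and return what happened."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        cfg_path = os.path.join(tmp, "default-config.json")
        mod_path = os.path.join(tmp, "opensnitch.o")
        with open(cfg_path, "w") as fh:
            json.dump(SAMPLE_CONFIG, fh, indent=4)

        # Case from the mail: no module on disk, config still says "ebpf".
        results["without_module"] = reconcile_config(cfg_path, mod_path)
        with open(cfg_path) as fh:
            results["on_disk_without"] = json.load(fh)["ProcMonitorMethod"]

        # Module appears (e.g. a package later ships a prebuilt opensnitch.o).
        open(mod_path, "wb").close()
        results["with_module"] = reconcile_config(cfg_path, mod_path)
        with open(cfg_path) as fh:
            results["on_disk_with"] = json.load(fh)["ProcMonitorMethod"]
    return results


if __name__ == "__main__":
    for key, value in run_demo().items():
        print("%s: %s" % (key, value))
```

Run it as root against the real paths (reconcile_config() with no arguments) after installing or removing the module, then restart opensnitchd; the daemon then reads an explicit "proc" instead of failing to load the module and falling back at runtime, which is the state the GUI's Node tab could not reach.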