New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Incompatibility with newer kernels #41
Comments
Can you tell us more about your system? I need at least the following logs and information: First of all, set debug level to DEBUG.
Please, provide all this information or the most you can gather. You can email me it if you prefer rather than post it here. Lets see if we can find the problem, or a way to reproduce it. |
I'm running OpenSnitch on Arch w/ 5.7.4-1-ck-skylake kernel and it's working fine (nothing suspicious in logs, process monitor is /proc). |
By hardened kernel i mean linux-hardened package from the repo. And after further research it looks like DNS requests are causing the crashes/hangups. I got it working again by removing the following kernel command line options: Any DNS request with these options and running opensnitchd will cause the mentioned symptoms. So it's one (or more) of the kernel command line options. Didn't have yet time to find out which one is it. |
thank you very much for the information @deathtrip ! You're using libnetfilter_queue 1.0.5, and there have been a lot of changes from 1.0.3 to 1.0.5, I'm wondering if the problem also reproduces using libnetfilter_queue 1.0.3. A few days ago someone on the original repo also reported a kernel panic using kernel 5.6.16, with this backtrace:
If you could find the backtrace of your kernel panic we could compare both. Also If you have the time to identify the problematic kernel command line option don't doubt in update the issue. It's a very valuable information. Either way, I'm afraid I'm not much of a help here. In my opinion this problem could be a bug in libnetfilter_queue or newer kernels (>= 5.6.16). Probably we're triggering the bug somehow. |
On Arch Linux libnetfilter_queue was updated to 1.0.5 just a few days ago, while kernel 5.6.16 and newer have been around for a few weeks. So it started happening under libnetfilter_queue 1.0.3, but only after upgrading the kernels. Seems to be a problem with the kernel then. |
The problematic kernel command-line option seems to be slub_debug=FZP. This time also the UI started freezing, so i restarted it from the terminal, but got no errors when it started freezing again. |
Thank you @deathtrip ! I'll try to configure them and debug those DNS and daemon problems. |
On Debian, kernel 5.7.0, this cmdline parameters "kaslr pti=on slab_nomerge page_poison=1 slub_debug=FPZ nosmt" causes opensnitch to fail with the following error: removing |
Update to the current point release to see if it fixes anything. Also you should check if only one or two of the FZP options is responsible. |
not the freeze, but a BUG, like the one reported with kernel 5.6.16. There're some bug reports related to this parameter athk5 kmod, ext4, ibm mmfs16 I started to analyze it with valgrind, and it seems to be there some mem leaks. In any case, this parameter is also preventing opensnitch from running with the |
The error This only occurs when stopping the daemon with |
ok, so we're not closing the queue on exit.. and for some reason this problem has arised with kernels >= 5.7.x. I'll fix it soon. |
Still investigating this problem. Fortunately for me, the bug it's not freezing the PC. The daemon stops processing packets and a trace is dumped to dmesg. |
I've filed a bug on the netfilter bugzilla: https://bugzilla.netfilter.org/show_bug.cgi?id=1440 I think this is a problem in their library when allowing packets (ICMP in particular I think). |
Pablo Neira posted a patch for this problem, and as far as I can tell it fixes the bug: https://bugzilla.netfilter.org/show_bug.cgi?id=1440#c1 |
Some users have already confirmed that it's fixed by updating ArchLinux kernel. Thank you for reporting it! |
When the daemon is stopped, we need to close opened netfilter recurses. Otherwise we can fall into a situation where we leave NFQUEUE queues opened, which causes opensnitch to not run anymore until system restart or a manual intervention, because there's a NFQUEUE queue already created with the same ID. This is what was happening as a collateral effect of #41.
Newer kernel versions have broken opensnitch for me.
I used Arch Linux with the hardened kernel, and everything was fine until version 5.6.16 iirc. Since that version every attempt by any program to access the network causes the entire system to freeze, even things like ping, or even starting chromium. But the vanilla 5.6 kernel still worked fine.
When i updated the vanilla kernel to 5.7.2, all network requests were blocked (ping,dns etc.).
Disabling the opensnitchd service solved both the crashing on the hardened kernel, and restored network access on vanilla.
Since 5.7.4, even stopping the opensnitchd service won't restore network access, and i have to reboot to get it back.
I wonder if we have some people on new kernels, who can check it out.
The text was updated successfully, but these errors were encountered: