Request to add official "OpenSnitch eBPF module" package

I’m using OpenSnitch from the official repository and I always get a warning on startup that the eBPF module couldn’t be loaded.

The opensnitch-ebpf-module package from the AUR that solves this doesn’t work out of the box in Manjaro, because Manjaro has no /usr/src/linux symlink this package depends on (Manjaro discussion, AUR discussion).

I was wondering, if there is an official OpenSnitch package, why isn’t there a corresponding “OpenSnitch eBPF module” package to go along with it that’s compatible with Manjaro’s multi-kernel philosophy? Would it be possible to add one?

There is a reason for that - requires maintenance.

https://aur.archlinux.org/packages/opensnitch-ebpf-module#comment-965841

And

Further in a newer comment

https://aur.archlinux.org/packages/opensnitch-ebpf-module#comment-965976

DKMS is not an option here - this is an eBPF program and not a kernel module and hence this package does not use DKMS

I’m aware of these reasons. But they relate to why the AUR package doesn’t work. My question was, why is there no official Manjaro package to replace the AUR one?

(EDIT): To underline my argument:

  • OpenSnitch is in the official repository of Manjaro, but no eBPF module package is provided
  • Expecting users to use and manually alter an AUR package to make an officially provided app work, seems contradictory
  • Using AUR in Manjaro isn’t recommended by Manjaro’s own philosophy
  • There is no MUR (Manjaro User Repository) for the community to provide a Manjaro compatible package themselves

Please don’t take it personally, but I found this to be a funny spelling mistake.

You probably would not want to undermine your own argument,
you would want to support it, to … underline it :smiley:

5 Likes

:joy: fixed it. Thanks

2 Likes

I wasn’t just here for the slightly funny interaction - I was curious about opensnitch
and installed it.

First, I had to deal with a rather big update which was pending right now.

Afterwards I installed opensnitch.

I don’t really know what to do with it - but:
it starts up ok - no errors or missing modules.

What I did:
sudo pacman-mirrors -c Germany
to update the mirrors

sudo pacman -Syyu
to run the update

sudo pacman -Syu opensnitch
to install it

the GUI starts up
when invoked from terminal I see:

opensnitch-ui 
Themes not available. Install qt-material if you want to change GUI's appearance: pip3 install qt-material.
	 ~ OpenSnitch GUI - 1.6.5.1 ~
	protobuf: 5.27.2 - grpc: 1.64.2
-------------------------------------------------- 

GUI already running, opening its window and exiting.

and the GUI appears - no errors :man_shrugging:

This is a VM installation running Xfce4

1 Like

It’s a KDE Plasma notification popup that appears when you first run opensnitch. To retrigger it once opensnitch is already running, you can just restart the opensnitchd.service unit.

Following message will appear:

[eBPF]: Module not found (opensnitch.o) in any of the paths.
You may need to install the corresponding package

Unable to set new process monitor (ebpf) method from disk: [eBPF] Error loading opensnitch.o: Module not found (opensnitch.o) in any of the paths.
You may need to install the corresponding package

I have a KDE Plasma VM as well
and will also update it
and then install opensnitch
just to see if I can replicate …

I didn’t start any service (in the Xfce4 example above)
I just typed opensnitch-ui
in a Terminal and the GUI started up with the messages I posted
and without errors

perhaps I’ll see something about that
… I didn’t start any service, as I said

AFAIK you can also just run the service and cat /var/log/opensnitchd.log to see the errors without the UI.

I’m right now about to install it - after having just finished the update and rebooted.

I don’t know anything about a service.

Did you update your system?
Are you just worried about a message?
Or is the thing not working?

What is the problem?

I’m installing it at this very moment …



a few seconds later …
the very same thing as above (Xfce4 …) happens

no sign of any error or any message anywhere

… you are reading the log and are concerned about something in it?

Is the thing working or not?

You need eBPF if you want full, secure and fast system monitoring.

We can also intercept connections initiated from kernel space, like those initiated by rootkits or VPNs:

review my last post - I just edited it.
pay special attention to the last question and the line above it

I did not check any log - the GUI started up just fine and I had no reason to search for error or warning messages.

btw:

less /var/log/opensnitchd.log
/var/log/opensnitchd.log: No such file or directory

Does one have to start a service in order for it to actually work?

I saw no indication of it during installation.

Without eBPF it works, partially. That’s why it’s just a warning. Kernel space initiated connections aren’t monitored.

If the UI starts but shows nothing, you’re not running the service and the UI is just sitting there doing nothing. You need to run systemctl start opensnitchd.

… I see
with the service running, that message appears

Yeah, the UI is just a looking glass into the service. It doesn’t do anything on its own.

Can you elaborate, perhaps?

I just want to learn.

I know there are two variants of “firewall”
iptables and nftables

How is it working only partially?

I have no use case for this program - I have no idea about what someone would want to achieve with it. :man_shrugging:

opensnitch is an interactive firewall with popups where you actively accept or reject connections that are being initiated and for which there are no explicit rules yet. It uses an eBPF module for kernel-level monitoring (instead of just user-level monitoring). Without it, it falls back to using ProcFS (/proc/).

With iptables you can set firewall rules (opensnitch can use iptables and nftables), but you don’t get an interactive window asking you if you want to allow or reject a new kind of connection being established from your machine (think Anti-Virus firewall popups in Windows).

One could set opensnitch to always use proc by default instead of ebpf. The warning would go away, but then, you won’t have kernel level monitoring (you won’t see if a rootkit is trying to open a connection).

I’ll take that as a basis for my own education about the topic.
Thank you for the explanation!

It is not a priority for me, but I will study up and keep that in mind. :+1:

I guess my question is:
what doesn’t work as you would expect it to work?

What would you like to see happening instead of what you actually see happening?

IOW: what does that message tell you in terms of the function of the program?

Why are you worried about it?

1 Like

I think he explained it already, without eBPF he can not have kernel level monitoring, he could only have user level monitoring which monitors less. He doesn’t want only half monitoring, he wants full monitoring.

1 Like

I believe you are missing the OP’s point, that they would prefer the ‘full user experience’ that only the inclusion of the eBPF module would provide:

This particular module seems to be only available via the AUR, and it requires maintenance. If someone could fix it, maintain it, and perhaps add it to Manjaro’s arsenal, that could make OpenSnitch available as the ‘full-featured’ option that the OP desires.

I dare say, it’s a fair wish to want OpenSnitch to be as effective as possible, but just how practical that is, I can’t say. Unless someone steps up to maintain the module along with OpenSnitch itself, I’m guessing it’s unlikely.

1 Like
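
Added example, not part of the thread and not OpenSnitch's own code: a shell check for the states the discussion runs into (no log because opensnitchd was never started, the eBPF warning quoted above, or neither). The log path and the matched warning text come from the thread; the helper name `ebpf_state` and the layout of the sample log lines are assumptions.

```shell
#!/bin/sh
# Added example: triage opensnitchd's monitoring state from its log file.
# ebpf_state is a hypothetical helper name; the warning text it matches is
# the one quoted in the thread.

# Usage: ebpf_state [LOGFILE]
# Prints: no-log | unreadable | ebpf-missing | no-ebpf-warning
ebpf_state() {
    log=${1:-/var/log/opensnitchd.log}
    if [ ! -f "$log" ]; then
        # Daemon never ran: the UI on its own monitors nothing.
        echo "no-log"
    elif [ ! -r "$log" ]; then
        # Do not report a clean state for a log we could not read.
        echo "unreadable"
    elif grep -Fq 'Module not found (opensnitch.o)' "$log"; then
        # The daemon could not load the eBPF module; per the thread it then
        # works only partially and misses kernel-space connections.
        echo "ebpf-missing"
    else
        echo "no-ebpf-warning"
    fi
}

# Constructed sample log: the line layout is an assumption, the message
# text is the one from the thread.
sample=$(mktemp)
cat > "$sample" <<'EOF'
[constructed] opensnitchd starting
[constructed] [eBPF]: Module not found (opensnitch.o) in any of the paths.
EOF

echo "sample log:  $(ebpf_state "$sample")"
echo "missing log: $(ebpf_state "$sample.absent")"
rm -f "$sample"
```

A warning written by an earlier run stays in the file, so "ebpf-missing" only says the warning occurred at some point; compare against the lines written since the last restart of opensnitchd.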