Live (re)loading of rules for namespace tracking

[hashkool]

Two questions

1. I am confused about how opensnitch can do live (re)load rule files from /etc/opensnitchd/rules/.

   I see there is a monitor option, but that is just monitoring changes in nftables? When I change a rule on disk, opensnitch 1.6.6 does not load the change automatically.

2. When I do a systemctl restart opensnitch the internet is open again, right? So how do I keep the everything locked down?

Some background

I would like to dynamically update the opensnitch rules in order to track network activity for Linux namespaces (sandboxing).
With slirp4netns opensnitch@host does just see a program+args. The namespace number ends up in the args, so that is something I could keep track of. When launching one or more sandboxes that way I would like to insert some rules in opensnitch per sandbox type.

Opensnitch can see the name of the tap device, because on the host you launch slirp4netns like this

slirp4netns --configure 24853 tap0

(24853 is the net namespace, tap0 the interface inside 24853)

So yes, in theory I could regex filter on tap0 (and use a name that is a bit better than tap0), but the approach feels a bit like duct-taping. But afaik, network device names are heavily restricted.

[gustavo-iniguez-goya]

I see there is a monitor option, but that is just monitoring changes in nftables? When I change a rule on disk, opensnitch 1.6.6 does not load the change automatically.

It should reload the files (unless the rule is malformed). Change the LogLevel to DEBUG, and edit a rule manually from /etc/opensnitchd/rules. There should be log entries similar to these ones in /var/log/opensnitch.log

[2025-04-23 19:39:17.187893]  IMP  Ruleset changed due to 999-deny-dnsmasq.json, reloading ...
[2025-04-23 19:39:17.188027]  DBG  Operator compiled: process.path is '/usr/sbin/dnsmasq'
[2025-04-23 19:39:17.188049]  DBG  Loaded rule from /tmp/r2/999-deny-dnsmasq.json: [Enabled] 999-deny-dnsmasq: if(process.path is '/usr/sbin/dnsmasq'){ reject always }
[2025-04-23 19:39:17.188083]  IMP  Ruleset changed due to 999-deny-dnsmasq.json, reloading ...

dropping or deleting rules under /etc/opensnitchd/rules should also reload the ruleset.

Regarding filtering by namespaces details, for now it's not possible. I have in my TODO list to obtain the namespaces of a process if any, ideally from the kernel, to offer more context about the connections.
Filtering by or displaying the hostname (uts_namespace) will help identifying the container that originated the connection.

So if you created a new uts_namespace along with the net namespace, it should help to filter these connections.

[hashkool]

Filtering by or displaying the hostname (uts_namespace) will help identifying the container that originated the connection.

That is a great idea, which I guess would also have worked indeed.

dropping or deleting rules under /etc/opensnitchd/rules should also reload the ruleset.

I edited the file, but I assume the problem was something else. I can confirm that in any case rules that watch a directory pick up live changes in the watched directory.