distribute default rules with the pkgs

gustavo-iniguez-goya · gustavo-iniguez-goya · commit 8c3fa40cf476 · 2025-08-08T13:45:26.000+02:00
- distribute daemon/data/rules/ with the daemon packages. - added a new system fw rule to allow localhost connections (disabled by default). Closes: #965.
diff --git a/daemon/Makefile b/daemon/Makefile
@@ -16,6 +16,7 @@ install:
 		-t $(DESTDIR)/etc/opensnitchd/
 	@install -Dm644 network_aliases.json \
 		-t $(DESTDIR)/etc/opensnitchd/
+	@install -Dm600 data/rules/* $(DESTDIR)/etc/opensnitchd/rules/
 	@systemctl daemon-reload
 
 opensnitchd: $(SRC)
diff --git a/daemon/system-fw.json b/daemon/system-fw.json
@@ -150,6 +150,28 @@
           "Hook": "output",
           "Policy": "accept",
           "Rules": [
+            {
+              "Enabled": false,
+              "Position": "0",
+              "Description": "allow localhost connections",
+              "Parameters": "",
+              "Expressions": [
+                {
+                  "Statement": {
+                    "Op": "==",
+                    "Name": "ip",
+                    "Values": [
+                      {
+                        "Key": "daddr",
+                        "Value": "127.0.0.0-127.255.255.255"
+                      }
+                    ]
+                  }
+                }
+              ],
+              "Target": "accept",
+              "TargetParameters": ""
+            },
             {
               "Enabled": true,
               "Position": "0",
diff --git a/utils/packaging/daemon/deb/debian/opensnitch.install b/utils/packaging/daemon/deb/debian/opensnitch.install
@@ -1,6 +1,7 @@
 daemon/default-config.json etc/opensnitchd/
 daemon/system-fw.json etc/opensnitchd/
-daemon//network_aliases.json etc/opensnitchd/
+daemon/network_aliases.json etc/opensnitchd/
+daemon/data/rules/* etc/opensnitchd/rules/
 ebpf_prog/opensnitch.o usr/lib/opensnitchd/ebpf/
 ebpf_prog/opensnitch-dns.o usr/lib/opensnitchd/ebpf/
 ebpf_prog/opensnitch-procs.o usr/lib/opensnitchd/ebpf/
diff --git a/utils/packaging/daemon/rpm/opensnitch.spec b/utils/packaging/daemon/rpm/opensnitch.spec
@@ -69,6 +69,19 @@ install -m 644 ebpf_prog/opensnitch.o %{buildroot}/usr/lib/opensnitchd/ebpf/open
 install -m 644 ebpf_prog/opensnitch-dns.o %{buildroot}/usr/lib/opensnitchd/ebpf/opensnitch-dns.o
 install -m 644 ebpf_prog/opensnitch-procs.o %{buildroot}/usr/lib/opensnitchd/ebpf/opensnitch-procs.o
 
+B=""
+r="/etc/opensnitchd/rules/000-allow-localhost.json"
+if [ -f $r ]; then
+    B="-b"
+fi
+install -m 600 $B daemon/data/rules/000-allow-localhost.json %{buildroot}$r
+B=""
+r="/etc/opensnitchd/rules/000-allow-localhost6.json"
+if [ -f $r ]; then
+    B="-b"
+fi
+install -m 600 $B daemon/data/rules/000-allow-localhost6.json %{buildroot}$r
+
 # upgrade, uninstall
 %preun
 systemctl stop opensnitch.service || true
