eBPF Failed to load /etc/opensnitchd/opensnitch.o: error while loading "kprobe/tcp_v4_connect" (permission denied): #864

Closed
fraschm1998 opened this issue Feb 26, 2023 · 10 comments

Comments

@fraschm1998

Please, check the FAQ and Known Problems pages before creating the bug report:
https://github.com/evilsocket/opensnitch/wiki/FAQs
https://github.com/evilsocket/opensnitch/wiki/Known-problems

Describe the bug
A clear and concise description of what the bug is.

Include the following information:

  • OpenSnitch version: 1.5.8
  • OS: Gentoo
  • Version: [default/linux/amd64/17.1/hardened/selinux (stable)]
  • Window Manager: DWL
  • Kernel version: Linux asus-g14 6.2.0-gentoo-x86_64 #3 SMP PREEMPT_DYNAMIC Sun Feb 26 14:23:45 CET 2023 x86_64 AMD Ryzen 9 4900HS with Radeon Graphics AuthenticAMD GNU/Linux

To Reproduce
Describe in detail as much as you can what happened.

Steps to reproduce the behavior:

  1. Start opensnitch daemon
  2. Open opensnitch-ui
  3. Check logs

Post error logs:
http://sprunge.us/NzuSey

[2023-02-26 17:21:53] IMP Start writing logs to /var/log/opensnitchd.log
[2023-02-26 17:21:53] ERR eBPF Failed to load /etc/opensnitchd/opensnitch.o: error while loading "kprobe/tcp_v4_connect" (permission denied):
0: R1=ctx(off=0,imm=0) R10=fp0
0: (79) r1 = *(u64 *)(r1 +112)        ; R1_w=scalar()
1: (7b) *(u64 *)(r10 -8) = r1         ; R1_w=scalar() R10=fp0 fp-8_w=mmmmmmmm
2: (85) call bpf_get_current_pid_tgid#14      ; R0_w=scalar()
3: (7b) *(u64 *)(r10 -16) = r0        ; R0_w=scalar() R10=fp0 fp-16_w=mmmmmmmm
4: (bf) r2 = r10                      ; R2_w=fp0 R10=fp0
5: (07) r2 += -16                     ; R2_w=fp-16
6: (bf) r3 = r10                      ; R3_w=fp0 R10=fp0
7: (07) r3 += -8                      ; R3_w=fp-8
8: (18) r1 = 0x0                      ; R1_w=0
10: (b7) r4 = 0                       ; R4_w=0
11: (85) call bpf_map_update_elem#2
R1 type=scalar expected=map_ptr
processed 11 insns (limit 1000000) max_states_per_insn 0 total_states 0 peak_states 0 mark_read 0
[2023-02-26 17:22:23] ERR Error while running firewall rule, ipv6 err: exit status 1
[2023-02-26 17:22:23] ERR rule: [-I INPUT --protocol udp --sport 53 -j NFQUEUE --queue-num 0 --queue-bypass]
[2023-02-26 17:22:23] ERR Error while running DNS firewall rule: exit status 1 exit status 1
[2023-02-26 17:22:53] IMP firewall rules changed, reloading
[2023-02-26 17:22:53] ERR Error while running firewall rule, ipv4 err: exit status 1
[2023-02-26 17:22:53] ERR rule: [-I INPUT --protocol udp --sport 53 -j NFQUEUE --queue-num 0 --queue-bypass]
[2023-02-26 17:22:53] ERR Error while running firewall rule, ipv6 err: exit status 1
[2023-02-26 17:22:53] ERR rule: [-I INPUT --protocol udp --sport 53 -j NFQUEUE --queue-num 0 --queue-bypass]
[2023-02-26 17:22:53] ERR Error while running DNS firewall rule: exit status 1 exit status 1
[2023-02-26 17:23:23] IMP firewall rules changed, reloading
[2023-02-26 17:23:23] ERR Error while running firewall rule, ipv4 err: exit status 1
[2023-02-26 17:23:23] ERR rule: [-I INPUT --protocol udp --sport 53 -j NFQUEUE --queue-num 0 --queue-bypass]
[2023-02-26 17:23:23] ERR Error while running firewall rule, ipv6 err: exit status 1
[2023-02-26 17:23:23] ERR rule: [-I INPUT --protocol udp --sport 53 -j NFQUEUE --queue-num 0 --queue-bypass]
[2023-02-26 17:23:23] ERR Error while running DNS firewall rule: exit status 1 exit status 1
[2023-02-26 17:23:53] IMP firewall rules changed, reloading
[2023-02-26 17:23:53] ERR Error while running firewall rule, ipv4 err: exit status 1
[2023-02-26 17:23:53] ERR rule: [-I INPUT --protocol udp --sport 53 -j NFQUEUE --queue-num 0 --queue-bypass]
[2023-02-26 17:23:53] ERR Error while running firewall rule, ipv6 err: exit status 1
[2023-02-26 17:23:53] ERR rule: [-I INPUT --protocol udp --sport 53 -j NFQUEUE --queue-num 0 --queue-bypass]
[2023-02-26 17:23:53] ERR Error while running DNS firewall rule: exit status 1 exit status 1
[2023-02-26 17:24:23] IMP firewall rules changed, reloading
[2023-02-26 17:24:23] ERR Error while running firewall rule, ipv4 err: exit status 1
[2023-02-26 17:24:23] ERR rule: [-I INPUT --protocol udp --sport 53 -j NFQUEUE --queue-num 0 --queue-bypass]
[2023-02-26 17:24:23] ERR Error while running firewall rule, ipv6 err: exit status 1
[2023-02-26 17:24:23] ERR rule: [-I INPUT --protocol udp --sport 53 -j NFQUEUE --queue-num 0 --queue-bypass]
[2023-02-26 17:24:23] ERR Error while running DNS firewall rule: exit status 1 exit status 1
[2023-02-26 17:24:53] IMP firewall rules changed, reloading
[2023-02-26 17:24:53] ERR Error while running firewall rule, ipv4 err: exit status 1
[2023-02-26 17:24:53] ERR rule: [-I INPUT --protocol udp --sport 53 -j NFQUEUE --queue-num 0 --queue-bypass]
[2023-02-26 17:24:53] ERR Error while running firewall rule, ipv6 err: exit status 1
[2023-02-26 17:24:53] ERR rule: [-I INPUT --protocol udp --sport 53 -j NFQUEUE --queue-num 0 --queue-bypass]
[2023-02-26 17:24:53] ERR Error while running DNS firewall rule: exit status 1 exit status 1
[2023-02-26 17:25:23] IMP firewall rules changed, reloading
[2023-02-26 17:25:23] ERR Error while running firewall rule, ipv4 err: exit status 1
[2023-02-26 17:25:23] ERR rule: [-I INPUT --protocol udp --sport 53 -j NFQUEUE --queue-num 0 --queue-bypass]
[2023-02-26 17:25:23] ERR Error while running firewall rule, ipv6 err: exit status 1
[2023-02-26 17:25:23] ERR rule: [-I INPUT --protocol udp --sport 53 -j NFQUEUE --queue-num 0 --queue-bypass]
[2023-02-26 17:25:23] ERR Error while running DNS firewall rule: exit status 1 exit status 1
@fraschm1998
Author

grep CONFIG_FTRACE /boot/config-6.2.0-gentoo-x86_64

CONFIG_FTRACE=y
# CONFIG_FTRACE_SYSCALLS is not set
# CONFIG_FTRACE_STARTUP_TEST is not set

@gustavo-iniguez-goya
Collaborator

gustavo-iniguez-goya commented Feb 26, 2023

hi @fraschm1998 ,

How did you obtain the file /etc/opensnitchd/opensnitch.o?

Please post the information that appears here: #774

On the other hand, there are people running opensnitch on Gentoo; did you also ask on the Gentoo forums?

@fraschm1998
Author

How did you obtain the file /etc/opensnitchd/opensnitch.o?

From the Pentoo's ebuild which gets it from: https://dev.pentoo.ch/~blshkv/distfiles/opensnitch_amd64.o

grep FTRACE /boot/config-$(uname -r)

CONFIG_KPROBES_ON_FTRACE=y
CONFIG_HAVE_KPROBES_ON_FTRACE=y
CONFIG_HAVE_DYNAMIC_FTRACE=y
CONFIG_HAVE_DYNAMIC_FTRACE_WITH_REGS=y
CONFIG_HAVE_DYNAMIC_FTRACE_WITH_DIRECT_CALLS=y
CONFIG_HAVE_DYNAMIC_FTRACE_WITH_ARGS=y
CONFIG_HAVE_DYNAMIC_FTRACE_NO_PATCHABLE=y
CONFIG_HAVE_FTRACE_MCOUNT_RECORD=y
CONFIG_FTRACE=y
CONFIG_DYNAMIC_FTRACE=y
CONFIG_DYNAMIC_FTRACE_WITH_REGS=y
CONFIG_DYNAMIC_FTRACE_WITH_DIRECT_CALLS=y
CONFIG_DYNAMIC_FTRACE_WITH_ARGS=y
CONFIG_FTRACE_SYSCALLS=y
CONFIG_FTRACE_MCOUNT_RECORD=y
CONFIG_FTRACE_MCOUNT_USE_CC=y
# CONFIG_FTRACE_RECORD_RECURSION is not set
# CONFIG_FTRACE_STARTUP_TEST is not set
# CONFIG_FTRACE_SORT_STARTUP_TEST is not set
CONFIG_HAVE_SAMPLE_FTRACE_DIRECT=y
CONFIG_HAVE_SAMPLE_FTRACE_DIRECT_MULTI=y

grep -E "(KPROBE|BPF)" /boot/config-6.2.0-gentoo-x86_64

CONFIG_BPF=y
CONFIG_HAVE_EBPF_JIT=y
CONFIG_ARCH_WANT_DEFAULT_BPF_JIT=y
# BPF subsystem
CONFIG_BPF_SYSCALL=y
# CONFIG_BPF_JIT is not set
CONFIG_BPF_UNPRIV_DEFAULT_OFF=y
# CONFIG_BPF_PRELOAD is not set
# end of BPF subsystem
CONFIG_CGROUP_BPF=y
CONFIG_KPROBES=y
CONFIG_KPROBES_ON_FTRACE=y
CONFIG_HAVE_KPROBES=y
CONFIG_HAVE_KPROBES_ON_FTRACE=y
# CONFIG_NETFILTER_XT_MATCH_BPF is not set
# CONFIG_BPFILTER is not set
# CONFIG_NET_CLS_BPF is not set
# CONFIG_NET_ACT_BPF is not set
# CONFIG_BPF_STREAM_PARSER is not set
CONFIG_KPROBE_EVENTS=y
# CONFIG_KPROBE_EVENTS_ON_NOTRACE is not set
CONFIG_BPF_EVENTS=y
# CONFIG_BPF_KPROBE_OVERRIDE is not set
# CONFIG_KPROBE_EVENT_GEN_TEST is not set
# CONFIG_TEST_BPF is not set

@gustavo-iniguez-goya
Collaborator

thank you @fraschm1998 ,

stop the daemon, and see if /sys/kernel/debug/tracing/kprobe_events is populated after stopping the daemon. If it's not empty, empty it:
# > /sys/kernel/debug/tracing/kprobe_events

and start the daemon again.

Could you download this ebpf module and start the daemon with it?

https://github.com/evilsocket/opensnitch/actions/runs/4276068016/jobs/7443897035

It's the build 5.19, 1.5.0 from here: https://github.com/evilsocket/opensnitch/actions/runs/4276068016

@fraschm1998
Author

fraschm1998 commented Feb 26, 2023

stop the daemon, and see if /sys/kernel/debug/tracing/kprobe_events is populated after stopping the daemon. If it's not empty, empty it: # > /sys/kernel/debug/tracing/kprobe_events

While the daemon is running, I can see that it's there by doing sudo ls /sys/kernel/debug/tracing/kprobe_events; if done without sudo, I get "/sys/kernel/debug/tracing/kprobe_events": Permission denied (os error 13)

doas rm -f /sys/kernel/debug/tracing/kprobe_events
rm: cannot remove '/sys/kernel/debug/tracing/kprobe_events': Operation not permitted

Tried using the ebpf module as recommended, it seems like the error is no longer there in the logs, however, opensnitch still doesn't intercept any of the connections (just shows a blank opensnitch).

Log with new ebpf module:

[2023-02-26 22:00:39] IMP Start writing logs to /var/log/opensnitchd.log
[2023-02-26 22:00:39] ERR Error while running firewall rule, ipv4 err: exit status 1
[2023-02-26 22:00:39] ERR rule: [-I INPUT --protocol udp --sport 53 -j NFQUEUE --queue-num 0 --queue-bypass]
[2023-02-26 22:00:39] ERR Error while running firewall rule, ipv6 err: exit status 1
[2023-02-26 22:00:39] ERR rule: [-I INPUT --protocol udp --sport 53 -j NFQUEUE --queue-num 0 --queue-bypass]
[2023-02-26 22:00:39] ERR Error while running DNS firewall rule: exit status 1 exit status 1
[2023-02-26 22:00:53] ERR getting notifications: rpc error: code = Unavailable desc = transport is closing <nil>
[2023-02-26 22:00:54] ERR Connection to the UI service lost.
[2023-02-26 22:01:09] IMP firewall rules changed, reloading
[2023-02-26 22:01:09] ERR Error while running firewall rule, ipv4 err: exit status 1
[2023-02-26 22:01:09] ERR rule: [-I INPUT --protocol udp --sport 53 -j NFQUEUE --queue-num 0 --queue-bypass]
[2023-02-26 22:01:09] ERR Error while running firewall rule, ipv6 err: exit status 1
[2023-02-26 22:01:09] ERR rule: [-I INPUT --protocol udp --sport 53 -j NFQUEUE --queue-num 0 --queue-bypass]
[2023-02-26 22:01:09] ERR Error while running DNS firewall rule: exit status 1 exit status 1
[2023-02-26 22:01:39] IMP firewall rules changed, reloading
[2023-02-26 22:01:39] ERR Error while running firewall rule, ipv4 err: exit status 1
[2023-02-26 22:01:39] ERR rule: [-I INPUT --protocol udp --sport 53 -j NFQUEUE --queue-num 0 --queue-bypass]
[2023-02-26 22:01:39] ERR Error while running firewall rule, ipv6 err: exit status 1
[2023-02-26 22:01:39] ERR rule: [-I INPUT --protocol udp --sport 53 -j NFQUEUE --queue-num 0 --queue-bypass]
[2023-02-26 22:01:39] ERR Error while running DNS firewall rule: exit status 1 exit status 1
[2023-02-26 22:02:09] IMP firewall rules changed, reloading
[2023-02-26 22:02:09] ERR Error while running firewall rule, ipv4 err: exit status 1
[2023-02-26 22:02:09] ERR rule: [-I INPUT --protocol udp --sport 53 -j NFQUEUE --queue-num 0 --queue-bypass]
[2023-02-26 22:02:09] ERR Error while running firewall rule, ipv6 err: exit status 1
[2023-02-26 22:02:09] ERR rule: [-I INPUT --protocol udp --sport 53 -j NFQUEUE --queue-num 0 --queue-bypass]
[2023-02-26 22:02:09] ERR Error while running DNS firewall rule: exit status 1 exit status 1

@gustavo-iniguez-goya
Collaborator

Tried using the ebpf module as recommended, it seems like the error is no longer there in the logs

good! login as root via doas/sudo (sudo su, or su -), and cat the kprobe_events file to see the content while the daemon is running:
# cat /sys/kernel/debug/tracing/kprobe_events

Once the daemon is stopped, that file should be empty.

You can't delete that file by the way, it's handled by the kernel. You can modify it but only if it's not locked by any process.

Could you post the output of the following command on the "old" eBPF module? objdump -h /path/to/module.o
Does the module work for other Gentoo users?

regarding the other errors:
try adding the rule manually: iptables -I INPUT --protocol udp --sport 53 -j NFQUEUE --queue-num 0 --queue-bypass

(I assume that the iptables binary is installed.)

I'm interested in knowing the cause of this error, maybe the NFQUEUE module is not autoloaded by iptables, or the iptables binary is not installed.

@fraschm1998
Author

good! login as root via doas/sudo (sudo su, or su -), and cat the kprobe_events file to see the content while the daemon is running: # cat /sys/kernel/debug/tracing/kprobe_events

Once the daemon is stopped, that file should be empty.

You can't delete that file by the way, it's handled by the kernel. You can modify it but only if it's not locked by any process.

It is running and when the daemon is stopped, it's empty.

r32:kprobes/rtcp_v4_connect tcp_v4_connect
p:kprobes/ptcp_v6_connect tcp_v6_connect
r32:kprobes/rtcp_v6_connect tcp_v6_connect
p:kprobes/pudp_sendmsg udp_sendmsg
p:kprobes/pudpv6_sendmsg udpv6_sendmsg
p:kprobes/piptunnel_xmit iptunnel_xmit
p:kprobes/ptcp_v4_connect tcp_v4_connect

Output of the "old" eBPF module:

Sections:
Idx Name          Size      VMA               LMA               File off  Algn
  0 .text         000000d0  0000000000000000  0000000000000000  00000040  2**3
                  CONTENTS, ALLOC, LOAD, READONLY, CODE
  1 kprobe/tcp_v4_connect 00000070  0000000000000000  0000000000000000  00000110  2**3
                  CONTENTS, ALLOC, LOAD, READONLY, CODE
  2 kretprobe/tcp_v4_connect 00000278  0000000000000000  0000000000000000  00000180  2**3
                  CONTENTS, ALLOC, LOAD, READONLY, CODE
  3 kprobe/tcp_v6_connect 00000070  0000000000000000  0000000000000000  000003f8  2**3
                  CONTENTS, ALLOC, LOAD, READONLY, CODE
  4 kretprobe/tcp_v6_connect 00000298  0000000000000000  0000000000000000  00000468  2**3
                  CONTENTS, ALLOC, LOAD, READONLY, CODE
  5 kprobe/udp_sendmsg 000003b8  0000000000000000  0000000000000000  00000700  2**3
                  CONTENTS, ALLOC, LOAD, READONLY, CODE
  6 kprobe/udpv6_sendmsg 000003d8  0000000000000000  0000000000000000  00000ab8  2**3
                  CONTENTS, ALLOC, LOAD, READONLY, CODE
  7 kprobe/iptunnel_xmit 00000408  0000000000000000  0000000000000000  00000e90  2**3
                  CONTENTS, ALLOC, LOAD, READONLY, CODE
  8 maps/tcpMap   00000118  0000000000000000  0000000000000000  00001298  2**2
                  CONTENTS, ALLOC, LOAD, DATA
  9 maps/tcpv6Map 00000118  0000000000000000  0000000000000000  000013b0  2**2
                  CONTENTS, ALLOC, LOAD, DATA
 10 maps/udpMap   00000118  0000000000000000  0000000000000000  000014c8  2**2
                  CONTENTS, ALLOC, LOAD, DATA
 11 maps/udpv6Map 00000118  0000000000000000  0000000000000000  000015e0  2**2
                  CONTENTS, ALLOC, LOAD, DATA
 12 maps/tcpsock  00000118  0000000000000000  0000000000000000  000016f8  2**2
                  CONTENTS, ALLOC, LOAD, DATA
 13 maps/tcpv6sock 00000118  0000000000000000  0000000000000000  00001810  2**2
                  CONTENTS, ALLOC, LOAD, DATA
 14 maps/tcpcounter 00000118  0000000000000000  0000000000000000  00001928  2**2
                  CONTENTS, ALLOC, LOAD, DATA
 15 maps/tcpv6counter 00000118  0000000000000000  0000000000000000  00001a40  2**2
                  CONTENTS, ALLOC, LOAD, DATA
 16 maps/udpcounter 00000118  0000000000000000  0000000000000000  00001b58  2**2
                  CONTENTS, ALLOC, LOAD, DATA
 17 maps/udpv6counter 00000118  0000000000000000  0000000000000000  00001c70  2**2
                  CONTENTS, ALLOC, LOAD, DATA
 18 maps/debugcounter 00000118  0000000000000000  0000000000000000  00001d88  2**2
                  CONTENTS, ALLOC, LOAD, DATA
 19 maps/bytes    00000118  0000000000000000  0000000000000000  00001ea0  2**2
                  CONTENTS, ALLOC, LOAD, DATA
 20 maps/debug    00000118  0000000000000000  0000000000000000  00001fb8  2**2
                  CONTENTS, ALLOC, LOAD, DATA
 21 license       00000004  0000000000000000  0000000000000000  000020d0  2**0
                  CONTENTS, ALLOC, LOAD, DATA
 22 version       00000004  0000000000000000  0000000000000000  000020d4  2**2
                  CONTENTS, ALLOC, LOAD, DATA
 23 .eh_frame     00000110  0000000000000000  0000000000000000  000020d8  2**3
                  CONTENTS, ALLOC, LOAD, READONLY, DATA

It seems to have worked previously for v1.5.3 according to this thread: https://forums.gentoo.org/viewtopic-p-8777076.html?sid=24a64e0c424278b00bb91f756fc4f581 assuming he's using the pentoo ebuild which provides the .o file.

@gustavo-iniguez-goya
Collaborator

ok, the kprobes and the module (in principle) look fine to me. The fact that "our" module works at least discards a problem with kernel 6.2.x.

regarding the interception, there should be at least 1 rule in the mangle table:
iptables -t mangle -L OUTPUT

If it's empty try adding it manually: # iptables -t mangle -I OUTPUT -m conntrack --ctstate NEW -j NFQUEUE --queue-num 1 --queue-bypass

some modules should be loaded for this rule to work:

grep -i nfqueue /proc/modules 
xt_NFQUEUE 16384 4 - Live 
x_tables 61440 14 xt_NFQUEUE,xt_nat,xt_MASQUERADE,ip6t_REJECT,xt_hl,ip6_tables,ip6t_rt,ipt_REJECT,xt_limit,xt_addrtype,xt_tcpudp,xt_conntrack,nft_compat,ip_tables, Live 

@fraschm1998
Author

I'm interested in knowing the cause of this error, maybe the NFQUEUE module is not autoloaded by iptables, or the iptables binary is not installed.

This was the issue, I recompiled my kernel with CONFIG_NETFILTER_XT_TARGET_NFQUEUE=y and opensnitch now works!

@gustavo-iniguez-goya
Collaborator

closing as it seems to be resolved. Besides adding it to the wiki I'll add an option to check needed requirements.
I had it already on my TODO list but forgot about it.
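
A kernel-side version of the requirements check mentioned in the closing comment, written as an added example that is not part of the thread or of opensnitch's code. The option list is an assumption assembled from the config excerpts posted above (not the project's official list), and the function names are hypothetical.

```shell
#!/bin/sh
# Added example, not opensnitch code. The option list is an assumption built
# from the config excerpts in this thread, not the project's official list.
REQUIRED_OPTS="CONFIG_BPF_SYSCALL CONFIG_BPF_EVENTS CONFIG_KPROBES \
CONFIG_KPROBE_EVENTS CONFIG_FTRACE CONFIG_NETFILTER_XT_TARGET_NFQUEUE"

# Constructed sample: BPF/kprobe lines as posted in the thread, plus an
# NFQUEUE line in the disabled state (constructed, not quoted from the page).
sample_config() {
    cat <<'EOF'
CONFIG_BPF=y
CONFIG_BPF_SYSCALL=y
# CONFIG_BPF_JIT is not set
CONFIG_KPROBES=y
CONFIG_KPROBES_ON_FTRACE=y
CONFIG_KPROBE_EVENTS=y
CONFIG_BPF_EVENTS=y
CONFIG_FTRACE=y
# CONFIG_NETFILTER_XT_TARGET_NFQUEUE is not set
EOF
}

# opt_state FILE OPTION -> prints builtin | module | unset | absent.
# Patterns are anchored at both ends so CONFIG_KPROBES does not match
# CONFIG_KPROBES_ON_FTRACE, which a plain "grep KPROBES" would.
opt_state() {
    if grep -q "^$2=y\$" "$1"; then echo builtin
    elif grep -q "^$2=m\$" "$1"; then echo module
    elif grep -q "^# $2 is not set\$" "$1"; then echo unset
    else echo absent
    fi
}

# missing_kernel_opts FILE -> prints required options that are neither =y nor =m.
missing_kernel_opts() {
    missing=""
    for opt in $REQUIRED_OPTS; do
        case $(opt_state "$1" "$opt") in
            builtin|module) ;;
            *) missing="${missing:+$missing }$opt" ;;
        esac
    done
    echo "$missing"
}

# check_kernel_config FILE -> prints one line per option; returns 0 when all
# are present, 1 when something is missing, 2 when FILE is unreadable.
check_kernel_config() {
    [ -r "$1" ] || { echo "cannot read $1" >&2; return 2; }
    for opt in $REQUIRED_OPTS; do
        printf '%-40s %s\n' "$opt" "$(opt_state "$1" "$opt")"
    done
    m=$(missing_kernel_opts "$1")
    [ -z "$m" ] && return 0
    echo "missing: $m" >&2
    return 1
}

# Usage: check_kernel_config "/boot/config-$(uname -r)"
```

An option reported as `module` still needs the module to be loaded at runtime, which is what the `grep -i nfqueue /proc/modules` check earlier in the thread verifies.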
