[Bug Report] OpenSnitch breaks DNS in Fedora 42 (eBPF incompatible with Kernel 6.14) #1343

@deenle

Hello everybody!
The issue appears to be related to the updated Kernel 6.14 and OpenSnitch (it was not present in 6.13).
Below is a detailed report.

Describe the bug:

If OpenSnitch works in eBPF mode on Fedora 42 (Kernel 6.14), the system cannot resolve DNS after boot.
Restarting the systemd-resolved service resolves the issue. Alternatively, changing the method to proc also resolves the issue.

Discussion at Fedora here
Bugzilla RedHat bug 2361468
Connected to that? #1340

  • OpenSnitch version: 1.7.0-rc.2
  • OS: Fedora Workstation
  • OS version: 42
  • Window Manager: KDE Plasma
  • Kernel version: Linux fedora 6.14.5-300.fc42.x86_64 #1 SMP PREEMPT_DYNAMIC Fri May 2 14:16:46 UTC 2025 x86_64 GNU/Linux (lockdown=integrity)

To Reproduce:

Steps to reproduce the behavior (100% reproducible):

  1. Install/Upgrade to Fedora 42
  2. Install OpenSnitch
  3. Boot the system
  4. DNS resolution will not work after boot
  5. Restart the systemd-resolved service using "systemctl restart systemd-resolved"
  6. DNS resolution should now be working.

Post error logs:

I'm sometimes able to find it in opensnitch's logs, but it's not persistent:

DBG  Rules watcher started on path /etc/opensnitchd/rules ...
DBG  [eBPF] trying to load /usr/local/lib/opensnitchd/ebpf/opensnitch-dns.o
DBG  [eBPF] trying to load /usr/lib/opensnitchd/ebpf/opensnitch-dns.o
INF  Running on netfilter queue #0 ...
DBG  [DNS] systemd-resolved monitor response error: &{ [] [] false}
DBG  [eBPF] trying to load /etc/opensnitchd/opensnitch-dns.o
WAR  [eBPF DNS]: unable to load eBPF module (opensnitch-dns.o). Your kernel version (6.14.5-300.fc42.x86_64) might not be compatible. If this error persists, change process monitor method to 'proc'
WAR  EBPF-DNS: Unable to attach ebpf listener: unable to load eBPF module (opensnitch-dns.o). Your kernel version (6.14.5-300.fc42.x86_64) might not be compatible. If this error persists, change process monitor method to 'proc'

>> More logs <<

opensnitchd -check-requirements

        Checking system requirements for kernel version 6.14.5-300.fc42.x86_64

        Checking => CONFIG_KPROBES=y
        Checking => CONFIG_KPROBES_ON_FTRACE=y
        Checking => CONFIG_HAVE_KPROBES=y
        Checking => CONFIG_HAVE_KPROBES_ON_FTRACE=y
        Checking => CONFIG_KPROBE_EVENTS=y

        * kprobes        ✔

        Checking => CONFIG_UPROBES=y
        Checking => CONFIG_UPROBE_EVENTS=y

        * uprobes        ✔

        Checking => CONFIG_FTRACE=y

        * ftrace         ✔

        Checking => CONFIG_HAVE_SYSCALL_TRACEPOINTS=y
        Checking => CONFIG_FTRACE_SYSCALLS=y

        * syscalls       ✔

        Checking => CONFIG_NETFILTER_NETLINK_QUEUE=[my]
        Checking => CONFIG_NFT_QUEUE=[my]
        Checking => CONFIG_NETFILTER_XT_TARGET_NFQUEUE=[my]

        * nfqueue        ✔

        Checking => CONFIG_NETFILTER_NETLINK=[my]
        Checking => CONFIG_NETFILTER_NETLINK_QUEUE=[my]
        Checking => CONFIG_NETFILTER_NETLINK_ACCT=[my]
        Checking => CONFIG_PROC_EVENTS=[my]

        * netlink        ✔

        Checking => CONFIG_INET_DIAG=[my]
        Checking => CONFIG_INET_TCP_DIAG=[my]
        Checking => CONFIG_INET_UDP_DIAG=[my]
        Checking => CONFIG_INET_DIAG_DESTROY=[my]

        * net diagnostics        ✔

opensnitchd -debug

 [2025-05-12 20:31:40]  IMP  Starting opensnitch-daemon v1.7.0
 [2025-05-12 20:31:40]  WAR  Error loading network aliases: open /etc/opensnitchd/network_aliases.json: no such file or directory
 [2025-05-12 20:31:40]  INF  Loading network aliases from /etc/opensnitchd/network_aliases.json
 [2025-05-12 20:31:40]  !!!  Error loading configuration /etc/opensnitchd/default-config.json: open /etc/opensnitchd/default-config.json: permission denied

objdump -h /usr/lib/opensnitchd/ebpf/opensnitch-dns.o

/usr/lib/opensnitchd/ebpf/opensnitch-dns.o:     file format elf64-bpfle

Sections:
Idx Name          Size      VMA               LMA               File off  Algn
  0 .text         00000000  0000000000000000  0000000000000000  00000040  2**2
                  CONTENTS, ALLOC, LOAD, READONLY, CODE
  1 uretprobe/gethostbyname 00008a10  0000000000000000  0000000000000000  00000040  2**3
                  CONTENTS, ALLOC, LOAD, RELOC, READONLY, CODE
  2 uprobe/getaddrinfo 000001d0  0000000000000000  0000000000000000  00008a50  2**3
                  CONTENTS, ALLOC, LOAD, RELOC, READONLY, CODE
  3 uretprobe/getaddrinfo 000040d0  0000000000000000  0000000000000000  00008c20  2**3
                  CONTENTS, ALLOC, LOAD, RELOC, READONLY, CODE
  4 maps/addrinfo_args_hash 00000118  0000000000000000  0000000000000000  0000ccf0  2**2
                  CONTENTS, ALLOC, LOAD, DATA
  5 maps/events   00000118  0000000000000000  0000000000000000  0000ce08  2**2
                  CONTENTS, ALLOC, LOAD, DATA
  6 license       00000004  0000000000000000  0000000000000000  0000cf20  2**0
                  CONTENTS, ALLOC, LOAD, DATA
  7 version       00000004  0000000000000000  0000000000000000  0000cf24  2**2
                  CONTENTS, ALLOC, LOAD, DATA
  8 .debug_loc    000078b0  0000000000000000  0000000000000000  0000cf28  2**0
                  CONTENTS, RELOC, READONLY, DEBUGGING, OCTETS
  9 .debug_abbrev 00000166  0000000000000000  0000000000000000  000147d8  2**0
                  CONTENTS, READONLY, DEBUGGING, OCTETS
 10 .debug_info   00000888  0000000000000000  0000000000000000  0001493e  2**0
                  CONTENTS, RELOC, READONLY, DEBUGGING, OCTETS
 11 .debug_ranges 000017c0  0000000000000000  0000000000000000  000151c6  2**0
                  CONTENTS, RELOC, READONLY, DEBUGGING, OCTETS
 12 .debug_str    0000053e  0000000000000000  0000000000000000  00016986  2**0
                  CONTENTS, READONLY, DEBUGGING, OCTETS
 13 .BTF          00000f27  0000000000000000  0000000000000000  00016ec4  2**0
                  CONTENTS, RELOC, READONLY
 14 .BTF.ext      0000ac50  0000000000000000  0000000000000000  00017deb  2**0
                  CONTENTS, RELOC, READONLY
 15 .eh_frame     00000070  0000000000000000  0000000000000000  00022a40  2**3
                  CONTENTS, ALLOC, LOAD, RELOC, READONLY, DATA
 16 .debug_line   00003d2b  0000000000000000  0000000000000000  00022ab0  2**0
                  CONTENTS, RELOC, READONLY, DEBUGGING, OCTETS

Appreciate any support!
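
For triaging the same symptom on other hosts, the following is an added example (not part of the original report and not OpenSnitch code) that scans opensnitchd output for the eBPF load attempts and the "unable to load eBPF module" warning quoted above. The function names and the report layout are assumptions of this example; the sample lines are constructed from the log in the report.

```python
import re

# SGR colour codes, with or without the ESC byte (copy/paste often drops ESC
# and leaves "[0m [97m [43m" residue, as in the log quoted in the report).
ANSI_SGR = re.compile(r"\x1b?\[\d{1,3}(?:;\d{1,3})*m")
TRY_LOAD = re.compile(r"\[eBPF\] trying to load (\S+)")
LOAD_FAIL = re.compile(
    r"unable to load eBPF module \(([^)]+)\)\. Your kernel version \(([^)]+)\)")
RESOLVED_ERR = "systemd-resolved monitor response error"


def clean(line):
    """Strip colour codes and collapse the whitespace they leave behind."""
    return " ".join(ANSI_SGR.sub("", line).split())


def triage(lines):
    """Summarise eBPF module load attempts and failures in opensnitchd output."""
    report = {"tried": {}, "failed": {}, "resolved_monitor_error": False}
    for raw in lines:
        line = clean(raw)
        if (m := TRY_LOAD.search(line)):
            path = m.group(1)
            module = path.rsplit("/", 1)[-1]
            paths = report["tried"].setdefault(module, [])
            if path not in paths:
                paths.append(path)
        if (m := LOAD_FAIL.search(line)):
            report["failed"][m.group(1)] = m.group(2)  # module -> kernel version
        if RESOLVED_ERR in line:
            report["resolved_monitor_error"] = True
    return report


# Constructed sample: lines from the report's log, one with real ESC bytes restored.
SAMPLE = [
    "[0m [2m [30m[100m DBG [0m [eBPF] trying to load /usr/local/lib/opensnitchd/ebpf/opensnitch-dns.o",
    "\x1b[2m\x1b[30m\x1b[100m DBG \x1b[0m [eBPF] trying to load /usr/lib/opensnitchd/ebpf/opensnitch-dns.o",
    "[0m [2m [30m[100m DBG [0m [DNS] systemd-resolved monitor response error: &{ [] [] false}",
    "[0m [2m [30m[100m DBG [0m [eBPF] trying to load /etc/opensnitchd/opensnitch-dns.o",
    "[0m [97m [43m WAR [0m [eBPF DNS]: unable to load eBPF module (opensnitch-dns.o). "
    "Your kernel version (6.14.5-300.fc42.x86_64) might not be compatible.",
]

if __name__ == "__main__":
    r = triage(SAMPLE)
    for module, kernel in r["failed"].items():
        print(f"{module}: load failed on kernel {kernel}; tried {r['tried'].get(module, [])}")
```

A module listed under `failed` whose candidate paths all appear under `tried` means every search location was attempted before the daemon gave up.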
