Incorrect popups

[Pheidologeton]

Please, check the FAQ and Known Problems pages before creating the bug report:
https://github.com/evilsocket/opensnitch/wiki/FAQs
https://github.com/evilsocket/opensnitch/wiki/Known-problems

Describe the bug
A process added to the whitelist still triggers in some cases. In this case, it is snowflake-pt-client, which is necessary for tor to work. According to the rule, it is allowed access to the network. But after some time, these popups appear. When I try to allow it, it just appears again.

Include the following information:

• OpenSnitch version. (Latest git)
• OS: (Arch linux)
• Version (Latest)
• Window Manager: (KDE)
• Kernel version: (Linux 5.18.9-262-tkg-cfs-llvm TKG SMP PREEMPT_DYNAMIC Sun, 03 Jul 2022 13:03:04 +0000 x86_64 GNU/Linux)

To Reproduce
Describe in detail as much as you can what happened.
This error occurs randomly and not with all processes

Steps to reproduce the behavior:

1. Wait some time

Post error logs:

• Post last 15 lines of the log file /var/log/opensnitchd.log

^[[2m[2022-07-06 15:16:41]^[[0m ^[[97m^[[41m ERR ^[[0m Invalid rule received, applying default action
^[[2m[2022-07-06 15:22:49]^[[0m ^[[97m^[[43m WAR ^[[0m Error while asking for rule: rpc error: code = DeadlineExceeded desc = Deadline Exceeded -  (1445948) -> 127.0.0.1:46333 (proto:tcp uid:43)
^[[2m[2022-07-06 15:22:49]^[[0m ^[[97m^[[41m ERR ^[[0m Invalid rule received, applying default action
^[[2m[2022-07-06 15:37:25]^[[0m ^[[97m^[[43m WAR ^[[0m Error while asking for rule: rpc error: code = DeadlineExceeded desc = Deadline Exceeded -  (1445948) -> 127.0.0.1:46333 (proto:tcp uid:43)
^[[2m[2022-07-06 15:37:25]^[[0m ^[[97m^[[41m ERR ^[[0m Invalid rule received, applying default action
^[[2m[2022-07-06 15:55:38]^[[0m ^[[97m^[[43m WAR ^[[0m Error while asking for rule: rpc error: code = DeadlineExceeded desc = Deadline Exceeded -  (1445948) -> 127.0.0.1:46333 (proto:tcp uid:43)
^[[2m[2022-07-06 15:55:38]^[[0m ^[[97m^[[41m ERR ^[[0m Invalid rule received, applying default action
^[[2m[2022-07-06 16:43:09]^[[0m ^[[97m^[[43m WAR ^[[0m Error while asking for rule: rpc error: code = DeadlineExceeded desc = Deadline Exceeded -  (1445948) -> 127.0.0.1:46333 (proto:tcp uid:43)
^[[2m[2022-07-06 16:43:09]^[[0m ^[[97m^[[41m ERR ^[[0m Invalid rule received, applying default action
^[[2m[2022-07-06 17:07:40]^[[0m ^[[97m^[[43m WAR ^[[0m Error while asking for rule: rpc error: code = DeadlineExceeded desc = Deadline Exceeded -  (1445948) -> 127.0.0.1:46333 (proto:tcp uid:43)
^[[2m[2022-07-06 17:07:40]^[[0m ^[[97m^[[41m ERR ^[[0m Invalid rule received, applying default action
^[[2m[2022-07-06 17:22:08]^[[0m ^[[97m^[[43m WAR ^[[0m Error while asking for rule: rpc error: code = DeadlineExceeded desc = Deadline Exceeded -  (1445948) -> 127.0.0.1:46333 (proto:tcp uid:43)
^[[2m[2022-07-06 17:22:08]^[[0m ^[[97m^[[41m ERR ^[[0m Invalid rule received, applying default action
^[[2m[2022-07-06 17:24:51]^[[0m ^[[97m^[[43m WAR ^[[0m Error while asking for rule: rpc error: code = DeadlineExceeded desc = context deadline exceeded -  (1445948) -> 127.0.0.1:46333 (proto:tcp uid:43)
^[[2m[2022-07-06 17:24:51]^[[0m ^[[97m^[[41m ERR ^[[0m Invalid rule received, applying default action
^[[2m[2022-07-06 17:26:05]^[[0m ^[[97m^[[104m IMP ^[[0m Added new rule: ^[[31mdeny^[[0m if ^[[1mprocess.command^[[0m is '^[[33m/usr/bin/tor -f /etc/tor/torrc^[[0m'
^[[2m[2022-07-06 17:26:27]^[[0m ^[[97m^[[43m WAR ^[[0m Error while asking for rule: rpc error: code = Internal desc = Failed to serialize response! -  (1445964) -> stun.uls.co.za:53 (proto:udp uid:43)
^[[2m[2022-07-06 17:26:27]^[[0m ^[[97m^[[41m ERR ^[[0m Invalid rule received, applying default action
^[[2m[2022-07-06 17:28:29]^[[0m ^[[97m^[[43m WAR ^[[0m Error while asking for rule: rpc error: code = DeadlineExceeded desc = Deadline Exceeded -  (1445964) -> stun.uls.co.za:53 (proto:udp uid:43)
^[[2m[2022-07-06 17:28:29]^[[0m ^[[97m^[[41m ERR ^[[0m Invalid rule received, applying default action
^[[2m[2022-07-06 17:29:45]^[[0m ^[[97m^[[43m WAR ^[[0m Error while asking for rule: rpc error: code = Internal desc = Failed to serialize response! -  (1445964) -> stun.stunprotocol.org:53 (proto:udp uid:43)
^[[2m[2022-07-06 17:29:45]^[[0m ^[[97m^[[41m ERR ^[[0m Invalid rule received, applying default action
^[[2m[2022-07-06 17:29:57]^[[0m ^[[97m^[[43m WAR ^[[0m Error while asking for rule: rpc error: code = Internal desc = Failed to serialize response! -  (1445964) -> cdn.sstatic.net:53 (proto:udp uid:43)
^[[2m[2022-07-06 17:29:57]^[[0m ^[[97m^[[41m ERR ^[[0m Invalid rule received, applying default action
^[[2m[2022-07-06 17:30:02]^[[0m ^[[97m^[[43m WAR ^[[0m Error while asking for rule: rpc error: code = Internal desc = Failed to serialize response! -  (1445964) -> stun.stunprotocol.org:53 (proto:udp uid:43)
^[[2m[2022-07-06 17:30:02]^[[0m ^[[97m^[[41m ERR ^[[0m Invalid rule received, applying default action
^[[2m[2022-07-06 17:30:52]^[[0m ^[[97m^[[43m WAR ^[[0m Error while asking for rule: rpc error: code = Internal desc = Failed to serialize response! -  (1445964) -> stun.sonetel.com:53 (proto:udp uid:43)
^[[2m[2022-07-06 17:30:52]^[[0m ^[[97m^[[41m ERR ^[[0m Invalid rule received, applying default action
^[[2m[2022-07-06 17:31:15]^[[0m ^[[97m^[[43m WAR ^[[0m Error while asking for rule: rpc error: code = Internal desc = Failed to serialize response! -  (1445964) -> stun.stunprotocol.org:53 (proto:udp uid:43)
^[[2m[2022-07-06 17:31:15]^[[0m ^[[97m^[[41m ERR ^[[0m Invalid rule received, applying default action

Expected behavior (optional)
Processes added to the whitelist are not triggering

Screenshots

Additional context
Add any other context about the problem here.

[gustavo-iniguez-goya]

hi @Pheidologeton , you need to regenerate the protobuffer, there has been a change recently that requires it:

~ $ git clone https:..../opensnitch
~ $ cd opensnitch
opensnitch $ make protocol
opensnitch $ cd ui
opensnitch/ui $ sed -i 's/^import ui_pb2/from . import ui_pb2/' opensnitch/ui_pb2*
opensnitch/ui $ sudo cp opensnitch/ui_pb2* /usr/lib/python3/dist-packages/opensnitch/

[gustavo-iniguez-goya]

Closing as regenerating the protobuffer should fix this problem. If it still fails drop a comment to further analyze it.

[pizzadude]

@gustavo-iniguez-goya I have the same problem with the opensnitch git version. Your instructions above didn't solve the issue, unfortunately. I had to compile the ebpf programs against linux kernel 5.18.9 because compiling them against 5.8 now results in an error. In latest opensnitch git version, Almost every program that tries to connect to the internet keeps popping up requests and If I allow them it won't work unless I allow the "command line" instead of the executable.

I had to revert to the Opensnitch stable RPMs for now.

[gustavo-iniguez-goya]

@pizzadude could you post the error compiling the modules?

Does the module opensnitch-procs load correctly? take a look a the logs please, there should be an error if it failed.

Also be sure that you don't have the above errors "Invalid rule received, applying default action".

[Pheidologeton]

Simply rebuilding the program and the ebpf module from scratch did not solve the problem, nor did the method described above.

[gustavo-iniguez-goya]

ok, I think I've reproduced it. I'll investigate it further.

Sorry. Latest git code works fine for me. I just cloned the repo -> make protocol -> compile daemon -> copy ui/opensnitch/ui* files to the GUI installation direcory -> compile eBPF modules.

Let's see if we can figure out what's going on:

• Be sure that your protobuf files are up to date following the steps described above: Additionally upload to this issue the files opensnitch/daemon/ui/protocol/ui* and opensnitch/ui/opensnitch/ui* so I can verify if they're ok.
• Verify that the opensnitch-proc module is loaded -> there should be an entry "execve" in /sys/kernel/debug/tracing/kprobe_events
  • If the module fails loading, there should be an error in /var/log/opensnitchd.log
  • Eitherway, even if this module is not loaded the app should work without error.

[Pheidologeton]

I would also like to add. Some programs are recognized and rules are created correctly. Others have an unknown executable and an error.

[pizzadude]

I noticed this in the logs.

[2022-07-07 11:23:34]  IMP  Start writing logs to /var/log/opensnitchd.log
[2022-07-07 11:23:35]  ERR  Error parsing firewall configuration /etc/opensnitchd/system-fw.json: json: cannot unmarshal string into Go struct field FwRule.SystemRules.Rule.Position of type uint64
[2022-07-07 11:23:38]  ERR  GetInfo() path can't be read

[pizzadude]

Also, this is the output of /sys/kernel/debug/tracing/kprobe_events

r10:kprobes/rtcp_v6_connect tcp_v6_connect
p:kprobes/pudp_sendmsg udp_sendmsg
p:kprobes/pudpv6_sendmsg udpv6_sendmsg
p:kprobes/piptunnel_xmit iptunnel_xmit
p:kprobes/ptcp_v4_connect tcp_v4_connect
r10:kprobes/rtcp_v4_connect tcp_v4_connect
p:kprobes/ptcp_v6_connect tcp_v6_connect
p:kprobes/p__x64_sys_execve __x64_sys_execve

This is /var/log/opensnitchd.log

[2022-07-07 17:01:03]  IMP  Start writing logs to /var/log/opensnitchd.log
[2022-07-07 17:01:04]  ERR  Error parsing firewall configuration /etc/opensnitchd/system-fw.json: json: cannot unmarshal string into Go struct field FwRule.SystemRules.Rule.Position of type uint64
[2022-07-07 17:01:05]  ERR  GetInfo() path can't be read
[2022-07-07 17:02:41]  WAR  Error while asking for rule: rpc error: code = Internal desc = Failed to serialize response! -  (48951) -> www.youtube.com:443 (proto:tcp uid:1000)
[2022-07-07 17:02:41]  ERR  Invalid rule received, applying default action
[2022-07-07 17:02:56]  WAR  Error while asking for rule: rpc error: code = Internal desc = Failed to serialize response! -  (48951) -> www.youtube.com:443 (proto:tcp uid:1000)
[2022-07-07 17:02:56]  ERR  Invalid rule received, applying default action
[2022-07-07 17:03:13]  WAR  Error while asking for rule: rpc error: code = Internal desc = Failed to serialize response! -  (48951) -> www.youtube.com:443 (proto:tcp uid:1000)
[2022-07-07 17:03:13]  ERR  Invalid rule received, applying default action
[2022-07-07 17:03:37]  WAR  Error while asking for rule: rpc error: code = Internal desc = Failed to serialize response! -  (48951) -> www.youtube.com:443 (proto:tcp uid:1000)
[2022-07-07 17:03:37]  ERR  Invalid rule received, applying default action
[2022-07-07 17:04:32]  IMP  Rule deleted allow-always-simple-home-pizzadude-net-downloadhelper-coapp-bin-net-downloadhelper-coapp-linux-64.json
[2022-07-07 17:04:49]  WAR  Error while asking for rule: rpc error: code = Internal desc = Failed to serialize response! -  (48951) -> www.youtube.com:443 (proto:tcp uid:1000)
[2022-07-07 17:04:49]  ERR  Invalid rule received, applying default action
[2022-07-07 17:05:11]  WAR  Error while asking for rule: rpc error: code = Internal desc = Failed to serialize response! -  (48951) -> www.youtube.com:443 (proto:tcp uid:1000)
[2022-07-07 17:05:11]  ERR  Invalid rule received, applying default action
[2022-07-07 17:05:27]  WAR  Error while asking for rule: rpc error: code = Internal desc = Failed to serialize response! -  (48951) -> www.youtube.com:443 (proto:tcp uid:1000)
[2022-07-07 17:05:27]  ERR  Invalid rule received, applying default action
[2022-07-07 17:05:46]  WAR  Error while asking for rule: rpc error: code = Internal desc = Failed to serialize response! -  (48951) -> www.youtube.com:443 (proto:tcp uid:1000)
[2022-07-07 17:05:46]  ERR  Invalid rule received, applying default action

These are the popups I get

Clicking "allow" does nothing.

@gustavo-iniguez-goya

[pizzadude]

Also, the above errors is with the EBPF programs compiled with Linux 5.18 sources. If I try to compile with 5.8 (like the instructions said), I get this error:

cd linux-5.8 && yes "" | make oldconfig && make prepare && make headers_install

In file included from help.c:12:
In function ‘xrealloc’,
    inlined from ‘add_cmdname’ at help.c:24:2:
subcmd-util.h:56:23: error: pointer may be used after ‘realloc’ [-Werror=use-after-free]
   56 |                 ret = realloc(ptr, size);
      |                       ^~~~~~~~~~~~~~~~~~
subcmd-util.h:52:21: note: call to ‘realloc’ here
   52 |         void *ret = realloc(ptr, size);
      |                     ^~~~~~~~~~~~~~~~~~
subcmd-util.h:58:31: error: pointer may be used after ‘realloc’ [-Werror=use-after-free]
   58 |                         ret = realloc(ptr, 1);
      |                               ^~~~~~~~~~~~~~~
subcmd-util.h:52:21: note: call to ‘realloc’ here
   52 |         void *ret = realloc(ptr, size);
      |                     ^~~~~~~~~~~~~~~~~~
cc1: all warnings being treated as errors
mv: cannot stat '/media/1TB/storage/src/opensnitch/linux-5.8/tools/objtool/.help.o.tmp': No such file or directory
make[4]: *** [/media/1TB/storage/src/opensnitch/linux-5.8/tools/build/Makefile.build:97: /media/1TB/storage/src/opensnitch/linux-5.8/tools/objtool/help.o] Error 1
make[3]: *** [Makefile:59: /media/1TB/storage/src/opensnitch/linux-5.8/tools/objtool/libsubcmd-in.o] Error 2
make[2]: *** [Makefile:71: /media/1TB/storage/src/opensnitch/linux-5.8/tools/objtool/libsubcmd.a] Error 2
make[1]: *** [Makefile:68: objtool] Error 2
make: *** [Makefile:1858: tools/objtool] Error 2

This is on Fedora 36.

[pizzadude]

As a test, I compiled the opensnitch EBPF programs against Linux kernel 5.8 in an ubuntu 20.04 podman/docker container using distrobox. Then I copied the EBPF .o files into /etc/opensnitchd. Same issue.

[gustavo-iniguez-goya]

thank you @pizzadude !

The real problem here is the error deserializing the rule. That's usually cause by differences between the GUI and daemon's protobuffer.

My recommendation is to delete the files /usr/lib/python3/dist-packages/opensnitch/ui_pb*.
Generate protobuffers as described here and recompile the daemon.

I assume that your GUI files under /usr/lib/python3/dist-packages/opensnitch/ are the latest from git. Otherwise you'll need also to update them.

The generated files, opensnitch/daemon/ui/protocol/ui* and opensnitch/ui/opensnitch/ui_pb*, should have references to the latest field added nolog:

$ grep nolog opensnitch/ui/opensnitch/ui_pb2*
opensnitch/ui/opensnitch/ui_pb2.py:      name='nolog', full_name='protocol.Rule.nolog', index=4,
$ grep -i nolog opensnitch/daemon/ui/protocol/ui.pb.go 
	Nolog                bool      `protobuf:"varint,5,opt,name=nolog,proto3" json:"nolog,omitempty"`
func (m *Rule) GetNolog() bool {
		return m.Nolog

Shall I generate new rpms to test?

[gustavo-iniguez-goya]

Regarding the new module: move it out from the /etc/opensnitchd/ directory , to your home for example.
Restart the daemon and see if the deserializing errors keep appearing.

[pizzadude]

I did both of those things multiple times, still same problem.

Here is my generated ui_pb2.py if that helps.

ui_pb2.zip

[gustavo-iniguez-goya]

Thank you @pizzadude , something is wrong with your protobuf file, there's a lot of code missing:

Could you replace these files with yours? ui_pb2-694.zip

What grpcio-tools do you have installed btw? $ pip3 show grpcio-tools

[pizzadude]

pip3 show grpcio-tools                                                                                                    
Name: grpcio-tools
Version: 1.47.0
Summary: Protobuf code generator for gRPC
Home-page: https://grpc.io
Author: The gRPC Authors
Author-email: grpc-io@googlegroups.com
License: Apache License 2.0
Location: /home/pizzadude/.local/lib/python3.10/site-packages
Requires: grpcio, protobuf, setuptools
Required-by: 

I will try replacing the file and report back.

[pizzadude]

I tried downgrading grpcio and grpcio-tools to both versions 1.40.0 and 1.42.0, rebuilding twice, and it didn't solve the issue.

I tried replacing the files with the ones you attached and it didn't solve it either.

:(

[gustavo-iniguez-goya]

ok , I'll build new packages against latest sources. On the other hand, I just upgraded an old v1.5.0 installation on Arch to latest sources and works fine, so I think it must be something related with the protobuffers.

Anyway, check also that the running opensnitchd binary (pgrep -a opensnitchd) is using latest protobuf definitions:

$ pgrep -a opensnitchd
12345 /usr/bin/opensnitchd -rules-path /etc/opensnitchd/rules
$ strings /usr/bin/opensnitchd | grep -i nolog
(...)
github.com/evilsocket/opensnitch/daemon/ui/protocol.(*Rule).GetNolog
Nolog@protobuf:"varint,5,opt,name=nolog,proto3" json:"nolog,omitempty"
(...)

And see if the pop-ups works as expected with the protobuf I posted with new rules (like ping github.com, and see if the rule is created and applied), or if it fails with any application or one application in particular (like the one you posted, net.downloaded.coapp). I'll download also that app to see if I can reproduce it with it.

[pizzadude]

strings opensnitchd | grep -i nolog                                                                             master  
GetNolog
Nolog
json:"nolog"
Nolog@protobuf:"varint,5,opt,name=nolog,proto3" json:"nolog,omitempty"
os.openFileNolog
os.statNolog
os.statNolog.func1
os.lstatNolog
os.lstatNolog.func1
github.com/evilsocket/opensnitch/daemon/ui/protocol.(*Rule).GetNolog
nolog
nolog
os.openFileNolog
os.statNolog
os.lstatNolog
github.com/evilsocket/opensnitch/daemon/ui/protocol.(*Rule).GetNolog

One program it always fails with is aria2c when downloading a video with yt-dlp.
yt-dlp --downloader aria2c -f "bestvideo[height<=?720][fps<=?30][vcodec!=?vp9]+bestaudio/best" 'https://www.youtube.com/watch?v=dWe7X88Vbys'

[gustavo-iniguez-goya]

ok @pizzadude , I've tested the procs module on opensuse 15, kernel 5.9, and it's not getting the path of the processes, so that can lead to these errors.

Could you replace this opensnitch-procs.o with yours, stop the daemon, and launch the daemon of the zip as:
# ./opensnitchd -rules-path /etc/opensnitchd/rules/

694.zip

You should see traces in the log like: IMP ::: EXEC EVENT -> READ_CMD_LINE ppid: 0, pid: 3542, /usr/bin/tail
Post some log lines like this one to see if it's getting the path correctly.

[pizzadude]

[2022-07-08 10:48:51]  IMP  Ruleset changed due to allow-always-simple-homepizzadudenpm-packagesbinaria2c.json, reloading ...
[2022-07-08 10:48:51]  IMP  Saved new rule: allow if process.path is '/home/pizzadude/.npm-packages/bin/aria2c'

[2022-07-08 10:46:25]  IMP  Saved new rule: allow if process.path is '/home/pizzadude/.local/bin/aria2c'
[2022-07-08 10:46:25]  IMP  Ruleset changed due to allow-always-simple-homepizzadudelocalbinaria2c.json, reloading ...

Weird... Those aren't the actual paths of aria2c. The actual path is /usr/bin/aria2c.

Regardless, the download worked when I allowed it...but the path is wrong?

It did get some other paths correctly:

[2022-07-08 10:48:32]  IMP  ::: EXEC EVENT -> READ_CMD_LINE ppid: 0, pid: 286972, /usr/bin/nmcli
[2022-07-08 10:48:32]  IMP  ::: EXEC EVENT -> READ_CMD_LINE ppid: 0, pid: 286973, /usr/bin/grep
[2022-07-08 10:48:33]  IMP  ::: EXEC EVENT -> READ_CMD_LINE ppid: 0, pid: 286978, /home/pizzadude/.local/bin/yt-dlp

[gustavo-iniguez-goya]

good news then!

Yes, I expect that kind of behaviour. There'll be some rules that you'll have to update.

Without this module we were not able to detect connections initiated by short-lived processes like fwknop, it's more accurate now.

Anyway, I'll also check if the path is empty, to avoid these errors.

[gustavo-iniguez-goya]

I've pushed a change to solve these issues. @pizzadude could you compile the daemon + modules against latest sources?

[pizzadude]

I compiled the ebpf modules against kernel 5.18 (and I downgraded grpcio and grpcio-tools to version 1.42.0 via pip or else I get an incorrect "ui_pb2.py")...

Latest git, so far so good! Thank you for the help. :)

^That process path is incorrect, but it still works.

[pizzadude]

Unfortunately I spoke too soon... Every electron application is detected as /proc/self/exe

[gustavo-iniguez-goya]

yeah, sorry. I added a workaround for that problem but I removed it on the last commit. Readded now.

What should be the correct path of that npm package? What was the path reported before these changes?

[pizzadude]

The correct path is /usr/bin/aria2c, it's not actually an npm package, idk why it picks it up as one.

[gustavo-iniguez-goya]

but does that path exist? ~/.npm-packages/bin/aria2c . See if any of both is a symlink: ls -l ~/.npm-packages/bin/aria2c /usr/bin/aria2c

[pizzadude]

Nope, there is no file at ~/.npm-packages/bin/aria2c or ~/.local/bin/aria2c. Only /usr/bin/aria2c. And it's a program written in C++.

BTW the /proc/self/exe fix seems to work.

[gustavo-iniguez-goya]

great! please, if you see more quirks report them because it's really useful, thank you very much!

sorry if I already asked this, but is the aria2c binary launched by another app? or do you launch it directly? Would be interesting to strace it if it's launched by another app.

[pizzadude]

It is launched by another app, yt-dlp (youtube downloader). When run manually it seems to have the correct path.

[gustavo-iniguez-goya]

despite all new quirks, as far as I can tell now:

• we're able to intercept short-lived processes.
• we're more performant. I don't now in your case but on my system the difference is noticeable even if we use 1% CPU more.
• I don't see connections falling back to reading /proc/net/*, which means less I/O ops and less procs discovery times. (this in particular is not strictly related to the procs module)

Of course this is in its infancy and there's plenty of room for improvements. We'll see how it works out on others environments.

@Pheidologeton how about you? did you compile latest sources?

[Pheidologeton]

I built opensnitch and ebpf module. So far everything is working fine. I will be testing more. opensnitchd uses 0.025-0.05% CPU. I have hundreds of connections per second. If there are any problems I will contact you.

[gustavo-iniguez-goya]

thank you @Pheidologeton :)

[gustavo-iniguez-goya]

time to break master branch again! sorry, just kidding. I've added the ability to get cmdline arguments directly from kernel.
That way we don't need to read /proc//cmdline. It has its caveats though, but overall I think that is a good improvement.

Tested on kernels 5.18, 5.13, 5.11, 5.10, 5.9 and 5.6.6. But please, if you can test it and report any problem it'd very useful.

Thank you!

[pizzadude]

I did some light testing and the latest changes seem to work ok so far.