Many issues during development [develop branch]
Pre-Submit Checklist:
- Check applicable sources for existing issues:
What happened:
I'd made quite a lot of code modifications to the develop branch. Builds succeeded. But the internal code and the docs don't really correlate at times. It mentions like 817 is the listen port for UI, but the code I have seems to use 717. Also the listening IP mentioned in code is like 127.0.0.17, ports 717-ui/53-dns. So sometimes I feel confused how to deal with these, as I have the config.json to be updated like:
```json
"core": {
  "automaticIntelUpdates": false,
  "automaticUpdates": false,
  "devMode": true,
  "enableProcessDetection": true,
  "expertiseLevel": "developer",
  "listenAddress": "127.0.0.17:717",
  "log": {
    "level": "error"
  }
  ...
},
"dns": {
  "listenAddress": "127.0.0.17:53",
  ...
```
Also facing errors like :
Unexpected Logs:
http://127.0.0.17:717/api/v1/debug/core
2025-10-05 20:05:50.265 ERR ess/module:032 ▶ 005 process: failed to get path of ui: file not found
251005 20:47:51.886 CURRENT TIME
but I never really modified anything in ./service/process/module.go:

```go
func (pm *ProcessModule) Start() error {
	identifier := "portmaster"
	if runtime.GOOS == "windows" {
		identifier += ".exe"
	}
	file, err := pm.instance.BinaryUpdates().GetFile(identifier)
	if err != nil {
		log.Errorf("process: failed to get path of ui: %s", err)
	} else {
		pm.portmasterUIPath = file.Path()
	}
	return nil
}
```
so I suppose this seems to check the /var/lib/portmaster/intel/index.json which doesn't have the expected file portmaster. But instead the expected updates seem to be in /var/lib/portmaster/download_binaries/index.json
This has caused a serious headache such that I'm forced to keep updates to my UI or whatever even to simply really view my backend golang based changes take effect.
Why can't Portmaster come up with a proper local structure which the services when run can fall back on and run fine, even if updates aren't actively pulled? Should some user need to understand lots of the codebase portions to really see their changes take effect? I mean it has sha based code verification and all. I just feel confused how to make this UI work, after significant changes to backend. Though builds succeed, finally anyway I'm just unable to notice those changes from using the UI.
I'm also yet to investigate why this shows like: Worker Status: 1/49 (2?):
only 1 of those workers seems to be running. Earlier during several modified builds I was able to notice the UI rendered fine, but during those times the listen addresses in config.json were 127.0.0.1:817/53. Though still the earlier codebase also had only 127.0.0.17 as the IPv4 listen address.
Also even though I noticed some fixes related to wireguard for some fwmarks earlier in some commits, still there are some serious issues which make this tool unable to allow other tools to properly co-exist in parallel by preserving either of the halves of the fwmarks in 32-bit, so that other tools or programs can use those for handling packets seamlessly.
Until this build I'd already created close to 10 to 15 builds, and all successful. I was even able to view my changes take effect on UI. But I'd never really changed my listen IP/ports. Ideally the code must've been made such that it takes the configured IPs/ports to override the existing config and render the UI, which I assumed until the recent build. But when I noticed the fwmarks changes, it mostly has hardcoded IPv4 addresses in iptables/nftables rulesets. Post which I tried changing my config.json to 127.0.0.17 which was earlier 127.0.0.1. But as I'd made a lot of builds, I'd made the /usr/lib/portmaster/{portmaster,portmaster-core} as symlinks earlier such that I could simply plug in the newly built binaries as and when I make changes. But sometimes my UI got affected due to this method. Only after yesterday's build I'm facing UI disruption/issues. Codebase is too vast to familiarize myself with multiple portions.
What did you expect to happen?:
As I'd made quite a lot of changes, I'm forced to not enable automatic updates which might override my changes. So what's the best approach or fix for this to get this up and running ASAP?
How did you reproduce it?:
Debug Information:
OS - Linux [custom built kernel - 6.17 ].
Hi.
The Portmaster API (and UI) uses the local TCP port 817 — there were no changes here.
The address 127.0.0.17:717 is used for SPN, so please avoid configuring it as the API listen address.
TCP/UDP 127.0.0.17:53 is the default listener for the Portmaster internal DNS resolver.
Portmaster v2 binaries are located in the folder /usr/lib/portmaster (including index.json), while data files are stored in /var/lib/portmaster. Note: this structure differs from Portmaster v1.
Please note: Git branch names have changed:
- the Portmaster v1 branches `master` and `develop` are now named `v1-legacy` and `v1-legacy-develop`.
- the Portmaster v2 code is now in the `main` and `development` branches.
The v2 source code contains multiple changes (compared to v1), especially related to the UI and the update system. I suppose you have been using the v1 sources — merging your local v1 changes into the v2 branch may not be a straightforward task.
I'm using the latest v2 [develop branch]. But I'm missing that /usr/lib/portmaster/index.json. The following seems to be the debug output:
```
2025-10-08 00:02:46.925 BOF ▶
2025-10-08 00:02:46.925 running Portmaster dev build (linux/amd64; built with go1.24.7 [gc -cgo] from unknown [dirty] at unknown)
2025-10-08 00:02:46.971 ERR tes/module:220 ▶ 001 updates/Portmaster Binaries: invalid index file, falling back to dir scan: verify: signature 1 invalid: failed to verify signature (Ed25519) with ID c0df4db0-86e1-48f6-93f3-d1b8ed9963ae: signature invalid
2025-10-08 00:02:49.335 ERR /ui/module:029 ▶ 003 ui: process step1.1 New method
2025-10-08 00:02:49.335 ERR /ui/module:031 ▶ 005 ui: process step1.2 New method
2025-10-08 00:02:49.335 ERR /ui/module:038 ▶ 007 ui: process step1.3 New method
2025-10-08 00:02:49.335 ERR /ui/module:043 ▶ 009 ui: process step1.4 New method
2025-10-08 00:02:49.336 ERR /ui/module:047 ▶ 011 ui: process step1.5 New method
2025-10-08 00:02:49.346 DBG y/database:277 ▶ 013 creating table schema for database "main"
2025-10-08 00:02:49.351 DBG y/database:277 ▶ 014 creating table schema for database "history"
2025-10-08 00:02:49.381 DBG mgr/group.go:136 starting manager=Base
2025-10-08 00:02:49.382 INF mgr/group.go:155 started manager=Base time=24.842µs
2025-10-08 00:02:49.382 DBG mgr/group.go:136 starting manager=Rng
2025-10-08 00:02:49.387 INF mgr/group.go:155 started manager=Rng time=5.000852ms
2025-10-08 00:02:49.387 DBG mgr/group.go:136 starting manager=DBModule
2025-10-08 00:02:49.387 INF mgr/group.go:155 started manager=DBModule time=81.674µs
2025-10-08 00:02:49.387 DBG mgr/group.go:136 starting manager=Config
2025-10-08 00:02:49.399 INF mgr/group.go:155 started manager=Config time=11.344862ms
2025-10-08 00:02:49.399 DBG mgr/group.go:136 starting manager=API
2025-10-08 00:02:49.399 INF mgr/group.go:155 started manager=API time=198.513µs
2025-10-08 00:02:49.399 DBG mgr/group.go:136 starting manager=Metrics
2025-10-08 00:02:49.401 INF mgr/group.go:155 started manager=Metrics time=1.592249ms
2025-10-08 00:02:49.402 DBG mgr/group.go:136 starting manager=Runtime
2025-10-08 00:02:49.399 DBG entication:357 ▶ 015 api: importing possibly updated API keys from config
2025-10-08 00:02:49.400 INF api/router:088 ▶ 016 api: starting to listen on 127.0.0.1:817
2025-10-08 00:02:49.403 INF mgr/group.go:155 started manager=Runtime time=50.893µs
2025-10-08 00:02:49.403 DBG mgr/group.go:136 starting manager=Notifications
2025-10-08 00:02:49.403 INF mgr/group.go:155 started manager=Notifications time=53.709µs
2025-10-08 00:02:49.404 DBG mgr/group.go:136 starting manager=Core
2025-10-08 00:02:49.417 INF mgr/group.go:155 started manager=Core time=13.106206ms
2025-10-08 00:02:49.417 DBG mgr/group.go:136 starting manager="Binary Updater"
2025-10-08 00:02:49.417 INF mgr/group.go:155 started manager="Binary Updater" time=25.104µs
2025-10-08 00:02:49.417 DBG mgr/group.go:136 starting manager="Intel Updater"
2025-10-08 00:02:49.417 INF mgr/group.go:155 started manager="Intel Updater" time=16.348µs
2025-10-08 00:02:49.417 DBG mgr/group.go:136 starting manager=OSIntegration
2025-10-08 00:02:49.417 INF mgr/group.go:155 started manager=OSIntegration time=11.135µs
2025-10-08 00:02:49.417 DBG mgr/group.go:136 starting manager=geoip
2025-10-08 00:02:49.417 INF mgr/group.go:155 started manager=geoip time=10.033µs
2025-10-08 00:02:49.417 DBG mgr/group.go:136 starting manager=NetEnv
2025-10-08 00:02:49.417 INF mgr/group.go:155 started manager=NetEnv time=41.355µs
2025-10-08 00:02:49.418 DBG mgr/group.go:136 starting manager=ProcessModule
2025-10-08 00:02:49.418 DBG tes/module:635 ▶ 017 Artifact : u.cfg.Directory - /usr/lib/portmaster ; expected name - portmaster
2025-10-08 00:02:49.418 ERR ess/module:032 ▶ 018 process: failed to get path of ui: file not found
```
I added debug stmts in:

```go
// GetFile returns the path of a file given the name. Returns ErrNotFound if file is not found.
func (u *Updater) GetFile(name string) (*Artifact, error) {
	u.indexLock.Lock()
	defer u.indexLock.Unlock()
	log.Debugf("Artifact : u.cfg.Directory - %s ; expected name - %s ", u.cfg.Directory, name)
	// Check if any index is active.
	if u.index == nil {
		return nil, ErrNotFound
	}
	for _, artifact := range u.index.Artifacts {
		log.Debugf("Artifact : u.cfg.Directory - %s ; artifact.Filename - %s ; artifact.Platform - %s ", u.cfg.Directory, artifact.Filename, artifact.Platform)
		switch {
		case artifact.Filename != name:
			// Name does not match.
		case artifact.Platform != "" && artifact.Platform != u.cfg.Platform:
			// Platform is defined and does not match.
			// Platforms are usually pre-filtered, but just to be sure.
		default:
			// Artifact matches!
			return artifact.export(u.cfg.Directory, u.index.versionNum), nil
		}
	}
	return nil, ErrNotFound
}
```

```go
// New returns a new UI module.
func New(instance instance) (*UI, error) {
	log.Errorf("ui: process step1.1 New method")
	m := mgr.New("UI")
	log.Errorf("ui: process step1.2 New method")
	ui := &UI{
		mgr:      m,
		instance: instance,
		archives: make(map[string]*zipfs.FileSystem),
	}
	log.Errorf("ui: process step1.3 New method")
	if err := ui.registerAPIEndpoints(); err != nil {
		return nil, err
	}
	log.Errorf("ui: process step1.4 New method")
	if err := ui.registerRoutes(); err != nil {
		return nil, err
	}
	log.Errorf("ui: process step1.5 New method")
	return ui, nil
}
```
I suppose it's unable to find that index.json. But I later tried manually adding the following index.json in /usr/lib/portmaster/index.json:
```json
{
  "Name": "Portmaster Binaries",
  "Version": "2.0.25",
  "Published": "2025-10-07T11:50:00.856184125+03:00",
  "Artifacts": [
    {
      "Filename": "WebView2Loader.dll",
      "SHA256": "609c974a8cdd6a76a745b3d81b62f321d79f2dc8f4929e1eea8469d9d78baf79",
      "URLs": ["https://updates.safing.io/windows_amd64/app2/WebView2Loader_v2-0-25.dll"],
      "Platform": "windows_amd64"
    },
    {
      "Filename": "assets.zip",
      "SHA256": "ddd23c929272df9f44c28e3d087d662d24e34b0b9a4ddc0f28fed716b677e2eb",
      "URLs": ["https://updates.safing.io/all/ui/modules/assets_v0-3-6.zip"],
      "Version": "0.3.6"
    },
    {
      "Filename": "portmaster",
      "SHA256": "09c2e6858a6373f9943d6ee5d84dc5229937f1a16a96b4571639d98ba4508ed4",
      "URLs": ["https://updates.safing.io/linux_amd64/app2/portmaster_v2-0-25"],
      "Platform": "linux_amd64"
    },
    {
      "Filename": "portmaster-core",
      "SHA256": "94364921f074ed317c5cb4d2a8e0861668ac6fb34998207b7b0b1175c41f0c44",
      "URLs": ["https://updates.safing.io/linux_amd64/core/portmaster-core_v2-0-25"],
      "Platform": "linux_amd64"
    },
    {
      "Filename": "portmaster-core.dll",
      "SHA256": "72e834d88720a805efb8194514d214b404fe69b3fd7e52036a535107a695b9d2",
      "URLs": ["https://updates.safing.io/windows_amd64/dll/portmaster-core_v1-6-30.dll"],
      "Platform": "windows_amd64",
      "Version": "1.6.30"
    },
    {
      "Filename": "portmaster-core.exe",
      "SHA256": "341f8bed55657366c3271b6dc369b091fb24a39a445aa7795db3c90810c5a57a",
      "URLs": ["https://updates.safing.io/windows_amd64/core/portmaster-core_v2-0-25.exe"],
      "Platform": "windows_amd64"
    },
    {
      "Filename": "portmaster-kext.sys",
      "SHA256": "4d72a8b43a4a3f2e2b5598edbd64a28de8c47a4db546607164c5e48c07103329",
      "URLs": ["https://updates.safing.io/windows_amd64/kext/portmaster-kext_v2-0-7.sys"],
      "Platform": "windows_amd64",
      "Version": "2.0.7"
    },
    {
      "Filename": "portmaster.exe",
      "SHA256": "ed9afffe733992c49ad3e75c5b263c2e0dd5231e600e7bb01c40373b27b1c4f5",
      "URLs": ["https://updates.safing.io/windows_amd64/app2/portmaster_v2-0-25.exe"],
      "Platform": "windows_amd64"
    },
    {
      "Filename": "portmaster.zip",
      "SHA256": "0011176f80ba498a87a86ba782bdf7896f3e0289debb53e05b071a177ee96b23",
      "URLs": ["https://updates.safing.io/all/ui/modules/portmaster_v2-0-25.zip"]
    }
  ],
  "_jess-signature": "Q6RnVmVyc2lvbgFnU3VpdGVJRGtzaWduZmlsZV92MWVOb25jZUQmqNxZalNpZ25hdHVyZXOBo2ZTY2hlbWVnRWQyNTUxOWJJRHgkYzBkZjRkYjAtODZlMS00OGY2LTkzZjMtZDFiOGVkOTk2M2FlZVZhbHVlWECMS57C4vnBqn5eXfiFQmcoxb7o6yN5L8S1PlaT8VjeZxpNeYSrXKJYOEfbeemrHbnM3KqKZw2ho_5t5am_F9IP"
}
```
This was copied from some other path.
Otherwise, which is the right approach for someone who might've added considerable changes to the local dev copy? As we can't keep delving down into every nitty-gritty, right? I expected the dist folder might've had the ready-made binaries which should simply get up and running with a simple plug-n-play approach. Never expected to analyze too deep apart from the changes I made.
Even after these index.jsons it's still complaining regarding the signature.
My dir contents:

```
<-Geek->$ ls -lt /usr/lib/portmaster/{portmaster-core,portmaster,assets*,index.json}
-rwxr-xr-x 1 root root 2550 Oct 8 00:02 /usr/lib/portmaster/index.json
-rwxr-xr-x 1 root root 44480557 Oct 7 23:23 /usr/lib/portmaster/portmaster-core
-rwxr-xr-x 1 root root 25883896 Oct 3 22:28 /usr/lib/portmaster/portmaster
-rw-r--r-- 1 root root 2643447 Aug 5 19:40 /usr/lib/portmaster/assets.zip
/usr/lib/portmaster/assets:
total 544
drwxr-xr-x 2 root root 4096 Jun 24 12:58 icons
drwxr-xr-x 2 root root 4096 Mar 11 2025 favicons
drwxr-xr-x 10 root root 4096 Mar 11 2025 fonts
drwxr-xr-x 4 root root 4096 Mar 11 2025 img
-rw-r--r-- 1 root root 538266 Mar 11 2025 world-50m.json
<-Geek->$
<-Geek->$ ls -lt /var/lib/portmaster/
total 200
drwx------ 5 root root 4096 Oct 8 00:02 databases
drwx------ 2 root root 139264 Oct 8 00:02 log
-rw-r--r-- 1 root root 10366 Oct 7 23:12 config.json
drwxr-xr-x 2 root root 4096 Oct 5 19:58 intel
drwxr-xr-x 2 root root 4096 Oct 1 06:17 download_intel
drwxr-xr-x 2 root root 4096 Aug 26 11:02 scripts
drwxr-xr-x 2 root root 4096 Aug 20 23:17 download_binaries
drwxrwxrwx 2 root root 4096 Aug 20 21:33 exec
drwxr-xr-x 2 root root 4096 Aug 20 21:33 plugins
-rw-r--r-- 1 root root 9677 Aug 20 21:24 config__bkup.json
-rw-r--r-- 1 root root 120 Dec 12 2024 plugins.json
<-Geek->$
```
As these dir contents are kind of inherited from v1, I'm just not really sure whether this structure will stay consistent with v2.
Also due to this custom built kernel 6.17, I'm confused about how to solve these eBPF related issues, as whenever I try to install something like linux-tools-generic and then try bpftool --help, it complains to download for my custom "uname -r", which won't be available in upstream common generic repos.
It always complains like it's unable to attach for eBPF and the resource is busy.
Also why does the debug page say like workers are in waiting?:
**Worker Status: 1/49 (2?)**:
49 Workers: 1 running, 47 waiting

| # | State | Module | Name | Worker Func | Current Line | Extra Info |
|---|-------|--------|------|-------------|--------------|------------|
| 1 | running | API | http request | `github.com/safing/portmaster/base/api.(*mainHandler).ServeHTTP.func1` | `github.com/safing/portmaster/service/debug.go:58` | |
| 1 | chan receive | Resolver | mdns handler | `github.com/safing/portmaster/service/resolver.listenToMDNS` | `github.com/safing/portmaster/service/resolver/resolver-mdns.go:147` | |
| 2 | select | Rng | feeder | `github.com/safing/portmaster/base/rng.(*Feeder).run` | `github.com/safing/portmaster/base/rng/entropy.go:117` | |
| 1 | select | DNSMonitor | systemd-resolver-event-listener | `github.com/safing/portmaster/service/firewall/interception/dnsmonitor.newListener.func1` | `github.com/safing/portmaster/service/firewall/interception/dnsmonitor/eventlistener_linux.go:74` | |
| 1 | select | Firewall | bandwidth update handler | `github.com/safing/portmaster/service/firewall.bandwidthUpdateHandler` | `github.com/safing/portmaster/service/firewall/packet_handler.go:840` | |
| 1 | select | Firewall | packet handler | `github.com/safing/portmaster/service/firewall.packetHandler` | `github.com/safing/portmaster/service/firewall/packet_handler.go:825` | |
| 1 | select | Interception | nfqueue packet handler | `github.com/safing/portmaster/service/firewall/interception.StartNfqueueInterception.func1` | `github.com/safing/portmaster/service/firewall/interception/nfqueue_linux.go:455` | |
| 1 | select | NetEnv | monitor network changes | `github.com/safing/portmaster/service/netenv.monitorNetworkChanges` | `github.com/safing/portmaster/service/netenv/network-change.go:52` | |
| 1 | select | NetEnv | monitor online status | `github.com/safing/portmaster/service/netenv.monitorOnlineStatus` | `github.com/safing/portmaster/service/netenv/online-status.go:363` | |
| 1 | select | NetQuery | netquery connection feed handler | `github.com/safing/portmaster/service/netquery.(*NetQuery).Start.func2` | `github.com/safing/portmaster/service/netquery/manager.go:101` | |
| 1 | select | NetQuery | netquery connection feed listener | `github.com/safing/portmaster/service/netquery.(*NetQuery).Start.func1` | `github.com/safing/portmaster/service/netquery/module_api.go:194` | |

Mostly it always says that most of the workers are in waiting.
Will my custom sysctl OS kernel settings impact these workers? Or is this how this app's workers are normally scheduled and they don't run concurrently? Is the above behavior the expected behavior? Just curious.
Main queries to be answered:
- What should be added as /usr/lib/portmaster/index.json [if at all anything has to be added or expected for the UI to function fine]. Mainly by someone who did local builds and maybe could've turned off auto-updates. [mainly develop branch].
- Why so many workers inactive?
- How about the OS kernel sysctl options? Can they cause issues or conflicts?
- When can we expect stable fixes for fwmarks, which almost allow other tools to modify at least half of the 32-bit mark in parallel? Portmaster should modify its code such that it retains that half of those marks, which it currently doesn't, which causes compatibility issues.
Also do let me know if at all I can get a yearly SPN subscription for free [maybe I could think about pushing the advanced changes I made in my develop branch].
**Note** - Even though all the above issues exist as of now, I was still able to successfully build almost 10 builds and notice my changes take effect earlier. Only after the most recent build am I facing the above issues. There have been quite a few issues related to fwmarks, which could've been handled much more elegantly.
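
An added example (not Portmaster's code and not part of the original comments) for the index.json question above: it reads the `Filename`, `SHA256` and `Platform` fields of an index in the format posted and reports which files in a directory match the listed hashes. `CheckIndex`, `runDemo` and the sample files are constructed for illustration, and the Ed25519 index signature from the log is not checked here.

```go
package main

import (
	"crypto/sha256"
	"encoding/json"
	"errors"
	"fmt"
	"io/fs"
	"testing/fstest"
)

// CheckIndex hashes every artifact the index lists for platform (or for all
// platforms) and reports "ok", "mismatch" or "missing" per filename.
func CheckIndex(indexJSON []byte, dir fs.FS, platform string) (map[string]string, error) {
	var idx struct {
		Artifacts []struct{ Filename, SHA256, Platform string }
	}
	if err := json.Unmarshal(indexJSON, &idx); err != nil {
		return nil, fmt.Errorf("parse index: %w", err)
	}
	res := map[string]string{}
	for _, a := range idx.Artifacts {
		if a.Platform != "" && a.Platform != platform {
			continue // artifact for another platform
		}
		data, err := fs.ReadFile(dir, a.Filename)
		switch {
		case errors.Is(err, fs.ErrNotExist):
			res[a.Filename] = "missing"
		case err != nil:
			return nil, err
		case fmt.Sprintf("%x", sha256.Sum256(data)) == a.SHA256:
			res[a.Filename] = "ok"
		default:
			res[a.Filename] = "mismatch" // e.g. a locally rebuilt binary
		}
	}
	return res, nil
}

// runDemo uses constructed data: assets.zip unchanged, portmaster rebuilt
// locally, portmaster-core absent. For real files pass os.DirFS(directory).
func runDemo() (map[string]string, error) {
	dir := fstest.MapFS{
		"assets.zip": {Data: []byte("release assets")},
		"portmaster": {Data: []byte("local build")},
	}
	index := fmt.Sprintf(`{"Artifacts":[
	{"Filename":"assets.zip","SHA256":"%x"},
	{"Filename":"portmaster","SHA256":"%x","Platform":"linux_amd64"},
	{"Filename":"portmaster-core","SHA256":"00","Platform":"linux_amd64"},
	{"Filename":"portmaster.exe","SHA256":"00","Platform":"windows_amd64"}]}`,
		sha256.Sum256([]byte("release assets")), sha256.Sum256([]byte("release build")))
	return CheckIndex([]byte(index), dir, "linux_amd64")
}

func main() {
	fmt.Println(runDemo())
}
```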
This issue has been automatically marked as inactive because it has not had activity in the past two months.
If no further activity occurs, this issue will be automatically closed in one week in order to increase our focus on active topics.