No Rules shown in UI since 1.6.0 #988

Closed
christianhauff opened this issue Jul 13, 2023 · 9 comments

@christianhauff

I've been using opensnitch for a while now and have quite a few rules, but since the update to 1.6.0 which was installed two days ago, the list of rules is just empty. It's exactly the same behavior as described in #739 for version 1.6.0rc2, but there it says it was fixed. I got quite similar opensnitch-instances running on two computers both running manjaro, and they both got the exact same issue since that update. I am using the monitor method proc, since that was relevant in the referenced issue. I couldn't get ebpf to work in the past.

In the Nodes-Tab of the UI, it says correctly that my node has 193 rules, so they are definitely loaded from /etc/opensnitchd/rules and it seems like they are correctly applied.

There is nothing unusual in the logs, starting opensnitchd and opensnitch-ui manually from the terminal also leads to the same result.

I am running Manjaro Linux with xfce4, Kernel Version 6.1.38-1-MANJARO

And I don't know if that's relevant, but with the version update, a new node has been created in the Nodes-Tab, the old one is offline, the timestamp in LastConnection was the next shutdown of my system after getting updates.

@gustavo-iniguez-goya
Collaborator

Hi @christianhauff ,

This is a different issue than #739 (note that your GUI status is Running, but the other one is not), most probably related to the grpcio libs (due to /local vs unix:/local). You can change the monitor method back to ebpf.

I think that the rules were created and assigned to the node "/local" but under v1.6.0 the local node address is called "unix:/local", so when listing rules for "unix:/local" it doesn't find any. What happens if you click on the item Rules tab -> Nodes -> "unix:/local"?

Are you saving events to a DB on disk?

@christianhauff
Author

Okay, I missed that difference, you're right! 👍 Unfortunately, I was never able to switch to ebpf (still not sure what the difference is anyways), I'm getting a notification that says "unable to load eBPF module (opensnitch-procs.o). Your Kernel Version (6.1.38-1-MANJARO) might not be compatible". I got the opensnitch-ebpf-module installed via AUR, but still. As it always did its job with proc, I did not follow that topic further.

I noticed that the node has probably been renamed someway, but as both nodes show that they have a similar number of rules loaded, I guessed the rules were migrated too.

Under Nodes -> unix:/local I am getting events logged just fine, they even have the name of the corresponding rule in the back.

And yes, I am using logging to a database file with logrotate configured, that has always been running fine.

@gustavo-iniguez-goya
Collaborator

That looks fine to me. The only doubt is why it doesn't display the rules when clicking on Apps rules, permanent or temporary.
I've got 4 nodes disconnected, with different addresses and I can list the rules of all nodes.

I'll try to reproduce it by upgrading to 1.6.0 from 1.5.8. Or perhaps if you could send me your DB I could try to reproduce the scenario more easily (to gooffy1 - gmail dot com).

> I'm getting a notification that says "unable to load eBPF module (opensnitch-procs.o).

See if you have that file under /usr/lib/opensnitchd/ebpf/. Also, change the LogLevel to DEBUG (Preferences->Nodes) and after starting the daemon it should dump to /var/log/opensnitchd.log the reason why it can't load the module (some cryptic logs with hexadecimals, etc.)

@christianhauff
Author

Thank you for looking into it! One update: on one of my laptops, it is working again. I don't know why and I can't remember changing any settings. Most of the fiddling for finding a solution, I did on my work laptop, and now suddenly opensnitch on my private laptop works like there has never been a problem. I'll dig into the differences on Monday.

But about your advice, I don't even have a directory /usr/lib/opensnitchd, don't know why. But I'll try the rest of your hints on Monday when I have access to my other laptop again. Maybe the problem has also been magically solved...

@christianhauff
Author

Okay, that's strange! Everything is working fine on my work laptop too. I had several reboots already when investigating the problem last week, and suddenly now everything is working when booting it today. Hopefully it's solved! Thank you anyways, @gustavo-iniguez-goya

@thegranddesign

Just for others that might come here and need help, if you're storing your data in a database file, the upgrade to 1.6 will cause the UI to completely mess up. The following steps worked for me. Do not @ me if they mess up your install 😉

  1. Copy your database file (usually ~/.config/opensnitch/database) for backup
  2. Exit OpenSnitch UI
  3. Stop the OpenSnitch service (e.g. on Ubuntu/Debian: systemctl stop opensnitch)
  4. Delete the database file: rm -f ~/.config/opensnitch/database
  5. Start OpenSnitch (e.g. systemctl start opensnitch)
  6. Open the UI
  7. If all looks good, you can delete the database backup

You should see your rules appear again after OpenSnitch loads them from the on-disk JSON files.
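
Steps 1 and 3 to 5 above as a shell function that refuses to delete the database unless the backup is byte-identical. This is an added example, not part of the original comment or of the OpenSnitch project; `reset_ui_db` and `SVC_CMD` are hypothetical names, while the default path and the service name are the ones quoted in the steps.

```shell
#!/bin/sh
# Added example, not OpenSnitch project code.
# SVC_CMD is a hypothetical override so the function can be exercised
# without touching a real service; it defaults to systemctl.
SVC_CMD="${SVC_CMD:-systemctl}"

# reset_ui_db [DB_PATH]
# Backs up the UI database, verifies the copy, stops the service,
# removes the original and starts the service again.
# Prints the backup path on success, returns non-zero on any failure.
reset_ui_db() {
    db="${1:-$HOME/.config/opensnitch/database}"
    if [ ! -f "$db" ]; then
        echo "no database file at $db" >&2
        return 1
    fi
    backup="$db.bak.$(date +%Y%m%d%H%M%S)"

    # Step 1: back up, preserving mode and timestamps.
    cp -p "$db" "$backup" || return 1

    # Nothing is deleted unless the copy matches the original byte for byte.
    if ! cmp -s "$db" "$backup"; then
        echo "backup verification failed, database left untouched" >&2
        rm -f "$backup"
        return 1
    fi

    # Step 3: stop the service (quit the UI by hand first, step 2).
    "$SVC_CMD" stop opensnitch || return 1
    # Step 4: remove the database file.
    rm -f "$db"
    # Step 5: start the service again; the UI is reopened by hand (step 6).
    "$SVC_CMD" start opensnitch || return 1

    printf '%s\n' "$backup"
}

# Usage (run as a user allowed to manage the service):
#   reset_ui_db                # default path from the steps above
#   reset_ui_db /path/to/database
```

The backup file is kept; delete it by hand once the rules show up again (step 7).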

@gustavo-iniguez-goya
Collaborator

hey @thegranddesign , thank you for reporting this info!

Did you upgrade from 1.5 to 1.6? I'll see if I can reproduce this scenario, and fix whatever problem it causes.

@elwin013

Hey @gustavo-iniguez-goya, I can confirm that removing the database fixes the issue with rules not being visible in the UI and that it started to behave like that after upgrading from 1.5.x to 1.6.x.

Rules are working in the background and you can add new ones (or remove existing ones on the local machine by removing them from /etc/opensnitchd/rules).

Another thing that is not working after the update is exporting rules: an error is shown and the logs contain:

[2023-07-30 18:35:04]  WAR  Error while pinging UI service: rpc error: code = Internal desc = Exception deserializing request!, state: READY
[2023-07-30 18:35:04]  ERR  Subscribing to GUI rpc error: code = Internal desc = Exception deserializing request!

gustavo-iniguez-goya added a commit that referenced this issue Jul 30, 2023
- Added needed files to upgrade DB schema.
- Use datetime.strptime instead of fromisoformat, to support python3.6
- More debug logs to better analyze problems.

Related: #988
@gustavo-iniguez-goya
Collaborator

Reproduced and fixed! (hopefully). What a facepalm, sorry for that.
