gustavo-iniguez-goya/opensnitch

Firewall not working

jorik392 opened this issue · 17 comments

Hello, I updated to the latest git version but the firewall has stopped working for some reason. The GUI shows running and the service is running, but rules have no effect and the firewall seems not to be working.

Errors I find in /var/log/opensnitchd.log:
IMP . Start writing logs to %!(EXTRA string=/var/log/opensnitchd.log)
ERR . Error while running DNS firewall rule: exit status 1
ERR . Error while running firewall rule, ipv4 err: exit status 1, ipv6 err: exit status 3
ERR . rule: [-N opensnitch-filter-OUTPUT -t mangle]
IMP . firewall rules changed, reloading
ERR . Error while running DNS firewall rule: exit status 1
ERR . Error while running firewall rule, ipv4 err: exit status 1, ipv6 err: exit status 3
ERR . rule: [-N opensnitch-filter-OUTPUT -t mangle]
IMP . firewall rules changed, reloading
and repeat...

Thanks

I updated to latest git version

manually or via some package (AUR, etc)?

Does the file system-fw.json exist in /etc/opensnitchd/ ?

Ok, some questions:

  • Could you post the output of iptables -L OUTPUT while the issue is reproduced?
  • Insert please the problematic rule manually to see if it outputs any error:
    iptables -I INPUT --protocol udp --sport 53 -j NFQUEUE --queue-num 0 --queue-bypass
  • Check system logs to see if there are more errors related to iptables: journalctl -ar|grep iptables

I'll try to reproduce this error.

thank you!

Used aur and system-fw.json exists.

iptables -L OUTPUT
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
ufw-before-logging-output all -- anywhere anywhere
ufw-before-output all -- anywhere anywhere
ufw-after-output all -- anywhere anywhere
ufw-after-logging-output all -- anywhere anywhere
ufw-reject-output all -- anywhere anywhere
ufw-track-output all -- anywhere anywhere

No error when inserting the problematic rule.

There is a repeating iptables error like below in journalctl
kernel: audit: type=1325 audit(): table=mangle family=2 entries=133 op=xt_replace pid=2100 subj==unconfined comm="iptables"
audit[2100]: NETFILTER_CFG table=mangle family=2 entries=133 op=xt_replace pid=2100 subj==unconfined comm="iptables"
With different entries/pid values

Could you post the output of iptables -L OUTPUT while the issue is reproduced?

sorry, I meant iptables -t mangle -L and ip6tables -t mangle -L. Save the output in order to post it here.

After that, stop the service, clean the rules and start the service again:

service opensnitch stop

# mangle table: flush OUTPUT (this also drops the jumps to the opensnitch chain
# and the NFQUEUE rule), flush the opensnitch chain, then delete the empty chain
iptables -t mangle -F OUTPUT
iptables -t mangle -F opensnitch-filter-OUTPUT
iptables -t mangle -X opensnitch-filter-OUTPUT

ip6tables -t mangle -F OUTPUT
ip6tables -t mangle -F opensnitch-filter-OUTPUT
ip6tables -t mangle -X opensnitch-filter-OUTPUT

# filter table: remove the DNS-response hook from INPUT
iptables -D INPUT --protocol udp --sport 53 -j NFQUEUE --queue-num 0 --queue-bypass
ip6tables -D INPUT --protocol udp --sport 53 -j NFQUEUE --queue-num 0 --queue-bypass

# mangle table: remove the NFQUEUE hook from OUTPUT (already gone if the -F above succeeded)
iptables -D OUTPUT -t mangle -m conntrack --ctstate NEW,RELATED -j NFQUEUE --queue-num 0 --queue-bypass
ip6tables -D OUTPUT -t mangle -m conntrack --ctstate NEW,RELATED -j NFQUEUE --queue-num 0 --queue-bypass

service opensnitch start

let's see if we can figure out what's going on here.
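An added example, in Python rather than the daemon's Go and not code from the opensnitch project, of the behaviour the cleanup above has to work around: each hook rule is inserted only when `iptables -C` reports it absent, the chain is created only when it does not exist yet, and a family whose tables cannot be opened is skipped instead of failing the whole reload. `FakeTables` is a constructed in-memory stand-in so the functions can be exercised without root; it mimics the exit statuses in the log posted at the top of the thread (`-N` on an existing chain fails with status 1, ip6tables on a kernel without IPv6 fails with status 3, the "Address family not supported" case). `surplus_rules` and `dedup_chain` remove the kind of repeated jump that the `iptables -t mangle -L` output below shows. The chain name and rule specs are taken from the commands in this thread; everything else is an assumption of the example.

```python
"""Idempotent opensnitch firewall hooks plus cleanup of duplicated rules.

Added example, not code from the opensnitch project. `run` is any callable
taking an argv list and returning (exit status, stdout); the default shells
out to the real iptables/ip6tables and needs root.
"""
import subprocess
from collections import Counter

CHAIN = "opensnitch-filter-OUTPUT"
HOOK = ["-m", "conntrack", "--ctstate", "NEW,RELATED",
        "-j", "NFQUEUE", "--queue-num", "0", "--queue-bypass"]
DNS_HOOK = ["--protocol", "udp", "--sport", "53",
            "-j", "NFQUEUE", "--queue-num", "0", "--queue-bypass"]

def run_real(argv):
    """Execute an iptables command and return (exit status, stdout)."""
    p = subprocess.run(argv, capture_output=True, text=True)
    return p.returncode, p.stdout

def family_usable(run, cmd, table):
    """False when the table cannot be opened, e.g. ip6tables without IPv6 (status 3)."""
    return run([cmd, "-t", table, "-S"])[0] == 0

def ensure_chain(run, cmd, table, chain):
    """Create chain only if it does not exist; -N on an existing chain exits 1."""
    if run([cmd, "-t", table, "-S", chain])[0] == 0:
        return False
    return run([cmd, "-t", table, "-N", chain])[0] == 0

def ensure_rule(run, cmd, table, chain, spec):
    """Insert spec only if -C says it is absent. Returns True when inserted."""
    if run([cmd, "-t", table, "-C", chain] + spec)[0] == 0:
        return False
    rc, _ = run([cmd, "-t", table, "-I", chain] + spec)
    if rc != 0:
        raise RuntimeError("%s -t %s -I %s failed with status %d" % (cmd, table, chain, rc))
    return True

def surplus_rules(dump):
    """Map each '-A ...' line of `iptables -S CHAIN` output to its number of extra copies."""
    counts = Counter(l.strip() for l in dump.splitlines() if l.startswith("-A "))
    return {spec: n - 1 for spec, n in counts.items() if n > 1}

def dedup_chain(run, cmd, table, chain):
    """Delete surplus copies so each rule is present once; returns deletions done."""
    rc, out = run([cmd, "-t", table, "-S", chain])
    if rc != 0:
        return 0
    deleted = 0
    for spec, extra in surplus_rules(out).items():
        for _ in range(extra):   # '-A OUTPUT ...' becomes '-D OUTPUT ...'
            if run([cmd, "-t", table, "-D"] + spec.split()[1:])[0] == 0:
                deleted += 1
    return deleted

def install_hook(run=run_real):
    """Install the hooks for every usable family; safe to call repeatedly."""
    installed = []
    for cmd in ("iptables", "ip6tables"):
        if not family_usable(run, cmd, "mangle"):
            continue             # no IPv6: skip this family, do not fail the reload
        ensure_chain(run, cmd, "mangle", CHAIN)
        ensure_rule(run, cmd, "mangle", "OUTPUT", ["-j", CHAIN])
        ensure_rule(run, cmd, "mangle", "OUTPUT", HOOK)
        ensure_rule(run, cmd, "filter", "INPUT", DNS_HOOK)
        installed.append(cmd)
    return installed

class FakeTables:
    """Constructed in-memory stand-in for iptables/ip6tables (testing only).

    Exit statuses follow the thread's log: 3 when the family is unusable,
    1 for -N on an existing chain or for operations on a missing chain/rule.
    """
    def __init__(self, ipv6=True):
        self.ipv6 = ipv6
        self.chains = {}     # (cmd, table) -> {chain: [rulespec, ...]}

    def __call__(self, argv):
        cmd, table, op = argv[0], argv[2], argv[3]
        if cmd == "ip6tables" and not self.ipv6:
            return 3, ""     # can't initialize table: Address family not supported
        chains = self.chains.setdefault((cmd, table), {"INPUT": [], "OUTPUT": []})
        if op == "-S" and len(argv) == 4:
            return 0, "\n".join("-A %s %s" % (c, r) for c, rs in chains.items() for r in rs)
        chain, spec = argv[4], " ".join(argv[5:])
        if op == "-N":
            if chain in chains:
                return 1, "" # Chain already exists.
            chains[chain] = []
            return 0, ""
        if chain not in chains:
            return 1, ""     # No chain/target/match by that name.
        if op == "-S":
            return 0, "\n".join("-A %s %s" % (chain, r) for r in chains[chain])
        if op == "-C":
            return (0 if spec in chains[chain] else 1), ""
        if op == "-I":
            chains[chain].insert(0, spec)
            return 0, ""
        if op == "-D":
            if spec not in chains[chain]:
                return 1, ""
            chains[chain].remove(spec)
            return 0, ""
        return 2, ""
```

`install_hook()` with the default runner applies the real rules; `install_hook(FakeTables(ipv6=False))` reproduces the host in this thread, where only the `iptables` family is touched and a second call changes nothing. Running `dedup_chain(run_real, "iptables", "mangle", "OUTPUT")` on a chain like the one below would remove the repeated jumps without a full flush.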

iptables -t mangle -L
Chain PREROUTING (policy ACCEPT)
target prot opt source destination

Chain INPUT (policy ACCEPT)
target prot opt source destination

Chain FORWARD (policy ACCEPT)
target prot opt source destination

Chain OUTPUT (policy ACCEPT)
target prot opt source destination
opensnitch-filter-OUTPUT all -- anywhere anywhere
opensnitch-filter-OUTPUT all -- anywhere anywhere
opensnitch-filter-OUTPUT all -- anywhere anywhere
[... 120 further identical lines omitted: 123 jumps to opensnitch-filter-OUTPUT in total, matching the reference count below ...]

Chain POSTROUTING (policy ACCEPT)
target prot opt source destination

Chain opensnitch-filter-OUTPUT (123 references)
target prot opt source destination
ACCEPT icmp -- anywhere anywhere
ACCEPT icmp -- anywhere anywhere
ACCEPT icmp -- anywhere anywhere
[... 120 further identical lines omitted: 123 ACCEPT icmp rules in total ...]

ip6tables -t mangle -L
ip6tables v1.8.6 (legacy): can't initialize ip6tables table `mangle': Address family not supported by protocol
Perhaps ip6tables or your kernel needs to be upgraded.

When running iptables -D OUTPUT -t mangle -m conntrack --ctstate NEW,RELATED -j NFQUEUE --queue-num 0 --queue-bypass there is an error:
iptables: No chain/target/match by that name.

When running ip6tables -D OUTPUT -t mangle -m conntrack --ctstate NEW,RELATED -j NFQUEUE --queue-num 0 --queue-bypass there is an error:
Could not open socket to kernel: Address family not supported by protocol

Could not open socket to kernel: Address family not supported by protocol

ok, so it looks like you don't have IPv6 enabled. I'll try to reproduce it without IPv6.

[edit] reproduced! fixing.

Thank you!

It should be fixed with this commit @jorik392, it'd be cool if you could test it before it's packaged for Arch.

In either case, let me know please if it's fixed.

Thanks @gustavo-iniguez-goya, existing rules seem to be working and popups/connections are showing up now.

I did notice though that when I click a program popup action such as allow or deny the GUI crashes completely.

Errors in /var/log/opensnitchd.log:

IMP . Start writing logs to %!(EXTRA string=/var/log/opensnitchd.log)
WAR . Error while asking for rule: rpc error: code = Unavailable desc = transport is closing - /usr/bin/python3.8 (2115) -> github.com:53 (proto:udp uid:0)
ERR . Invalid rule received, applying default action
ERR . Connection to the UI service lost.
ERR . getting notifications: %!(EXTRA *status.statusError=rpc error: code = Unavailable desc = transport is closing, *protocol.Notification=)

ERR . Invalid rule received, applying default action

Maybe you have different versions of the GUI and the daemon? Both should be 1.3.0*.

Set logs to DEBUG, reproduce the problem and paste the output here please.

Daemon and GUI version are both 1.3.0*.

In the GUI the allowed/denied connections have corresponding rule as "ui.client.disconnected".

/var/log/opensnitchd.log after restarting service then clicking deny on popup which causes GUI to crash:
IMP . Start writing logs to %!(EXTRA string=/var/log/opensnitchd.log)
INF . Process monitor method /proc
DBG . UI service poller started for socket /tmp/osui.sock
INF . Running on netfilter queue #0 ...
DBG . client.disconnect()
DBG . client.disconnect()
DBG . client.disconnect()
DBG . client.disconnect()
DBG . client.disconnect()
INF . Connected to the UI service on /tmp/osui.sock
INF . Start receiving notifications
DBG . new connection udp => 21934:192.168.1.113 -> 192.168.1.1:53 uid: %!(EXTRA uint32=0)
DBG . [0/1] outgoing connection: 21934:192.168.1.113 -> 192.168.1.1:53 || netlink response: 21934:192.168.1.113 -> 192.168.1.1:53 inode: 32142 - loopback: false multicast: false unspecified: false linklocalunicast: false ifaceLocalMulticast: false GlobalUni: true
DBG . new pid lookup took%!(EXTRA int=559, time.Duration=29.120834ms)
DBG . [0] PID found 559
ERR . getting notifications: %!(EXTRA *status.statusError=rpc error: code = Unavailable desc = transport is closing, *protocol.Notification=)
INF . Stop receiving notifications
WAR . Error while asking for rule: rpc error: code = Unavailable desc = transport is closing - /usr/bin/python3.8 (559) -> github.com:53 (proto:udp uid:0)
ERR . Invalid rule received, applying default action
ERR . Connection to the UI service lost.
DBG . client.disconnect()
DBG . new connection udp => 5115:192.168.1.113 -> 192.168.1.1:53 uid: %!(EXTRA uint32=985)
DBG . [0/1] outgoing connection: 5115:192.168.1.113 -> 192.168.1.1:53 || netlink response: 5115:0.0.0.0 -> 0.0.0.0:0 inode: 13925 - loopback: false multicast: false unspecified: false linklocalunicast: false ifaceLocalMulticast: false GlobalUni: true
DBG . GetSocketInfo() invalid: 53:0.0.0.0 -> 0.0.0.0:0
DBG . netlink socket not found, adding entry: 5115:192.168.1.113 -> 192.168.1.1:53 || 53:0.0.0.0 -> 0.0.0.0:0 inode: 13925 state: close
DBG . Inode found in cache%!(EXTRA time.Duration=5.665µs, *procmon.Inode=&{559 /proc/559/fd/12}, int=13925, string=13925 192.168.1.113 5115 192.168.1.1 53)
DBG . new pid lookup took%!(EXTRA int=559, time.Duration=14.104271ms)
DBG . [0] PID found 559
DBG . ... /usr/bin/python3.8 -> github.com:53 (ui.client.disconnected)
DBG . client.disconnect()
DBG . client.disconnect()
DBG . client.disconnect()
DBG . new connection udp => 30722:192.168.1.113 -> 192.168.1.1:53 uid: %!(EXTRA uint32=0)
DBG . [0/1] outgoing connection: 30722:192.168.1.113 -> 192.168.1.1:53 || netlink response: 30722:192.168.1.113 -> 192.168.1.1:53 inode: 39370 - loopback: false multicast: false unspecified: false linklocalunicast: false ifaceLocalMulticast: false GlobalUni: true
DBG . Socket found in known pids 244.11µs, pid: 559, inode: 39370, pids in cache: %!d(string=pos)%!(EXTRA int=0, int=2)
DBG . [0] PID found 559
DBG . ... /usr/bin/python3.8 -> github.com:53 (ui.client.disconnected)
DBG . client.disconnect()
DBG . client.disconnect()
DBG . client.disconnect()
DBG . client.disconnect()

clicking deny on popup which causes GUI to crash:

mmh, can you launch the GUI from a terminal and see if it outputs any error? opensnitch-ui

On the other hand, I see that you have a python app talking to github (/usr/bin/python3.8 -> github.com:53), can you post what it is? If you open a connection with telnet/firefox/ping and allow/deny it, does the GUI also crash?

I tried telnet/firefox/ping but the GUI still crashes.

After launching GUI from terminal until GUI crashes:
new node connected, listening for client responses... /tmp/osui.sock
Traceback (most recent call last):
File "/usr/lib/python3.8/site-packages/opensnitch/dialogs/prompt.py", line 364, in _on_deny_clicked
self._send_rule()
File "/usr/lib/python3.8/site-packages/opensnitch/dialogs/prompt.py", line 390, in _send_rule
rule_temp_name = self._get_rule_name()
File "/usr/lib/python3.8/site-packages/opensnitch/dialogs/prompt.py", line 371, in _get_rule_name
rule_temp_name = slugify("%s %s" % (self._rule.action, self._rule.duration))
TypeError: 'module' object is not callable
Aborted (core dumped)

ha! there it is.

I'll try to reproduce and fix it. Thank you!

Please, execute this line in a terminal and see if it works or if it outputs the same error:

python3.8 -c 'from slugify import slugify; print(slugify("test aa bb cc dd"))'

it should return test-aa-bb-cc-dd

If that works, can you replace your /usr/lib/python3.8/site-packages/opensnitch/dialogs/prompt.py with the attached prompt.py.txt and try again?

if it crashes paste the stacktrace again please.

After running command:
Traceback (most recent call last):
File "<string>", line 1, in <module>
TypeError: 'module' object is not callable

oops, so it's something related to slugify.

The package should be installed under /usr/lib/python3.8/site-packages/slugify/
https://www.archlinux.org/packages/community/any/python-slugify/files/

Reinstall it or ask on the Arch forums.

I checked and slugify is installed under /usr/lib/python3.8/site-packages/slugify/.

I noticed the AUR package changed a few months ago from using python-unicode-slugify to python-slugify. Do you think that could have something to do with this issue?

in theory no, otherwise other users would have noticed it. But I can't tell for sure.
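The `TypeError: 'module' object is not callable` from `from slugify import slugify` means the name `slugify` exposed by the package is bound to a submodule (`site-packages/slugify/slugify.py`) rather than to the function, which is what you get when the package's `__init__.py` imports the submodule but never re-exports the function. Whether the files on this system ended up that way because of the package switch discussed above is not established in the thread. The following is an added example, not opensnitch or python-slugify code: it builds both layouts as throw-away packages named `slugify` in a temporary directory (constructed stand-ins, not the real distributions), reports which case an imported package is in, and shows a lookup that reaches the function either way.

```python
"""Tell a `slugify` package whose `slugify` attribute is a module from one where
it is the function, and reach the function either way.

Added example, not opensnitch or python-slugify code. The two package variants
are constructed on the fly in a temporary directory; they are not the real
distributions and only exist to reproduce the import error from the thread.
"""
import importlib
import os
import sys
import tempfile
import types

# Minimal stand-in for the real slugify/slugify.py (constructed for this example).
SUBMODULE_SRC = '''
import re
def slugify(text):
    return re.sub(r"[^a-z0-9]+", "-", text.lower()).strip("-")
'''
# Healthy layout: __init__ re-exports the function, so `from slugify import slugify`
# yields a callable.
HEALTHY_INIT = "from .slugify import slugify\n"
# Broken layout: __init__ imports the submodule but not the function, so the package
# attribute `slugify` is the module `slugify.slugify`; calling it raises
# TypeError: 'module' object is not callable, the error seen in the thread.
SHADOWED_INIT = "from . import slugify\n"

def describe_slugify(mod):
    """Return ('function' | 'module' | 'missing', file) for mod.slugify."""
    attr = getattr(mod, "slugify", None)
    if attr is None:
        return "missing", getattr(mod, "__file__", "?")
    if isinstance(attr, types.ModuleType):
        return "module", getattr(attr, "__file__", "?")
    if callable(attr):
        return "function", getattr(mod, "__file__", "?")
    return type(attr).__name__, getattr(mod, "__file__", "?")

def resolve_slugify(mod):
    """Return the slugify callable even when a submodule shadows it on the package."""
    attr = getattr(mod, "slugify", None)
    if callable(attr):
        return attr
    sub = importlib.import_module(mod.__name__ + ".slugify")
    fn = getattr(sub, "slugify", None)
    if not callable(fn):
        raise ImportError("%s.slugify is %r, not a function" % (mod.__name__, attr))
    return fn

def load_variant(init_src):
    """Write a throw-away `slugify` package with the given __init__.py and import it fresh."""
    root = tempfile.mkdtemp(prefix="slugify-demo-")
    pkg = os.path.join(root, "slugify")
    os.makedirs(pkg)
    with open(os.path.join(pkg, "__init__.py"), "w") as f:
        f.write(init_src)
    with open(os.path.join(pkg, "slugify.py"), "w") as f:
        f.write(SUBMODULE_SRC)
    # Forget any previously imported slugify so the new directory wins.
    for name in [n for n in sys.modules if n == "slugify" or n.startswith("slugify.")]:
        del sys.modules[name]
    importlib.invalidate_caches()
    sys.path.insert(0, root)
    try:
        return importlib.import_module("slugify")
    finally:
        sys.path.remove(root)

def run_demo():
    """Import both layouts; return {label: (kind of package attribute, slug produced)}."""
    results = {}
    for label, init in (("healthy", HEALTHY_INIT), ("shadowed", SHADOWED_INIT)):
        mod = load_variant(init)
        kind, _where = describe_slugify(mod)
        results[label] = (kind, resolve_slugify(mod)("test aa bb cc dd"))
    return results

if __name__ == "__main__":
    for label, (kind, slug) in run_demo().items():
        print("%-8s package attribute is a %s; slug = %s" % (label, kind, slug))
```

On the affected machine the same check against the installed package is `python3 -c 'import slugify; print(slugify.__file__, slugify.slugify)'`: a healthy install prints `<function slugify ...>`, the failing one prints `<module 'slugify.slugify' ...>`. On Arch, `pacman -Qo` on the files under /usr/lib/python3.8/site-packages/slugify/ shows which package owns each of them, which is how to tell whether a leftover from a previous package is mixed in.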