Tor plugin "Hidden Service Access Only" broken #427
Comments
r45424 - iptables: remove layer7 support.....
Thanks for pointing this out, I'll try to address this ASAP. I'll work on getting layer7 back in. The number of times the OpenWRT devs just rip out a useful feature so that not only isn't it in there by default, but there's no way to build it at all... it's really irritating.
layer7 has its (increasing) limitations. I wonder if there is another way to address this particular issue without the need for layer7 support.
layer7 functionality is significantly more important than saving space. I'd rather ditch all 4M routers than layer7 support.
One user on the forum a while ago suggested the use of nDPI as layer7 functionality. It used to be available as a kmod. nDPI includes an SSL decoder so it doesn't break with encrypted connections. I expect the library will be huge though. Just a suggestion anyway.
Alternative non-layer7 solution on forum by Spine. Also, another approach would be to add the entire private subnet to the ipset already used by Tor.
If it were just the Tor hidden services, that solution would work great, but layer7 is absolutely required for qos and access restrictions.
And yet... L7 was removed 8 months ago and almost no-one has noticed. And those that have are using Tor.
Should now be fixed in 3209523
Unfortunately not fixed [EDIT It seems that the issue is a little more far reaching than expected and also affects Tor Client: Enabled, Toggled By Each Host. I did not think that this option relied on L7, but maybe? I will look into replacing Tor's use of L7 by some other method (see above) and see if the Tor issue is resolved. Then the L7 problems (QoS use of L7 causes reboot loop) can be dealt with independently]
This removes the dependence of Tor on L7 and solves the router stability issues discussed in issue ericpaulbishop#427
[EDIT I now suspect these errors were limited to my build environment] I recently cleared (most of) my downloads directory and now get build errors related to L7
Setting the Tor client to "Enabled For All Hosts" or "Hidden Service Access Only" fails to set the required iptables rules. Reported by forum user cs_privat
tor.firewall
iptables -t nat -A tor_client -p udp --dport 53 -m layer7 --l7proto oniondns -j REDIRECT --to-ports $dns_port
iptables -t nat -A tor_client -p tcp --dport 53 -m layer7 --l7proto oniondns -j REDIRECT --to-ports $dns_port
fails with
iptables v1.4.21: Couldn't load match 'layer7':No such file or directory
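An added example, not part of the original issue or the project's code: a pre-flight check that lists every `-m` match module a firewall script uses for which no userspace extension is installed, the condition behind the error above. The library directory `/usr/lib/iptables`, the function names and the `comment` rule in the demo are assumptions or constructed sample data.

```shell
#!/bin/sh
# Directory iptables loads extensions from (assumed default; adjust per build).
XT_LIBDIR="${XT_LIBDIR:-/usr/lib/iptables}"

# missing_matches FILE [LIBDIR]
# Prints, one per line, each match named by -m/--match in FILE's iptables
# commands that has no libxt_/libipt_/libip6t_ extension file in LIBDIR.
missing_matches() {
    rules_file="$1"
    libdir="${2:-$XT_LIBDIR}"
    # Only look at lines that invoke iptables/ip6tables (skips comments).
    grep -E '^[[:space:]]*ip6?tables[[:space:]]' "$rules_file" |
    tr -s '[:space:]' '\n' |
    awk 'prev == "-m" || prev == "--match" { print } { prev = $0 }' |
    sort -u |
    while read -r name; do
        [ -e "$libdir/libxt_$name.so" ] ||
        [ -e "$libdir/libipt_$name.so" ] ||
        [ -e "$libdir/libip6t_$name.so" ] ||
        echo "$name"
    done
}

# demo: runs the check on the two rules quoted in this issue plus one
# constructed rule, against a constructed extension directory.
demo() {
    tmp=$(mktemp -d)
    mkdir "$tmp/lib"
    : > "$tmp/lib/libxt_comment.so"   # constructed stand-in for an installed extension
    cat > "$tmp/tor.firewall" <<'EOF'
iptables -t nat -A tor_client -p udp --dport 53 -m layer7 --l7proto oniondns -j REDIRECT --to-ports $dns_port
iptables -t nat -A tor_client -p tcp --dport 53 -m layer7 --l7proto oniondns -j REDIRECT --to-ports $dns_port
iptables -A tor_client -m comment --comment "constructed line" -j RETURN
EOF
    missing_matches "$tmp/tor.firewall" "$tmp/lib"
    rm -rf "$tmp"
}

# Stand-alone use: sh check.sh /path/to/firewall-script [libdir]
if [ $# -ge 1 ]; then
    missing_matches "$@"
fi
```

Running such a check at build or upgrade time shows when a firewall script depends on a match that has been dropped from the image, before the rules silently fail to load on the router.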