-
Notifications
You must be signed in to change notification settings - Fork 455
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
IPSec / L2TP connections broken #255
Comments
Normally AFWall only restricts outbound traffic. Are there any INPUT rules in your setup that could account for the errors you see? What do you see in the firewall log? |
There are no custom INPUT rules. I'm running AFWall+ defaults. The firewall log shows only that it's blocking packets from something running as root. No UID is shown. The box for recording UIDs is ticked. Is it possible that an application name has changed in 4.4.2 or in OmniROM? AFWall+ is supposedly configured to permit packets for "VPN networking" (and almost every other system app). Apart from disabling the firewall entirely, the only other way this works is if I tick the boxes for "all" applications running as UID 0. It's definitely AFWall+ blocking the VPN service. |
Could you please post the output from:
Thanks |
Nothing. grep returned with exitcode 1. |
Did you try immediately after seeing the blocked traffic problem? Does your afwall-reject chain use the LOG target, the NFLOG target, or neither? |
Ah. Wait, here we go. This is just after attempting to connect to the VPN provider.
|
To answer your other question... I think ...'iptables -n -L | grep -i log' returns this.
|
This looks like IPsec IKE traffic - do you see "racoon" in ps?
Our "VPN networking" option tries to match UID 1016 (vpn). I see that UID 1016 is used by ipsec-tools in AOSP 4.4.2:
But maybe we need to match GID 1016 too. |
This is the last time I could catch it running:
After a few quick searches, I'm not seeing an easy way to map user and group names to UIDs and GIDs. |
Hmm, this looks like UID vpn, but the log showed UID root. Can you look it up in /proc, e.g.
|
No cmdline contents, but I've got this. Notice that there are two processes running as the 'vpn' user:
|
...the connection failed last time, even with all root procs allowed. After deleting the rules again, I got this, after the connection succeeded:
|
The ordering is: (real, effective, saved, FS) uid/gid. I'm not sure why these processes would show UID=0 unless that is happening before it drops privilege.
Do you see any new denials logged in dmesg? |
Every time, unless AFWall+ is disabled. That hasn't changed. |
By the way, the privilege drop theory is interesting. One of these daemons (not sure which) must either be root or else using Android capabilities. After looking again at the characteristics of the dropped packets, they all have a source port of 500 as well as destination port of 500. |
So, is there anything else I can do to help get this fixed? |
If you're allowing root apps, I would not expect to see the UID=0 denials showing up in dmesg:
Can you figure out which rule(s) are causing the denials? The relevant counters in "iptables -nxvL" should increment for each packet. |
Well, again, the VPN processes are running as the 'vpn' user by the time I can get ps output. See my comment from 3 days ago. I'm not sure why it worked only the once when I allowed all UID 0 apps. I would treat that as a red herring for now. The only rule matches I'm certain of are these:
That matches up with the ICMP unreach packets I see going back to the VPN provider when I run tcpdump against my firewall's internal port. Now that I think about it, is there anything useful that I can provide in the way of firewall / router logs? I have a real router. |
That rejected 1 packet. Does that chain have RETURN entries for UID 0 and UID 1016? |
It does for 1016, but the closest rule for UID 0 is only:
|
Ah. Yep, there we go. Allowing all for UID 0 once again serves as a temporary workaround. One or more processes are changing UID. |
So... any updates? Plans to accommodate apps that drop UID 0? That seems to be the only way to resolve this permanently, short of an AOSP 4.4.2+ code change to ensure that UID 0 is dropped before any packets are sent on 500/udp. |
The netfilter "owner" module appears to match the fsuid that was in effect when the process created the socket. So this test case will succeed even if I add a REJECT rule for UID 1234:
but moving setfsuid() above the call to socket() changes the result. If your VPN client creates the IKE sockets as root (which may be done in order to use a source port under 1024) then the easiest way to whitelist it is to allow traffic from root apps. |
Yes, I know. However, I prefer fine-grained access control. Or are you saying that it's the only fix? |
Couple options here:
In general, if you are hesitant to whitelist root because you are running other root apps that you do not completely trust, that is a bigger problem that should be addressed first. |
I'm not exactly worried that I have malicious root-permissions apps installed on my device. Rather, I'm concerned about running a risk of leaking information, esp. from usage-tracking and crash-reporting code. Is this more or less what the custom AFWall script should look like in this case?
|
...answered my own question. 4500/udp is also required. I added '|| exit 1' to both lines to be on the safe side. |
I'm using OmniROM (4.4.2) nightlies. Either the OmniROM kernel does not support UDP connection tracking, AFWAll is failing to use connection tracking, or the default ruleset is breaking UDP connection tracking.
Enabling the "inbound" option in Preferences has no effect. AFWall has to be completely disabled to use the native VPN support.
In watching packet captures, I see that my device is returning ICMP unreachable when return packets arrive. The native Android client is using tunneled IPSec (4500/udp) as is common practice.
The text was updated successfully, but these errors were encountered: