[tor-bugs] #18100 [Core Tor/Tor]: src/or/connection_edge.c typo
Tor Bug Tracker & Wiki
blackhole at torproject.org
Mon Mar 27 02:30:01 UTC 2017
#18100: src/or/connection_edge.c typo
-------------------------------------------------+-------------------------
Reporter: jirib | Owner:
Type: defect | Status:
| needs_revision
Priority: Medium | Milestone: Tor:
| unspecified
Component: Core Tor/Tor | Version: Tor:
| 0.2.9.9
Severity: Normal | Resolution:
Keywords: isaremoved, nickwants029, lorax, | Actual Points:
tor-03-unspecified-201612 |
Parent ID: | Points:
Reviewer: | Sponsor:
-------------------------------------------------+-------------------------
Comment (by d4fq0fQAgoJ):
System: Linux 4.10.5-1-ARCH x86_64, tor 0.2.9.9
It appears to me that TPROXYing only works for me when connection tracking
is active. When I apply the patch TPROXYing works for me no matter if
conntection tracking is active or not.
Steps to reproduce:
Make sure no conntrack modules are loaded.
# lsmod | grep conntrack
should print nothing.
Flush your firewall rules:
# iptables -t raw -F
# iptables -t mangle -F
# iptables -t nat -F
# iptables -t filter -F
Setup TPROXYing with iptables:
# iptables -t mangle -A PREROUTING -m socket --transparent -j ACCEPT
# iptables -t mangle -A PREROUTING -p tcp --syn -d 127.192.0.0/10 -j
TPROXY --on-port 9052
Start Tor with the following config:
SOCKSPort 0
TransPort 9052 IsolateClientProtocol IsolateDestAddr
TransProxyType TPROXY
DNSPort 9053
AutomapHostsOnResolve 1
Log notice stdout
DataDirectory /tmp/tor
User tor
# tor -f ./<TORRC>
[notice] Opening DNS listener on 127.0.0.1:9053
[notice] Opening Transparent pf/netfilter listener on 127.0.0.1:9052
Verify traffic to 127.192.0.0/10 is routed properly to localhost (should
always be):
# ip route get to 127.192.0.0/10 from 127.0.0.1
local 127.192.0.0 from 127.0.0.1 dev lo uid 0
cache <local>
Ask Tor to automap an onion for us:
# drill -p 9053 duskgytldkxiuqc6.onion @127.0.0.1
Make sure no conntrack modules are loaded (or more precisely: connection
tracking is not active for the path to 127.192.0.0/10), otherwise curl
will succeed! Use the IP address reported by drill.
# curl 127.192.A.B
Tor will report:
[warn] getsockopt() failed: No such file or directory
[warn] Fetching original destination failed. Closing.
Call curl again but this time with loaded conntrack modules.
# modprobe nf_conntrack_ipv4
# curl 127.192.A.B
It should succeed now.
Looking at the code it seems that getsockopt() is called. The patch
activates a code path where getsockname() is called instead which seems to
make it work even if no connection tracking is active. Maybe the author of
that code can shed more light into that?
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/18100#comment:20>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
More information about the tor-bugs
mailing list