[tor-commits] [orbot/master] allows UDP packets to localhost for DNS

n8fr8 at torproject.org n8fr8 at torproject.org
Thu Oct 4 06:19:03 UTC 2012


commit 6e45cab8ee8b221f15899ae101fc9bf90e6e1311
Author: n8fr8 <nathan at freitas.net>
Date:   Thu Oct 4 11:27:17 2012 +0530

    allows UDP packets to localhost for DNS
---
 .../torproject/android/service/TorTransProxy.java  |   16 +++++++++++++++-
 1 files changed, 15 insertions(+), 1 deletions(-)

diff --git a/src/org/torproject/android/service/TorTransProxy.java b/src/org/torproject/android/service/TorTransProxy.java
index 6db0437..bd2c58a 100644
--- a/src/org/torproject/android/service/TorTransProxy.java
+++ b/src/org/torproject/android/service/TorTransProxy.java
@@ -309,6 +309,7 @@ public class TorTransProxy implements TorServiceConstants {
 				script.append(" || exit\n");
 				
 				// Reject DNS that is not from Tor (order is important - first matched rule counts!)
+				/*
 				script.append(ipTablesPath);
 				script.append(modCmd);
 				script.append(" -t filter");
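Review bot: The DNS-specific REJECT for this UID is disabled by opening a `/*` at L24 rather than deleting the code, and the `// Reject DNS that is not from Tor …` comment above it now describes a rule that no longer runs; the closing `*/` sits in the next hunk (L32) and the global-mode copy in the hunk ending at L88 repeats the pattern. Leaving the block behind invites it to be uncommented later without the loopback exemption that the rest of the commit adds. Removing the block and replacing the stale comment with `// DNS from this UID that is not redirected to Tor is caught by the generic UDP REJECT below; only traffic to 127.0.0.1 is exempt` records the invariant where a reader will look for it. The enclosing method starts and ends outside the hunk.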
@@ -319,6 +320,7 @@ public class TorTransProxy implements TorServiceConstants {
 				script.append(STANDARD_DNS_PORT);
 				script.append(" -j REJECT");
 				script.append(" || exit\n");
+				*/
 				
 				// Reject all other outbound TCP packets
 				script.append(ipTablesPath);
@@ -327,6 +329,7 @@ public class TorTransProxy implements TorServiceConstants {
 				script.append(" -m owner --uid-owner ");
 				script.append(tApp.getUid());
 				script.append(" -p tcp");
+				script.append(" ! -d 127.0.0.1"); //allow access to localhost
 				script.append(" -j REJECT");
 				script.append(" || exit\n");
 				
@@ -337,6 +340,7 @@ public class TorTransProxy implements TorServiceConstants {
 				script.append(" -m owner --uid-owner ");
 				script.append(tApp.getUid());
 				script.append(" -p udp");
+				script.append(" ! -d 127.0.0.1"); //allow access to localhost
 				script.append(" -j REJECT");
 				script.append(" || exit\n");
 				
@@ -493,7 +497,7 @@ public class TorTransProxy implements TorServiceConstants {
     	//flushIptables(context);
     	
     	int torUid = context.getApplicationInfo().uid;
-
+    	
     	// Set up port redirection
     	script.append(ipTablesPath);
     	script.append(" -" + cmd + " OUTPUT");
@@ -580,20 +584,27 @@ public class TorTransProxy implements TorServiceConstants {
 		}
 		
 		// Reject DNS that is not from Tor (order is important - first matched rule counts!)
+		/*
 		script.append(ipTablesPath);
     	script.append(" -" + cmd + " OUTPUT");
 		script.append(" -t filter");
+		script.append(" -m owner ! --uid-owner ");
+		script.append(torUid);
 		script.append(" -p udp");
 		script.append(" --dport ");
 		script.append(STANDARD_DNS_PORT);
 		script.append(" -j REJECT");
 		script.append(" || exit\n");
+		*/
 		
 		// Reject all other outbound TCP packets
 		script.append(ipTablesPath);
     	script.append(" -" + cmd + " OUTPUT");
 		script.append(" -t filter");
+		script.append(" -m owner ! --uid-owner ");
+		script.append(torUid);
 		script.append(" -p tcp");
+		script.append(" ! -d 127.0.0.1"); //allow access to localhost
 		script.append(" -j REJECT");
 		script.append(" || exit\n");
 
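Review bot: The two lines added at L69–L70 (`-m owner ! --uid-owner` / `torUid`) sit inside the `/* … */` block the same commit opens at L65, so they are added and dead in one step; either the block should be removed or those two lines dropped. Separately, the TCP REJECT at L82–L83 (and the UDP REJECT at L93–L94 in the next hunk) gains `-m owner ! --uid-owner torUid`, an exemption for Tor's own UID that the commit message does not mention and that is what lets Tor's outbound connections through this rule. That change merits a line in the message and a short comment, e.g. `// Tor's own UID must reach the network; every other UID is rejected unless the destination is loopback`. The `script.append(" -" + cmd + " OUTPUT");` lines at L67 and L80 mix spaces and a tab where the surrounding lines are tab-indented. The enclosing method starts and ends outside the hunk.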
@@ -601,7 +612,10 @@ public class TorTransProxy implements TorServiceConstants {
 		script.append(ipTablesPath);
     	script.append(" -" + cmd + " OUTPUT");
 		script.append(" -t filter");
+		script.append(" -m owner ! --uid-owner ");
+		script.append(torUid);
 		script.append(" -p udp");
+		script.append(" ! -d 127.0.0.1"); //allow access to localhost
 		script.append(" -j REJECT");
 		script.append(" || exit\n");
 




