[tor-dev] Help with pf and iOS

Eugene F. e.fryntov at psiphon.ca
Fri Sep 28 19:41:23 UTC 2012

<sid77 at ...> writes:

> ----- Original Message ----- From: "Ralf-Philipp Weinmann" <ralf at ...> To:
> tor-dev at ...  Sent: Thursday, 31 May, 2012 5:46:49 PM Subject: Re: [tor-dev]
> Help with pf and iOS
> > Whoohoo!
> LOL, thanks!
> > I expect that you really _DO NEED_ that second loopback interface for the
> > above config, otherwise your packets will just end up in one big loop. A
> > workaround might be to tag the packets when they are rdr'ed and make sure
> > that you only rdr packets that are non-tagged. I have to look up the exact
> > syntax on how to do that. I strongly suggest testing your pf rules on
> > another machine first (OpenBSD or FreeBSD VM) and then deploying in iOS.
> Yeah, I sense the loop there. I thought that
> pass quick on lo0 keep state pass out quick inet proto tcp user nobody flags
> S/SA modulate state
> was my "exit strategy", anyway. Looks like they never really work Tagging
> packets is a good idea! It's something I didn't think to try in first place
> as, usually, it's useless when it comes to iptables but it's pf here, so I
> should definitively try it.
> > Do you have the kernel crash log handy by any chance? It should be in
> > /Library/Logs/CrashReporter/Panics
> Gone, but I will try to replicate it. Looking for some 0days, are you? :-P
> _______________________________________________ tor-dev mailing list
> tor-dev at ...  https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-dev

Hi sid77, 

I've got tor in transparent proxy mode working on jailbroken iPod 4 with iOS 6
installed.  I've started with iOS 5.1.1 but quickly found out that any
'route-to' rule results in kernel panic as soon as there is a match while the
same ruleset worked as expected on Mac OS X machine. My bet is on the fact that
the 'jailbreaking' is the culprit of this behaviour

Everything worked just fine on a jailbroken iOS 6 though, I'm not a pf guru, I
just needed a proof of concept, so my ruleset looked like this(I'm running tor
as root from command line, hence the allow root rule):

table <self> const { self }

rdr on lo0 proto tcp from any to ! <self> -> port 9040

#allow ssh on 22 pass in quick proto tcp from any to any port 22 pass out quick
proto tcp from any to any port 22

#allow root(tor) traffic pass out on ! lo0 proto tcp all user root tag "allowed"
keep state

pass out on ! lo0 route-to lo0 \ 
proto tcp all\ 
! tagged "allowed" \ 
tag "intercepted" \ 
keep state

As you can see the udp traffic bit is left out and furthermore, the whole
ruleset could be optimized but it works.

The second nasty bit was compiling tor for iOS 6. I'm pretty sure you know the
iOS SDK doesn't come with all required by transparent proxy functionality
include headers, net/pfvar.h in particular. Quick googling gave me

http://www.opensource.apple.com/source/xnu/xnu-1456.1.26/bsd/net/pfvar.h as well

as the other 2 missing and required by net/pfvar.h

http://www.opensource.apple.com/source/xnu/xnu-1456.1.26/bsd/sys/tree.h and

after downloading those I quickly figured the -DPRIVATE and
-DNO_APPLE_EXTENSIONS flags and compiled tor. Well, it didn't work with tor
giving me an ENODEV error over ioctl() call, so I suspected the headers were too
old. My kernel version was xnu-2107.2.33, but the latest available version of
xnu was 2050.9.2 (http://www.opensource.apple.com/source/xnu/xnu-2050.9.2), so I
crossed my fingers and downloaded the required headers from that tree.

Some locations have changed since v1456.1.26. My curl commands executed from
inside <SDK>/usr/include looked like this:

sudo curl -o libkern/tree.h \

sudo curl -o net/radix.h \
http://www.opensource.apple.com/source/xnu/xnu-2050.9.2/bsd/net/radix.h?txt sudo

curl -o net/pfvar.h \

I noticed that NO_APPLE_EXTENSIONS ifdefs were gone from the pfvar.h, so I
patched tor/src/or/connection_edge.c, replacing all instances of pnl.sport,
pnl.dport and pnl.rdport with pnl.sxport.port,  pnl.dxport.port and
pnl.rdxport.port respectively.

After compilation I ran tor from cl like: ./tor --User root --DataDirectory .
--TransPort 9040 --SocksPort 0 --Log debug making sure it works only in
Transparent Proxy mode with SOCKS disabled

Toggling pf rules in another terminal causes showmyip.com to show different IPs
while observing traffic flowing through tor.

Hope this information helps.

All the best, 

More information about the tor-dev mailing list