[tor-talk] tor/netfilter: packets without uid

Jacob Appelbaum jacob at appelbaum.net
Sat May 12 03:13:27 UTC 2012


On 05/11/2012 11:09 PM, coderman wrote:
> On Fri, May 11, 2012 at 7:52 PM, Jacob Appelbaum <jacob at appelbaum.net> wrote:
>> ...
>> If this is actually the case, I'd say that this is a kernel bug. :(
> 
> some would call it a kernel "feature" to conserve memory space already
> wasted on TIME_WAIT.  not everything is designed around your
> particular use case. (it is not uncommon to find systems with 32k to
> 100k's of connections in time wait state at high throughput. a few
> more bytes each adds up!)
> 

The netfilter uid code is imposing this overhead - I think it's
reasonable to tag and stick with a UID rather than leave it blank.

> 
>> The best bet is probably to ensure that _all_ packets, regardless of UID,
>> are sent over Tor and only specific UIDs are _excepted_ from the policy.
> 
> this is the better option, and fails safe.

Indeed.

> 
> it's been years and still transparent proxy modes are black magic. one
> day we'll figure this out, right?

Doubtful.

All the best,
Jacob
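The fail-safe policy discussed above (redirect everything into Tor by default, except only the Tor daemon's own UID) as a concrete ruleset. This is an added example, not code from the tor-talk thread or from the Tor project; it assumes Tor runs as user debian-tor with `TransPort 9040` and `DNSPort 5353` in torrc, and it only emits the iptables command lines so it can be inspected (or piped to sh as root) without touching the live firewall. Because the UID exception is a RETURN ahead of a catch-all REDIRECT, a packet that carries no UID at all still falls through into Tor rather than bypassing it.

```shell
#!/bin/sh
# Added example (not from the tor-talk thread). Assumed settings: Tor runs as
# user debian-tor, torrc has "TransPort 9040" and "DNSPort 5353".
TOR_UID="${TOR_UID:-debian-tor}"
TRANS_PORT="${TRANS_PORT:-9040}"
DNS_PORT="${DNS_PORT:-5353}"
IPT="${IPT:-iptables}"

# nat/OUTPUT: the Tor daemon's own traffic and loopback are exempted first;
# every other locally generated DNS query and TCP connection is redirected
# into Tor. A packet with no UID matches neither RETURN and hits the
# catch-all REDIRECT, so the exception fails closed.
tor_nat_rules() {
    cat <<EOF
$IPT -t nat -A OUTPUT -m owner --uid-owner $TOR_UID -j RETURN
$IPT -t nat -A OUTPUT -o lo -j RETURN
$IPT -t nat -A OUTPUT -p udp --dport 53 -j REDIRECT --to-ports $DNS_PORT
$IPT -t nat -A OUTPUT -p tcp --syn -j REDIRECT --to-ports $TRANS_PORT
EOF
}

# filter/OUTPUT: after the nat rewrite, the only traffic allowed to leave is
# Tor itself, loopback, and what was redirected to Tor's local ports.
# Anything else (non-TCP, or TCP that somehow escaped the REDIRECT) is
# rejected, so UDP/ICMP cannot leak around the proxy.
tor_filter_rules() {
    cat <<EOF
$IPT -A OUTPUT -m owner --uid-owner $TOR_UID -j ACCEPT
$IPT -A OUTPUT -o lo -j ACCEPT
$IPT -A OUTPUT -p tcp -d 127.0.0.1 --dport $TRANS_PORT -j ACCEPT
$IPT -A OUTPUT -p udp -d 127.0.0.1 --dport $DNS_PORT -j ACCEPT
$IPT -A OUTPUT -j REJECT
EOF
}

# Sanity check on the generated ruleset: the UID exception must be the first
# rule of each chain and a REJECT must close the filter chain. Returns 0 when
# both hold, 1 otherwise.
tor_rules_are_fail_safe() {
    tor_nat_rules | head -n 1 | grep -q -- "--uid-owner $TOR_UID -j RETURN" || return 1
    tor_filter_rules | head -n 1 | grep -q -- "--uid-owner $TOR_UID -j ACCEPT" || return 1
    [ "$(tor_filter_rules | tail -n 1)" = "$IPT -A OUTPUT -j REJECT" ] || return 1
    return 0
}

# Usage: "sh tor-rules.sh print" shows the rules; "sh tor-rules.sh apply"
# loads them (requires root and an iptables binary on the host).
case "${1:-}" in
    print) tor_nat_rules; tor_filter_rules ;;
    apply) tor_rules_are_fail_safe && { tor_nat_rules; tor_filter_rules; } | sh ;;
esac
```

Two caveats for anyone using a ruleset like this: an equivalent `ip6tables -A OUTPUT -j REJECT` is needed unless IPv6 is disabled, because nothing above touches the v6 tables, and the ordering matters: if the REDIRECT came before the `--uid-owner` RETURN, Tor's own outbound circuits would be looped back into the TransPort.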

