[tor-talk] Linux kernel transproxy packet leak (w/ repro case + workaround)

Rusty Bird rustybird at openmailbox.org
Tue Apr 1 14:04:53 UTC 2014


Mike Perry:
> I've discovered that the Linux kernel appears to have a leak in how it
> applies transproxy rules to the TCP CLOSE_WAIT shutdown condition under
> certain circumstances.

Quite the bombshell!

I've reproduced those packets on kernel 3.13 using your iptables rules.
Strangely enough my own personal transproxy setup does not exhibit this
issue, but it's not yet in a releasable state.

Anyway, if someone wants to experiment on this bug without actually
sending out clearnet packets, current versions of corridor* have an
optional logging facility:

[1540.249244] corridor: reject IN=eth0 OUT=eth1 MACSRC=... MACDST=... MACPROTO=0800 SRC=10.0.0.2 DST=74.125.28.104 LEN=52 TOS=0x00 PREC=0x00 TTL=63 ID=59190 DF PROTO=TCP SPT=33200 DPT=80 WINDOW=229 RES=0x00 ACK FIN URGP=0
[1591.827163] corridor: reject IN=eth0 OUT=eth1 MACSRC=... MACDST=... MACPROTO=0800 SRC=10.0.0.2 DST=74.125.28.104 LEN=52 TOS=0x00 PREC=0x00 TTL=63 ID=59198 DF PROTO=TCP SPT=33200 DPT=80 WINDOW=229 RES=0x00 ACK FIN URGP=0

Rusty

* https://github.com/rustybird/corridor
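The reject lines above are in the standard netfilter LOG key=value format, and the interesting detail is the flag set: ACK FIN with no SYN, i.e. the teardown segment of an already established connection, which is the shape of the CLOSE_WAIT leak Mike describes. The following script is an added example (not part of this post and not corridor's own code) that parses such lines, separates teardown segments from fresh SYNs (a rejected SYN would point at a rule-ordering problem rather than this shutdown-time leak), and tallies them per source, destination and port so a reviewer can see at a glance what would have gone out in the clear had the filter not been in place. The first two sample lines are the ones from the post; the third SYN line and the unrelated kernel line are constructed to exercise the classifier.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Tuple

# Constructed sample: the first two lines are the corridor reject lines quoted
# in the post, the third is a constructed SYN reject, the fourth is unrelated noise.
SAMPLE_LOG = """\
[1540.249244] corridor: reject IN=eth0 OUT=eth1 MACSRC=... MACDST=... MACPROTO=0800 SRC=10.0.0.2 DST=74.125.28.104 LEN=52 TOS=0x00 PREC=0x00 TTL=63 ID=59190 DF PROTO=TCP SPT=33200 DPT=80 WINDOW=229 RES=0x00 ACK FIN URGP=0
[1591.827163] corridor: reject IN=eth0 OUT=eth1 MACSRC=... MACDST=... MACPROTO=0800 SRC=10.0.0.2 DST=74.125.28.104 LEN=52 TOS=0x00 PREC=0x00 TTL=63 ID=59198 DF PROTO=TCP SPT=33200 DPT=80 WINDOW=229 RES=0x00 ACK FIN URGP=0
[1600.000000] corridor: reject IN=eth0 OUT=eth1 MACSRC=... MACDST=... MACPROTO=0800 SRC=10.0.0.3 DST=93.184.216.34 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=1 DF PROTO=TCP SPT=40000 DPT=443 WINDOW=29200 RES=0x00 SYN URGP=0
[1601.000000] kernel: unrelated message
"""

# Bare tokens the netfilter LOG target emits for set TCP flags.
TCP_FLAGS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG"}

# "corridor: reject" is the log prefix shown in the post; adjust for another prefix.
LINE_RE = re.compile(r"^\[\s*(?P<ts>\d+\.\d+)\]\s+corridor:\s+reject\s+(?P<rest>.*)$")


@dataclass(frozen=True)
class RejectedPacket:
    timestamp: float
    src: str
    dst: str
    proto: str
    sport: Optional[int]
    dport: Optional[int]
    flags: FrozenSet[str]


def parse_line(line: str) -> Optional[RejectedPacket]:
    """Parse one reject line; return None for lines that are not reject records."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    fields: Dict[str, str] = {}
    flags = set()
    for tok in m.group("rest").split():
        if "=" in tok:
            key, value = tok.split("=", 1)
            fields[key] = value
        elif tok in TCP_FLAGS:
            flags.add(tok)
        # Other bare tokens (e.g. DF) are not needed for this triage.

    def port(key: str) -> Optional[int]:
        value = fields.get(key)
        return int(value) if value is not None and value.isdigit() else None

    return RejectedPacket(
        timestamp=float(m.group("ts")),
        src=fields.get("SRC", "?"),
        dst=fields.get("DST", "?"),
        proto=fields.get("PROTO", "?"),
        sport=port("SPT"),
        dport=port("DPT"),
        flags=frozenset(flags),
    )


def classify(pkt: RejectedPacket) -> str:
    """Label a rejected packet by what its TCP flags say about connection state."""
    if pkt.proto != "TCP":
        return "non-tcp"
    if "SYN" in pkt.flags and "ACK" not in pkt.flags:
        return "new-connection"      # a fresh connect that bypassed the redirect rules
    if "FIN" in pkt.flags:
        return "stale-teardown"      # shutdown segment of an existing connection (the post's case)
    if "RST" in pkt.flags:
        return "reset"
    return "other"


def find_teardown_leaks(log_text: str) -> List[RejectedPacket]:
    """Return only the packets matching the FIN-at-shutdown pattern from the post."""
    pkts = (parse_line(line) for line in log_text.splitlines())
    return [p for p in pkts if p is not None and classify(p) == "stale-teardown"]


def summarize(log_text: str) -> Counter:
    """Count rejected packets per (src, dst, dport, category)."""
    counts: Counter = Counter()
    for line in log_text.splitlines():
        pkt = parse_line(line)
        if pkt is not None:
            counts[(pkt.src, pkt.dst, pkt.dport, classify(pkt))] += 1
    return counts


if __name__ == "__main__":
    for (src, dst, dport, category), n in sorted(summarize(SAMPLE_LOG).items()):
        print(f"{category:15} {src} -> {dst}:{dport}  x{n}")
```

Run as a script it prints one line per (src, dst, port, category) tuple; fed a real `dmesg` or journal dump instead of `SAMPLE_LOG`, the `stale-teardown` rows are the ones to compare against Mike's CLOSE_WAIT description, while any `new-connection` rows deserve a separate look at the rule order.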
