[tor-talk] [tor-dev] Linux kernel transproxy packet leak (w/ repro case + workaround)

grarpamp grarpamp at gmail.com
Fri Mar 28 21:02:35 UTC 2014

On Fri, Mar 28, 2014 at 3:43 PM, Mike Perry <mikeperry at torproject.org> wrote:
> I've discovered that the Linux kernel appears to have a leak in how it
> applies transproxy rules to the TCP CLOSE_WAIT shutdown condition under
> certain circumstances.
> ...
> At this point, you will see a FIN ACK or RST ACK packet appear in your
> tcpdump window. That packet has leaked past the iptables firewall rules,
> and past the transproxy rules. It went straight to Google.

Good eye.

> This applies to both the kernels in use by common
> Android devices (Cyanogenmod 10.x and 11-M4), as well as the Linux
> kernel in Ubuntu 13.04 (3.8.0-35-generic).

If someone here can also verify and second it against a current stock
kernel, such as 3.12.15, why not submit it to Linux Bugzilla?

> For a workaround, I was able to prevent this issue with the addition
> of the following rules:

That is, if it's a bug and not a 'use a proper ruleset' issue.

> None of the transproxy documentation I could find mentions this issue

So that Tor and folks like Tails won't have to carry such docs and
workaround forever.

The ruleset seems to use uid-based transproxy; what happens with
entire-VM IP transproxy (perhaps like Tails)?
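As an added illustration of the two ruleset models the thread contrasts (uid-based transproxy on one host, versus redirecting a whole client VM's traffic at a Tor gateway), here is a reference script that is not part of the original mail, not the workaround Mike Perry posted (it is elided in the quote above), and not Tor's or Tails' own configuration. The Tor uid (109), the TransPort/DNSPort values (9040/5353), the interface names (eth0/eth1) and the client network (10.152.152.0/24 with gateway 10.152.152.10) are all assumed placeholders. The functions only emit the iptables commands, so the ruleset can be reviewed and tested without root; the filter rules are ordered so that a TCP segment which is neither on loopback, nor Tor's, nor a fresh SYN is dropped before the catch-all reject, which is the shape of packet the quoted repro describes leaking.

```shell
#!/bin/sh
# Reference transproxy rulesets for the two models named in the thread. Added
# example: not the workaround from the quoted mail and not Tor's or Tails' own
# configuration. Every uid, port, interface and address below is an assumed
# placeholder; override them via the environment.
#
#   uid      - redirect every non-Tor socket on this host (the quoted model)
#   gateway  - redirect everything arriving from a client network (whole-VM model)
#
# The functions only EMIT iptables commands so the ruleset can be reviewed or
# tested without root; pass "--apply" as the second argument to execute them.

TOR_UID="${TOR_UID:-109}"                   # uid Tor runs as (assumed)
TRANS_PORT="${TRANS_PORT:-9040}"            # Tor TransPort
DNS_PORT="${DNS_PORT:-5353}"                # Tor DNSPort
EXT_IF="${EXT_IF:-eth0}"                    # interface towards the real network
INT_IF="${INT_IF:-eth1}"                    # gateway: interface facing the clients
CLIENT_NET="${CLIENT_NET:-10.152.152.0/24}" # gateway: client network (assumed)
GW_IP="${GW_IP:-10.152.152.10}"             # gateway: primary address of $INT_IF;
                                            # Tor must listen there (TransPort $GW_IP:$TRANS_PORT)

# uid model, nat table: Tor's own sockets and loopback are left alone, the rest
# is redirected to Tor. Only the SYN is matched; conntrack carries the mapping
# for the remaining segments of the connection.
uid_nat_rules() {
    cat <<EOF
iptables -t nat -A OUTPUT -m owner --uid-owner $TOR_UID -j RETURN
iptables -t nat -A OUTPUT -o lo -j RETURN
iptables -t nat -A OUTPUT -p udp --dport 53 -j REDIRECT --to-ports $DNS_PORT
iptables -t nat -A OUTPUT -p tcp --syn -j REDIRECT --to-ports $TRANS_PORT
EOF
}

# Filter table, OUTPUT chain, shared by both models. Order matters: Tor and
# loopback are accepted first, then anything conntrack calls INVALID and any
# TCP segment that is not a fresh SYN is dropped, then the rest is rejected.
# A late FIN/ACK or RST/ACK whose conntrack entry already expired cannot open a
# new entry, so the nat table (which only acts on NEW) never rewrites it to
# loopback; whatever uid it is attributed to, it is not on lo, not Tor's and
# not a SYN, so it hits the DROP rules instead of leaving on $EXT_IF.
output_filter_rules() {
    cat <<EOF
iptables -A OUTPUT -m owner --uid-owner $TOR_UID -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A OUTPUT -m conntrack --ctstate INVALID -j DROP
iptables -A OUTPUT -p tcp ! --syn -j DROP
iptables -A OUTPUT -j REJECT --reject-with icmp-port-unreachable
EOF
}

# gateway model: client traffic is redirected in PREROUTING to Tor listening on
# $GW_IP. FORWARD is closed, so a client segment that misses NAT (the same late
# FIN/RST case, still carrying the client's real destination) is routed towards
# FORWARD and dropped there rather than forwarded out of $EXT_IF.
gateway_nat_rules() {
    cat <<EOF
iptables -t nat -A PREROUTING -i $INT_IF -s $CLIENT_NET -p udp --dport 53 -j REDIRECT --to-ports $DNS_PORT
iptables -t nat -A PREROUTING -i $INT_IF -s $CLIENT_NET -p tcp --syn -j REDIRECT --to-ports $TRANS_PORT
EOF
}

gateway_filter_rules() {
    cat <<EOF
iptables -A FORWARD -j DROP
iptables -A INPUT -i $INT_IF -d $GW_IP -p tcp --dport $TRANS_PORT -j ACCEPT
iptables -A INPUT -i $INT_IF -d $GW_IP -p udp --dport $DNS_PORT -j ACCEPT
iptables -A INPUT -i $INT_IF -j DROP
EOF
}

ruleset() {
    case "$1" in
        uid)     uid_nat_rules; output_filter_rules ;;
        gateway) gateway_nat_rules; gateway_filter_rules; output_filter_rules ;;
        *)       echo "usage: $0 {uid|gateway} [--apply]" >&2; return 2 ;;
    esac
}

# The check from the quoted repro: with the ruleset loaded, a transproxied
# connection to DEST must never produce a packet to DEST on the real interface.
# Run the printed command in one window while opening and closing the
# connection in another; any output is a leak.
leak_check_cmd() {
    printf 'tcpdump -ni %s "host %s"\n' "$EXT_IF" "$1"
}

case "${2:-}" in
    --apply) ruleset "${1:-}" | sh -e ;;                 # needs root
    *)       if [ -n "${1:-}" ]; then ruleset "$1"; fi ;;
esac
```

Saved as, say, `transproxy.sh` (hypothetical name), `sh transproxy.sh uid` prints the host ruleset for review and `sh transproxy.sh uid --apply` loads it as root; `sh transproxy.sh gateway` does the same for the VM model. The non-SYN DROP and the INVALID DROP are deliberately state-independent so that a segment the kernel emits after the conntrack entry is gone is still caught; whether the catch-all REJECT alone would have stopped the packet in the quoted repro is exactly the open question in the thread, so the tcpdump check is the part not to skip.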
