
Re: [tor-talk] Linux kernel transproxy packet leak (w/ repro case + workaround)



Mike Perry:
> I've discovered that the Linux kernel appears to have a leak in how it
> applies transproxy rules to the TCP CLOSE_WAIT shutdown condition under
> certain circumstances.

Quite the bombshell!

I've reproduced those packets on kernel 3.13 using your iptables rules.
Strangely enough my own personal transproxy setup does not exhibit this
issue, but it's not yet in a releasable state.

Anyway, if someone wants to experiment on this bug without actually
sending out clearnet packets, current versions of corridor* have an
optional logging facility:

[1540.249244] corridor: reject IN=eth0 OUT=eth1 MACSRC=... MACDST=...
MACPROTO=0800 SRC=10.0.0.2 DST=74.125.28.104 LEN=52 TOS=0x00 PREC=0x00
TTL=63 ID=59190 DF PROTO=TCP SPT=33200 DPT=80 WINDOW=229 RES=0x00 ACK
FIN URGP=0
[1591.827163] corridor: reject IN=eth0 OUT=eth1 MACSRC=... MACDST=...
MACPROTO=0800 SRC=10.0.0.2 DST=74.125.28.104 LEN=52 TOS=0x00 PREC=0x00
TTL=63 ID=59198 DF PROTO=TCP SPT=33200 DPT=80 WINDOW=229 RES=0x00 ACK
FIN URGP=0

Rusty

* https://github.com/rustybird/corridor
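As an added example (not part of Rusty's post or of the corridor project), here is a small triage script for corridor's netfilter-style reject lines: it separates ordinary blocked connection attempts (SYN) from teardown segments (FIN/RST with no SYN) like the two quoted above, which is the pattern a leaked CLOSE_WAIT shutdown would leave. The sample lines are constructed from the quoted format, and the field and flag names are those of the Linux netfilter LOG target as they appear in the post.

```python
import re
from collections import Counter

# Constructed sample in the format of the corridor reject lines quoted above
# (not real captured traffic): two FIN/ACK lines mirroring the post plus one SYN line for contrast.
SAMPLE_LOG = """\
[1540.249244] corridor: reject IN=eth0 OUT=eth1 MACSRC=... MACDST=... MACPROTO=0800 SRC=10.0.0.2 DST=74.125.28.104 LEN=52 TOS=0x00 PREC=0x00 TTL=63 ID=59190 DF PROTO=TCP SPT=33200 DPT=80 WINDOW=229 RES=0x00 ACK FIN URGP=0
[1591.827163] corridor: reject IN=eth0 OUT=eth1 MACSRC=... MACDST=... MACPROTO=0800 SRC=10.0.0.2 DST=74.125.28.104 LEN=52 TOS=0x00 PREC=0x00 TTL=63 ID=59198 DF PROTO=TCP SPT=33200 DPT=80 WINDOW=229 RES=0x00 ACK FIN URGP=0
[1602.113900] corridor: reject IN=eth0 OUT=eth1 MACSRC=... MACDST=... MACPROTO=0800 SRC=10.0.0.2 DST=198.51.100.7 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=4242 DF PROTO=TCP SPT=41000 DPT=443 WINDOW=29200 RES=0x00 SYN URGP=0
"""

LINE_RE = re.compile(r"^\[\s*(?P<ts>\d+\.\d+)\]\s+corridor:\s+(?P<verdict>\S+)\s+(?P<rest>.*)$")
TCP_FLAGS = {"SYN", "ACK", "FIN", "RST", "PSH", "URG"}

def parse_line(line):  # split a netfilter LOG-style line into key=value fields and bare flags
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    fields, flags = {}, set()
    for tok in m.group("rest").split():
        if "=" in tok:
            key, value = tok.split("=", 1)
            fields[key] = value
        else:
            flags.add(tok)  # DF, SYN, ACK, FIN, ... are emitted as bare words
    return {"ts": float(m.group("ts")), "verdict": m.group("verdict"),
            "fields": fields, "flags": flags}

def classify(rec):  # leaked teardown segment vs. ordinary blocked connection attempt
    if rec["fields"].get("PROTO") != "TCP":
        return "non-tcp"
    tcp = rec["flags"] & TCP_FLAGS
    if "SYN" in tcp:
        return "new-connection"  # the transproxy rules never applied to this flow at all
    if tcp & {"FIN", "RST"}:
        return "teardown-leak"   # an established flow's shutdown bypassed the redirect
    return "midstream"

def triage(log_text):  # per-class counts plus the 4-tuples of flows that leaked teardown segments
    counts, leaked_flows = Counter(), set()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["verdict"] != "reject":
            continue
        kind = classify(rec)
        counts[kind] += 1
        if kind == "teardown-leak":
            f = rec["fields"]
            leaked_flows.add((f["SRC"], f["SPT"], f["DST"], f["DPT"]))
    return counts, leaked_flows
```

Feed it the kernel log (for example `dmesg | grep corridor:`) to see whether the rejected traffic is dominated by FIN/RST segments from already-established flows, which is what distinguishes this kernel bug from a plain misconfiguration.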


-- 
tor-talk mailing list - tor-talk@xxxxxxxxxxxxxxxxxxxx
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk