[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: [tor-talk] tor/netfilter: packets without uid

To: tor-talk@xxxxxxxxxxxxxxxxxxxx
Subject: Re: [tor-talk] tor/netfilter: packets without uid
From: Marsh Ray <marsh@xxxxxxxxxxxxxxxxxx>
Date: Thu, 10 May 2012 22:52:08 -0500
Delivered-to: archiver@xxxxxxxx
Delivery-date: Fri, 11 May 2012 00:14:28 -0400
In-reply-to: <N1R-AGMzapz9RD@xxxxxxxxxxxxx>
List-archive: <http://lists.torproject.org/pipermail/tor-talk>
List-help: <mailto:tor-talk-request@lists.torproject.org?subject=help>
List-id: "This mailing list is for all discussion about theory, design, and development of Onion Routing." <tor-talk.lists.torproject.org>
List-post: <mailto:tor-talk@lists.torproject.org>
List-subscribe: <https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk>, <mailto:tor-talk-request@lists.torproject.org?subject=subscribe>
List-unsubscribe: <https://lists.torproject.org/cgi-bin/mailman/options/tor-talk>, <mailto:tor-talk-request@lists.torproject.org?subject=unsubscribe>
References: <N1R-AGMzapz9RD@xxxxxxxxxxxxx>
Reply-to: tor-talk@xxxxxxxxxxxxxxxxxxxx
Sender: tor-talk-bounces@xxxxxxxxxxxxxxxxxxxx
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:12.0) Gecko/20120430 Thunderbird/12.0.1

On 05/10/2012 09:11 PM, johnmurphy323@xxxxxxxxxxxxx wrote:

Hi List,

I am trying to tweak my transparent netfilter setup (Tor Stable,
Debian Wheezy, GNU/Linux, iptables v1.4.12.2, Kernel 3.2.0-amd64). So
far, redirection and torification works fine. I have have several
users, some of them have their TCP traffic forwarded to Tor, some are
allowed to send packets directly. It works splendid.

There is just one issue. About every once or twice a second there is
a tcp packet running along my filter (that is the iptables -t filter)
table that has no associated UID.

This is what they look like:

IN= OUT=eth0 SRC=192.168.178.50 DST=some-target LEN=40 TOS=0x00
PREC=0x00 TTL=64 ID=0 DF PROTO=TCP SPT=50447 DPT=443 WINDOW=1002
RES=0x00 ACK URGP=0

This packet is https, most likely generated by my firefox user when I
was browsing a website. But it gets more interesting. There are lost
packets, even when I only use Tor. A reverse dns lookup of the target
ip shows that these are packets send by tor to the first relay.

How is it possible for a packet not to have an associated uid?
Dropping these packets of course works, but the logging clutters my
syslog, and after all, why is there this type of leaking in the first
place?

I'm not a netfilter expert, but it looks this is a pure TCP ACK packet.With LEN=40 there's no application data in it. It may have beenauto-generated by the kernel as a reply to the external packet and nevertagged with a user for that reason.

Dropping them may result in retransmission. As you noticed, once ortwice a second until there's some user tagged data going out that cantransmit the ack.


Just a theory.

- Marsh
_______________________________________________
tor-talk mailing list
tor-talk@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk

Follow-Ups:
- Re: [tor-talk] tor/netfilter: packets without uid
  - From: coderman

References:
- [tor-talk] tor/netfilter: packets without uid
  - From: johnmurphy323

Prev by Author: Re: [tor-talk] How to Control middle Nodes?
Next by Author: Re: [tor-talk] google analytics says it can track across separate domains
Previous by thread: Re: [tor-talk] tor/netfilter: packets without uid
Next by thread: Re: [tor-talk] tor/netfilter: packets without uid
Index(es):
- Author
- Thread