[tor-commits] [orbot/master] collection of submitted patches
n8fr8 at torproject.org
n8fr8 at torproject.org
Thu Oct 4 06:19:03 UTC 2012
commit 3ff65d2eed91922ac5a88bd6a1c51cd412d8a271
Author: n8fr8 <nathan at freitas.net>
Date: Thu Oct 4 11:28:47 2012 +0530
collection of submitted patches
---
patches/UDP-block.patch | 243 +++++++++++++++++++++++++++++++++++++
patches/udptransproxyfinal.patch | 247 ++++++++++++++++++++++++++++++++++++++
2 files changed, 490 insertions(+), 0 deletions(-)
diff --git a/patches/UDP-block.patch b/patches/UDP-block.patch
new file mode 100644
index 0000000..e16a957
--- /dev/null
+++ b/patches/UDP-block.patch
@@ -0,0 +1,243 @@
+From c2620d6939713762e30badc3ed5da981e296b742 Mon Sep 17 00:00:00 2001
+From: patch <patrickbx at gmail.com>
+Date: Mon, 23 Jul 2012 16:12:55 -0400
+Subject: [PATCH] Modified iptables rules for transproxying. UDP is now
+ blocked. Also removed some redundant rules and reordered
+ others. I reordered by the idea that its generally easier
+ to specifically allow traffic before your reject it.
+
+---
+ .../torproject/android/service/TorTransProxy.java | 133 ++++++++++----------
+ 1 file changed, 64 insertions(+), 69 deletions(-)
+
+diff --git a/src/org/torproject/android/service/TorTransProxy.java b/src/org/torproject/android/service/TorTransProxy.java
+index 2571123..c248a9f 100644
+--- a/src/org/torproject/android/service/TorTransProxy.java
++++ b/src/org/torproject/android/service/TorTransProxy.java
+@@ -224,6 +224,15 @@ public class TorTransProxy implements TorServiceConstants {
+
+ int torUid = context.getApplicationInfo().uid;
+
++ // Allow everything for Tor
++ script.append(ipTablesPath);
++ script.append(" -t filter");
++ script.append(" -A OUTPUT");
++ script.append(" -m owner --uid-owner ");
++ script.append(torUid);
++ script.append(" -j ACCEPT");
++ script.append(" || exit\n");
++
+ //build up array of shell cmds to execute under one root context
+ for (TorifiedApp tApp:apps)
+ {
+@@ -235,9 +244,9 @@ public class TorTransProxy implements TorServiceConstants {
+ {
+
+ TorService.logMessage("enabling transproxy for app: " + tApp.getUsername() + "(" + tApp.getUid() + ")");
+-
+- // Set up port redirection
+- script.append(ipTablesPath);
++
++ // Set up port redirection
++ script.append(ipTablesPath);
+ script.append(" -t nat");
+ script.append(" -A OUTPUT -p tcp");
+ script.append(" ! -d 127.0.0.1"); //allow access to localhost
+@@ -251,14 +260,28 @@ public class TorTransProxy implements TorServiceConstants {
+ // Same for DNS
+ script.append(ipTablesPath);
+ script.append(" -t nat");
+- script.append(" -A OUTPUT -p udp -m owner --uid-owner ");
++ script.append(" -A OUTPUT -p udp");
++ script.append(" -m owner --uid-owner ");
+ script.append(tApp.getUid());
+ script.append(" -m udp --dport ");
+ script.append(STANDARD_DNS_PORT);
+ script.append(" -j REDIRECT --to-ports ");
+ script.append(TOR_DNS_PORT);
+ script.append(" || exit\n");
+-
++
++ // Allow loopback
++ script.append(ipTablesPath);
++ script.append(" -t filter");
++ script.append(" -A OUTPUT");
++ script.append(" -m owner --uid-owner ");
++ script.append(tApp.getUid());
++ script.append(" -o lo");
++ script.append(" -j ACCEPT");
++ script.append(" || exit\n");
++
++ /*
++ //Outgoing loopback already allowed (23/7/12)
++
+ int[] ports = {TOR_DNS_PORT,TOR_TRANSPROXY_PORT,PORT_SOCKS,PORT_HTTP};
+
+ for (int port : ports)
+@@ -276,53 +299,32 @@ public class TorTransProxy implements TorServiceConstants {
+ script.append(" -j ACCEPT");
+ script.append(" || exit\n");
+ }
+-
+- // Allow loopback
++ */
++
++ // Reject all other outbound TCP packets
+ script.append(ipTablesPath);
+ script.append(" -t filter");
+ script.append(" -A OUTPUT");
+ script.append(" -m owner --uid-owner ");
+ script.append(tApp.getUid());
+ script.append(" -p tcp");
+- script.append(" -o lo");
+- script.append(" -j ACCEPT");
+- script.append(" || exit\n");
+-
+- // Reject DNS that is not from Tor (order is important - first matched rule counts!)
+- script.append(ipTablesPath);
+- script.append(" -t filter");
+- script.append(" -A OUTPUT");
+- script.append(" -m owner --uid-owner ");
+- script.append(tApp.getUid());
+- script.append(" -p udp");
+- script.append(" --dport ");
+- script.append(STANDARD_DNS_PORT);
+ script.append(" -j REJECT");
+ script.append(" || exit\n");
+-
+- // Reject all other outbound TCP packets
++
++ // Reject all other outbound UDP packets
+ script.append(ipTablesPath);
+ script.append(" -t filter");
+ script.append(" -A OUTPUT");
+ script.append(" -m owner --uid-owner ");
+ script.append(tApp.getUid());
+- script.append(" -p tcp");
++ script.append(" -p udp");
+ script.append(" -j REJECT");
+ script.append(" || exit\n");
++
+
+ }
+ }
+-
+
+- // Allow everything for Tor
+- script.append(ipTablesPath);
+- script.append(" -t filter");
+- script.append(" -A OUTPUT");
+- script.append(" -m owner --uid-owner ");
+- script.append(torUid);
+- script.append(" -j ACCEPT");
+- script.append(" || exit\n");
+-
+ String[] cmdAdd = {script.toString()};
+
+ code = TorServiceUtils.doShellCommand(cmdAdd, res, runRoot, waitFor);
+@@ -450,8 +452,8 @@ public class TorTransProxy implements TorServiceConstants {
+
+ int torUid = context.getApplicationInfo().uid;
+
+- // Set up port redirection
+- script.append(ipTablesPath);
++ // Set up port redirection
++ script.append(ipTablesPath);
+ script.append(" -t nat");
+ script.append(" -A OUTPUT -p tcp");
+ script.append(" ! -d 127.0.0.1"); //allow access to localhost
+@@ -465,14 +467,36 @@ public class TorTransProxy implements TorServiceConstants {
+ // Same for DNS
+ script.append(ipTablesPath);
+ script.append(" -t nat");
+- script.append(" -A OUTPUT -p udp -m owner ! --uid-owner ");
++ script.append(" -A OUTPUT -p udp");
++ script.appent(" -m owner ! --uid-owner ");
+ script.append(torUid);
+ script.append(" -m udp --dport ");
+ script.append(STANDARD_DNS_PORT);
+ script.append(" -j REDIRECT --to-ports ");
+ script.append(TOR_DNS_PORT);
+ script.append(" || exit\n");
++
++ // Allow loopback
++ script.append(ipTablesPath);
++ script.append(" -t filter");
++ script.append(" -A OUTPUT");
++ script.append(" -o lo");
++ script.append(" -j ACCEPT");
++ script.append(" || exit\n");
+
++ // Allow everything for Tor
++ script.append(ipTablesPath);
++ script.append(" -t filter");
++ script.append(" -A OUTPUT");
++ script.append(" -m owner --uid-owner ");
++ script.append(torUid);
++ script.append(" -j ACCEPT");
++ script.append(" || exit\n");
++
++
++ /*
++ //Outgoing loopback already allowed (23/7/12)
++
+ int[] ports = {TOR_DNS_PORT,TOR_TRANSPROXY_PORT,PORT_SOCKS,PORT_HTTP};
+
+ for (int port : ports)
+@@ -490,25 +514,8 @@ public class TorTransProxy implements TorServiceConstants {
+ script.append(" -j ACCEPT");
+ script.append(" || exit\n");
+
+- }
+-
+- // Allow loopback
+- script.append(ipTablesPath);
+- script.append(" -t filter");
+- script.append(" -A OUTPUT");
+- script.append(" -p tcp");
+- script.append(" -o lo");
+- script.append(" -j ACCEPT");
+- script.append(" || exit\n");
++ } */
+
+- // Allow everything for Tor
+- script.append(ipTablesPath);
+- script.append(" -t filter");
+- script.append(" -A OUTPUT");
+- script.append(" -m owner --uid-owner ");
+- script.append(torUid);
+- script.append(" -j ACCEPT");
+- script.append(" || exit\n");
+
+ if (TorService.ENABLE_DEBUG_LOG)
+ {
+@@ -532,23 +539,11 @@ public class TorTransProxy implements TorServiceConstants {
+ script.append(" --log-uid");
+ script.append(" || exit\n");
+ }
+-
+- // Reject DNS that is not from Tor (order is important - first matched rule counts!)
+- script.append(ipTablesPath);
+- script.append(" -t filter");
+- script.append(" -A OUTPUT");
+- script.append(" -p udp");
+- script.append(" --dport ");
+- script.append(STANDARD_DNS_PORT);
+- script.append(" -j REJECT");
+- script.append(" || exit\n");
+-
+- // Reject all other outbound TCP packets
++
++ // Reject all other outbound packets by default
+ script.append(ipTablesPath);
+ script.append(" -t filter");
+- script.append(" -A OUTPUT");
+- script.append(" -p tcp");
+- script.append(" -j REJECT");
++ script.append(" -P OUTPUT DROP");
+ script.append(" || exit\n");
+
+ String[] cmdAdd = {script.toString()};
+--
+1.7.9.5
+
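Review bot: The line `script.appent(" -m owner ! --uid-owner ");` in the all-apps DNS block of the embedded patch (the `@@ -465,14 +467,36 @@` hunk) calls a method StringBuilder does not have, so this patch file does not compile when applied on its own; the second patch file in this commit removes that line again, so either squash the two or fix it here to `script.append(" -m owner ! --uid-owner ");`. The same patch also replaces the explicit TCP and UDP REJECT rules of the all-apps path with `script.append(" -P OUTPUT DROP");`, which changes the chain's default policy rather than appending a rule; a policy is not undone by flushing rules, so unless the teardown path (not visible here) restores `-P OUTPUT ACCEPT`, disabling transproxy would leave the device without outbound connectivity. The later patch file in this commit reverts that to per-protocol REJECT rules, which is the safer form. The embedded hunks cut through the two rule-building methods, whose starts and ends are outside this patch.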
diff --git a/patches/transproxy.patch b/patches/transproxy.patch
new file mode 100644
index 0000000..e69de29
diff --git a/patches/udptransproxyfinal.patch b/patches/udptransproxyfinal.patch
new file mode 100644
index 0000000..32cc0e2
--- /dev/null
+++ b/patches/udptransproxyfinal.patch
@@ -0,0 +1,247 @@
+From a81741afe06ac2309b4306dedbd5a0ebf755b7e1 Mon Sep 17 00:00:00 2001
+From: patch <patrickbx at gmail.com>
+Date: Fri, 31 Aug 2012 17:25:52 -0400
+Subject: [PATCH] Addendum to the last commit on UDP transproxy rules. Trying
+ to simplfy the iptables rules didn't work out so this is a
+ minimal change from the original TorTransProxy.java file.
+ UDP is blocked and tested as working.
+
+---
+ .../torproject/android/service/TorTransProxy.java | 144 ++++++++++++--------
+ 1 file changed, 84 insertions(+), 60 deletions(-)
+
+diff --git a/src/org/torproject/android/service/TorTransProxy.java b/src/org/torproject/android/service/TorTransProxy.java
+index c248a9f..90bdc34 100644
+--- a/src/org/torproject/android/service/TorTransProxy.java
++++ b/src/org/torproject/android/service/TorTransProxy.java
+@@ -224,15 +224,6 @@ public class TorTransProxy implements TorServiceConstants {
+
+ int torUid = context.getApplicationInfo().uid;
+
+- // Allow everything for Tor
+- script.append(ipTablesPath);
+- script.append(" -t filter");
+- script.append(" -A OUTPUT");
+- script.append(" -m owner --uid-owner ");
+- script.append(torUid);
+- script.append(" -j ACCEPT");
+- script.append(" || exit\n");
+-
+ //build up array of shell cmds to execute under one root context
+ for (TorifiedApp tApp:apps)
+ {
+@@ -244,9 +235,9 @@ public class TorTransProxy implements TorServiceConstants {
+ {
+
+ TorService.logMessage("enabling transproxy for app: " + tApp.getUsername() + "(" + tApp.getUid() + ")");
+-
+- // Set up port redirection
+- script.append(ipTablesPath);
++
++ // Set up port redirection
++ script.append(ipTablesPath);
+ script.append(" -t nat");
+ script.append(" -A OUTPUT -p tcp");
+ script.append(" ! -d 127.0.0.1"); //allow access to localhost
+@@ -260,28 +251,14 @@ public class TorTransProxy implements TorServiceConstants {
+ // Same for DNS
+ script.append(ipTablesPath);
+ script.append(" -t nat");
+- script.append(" -A OUTPUT -p udp");
+- script.append(" -m owner --uid-owner ");
++ script.append(" -A OUTPUT -p udp -m owner --uid-owner ");
+ script.append(tApp.getUid());
+ script.append(" -m udp --dport ");
+ script.append(STANDARD_DNS_PORT);
+ script.append(" -j REDIRECT --to-ports ");
+ script.append(TOR_DNS_PORT);
+ script.append(" || exit\n");
+-
+- // Allow loopback
+- script.append(ipTablesPath);
+- script.append(" -t filter");
+- script.append(" -A OUTPUT");
+- script.append(" -m owner --uid-owner ");
+- script.append(tApp.getUid());
+- script.append(" -o lo");
+- script.append(" -j ACCEPT");
+- script.append(" || exit\n");
+-
+- /*
+- //Outgoing loopback already allowed (23/7/12)
+-
++
+ int[] ports = {TOR_DNS_PORT,TOR_TRANSPROXY_PORT,PORT_SOCKS,PORT_HTTP};
+
+ for (int port : ports)
+@@ -299,8 +276,30 @@ public class TorTransProxy implements TorServiceConstants {
+ script.append(" -j ACCEPT");
+ script.append(" || exit\n");
+ }
+- */
+-
++
++ // Allow loopback
++ script.append(ipTablesPath);
++ script.append(" -t filter");
++ script.append(" -A OUTPUT");
++ script.append(" -m owner --uid-owner ");
++ script.append(tApp.getUid());
++ script.append(" -p tcp");
++ script.append(" -o lo");
++ script.append(" -j ACCEPT");
++ script.append(" || exit\n");
++
++ // Reject DNS that is not from Tor (order is important - first matched rule counts!)
++ script.append(ipTablesPath);
++ script.append(" -t filter");
++ script.append(" -A OUTPUT");
++ script.append(" -m owner --uid-owner ");
++ script.append(tApp.getUid());
++ script.append(" -p udp");
++ script.append(" --dport ");
++ script.append(STANDARD_DNS_PORT);
++ script.append(" -j REJECT");
++ script.append(" || exit\n");
++
+ // Reject all other outbound TCP packets
+ script.append(ipTablesPath);
+ script.append(" -t filter");
+@@ -321,10 +320,19 @@ public class TorTransProxy implements TorServiceConstants {
+ script.append(" -j REJECT");
+ script.append(" || exit\n");
+
+-
+ }
+ }
++
+
++ // Allow everything for Tor
++ script.append(ipTablesPath);
++ script.append(" -t filter");
++ script.append(" -A OUTPUT");
++ script.append(" -m owner --uid-owner ");
++ script.append(torUid);
++ script.append(" -j ACCEPT");
++ script.append(" || exit\n");
++
+ String[] cmdAdd = {script.toString()};
+
+ code = TorServiceUtils.doShellCommand(cmdAdd, res, runRoot, waitFor);
+@@ -452,8 +460,8 @@ public class TorTransProxy implements TorServiceConstants {
+
+ int torUid = context.getApplicationInfo().uid;
+
+- // Set up port redirection
+- script.append(ipTablesPath);
++ // Set up port redirection
++ script.append(ipTablesPath);
+ script.append(" -t nat");
+ script.append(" -A OUTPUT -p tcp");
+ script.append(" ! -d 127.0.0.1"); //allow access to localhost
+@@ -467,36 +475,14 @@ public class TorTransProxy implements TorServiceConstants {
+ // Same for DNS
+ script.append(ipTablesPath);
+ script.append(" -t nat");
+- script.append(" -A OUTPUT -p udp");
+- script.appent(" -m owner ! --uid-owner ");
++ script.append(" -A OUTPUT -p udp -m owner ! --uid-owner ");
+ script.append(torUid);
+ script.append(" -m udp --dport ");
+ script.append(STANDARD_DNS_PORT);
+ script.append(" -j REDIRECT --to-ports ");
+ script.append(TOR_DNS_PORT);
+ script.append(" || exit\n");
+-
+- // Allow loopback
+- script.append(ipTablesPath);
+- script.append(" -t filter");
+- script.append(" -A OUTPUT");
+- script.append(" -o lo");
+- script.append(" -j ACCEPT");
+- script.append(" || exit\n");
+
+- // Allow everything for Tor
+- script.append(ipTablesPath);
+- script.append(" -t filter");
+- script.append(" -A OUTPUT");
+- script.append(" -m owner --uid-owner ");
+- script.append(torUid);
+- script.append(" -j ACCEPT");
+- script.append(" || exit\n");
+-
+-
+- /*
+- //Outgoing loopback already allowed (23/7/12)
+-
+ int[] ports = {TOR_DNS_PORT,TOR_TRANSPROXY_PORT,PORT_SOCKS,PORT_HTTP};
+
+ for (int port : ports)
+@@ -514,8 +500,25 @@ public class TorTransProxy implements TorServiceConstants {
+ script.append(" -j ACCEPT");
+ script.append(" || exit\n");
+
+- } */
++ }
++
++ // Allow loopback
++ script.append(ipTablesPath);
++ script.append(" -t filter");
++ script.append(" -A OUTPUT");
++ script.append(" -p tcp");
++ script.append(" -o lo");
++ script.append(" -j ACCEPT");
++ script.append(" || exit\n");
+
++ // Allow everything for Tor
++ script.append(ipTablesPath);
++ script.append(" -t filter");
++ script.append(" -A OUTPUT");
++ script.append(" -m owner --uid-owner ");
++ script.append(torUid);
++ script.append(" -j ACCEPT");
++ script.append(" || exit\n");
+
+ if (TorService.ENABLE_DEBUG_LOG)
+ {
+@@ -539,13 +542,34 @@ public class TorTransProxy implements TorServiceConstants {
+ script.append(" --log-uid");
+ script.append(" || exit\n");
+ }
+-
+- // Reject all other outbound packets by default
++
++ // Reject DNS that is not from Tor (order is important - first matched rule counts!)
+ script.append(ipTablesPath);
+ script.append(" -t filter");
+- script.append(" -P OUTPUT DROP");
++ script.append(" -A OUTPUT");
++ script.append(" -p udp");
++ script.append(" --dport ");
++ script.append(STANDARD_DNS_PORT);
++ script.append(" -j REJECT");
+ script.append(" || exit\n");
+
++ // Reject all other outbound TCP packets
++ script.append(ipTablesPath);
++ script.append(" -t filter");
++ script.append(" -A OUTPUT");
++ script.append(" -p tcp");
++ script.append(" -j REJECT");
++ script.append(" || exit\n");
++
++ // Reject all other outbound UDP packets
++ script.append(ipTablesPath);
++ script.append(" -t filter");
++ script.append(" -A OUTPUT");
++ script.append(" -p udp");
++ script.append(" -j REJECT");
++ script.append(" || exit\n");
++
++
+ String[] cmdAdd = {script.toString()};
+
+ code = TorServiceUtils.doShellCommand(cmdAdd, res, runRoot, waitFor);
+--
+1.7.9.5
+
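Review bot: The blanket TCP and UDP REJECT rules appended at the end of the all-apps path (the `// Reject all other outbound UDP packets` block and the TCP block before it) carry no owner match, so they spare Tor only because the `-m owner --uid-owner torUid -j ACCEPT` rule and the `-o lo` ACCEPT are appended earlier in the same script; nothing in the code records that dependency, and a later reorder would cut Tor itself off. A comment on the REJECT block such as `// Must stay after the Tor-uid and loopback ACCEPTs above: first matching rule wins` would make the ordering constraint explicit, mirroring the note already on the DNS rule. Separately, the per-app loopback ACCEPT is now `-p tcp -o lo`, so UDP DNS redirected to TOR_DNS_PORT reaches the filter chain as UDP to loopback and is presumably accepted only by the `ports` loop, whose body lies outside the embedded hunk; worth confirming that loop does not restrict itself to TCP, otherwise torified apps lose DNS. Both embedded hunks cut through methods that start and end outside this patch.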