-
Notifications
You must be signed in to change notification settings - Fork 446
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
AFWall+ tells me that "Unknown(-100)" is generating traffic, but that app UID is not in the list #1250
Comments
I am getting this as well on brand new OnePlus 9Pro new install |
Same here. In case AFWall is enabled, there is no network in chrooted Arch linux on the phone. In AFWall log I can see Unknown(-100), and/or "Deleted app", when trying to ping or ssh something. |
I have the same issue [-100] Unknown, I just can't find the application in the list can you please fix this issue. Or allow to change setting for the application in log list. I am using paid version. |
The same. If you grant full network access to dev.afwall.special.kernel (AppID: -11) this message will no longer be displayed. |
Same for me. Hint by @berbant is working, but would be nice to know what Unknown (-100) is and don't grant access for (-11) to did not notified anymore. |
Thanks @berbant now the switch from WiFi to mobile data is working for me. It'd still be nice to have a specific entry for that. |
It doesn't notify anymore because you're letting those mysterious connections connect to their destination, defeating the purpose of a firewall. Why would you give something internet access if you don't know what it is? If your day to day usage is unaffected by -100 & -11 being blocked, you should leave them both blocked and unable to get any network access. The logs tell you activity happened, they aren't necessarily indicative of a "problem" unless an app isn't connecting to the web as it should. |
The cause of this is a race condition in the app in Log new view, entries appear as Unknown(-100) affected are a dozen or so packets that are detected before the app can determine an App ID I believe it appeared around 3.5.3 and appears in all later versions IMPACT: GET-AROUND: Do not use VPN :) |
Here’s a script that helped me out:
|
@ukanth This is THE BUG TO FIX for 3.6 random blocking of initial packets is not a problem when communication is retried If the initial 1073 DNS request for DNS privacy fails, connectivity check fails and Internet may not be reachable From my research, the AFWall+ set-up of user IDs is delayed and all packets are blocked before this is finished. Therefore, the dozen or so first packets for every interface are blocked no matter how AFWall+ is configured |
Log Symptoms: Duration Persistence Private DNS Complete Failure |
Some news on this issue? I am also affected by this error (using version 3.6), which version was not affected? |
I could solve it for me like that. Marking the packets! index cdba365a..4b8ee9b0 100644
--- a/app/src/main/java/dev/ukanth/ufirewall/Api.java
+++ b/app/src/main/java/dev/ukanth/ufirewall/Api.java
@@ -426,6 +426,7 @@ public final class Api {
} else {
for (Integer uid : uids) {
if (uid != null && uid >= 0) {
+ cmds.add("-A " + chain + " -m owner --uid-owner " + uid + " -j CONNMARK --set-mark 0x1234");
cmds.add("-A " + chain + " -m owner --uid-owner " + uid + action);
}
}
@@ -488,6 +489,9 @@ public final class Api {
}
private static void addRejectRules(List<String> cmds) {
+ // allow all 0x1234 marked packets
+ cmds.add("-A " + AFWALL_CHAIN_NAME + "-reject" + " -m connmark --mark 0x1234 -j ACCEPT");
+
// set up reject chain to log or not log
// this can be changed dynamically through the Firewall Logs activity I don't know if thats the right way to do it - but it works |
@evermind-zz Didn't quite work for me. I still see some "unknown -100" process is doing 0.0.0.0:0 -> 241.239.59.45:0, protocol 128 on eth after I applied @resolutecake 's script which unmasked process 1073 for me. |
@qumuq-til Maybe you could try marking all packets when they enter the filter in the prerouting table somehow reading the uid they enter and using it as a mark. Later in the afwall-reject table log them. In theory this may show us the process the packet originated from. I have no idea how the proper iptables syntax is or if this is even possible |
There is an app “Rethink: DNS + Firewall + VPN” com.celzero.bravedns in F-Droid This problem with random packets being blocked by AFWall+ causing DNS Privacy, Internet connectivity and any random app to fail is difficult to fix. It is likely never going to be fixed. I have suggested what the fix is but it is a huge amount of work, effectively a complete rewrite. And the result is an AFWall+ app that still requires root The alternative are these random patches disabling some aspect of AFWall+ making a very specific situation work better |
Detecting what process submitted a packet is really, really difficult. Even if you spend weeks of programming for a particular operating system it is not 100% reliable. one-packet udp connections like QUIC http/3 are especially difficult: once you see the packet, the process may no longer exist. udp listeners may receive everything and then do in-process filtering so it cannot be determined what the process is receiving or listening for But iptables and all other packet filtering I have seen can filter on uid if a kernel module is loaded. So 100s of rules can be created, one for each uid, that manually logs what uid was filtered. This will always work. A typical operating system will only have 100s of users, Android maybe 300. User id is otherwise often 32-bit number: 4 billion Android 12+ has often removed iptables logging depending on how the kernel was compiled. Instead counters could be used AFWall+ features some tricks so its logging works even if logging is not available. By aligning with what AFWall+ is already doing, logging of uid can be made to work |
AFWall+ tells me that "Unknown(-100)" is generating traffic:
What does a negative UID mean, particularly when the UID is not listed for whitelist?
How can I whitelist a UID that generates traffic but isn't listed, even when I select "Show all apps" ?
The text was updated successfully, but these errors were encountered: