
bluetooth tethering borked as well #209

Closed
bahbarnett opened this issue Oct 8, 2013 · 5 comments
@bahbarnett

Same problem with bluetooth tethering on latest cm10.2 builds...

Logs say appid -1

@cernekee
Contributor

cernekee commented Oct 8, 2013

Could you please post the results from running this immediately after attempting to tether:

adb shell
su
dmesg | grep AFL
busybox ifconfig -a
logcat -s "AFWall:*"

@bahbarnett
Author

Sure thing... here you go!

# dmesg | grep AFL
<4>[   52.017427] {AFL}IN= OUT=wlan0 SRC=172.16.1.140 DST=50.115.125.93 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=4024 DF PROTO=TCP SPT=42295 DPT=443 WINDOW=14600 RES=0x00 SYN URGP=0 UID=10005 GID=10005 
<4>[   52.019014] {AFL}IN= OUT=wlan0 SRC=172.16.1.140 DST=50.115.125.93 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=9037 DF PROTO=TCP SPT=57763 DPT=443 WINDOW=14600 RES=0x00 SYN URGP=0 UID=10005 GID=10005 
<4>[   54.595818] {AFL}IN= OUT=wlan0 SRC=172.16.1.140 DST=54.249.235.25 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=47546 DF PROTO=TCP SPT=49043 DPT=443 WINDOW=14600 RES=0x00 SYN URGP=0 UID=10168 GID=10168 
<4>[   56.527605] {AFL}IN= OUT=wlan0 SRC=172.16.1.140 DST=54.249.235.25 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=15842 DF PROTO=TCP SPT=57513 DPT=443 WINDOW=14600 RES=0x00 SYN URGP=0 UID=10168 GID=10168 
<4>[   57.520128] {AFL}IN= OUT=wlan0 SRC=172.16.1.140 DST=54.249.235.25 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=15843 DF PROTO=TCP SPT=57513 DPT=443 WINDOW=14600 RES=0x00 SYN URGP=0 UID=10168 GID=10168 
<4>[   57.521471] {AFL}IN= OUT=wlan0 SRC=172.16.1.140 DST=54.248.254.153 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=36232 DF PROTO=TCP SPT=44030 DPT=443 WINDOW=14600 RES=0x00 SYN URGP=0 UID=10168 GID=10168 
<4>[   58.520128] {AFL}IN= OUT=wlan0 SRC=172.16.1.140 DST=54.248.254.153 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=36233 DF PROTO=TCP SPT=44030 DPT=443 WINDOW=14600 RES=0x00 SYN URGP=0 UID=10168 GID=10168 
<4>[   58.800671] {AFL}IN= OUT=wlan0 SRC=172.16.1.140 DST=46.51.240.73 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=48227 DF PROTO=TCP SPT=43626 DPT=443 WINDOW=14600 RES=0x00 SYN URGP=0 UID=10168 GID=10168 
<4>[   59.800122] {AFL}IN= OUT=wlan0 SRC=172.16.1.140 DST=46.51.240.73 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=48228 DF PROTO=TCP SPT=43626 DPT=443 WINDOW=14600 RES=0x00 SYN URGP=0 UID=10168 GID=10168 
<4>[   59.801007] {AFL}IN= OUT=wlan0 SRC=172.16.1.140 DST=54.249.255.245 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=5363 DF PROTO=TCP SPT=54272 DPT=443 WINDOW=14600 RES=0x00 SYN URGP=0 UID=10168 GID=10168 
<4>[   60.800152] {AFL}IN= OUT=wlan0 SRC=172.16.1.140 DST=54.249.255.245 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=5364 DF PROTO=TCP SPT=54272 DPT=443 WINDOW=14600 RES=0x00 SYN URGP=0 UID=10168 GID=10168 
<4>[  255.593316] {AFL}IN= OUT=wlan0 SRC=172.16.1.140 DST=172.16.1.12 LEN=68 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=11859 DPT=53 LEN=48 UID=9999 GID=9999 
<4>[  255.594933] {AFL}IN= OUT=wlan0 SRC=172.16.1.140 DST=172.16.1.12 LEN=62 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=41823 DPT=53 LEN=42 UID=9999 GID=9999 
<4>[  255.642209] {AFL}IN= OUT=wlan0 SRC=172.16.1.140 DST=172.16.1.12 LEN=68 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=44613 DPT=53 LEN=48 UID=9999 GID=9999 
<4>[  255.644986] {AFL}IN= OUT=wlan0 SRC=172.16.1.140 DST=172.16.1.12 LEN=62 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=41501 DPT=53 LEN=42 UID=9999 GID=9999 
<4>[  255.652189] {AFL}IN= OUT=wlan0 SRC=172.16.1.140 DST=172.16.1.12 LEN=68 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=7431 DPT=53 LEN=48 UID=9999 GID=9999 
<4>[  255.654936] {AFL}IN= OUT=wlan0 SRC=172.16.1.140 DST=172.16.1.12 LEN=62 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=43179 DPT=53 LEN=42 UID=9999 GID=9999 
<4>[  264.063116] {AFL}IN= OUT=wlan0 SRC=172.16.1.140 DST=172.16.1.12 LEN=62 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=33182 DPT=53 LEN=42 UID=9999 GID=9999 
<4>[  264.072485] {AFL}IN= OUT=wlan0 SRC=172.16.1.140 DST=172.16.1.12 LEN=62 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=3927 DPT=53 LEN=42 UID=9999 GID=9999 
<4>[  264.079871] {AFL}IN= OUT=wlan0 SRC=172.16.1.140 DST=172.16.1.12 LEN=62 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=10223 DPT=53 LEN=42 UID=9999 GID=9999 
<4>[  264.132183] {AFL}IN= OUT=wlan0 SRC=172.16.1.140 DST=172.16.1.12 LEN=62 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=56746 DPT=53 LEN=42 UID=9999 GID=9999 
<4>[  268.560476] {AFL}IN= OUT=wlan0 SRC=172.16.1.140 DST=172.16.1.12 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=35002 DPT=53 LEN=40 UID=9999 GID=9999 
<4>[  268.569815] {AFL}IN= OUT=wlan0 SRC=172.16.1.140 DST=172.16.1.12 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=22517 DPT=53 LEN=40 UID=9999 GID=9999 
<4>[  268.577231] {AFL}IN= OUT=wlan0 SRC=172.16.1.140 DST=172.16.1.12 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=34496 DPT=53 LEN=40 UID=9999 GID=9999 
<4>[  268.584709] {AFL}IN= OUT=wlan0 SRC=172.16.1.140 DST=172.16.1.12 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=51786 DPT=53 LEN=40 UID=9999 GID=9999 
<4>[  280.662719] {AFL}IN= OUT=wlan0 SRC=172.16.1.140 DST=172.16.1.12 LEN=62 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=60820 DPT=53 LEN=42 UID=9999 GID=9999 
<4>[  280.697054] {AFL}IN= OUT=wlan0 SRC=172.16.1.140 DST=172.16.1.12 LEN=62 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=58235 DPT=53 LEN=42 UID=9999 GID=9999 
<4>[  280.705753] {AFL}IN= OUT=wlan0 SRC=172.16.1.140 DST=172.16.1.12 LEN=62 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=14344 DPT=53 LEN=42 UID=9999 GID=9999 
<4>[  280.758248] {AFL}IN= OUT=wlan0 SRC=172.16.1.140 DST=172.16.1.12 LEN=62 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=46640 DPT=53 LEN=42 UID=9999 GID=9999 

255|root@android:/ # busybox ifconfig -a                                       
bt-pan    Link encap:Ethernet  HWaddr 04:FE:31:02:62:7A  
          inet addr:192.168.44.1  Bcast:192.168.44.255  Mask:255.255.255.0
          inet6 addr: fe80::6fe:31ff:fe02:627a/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:57 errors:0 dropped:0 overruns:0 frame:0
          TX packets:54 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:500 
          RX bytes:7802 (7.6 KiB)  TX bytes:4457 (4.3 KiB)

dummy0    Link encap:Ethernet  HWaddr 22:93:91:43:D0:8B  
          BROADCAST NOARP  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

lo        Link encap:Local Loopback  
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:41 errors:0 dropped:0 overruns:0 frame:0
          TX packets:41 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:3662 (3.5 KiB)  TX bytes:3662 (3.5 KiB)

p2p0      Link encap:Ethernet  HWaddr 04:FE:31:02:62:7C  
          UP BROADCAST MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100 
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

rev_rmnet0 Link encap:Ethernet  HWaddr 12:84:9A:27:D9:B9  
          BROADCAST MULTICAST  MTU:2000  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

rev_rmnet1 Link encap:Ethernet  HWaddr 66:D1:12:93:F7:B9  
          BROADCAST MULTICAST  MTU:2000  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

rev_rmnet2 Link encap:Ethernet  HWaddr 36:F8:76:74:DC:A5  
          BROADCAST MULTICAST  MTU:2000  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

rev_rmnet3 Link encap:Ethernet  HWaddr FE:30:7E:BC:ED:CA  
          BROADCAST MULTICAST  MTU:2000  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

rev_rmnet4 Link encap:Ethernet  HWaddr C2:43:C9:88:ED:F3  
          BROADCAST MULTICAST  MTU:2000  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

rev_rmnet5 Link encap:Ethernet  HWaddr F6:64:1E:3A:7F:FC  
          BROADCAST MULTICAST  MTU:2000  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

rev_rmnet6 Link encap:Ethernet  HWaddr D2:68:14:79:F0:30  
          BROADCAST MULTICAST  MTU:2000  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

rev_rmnet7 Link encap:Ethernet  HWaddr BE:69:0D:68:F8:51  
          BROADCAST MULTICAST  MTU:2000  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

rev_rmnet8 Link encap:Ethernet  HWaddr CE:17:6F:D4:04:7F  
          BROADCAST MULTICAST  MTU:2000  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

rmnet0    Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  
          [NO FLAGS]  MTU:2000  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

rmnet1    Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  
          [NO FLAGS]  MTU:2000  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

rmnet2    Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  
          [NO FLAGS]  MTU:2000  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

rmnet3    Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  
          [NO FLAGS]  MTU:2000  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

rmnet4    Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  
          [NO FLAGS]  MTU:2000  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

rmnet5    Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  
          [NO FLAGS]  MTU:2000  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

rmnet6    Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  
          [NO FLAGS]  MTU:2000  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

rmnet7    Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  
          [NO FLAGS]  MTU:2000  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

sit0      Link encap:IPv6-in-IPv4  
          NOARP  MTU:1480  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

wlan0     Link encap:Ethernet  HWaddr 04:FE:31:02:62:7B  
          inet addr:172.16.1.140  Bcast:172.16.1.255  Mask:255.255.255.0
          inet6 addr: fe80::6fe:31ff:fe02:627b/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:135 errors:0 dropped:0 overruns:0 frame:0
          TX packets:143 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100 
          RX bytes:92500 (90.3 KiB)  TX bytes:22263 (21.7 KiB)

root@android:/ # logcat -s "AFWall:*"
--------- beginning of /dev/log/system
--------- beginning of /dev/log/main
I/AFWall  ( 2208): Now assuming wifi connection
I/AFWall  ( 2208): IPv4 LAN netmask on wlan0: 172.16.1.140/24
I/AFWall  ( 2208): IPv6 LAN netmask on wlan0: fe80::6fe:31ff:fe02:627b/64
D/AFWall  ( 2208): Starting root shell...
D/AFWall  ( 2208): Root shell is open
D/AFWall  ( 2208): CONNECTIVITY_CHANGE: interface state has not changed, ignoring
D/AFWall  ( 2208): CONNECTIVITY_CHANGE: interface state has not changed, ignoring
I/AFWall  ( 2208): BOOT_COMPLETED: applied rules


@cernekee
Contributor

cernekee commented Oct 8, 2013

So, the way tethering works in AFWall today is something like:

  • Identify the wifi interface; it will match one of these wildcards: "eth+", "wlan+", "tiwlan+", "ra+", "bnep+"
  • Identify the 3G interface; it will match one of these wildcards: "rmnet+", "pdp+", "uwbr+", "wimax+", "vsnet+", "rmnet_sdio+", "ccmni+", "qmi+", "svnet0+", "wwan+", "cdma_rmnet+", "usb+", "rment_usb+"
  • Add a rule allowing DHCP replies to be sent on the wifi interface: source port 67/udp, dest port 68, user "root" or "nobody" (dnsmasq)
  • Add rules allowing DNS replies to be sent on the wifi interface: source port 53/udp or 53/tcp, user "root" or "nobody" (dnsmasq)
  • Add rules allowing DNS requests to be sent on the 3G interface: dest port 53/udp or 53/tcp, user "root" or "nobody" (dnsmasq)

But this device behaves differently:

  • The upstream interface (which is normally 3G) is actually wlan0
  • The downstream interface (which is normally wifi) is actually bt-pan
  • bt-pan isn't recognized by AFWall at all, because it isn't in the list. This just means that there are no restrictions on it.
  • bt-pan uses IP 192.168.44.1; typically the downstream wifi interface uses 192.168.43.1. This isn't currently hardcoded into AFWall, but it does make it harder to reliably deduce tethering status.

Maybe what would make sense is to remove tethering from the application list, and make it a preference instead. The preference could have the following options:

  • Off - no special rules for tethering
  • Auto - same behavior as today - restrictive tethering rules that shouldn't cause leaks. This requires Active Rules to be enabled.
  • Leaky - use a more permissive set of tethering rules, and leave them enabled all of the time. This would allow "root" and "nobody" to send traffic with source or dest port 53/udp on any interface, and send traffic with source 67/udp, dest 68/udp on any interface. Other UIDs (applications) would not be affected, although this allows for DNS data leaks via netd / DnsProxy.
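
As an added example (not AFWall+'s own code, and not something the maintainer posted), the following Python reproduces the interface classification described above, runs it over the interface names from the `busybox ifconfig -a` output posted earlier, and checks two of the posted `{AFL}` dmesg lines against the resulting roles. The UID-to-user mapping (9999 = nobody) and all function names are assumptions made for this example.

```python
"""Added example, not AFWall+'s own code: the interface classification from
the comment above, applied to the interfaces from the posted ifconfig output,
plus a check of the posted {AFL} dmesg lines against the resulting roles."""
import re

# Wildcards quoted from the comment; like iptables -i/-o, a trailing '+' matches any suffix.
WIFI_WILDCARDS = ["eth+", "wlan+", "tiwlan+", "ra+", "bnep+"]
MOBILE_WILDCARDS = ["rmnet+", "pdp+", "uwbr+", "wimax+", "vsnet+", "rmnet_sdio+", "ccmni+",
                    "qmi+", "svnet0+", "wwan+", "cdma_rmnet+", "usb+", "rment_usb+"]
TETHER_UIDS = {0: "root", 9999: "nobody"}  # users dnsmasq runs as (AID_NOBODY=9999, assumed)

# Interface names exactly as printed by `busybox ifconfig -a` in the issue.
DEVICE_IFACES = ["bt-pan", "dummy0", "lo", "p2p0", "rev_rmnet0", "rmnet0", "sit0", "wlan0"]

# Two {AFL} lines copied from the posted dmesg output (one HTTPS flow, one DNS query).
SAMPLE_DMESG = [
    "<4>[   52.017427] {AFL}IN= OUT=wlan0 SRC=172.16.1.140 DST=50.115.125.93 LEN=60 "
    "TOS=0x00 PREC=0x00 TTL=64 ID=4024 DF PROTO=TCP SPT=42295 DPT=443 WINDOW=14600 "
    "RES=0x00 SYN URGP=0 UID=10005 GID=10005",
    "<4>[  255.593316] {AFL}IN= OUT=wlan0 SRC=172.16.1.140 DST=172.16.1.12 LEN=68 "
    "TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT=11859 DPT=53 LEN=48 UID=9999 GID=9999",
]

def wildcard_matches(pattern, ifname):
    """Match an interface name against one '+'-suffix wildcard."""
    if pattern.endswith("+"):
        return ifname.startswith(pattern[:-1])
    return ifname == pattern

def classify(ifaces):
    """Sort interface names into the roles AFWall would assign them."""
    roles = {"wifi": [], "mobile": [], "unknown": []}
    for name in ifaces:
        if any(wildcard_matches(p, name) for p in WIFI_WILDCARDS):
            roles["wifi"].append(name)
        elif any(wildcard_matches(p, name) for p in MOBILE_WILDCARDS):
            roles["mobile"].append(name)
        else:
            roles["unknown"].append(name)  # bt-pan lands here: no tethering rules apply
    return roles

def parse_afl(line):
    """Turn one '{AFL}' kernel log line into a dict of its KEY=value fields."""
    return dict(re.findall(r"(\w+)=(\S*)", line.split("{AFL}", 1)[1]))

def uncovered_dns_requests(lines, roles):
    """DNS queries from dnsmasq's UIDs that left via an interface AFWall does not
    treat as 3G/upstream, so the 'DNS requests on the 3G interface' rule cannot
    match them.  Returns (out_interface, uid, assigned_role) tuples."""
    found = []
    for line in lines:
        f = parse_afl(line)
        uid = int(f.get("UID", -1))
        if f.get("DPT") != "53" or uid not in TETHER_UIDS:
            continue
        role = next((r for r, names in roles.items() if f["OUT"] in names), "unknown")
        if role != "mobile":
            found.append((f["OUT"], uid, role))
    return found
```

On this device the query from UID 9999 is reported as leaving via wlan0 with role "wifi", which is exactly the upstream/downstream swap the comment describes.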

@bahbarnett
Author

I'm wondering...

How about:

  1. AFWall has an 'advanced' option, where the user can specify additional
    interfaces to assign roles to.

Or, even to modify all roles, so that in a case like this, a user could
modify + select (maybe even a drop down list?) interfaces for specific
roles.

Would that not help get around this block a bit?

BTW, this is a CM10.2 device, but as you know it's beta. It could be
non-conforming. I'm not sure about apexqtmo and its port status with
respect to interfaces...


@varac

varac commented Aug 14, 2014

Hi, I experience the same problem (bluetooth tethering works, I can ping hosts on the internet, but DNS is not working). CM 11-m8-apexqtmo, AFWall+ 1.3.4.
The only option is to turn off AFWall+ completely on bluetooth tethering, which is disappointing.

For reference, I link to a related issue here:

#257

@ukanth ukanth added the Bug label Jan 7, 2015
@ukanth ukanth closed this as completed Mar 13, 2021