AFWall+ v3.1.0 on an old Samsung S5 Snapdragon (klte?) running Android 7.1/LineageOS 14 is erasing the dmesg kernel ring buffer every one second if the log service is enabled.
This is something malware does to hide itself. I spent hours tracking down which app on this device was malware.
Interestingly, I have this same version of AFWall+ installed on three other devices and they do not appear to be exhibiting this behavior. There may be something specific about the app configuration or a combination of other factors which induce this undesirable behavior.
It's also noteworthy that toggling off the "Turn on log service" checkbox in preferences on this device does not take effect until the next system boot. This toggle will immediately activate the bad behavior, but not disable it. I am also under the impression that killing the AFWall+ service and uninstalling it (along with every other 3rd party app on the system) won't stop it until a reboot either.
Unfortunately I don't have time to dig deeper into this right now. If/when I get time to do that I'll come back and update this bug with more information. I hope to be able to play around with it next week.
I have started working on this. This behaviour only exists for kernels which do not have the NFLOG chain. All modern kernels ship with the NFLOG chain. Anyway, I will fix this.
@ukanth I'm on AOSP Extended Pie, Xiaomi Redmi Note 4 (mido). Previously everything worked perfectly. I don't know exactly which release broke this a few weeks/months back. My kernel is built with both CONFIG_NETFILTER_XT_TARGET_LOG=y and NFLOG=y (I use a custom build).
But LOG is being prioritized over NFLOG. Manually adding a -j NFLOG rule and running /data/data/dev.ukanth.ufirewall/app_bin/nflog 40 also works fine; log messages are received.
Is the decision between LOG/NFLOG based on some other factors?
Shouldn't the order here be inverse, i.e. NFLOG first (I'm totally blind about coding stuff)?
Is there a way to force NFLOG?
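A check for the situation discussed in this thread, as an added example that is not part of any comment here and is not AFWall+ code: it reports whether a ruleset logs through the LOG target (which writes to the kernel ring buffer that dmesg reads) while the kernel also offers NFLOG (delivered to userspace over netlink). The sample rules, chain name and target list are constructed, and the on-device usage assumes `/proc/net/ip_tables_targets` is present.

```shell
#!/bin/sh
# Added example: which netfilter logging target does a ruleset use, and does
# the kernel offer NFLOG as an alternative? Inputs are passed as text so the
# functions work on saved output as well as on a live device.

# Constructed sample of `iptables -S` output (chain name is made up).
SAMPLE_RULES='-P OUTPUT ACCEPT
-N fw-example-reject
-A OUTPUT -j fw-example-reject
-A fw-example-reject -m limit --limit 1000/min -j LOG --log-prefix "{FW}" --log-level 4 --log-uid
-A fw-example-reject -j REJECT --reject-with icmp-port-unreachable'

# Constructed sample of /proc/net/ip_tables_targets (one target per line).
SAMPLE_TARGETS='REJECT
LOG
NFLOG
ERROR'

# count_target RULES TARGET -> number of rules that jump to TARGET
count_target() {
    printf '%s\n' "$1" | awk -v t="$2" '
        { for (i = 1; i < NF; i++)
              if (($i == "-j" || $i == "--jump") && $(i + 1) == t) { n++; break } }
        END { print n + 0 }'
}

# kernel_has_target TARGETS NAME -> exit status 0 if NAME is listed
kernel_has_target() {
    printf '%s\n' "$1" | grep -qx "$2"
}

# assess RULES TARGETS -> one-word verdict on the logging path in use
assess() {
    log=$(count_target "$1" LOG)
    nflog=$(count_target "$1" NFLOG)
    if [ "$log" -gt 0 ] && kernel_has_target "$2" NFLOG; then
        echo "LOG-used-NFLOG-available"   # logs land in the dmesg ring buffer
    elif [ "$log" -gt 0 ]; then
        echo "LOG-only"                   # kernel offers no NFLOG target
    elif [ "$nflog" -gt 0 ]; then
        echo "NFLOG-used"
    else
        echo "no-logging-rules"
    fi
}

assess "$SAMPLE_RULES" "$SAMPLE_TARGETS"
# On a device, from a root shell:
#   assess "$(iptables -S)" "$(cat /proc/net/ip_tables_targets)"
```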