Open abidal3 opened 5 years ago
I don't quite understand what the problem is here. What should be happening, and what actually happens?
When the option Enable inbound connections is checked and Tor rules are enabled for apps, AFWall isn't started and there is an iptables error in the log.
This doesn't happen on my device. Have you tried rebooting?
Yes, of course.
Orbot has actually been broken on my phone so I'm currently unable to test or fix the code. My guess would be that the ordering is somehow wrong and it wants to jump to afwall-tor-reject before it's added?
When I get Orbot working again I'll look into this and see what's up.
On Sat, Apr 11, 2020 at 05:42:39AM -0700, Jake Stańczak wrote:
Same problem with newest version, on Mi 9t with lineage 17.1.
command 'iptables -A afwall-input -j afwall-tor-reject' exited with status 1
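The maintainer's guess above is an ordering problem: a rule that jumps to afwall-tor-reject being emitted before that chain has been created. The script below is an added example, not AFWall's code, that lints a sequence of iptables/ip6tables commands for exactly that pattern; the sample command sequence and the target list are assumptions, only the afwall-* chain names come from this thread.

```python
# Constructed sample sequence (an assumption, not AFWall's real output): the
# afwall-* chain names come from the issue thread, the ordering is invented to
# show the failure pattern under test.
SAMPLE_COMMANDS = [
    "iptables -N afwall",
    "iptables -N afwall-input",
    "iptables -A INPUT -j afwall-input",
    "iptables -A afwall-input -j afwall-tor-reject",  # chain not created yet
    "iptables -N afwall-tor-reject",
    "iptables -A afwall-tor-reject -j REJECT",
]

BUILTIN_CHAINS = {"INPUT", "OUTPUT", "FORWARD", "PREROUTING", "POSTROUTING"}
# Standard targets that are not user chains (partial list, enough for the check).
BUILTIN_TARGETS = {"ACCEPT", "DROP", "REJECT", "RETURN", "LOG", "NFLOG",
                   "MARK", "CONNMARK", "REDIRECT", "DNAT", "SNAT", "MASQUERADE"}


def _opt_value(argv, flag):
    """Value following FLAG in argv, or None when the flag is absent."""
    return argv[argv.index(flag) + 1] if flag in argv else None


def check_chain_order(commands):
    """Lint an ordered list of iptables/ip6tables commands.

    Returns a list of (index, command, reason) for every -A/-I rule that appends
    to, or jumps to (-j), a user-defined chain that no earlier -N in the same
    binary and table has created.  Builtin chains and standard targets are
    never reported.  iptables and ip6tables keep separate chain namespaces.
    """
    created = set()
    problems = []
    for idx, cmd in enumerate(commands, 1):
        argv = cmd.split()
        ns = (argv[0], _opt_value(argv, "-t") or "filter")
        new_chain = _opt_value(argv, "-N")
        if new_chain:
            created.add(ns + (new_chain,))
            continue
        chain = _opt_value(argv, "-A") or _opt_value(argv, "-I")
        if chain and chain not in BUILTIN_CHAINS and ns + (chain,) not in created:
            problems.append((idx, cmd, f"rule added to {chain} before -N {chain}"))
        target = _opt_value(argv, "-j")
        if target and target not in BUILTIN_TARGETS and ns + (target,) not in created:
            problems.append((idx, cmd, f"jump to {target} before -N {target}"))
    return problems
```

A jump to a chain that really does not exist is normally reported by iptables as "No chain/target/match by that name", so an empty result from this check combined with the "Invalid argument" seen later in this thread points at the contents of the rules rather than their order.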
I can confirm this bug, it happens to me on official LOS 17 just as @abidal3 described it: When I try to apply new rules that contain at least one which routes traffic through tor, I get the error notification "Error applying firewall rules. Click to open settings" and the firewall gets disabled. If I disable the option "Enable inbound connections", everything works as expected. I tried 3 AFWall versions: 3.4, 3.5 and 3.5.2 -> Got the same behaviour on each of them. On the other hand I tested with a friend's device (also with LOS 17), which has exactly the same AFWall settings, and I can't reproduce the problem with it.
I looked through logcat and found the following entry, which I assume to be related, as it always appears when I try to apply the rules:
[CODE]
command 'iptables -A afwall-input -j afwall-tor-reject' exited with status 1
Output: iptables: Invalid argument. Run `dmesg' for more information.
[/CODE]
When grepping for iptables in the output of dmesg, I got:
[CODE]
adb shell su -c dmesg | grep -i iptables
[ 824.176835] nf_conntrack: default automatic helper assignment has been turned off for security reasons and CT-based firewall rule not found. Use the iptables CT target to attach helpers instead.
[ 1314.159697] [ 1229] 0 1229 8505 928 12 3 0 -1000 iptables-restor
[/CODE]
Unfortunately I can't fix this as Orbot no longer works on my phone
You don't need to have Orbot on your phone to replicate the bug. Just enable "Allow inbound connections" and Tor control and try to activate it for any app. I tried that with and without Orbot installed on the phone, and the behaviour was exactly the same I described above.
I've got another case to which this bug report applies: LineageOS 20 on a OnePlus 6T (fajita). I will give as much detail as possible to help narrow down the cause, adhering to the official template for bug reporting.
If more information for debugging is missing, please ask. I will do my best to provide it. I'm happy to test possible fixes and/or workarounds, as this is not a daily driver. Imho this bug is a huge regression for many power users.
Edit: After trying other available ROMs on the OnePlus 6T I can confirm that the bug also occurs on the following ones:
That means I haven't yet found any A13+ ROM on which it does not occur. /Edit
Edit 2: The same problem occurs on the following older LOS versions:
/Edit 2
Edit 3: Same goes with the latest version 11.1.2.2 of OxygenOS (OnePlus stock ROM). Exactly the same error. /Edit 3
- AFWall+ Mode (whitelist [default enabled]/blacklist)
Whitelist Mode
- Android ROM + exact version number
LineageOS 20 (Android 13) on OnePlus 6T
- What steps will reproduce the problem?
Preferences
-> Rules/Connectivity
-> Tor control
Preferences
-> Experimental
-> Enable inbound connections
Installing / using Orbot is not necessary / relevant to reproduce this bug!
- Additional security software installed (like XPrivacy/Avast)? Is it really deactivated?!
None.
- What is the expected output? What do you see instead?
The expected result would be a successful application of the newly set rules (including all implicitly set rules). This combination works perfectly on other devices running OmniROM and LineageOS (both Android 11).
Instead, after the usual popup countdown - which by the way pauses briefly for the third-to-last rule (153 of 155) - I get the error message Error applying firewall rules. Click to open settings.
As soon as I disable the TOR checkbox or deactivate Enable inbound connections and reapply the rules, it works again.
- Attach your exported rules.log (IPv4 + IPv6)
I didn't get AFWall+ to export the v6 rules; the button show rules -> enable IPv6 rules didn't do anything.
/storage/emulated/0/Android/data/dev.ukanth.ufirewall/files/IPv4rules.log:
- Please provide any additional information below (e.g. logcat).
adb shell su -c logcat -v long
while starting AFWall+:
adb shell su -c logcat -v long
while trying to apply the rules and getting the error:
adb shell su -c dmesg -T --follow | grep -Ei afwall\|tables
while trying to apply the rules:
- Which binaries are used for BusyBox/IPTables?
Built-In/Built-In, but it doesn't seem to matter, as I've tried all possible combinations of both options without any success.
- Which DNS-proxy option is in usage?
Disable DNS via netd, but that doesn't seem to matter either, as I've also tried with the states "Enable DNS via netd" and "Auto".
- Are the experimental options enabled/disabled?!
Yes, with "Enable inbound connections" being the only one active.
AFWall is disabled when I add Tor rules for apps. But it's okay if I disable the option Enable inbound connections.
Log:
Start processing next state
Using applySaved4IptablesRules
command 'ip6tables -A afwall-input -j afwall-tor-reject' exited with status 1
Start processing next state
State of rootShell: BUSY
Forcefully changing the state BUSY
command 'iptables -A afwall-input -j afwall-tor-reject' exited with status 1