ukanth / afwall

AFWall+ (Android Firewall +) - iptables based firewall for Android
GNU General Public License v3.0

[BUG - Samsung Pie(?)] - root [0] being blocked although it's allowed in settings #984

Open d3cim opened 5 years ago

d3cim commented 5 years ago

Hi, thanks for your wonderful app first of all. I found myself very well on Oreo, but I'm contacting you because since I switched to LineageOS 16.0 I've been having this issue. Basically I have to enable Any App (-10) to see the apps that I enabled work (see screenshots).

I saw that it is a common problem, and talking about it on Telegram I saw other users mentioning it. Can you take a look at it? #981

I use dnscrypt-proxy, a Magisk module to change DNS (which is why it prevents me from using the Internet at all), with this script:

iptables -t nat -A OUTPUT -p tcp ! -d 146.185.167.43 --dport 53 -j DNAT --to-destination 127.0.0.1:5354
iptables -t nat -A OUTPUT -p udp ! -d 146.185.167.43 --dport 53 -j DNAT --to-destination 127.0.0.1:5354

I tried to remove the module and the script itself, but the problem persists. Even if I tick root (0), it isn't enabled if I do not also enable Any App (-10). I finally tried to enable ALL connections except Any App (-10) and the logs continue to show me blocked connections from root (0). That's why I think it's an AFWall-related issue. (see attached screenshots)

Thanks for your attention.

d3cim commented 5 years ago

I wanted to repeat the same operation on two devices, one with LOS13 and one with LOS14.1. Everything works perfectly: the DNS is changed and I do not need to enable Any App (-10) to see the other apps that I have enabled working properly. I think this is proof that the cause of the issue is in AFWall when applying the rules on LOS16.

Maybe can I provide better logs?

d3cim commented 5 years ago

I tried to export the rules. I tried enabling Any App (-10) first and then disabling it via the main screen entries; remember that root (0) was always enabled in these steps.

These are the differences extracted from the rules after disabling Any App (-10): https://del.dog/yizicaqumu

As you can see, those rules that block root (0) are added even if root (0) is active in the main screen.

d3cim commented 5 years ago

HOW TO REPRODUCE:

1. Download and install dnscrypt-proxy from the Magisk module
2. Reboot
3. Install AFWall+ and keep all the settings as default
4. Insert this script in the two AFWall+ checkboxes (to activate the module):

iptables -t nat -A OUTPUT -p tcp ! -d 9.9.9.9 --dport 53 -j DNAT --to-destination 127.0.0.1:5354
iptables -t nat -A OUTPUT -p udp ! -d 9.9.9.9 --dport 53 -j DNAT --to-destination 127.0.0.1:5354

5. In the AFWall+ main page tick (enable connection to) root (0) and your browser
6. Enable the firewall and try to browse any page; the result is "server not found"
7. Now try to tick (enable connection to) Any App (-10), apply the new rules and try to browse any page; everything works as expected.

The goal is not having to enable connection to Any App (-10) to get your browser working.

ukanth commented 5 years ago

You have to enable UID "1000" or disable captiveportal to make all apps work without "any app"

d3cim commented 5 years ago

I already tried the methods you described. In the first case I disabled CaptivePortalLogin (10057) with the following commands via a local terminal:

su

pm disable com.android.captiveportallogin

settings put global captive_portal_detection_enabled 0

settings put global captive_portal_server localhost

settings put global captive_portal_mode 0

Reboot

Did I miss something?

I also tried to enable System (1000), keeping Any App (-10) disabled (unticked) in the meantime, but the connection of the apps I've enabled individually from the main screen still doesn't work and root (0) is still blocked in the logs even if it is active (ticked) in the main screen.

d3cim commented 5 years ago

I forgot to say that I have done these steps on some other devices with success:

Moto G3 (2015) (osprey) - Official LOS14.1 / Unofficial LOS16
LG G2 (d802) - Official LOS16
OnePlus 3T (oneplus3) - Official LOS16
Moto G4 Play (montana) - Unofficial LOS16
Samsung S9 (starlte) - Official LOS15.1

The device that gives me this trouble is: Samsung S9 (starlte) - Unofficial LOS16

d3cim commented 5 years ago

I can provide logs and whatever you need. I contacted you also via e-mail regarding this issue. I have also Telegram if you want.

ukanth commented 5 years ago

Please attach iptables log from menu->firewall rules->export.

d3cim commented 5 years ago

Sure. I also tested these steps on OneUI and the issue is there too. At this point it seems to be some sort of AFWall+ compatibility bug with Samsung Pie. I'll attach the logs you asked for. If you need anything else, let me know.

IPv4rules(anyapp_disabled).log IPv4rules(anyapp _enabled).log

lemmy04 commented 5 years ago

Same on Magisk-rooted (stock) Android 9 on a Samsung Tab S5e.

lemmy04 commented 5 years ago

I've been looking at the iptables rules and the log messages, and what is being blocked (at least on my devices) is DNS over TCP, so I'm going to add this to my custom script and see if that helps:

$IPTABLES -A afwall -p tcp --dport 53 -j RETURN

mke2fs commented 5 years ago

@lemmy04

I had a similar issue. I just added these to the custom script and it fixed the problem:

My dnscrypt-proxy is listening on 127.0.0.1:5354

$IPTABLES -A afwall -p tcp -d 127.0.0.1 --dport 5354 -j RETURN
$IPTABLES -A afwall -p udp -d 127.0.0.1 --dport 5354 -j RETURN
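A small chain walker, added here as an example (it is not AFWall+ code), that shows why a `--dport 53` allowance can miss root's query once the nat OUTPUT DNAT has rewritten it to 127.0.0.1:5354, while the 5354 rule above catches it. The `afwall` chain it walks is constructed and its layout is an assumption, not an AFWall+ export:

```python
"""Walk one iptables chain the way the kernel does (first matching rule's target
wins) to see what verdict AFWall+'s 'afwall' chain gives a packet. Added example;
the chain below is constructed, not an AFWall+ export, and its layout is assumed."""
OPTION_TO_FIELD = {"-p": "proto", "-d": "dst", "--dport": "dport", "--uid-owner": "uid"}

def parse_rule(line):
    """Parse an 'iptables -S' style line into (chain, matches, target)."""
    toks = line.split()
    if toks[0] != "-A":
        raise ValueError(f"expected an -A rule: {line}")
    chain, matches, target, negate, i = toks[1], [], None, False, 2
    while i < len(toks):
        tok = toks[i]
        if tok == "!":                   # '! -d 9.9.9.9' negates the next match
            negate, i = True, i + 1
        elif tok == "-m":                # match-module loader, nothing to test
            i += 2
        elif tok == "-j":
            target, i = toks[i + 1], i + 2
        elif tok in OPTION_TO_FIELD:
            value = toks[i + 1]
            if value.endswith("/32"):    # -S prints single hosts as /32
                value = value[:-3]
            matches.append((OPTION_TO_FIELD[tok], value, negate))
            negate, i = False, i + 2
        else:
            raise ValueError(f"unsupported option {tok!r} in: {line}")
    return chain, matches, target

def verdict(rules_text, chain, packet):
    """Target of the first rule in `chain` matching `packet`; None if the packet
    falls off the end of the chain (the chain policy then applies)."""
    for line in rules_text.strip().splitlines():
        rchain, matches, target = parse_rule(line)
        if rchain == chain and all((str(packet[f]) == v) != neg
                                   for f, v, neg in matches):
            return target
    return None

# Constructed chain (assumed layout): one per-app RETURN, lemmy04's port-53 rule, then the reject.
AFWALL_CHAIN = """
-A afwall -m owner --uid-owner 10057 -j RETURN
-A afwall -p tcp --dport 53 -j RETURN
-A afwall -j afwall-reject
"""
# Root's DNS query as the filter table sees it: the nat OUTPUT DNAT from the
# thread has already rewritten it to 127.0.0.1:5354, so '--dport 53' misses it.
ROOT_DNS_AFTER_DNAT = {"proto": "tcp", "dst": "127.0.0.1", "dport": 5354, "uid": 0}
LOCAL_RESOLVER_RULE = "-A afwall -p tcp -d 127.0.0.1 --dport 5354 -j RETURN"
```

With the constructed chain, `verdict(AFWALL_CHAIN, "afwall", ROOT_DNS_AFTER_DNAT)` ends in `afwall-reject`; prepending `LOCAL_RESOLVER_RULE` (the 5354 rule from the comment above) turns the verdict into `RETURN`.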