Hello, there.
I installed void #e a while ago on my O1, everything went smoothly until I had to set up a VPN with L2TP/IPsec.
After poking around with adb logcat, I found that the bundled kernel (mik_os's one) missed support for NETKEY sockets, IPSec over IPv4 and PPP altogether, so I rebuilt the kernel from source adding all missing options to .config.
I flashed the new kernel, booted it and tried to start the VPN, but it failed again.
This time, however, racoon was able to set up an IPsec security association with the remote host, but pppd complained about missing PPP support in the kernel:
Code:
I/racoon ( 4330): ISAKMP-SA established <scrubbed>[500]-<scrubbed>[500] spi:<scrubbed>
I/racoon ( 4330): initiate new phase 2 negotiation: <scrubbed>[500]<=><scrubbed>[500]
I/racoon ( 4330): IPsec-SA established: ESP/Transport <scrubbed>[0]-><scrubbed>[0] spi=<scrubbed>(0x<scrubbed>)
I/racoon ( 4330): IPsec-SA established: ESP/Transport <scrubbed>[500]-><scrubbed>[500] spi=<scrubbed>(0x<scrubbed>)
I/mtpd ( 4532): Tunnel established
D/mtpd ( 4532): Received ICRP (remote_session = 65060) -> Sending ICCN
D/mtpd ( 4532): Received ACK
I/mtpd ( 4532): Session established
I/mtpd ( 4532): Creating PPPoX socket
I/mtpd ( 4532): Starting pppd (pppox = 13)
I/mtpd ( 4532): Pppd started (pid = 4533)
I/pppd ( 4533): Using PPPoX (socket = 13)
E/pppd ( 4533): This system lacks kernel support for PPP. This could be because
E/pppd ( 4533): the PPP kernel module could not be loaded, or because PPP was not
E/pppd ( 4533): included in the kernel configuration. If PPP was included as a
E/pppd ( 4533): module, try `/sbin/modprobe -v ppp'. If that fails, check that
E/pppd ( 4533): ppp.o exists in /lib/modules/`uname -r`/net.
E/pppd ( 4533): See README.linux file in the ppp distribution for more details.
I/mtpd ( 4532): Received signal 17
I/mtpd ( 4532): Pppd is terminated (status = 4)
D/mtpd ( 4532): Sending STOPCCN
I/mtpd ( 4532): Mtpd is terminated (status = 36)
I double-checked /proc/config.gz and sure enough it contains all PPP options:
Code:
# zcat /proc/config.gz | grep PPP
CONFIG_PPP=y
CONFIG_PPP_MULTILINK=y
CONFIG_PPP_FILTER=y
CONFIG_PPP_ASYNC=y
CONFIG_PPP_SYNC_TTY=y
CONFIG_PPP_DEFLATE=y
CONFIG_PPP_BSDCOMP=y
CONFIG_PPP_MPPE=y
CONFIG_PPPOE=y
CONFIG_PPPOL2TP=y
CONFIG_PPPOLAC=y
CONFIG_PPPOPNS=y
I noticed in mik_os's sources that LG also set CONFIG_ANDROID_PARANOID_NETWORK to y, while in mik_os's build it is set to n.
Does anyone know if they are related and/or if I'm running into another issue (permissions, maybe)?
Thanks in advance
Sure enough, it was CONFIG_ANDROID_PARANOID_NETWORK.
For future reference, if this option is undefined AID_NET_ADMIN and AID_NET_RAW have no special meaning for the kernel (in other words, CAP_NET_ADMIN and CAP_NET_RAW are not granted to non-root processes belonging to those special groups).
Moreover, network access restrictions are completely ignored, so any application can create sockets and/or access the bluetooth stack even if its manifest does not specify the relevant permissions.
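The grep for PPP above could never have shown the real problem, since CONFIG_ANDROID_PARANOID_NETWORK does not contain "PPP". Here is an added check script (not from either post) that reports which options a config dump leaves unset. The mapping of "NETKEY sockets, IPsec over IPv4 and PPP" onto CONFIG_NET_KEY, CONFIG_INET_AH, CONFIG_INET_ESP, CONFIG_INET_XFRM_MODE_TRANSPORT and the CONFIG_PPP* family, plus CONFIG_ANDROID_PARANOID_NETWORK, is this example's own assumption about what racoon, mtpd and pppd need; the sample config embedded in it is constructed. It reads /proc/config.gz when the running kernel exposes it and otherwise checks the sample.

```sh
#!/system/bin/sh
# Added example (not from the posts above): list the kernel options an Android
# L2TP/IPsec VPN (racoon + mtpd + pppd) needs that a config dump does not set.
# The option list is this example's own mapping of "NETKEY sockets, IPsec over
# IPv4 and PPP" onto Kconfig symbols; check it against your kernel tree.

REQUIRED_OPTS="
CONFIG_NET_KEY
CONFIG_INET_AH
CONFIG_INET_ESP
CONFIG_INET_XFRM_MODE_TRANSPORT
CONFIG_PPP
CONFIG_PPP_MPPE
CONFIG_PPPOL2TP
CONFIG_PPPOLAC
CONFIG_PPPOPNS
CONFIG_ANDROID_PARANOID_NETWORK
"

# missing_opts CONFIG_TEXT: print every required option that is not =y or =m.
# "# CONFIG_FOO is not set" lines and absent options both count as missing.
missing_opts() {
    cfg_text=$1
    for opt in $REQUIRED_OPTS; do
        printf '%s\n' "$cfg_text" | grep -q "^${opt}=[ym]\$" || echo "$opt"
    done
}

# running_config: the live kernel's config when it is exposed via
# CONFIG_IKCONFIG_PROC, otherwise nothing.
running_config() {
    [ -r /proc/config.gz ] && zcat /proc/config.gz 2>/dev/null
}

# Constructed sample: the PPP lines from the poster's grep plus the IPsec
# bits, but with paranoid network switched off as in the mik_os build.
SAMPLE_CFG='# CONFIG_ANDROID_PARANOID_NETWORK is not set
CONFIG_NET_KEY=y
CONFIG_INET_AH=y
CONFIG_INET_ESP=y
CONFIG_INET_XFRM_MODE_TRANSPORT=y
CONFIG_PPP=y
CONFIG_PPP_MPPE=y
CONFIG_PPPOL2TP=y
CONFIG_PPPOLAC=y
CONFIG_PPPOPNS=y'

cfg=$(running_config)
if [ -n "$cfg" ]; then
    echo "checking running kernel:"
else
    echo "no /proc/config.gz, checking the constructed sample:"
    cfg=$SAMPLE_CFG
fi
missing=$(missing_opts "$cfg")
if [ -z "$missing" ]; then
    echo "all required options present"
else
    echo "missing:"
    echo "$missing"
fi
```

Anything printed under "missing:" has to be set to y (or m with the module actually loaded) before rebuilding. An option that is absent from the dump altogether is reported the same way as one marked "is not set", since both mean the kernel was built without it.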
Hi.
I wasn't too sure if I should post this in the development area; I think it fits better in General.
Introduction
According to this thread, I tried to write a little script which lets one spoof his Wi-Fi MAC address independently of any adb shell or USB connection. It's very experimental and might not work that properly. If I try it at home, my router somehow shuts down any incoming Wi-Fi connection in the whole network and turns the internet off. :/ But the script itself actually SEEMS to change the MAC address (according to what the Wi-Fi settings say).
I am not responsible for any damage to your phone. However, you can reset the changed MAC address anyway if something bad happens.
Please note that you are only allowed to use this script in networks where you have permission to do so. Especially the use of the "MAC takeover" function might be illegal in different networks.
Requirements
You will need SL4A (Android Scripting Environment) and PFA (PHP for Android). Check out: http://www.phpforandroid.net/#requirements
The script
PHP:
<?php
// config: config file and tmp file
$cnf = "/etc/wl/nvram.txt";
$tmp = "/sdcard/nvram-tmp.txt";
// this is my very dirty solution to replace the actual config file with the edited one.
// root needed; block device and filesystem type are device specific, might not work everywhere.
$cmd = 'su -c "mount -o rw,remount -t yaffs2 /dev/block/mtdblock4 /system; '
     . 'mv -f \"' . $tmp . '\" \"' . $cnf . '\"; chmod 644 \"' . $cnf . '\"; '
     . 'mount -o ro,remount -t yaffs2 /dev/block/mtdblock4 /system"';

// access android api
require_once("Android.php");
$droid = new Android();

// a MAC address is exactly six colon-separated hex pairs (anchored, so nothing extra slips through)
$macPattern = "/^([a-f0-9]{2}:){5}[a-f0-9]{2}$/i";

// get config file src and check if the mac address was already spoofed before
$src = file_get_contents($cnf);
$spoofed = false;
$macaddr = "13:57:9B:DF:13:37";
if (preg_match("/macaddr=(([a-f0-9]{2}:){5}[a-f0-9]{2})/i", $src, $res)) {
    $spoofed = true;
    $macaddr = $res[1];
}

// pre-configurations
$title = "LG-OO-P500 MAC Spoofer";
$action = "start";

// main loop for actions
while (true) {
    switch ($action) {
        // start: show the current state and the menu
        case "start":
            $msg = "Your MAC address is currently set on default.";
            if ($spoofed) {
                $msg = "Your currently spoofed MAC address is: " . $macaddr;
            }
            $droid->makeToast($msg);
            // create dialog
            $droid->dialogCreateAlert($title);
            $droid->dialogSetItems(array("Change MAC address", "MAC takeover", "Reset MAC address", "Exit"));
            $droid->dialogShow();
            $res = $droid->dialogGetResponse();
            $droid->dialogDismiss();
            // determine next action; a cancelled dialog has no item, treat it as exit
            $actions = array("spoof", "scan", "reset", "exit");
            $action = isset($res["result"]->item) ? $actions[$res["result"]->item] : "exit";
            break;

        // spoof, takeover and reset all end in rewriting the config
        case "spoof": case "scan": case "reset":
            $rpl = null;
            $abort = false;
            switch ($action) {
                case "spoof":
                    // ask until the input is a well-formed mac address
                    while (true) {
                        $res = $droid->dialogGetInput($title, "Insert new MAC address", $macaddr);
                        if (!isset($res["result"])) { // cancelled
                            $abort = true;
                            break;
                        }
                        $macaddr = strtoupper(trim($res["result"]));
                        if (preg_match($macPattern, $macaddr)) {
                            break;
                        }
                        $droid->makeToast("Invalid MAC address. (example: 00:00:00:00:00:00 to FF:FF:FF:FF:FF:FF)");
                    }
                    $rpl = "macaddr=" . $macaddr;
                    break;
                case "scan":
                    $droid->dialogCreateSpinnerProgress("Now scanning network...");
                    // read the arp cache and filter ip and MAC addresses from the output
                    exec("arp -a", $out);
                    preg_match_all("/\(([0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)\) at (([a-f0-9]{2}:){5}[a-f0-9]{2})/i",
                                   strtoupper(implode("\n", $out)), $res);
                    $droid->dialogDismiss();
                    // build the list of hosts
                    $arr = array("list" => array(), "ip" => array(), "mac" => array());
                    for ($i = 0; $i < count($res[1]); $i++) {
                        $arr["list"][] = $res[1][$i] . "\n=> " . $res[2][$i];
                        $arr["ip"][] = $res[1][$i];
                        $arr["mac"][] = $res[2][$i];
                    }
                    if (count($arr["list"]) == 0) {
                        $droid->makeToast("No hosts found in the arp cache.");
                        $abort = true;
                        break;
                    }
                    // count the hosts, not the three keys of $arr
                    $droid->dialogCreateAlert("Found " . count($arr["list"]) . " hosts... please choose:");
                    $droid->dialogSetItems($arr["list"]);
                    $droid->dialogShow();
                    $res = $droid->dialogGetResponse();
                    $droid->dialogDismiss();
                    if (!isset($res["result"]->item)) { // cancelled
                        $abort = true;
                        break;
                    }
                    $rpl = "macaddr=" . $arr["mac"][$res["result"]->item];
                    break;
                case "reset": default:
                    $rpl = null;
                    break;
            }
            if ($abort) {
                $action = "exit";
                break;
            }
            // edit src: replace an existing macaddr line, drop it on reset, or append a new one
            if ($spoofed || empty($rpl)) {
                $src = rtrim(preg_replace("/macaddr=.*/i", (string) $rpl, $src));
            } else {
                $src = rtrim($src) . "\n" . $rpl;
            }
            // disable wifi while the config is rewritten
            $droid->toggleWifiState(false);
            // save tmp file
            file_put_contents($tmp, $src . "\n");
            // overwrite the real config with root privileges
            exec($cmd);
            $droid->makeToast("Operation complete.");
            $action = "exit";
            break;

        // exit: enable wlan and quit
        case "exit":
        default:
            $droid->toggleWifiState(true);
            $droid->exit();
            exit();
    }
}
I am really not sure if it is going to work for you. I tested it under devoid #forever (CM7, 2.3.4). Maybe other ROMs and other smartphones are going to behave differently. And to be honest, for me it didn't work that well either until now.
If you are having trouble, you can also try to reboot after spoofing.
Have fun trying.
Is this all about adding macaddr to nvram.txt, as we discussed earlier?
Nice work.
I added another very experimental function which I named "MAC takeover". It allows the user to scan the network for all connected MAC addresses and afterwards display and finally spoof one of those addresses.
The whole script might be buggy, so tell me if something doesn't work properly.
Please note that you are only allowed to use this script in networks where you have permission to do so. Especially the use of the "MAC takeover" function might be illegal in different networks.
See the changes above in the source code.
Is this all about adding macaddr to nvram.txt, as we discussed earlier?
Yup, but it makes things a lot easier, because you just need your phone to change the MAC address. Additionally it has something like an interface.
I have a bash script somewhere doing the same (except for takeover... nasty boy). Will post it when I find it. Should be a hell of a lot easier to use (just bash, no weird stuff needed).
This is actually quite easy as well, you just need PHP installed on android. However, I'm also very interested in that bash script, please share!
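In the meantime, the same edit done in shell, as an added example (not the bash script mentioned above and not the PHP script): it validates the address, rewrites or appends the macaddr= line in a copy of nvram.txt and can undo it. Beyond what the PHP script checks, it refuses addresses whose first octet has the I/G bit set (an odd second hex digit), because those are multicast addresses and a station cannot legitimately carry one; the default 13:57:9B:DF:13:37 in the PHP script is such an address, since 0x13 is odd. The demo file content is constructed, and the block device and remount step from the PHP script are device specific and left to the caller.

```sh
#!/system/bin/sh
# Added example (not the PHP script above, nor the bash script mentioned in
# the reply): rewrite the macaddr= line of a Broadcom nvram.txt copy.
# Moving the result over /etc/wl/nvram.txt (remount, mv, chmod) is left to
# the caller, exactly as the PHP script does it with su.

H='[0-9A-Fa-f]'

# valid_unicast_mac MAC: six colon-separated hex pairs, and the I/G bit of the
# first octet must be 0. An odd second hex digit means the bit is set and the
# address is multicast; drivers may refuse it and an AP may never answer it.
valid_unicast_mac() {
    case "$1" in
        $H$H:$H$H:$H$H:$H$H:$H$H:$H$H) ;;
        *) return 1 ;;
    esac
    case "$1" in
        ?[13579bBdDfF]:*) return 1 ;;
    esac
    return 0
}

# current_mac FILE: print the macaddr= value, or nothing if the line is absent.
current_mac() {
    sed -n 's/^macaddr=//p' "$1"
}

# set_nvram_mac FILE MAC: replace an existing macaddr= line or append one.
# Writes FILE.new next to FILE and renames it, so a failed sed leaves FILE intact.
set_nvram_mac() {
    file=$1 mac=$2
    valid_unicast_mac "$mac" || { echo "invalid or multicast MAC: $mac" >&2; return 1; }
    mac=$(printf '%s' "$mac" | tr 'a-f' 'A-F')
    if grep -q '^macaddr=' "$file"; then
        sed "s/^macaddr=.*/macaddr=$mac/" "$file" > "$file.new"
    else
        { cat "$file"; echo "macaddr=$mac"; } > "$file.new"
    fi
    mv -f "$file.new" "$file"
}

# reset_nvram_mac FILE: drop the macaddr= line so the hardware address is used again.
reset_nvram_mac() {
    grep -v '^macaddr=' "$1" > "$1.new" || true
    mv -f "$1.new" "$1"
}

# Demo on a constructed stand-in for /etc/wl/nvram.txt.
WORK="${TMPDIR:-/tmp}"            # on the phone: TMPDIR=/sdcard
DEMO="$WORK/nvram-demo.txt"
printf 'manfid=0x2d0\nprodid=0x492\n' > "$DEMO"
set_nvram_mac "$DEMO" "02:11:22:33:44:55" && echo "spoofed: $(current_mac "$DEMO")"
reset_nvram_mac "$DEMO" && echo "reset: '$(current_mac "$DEMO")'"
```

Run it on a copy under /sdcard, then move the result over /etc/wl/nvram.txt with the remount commands from the PHP script. A locally administered address (second hex digit 2, 6, A or E) is the safe choice when you do not need a particular vendor prefix.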
[script] reliable interface stats
pro: reliable, works on any Linux; low battery consumption; runs only when necessary
contra: no GUI
prerequisites: script manager able to trigger on network changes
root is not needed, because the script uses the readable-for-all /proc/net/dev interface to gather statistics.
My problem was that I could not find any app that would give me the megabytes sent from/to the device. They would either ignore GPRS or WiFi, count from reboot to reboot, display stupid ads, or even cost money without delivering. I'm on a data flatrate with throttling from 200MB up, and I only want to know how much I already "spent".
The following script should run on network changes, but it can be run at any time. You get more data entries in the log files for the various active interfaces when running it more often.
EDIT: it turns out the "network change" event works perfectly for interface wlan0, but not for pdp0, which happens to be the GPRS/G2/G3/G4 packet interface. Maybe "Tasker" does better than "Script Manager" with this; try and find out. What will always work is manual mode: after using an interface, run the script. This will enter the numbers from any interface that had traffic into the respective log.
The script is run with zero or one argument. If given, it can be the name of an interface or the string "all" to get just a readout of the current counters of all interfaces that had traffic without logging anything.
The output is lines with bytes, data packets, erroneous and dropped packets for "rx" (received) and "tx" (transmitted) for all or the selected interfaces. Without arguments all active interfaces are logged to separate files in /sdcard/. If you want to change this directory, the names or the date format, well, it should be easy to adapt.
Note that this first script does only data gathering as to the byte counts and it must run on network events. See below for the script(s) that do evaluation according to date to find out how much to go until throttling.
Code:
#!/system/bin/sh
# Log rx/tx counters of active interfaces from /proc/net/dev (world readable, no root needed).
# Usage: interface-stats.sh [IFACE|all]
#   no argument  log every interface that had traffic, one file per interface
#   IFACE        log only that interface
#   all          print the counters of every active interface without logging
want_if="${1:-*}"
all=""
case "-${want_if}" in
    -all) want_if="*"; all=all ;;
esac
log_prefix="/mnt/sdcard/interface-stats"
now="$(date '+%d.%m.%y-%H:%M:%S')"

# /proc/net/dev layout (two header lines, then one line per interface):
# rx: bytes packets errs drop fifo frame compressed multicast
# tx: bytes packets errs drop fifo colls carrier compressed
#     lo: 4944 74 0 0 0 0 0 0 4944 74 0 0 0 0 0 0
#  wlan0: 42447725 41554 302 0 0 0 0 0 3280981 33753 0 0 0 0 0 0
# With large counters the kernel may print "wlan0:42447725" without a space
# after the colon, so split on the colon instead of relying on word splitting.
while read -r line
do
    case "${line}" in
        *:*) ;;
        *) continue ;;                # header lines
    esac
    intf_="${line%%:*}"
    intf_="${intf_##* }"              # strip leading padding
    set -- ${line#*:}
    [ $# -ge 12 ] || continue
    rb=$1 rp=$2 re=$3 rd=$4
    tb=$9 tp=${10} te=${11} td=${12}
    case "${intf_}" in
        ${want_if}) ;;
        *) continue ;;
    esac
    case "${rb}--${tb}" in
        0--0) continue ;;             # never carried any traffic
    esac
    stats="rx: $rb $rp $re $rd tx: $tb $tp $te $td"
    echo "${intf_}: ${stats}"
    [ -z "${all}" ] &&
        echo "${now} ${stats}" >> "${log_prefix}-${intf_}.txt"
done < /proc/net/dev
exit 0
Here's the script to output the megabytes. It gets zero, one or two arguments, the first being a date pattern that needs to match the dates in the log file, the second the name of said log (the interface).
An optional third argument, if given, gives debug output. Use only if the number doesn't look plausible.
It doesn't need any special privileges and can be run anytime.
If less than one megabyte has been hit so far, then the output is the number of bytes. Due to limitations of "awk" there can still be decimals in the output!
Code:
#!/system/bin/sh
# /home/ino/interface-stats.sh _date: 20120225-2103_
# vim: set filetype=sh ts=4:
# -*- mode: sh; -*-
#
# <url:man:1 awk>
# sample:
#
# 25.02.12-02:28:28 rx: 182909647 374371 462 0 tx: 681742703 542899 0 0
# 25.02.12-12:15:00 rx: 3 374464 494 0 tx: 5 542974 0 0
#
# at around noon the device was rebooted, so the stats start at low
# values.
#
# algorithm:
#
# initialize old-accumulator and offset to zero.
#
# since received and transmitted bytes are accumulated by the kernel,
# the script has to just store the sum of the received and transmitted
# bytes into an accumulator, unless the current value is less than the
# running count. this happens after a reboot. so store this first low
# value into $offset, store the old accumulator and keep the running game
# until either the next reboot or EOF. now
# accumulator = old-accumulator + accumulator - offset.
#
# usage: <this script> [DATE_PATTERN] [INTERFACE] [debug]
#   any third argument switches debug output on.
awk_prog='
BEGIN {
    debug = debug > 0
    accu = 0
    accu_old = 0
    offset = 0
    accu_sum = 0
    # megabytes
    mb_scaler = 1024 * 1024
    # field definitions
    rx_bytes = 3
    rx_packets = 4
    rx_errors = 5
    rx_dropped = 6
    tx_bytes = 8
    tx_packets = 9
    tx_errors = 10
    tx_dropped = 11
    # default date pattern; the dot needs a double backslash, once for the
    # awk string and once for the regex
    # 25.02.12-12:15:00 rx: 3 374464 494 0 tx: 5 542974 0 0
    pat_date_dflt = "[0-9][0-9]\\.[0-9][0-9]\\.[0-9][0-9]-[0-9][0-9]:[0-9][0-9]:[0-9][0-9]"
    pat_date = length(pat_date) == 0 ? pat_date_dflt : pat_date
}
function dbg(x) {
    if (debug > 0) print("debug: " x)
}
# no particular validity check: if there are 11 fields and the first one
# matches the date the user is after, we will use the record.
(NF == 11) && ($1 ~ pat_date) {
    dbg("select line: " $0)
    accu_sum = $rx_bytes + $tx_bytes
    if (accu_sum < accu) {
        # counters went backwards: a reboot. bank what we have so far.
        dbg("break: accu_sum=" accu_sum "; accu_old=" accu_old "; accu=" accu "; offset=" offset)
        accu = accu_old + accu - offset
        accu_old = accu
        offset = accu_sum
        accu = accu_sum
    } else {
        accu = accu_sum
    }
}
END {
    dbg("eof: accu_sum=" accu_sum "; accu_old=" accu_old "; accu=" accu "; offset=" offset)
    accu = accu_old + accu - offset
    if (accu > mb_scaler) accu = (accu / mb_scaler) "MB"
    print(accu)
}
'
debug=0
[ $# -ge 3 ] && debug=1
log_prefix="/mnt/sdcard/interface-stats"
dates="${1:-.}"
want_if="${2:-wlan0}"
input="${log_prefix}-${want_if}.txt"
[ -r "${input}" ] || { echo "no log for ${want_if}: ${input}" >&2; exit 1; }
awk -v pat_date="${dates}" -v debug="${debug}" "${awk_prog}" "${input}"
And finally this one is for quick inspection of a log. It gets the name of an interface as argument if needed. Again it needs no privileges and is appropriate for use as a SMwidget.
Code:
#!/system/bin/sh
# Quick look at one interface log: print the logged counters, skipping empty samples.
want_if="${1:-wlan0}"
log_prefix="/mnt/sdcard/interface-stats"
logg="${log_prefix}-${want_if}.txt"
[ -r "${logg}" ] || exit 0
while read -r tim rx rb rp re rd tx tb tp te td rest
do
    case "${rb}--${tb}" in
        0--0) continue ;;
    esac
    stats="rx: $rb $rp $re $rd tx: $tb $tp $te $td"
    echo "${tim} ${stats}"
done < "${logg}"
exit 0
Does somebody know what tags to brace code with in order to keep formatting intact? To me all my stuff has no indentation and lines seem to break at other points than just and only newlines!
EDIT: just found out that there's no problem in the web view, it's just the "forum runner" that can't render what the "\[ code \]" tag generates.
Well, as an alternative, what's the least-hassle file dump?
Q&A for [2.2+][ROOT][1.3.4.1] AFWall+ IPTables Firewall [21 Aug 2014]
Some developers prefer that questions remain separate from their main development thread to help keep things organized. Placing your question within this thread will increase its chances of being answered by a member of the community or by the developer.
Before posting, please use the forum search and read through the discussion thread for [2.2+][ROOT][1.3.4.1] AFWall+ IPTables Firewall [21 Aug 2014]. If you can't find an answer, post it here, being sure to give as much information as possible (firmware version, steps to reproduce, logcat if available) so that you can get help.
Thanks for understanding and for helping to keep XDA neat and tidy!
Which app to enable for streaming?
I'm running in whitelist mode and would like to enable a browser to watch streaming videos. Enabling the browser was obvious, but when I click on something to watch a stream I get an error message about not being able to download the file. Can you let me know which app I need to whitelist for this to work? I tried whitelisting "Media Server" but that did not help.
Thanks.
xraken said:
I'm running in whitelist mode and would like to enable a browser to watch streaming videos. Enabling the browser was obvious, but when I click on something to watch a stream I get an error message about not being able to download the file. Can you let me know which app I need to whitelist for this to work? I tried whitelisting "Media Server" but that did not help.
Thanks.
try allowing "Download Manager"
That did not work. The exact message is "Error reading video file". This works when firewall is off, so I just need to find the 'thing' that needs to be white listed.
Sorry, made a noob mistake. Did not realize I needed to select "Apply filters" for it to take effect. Thanks, works as expected now.
Hi, I am hoping someone can help me to get T-Mobile MMS working with DNSqache, an app by xda member tdhite that uses polipo as a proxy, caches DNS requests and allows you to select the DNS provider of your choice.
When DNSqache is activated it runs this script:
Code:
run killall dnsqache
run rm -f "/data/data/com.tdhite.dnsqache/var/dnsqache.pid"
run "/data/data/com.tdhite.dnsqache/bin/dnsqache" "--conf-file=/data/data/com.tdhite.dnsqache/conf/dnsqache.conf"
setprop "dnsqache.status" running
run chmod 644 "/data/data/com.tdhite.dnsqache/var/dnsqache.log"
run iptables "-t" nat "-N" dnsqache
run iptables "-t" nat "-A" dnsqache "-p" tcp "--dport" "53" "--destination" "8.8.8.8" "-j" RETURN
run iptables "-t" nat "-A" dnsqache "-p" udp "--dport" "53" "--destination" "8.8.8.8" "-j" RETURN
run iptables "-t" nat "-A" dnsqache "-p" tcp "--dport" "53" "--destination" "8.8.4.4" "-j" RETURN
run iptables "-t" nat "-A" dnsqache "-p" udp "--dport" "53" "--destination" "8.8.4.4" "-j" RETURN
run iptables "-t" nat "-A" dnsqache "-p" udp "--dport" "53" "-j" DNAT "--to-destination" "127.0.0.1:5353"
run iptables "-t" nat "-A" dnsqache "-p" tcp "--dport" "53" "-j" DNAT "--to-destination" "127.0.0.1:5353"
run iptables "-t" nat "-I" OUTPUT "-j" dnsqache
I posted following in the DNSqache thread but no luck yet.
OK, if anyone who is knowledgeable can help, it would be great.
On T-Mobile, when a multimedia message is sent or received it will not go through if the DNS has changed. I think it is because the IP is a private IP, so the only DNS servers that can access it are T-Mobile's. I have sent MMS with a "network connections" app that shows what connection is made by each app, Android system etc.
The DNS servers that are stock TMobile are
dns1:10.177.0.34,dns2:10.176.83.140
With the following APN
APN for T-Mobile LTE
>fast.t-mobile.com
>MMSC:
>http://mms.msg.eng.t-mobile.com/mms/wapenc
>MMS proxy:
>blank
>MMS proxy port:
>blank
When an MMS is sent from myself to myself with standard DNS settings.
Android system connects to 10.177.0.34
then Android system and the Messaging app connect to one of a few IPs that are the same for both; for each message the IPs were all on port 80 and were 10.176.75.129, 10.176.75.130, 10.184.75.130 or 10.184.75.129. Then the message is received.
I tried editing the APN to one of the IP addresses above, thinking that the phone might send the MMS if it does not have to use a lookup service and connects directly to T-Mobile's IPs, like this:
>MMSC:
>10.176.75.129
>MMS proxy:
>blank
>MMS proxy port:
>blank
Send the MMS and it goes through and in network connections it shows the same connections to the IPs as when the MMSC was a domain name.
When I attempt to send an MMS with DNSqache activated, with both Google and OpenDNS servers selected, it does not send the MMS and will not receive MMS.
I also tried the APN with the T-Mobile MMS proxy set to 216.155.165.50 port 8080, and the MMS messages go through as long as DNSqache is not active, the same as if there was nothing in MMS proxy.
With this information, does anyone know if there is something that can be done to still get MMS working with DNSqache active? In DNSqache, with the polipo proxy selected, I entered all the IP addresses that MMS was connecting to and the MMS proxy address, and that also didn't work.
Update/edit: In AdAway I set a redirect for mms.msg.eng.t-mobile.com to 10.176.75.129. When I send the message it sends successfully, but doesn't receive it, whereas it would just create an error without the redirect.
If I set DNSqache to use one Google and one T-Mobile DNS server, it sends and receives the message. But what I want to do is just use Google or OpenDNS for the cached DNS, without using T-Mobile's except for the Android messaging app and possibly Android system, as these are the apps that make connections when sending/receiving MMS; or possibly have anything on any app that is coming from or going to *.t-mobile.com use T-Mobile's DNS while the rest of the phone uses DNSqache.
Hopefully that covers everything but if you need a log from anything I can get it.
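The DNAT rules in the script above redirect every UID's port-53 traffic to the cache, so nothing on the phone reaches T-Mobile's 10.x resolvers, and names inside the carrier's private MMS infrastructure cannot be answered by Google or OpenDNS. One way to get the split the poster asks for at the iptables level, as an added example that is not DNSqache code and was not tested on T-Mobile: insert rules ahead of the DNAT so that queries already addressed to a carrier resolver are left alone, and queries from the UIDs that carry MMS are rewritten to the carrier resolver instead of the cache. Rewriting rather than just exempting means it does not matter what the system resolver currently points at. The chain name dnsqache and the resolver addresses come from the posts; the UID 10014 is a placeholder to be replaced with the real UID of the messaging app.

```sh
#!/system/bin/sh
# Added example, not part of DNSqache: let MMS traffic resolve through the
# carrier while everything else keeps going through the cache.
# Assumptions: the nat chain is called "dnsqache" as in the script above; the
# resolvers are the ones the poster listed; the UID of the messaging app is
# looked up by the caller (10014 below is a placeholder, not a known value).

IPTABLES=${IPTABLES:-/system/bin/iptables}

# dns_split_rules CHAIN "UID ..." "SERVER ...": print one iptables command per
# line. Each is inserted at position 1, so it is evaluated before the DNAT to
# 127.0.0.1:5353. Queries already addressed to a carrier resolver are left
# alone; queries from the listed UIDs are rewritten to the first resolver.
dns_split_rules() {
    chain=$1 uids=$2 servers=$3
    first=${servers%% *}
    for srv in $servers; do
        for proto in udp tcp; do
            echo "$IPTABLES -t nat -I $chain 1 -p $proto --dport 53 -d $srv -j RETURN"
        done
    done
    for uid in $uids; do
        for proto in udp tcp; do
            echo "$IPTABLES -t nat -I $chain 1 -p $proto --dport 53 -m owner --uid-owner $uid -j DNAT --to-destination $first:53"
        done
    done
}

# rule_count CHAIN UIDS SERVERS: how many commands dns_split_rules would run.
rule_count() { dns_split_rules "$@" | wc -l | tr -d ' '; }

# apply_rules: execute each command, or only print it when DRY_RUN is set.
apply_rules() {
    while read -r cmd; do
        if [ -n "$DRY_RUN" ]; then echo "$cmd"; else $cmd; fi
    done
}

DRY_RUN=${DRY_RUN-1}          # set DRY_RUN= (empty) and run as root to apply
MMS_UIDS=${MMS_UIDS:-10014}   # placeholder; e.g.: dumpsys package com.android.mms | grep userId
CARRIER_DNS="10.177.0.34 10.176.83.140"
dns_split_rules dnsqache "$MMS_UIDS" "$CARRIER_DNS" | apply_rules
```

The exempted UIDs lose the cache and use the carrier's resolvers for everything they look up, not just MMS hosts, which is the trade-off of doing this per application rather than per domain. The rules live in the dnsqache chain, so they disappear together with it when DNSqache is stopped and have to be re-added after it restarts.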
Problem with "Smart Network" on Lollipop
Hi:
I'm running AFWall+ on a stock and rooted Nexus 5 with Lollipop (LRX21O). I'm having an issue where the "smartnetwork" feature thinks that the wifi connection is down because it's getting blocked by AFWall+. Looking at the logcat, this is what happens if AFWall+ is enabled (note I inserted an extra "t" in htttp because otherwise the forum software thinks i'm trying to post a link and won't let me):
Code:
D/NetworkMonitorNetworkAgentInfo [WIFI () - null]( 782): Checking htttp://clients3.google.com/generate_204 on "XXXXX"
D/NetworkMonitorNetworkAgentInfo [WIFI () - null]( 782): Probably not a portal: exception java.net.UnknownHostException: Unable to resolve host "clients3.google.com": No address associated with hostname
and if AFWall+ is not enabled I get this:
Code:
D/NetworkMonitorNetworkAgentInfo [WIFI () - null]( 782): Checking htttp://clients3.google.com/generate_204 on "XXXXX"
D/NetworkMonitorNetworkAgentInfo [WIFI () - null]( 782): isCaptivePortal: ret=204 headers={null=[HTTP/1.1 204 No Content], Content-Length=[0], Content-Type=[text/html; charset=UTF-8], Date=[Wed, 19 Nov 2014 03:15:12 GMT], Server=[GFE/2.0], X-Android-Received-Millis=[1416366905558], X-Android-Response-Source=[NETWORK 204], X-Android-Sent-Millis=[1416366905422]}
On my phone process 782 is system_server owned by user "system":
Code:
system 782 196 1875652 151224 ffffffff 00000000 S system_server
And in the iptables rules, system is allowed to access the network while on wifi:
Code:
Chain afwall-wifi-wan (1 references)
target prot opt source destination
RETURN all -- anywhere anywhere owner UID match root
RETURN all -- anywhere anywhere owner UID match system
Thus, I'm pretty perplexed as to why the system might think wifi isn't working. Of course when it does that, it forces all traffic to go over mobile data, which means I can never use the wifi connection -- not exactly good.
Anyone else having this issue? Any suggestions?
daxvex said:
I'm running AFWall+ on a stock and rooted Nexus 5 with Lollipop (LRX21O). I'm having an issue where the "smartnetwork" feature thinks that the wifi connection is down because it's getting blocked by AFWall+. [...]
BTW, I have narrowed it down. I'm not sure if this is a bug or not. When I have LAN control enabled, it produces this little chain snippet:
Code:
Chain afwall-wifi-fork (2 references)
target prot opt source destination
REJECT all -- anywhere anywhere reject-with icmp-port-unreachable
Which is obviously bad. If I disable LAN control, it produces the right chain contents
Code:
Chain afwall-wifi-fork (2 references)
target prot opt source destination
afwall-wifi-wan all -- anywhere anywhere
Looking at the code, the suspicious snippet is
Code:
if (G.enableLAN() && !cfg.isTethered) {
if(setv6 && !cfg.lanMaskV6.equals("")) {
cmds.add("-A " + AFWALL_CHAIN_NAME + "-wifi-fork -d " + cfg.lanMaskV6 + " -j " + AFWALL_CHAIN_NAME + "-wifi-lan");
cmds.add("-A " + AFWALL_CHAIN_NAME + "-wifi-fork '!' -d " + cfg.lanMaskV6 + " -j " + AFWALL_CHAIN_NAME + "-wifi-wan");
} else if(!setv6 && !cfg.lanMaskV4.equals("")) {
cmds.add("-A " + AFWALL_CHAIN_NAME + "-wifi-fork -d " + cfg.lanMaskV4 + " -j " + AFWALL_CHAIN_NAME + "-wifi-lan");
cmds.add("-A " + AFWALL_CHAIN_NAME + "-wifi-fork '!' -d "+ cfg.lanMaskV4 + " -j " + AFWALL_CHAIN_NAME + "-wifi-wan");
} else {
// No IP address -> no traffic. This prevents a data leak between the time
// the interface gets an IP address, and the time we process the intent
// (which could be 5+ seconds). This is likely to catch a little bit of
// legitimate traffic from time to time, so we won't log the failures.
cmds.add("-A " + AFWALL_CHAIN_NAME + "-wifi-fork -j REJECT");
}
where if for some reason Android L slightly changed the way the netmask is being extracted, it might extract to blank and result in an empty netmask. I'm not setup to compile and there are no logging hooks so I can't go any further.
Is this a bug? can anyone with a development environment look into this?
@daxvex, Thanks for the details. I haven't had a chance to install Lollipop on my N7. I'll try to look into it this weekend.
ukanth said:
@daxvex, Thanks for the details. I haven't had a chance to install Lollipop on my N7. I'll try to look into it this weekend.
BTW, I'm seeing this on a Nexus 5. Not sure if that will make a difference or not.
Issue with orwall
I installed orbot and since then, every time I reboot the iptables are not there (any app can get to internet) and have to reapply them with AFWall+.
I have since uninstalled Orbot, but still the same issue. Does anyone know what could be done so the AFWall+ rules remain after reboot?
Proposed Fix for Connectivity Bug for Android L
ukanth said:
@daxvex, Thanks for the details. I haven't had a chance to install Lollipop on my N7. I'll try to look into it this weekend.
I finally found some time to set up a dev environment. It seems that in Android L, the system service will try to connect to one of Google's services whenever WIFI becomes present to see if the WIFI interface actually has connectivity. If you enable LAN control, AFWall conservatively rejects all packets to the LAN interface when it thinks there's no WIFI connection (see the last else block below).
Code:
if (G.enableLAN() && !cfg.isTethered) {
if(setv6 && !cfg.lanMaskV6.equals("")) {
cmds.add("-A " + AFWALL_CHAIN_NAME + "-wifi-fork -d " + cfg.lanMaskV6 + " -j " + AFWALL_CHAIN_NAME + "-wifi-lan");
cmds.add("-A " + AFWALL_CHAIN_NAME + "-wifi-fork '!' -d " + cfg.lanMaskV6 + " -j " + AFWALL_CHAIN_NAME + "-wifi-wan");
} else if(!setv6 && !cfg.lanMaskV4.equals("")) {
cmds.add("-A " + AFWALL_CHAIN_NAME + "-wifi-fork -d " + cfg.lanMaskV4 + " -j " + AFWALL_CHAIN_NAME + "-wifi-lan");
cmds.add("-A " + AFWALL_CHAIN_NAME + "-wifi-fork '!' -d "+ cfg.lanMaskV4 + " -j " + AFWALL_CHAIN_NAME + "-wifi-wan");
} else {
// No IP address -> no traffic. This prevents a data leak between the time
// the interface gets an IP address, and the time we process the intent
// (which could be 5+ seconds). This is likely to catch a little bit of
// legitimate traffic from time to time, so we won't log the failures.
cmds.add("-A " + AFWALL_CHAIN_NAME + "-wifi-fork -j REJECT");
}
Thus there is a race. If the system checks for connectivity before AFWall has had a chance to start letting packets through the wifi connection, then the system will mistakenly think the WIFI connection is bad and continue to send all packets to cellular data. I suspect if you tried to replicate this bug on an N7, you would fail.
The solution is pretty simple, you need to loosen it up so even when the wifi connection looks down, you still let the system service and root send packets on wifi. Thus you replace:
Code:
cmds.add("-A " + AFWALL_CHAIN_NAME + "-wifi-fork -j REJECT");
with
Code:
cmds.add("-A " + AFWALL_CHAIN_NAME + "-wifi-fork -m owner --uid-owner root -j RETURN");
cmds.add("-A " + AFWALL_CHAIN_NAME + "-wifi-fork -m owner --uid-owner system -j RETURN");
cmds.add("-A " + AFWALL_CHAIN_NAME + "-wifi-fork -j REJECT");
I have been testing for a bit and it seems to work. Can the developer please review this and if ok with it, commit the fix and update so I can go back to using the version on Google Play. Replying to this thread to let me know when it's done would be most appreciated as well. Thanks! (and thanks for providing this great app!).
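To tell which of the three chain states a phone is actually in without reading rule lists by hand, here is an added shell helper (not AFWall+ code) that classifies `iptables -L afwall-wifi-fork -n` output, and prints the iptables equivalent of the proposed Java change for anyone who wants to insert it from a root shell while waiting for a release. The three listings embedded in it are constructed from the chains quoted in the posts, written in -n form with UIDs 0 and 1000 for root and system. Note that the owner match exempts everything running as root or system, not only the connectivity probe, so it re-opens part of the window the REJECT was meant to close; that is the trade-off the proposed fix accepts.

```sh
#!/system/bin/sh
# Added example, not AFWall+ code: classify `iptables -L afwall-wifi-fork -n`
# output so the REJECT-only state from the posts can be spotted quickly, and
# print the rules the proposed fix corresponds to.

IPTABLES=${IPTABLES:-/system/bin/iptables}

# fork_state: read a chain listing on stdin, print one word:
#   fork-to-wan    only a jump to afwall-wifi-wan (LAN control off)
#   split-lan-wan  LAN mask known, LAN and WAN chains both referenced
#   reject-all     nothing but REJECT: the empty-LAN-mask branch
#   reject-exempt  owner RETURN rules precede the REJECT (the proposed fix)
#   unknown        anything else, including an empty listing
fork_state() {
    has_wan=0 has_lan=0 has_reject=0 has_owner_return=0
    while read -r target rest; do
        case "$target" in
            Chain|target|'') ;;
            afwall-wifi-wan) has_wan=1 ;;
            afwall-wifi-lan) has_lan=1 ;;
            REJECT) has_reject=1 ;;
            RETURN) case "$rest" in *owner*) has_owner_return=1 ;; esac ;;
        esac
    done
    if [ $has_reject -eq 1 ] && [ $has_owner_return -eq 1 ]; then
        echo reject-exempt
    elif [ $has_reject -eq 1 ] && [ $has_wan -eq 0 ] && [ $has_lan -eq 0 ]; then
        echo reject-all
    elif [ $has_wan -eq 1 ] && [ $has_lan -eq 1 ]; then
        echo split-lan-wan
    elif [ $has_wan -eq 1 ]; then
        echo fork-to-wan
    else
        echo unknown
    fi
}

# exempt_rules: iptables equivalent of the Java change in the post, for a
# root shell after AFWall+ has built its chains. Inserting system first and
# root second at position 1 yields root, system, then the existing REJECT.
exempt_rules() {
    echo "$IPTABLES -I afwall-wifi-fork 1 -m owner --uid-owner 1000 -j RETURN"
    echo "$IPTABLES -I afwall-wifi-fork 1 -m owner --uid-owner 0 -j RETURN"
}

# live_state: classify the real chain when iptables is present and we are root.
live_state() {
    if [ -x "$IPTABLES" ] && [ "$(id -u)" = "0" ]; then
        "$IPTABLES" -L afwall-wifi-fork -n 2>/dev/null | fork_state
    else
        echo unavailable
    fi
}

# Constructed listings in -n form, matching the chains quoted in the posts.
BUGGY_CHAIN='Chain afwall-wifi-fork (2 references)
target     prot opt source               destination
REJECT     all  --  0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable'
HEALTHY_CHAIN='Chain afwall-wifi-fork (2 references)
target     prot opt source               destination
afwall-wifi-wan  all  --  0.0.0.0/0            0.0.0.0/0'
FIXED_CHAIN='Chain afwall-wifi-fork (2 references)
target     prot opt source               destination
RETURN     all  --  0.0.0.0/0            0.0.0.0/0            owner UID match 0
RETURN     all  --  0.0.0.0/0            0.0.0.0/0            owner UID match 1000
REJECT     all  --  0.0.0.0/0            0.0.0.0/0            reject-with icmp-port-unreachable'

for name in BUGGY_CHAIN HEALTHY_CHAIN FIXED_CHAIN; do
    eval "listing=\$$name"
    echo "$name: $(printf '%s\n' "$listing" | fork_state)"
done
echo "live chain: $(live_state)"
```

If the live chain reports reject-all while Wi-Fi is up and LAN control is on, the LAN mask came back empty on that ROM and the rules from exempt_rules restore the probe until AFWall+ itself rebuilds the chain.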
cant receive files using superbeam
I am not able to receive files using SuperBeam after installing AFWall+. I am able to send them though. I am not able to receive files using SuperBeam with the Wi-Fi of both phones (the sending phone and my receiving phone) on. But if both phones are connected to the same Wi-Fi network, I am able to receive files using SuperBeam. I uninstalled AFWall+ and SuperBeam is working normally even when the phones are not connected to a Wi-Fi network.
Whats the fix?
afwall blocking vpn unless disable,connect,disconnect,enable,connect,connect. ...
Hi there and happy holidays everyone
Hope someone can point me in the right direction or to a thread more appropriate for this.
Trying to set up VPN on my S4 with latest cm11 nightly, successful so far but...
Only after I disable AFW+ after a reboot of the phone, then connect, then disconnect, then enable AFW+ ... and then I can keep it enabled and connect/disconnect the VPN as much as I like ... until the next reboot of the phone.
Here is what I do:
- boot phone
- try vpn connect - fails.
AFW+ log entry:
___
AppID :0
Application's Name: (root) - Applications running as root
Total Packets Blocked:1
[UDP]IP.of.my.vpntarget:500(1)
___
- disable - enable afw+ (just to see if a disable-enable cycle would solve it already - no)
- try connect vpn
- still blocking with same message
- !disable! afw+ by widget on homescreen
- try connect w/ afw !off!: vpn connects okay
- disconnect vpn
- !enable! afw+ by widget
- try connect vpn w/ afw !ON!: vpn connects okay [emoji3]
...and thereafter as often as I want until reboot.
Huh???
Any ideas? Can't bring up enough google-foo to find the cause/solution for this, sorry! Why would it need this "connect once without afw+"? And how do I get it to work straight away?
Brgds
L^2
afwall fix for superbeam
This is a solution to the problem reported below.
Markuzy said:
I've reported an issue with Wifi Direct using the SuperBeam app on github.
Shall post it here as well for your info and anyone who is interested.
Superbeam will fail if the sending device has AFWall+ installed and is in White list mode.
How to replicate:
1) Set whitelist mode in firewall
2) Select all checkboxes; in theory it should allow all apps
3) Share a file with Superbeam to trigger wifi direct.
4) Superbeam will fail to send any selected file.
My workaround:
1) Set to blacklist mode in firewall
2) Either leave all unchecked or just check your blacklist apps; in my case, I reversed the checkboxes from my whitelist mode.
3) Share a file with Superbeam to trigger wifi direct.
4) Superbeam will successfully send the selected file.
OR
1) Disable firewall.
2) Follow steps 3-4 from above.
Hi Markuzy, I had the same problem as you. I could only get Superbeam working when AFWall+ was disabled. I've found a solution using Custom Scripts from AFWall+ wiki page.
https://github.com/ukanth/afwall/wiki/CustomScripts
This was the script that worked for me. Replace the IP with the IP of the destination device. Fing is a great app for displaying the IPs of all connected devices on the wireless network.
Code:
# Necessary at the beginning of each script!
IP6TABLES=/system/bin/ip6tables
IPTABLES=/system/bin/iptables
# Now add your rules...
# Always allow connections to 192.168.0.1, no matter the interface
$IPTABLES -A "afwall" --destination "192.168.0.1" -j RETURN
Cheers
DNS blocked to USB tethered PC
First off, this is on an HTC One M8 Dev Edition (Sense) Lollipop release. Phone is S-off if matters. I am running AFWall+ 1.3.4.1 (Latest from the Play store).
The problem is that DNS requests appear to be blocked for USB tethering, no matter how I configure iptables. Something is ignoring/misconfiguring -11 (kernel), because when I checked the logs, they showed that process -11 (kernel) was blocked from sending UDP (DNS) to the tethered IP address. However, I specifically enabled the kernel, as well as -12 (tethering DHCP & DNS) and root apps for good measure.
However, it is JUST DNS. If I use an onboard terminal to nslookup the name, say "nslookup form.xda-developers.com", I can use the IP address from the tethered machine just fine. (well, I can't for XDA because it immediately redirects, which hangs on DNS lookup...) It appears that TCP isn't being blocked, just UDP. Further, local apps have no problem accessing the network in any way - it's just the USB tethered PC that is having trouble. I have not tried WiFi tethering yet.
I will add that I started with DroidWall, and migrated to AFWall+ when I found DroidWall wasn't listing all of the system services. I note that because I am still seeing references to droidwall in the iptables rule set. I'm not clear on how I can completely blow away the rules and start fresh (I thought enable/disable the firewall did that?)
I can clear up the problem by disabling the firewall entirely.
How to use real multi user?
Half answer:
Ok, I found out what's going on. The app is installed as uid u0_a123(10123). In the other users it runs as uids u10_a123(1010123) and u11_a123(1110123). AFwall is not aware of these uids and so I can't allow them. I guess you should either have an app-list per user, or a user list per app. Unless you want to deal with the switching (and to my preference) this should be maintained by the main user only.
Original question:
I have several AFwall profiles, for specific apps to which I want to rarely permit internet. You alternately refer to this as multi user, but I feel that's a totally different thing, as follows:
Now I have gone multi user (androidcoliseum.com/2014/01/how-to-enable-multi-user-profiles-on.html) and have created restricted Android profiles to run the same app in parallel with different settings.
The FW whitelistings that work in my main user, seem to disappear when I switch. I tried granting AFwall to the other profile (which was allowed), but your app is nonetheless not visible in the restricted profile. Probably the required root permission runs counter to the idea of restriction.
The dirty solution is to turn off the FW before switching, but I hate to do that. If it could be automated with tasker, that would be better than nothing, but anyway I couldn't figure out how. Any enlightenment or solution?
The FAQ mentions making it a system app, which would then hover above individual users? You don't elaborate why you discourage that.
Galaxy S3, CM11 november snapshot.
Lollipop and AFWALL+: No Wifi Location
Hello all,
after I have run Lollipop on my Nexus 5 for some time, I installed AFWALL+
After I set up the whitelist so that most things are working, I figured out that Wi-Fi based location is not working. Maps just shows me a very coarse location when I'm inside a building.
When I now disable the firewall or even uninstall AFWALL+ the location service is still not working.
Has anyone had similar issues or a solution?
daxvex said:
I finally found some time to setup a dev environment. It seems that in Android L, the system service will try to connect to one of Google's services whenever WIFI becomes present to see if the WIFI interface actually has connectivity. If you enable LAN control, AFwall conservatively rejects all packets to the LAN interface when it thinks there's no WIFI connection (see the last else block below).
Code:
if (G.enableLAN() && !cfg.isTethered) {
    if (setv6 && !cfg.lanMaskV6.equals("")) {
        cmds.add("-A " + AFWALL_CHAIN_NAME + "-wifi-fork -d " + cfg.lanMaskV6 + " -j " + AFWALL_CHAIN_NAME + "-wifi-lan");
        cmds.add("-A " + AFWALL_CHAIN_NAME + "-wifi-fork '!' -d " + cfg.lanMaskV6 + " -j " + AFWALL_CHAIN_NAME + "-wifi-wan");
    } else if (!setv6 && !cfg.lanMaskV4.equals("")) {
        cmds.add("-A " + AFWALL_CHAIN_NAME + "-wifi-fork -d " + cfg.lanMaskV4 + " -j " + AFWALL_CHAIN_NAME + "-wifi-lan");
        cmds.add("-A " + AFWALL_CHAIN_NAME + "-wifi-fork '!' -d " + cfg.lanMaskV4 + " -j " + AFWALL_CHAIN_NAME + "-wifi-wan");
    } else {
        // No IP address -> no traffic. This prevents a data leak between the time
        // the interface gets an IP address, and the time we process the intent
        // (which could be 5+ seconds). This is likely to catch a little bit of
        // legitimate traffic from time to time, so we won't log the failures.
        cmds.add("-A " + AFWALL_CHAIN_NAME + "-wifi-fork -j REJECT");
    }
}
Thus there is a race. If the system checks for connectivity before AFWall has had a chance to start letting packets through the wifi connection, then the system will mistakenly think the WIFI connection is bad and continue to send all packets to cellular data. I suspect if you tried to replicate this bug on an N7, you would fail.
The solution is pretty simple: you need to loosen it up so that even when the wifi connection looks down, you still let the system service and root send packets on wifi. Thus you replace:
Code:
cmds.add("-A " + AFWALL_CHAIN_NAME + "-wifi-fork -j REJECT");
with
Code:
cmds.add("-A " + AFWALL_CHAIN_NAME + "-wifi-fork -m owner --uid-owner root -j RETURN");
cmds.add("-A " + AFWALL_CHAIN_NAME + "-wifi-fork -m owner --uid-owner system -j RETURN");
cmds.add("-A " + AFWALL_CHAIN_NAME + "-wifi-fork -j REJECT");
I have been testing for a bit and it seems to work. Can the developer please review this and, if OK with it, commit the fix and update so I can go back to using the version on Google Play. Replying to this thread to let me know when it's done would be most appreciated as well. Thanks! (and thanks for providing this great app!).
Have you had any response to this? Is it responsible for the wifi - exclamation mark issue?
Sent from my Nexus 4 using Tapatalk
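To make the race in the quoted post concrete, here is an added Python model (my own, not AFWall's code) of the afwall-wifi-fork chain built by that snippet, with and without the two owner-match RETURN rules, evaluated for a packet from the system uid during the window in which the interface has no address yet. The chain names follow the snippet; the uids and the check-server address are constructed.

```python
import ipaddress

AFWALL_CHAIN_NAME = "afwall"                     # as in the Java snippet
UID_ROOT, UID_SYSTEM, UID_APP = 0, 1000, 10123   # Android root, system, an ordinary app (constructed)

def wifi_fork_rules(lan_mask_v4, with_owner_fix):
    """Build the afwall-wifi-fork chain the way the snippet does.
    lan_mask_v4 == "" models the window in which the interface has no
    address yet; with_owner_fix adds the two RETURN rules from the post."""
    rules = []
    if lan_mask_v4:
        rules.append({"dst_in": lan_mask_v4, "target": AFWALL_CHAIN_NAME + "-wifi-lan"})
        rules.append({"dst_not_in": lan_mask_v4, "target": AFWALL_CHAIN_NAME + "-wifi-wan"})
    else:
        if with_owner_fix:
            # -m owner --uid-owner root/system -j RETURN: hand these packets
            # back to the parent chain instead of rejecting them outright
            rules.append({"uid": UID_ROOT, "target": "RETURN"})
            rules.append({"uid": UID_SYSTEM, "target": "RETURN"})
        rules.append({"target": "REJECT"})       # the original catch-all
    return rules

def verdict(rules, uid, dst):
    """First matching rule decides, as in a real chain; falling off the end
    of a user-defined chain also returns to the caller."""
    addr = ipaddress.ip_address(dst)
    for rule in rules:
        if "uid" in rule and rule["uid"] != uid:
            continue
        if "dst_in" in rule and addr not in ipaddress.ip_network(rule["dst_in"], strict=False):
            continue
        if "dst_not_in" in rule and addr in ipaddress.ip_network(rule["dst_not_in"], strict=False):
            continue
        return rule["target"]
    return "RETURN"

if __name__ == "__main__":
    CHECK_DST = "203.0.113.10"   # constructed stand-in for the connectivity-check server
    for fixed in (False, True):
        chain = wifi_fork_rules("", fixed)   # no LAN mask yet: the race window
        print("fix applied" if fixed else "original",
              "| system uid ->", verdict(chain, UID_SYSTEM, CHECK_DST),
              "| app uid ->", verdict(chain, UID_APP, CHECK_DST))
    # once the mask is known, every packet is forked to -wifi-lan / -wifi-wan
    chain = wifi_fork_rules("192.168.0.0/24", True)
    print("with mask, app uid to LAN ->", verdict(chain, UID_APP, "192.168.0.5"))
```

Note that RETURN only sends the packet back to the parent chain, where the usual per-app rules still apply; the fix narrows the catch-all, it does not open wifi to everything.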
What is the proper way to uninstall this app?
No response. Also the problem came back despite these changes and I haven't had time to debug further.
Sent from my Nexus 5 using XDA Free mobile app
Hello everyone,
For my first thread, I won't ask a question; I will post a solution.
I have recently acquired a second-hand Ugoos X3 device, which is quite a good device.
But I was really frustrated when testing it after unboxing it, because although this device advertises a Gigabit ethernet port and a built-in samba server, my tests showed a maximum of 11,4 MiB/s instead of the roughly 114 MiB/s it should reach.
I started to identify the reason, with a vast amount of Googling. After realizing how many people on earth had already been through this (mostly unsolved) issue, and after testing that my Ethernet cable was gigabit-ready, I dug into the rabbit hole of the system.
I then discovered the root causes, and you won't like them:
- the smbd binary dates from 2005
- the smb.conf is counter-optimized and dates from this 2005 era
See for yourself:
Code:
/data/system/samba_________________ug # ./smbd -V
Version 3.0.20a
Code:
[global]
interfaces = wlan0 eth0 eth1 eth2
min protocol = SMB2
bind interfaces only = yes
workgroup = WORKGROUP
server string = Samba on Android mediacenter
netbios name = mybox
#remote announce = 255.255.255.255
encrypt passwords = yes
security = SHARE
restrict anonymous = 0
load printers = no
printcap name = /dev/null
disable spoolss = yes
deadtime = 5
delete readonly = yes
nt acl support = no
inherit permissions = yes
socket options = IPTOS_LOWDELAY TCP_NODELAY SO_SNDBUF=64000 SO_RCVBUF=64000 SO_KEEPALIVE
local master = no
unix extensions = yes
[internal storage]
vfs objects = fake_perms
comment = mybox /sdcard
path = /sdcard
force user = root
read only = no
writable = yes
guest ok = yes
A lot of directives in this config file are totally deprecated, and the "socket options" line is responsible for capping at 11,4 MiB/s.
So after having spent this vast amount of time finding the issue, I took some more to patch it.
Here's my solution.
0) Root your device
1) Download the Termux compiled "samba" package for your device architecture: https://grimler.se/termux-packages-24/pool/main/s/samba/
2) On your device, replace the smbd binary with the Termux one, at this location: "/data/system/samba_________________ug"
3) Replace the original "smb.conf" configuration (same directory as before) with this one (which, by the way, contains security hardening features and supports SMBv2, which means you don't have to install SMBv1 on Windows...)
Code:
[global]
lock dir = /data/local/tmp/lock/
state directory = /data/local/tmp/state/
ncalrpc dir = /data/local/tmp/ncalrpc/
interfaces = wlan0 eth0 eth1 eth2
server min protocol = SMB2
bind interfaces only = yes
workgroup = WORKGROUP
server string = Samba on Android mediacenter
netbios name = mybox
server role = standalone server
security = user
map to guest = Bad Password
usershare allow guests = yes
load printers = no
printcap name = /dev/null
disable spoolss = yes
deadtime = 5
delete readonly = yes
nt acl support = no
inherit permissions = yes
local master = no
disable netbios = yes
smb ports = 445
lm announce = no
multicast dns register = no
[internal storage]
vfs objects = fake_perms
comment = mybox /sdcard
path = /sdcard
force user = root
read only = no
writable = yes
guest ok = yes
4) Edit the line that calls the "smbd" binary in the "samba-rc" launch script to this one
Code:
$PRE/smbd -D -s /data/system/samba_________________ug/smb.conf
Reboot your device; you now have a best-of-breed samba server and configuration.
A simple but heartfelt message to Ugoos: update the packages you use in your image! We need more up-to-date binaries and configuration in your products! Provide firmware that does not require people to do insecure things such as installing the SMBv1 client on their client machines!
I am really grateful to these resources which helped a lot:
- https://lafibre.info/nas/perfs-moisies-avec-samba/ (sorry, in french, use google translate)
- https://serverfault.com/questions/470650/samba-configuration-for-public-shares/700449#700449
- https://blog.hiebl.cc/posts/why-your-samba-config-does-not-work/
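As an added check (my own script, not from the Ugoos image or the post above), a small linter that parses the ini-style smb.conf and flags the directives the post singles out: share-level security, the pinned socket buffers behind the throughput cap, a missing minimum protocol, and NetBIOS left enabled. The embedded configs are trimmed copies of the two shown in the post; the finding list is mine, not Samba's own.

```python
import configparser

# Trimmed copies of the two smb.conf files from the post (not the full files)
OLD_CONF = """
[global]
min protocol = SMB2
security = SHARE
socket options = IPTOS_LOWDELAY TCP_NODELAY SO_SNDBUF=64000 SO_RCVBUF=64000 SO_KEEPALIVE
[internal storage]
path = /sdcard
"""
NEW_CONF = """
[global]
server min protocol = SMB2
server role = standalone server
security = user
map to guest = Bad Password
disable netbios = yes
smb ports = 445
[internal storage]
path = /sdcard
"""

def parse_smb_conf(text):
    """smb.conf is ini-style: [sections], 'key = value', '#' or ';' comments."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    return {section: dict(cp[section]) for section in cp.sections()}  # keys come back lower-cased

def lint_global(conf):
    """Return the list of problems found in [global]; empty means clean."""
    g = conf.get("global", {})
    findings = []
    if g.get("security", "").lower() == "share":
        findings.append("security = share: share-level auth, removed in Samba 4; use security = user")
    opts = g.get("socket options", "").split()
    if any(o.startswith(("SO_SNDBUF=", "SO_RCVBUF=")) for o in opts):
        findings.append("socket options pins SO_SNDBUF/SO_RCVBUF, defeating kernel autotuning (the throughput cap)")
    if "server min protocol" not in g:
        hint = " ('min protocol' is the deprecated synonym)" if "min protocol" in g else "; SMB1 may be negotiated"
        findings.append("'server min protocol' not set" + hint)
    if g.get("disable netbios", "no").lower() != "yes":
        findings.append("NetBIOS still enabled; set 'disable netbios = yes' and 'smb ports = 445'")
    return findings

if __name__ == "__main__":
    for name, text in (("original", OLD_CONF), ("replacement", NEW_CONF)):
        print(name, "->", lint_global(parse_smb_conf(text)) or "no findings")
```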
Hello. According to your instructions with file replacement and line editing, the server becomes inoperable. The server activation checkbox is not activated in the ugoos settings. Please describe the actions in more detail or upload files for replacement.
Hello @Nereal-NeSkill,
As for step 1), try to perform a "pkg install samba" first with Termux.
Then, can you perform a "./samba-rc start" and paste the output here?
Was a bit skeptical about replacing the daemon, but it works great!