Hi,

I determined that since kernel 4.20 there is a problem with an iptables rule w/r to the lo interface.

My firewall config:

    -A INPUT -m conntrack --ctstate INVALID -j logdrop
    -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    -A INPUT -i lo -j ACCEPT
    ...

It is about this line:

    -A INPUT -i lo -j ACCEPT

I have had this config for a very long time and I believe it is programmatically correct as it protects all interfaces. There was no trouble in the past until kernel 4.20.

I run Tor Browser (prod version) that shows there is a problem with closing of its sockets on app close/exit. To test it, I open TB and let it stay idle for 5 min, then close it. I can see that there is a process left behind

    $ ps -ef |grep -i tor
    jb 656 1 0 20:41 tty1 00:00:05 /home/jb/Downloads/tor-browser_en-US/Browser/TorBrowser/Tor/tor --defaults-torrc /home/jb/Downloads/tor-browser_en-US/Browser/TorBrowser/Data/Tor/torrc-defaults -f /home/jb/Downloads/tor-browser_en-US/Browser/TorBrowser/Data/Tor/torrc DataDirectory /home/jb/Downloads/tor-browser_en-US/Browser/TorBrowser/Data/Tor GeoIPFile /home/jb/Downloads/tor-browser_en-US/Browser/TorBrowser/Data/Tor/geoip GeoIPv6File /home/jb/Downloads/tor-browser_en-US/Browser/TorBrowser/Data/Tor/geoip6 HashedControlPassword 16:16d02f0510810bc360a4f4c43439edf97e0c03cfa9d7d0e6137523ead5 +__ControlPort 9151 +__SocksPort 127.0.0.1:9150 IPv6Traffic PreferIPv6 KeepAliveIsolateSOCKSAuth __OwningControllerProcess 625

and firewall log shows some blocked tcp messages

    # iptables -nvL
    Chain INPUT (policy DROP 0 packets, 0 bytes)
     pkts bytes target   prot opt in  out  source     destination
        9   468 logdrop  all  --  *   *    0.0.0.0/0  0.0.0.0/0    ctstate INVALID
     7534 8246K ACCEPT   all  --  *   *    0.0.0.0/0  0.0.0.0/0    ctstate RELATED,ESTABLISHED
       56  3480 ACCEPT   all  --  lo  *    0.0.0.0/0  0.0.0.0/0
    ...

    Chain logdrop (1 references)
     pkts bytes target   prot opt in  out  source     destination
        9   468 LOG      all  --  *   *    0.0.0.0/0  0.0.0.0/0    limit: avg 5/min burst 10 LOG flags 0 level 4
        9   468 DROP     all  --  *   *    0.0.0.0/0  0.0.0.0/0

and they are logged in syslog as well

    Jan 12 13:47:34 r61i kernel: IN=lo OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=127.0.0.1 DST=127.0.0.1 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=30854 DF PROTO=TCP SPT=34714 DPT=9151 WINDOW=512 RES=0x00 ACK FIN URGP=0
    ...

When I move the lo-related firewall rule to the front like this

    -A INPUT -i lo -j ACCEPT
    -A INPUT -m conntrack --ctstate INVALID -j logdrop
    -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

all is fine again, i.e. tcp messages are not blocked, TB closes cleanly without any process left behind.

jb
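One way to check a syslog for the symptom reported above, loopback packets logged by the logdrop chain, is to parse the netfilter LOG entries and keep those that arrived on lo between 127.x addresses. This is an added example, not part of the original post; the function names and the second and third sample lines are constructed, and it assumes the only LOG rule is the one in logdrop, as in the posted ruleset.

```python
TCP_FLAGS = {"CWR", "ECE", "URG", "ACK", "PSH", "RST", "SYN", "FIN"}

# Sample input. Line 1 is the entry quoted in the post; lines 2-3 are
# constructed for contrast (documentation addresses, made-up MAC and ports).
SAMPLE_SYSLOG = (
    "Jan 12 13:47:34 r61i kernel: IN=lo OUT= "
    "MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=127.0.0.1 "
    "DST=127.0.0.1 LEN=52 TOS=0x00 PREC=0x00 TTL=64 ID=30854 DF PROTO=TCP "
    "SPT=34714 DPT=9151 WINDOW=512 RES=0x00 ACK FIN URGP=0\n"
    "Jan 12 13:47:40 r61i kernel: IN=eth0 OUT= "
    "MAC=02:00:00:00:00:01:02:00:00:00:00:02:08:00 SRC=192.0.2.10 "
    "DST=192.0.2.20 LEN=60 TOS=0x00 PREC=0x00 TTL=57 ID=1 DF PROTO=TCP "
    "SPT=40000 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0\n"
    "Jan 12 13:48:01 r61i systemd[1]: Started Session 3 of user jb.\n"
)

def parse_log_line(line):
    """Split a netfilter LOG line into (fields, tcp_flags); None if not one."""
    _, sep, body = line.partition("kernel: ")
    if not sep or "IN=" not in body:
        return None
    fields, bare = {}, set()
    for tok in body.split():
        key, eq, val = tok.partition("=")
        if eq:
            fields[key] = val      # KEY=VALUE pairs such as SRC=, DPT=
        else:
            bare.add(tok)          # bare tokens: DF, ACK, FIN, ...
    return fields, sorted(bare & TCP_FLAGS)

def loopback_drops(text):
    """Return logged packets that came in on lo with 127.x source and destination."""
    hits = []
    for line in text.splitlines():
        parsed = parse_log_line(line)
        if parsed is None:
            continue
        fields, flags = parsed
        local = all(fields.get(k, "").startswith("127.") for k in ("SRC", "DST"))
        if fields.get("IN") == "lo" and local:
            hits.append({"spt": fields.get("SPT"), "dpt": fields.get("DPT"),
                         "flags": flags})
    return hits

if __name__ == "__main__":
    for hit in loopback_drops(SAMPLE_SYSLOG):
        print(hit)
```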