Vlad
Guest
Hello,
Recently I discovered an issue with packet routing in the latest Android releases (4.4+ KitKat & Lollipop).
It seems that the problem is Android specific, but essentially it comes from the Linux kernel.
I already filed a bug report to Google. You can see the details by searching for 'Android Issue 78910' - it's the first result that pops up.
However, I will be very grateful if anyone could suggest how to debug this in order to resolve it faster.
In a nutshell, my setup consists of 2 interfaces: wlan0 (WiFi AP) and tun0 (VPN tunnel).
My goal is to provide full VPN access to one of the WiFi clients, while additionally forwarding all traffic coming from a specific IP in the VPN to the same client as well.
In my test case the WiFi client address is 192.168.100.50 and the VPN address in question is 172.28.26.36.
I am adding the following IPTABLES rules in order to do that:
echo 1 > /proc/sys/net/ipv4/ip_forward
iptables -t nat -A POSTROUTING -o tun0 -j MASQUERADE
iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT -i tun0 -o wlan0
iptables -A FORWARD -j ACCEPT -o tun0 -i wlan0
iptables -t nat -A PREROUTING -s 192.168.100.50 -j DNAT --to-destination 172.28.26.36
This was working perfectly fine before upgrading to Android 4.4.
When I check the IPTABLES stats I can see that my rules are no longer matching any of the packets.
Monitoring the traffic with TCPDUMP shows that the packets are received and have the correct parameters, so it seems like they are not handled properly by the kernel.
I have downloaded the Android kernel source code, but a lot of things have changed between 4.3 and 4.4, so it won't be easy to find the cause there without strong networking knowledge (which I don't have). The main thing is that Google added UNIX-like multi user support to the OS, which required all of the previously used routing rule setting mechanics to be changed.
As I said, I am quite new to Linux networking, so any help and suggestions will be greatly appreciated.
I am not relying on Google to solve this, as this bug has been out there since last December and apparently the impact is not big enough for them to prioritize (or even acknowledge) it.
However, this is a major setback and a show stopper for my product.
Thanks!
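A small triage helper for the zero-counter observation above, added here as an example and not part of the poster's setup: it parses `iptables -L <chain> -v -n -x` output (the sample below is constructed to mirror the poster's rules) and uses the chain's policy counter to separate "packets traverse the chain but match no rule" from "packets never reach the chain at all", which points either at the rule selectors or at something before netfilter (forwarding, policy routing).

```python
import re

# Constructed sample output of `iptables -t nat -L PREROUTING -v -n -x`
# on a device where the DNAT rule has matched nothing and the chain's
# default policy has seen nothing either.
SAMPLE_NAT = """\
Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
    pkts      bytes target     prot opt in     out     source               destination
       0          0 DNAT       all  --  *      *       192.168.100.50       0.0.0.0/0            to:172.28.26.36
"""

# Constructed sample output of `iptables -L FORWARD -v -n -x`.
SAMPLE_FILTER = """\
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
    pkts      bytes target     prot opt in     out     source               destination
       0          0 ACCEPT     all  --  tun0   wlan0   0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
       0          0 ACCEPT     all  --  wlan0  tun0    0.0.0.0/0            0.0.0.0/0
"""

CHAIN_RE = re.compile(r"^Chain (\S+) \(policy (\S+) (\d+) packets, (\d+) bytes\)")
# pkts bytes target prot opt in out source destination [extra match/target options]
RULE_RE = re.compile(r"^\s*(\d+)\s+(\d+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s*(.*)$")

def parse_chain(text):
    """Return (chain_name, policy_packet_count, rules); each rule is a dict."""
    name, policy_pkts, rules = None, 0, []
    for line in text.splitlines():
        m = CHAIN_RE.match(line)
        if m:
            name, policy_pkts = m.group(1), int(m.group(3))
            continue
        m = RULE_RE.match(line)          # the column header has no leading digits, so it is skipped
        if m and name is not None:
            rules.append({"pkts": int(m.group(1)), "target": m.group(3), "in": m.group(6),
                          "out": m.group(7), "src": m.group(8), "dst": m.group(9),
                          "extra": m.group(10).strip()})
    return name, policy_pkts, rules

def diagnose(text):
    """Classify why a chain's rules show zero hits. Note: nat-table counters only
    count the first packet of each connection, so compare them against new flows."""
    name, policy_pkts, rules = parse_chain(text)
    if rules and all(r["pkts"] > 0 for r in rules):
        return name, "rules are matching"
    if policy_pkts > 0:
        return name, "packets traverse the chain but match no rule: check rule selectors"
    return name, "no packet reaches the chain at all: look before netfilter (forwarding, policy routing)"
```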