After updating on Android to 1.19.0 I cannot sync anymore

I just updated to 1.19.0 on my Pixel 3 XL with Android 12.

I waited for the rescan to be completed, but now my other machine just shows as Disconnected.

In the logs I just see one thing appearing over and over again:

02-04 11:30:46.298 W/libsyncthing.so( 5666): type=1400 audit(0.0:540): avc: denied { bind } for scontext=u:r:untrusted_app:s0:c225,c256,c512,c768 tcontext=u:r:untrusted_app:s0:c225,c256,c512,c768 tclass=netlink_route_socket permissive=0 bug=b/155595000 app=com.nutomic.syncthingandroid

But after searching for this and reading this, I guess that doesn’t really matter, as the lookup of other devices should still work even with this message, right?

Where else could I search what is causing this issue?

I mean that might mean that Syncthing can’t announce its own address anymore, but the discovery server should still be able to get the address from the announcement.

Anyway, screenshots of the remote devices from both sides are a good way to start debugging this.

@imsodin Thanks for your quick reply!

Here the screenshot from my Android device:

And here from my Linux machine:

On my Linux machine I have the following iptables config (which I guess now after looking at the screenshots might play a role?). However, with the version < 1.19.0 I didn’t have any problems with this config though. Did anything in 1.19.0 change, so that I need to adjust my iptables? Or do I still need to have a look somewhere else?

-P INPUT DROP
-P FORWARD DROP
-P OUTPUT ACCEPT
-N TCP
-N UDP
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -p icmp -m icmp --icmp-type 8 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -p udp -m conntrack --ctstate NEW -j UDP
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m conntrack --ctstate NEW -j TCP
-A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable
-A INPUT -p tcp -j REJECT --reject-with tcp-reset
-A INPUT -j REJECT --reject-with icmp-proto-unreachable
-A INPUT -p tcp -m tcp --dport 22000 -j ACCEPT
-A INPUT -p udp -m udp --dport 22000 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 21027 -j ACCEPT
-A INPUT -p udp -m udp --dport 21027 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22067 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22070 -j ACCEPT

The iptables rules look ok (22000 allowed). Are the IPs/ports listed on the Android correct? If they are, there still has to be some kind of firewall problem, as it’s correctly discovering the Linux machine but still getting connection refused errors.

As for what changed: Likely discovery announcements on Android are mostly broken with the upgrade due to new Android limitations.

Okay, this explains why it was working before.

IPs yes! Ports, I guess yes!? See:

But you are right, it’s an issue with my iptables config. When allowing everything then Syncthing works.

-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT

But I’m not sure why it is not working with my config in my previous post.

Okay, switching lines was necessary. These lines need to come after accepting 22000.

-A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable
-A INPUT -p tcp -j REJECT --reject-with tcp-reset
-A INPUT -j REJECT --reject-with icmp-proto-unreachable

And it doesn’t seem to be necessary to allow the following ports: 21027, 22067, 22070

So finally this iptables config works:

-P INPUT DROP
-P FORWARD DROP
-P OUTPUT ACCEPT
-N TCP
-N UDP
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -p icmp -m icmp --icmp-type 8 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -p udp -m conntrack --ctstate NEW -j UDP
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m conntrack --ctstate NEW -j TCP
-A INPUT -p tcp -m tcp --dport 22000 -j ACCEPT
-A INPUT -p udp -m udp --dport 22000 -j ACCEPT
-A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable
-A INPUT -p tcp -j REJECT --reject-with tcp-reset
-A INPUT -j REJECT --reject-with icmp-proto-unreachable

@imsodin thanks for your patience :sweat_smile:
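
Added example (not part of the original thread and not Syncthing or iptables code): a small first-match simulator showing why the first rule order rejects new connections to port 22000 while the reordered one accepts them. It models only `-p`, `-i`, `--dport` and `--ctstate`; the packet `SYN_22000` and the interface name `eth0` are constructed assumptions.

```python
import shlex

# First (non-working) rule order from the thread, trimmed to the relevant lines.
BROKEN = """\
-P INPUT DROP
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -p udp -m conntrack --ctstate NEW -j UDP
-A INPUT -p tcp -m tcp --tcp-flags FIN,SYN,RST,ACK SYN -m conntrack --ctstate NEW -j TCP
-A INPUT -p udp -j REJECT --reject-with icmp-port-unreachable
-A INPUT -p tcp -j REJECT --reject-with tcp-reset
-A INPUT -p tcp -m tcp --dport 22000 -j ACCEPT
-A INPUT -p udp -m udp --dport 22000 -j ACCEPT
"""
_rows = BROKEN.splitlines()
# Working order: the same rules with the REJECT lines moved after the 22000 ACCEPTs.
FIXED = "\n".join([r for r in _rows if "REJECT" not in r] + [r for r in _rows if "REJECT" in r])

def parse(ruleset):
    policy, chains = {}, {}
    for line in ruleset.splitlines():
        tok = shlex.split(line)
        if tok[0] == "-P":
            policy[tok[1]] = tok[2]
        elif tok[0] == "-A":
            opts, key = {}, None
            for t in tok[2:]:  # opts maps each option to [option, value, ...]
                key = t if t.startswith("-") else key
                opts.setdefault(key, []).append(t)
            chains.setdefault(tok[1], []).append((line, opts))
    return policy, chains

def matches(opts, pkt):
    # Simplified model: only -p, -i, --dport and --ctstate are evaluated; "!" is unsupported.
    want = {"-p": pkt["proto"], "-i": pkt["iface"], "--dport": str(pkt["dport"])}
    return (all(k not in opts or opts[k][1] == v for k, v in want.items())
            and ("--ctstate" not in opts or pkt["state"] in opts["--ctstate"][1].split(",")))

def decide(ruleset, pkt, chain="INPUT"):
    """Return (verdict, deciding rule); first match wins, empty user chains fall through."""
    policy, chains = parse(ruleset)
    def walk(name):
        for line, opts in chains.get(name, []):
            if matches(opts, pkt):
                target = opts["-j"][1]
                hit = (target, line) if target in ("ACCEPT", "DROP", "REJECT") else walk(target)
                if hit: return hit
    return walk(chain) or (policy[chain], "-P %s %s" % (chain, policy[chain]))

SYN_22000 = {"proto": "tcp", "dport": 22000, "iface": "eth0", "state": "NEW"}  # constructed packet
```

Calling `decide(BROKEN, SYN_22000)` names the catch-all `tcp-reset` REJECT as the deciding rule, which is the "connection refused" the Android client saw; with `FIXED` the port 22000 ACCEPT is reached first.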

21027 is local discovery, which you have enabled in Syncthing, so it would make sense to enable it in the firewall too. See the docs for all ports and explanations: Firewall Setup — Syncthing v1 documentation

Perfect, thanks for the hint! I will add that.

I just wanted to add a quick note that I’m running into the same problem with my GrapheneOS Android app and Windows 10 Pro (x64) connection: updated to 1.19.0 on my phone and the two devices don’t see each other any more. I’ll run through the above and see if anything helps.

EDIT: I don’t see what’s wrong on my system. But, since I’m using GrapheneOS/Windows 10, let me start my own thread on this.
