Wrong source port for dns replies when query is sent to an alias interface

I just found a bug with the internal tor dns server. It seems to be present in 0.2.2.22-alpha (on openwrt) as well as on 0.2.1.29 (debian squeeze).

PC A - this is where tor runs with a minimal default config:

SocksPort 9050 SocksListenAddress 127.0.0.1 DNSPort 9053 DNSListenAddress 0.0.0.0

There are two ips setup on eth0

eth0: inet 192.168.0.135/24 brd 192.168.0.255 scope global eth0 inet 192.168.22.1/24 scope global eth0

And port 53 is redirected to 9053:

iptables -t nat -I PREROUTING -p udp --dport 53 -j REDIRECT --to-ports 9053

PC B - The client, has also two IPs assigned.

br0: inet 192.168.0.30/24 brd 192.168.0.255 scope global br0 inet 192.168.22.2/24 scope global br0

from the client i did nslookups on the PC1 to the two different IPs:

$ nslookup heise.de 192.168.0.135 Server: 192.168.0.135 Address: 192.168.0.135#53 Non-authoritative answer: Name: heise.de Address: 193.99.144.80

$ nslookup heise.de 192.168.22.1 ;; reply from unexpected source: 192.168.22.1#9053, expected 192.168.22.1#53

So its quite clear, tor sends from the wrong source port when i ask for dns-lookup on the alias ip, which can also be seen in the tcpdump output:

05:16:30.689341 IP 192.168.0.30.51175 > 192.168.0.135.53: 39142+ A? heise.de. (26) 05:16:30.689874 IP 192.168.0.135.53 > 192.168.0.30.51175: 39142 1/0/0 A 193.99.144.80 (42) 05:16:45.430093 IP 192.168.22.2.51321 > 192.168.22.1.53: 16078+ A? heise.de. (26) 05:16:45.430513 IP 192.168.22.1.9053 > 192.168.22.2.51321: UDP, length 42

Trac:
Username: soma