TransProxyType replaces TransTPROXY option

I'm making this change now since ipfw will want its own option too,
and proliferating options here isn't sensible.

(See #10582 and #10267)
This commit is contained in:
Nick Mathewson 2014-02-03 13:56:19 -05:00
parent 00ec6e6af0
commit 5991f9a156
5 changed files with 35 additions and 17 deletions

View File

@ -1,7 +1,7 @@
o Minor features:
- Add support for the TPROXY transparent proxying facility on Linux.
See documentation for the new TransTRPOXY option for more details.
See documentation for the new TransProxyType option for more details.
Implementation by "thomo". Closes ticket 10582.

View File

@ -1183,18 +1183,22 @@ The following options are useful only for clients (that is, if
compatibility, TransListenAddress is only allowed when TransPort is just
a port number.)
[[TransTPROXY]] **TransTPROXY** **0**|**1**::
TransTPROXY may only be enabled when there is transparent proxy listener
enabled and only for Linux.
[[TransProxyType]] **TransProxyTYpe** **default**|**TPROXY**::
TransProxyType may only be enabled when there is transparent proxy listener
enabled.
+
Set this 1 if you wish to be able to use the TPROXY linux module to
Set this to TPROXY if you wish to be able to use the TPROXY Linux module to
transparently proxy connections that are configured using the TransPort
option. This setting lets the listener on the TransPort accept connections
for all addresses, even when the TransListenAddress is configured for an
internal address. Detailed information on how to configure the TPROXY
feature can be found in the Linux kernel source tree in the file
feature can be found in the Linux kernel source tree in the file
Documentation/networking/tproxy.txt.
(Default: 0)
+
Set this to "default", or leave it unconfigured, to use regular IPTables
on Linux, or to use pf on the *BSD operating systems.
+
(Default: "default".)
[[NATDPort]] **NATDPort** \['address':]__port__|**auto** [_isolation flags_]::
Open this port to listen for connections from old versions of ipfw (as

View File

@ -408,7 +408,7 @@ static config_var_t option_vars_[] = {
OBSOLETE("TrafficShaping"),
V(TransListenAddress, LINELIST, NULL),
VPORT(TransPort, LINELIST, NULL),
V(TransTPROXY, BOOL, "0"),
V(TransProxyType, STRING, "default"),
V(TunnelDirConns, BOOL, "1"),
V(UpdateBridgesFromAuthority, BOOL, "0"),
V(UseBridges, BOOL, "0"),
@ -2517,19 +2517,30 @@ options_validate(or_options_t *old_options, or_options_t *options,
"undefined, and there aren't any hidden services configured. "
"Tor will still run, but probably won't do anything.");
options->TransProxyType_parsed = TPT_DEFAULT;
#ifdef USE_TRANSPARENT
if (options->TransTPROXY) {
if (options->TransProxyType) {
if (!strcasecmp(options->TransProxyType, "default")) {
options->TransProxyType_parsed = TPT_DEFAULT;
} else if (!strcasecmp(options->TransProxyType, "tproxy")) {
#ifndef __linux__
REJECT("TransTPROXY is a Linux-specific feature.")
REJECT("TPROXY is a Linux-specific feature.");
#else
options->TransProxyType_parsed = TPT_TPROXY;
#endif
if (!options->TransPort_set) {
REJECT("Cannot use TransTPROXY without any valid TransPort or "
} else {
REJECT("Unrecognized value for TransProxyType");
}
if (strcasecmp(options->TransProxyType, "default") &&
!options->TransPort_set) {
REJECT("Cannot use TransProxyType without any valid TransPort or "
"TransListenAddress.");
}
}
#else
if (options->TransPort_set || options->TransTPROXY)
REJECT("TransPort, TransListenAddress, and TransTPROXY are disabled "
if (options->TransPort_set)
REJECT("TransPort and TransListenAddress are disabled "
"in this build.");
#endif

View File

@ -1036,7 +1036,8 @@ connection_listener_new(const struct sockaddr *listensockaddr,
make_socket_reuseable(s);
#if defined USE_TRANSPARENT && defined(IP_TRANSPARENT)
if (options->TransTPROXY && type == CONN_TYPE_AP_TRANS_LISTENER) {
if (options->TransProxyType_parsed == TPT_TPROXY &&
type == CONN_TYPE_AP_TRANS_LISTENER) {
int one = 1;
if (setsockopt(s, SOL_IP, IP_TRANSPARENT, &one, sizeof(one)) < 0) {
const char *extra = "";

View File

@ -3498,8 +3498,10 @@ typedef struct {
config_line_t *SocksPort_lines;
/** Ports to listen on for transparent pf/netfilter connections. */
config_line_t *TransPort_lines;
int TransTPROXY; /** < Boolean: are we going to listen for all destinations
* on the TransPort_lines are required for TPROXY? */
const char *TransProxyType; /**< What kind of transparent proxy
* implementation are we using? */
/** Parsed value of TransProxyType. */
enum { TPT_DEFAULT, TPT_TPROXY } TransProxyType_parsed;
config_line_t *NATDPort_lines; /**< Ports to listen on for transparent natd
* connections. */
config_line_t *ControlPort_lines; /**< Ports to listen on for control