mirror of
https://gitlab.torproject.org/tpo/core/tor.git
synced 2024-11-28 06:13:31 +01:00
Merge branch 'feature_10582'
This commit is contained in:
commit
cac5949697
7
changes/10582_tproxy
Normal file
7
changes/10582_tproxy
Normal file
@ -0,0 +1,7 @@
|
|||||||
|
o Minor features:
|
||||||
|
|
||||||
|
- Add support for the TPROXY transparent proxying facility on Linux.
|
||||||
|
See documentation for the new TransTRPOXY option for more details.
|
||||||
|
Implementation by "thomo". Closes ticket 10582.
|
||||||
|
|
||||||
|
|
@ -1183,6 +1183,19 @@ The following options are useful only for clients (that is, if
|
|||||||
compatibility, TransListenAddress is only allowed when TransPort is just
|
compatibility, TransListenAddress is only allowed when TransPort is just
|
||||||
a port number.)
|
a port number.)
|
||||||
|
|
||||||
|
[[TransTPROXY]] **TransTPROXY** **0**|**1**::
|
||||||
|
TransTPROXY may only be enabled when there is transparent proxy listener
|
||||||
|
enabled and only for Linux.
|
||||||
|
+
|
||||||
|
Set this 1 if you wish to be able to use the TPROXY linux module to
|
||||||
|
transparently proxy connections that are configured using the TransPort
|
||||||
|
option. This setting lets the listener on the TransPort accept connections
|
||||||
|
for all addresses, even when the TransListenAddress is configured for an
|
||||||
|
internal address. Detailed information on how to configure the TPROXY
|
||||||
|
feature can be found in the Linux kernel source tree in the file
|
||||||
|
Documentation/networking/tproxy.txt.
|
||||||
|
(Default: 0)
|
||||||
|
|
||||||
[[NATDPort]] **NATDPort** \['address':]__port__|**auto** [_isolation flags_]::
|
[[NATDPort]] **NATDPort** \['address':]__port__|**auto** [_isolation flags_]::
|
||||||
Open this port to listen for connections from old versions of ipfw (as
|
Open this port to listen for connections from old versions of ipfw (as
|
||||||
included in old versions of FreeBSD, etc) using the NATD protocol.
|
included in old versions of FreeBSD, etc) using the NATD protocol.
|
||||||
|
@ -475,6 +475,14 @@ sb_setsockopt(scmp_filter_ctx ctx, sandbox_cfg_t *filter)
|
|||||||
if (rc)
|
if (rc)
|
||||||
return rc;
|
return rc;
|
||||||
|
|
||||||
|
#ifdef IP_TRANSPARENT
|
||||||
|
rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(setsockopt), 2,
|
||||||
|
SCMP_CMP(1, SCMP_CMP_EQ, SOL_IP),
|
||||||
|
SCMP_CMP(2, SCMP_CMP_EQ, IP_TRANSPARENT));
|
||||||
|
if (rc)
|
||||||
|
return rc;
|
||||||
|
#endif
|
||||||
|
|
||||||
return 0;
|
return 0;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -408,6 +408,7 @@ static config_var_t option_vars_[] = {
|
|||||||
OBSOLETE("TrafficShaping"),
|
OBSOLETE("TrafficShaping"),
|
||||||
V(TransListenAddress, LINELIST, NULL),
|
V(TransListenAddress, LINELIST, NULL),
|
||||||
VPORT(TransPort, LINELIST, NULL),
|
VPORT(TransPort, LINELIST, NULL),
|
||||||
|
V(TransTPROXY, BOOL, "0"),
|
||||||
V(TunnelDirConns, BOOL, "1"),
|
V(TunnelDirConns, BOOL, "1"),
|
||||||
V(UpdateBridgesFromAuthority, BOOL, "0"),
|
V(UpdateBridgesFromAuthority, BOOL, "0"),
|
||||||
V(UseBridges, BOOL, "0"),
|
V(UseBridges, BOOL, "0"),
|
||||||
@ -2530,10 +2531,20 @@ options_validate(or_options_t *old_options, or_options_t *options,
|
|||||||
"undefined, and there aren't any hidden services configured. "
|
"undefined, and there aren't any hidden services configured. "
|
||||||
"Tor will still run, but probably won't do anything.");
|
"Tor will still run, but probably won't do anything.");
|
||||||
|
|
||||||
#ifndef USE_TRANSPARENT
|
#ifdef USE_TRANSPARENT
|
||||||
/* XXXX024 I think we can remove this TransListenAddress */
|
if (options->TransTPROXY) {
|
||||||
if (options->TransPort_set || options->TransListenAddress)
|
#ifndef __linux__
|
||||||
REJECT("TransPort and TransListenAddress are disabled in this build.");
|
REJECT("TransTPROXY is a Linux-specific feature.")
|
||||||
|
#endif
|
||||||
|
if (!options->TransPort_set) {
|
||||||
|
REJECT("Cannot use TransTPROXY without any valid TransPort or "
|
||||||
|
"TransListenAddress.");
|
||||||
|
}
|
||||||
|
}
|
||||||
|
#else
|
||||||
|
if (options->TransPort_set || options->TransTPROXY)
|
||||||
|
REJECT("TransPort, TransListenAddress, and TransTPROXY are disabled "
|
||||||
|
"in this build.");
|
||||||
#endif
|
#endif
|
||||||
|
|
||||||
if (options->TokenBucketRefillInterval <= 0
|
if (options->TokenBucketRefillInterval <= 0
|
||||||
|
@ -1035,6 +1035,21 @@ connection_listener_new(const struct sockaddr *listensockaddr,
|
|||||||
|
|
||||||
make_socket_reuseable(s);
|
make_socket_reuseable(s);
|
||||||
|
|
||||||
|
#if defined USE_TRANSPARENT && defined(IP_TRANSPARENT)
|
||||||
|
if (options->TransTPROXY && type == CONN_TYPE_AP_TRANS_LISTENER) {
|
||||||
|
int one = 1;
|
||||||
|
if (setsockopt(s, SOL_IP, IP_TRANSPARENT, &one, sizeof(one)) < 0) {
|
||||||
|
const char *extra = "";
|
||||||
|
int e = tor_socket_errno(s);
|
||||||
|
if (e == EPERM)
|
||||||
|
extra = "TransTPROXY requires root privileges or similar"
|
||||||
|
" capabilities.";
|
||||||
|
log_warn(LD_NET, "Error setting IP_TRANSPARENT flag: %s.%s",
|
||||||
|
tor_socket_strerror(e), extra);
|
||||||
|
}
|
||||||
|
}
|
||||||
|
#endif
|
||||||
|
|
||||||
#ifdef IPV6_V6ONLY
|
#ifdef IPV6_V6ONLY
|
||||||
if (listensockaddr->sa_family == AF_INET6) {
|
if (listensockaddr->sa_family == AF_INET6) {
|
||||||
#ifdef _WIN32
|
#ifdef _WIN32
|
||||||
|
@ -3553,6 +3553,8 @@ typedef struct {
|
|||||||
config_line_t *SocksPort_lines;
|
config_line_t *SocksPort_lines;
|
||||||
/** Ports to listen on for transparent pf/netfilter connections. */
|
/** Ports to listen on for transparent pf/netfilter connections. */
|
||||||
config_line_t *TransPort_lines;
|
config_line_t *TransPort_lines;
|
||||||
|
int TransTPROXY; /** < Boolean: are we going to listen for all destinations
|
||||||
|
* on the TransPort_lines are required for TPROXY? */
|
||||||
config_line_t *NATDPort_lines; /**< Ports to listen on for transparent natd
|
config_line_t *NATDPort_lines; /**< Ports to listen on for transparent natd
|
||||||
* connections. */
|
* connections. */
|
||||||
config_line_t *ControlPort_lines; /**< Ports to listen on for control
|
config_line_t *ControlPort_lines; /**< Ports to listen on for control
|
||||||
|
Loading…
Reference in New Issue
Block a user