Commit 5991f9a1 authored by Nick Mathewson

TransProxyType replaces TransTPROXY option

I'm making this change now since ipfw will want its own option too,
and proliferating options here isn't sensible.

(See #10582 and #10267)
parent 00ec6e6a
o Minor features:
- Add support for the TPROXY transparent proxying facility on Linux.
See documentation for the new TransTRPOXY option for more details.
See documentation for the new TransProxyType option for more details.
Implementation by "thomo". Closes ticket 10582.
......@@ -1183,18 +1183,22 @@ The following options are useful only for clients (that is, if
compatibility, TransListenAddress is only allowed when TransPort is just
a port number.)
[[TransTPROXY]] **TransTPROXY** **0**|**1**::
TransTPROXY may only be enabled when there is transparent proxy listener
enabled and only for Linux.
[[TransProxyType]] **TransProxyTYpe** **default**|**TPROXY**::
TransProxyType may only be enabled when there is transparent proxy listener
enabled.
+
Set this 1 if you wish to be able to use the TPROXY linux module to
Set this to TPROXY if you wish to be able to use the TPROXY Linux module to
transparently proxy connections that are configured using the TransPort
option. This setting lets the listener on the TransPort accept connections
for all addresses, even when the TransListenAddress is configured for an
internal address. Detailed information on how to configure the TPROXY
feature can be found in the Linux kernel source tree in the file
feature can be found in the Linux kernel source tree in the file
Documentation/networking/tproxy.txt.
(Default: 0)
+
Set this to "default", or leave it unconfigured, to use regular IPTables
on Linux, or to use pf on the *BSD operating systems.
+
(Default: "default".)
[[NATDPort]] **NATDPort** \['address':]__port__|**auto** [_isolation flags_]::
Open this port to listen for connections from old versions of ipfw (as
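Review bot: The bold option name in the new heading line is misspelled as **TransProxyTYpe** (capital Y), so it no longer matches the [[TransProxyType]] anchor beside it or the option name a user types in torrc; change it to **TransProxyType**. The sentence "TransProxyType may only be enabled when there is transparent proxy listener enabled" also needs an article ("a transparent proxy listener"), and since the value is a keyword rather than a boolean, "may only be set" reads better than "may only be enabled". It would also help to state here that the value is matched case-insensitively, as the validation code in config.c uses strcasecmp, so readers know "tproxy" and "TPROXY" are equivalent.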
......
......@@ -408,7 +408,7 @@ static config_var_t option_vars_[] = {
OBSOLETE("TrafficShaping"),
V(TransListenAddress, LINELIST, NULL),
VPORT(TransPort, LINELIST, NULL),
V(TransTPROXY, BOOL, "0"),
V(TransProxyType, STRING, "default"),
V(TunnelDirConns, BOOL, "1"),
V(UpdateBridgesFromAuthority, BOOL, "0"),
V(UseBridges, BOOL, "0"),
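Review bot: Replacing V(TransTPROXY, BOOL, "0") with V(TransProxyType, STRING, "default") drops the old option from the table without an OBSOLETE() entry, so a torrc that still contains TransTPROXY will fail to parse as an unknown option rather than warn. If TransTPROXY ever shipped in a release, add OBSOLETE("TransTPROXY") next to the existing OBSOLETE("TrafficShaping") so existing configurations keep loading and users are pointed at the new option.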
......@@ -2517,19 +2517,30 @@ options_validate(or_options_t *old_options, or_options_t *options,
"undefined, and there aren't any hidden services configured. "
"Tor will still run, but probably won't do anything.");
options->TransProxyType_parsed = TPT_DEFAULT;
#ifdef USE_TRANSPARENT
if (options->TransTPROXY) {
if (options->TransProxyType) {
if (!strcasecmp(options->TransProxyType, "default")) {
options->TransProxyType_parsed = TPT_DEFAULT;
} else if (!strcasecmp(options->TransProxyType, "tproxy")) {
#ifndef __linux__
REJECT("TransTPROXY is a Linux-specific feature.")
REJECT("TPROXY is a Linux-specific feature.");
#else
options->TransProxyType_parsed = TPT_TPROXY;
#endif
if (!options->TransPort_set) {
REJECT("Cannot use TransTPROXY without any valid TransPort or "
} else {
REJECT("Unrecognized value for TransProxyType");
}
if (strcasecmp(options->TransProxyType, "default") &&
!options->TransPort_set) {
REJECT("Cannot use TransProxyType without any valid TransPort or "
"TransListenAddress.");
}
}
#else
if (options->TransPort_set || options->TransTPROXY)
REJECT("TransPort, TransListenAddress, and TransTPROXY are disabled "
if (options->TransPort_set)
REJECT("TransPort and TransListenAddress are disabled "
"in this build.");
#endif
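Review bot: The value of TransProxyType is only parsed and checked inside #ifdef USE_TRANSPARENT; in the #else branch the new code only rejects when TransPort_set is true, so a build without USE_TRANSPARENT silently accepts any TransProxyType value, including an unrecognized one, whereas the old code rejected TransTPROXY in that case. Move the strcasecmp() parsing (the "default"/"tproxy"/unrecognized chain) above the #ifdef so every build validates the string, and reject a non-default value in the #else branch with a message like "TransProxyType is disabled in this build." Separately, the "Unrecognized value for TransProxyType" message would be more useful if it echoed the offending value, and the trailing TransPort check duplicates the strcasecmp against "default"; testing options->TransProxyType_parsed != TPT_DEFAULT there would be simpler and cannot drift from the parse above.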
......
......@@ -1036,7 +1036,8 @@ connection_listener_new(const struct sockaddr *listensockaddr,
make_socket_reuseable(s);
#if defined USE_TRANSPARENT && defined(IP_TRANSPARENT)
if (options->TransTPROXY && type == CONN_TYPE_AP_TRANS_LISTENER) {
if (options->TransProxyType_parsed == TPT_TPROXY &&
type == CONN_TYPE_AP_TRANS_LISTENER) {
int one = 1;
if (setsockopt(s, SOL_IP, IP_TRANSPARENT, &one, sizeof(one)) < 0) {
const char *extra = "";
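Review bot: The IP_TRANSPARENT setsockopt() is guarded by "defined(IP_TRANSPARENT)" as well as USE_TRANSPARENT, but options_validate() accepts TransProxyType TPROXY on any Linux build. If the build headers lack IP_TRANSPARENT, a listener the user explicitly configured for TPROXY is created as an ordinary transparent listener with no diagnostic. Add an #else branch that logs a warning (or rejects at validation time with the same #if condition) when TransProxyType_parsed == TPT_TPROXY so the mismatch is visible rather than silent.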
......
......@@ -3498,8 +3498,10 @@ typedef struct {
config_line_t *SocksPort_lines;
/** Ports to listen on for transparent pf/netfilter connections. */
config_line_t *TransPort_lines;
int TransTPROXY; /** < Boolean: are we going to listen for all destinations
* on the TransPort_lines are required for TPROXY? */
const char *TransProxyType; /**< What kind of transparent proxy
* implementation are we using? */
/** Parsed value of TransProxyType. */
enum { TPT_DEFAULT, TPT_TPROXY } TransProxyType_parsed;
config_line_t *NATDPort_lines; /**< Ports to listen on for transparent natd
* connections. */
config_line_t *ControlPort_lines; /**< Ports to listen on for control
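Review bot: The anonymous "enum { TPT_DEFAULT, TPT_TPROXY }" is declared inline in the struct, which leaves no type name to use in function signatures or other files that want to pass or return the parsed value; a named typedef (for example a transproxy_type_t) declared before or_options_t would be cleaner and still keeps TPT_DEFAULT and TPT_TPROXY as the constants used in config.c and connection.c. The doc comment on TransProxyType_parsed should also say that it is filled in by options_validate() from the TransProxyType string, so readers know it is only meaningful after validation.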
......