Commit 3eaa9a37 authored by Jacob Appelbaum, committed by Nick Mathewson

Changes to tor-fw-helper, some based on Nick's review

 * MINIUPNPC rather than the generic UPNP
 * Nick suggested a better abstraction model for tor-fw-helper
 * Fix autoconf to build with either natpmp or miniupnpc
 * Add AM_PROG_CC_C_O to fix automake complaint
 * update spec to address nickm's concern
 * refactor nat-pmp to match upnp state
 * we prefer tor_snprintf to snprintf
 * link properly for tor_snprintf
 * rename test_commandline_options to log_commandline_options
 * cast this uint as an int
 * detect possible FD_SETSIZE errors
 * make note about future enhancements for natpmp
 * add upnp enhancement note
 * ChangeLog entry
 * doxygen and check-spaces cleanup
 * create tor-fw-helper.1.txt
parent 9cc76cf0

changes/tor-fw-helper

0 → 100644
+14 −0
  o Major features:
    - Tor now has the ability to wrangle NAT devices like a good network cowbot
      with the tor-fw-helper tool. The tor-fw-helper tool supports Apple's
      NAT-PMP protocol and the UPnP standard for TCP port mapping. This
      optional tool may be enabled at compile time by configuring with
      '--enable-upnp' or '--enable-natpmp' or with both. This tool may be
      called by hand or by Tor.  By configuring the PortForwarding option, Tor
      will launch the helper on a regular basis to ensure that the NAT mapping
      is regularly updated.  Additionally, a user may also specify an
      alternative helper by using the PortForwardingHelper option. The helper
      may be specified by name or with the full path to the helper. The default
      helper is named 'tor-fw-helper' and any alternative helper must take the
      tor-fw-helper-spec.txt into account.
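Review bot: "network cowbot" on the first bullet line should be "network cowboy" (or drop the simile; a ChangeLog entry reads better plain). The entry also says Tor "will launch the helper on a regular basis" once PortForwarding is set but does not say how often or which option controls the interval; either name it or say "periodically" and point the reader at the manual page for the details.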
+5 −2
@@ -153,7 +153,10 @@ AC_PATH_PROG([A2X], [a2x], none)

AM_CONDITIONAL(USE_ASCIIDOC, test x$asciidoc = xtrue)

AM_CONDITIONAL(USE_FW_HELPER, test x$natpmp = xtrue || x$upnp = xtrue)
AM_CONDITIONAL(USE_FW_HELPER, test x$natpmp = xtrue || test x$upnp = xtrue)
AM_CONDITIONAL(NAT_PMP, test x$natpmp = xtrue)
AM_CONDITIONAL(MINIUPNPC, test x$upnp = xtrue)
AM_PROG_CC_C_O

AC_PATH_PROG([SHA1SUM], [sha1sum], none)
AC_PATH_PROG([OPENSSL], [openssl], none)
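Review bot: the corrected USE_FW_HELPER line is the right fix, and worth a one-line comment so nobody "simplifies" it back: in the old form `test x$natpmp = xtrue || x$upnp = xtrue` everything after `||` is a separate shell command, so the shell tried to run `xtrue`/`xfalse` as a program instead of comparing it; `test x$natpmp = xtrue || test x$upnp = xtrue` actually evaluates both conditions. The three AM_CONDITIONALs now encode the same facts as the `$natpmp`/`$upnp` shell variables; keep them adjacent to where those variables are set so they cannot drift apart.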
@@ -486,7 +489,7 @@ dnl Where do you live, libminiupnpc? And how do we call you?
dnl There are no packages for Debian or Redhat as of this patch

if test "$upnp" = "true"; then
    AC_DEFINE(UPNP, 1, [Define to 1 if we are building with UPnP.])
    AC_DEFINE(MINIUPNPC, 1, [Define to 1 if we are building with UPnP.])
    TOR_SEARCH_LIBRARY(libminiupnpc, $trylibminiupnpcdir, [-lminiupnpc],
        [#include <miniupnpc/miniwget.h>
         #include <miniupnpc/miniupnpc.h>
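Review bot: the AC_DEFINE is renamed from UPNP to MINIUPNPC, but its description string still reads "Define to 1 if we are building with UPnP."; change it to say libminiupnpc so the config.h comment matches the symbol and the new AM_CONDITIONAL(MINIUPNPC, ...) above. The dnl comment "There are no packages for Debian or Redhat as of this patch" will go stale without anyone noticing; date it or drop it.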
+15 −2
@@ -33,12 +33,25 @@
    tor-fw-helper: FAILURE

 All informational messages are printed to standard output; all error messages
 are printed to standard error.
 are printed to standard error. Messages other than SUCCESS and FAILURE
 may be printed by any compliant tor-fw-helper.

2.2 Output format stability

 The above SUCCESS and FAILURE messages are the only stable output formats
 provided by this specification. tor-fw-helper-spec compliant implementations
 must return SUCCESS or FAILURE as defined above.

3. Security Concerns

 It is probably best to hand configure port forwarding and in the process, we
 suggest disabling NAT-PMP and/or UPnP.
 suggest disabling NAT-PMP and/or UPnP. This is of course absolutely confusing
 to users and so we support automatic, non-authenticated NAT port mapping
 protocols with compliant tor-fw-helper applications.

 NAT should not be considered a security boundary. NAT-PMP and UPnP are hacks
 to deal with the shortcomings of user education about TCP/IP, IPv4 shortages,
 and of course, NAT devices that suffer from horrible user interface design.

[0] http://en.wikipedia.org/wiki/NAT_Port_Mapping_Protocol
[1] http://en.wikipedia.org/wiki/Universal_Plug_and_Play
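Review bot: in section 3 the added sentence "This is of course absolutely confusing to users and so we support automatic, non-authenticated NAT port mapping protocols" reads as sarcasm in a specification; state the trade-off plainly: manual port forwarding is preferred, NAT-PMP and UPnP are unauthenticated and will honour mapping requests from any host on the local network, and the helper exists for users who cannot configure their device by hand. Section 2.2 says SUCCESS and FAILURE are the only stable outputs; since the helper can be asked to map both an OR port and a Dir port, the spec should also say what SUCCESS means when more than one mapping is requested (all mapped, or at least the OR port), otherwise callers cannot interpret it reliably.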
+68 −0
// Copyright (c) The Tor Project, Inc.
// See LICENSE for licensing information
// This is an asciidoc file used to generate the manpage/html reference.
// Learn asciidoc on http://www.methods.co.nz/asciidoc/userguide.html
tor-fw-helper(1)
==============
Jacob Appelbaum

NAME
----
tor-fw-helper - Manage upstream firewall/NAT devices

SYNOPSIS
--------
**tor-fw-helper** [-h|--help] [-T|--test] [-v|--verbose] [-g|--fetch-public-ip]
-i|--internal-or-port __TCP port__ [-e|--external-or-port _TCP port_]
[-d|--internal-dir-port _TCP port_] [-p|--external-dir-port _TCP port_]

DESCRIPTION
-----------
**tor-fw-helper** currently supports Apple's NAT-PMP protocol and the UPnP
standard for TCP port mapping. It is written as the reference implementation of
tor-fw-helper-spec.txt and conforms to that loose plugin API.  If your network
supports either NAT-PMP or UPnP, tor-fw-helper will attempt to automatically
map the required TCP ports for Tor's Or and Dir ports. +

OPTIONS
-------
**-h** or **--help**::
    Display help text and exit.

**-v**::
    Display verbose output.

**-T** or **--test**::
    Display test information and print the test information in
    tor-fw-helper.log

**-g** or **--fetch-public-ip**::
    Fetch the the public ip address for each supported NAT helper method.

**-i** or **--internal-or-port** __port__::
    Inform **tor-fw-helper** of your internal OR port. This is the only
    required argument.

**-e** or **--external-or-port** __port__::
    Inform **tor-fw-helper** of your external OR port.

**-d** or **--internal-dir-port** __port__::
    Inform **tor-fw-helper** of your internal Dir port.

**-p** or **--external-dir-port** __port__::
    Inform **tor-fw-helper** of your external Dir port.

BUGS
----
This probably doesn't run on Windows. That's not a big issue, since we don't
really want to deal with Windows before October 2010 anyway.

SEE ALSO
--------
**tor**(1) +

See also the "tor-fw-helper-spec.txt" file, distributed with Tor.

AUTHORS
-------
    Jacob Appelbaum <jacob@torproject.org>, Steven J. Murdoch <Steven.Murdoch@cl.cam.ac.uk>
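Review bot: OPTIONS documents `-v` without the `--verbose` long form that SYNOPSIS advertises; add it. SYNOPSIS mixes `__TCP port__` and `_TCP port_` for the same placeholder, while OPTIONS uses `__port__`; pick one. "Fetch the the public ip address" has a doubled "the" and should read "IP address". The trailing " +" after "Or and Dir ports." in DESCRIPTION and after "**tor**(1)" in SEE ALSO is an asciidoc hard line break with nothing following it; drop both. The BUGS text "before October 2010" will read as stale within months; say instead that Windows is untested or unsupported.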
+24 −3
@@ -7,6 +7,27 @@ endif
tor_fw_helper_SOURCES = tor-fw-helper.c \
	tor-fw-helper-natpmp.c tor-fw-helper-upnp.c
tor_fw_helper_INCLUDES = tor-fw-helper.h tor-fw-helper-natpmp.h tor-fw-helper-upnp.h
tor_fw_helper_LDFLAGS = @TOR_LDFLAGS_libnatpmp@ @TOR_LDFLAGS_libminiupnpc@
tor_fw_helper_LDADD = -lnatpmp -lminiupnpc ../../common/libor.a @TOR_LIB_WS32@
tor_fw_helper_CPPFLAGS = @TOR_CPPFLAGS_libnatpmp@ @TOR_CPPFLAGS_libminiupnpc@

if NAT_PMP
nat_pmp_ldflags = @TOR_LDFLAGS_libnatpmp@
nat_pmp_ldadd  = -lnatpmp
nat_pmp_cppflags = @TOR_CPPFLAGS_libnatpmp@
else
nat_pmp_ldflags =
nat_pmp_ldadd  =
nat_pmp_cppflags =
endif

if MINIUPNPC
miniupnpc_ldflags = @TOR_LDFLAGS_libminiupnpc@
miniupnpc_ldadd = -lminiupnpc -lm
miniupnpc_cppflags = @TOR_CPPFLAGS_libminiupnpc@
else
miniupnpc_ldflags =
miniupnpc_ldadd =
miniupnpc_cppflags =
endif

tor_fw_helper_LDFLAGS = $(nat_pmp_ldflags) $(miniupnpc_ldflags)
tor_fw_helper_LDADD = $(nat_pmp_ldadd) $(miniupnpc_ldadd) ../../common/libor.a @TOR_LIB_WS32@
tor_fw_helper_CPPFLAGS = $(nat_pmp_cppflags) $(miniupnpc_cppflags)
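Review bot: `tor_fw_helper_INCLUDES` is not a variable automake recognises, so the three headers it lists are neither tracked as dependencies nor shipped in the tarball; move them into tor_fw_helper_SOURCES (or noinst_HEADERS). The MINIUPNPC block adds `-lm` to miniupnpc_ldadd but the NAT_PMP block adds nothing comparable for libnatpmp; if that is deliberate, a short comment saying libminiupnpc alone needs libm would save the next reader a search. The split into per-backend ldflags/ldadd/cppflags variables is the right shape: when only one of NAT_PMP and MINIUPNPC is set the other contributes empty strings, so the target builds with a single backend as the configure change intends.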