tornetns: Introduce a new *port flag NetworkNamespacePath (!534) · Merge requests · The Tor Project / Core / Tor

tornetns requested to merge tornetns/tor:maint-0.4.6 into maint-0.4.6 Feb 16, 2022

On Linux there are CLONE_NEWNET network_namespaces(7). These allow to split off a network namespace, which is in essense a completely separate network device stack with its own local loopback interface.

This change allows Tor to open its listening sockets in network namespaces other than the default.

Typically one would create a fresh network namespace using unshare(8) and persist it with a bind mount. Filesystem path to the bind mount points Tor to the desired network namespace in the configuration.

Requires root to successfully switch unless the path points to the current network namespace, like /proc/self/ns/net.

A mini usage demonstration follows:

$ cd tor && make
# mkdir /var/run/netns
# touch /var/run/netns/tornetns
# unshare -n mount -o bind /proc/self/ns/net /var/run/netns/tornetns
# nsenter -n/var/run/netns/tornetns ip link set lo up
# src/app/tor --SocksPort '9050 NetworkNamespacePath=/var/run/netns/tornetns' --User tor

Edited Feb 17, 2022 by tornetns

tornetns: Introduce a new *port flag NetworkNamespacePath

Merge request reports