author | Nick Mathewson <nickm@torproject.org> | 2014-02-02 15:48:27 -0500 |
committer | Nick Mathewson <nickm@torproject.org> | 2014-02-02 15:48:27 -0500 |
commit | cac5949697ba1686fd3c5f3b17960273815a6a93 (patch) | |
tree | 2e8f2994ae0853076d54ed71f9dee2171861f451 /src | |
parent | 4fe253ef40a96dbfb978752e9d2833e8b491ca28 (diff) | |
parent | 25f0eb4512a57e305ed0bff00eb276812a7c8de6 (diff) | |
download | tor-cac5949697ba1686fd3c5f3b17960273815a6a93.tar tor-cac5949697ba1686fd3c5f3b17960273815a6a93.tar.gz |
Merge branch 'feature_10582'
Diffstat (limited to 'src')
-rw-r--r-- | src/common/sandbox.c | 8 | ||||
-rw-r--r-- | src/or/config.c | 19 | ||||
-rw-r--r-- | src/or/connection.c | 15 | ||||
-rw-r--r-- | src/or/or.h | 2 |
4 files changed, 40 insertions, 4 deletions
diff --git a/src/common/sandbox.c b/src/common/sandbox.c
index dec6bfeea..6b7874883 100644
--- a/src/common/sandbox.c
+++ b/src/common/sandbox.c
@@ -475,6 +475,14 @@ sb_setsockopt(scmp_filter_ctx ctx, sandbox_cfg_t *filter)
 if (rc)
 return rc;
 
+#ifdef IP_TRANSPARENT
+ rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(setsockopt), 2,
+ SCMP_CMP(1, SCMP_CMP_EQ, SOL_IP),
+ SCMP_CMP(2, SCMP_CMP_EQ, IP_TRANSPARENT));
+ if (rc)
+ return rc;
+#endif
+
 return 0;
 }
 
diff --git a/src/or/config.c b/src/or/config.c
index d348f1036..c921bb731 100644
--- a/src/or/config.c
+++ b/src/or/config.c
@@ -408,6 +408,7 @@ static config_var_t option_vars_[] = {
 OBSOLETE("TrafficShaping"),
 V(TransListenAddress, LINELIST, NULL),
 VPORT(TransPort, LINELIST, NULL),
+ V(TransTPROXY, BOOL, "0"),
 V(TunnelDirConns, BOOL, "1"),
 V(UpdateBridgesFromAuthority, BOOL, "0"),
 V(UseBridges, BOOL, "0"),
@@ -2530,10 +2531,20 @@ options_validate(or_options_t *old_options, or_options_t *options,
 "undefined, and there aren't any hidden services configured. "
 "Tor will still run, but probably won't do anything.");
 
-#ifndef USE_TRANSPARENT
- /* XXXX024 I think we can remove this TransListenAddress */
- if (options->TransPort_set || options->TransListenAddress)
- REJECT("TransPort and TransListenAddress are disabled in this build.");
+#ifdef USE_TRANSPARENT
+ if (options->TransTPROXY) {
+#ifndef __linux__
+ REJECT("TransTPROXY is a Linux-specific feature.")
+#endif
+ if (!options->TransPort_set) {
+ REJECT("Cannot use TransTPROXY without any valid TransPort or "
+ "TransListenAddress.");
+ }
+ }
+#else
+ if (options->TransPort_set || options->TransTPROXY)
+ REJECT("TransPort, TransListenAddress, and TransTPROXY are disabled "
+ "in this build.");
 #endif
 
 if (options->TokenBucketRefillInterval <= 0
diff --git a/src/or/connection.c b/src/or/connection.c
index 1f6e11fac..6dbba668c 100644
--- a/src/or/connection.c
+++ b/src/or/connection.c
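Review bot: The new seccomp allow rule for setsockopt(SOL_IP, IP_TRANSPARENT) is installed whenever the build defines IP_TRANSPARENT, not only when TransTPROXY is enabled, so every sandboxed Tor gets a syscall permission that the default configuration never exercises (connection.c in this same merge only issues that setsockopt when options->TransTPROXY is set). If the `filter` argument of sb_setsockopt carries run-time configuration — it is unused in the visible lines, so this is an inference — gating the rule on it would keep the allowed surface equal to what the process actually needs. At minimum a comment such as `/* Needed only when TransTPROXY is set; harmless otherwise since the kernel still requires the appropriate privilege for IP_TRANSPARENT. */` would tell the next reader why the rule is unconditional. sb_setsockopt starts before this hunk.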
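Review bot: In the options_validate hunk the line `REJECT("TransTPROXY is a Linux-specific feature.")` under `#ifndef __linux__` has no trailing semicolon, while every other REJECT on the page ends with one; if REJECT expands to a statement rather than to something self-terminating, a non-Linux build with USE_TRANSPARENT defined will fail to compile at the `if (!options->TransPort_set)` that follows. It should read `REJECT("TransTPROXY is a Linux-specific feature.");`. Separately, the `#else` branch now tests `options->TransPort_set || options->TransTPROXY` but its message still claims TransListenAddress is disabled; either keep `|| options->TransListenAddress` in the condition (the removed XXXX024 comment only suggested dropping it, it did not say the option no longer exists) or drop the name from the message so the rejection text matches what is actually checked. options_validate begins and ends outside the hunk.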
@@ -1035,6 +1035,21 @@ connection_listener_new(const struct sockaddr *listensockaddr,
 
 make_socket_reuseable(s);
 
+#if defined USE_TRANSPARENT && defined(IP_TRANSPARENT)
+ if (options->TransTPROXY && type == CONN_TYPE_AP_TRANS_LISTENER) {
+ int one = 1;
+ if (setsockopt(s, SOL_IP, IP_TRANSPARENT, &one, sizeof(one)) < 0) {
+ const char *extra = "";
+ int e = tor_socket_errno(s);
+ if (e == EPERM)
+ extra = "TransTPROXY requires root privileges or similar"
+ " capabilities.";
+ log_warn(LD_NET, "Error setting IP_TRANSPARENT flag: %s.%s",
+ tor_socket_strerror(e), extra);
+ }
+ }
+#endif
+
 #ifdef IPV6_V6ONLY
 if (listensockaddr->sa_family == AF_INET6) {
 #ifdef _WIN32
diff --git a/src/or/or.h b/src/or/or.h
index 7df6c37f7..55f286208 100644
--- a/src/or/or.h
+++ b/src/or/or.h
@@ -3553,6 +3553,8 @@ typedef struct {
 config_line_t *SocksPort_lines;
 /** Ports to listen on for transparent pf/netfilter connections. */
 config_line_t *TransPort_lines;
+ int TransTPROXY; /** < Boolean: are we going to listen for all destinations
+ * on the TransPort_lines are required for TPROXY? */
 config_line_t *NATDPort_lines; /**< Ports to listen on for transparent natd
 * connections. */
 config_line_t *ControlPort_lines; /**< Ports to listen on for control
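Review bot: A failed setsockopt(IP_TRANSPARENT) is only logged and the listener is then created anyway, so an operator who explicitly set TransTPROXY ends up with a TransPort that cannot receive the TPROXY-redirected traffic it was configured for, with nothing but a warning to show for it; since the option is opt-in, it would be safer to fail the listener here the way the earlier socket-creation failure in this function does (its `goto err` path lies outside the hunk, so I cannot confirm it is reachable from this point), or at least to promote the message to log_err. Also, the format `"Error setting IP_TRANSPARENT flag: %s.%s"` glues the strerror text and `extra` together with no separator, producing "Operation not permitted.TransTPROXY requires ..."; change it to `"Error setting IP_TRANSPARENT flag: %s. %s"` or start `extra` with a space. The use of `options` assumes the enclosing function already has an `options` local in scope, which is not visible in the hunk. connection_listener_new begins and ends outside the hunk.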
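Review bot: The doc comment on the new `TransTPROXY` member in or.h is ungrammatical ("are we going to listen for all destinations on the TransPort_lines are required for TPROXY?") and uses `/** <` with a space, which Doxygen does not treat as a member-trailing comment the way the neighbouring `/**<` entries are. Suggested replacement, consistent with what connection.c does with the flag in this same merge: `int TransTPROXY; /**< Boolean: if true, set IP_TRANSPARENT on TransPort listeners so that TPROXY can hand them connections for any destination. Linux-only. */`. The enclosing typedef struct starts and ends outside the hunk.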