authorNick Mathewson <nickm@torproject.org>2014-02-02 15:48:27 -0500
committerNick Mathewson <nickm@torproject.org>2014-02-02 15:48:27 -0500
commitcac5949697ba1686fd3c5f3b17960273815a6a93 (patch)
tree2e8f2994ae0853076d54ed71f9dee2171861f451 /src
parent4fe253ef40a96dbfb978752e9d2833e8b491ca28 (diff)
parent25f0eb4512a57e305ed0bff00eb276812a7c8de6 (diff)
downloadtor-cac5949697ba1686fd3c5f3b17960273815a6a93.tar
tor-cac5949697ba1686fd3c5f3b17960273815a6a93.tar.gz
Merge branch 'feature_10582'
Diffstat (limited to 'src')
-rw-r--r--src/common/sandbox.c8
-rw-r--r--src/or/config.c19
-rw-r--r--src/or/connection.c15
-rw-r--r--src/or/or.h2
4 files changed, 40 insertions, 4 deletions
diff --git a/src/common/sandbox.c b/src/common/sandbox.c
index dec6bfeea..6b7874883 100644
--- a/src/common/sandbox.c
+++ b/src/common/sandbox.c
@@ -475,6 +475,14 @@ sb_setsockopt(scmp_filter_ctx ctx, sandbox_cfg_t *filter)
if (rc)
return rc;
+#ifdef IP_TRANSPARENT
+ rc = seccomp_rule_add(ctx, SCMP_ACT_ALLOW, SCMP_SYS(setsockopt), 2,
+ SCMP_CMP(1, SCMP_CMP_EQ, SOL_IP),
+ SCMP_CMP(2, SCMP_CMP_EQ, IP_TRANSPARENT));
+ if (rc)
+ return rc;
+#endif
+
return 0;
}
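Review bot: The seccomp rule added at L30 is unconditional, so every sandboxed tor now lets setsockopt(SOL_IP, IP_TRANSPARENT) through even when TransTPROXY is not configured, and nothing in the hunk records why the rule exists. A one-line comment above the `#ifdef` would help the next person auditing this allow-list, e.g. `/* Needed by TransTPROXY: the TransPort listener sets IP_TRANSPARENT on its socket. */`. Narrowing the rule to configurations that actually enable TransTPROXY would require sb_setsockopt to know about the option, and the function's start lies outside the hunk.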
diff --git a/src/or/config.c b/src/or/config.c
index d348f1036..c921bb731 100644
--- a/src/or/config.c
+++ b/src/or/config.c
@@ -408,6 +408,7 @@ static config_var_t option_vars_[] = {
OBSOLETE("TrafficShaping"),
V(TransListenAddress, LINELIST, NULL),
VPORT(TransPort, LINELIST, NULL),
+ V(TransTPROXY, BOOL, "0"),
V(TunnelDirConns, BOOL, "1"),
V(UpdateBridgesFromAuthority, BOOL, "0"),
V(UseBridges, BOOL, "0"),
@@ -2530,10 +2531,20 @@ options_validate(or_options_t *old_options, or_options_t *options,
"undefined, and there aren't any hidden services configured. "
"Tor will still run, but probably won't do anything.");
-#ifndef USE_TRANSPARENT
- /* XXXX024 I think we can remove this TransListenAddress */
- if (options->TransPort_set || options->TransListenAddress)
- REJECT("TransPort and TransListenAddress are disabled in this build.");
+#ifdef USE_TRANSPARENT
+ if (options->TransTPROXY) {
+#ifndef __linux__
+ REJECT("TransTPROXY is a Linux-specific feature.")
+#endif
+ if (!options->TransPort_set) {
+ REJECT("Cannot use TransTPROXY without any valid TransPort or "
+ "TransListenAddress.");
+ }
+ }
+#else
+ if (options->TransPort_set || options->TransTPROXY)
+ REJECT("TransPort, TransListenAddress, and TransTPROXY are disabled "
+ "in this build.");
#endif
if (options->TokenBucketRefillInterval <= 0
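Review bot: The `REJECT("TransTPROXY is a Linux-specific feature.")` at L61 has no trailing semicolon, unlike the other REJECT uses in this hunk; REJECT in this file is a statement macro (it assigns *msg and returns), so a non-Linux build with USE_TRANSPARENT defined will fail to compile at this line instead of rejecting the option. The fix is `REJECT("TransTPROXY is a Linux-specific feature.");`. The `#else` branch at L69 also drops the old `options->TransListenAddress` test while the message at L70 still names it; if a TransListenAddress line always implies TransPort_set that is fine, but a short comment saying so would take the place of the removed XXXX024 note. options_validate continues outside the hunk.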
diff --git a/src/or/connection.c b/src/or/connection.c
index 1f6e11fac..6dbba668c 100644
--- a/src/or/connection.c
+++ b/src/or/connection.c
@@ -1035,6 +1035,21 @@ connection_listener_new(const struct sockaddr *listensockaddr,
make_socket_reuseable(s);
+#if defined USE_TRANSPARENT && defined(IP_TRANSPARENT)
+ if (options->TransTPROXY && type == CONN_TYPE_AP_TRANS_LISTENER) {
+ int one = 1;
+ if (setsockopt(s, SOL_IP, IP_TRANSPARENT, &one, sizeof(one)) < 0) {
+ const char *extra = "";
+ int e = tor_socket_errno(s);
+ if (e == EPERM)
+ extra = "TransTPROXY requires root privileges or similar"
+ " capabilities.";
+ log_warn(LD_NET, "Error setting IP_TRANSPARENT flag: %s.%s",
+ tor_socket_strerror(e), extra);
+ }
+ }
+#endif
+
#ifdef IPV6_V6ONLY
if (listensockaddr->sa_family == AF_INET6) {
#ifdef _WIN32
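Review bot: A failed setsockopt(IP_TRANSPARENT) at L83 only logs a warning and the listener is still created, so a TransPort the operator configured with TransTPROXY quietly comes up as an ordinary listener that will not receive the TPROXY-redirected connections. If that degradation is deliberate, say so above the log_warn, e.g. `/* Deliberately non-fatal: the listener still serves non-TPROXY redirection. */`; otherwise the socket should be closed and the function should take its error path, which lies outside this hunk. The `options` variable used at L81 is not declared in the hunk, so presumably it comes from an earlier get_options() in connection_listener_new.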
diff --git a/src/or/or.h b/src/or/or.h
index 7df6c37f7..55f286208 100644
--- a/src/or/or.h
+++ b/src/or/or.h
@@ -3553,6 +3553,8 @@ typedef struct {
config_line_t *SocksPort_lines;
/** Ports to listen on for transparent pf/netfilter connections. */
config_line_t *TransPort_lines;
+ int TransTPROXY; /** < Boolean: are we going to listen for all destinations
+ * on the TransPort_lines are required for TPROXY? */
config_line_t *NATDPort_lines; /**< Ports to listen on for transparent natd
* connections. */
config_line_t *ControlPort_lines; /**< Ports to listen on for control
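Review bot: The member comment at L106 is written `/** <` with a space, so Doxygen reads it as a leading comment and attaches it to NATDPort_lines rather than TransTPROXY; the neighbouring fields use `/**<`. The wording is also garbled ("listen for all destinations on the TransPort_lines are required for TPROXY"). Suggested replacement for L106-L107: `int TransTPROXY; /**< Boolean: should TransPort listeners set IP_TRANSPARENT so they accept connections to any destination, as TPROXY requires? */`.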