From 3e4680f3126c2a06358535b08bf267dca1bb90a7 Mon Sep 17 00:00:00 2001
From: Nick Mathewson
Date: Mon, 3 Feb 2014 14:09:07 -0500
Subject: ipfw TransPort support on FreeBSD (10267)

This isn't on by default; to get it, you need to set "TransProxyType ipfw". (The original patch had automatic detection for whether /dev/pf is present and openable, but that seems marginally fragile.)
---
 src/or/or.h | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
(limited to 'src/or/or.h')

diff --git a/src/or/or.h b/src/or/or.h
index 38ab1767e..a5e2e7069 100644
--- a/src/or/or.h
+++ b/src/or/or.h
@@ -3461,7 +3461,7 @@ typedef struct {
 const char *TransProxyType; /**< What kind of transparent proxy
 * implementation are we using? */
 /** Parsed value of TransProxyType. */
- enum { TPT_DEFAULT, TPT_TPROXY } TransProxyType_parsed;
+ enum { TPT_DEFAULT, TPT_TPROXY, TPT_IPFW } TransProxyType_parsed;
 config_line_t *NATDPort_lines; /**< Ports to listen on for transparent natd
 * connections. */
 config_line_t *ControlPort_lines; /**< Ports to listen on for control
-- 
cgit v1.2.3

From f680d0fdd2e42bce109219ed78d0527d16995415 Mon Sep 17 00:00:00 2001
From: dana koch
Date: Mon, 10 Feb 2014 21:23:51 +1100
Subject: Educate tor on OpenBSD's use of divert-to rules with the pf firewall.

This means that tor can run without needing to communicate with ioctls to the firewall, and therefore doesn't need to run with privileges to open the /dev/pf device node. A new TransProxyType is added for this purpose, "pf-divert"; if the user specifies this TransProxyType in their torrc, then the pf device node is never opened and the connection destination is determined with getsockname (as per pf(4)). The default behaviour (ie., when TransProxyType is "default" when using the pf firewall) is still to assume that pf is configured with rdr-to rules.
---
 src/or/or.h | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)
(limited to 'src/or/or.h')
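Review bot: The new TPT_IPFW enumerator on the `+` line carries no documentation, while every neighbouring field in this struct has a Doxygen `/**<` comment; a reader of or.h cannot tell from the enum alone which platform mechanism each parsed value selects or that, per the commit message, ipfw is never auto-detected and must be chosen explicitly with "TransProxyType ipfw". I would add `/** Parsed value of TransProxyType: TPT_TPROXY = Linux TPROXY, TPT_IPFW = FreeBSD ipfw (explicit opt-in only, no autodetection). */` in place of the existing one-line comment. The same gap applies to TPT_PF_DIVERT added in the following hunk of f680d0fdd. The enclosing `typedef struct` begins and ends outside the hunk.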
diff --git a/src/or/or.h b/src/or/or.h
index a5e2e7069..5510af723 100644
--- a/src/or/or.h
+++ b/src/or/or.h
@@ -3461,7 +3461,12 @@ typedef struct {
 const char *TransProxyType; /**< What kind of transparent proxy
 * implementation are we using? */
 /** Parsed value of TransProxyType. */
- enum { TPT_DEFAULT, TPT_TPROXY, TPT_IPFW } TransProxyType_parsed;
+ enum {
+ TPT_DEFAULT,
+ TPT_PF_DIVERT,
+ TPT_IPFW,
+ TPT_TPROXY,
+ } TransProxyType_parsed;
 config_line_t *NATDPort_lines; /**< Ports to listen on for transparent natd
 * connections. */
 config_line_t *ControlPort_lines; /**< Ports to listen on for control
-- 
cgit v1.2.3
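Review bot: Reordering the enumerators moves TPT_TPROXY from value 1 to 3 and gives TPT_PF_DIVERT the value 1; that is harmless only if TransProxyType_parsed is always set from the parsed option string and compared by name, which the commit message implies but this hunk cannot show, so the parser and any code that switches on or logs the numeric value deserve a look. Separately, TPT_PF_DIVERT is the one value with a privilege implication (the commit message says it avoids opening /dev/pf and derives the destination with getsockname), and that belongs on the enumerator rather than only in the commit message: `TPT_PF_DIVERT, /**< OpenBSD pf divert-to: destination taken from getsockname(); /dev/pf is never opened. */`. Matching one-line `/**<` comments on TPT_DEFAULT, TPT_IPFW and TPT_TPROXY would keep the list self-describing. The enclosing `typedef struct` begins and ends outside the hunk.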