Based on patch from "thomo" at #10582.
--- /dev/null
+ o Minor features:
+
+ - Add support for the TPROXY transparent proxying facility on Linux.
+ See documentation for the new TransTRPOXY option for more details.
+ Implementation by "thomo". Closes ticket 10582.
+
+
compatibility, TransListenAddress is only allowed when TransPort is just
a port number.)
+[[TransTPROXY]] **TransTPROXY** **0**|**1**::
+ TransTPROXY may only be enabled when there is transparent proxy listener
+ enabled and only for Linux.
+ +
+ Set this 1 if you wish to be able to use the TPROXY linux module to
+ transparently proxy connections that are configured using the TransPort
+ option. This setting lets the listener on the TransPort accept connections
+ for all addresses, even when the TransListenAddress is configured for an
+ internal address. Detailed information on how to configure the TPROXY
+ feature can be found in the Linux kernel source tree in the file
+ Documentation/networking/tproxy.txt.
+ (Default: 0)
+
[[NATDPort]] **NATDPort** \['address':]__port__|**auto** [_isolation flags_]::
Open this port to listen for connections from old versions of ipfw (as
included in old versions of FreeBSD, etc) using the NATD protocol.
OBSOLETE("TrafficShaping"),
V(TransListenAddress, LINELIST, NULL),
VPORT(TransPort, LINELIST, NULL),
+ V(TransTPROXY, BOOL, "0"),
V(TunnelDirConns, BOOL, "1"),
V(UpdateBridgesFromAuthority, BOOL, "0"),
V(UseBridges, BOOL, "0"),
"undefined, and there aren't any hidden services configured. "
"Tor will still run, but probably won't do anything.");
-#ifndef USE_TRANSPARENT
- /* XXXX024 I think we can remove this TransListenAddress */
- if (options->TransPort_set || options->TransListenAddress)
- REJECT("TransPort and TransListenAddress are disabled in this build.");
+#ifdef USE_TRANSPARENT
+ if (options->TransTPROXY) {
+#ifndef __linux__
+ REJECT("TransTPROXY is a Linux-specific feature.")
+#endif
+ if (!options->TransPort_set) {
+ REJECT("Cannot use TransTPROXY without any valid TransPort or "
+ "TransListenAddress.");
+ }
+ /* Friendly suggestion about running as root initially. */
+ if (!options->User) {
+ log_warn(LD_CONFIG,
+ "You have enabled TransTPROXY but have not specified the "
+ "\"User\" option. TransTPROXY will not function without "
+ "root privileges.");
+ }
+ }
+#else
+ if (options->TransPort_set || options->TransTPROXY)
+ REJECT("TransPort, TransListenAddress, and TransTPROXY are disabled "
+ "in this build.");
#endif
if (options->TokenBucketRefillInterval <= 0
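Review bot: The `REJECT("TransTPROXY is a Linux-specific feature.")` line inside `#ifndef __linux__` is the only REJECT call in this hunk without a trailing semicolon, and because that line is compiled only on non-Linux builds a Linux build would never surface the resulting syntax error; it should read `REJECT("TransTPROXY is a Linux-specific feature.");`. Separately, the `#else` branch now tests only `TransPort_set || TransTPROXY` while its message still names TransListenAddress, and the "Cannot use TransTPROXY without any valid TransPort or TransListenAddress" check tests only `TransPort_set`; if dropping the TransListenAddress test is intentional (the removed XXXX024 comment suggests it is), the messages should be made to match the conditions they report on. The enclosing validation function starts before and ends after the hunk.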
make_socket_reuseable(s);
+#if defined USE_TRANSPARENT && defined(IP_TRANSPARENT)
+ if (options->TransTPROXY && type == CONN_TYPE_AP_TRANS_LISTENER) {
+ int one = 1;
+ if (setsockopt(s, SOL_IP, IP_TRANSPARENT, &one, sizeof(one)) < 0) {
+ int e = tor_socket_errno(s);
+ log_warn(LD_NET, "Error setting IP_TRANSPARENT flag: %s",
+ tor_socket_strerror(e));
+ }
+ }
+#endif
+
#ifdef IPV6_V6ONLY
if (listensockaddr->sa_family == AF_INET6) {
#ifdef _WIN32
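Review bot: When `setsockopt(s, SOL_IP, IP_TRANSPARENT, &one, sizeof(one))` fails, the new block only logs a warning and the listener is still created, although the operator has explicitly asked for TransTPROXY and a listener without IP_TRANSPARENT cannot accept the redirected connections the option exists for. On Linux IP_TRANSPARENT requires CAP_NET_ADMIN, so EPERM is the expected failure when the process lacks that capability; if the rest of this function treats a bind() failure as fatal for the listener (that code is outside the hunk), this failure should probably be handled the same way, and the message should state the consequence, e.g. `log_warn(LD_NET, "Error setting IP_TRANSPARENT flag: %s. TransTPROXY will not work on this listener (CAP_NET_ADMIN is required).", tor_socket_strerror(e));`. A smaller style point: `#if defined USE_TRANSPARENT && defined(IP_TRANSPARENT)` mixes the two forms of `defined`; `#if defined(USE_TRANSPARENT) && defined(IP_TRANSPARENT)` is easier to read. The enclosing function starts and ends outside the hunk.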
config_line_t *SocksPort_lines;
/** Ports to listen on for transparent pf/netfilter connections. */
config_line_t *TransPort_lines;
+ int TransTPROXY; /** < Boolean: are we going to listen for all destinations
+ * on the TransPort_lines are required for TPROXY? */
config_line_t *NATDPort_lines; /**< Ports to listen on for transparent natd
* connections. */
config_line_t *ControlPort_lines; /**< Ports to listen on for control
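Review bot: The new member's comment opens with `/** <` (space before the `<`), unlike the `/**<` after-member form used by the sibling fields such as NATDPort_lines, so it is unlikely to be attached to TransTPROXY by Doxygen, and its text does not parse as a sentence ("...on the TransPort_lines are required for TPROXY?"). Suggest `int TransTPROXY; /**< Boolean: should the TransPort listeners accept connections for any destination address, as TPROXY requires? */`, wrapped across two lines like the neighbouring fields. The enclosing struct starts outside the hunk.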