authordana koch <dsk@google.com>2014-02-10 21:23:51 +1100
committerNick Mathewson <nickm@torproject.org>2014-04-16 23:03:25 -0400
commitf680d0fdd2e42bce109219ed78d0527d16995415 (patch)
tree9946b436e76cba9871cb09bec4c2acb59f10c98d /src/or/config.c
parent08ef8c0958ebeb134e4f29d1738c85c0ac81e71d (diff)
Educate tor on OpenBSD's use of divert-to rules with the pf firewall.
This means that tor can run without needing to communicate with ioctls to the firewall, and therefore doesn't need to run with privileges to open the /dev/pf device node. A new TransProxyType is added for this purpose, "pf-divert"; if the user specifies this TransProxyType in their torrc, then the pf device node is never opened and the connection destination is determined with getsockname (as per pf(4)). The default behaviour (i.e., when TransProxyType is "default" and the pf firewall is in use) is still to assume that pf is configured with rdr-to rules.
Diffstat (limited to 'src/or/config.c')
-rw-r--r--src/or/config.c8
1 files changed, 7 insertions, 1 deletions
diff --git a/src/or/config.c b/src/or/config.c
index 55a23b1ce3..e22d3b86e0 100644
--- a/src/or/config.c
+++ b/src/or/config.c
@@ -1089,7 +1089,7 @@ options_act_reversible(const or_options_t *old_options, char **msg)
#if defined(HAVE_NET_IF_H) && defined(HAVE_NET_PFVAR_H)
/* Open /dev/pf before dropping privileges. */
- if (options->TransPort_set && options->TransProxyType_parsed != TPT_IPFW) {
+ if (options->TransPort_set && options->TransProxyType_parsed == TPT_DEFAULT) {
if (get_pf_socket() < 0) {
*msg = tor_strdup("Unable to open /dev/pf for transparent proxy.");
goto rollback;
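Review bot: The comment `/* Open /dev/pf before dropping privileges. */` no longer describes the condition beneath it, which now opens the device only for TransProxyType "default" and deliberately skips it for "pf-divert" (and, as before, "ipfw"). A one-line update such as `/* Open /dev/pf before dropping privileges; only the default (rdr-to) mode needs it, pf-divert resolves destinations with getsockname() and runs without pf device access. */` would record the least-privilege intent stated in the commit message right where it is enforced. Note also that `== TPT_DEFAULT` turns the test into an allow-list, so any TransProxyType value added later silently skips the open unless it is added here; that is probably the safer default but worth a word in the comment. The body of options_act_reversible continues outside the hunk.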
@@ -2553,6 +2553,12 @@ options_validate(or_options_t *old_options, or_options_t *options,
if (options->TransProxyType) {
if (!strcasecmp(options->TransProxyType, "default")) {
options->TransProxyType_parsed = TPT_DEFAULT;
+ } else if (!strcasecmp(options->TransProxyType, "pf-divert")) {
+#ifdef __linux__
+ REJECT("pf is a BSD-specific feature.");
+#else
+ options->TransProxyType_parsed = TPT_PF_DIVERT;
+#endif
} else if (!strcasecmp(options->TransProxyType, "tproxy")) {
#ifndef __linux__
REJECT("TPROXY is a Linux-specific feature.");
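Review bot: The new `pf-divert` branch is rejected only under `__linux__`, whereas the code that consumes TPT_PF_DIVERT in options_act_reversible (first hunk) is compiled only when HAVE_NET_IF_H and HAVE_NET_PFVAR_H are defined, so a non-Linux build without pf headers accepts `pf-divert` at validation time. That may be intentional, since per the commit message pf-divert never touches the pf device and relies on getsockname() instead, but it is worth confirming the divert path is usable on such a build; if not, `#if defined(__linux__) || !defined(HAVE_NET_PFVAR_H)` would keep validation and activation in step. Either way a short comment on the branch, e.g. `/* pf-divert: destination is taken from getsockname(), so /dev/pf is never opened (see options_act_reversible). */`, would explain why this value, unlike "default", needs no device access. options_validate continues outside the hunk.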