diff options
| author | dana koch <dsk@google.com> | 2014-02-10 21:23:51 +1100 |
|---|---|---|
| committer | Nick Mathewson <nickm@torproject.org> | 2014-04-16 23:03:25 -0400 |
| commit | f680d0fdd2e42bce109219ed78d0527d16995415 (patch) | |
| tree | 9946b436e76cba9871cb09bec4c2acb59f10c98d /src/or/or.h | |
| parent | 08ef8c0958ebeb134e4f29d1738c85c0ac81e71d (diff) | |
| download | tor-f680d0fdd2e42bce109219ed78d0527d16995415.tar.gz tor-f680d0fdd2e42bce109219ed78d0527d16995415.zip | |
Educate tor on OpenBSD's use of divert-to rules with the pf firewall.
This means that tor can run without needing to communicate with ioctls
to the firewall, and therefore doesn't need to run with privileges to
open the /dev/pf device node.
A new TransProxyType is added for this purpose, "pf-divert"; if the user
specifies this TransProxyType in their torrc, then the pf device node is
never opened and the connection destination is determined with getsockname
(as per pf(4)). The default behaviour (ie., when TransProxyType is "default"
when using the pf firewall) is still to assume that pf is configured with
rdr-to rules.
Diffstat (limited to 'src/or/or.h')
| -rw-r--r-- | src/or/or.h | 7 |
1 files changed, 6 insertions, 1 deletions
diff --git a/src/or/or.h b/src/or/or.h index a5e2e7069d..5510af723e 100644 --- a/src/or/or.h +++ b/src/or/or.h @@ -3461,7 +3461,12 @@ typedef struct { const char *TransProxyType; /**< What kind of transparent proxy * implementation are we using? */ /** Parsed value of TransProxyType. */ - enum { TPT_DEFAULT, TPT_TPROXY, TPT_IPFW } TransProxyType_parsed; + enum { + TPT_DEFAULT, + TPT_PF_DIVERT, + TPT_IPFW, + TPT_TPROXY, + } TransProxyType_parsed; config_line_t *NATDPort_lines; /**< Ports to listen on for transparent natd * connections. */ config_line_t *ControlPort_lines; /**< Ports to listen on for control |