Opened 6 years ago

Closed 6 years ago

Last modified 6 years ago

#10582 closed enhancement (implemented)

Please add support for TPROXY for linux in TransProxy

Reported by: thomo
Priority: Medium
Milestone: Tor: 0.2.5.x-final
Component: Core Tor/Tor

Description

The TPROXY target on linux is pretty much the same as the current TransProxy but with the exception that the local port isn't visible therefore making it possible to transparently map the entire range of 1:65356 to tor.

The only difference from the current TransProxy implementation is the addition of listening on all addresses on the socket. I attach a patch that does this. Binding to all addresses has no effect when you use NAT to redirect a port to a given address, so it is quite a small change.

TOR needs root or some capability to setsockopt with SOL_IP IP_TRANSPARENT, but apart from that the change is trivial.

This patch has been tested with the NAT rule as well as the TPROXY target, and works for both, including .onion sites using AutoResolv.

Child Tickets

Attachments (5)

tproxy.patch (695 bytes) - added by thomo 6 years ago.
TPROXY patch
tproxy_with_config.patch (4.2 KB) - added by thomo 6 years ago.
TPROXY patch with TransTPROXY option
tproxy_with_config_revised.patch (4.2 KB) - added by thomo 6 years ago.
Revised patch with TPROXY config line
tproxy_with_config_revised_again.patch (4.2 KB) - added by thomo 6 years ago.
0001-Add-support-for-TPROXY-via-new-TransTPRoxy-option.patch (5.2 KB) - added by nickm 6 years ago.


Change History (20)

Changed 6 years ago by thomo

Attachment: tproxy.patch added

TPROXY patch

comment:1 Changed 6 years ago by thomo

TPROXY only works on a router, it doesn't work on the local machine. You still need to use NAT for that. But to test this you do the following:

Create a rule for a firewall mark for the traffic to look up a routing table, i.e.:

    ip rule add fwmark 16 lookup 10

Add a routing rule for the traffic to the lo device:

    ip route add local default dev lo table 10
    ip -6 route add local default dev lo table 10

And tell the firewall to mark the packets, in ferm:

    domain (ip ip6) {
        table mangle {
            chain PREROUTING {
                CONNMARK restore-mark;
                interface XXXX proto tcp dport (80 443) mod connmark mark 0 TPROXY on-port 9040 tproxy-mark 16;
                CONNMARK save-mark;
            }
        }
    }

Last edited 6 years ago by thomo

comment:2 Changed 6 years ago by thomo

Type: defect → enhancement

comment:3 Changed 6 years ago by nickm

Milestone: Tor: 0.2.5.x-final

If we're going to give a warning when setting this option fails, and it requires root to set the option, then most TransPort users are going to see this warning every time they start up. Is there a better way? Should this be controlled by an option?

Also, what's the best documentation to read about TPROXY and how this option works? The first few links that I could find were complaints about the state of TPROXY documentation. :)

comment:4 Changed 6 years ago by thomo

I think that the best documentation although a bit old is still in the kernel source tree. http://lxr.free-electrons.com/source/Documentation/networking/tproxy.txt

As for removing the warning, do you have any suggestions for enabling this feature were it to be included. I thought about a TransParentProxyTproxy boolean flag but that would change a few more files and would mean yet another configuration option. What do you suggest?

comment:5 Changed 6 years ago by thomo

Ok, I have tried again adding a TransTPROXY option. I am not sure if this is what you meant but if you can have a look at this I would be appreciate it.

Changed 6 years ago by thomo

Attachment: tproxy_with_config.patch added

TPROXY patch with TransTPROXY option

comment:6 Changed 6 years ago by nickm

Status: new → needs_revision

It looks like the code in connection.c doesn't actually check whether get_options()->TransTPROXY is set?

comment:7 in reply to: 6 Changed 6 years ago by thomo

Replying to nickm:

    It looks like the code in connection.c doesn't actually check whether get_options()->TransTPROXY is set?

Yes, you are correct. Also fixed up the grammar in the comment, recompiled and retested. Please see the new tproxy_with_config_revised.patch file.

Changed 6 years ago by thomo

Revised patch with TPROXY config line

comment:8 Changed 6 years ago by nickm

I still don't see any code in src/or/connection.c to check whether TransTPROXY is set.

comment:9 Changed 6 years ago by thomo

Whoops. Got the TransPort confused with the TPROXY. Sorry about that. Third time lucky?

Changed 6 years ago by thomo

comment:10 Changed 6 years ago by nickm

Ow. This version of the patch still warns unconditionally when options->User is not set. Also, it doesn't compile when transparent proxy support is disabled, and it doesn't compile on non-linux systems that lack IP_TRANSPARENT.

How about the attached patch, also in my branch "feature_10582" in my public repository?
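The description and comment:10 together spell out what a TPROXY listener has to do and where the earlier patch revisions went wrong: bind the wildcard address, set IP_TRANSPARENT (which needs root or CAP_NET_ADMIN), keep compiling on systems that lack IP_TRANSPARENT, and report a permission failure as a warning rather than spamming every TransPort user. The following is an added, stand-alone example written for this ticket, not Tor's code or any of the attached patches. It assumes a Linux build with glibc headers; the function and enum names (`open_transparent_listener`, `set_transparent`, `enum tproxy_status`) are this example's own.

```c
/* Added example (not Tor's code): open a wildcard-bound TCP listener and try
 * to put it into transparent mode, classifying the outcome so a caller can
 * decide whether to warn. Linux/glibc assumed. */
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <netinet/in.h>

enum tproxy_status {
    TPROXY_OK,            /* transparent mode enabled on the socket */
    TPROXY_NO_PERMISSION, /* EPERM/EACCES: needs root or CAP_NET_ADMIN */
    TPROXY_UNSUPPORTED,   /* built without IP_TRANSPARENT (non-Linux) */
    TPROXY_ERROR          /* some other setsockopt() failure */
};

/* Try IP_TRANSPARENT / IPV6_TRANSPARENT. Guarded with #if so the file still
 * compiles where the option does not exist (the build break from comment:10). */
static enum tproxy_status
set_transparent(int fd, int family)
{
#if defined(IP_TRANSPARENT)
    int one = 1;
    int rc;
    if (family == AF_INET6) {
#if defined(IPV6_TRANSPARENT)
        rc = setsockopt(fd, SOL_IPV6, IPV6_TRANSPARENT, &one, sizeof(one));
#else
        return TPROXY_UNSUPPORTED;
#endif
    } else {
        rc = setsockopt(fd, SOL_IP, IP_TRANSPARENT, &one, sizeof(one));
    }
    if (rc == 0)
        return TPROXY_OK;
    return (errno == EPERM || errno == EACCES) ? TPROXY_NO_PERMISSION
                                               : TPROXY_ERROR;
#else
    (void)fd; (void)family;
    return TPROXY_UNSUPPORTED;
#endif
}

/* Open a TCP listener bound to the wildcard address (the one change the
 * ticket's patch makes). Returns the fd or -1. *status says whether
 * transparent mode came on; like Tor after the patch, a failure there is
 * reported, not fatal. port 0 lets the kernel pick a free port. */
static int
open_transparent_listener(int family, uint16_t port, enum tproxy_status *status)
{
    int fd = socket(family, SOCK_STREAM, 0);
    if (fd < 0)
        return -1;
    int one = 1;
    setsockopt(fd, SOL_SOCKET, SO_REUSEADDR, &one, sizeof(one));
    *status = set_transparent(fd, family);

    struct sockaddr_storage ss;
    socklen_t len;
    memset(&ss, 0, sizeof(ss));
    if (family == AF_INET6) {
        struct sockaddr_in6 *s6 = (struct sockaddr_in6 *)&ss;
        s6->sin6_family = AF_INET6;
        s6->sin6_addr = in6addr_any;         /* :: */
        s6->sin6_port = htons(port);
        len = sizeof(*s6);
    } else {
        struct sockaddr_in *s4 = (struct sockaddr_in *)&ss;
        s4->sin_family = AF_INET;
        s4->sin_addr.s_addr = htonl(INADDR_ANY); /* 0.0.0.0 */
        s4->sin_port = htons(port);
        len = sizeof(*s4);
    }
    if (bind(fd, (struct sockaddr *)&ss, len) < 0 || listen(fd, 16) < 0) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Local port of a socket in host order, -1 on error. On a listener this is
 * the bound port; on a socket accepted under TPROXY the same call yields the
 * client's original destination, which is how the proxy learns where the
 * connection was really headed. */
static int
bound_port(int fd)
{
    struct sockaddr_storage ss;
    socklen_t len = sizeof(ss);
    if (getsockname(fd, (struct sockaddr *)&ss, &len) < 0)
        return -1;
    if (ss.ss_family == AF_INET6)
        return ntohs(((struct sockaddr_in6 *)&ss)->sin6_port);
    return ntohs(((struct sockaddr_in *)&ss)->sin_port);
}

static const char *
tproxy_status_str(enum tproxy_status s)
{
    switch (s) {
    case TPROXY_OK:            return "enabled";
    case TPROXY_NO_PERMISSION: return "denied (need root or CAP_NET_ADMIN)";
    case TPROXY_UNSUPPORTED:   return "unsupported on this platform";
    default:                   return "failed";
    }
}

int
main(void)
{
    enum tproxy_status st;
    int fd = open_transparent_listener(AF_INET, 0, &st);
    if (fd < 0) {
        perror("listener");
        return 1;
    }
    printf("listening on port %d, transparent mode: %s\n",
           bound_port(fd), tproxy_status_str(st));
    close(fd);
    return 0;
}
```

Run as an unprivileged user the listener still opens and the status comes back as a permission failure, which is the case the ticket wants reported only when the operator actually asked for TPROXY; run as root (or with CAP_NET_ADMIN) it reports "enabled".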

comment:11 Changed 6 years ago by nickm

Status: needs_revision → needs_review

comment:12 Changed 6 years ago by thomo

FWIW that seems ok by me. That linux feature makes it a lot clearer.

comment:13 Changed 6 years ago by nickm

Resolution: implemented
Status: needs_review → closed

Okay, I tweaked it a little more and merged it. Thanks!

comment:14 Changed 6 years ago by nickm

I changed the option syntax in 5991f9a15646d53b838562fd1424b6a8fd9ef614, so that we can eventually support ipfw too without needing one option per firewall type.

comment:15 Changed 6 years ago by nickm

(See #10267 for ipfw info)
