Opened 6 years ago

Closed 5 years ago

#10896 closed enhancement (implemented)

Add support for pf divert-to sockets

Reported by: _x3j11
Priority: Medium
Milestone: Tor: 0.2.5.x-final
Component: Core Tor/Tor
Keywords: 025-triaged, andrea-review-0254
Cc: nickm

Description

Since OpenBSD 4.4, the pf firewall has supported divert-to rules alongside rdr-to rules. The latter form of rule translates and modifies packets and requires Tor to communicate with pf via ioctls on its privileged device node /dev/pf to get the original untranslated destination address. divert-to rules, however, do not require access to the firewall via ioctl, and the original destination address information is accessible via a getsockname(2) call.

The attached patch adds a single new TransProxyType pf-divert to signify that the firewall is operating with a divert-to rule configured to divert traffic to Tor's transparent proxy listener (discussion on the nomenclature of TransProxyTypes may be required). To avoid bloating connection_ap_get_original_destination too much, the existing logic is factored out into two additional functions, which get the destination address information via firewall (if using traditional rdr-to rules), or via the socket itself (if on Linux or using divert-to rules).

At the moment, the default TransProxyType assumes rdr-to rules and behaviour to avoid breaking existing installations. An additional TransProxyType can be added in future (pf-rdr) and the meaning of the default TransProxyType can be changed to default to assume divert rules.

Note that this means that when using pf and divert-to rules, Tor can run completely nonprivileged. This feature is not "advertised" in the documentation modification, because it has only lightly been tested and there may be other instances where Tor needs privileges that haven't been triggered in testing this patch. If admins are using rdr-to rules to begin with, they need to specify a User and start Tor as root (in order to access /dev/pf, which is mode 600 root:wheel), and changing to divert-to rules while continuing to run Tor as root should need no other configuration changes. If admins want to run Tor as a regular nonprivileged user and do not remove the User clause, they will be prompted to do so. If it is determined there are no other instances where Tor needs privileges in this case, then this feature could be further publicised.
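To make the distinction in the description concrete, here is an added example (hypothetical helper code, not the patch or Tor's own code) that recovers the original destination of an accepted transparent-proxy connection both ways: via getsockname(2) for divert-to, and via the DIOCNATLOOK ioctl on /dev/pf for rdr-to. The pf path only compiles on OpenBSD; elsewhere it reports ENOSYS, and the function names are this example's own.

```c
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <string.h>
#include <unistd.h>
#include <errno.h>
#ifdef __OpenBSD__
#include <sys/ioctl.h>
#include <fcntl.h>
#include <net/if.h>
#include <net/pfvar.h>
#endif

/* Hypothetical helper, not Tor's code. With divert-to, pf leaves the packet
 * untranslated, so getsockname(2) on the accepted socket already yields the
 * original destination and no /dev/pf access is needed. */
int orig_dst_via_socket(int fd, struct sockaddr_in *out) {
  socklen_t len = sizeof(*out);
  memset(out, 0, sizeof(*out));
  return getsockname(fd, (struct sockaddr *)out, &len);
}

/* With rdr-to, the destination was rewritten, so the original one has to be
 * looked up in pf's NAT state via DIOCNATLOOK on the privileged /dev/pf. */
int orig_dst_via_firewall(int fd, struct sockaddr_in *out) {
#ifdef __OpenBSD__
  struct sockaddr_in local, peer; struct pfioc_natlook pnl; int pf, rc;
  socklen_t len = sizeof(local);
  if (getsockname(fd, (struct sockaddr *)&local, &len) < 0) return -1;
  len = sizeof(peer);
  if (getpeername(fd, (struct sockaddr *)&peer, &len) < 0) return -1;
  memset(&pnl, 0, sizeof(pnl));
  pnl.af = AF_INET; pnl.proto = IPPROTO_TCP; pnl.direction = PF_OUT;
  pnl.saddr.v4 = peer.sin_addr;  pnl.sport = peer.sin_port;
  pnl.daddr.v4 = local.sin_addr; pnl.dport = local.sin_port;
  if ((pf = open("/dev/pf", O_RDONLY)) < 0) return -1; /* mode 600 root:wheel */
  rc = ioctl(pf, DIOCNATLOOK, &pnl);
  close(pf);
  if (rc < 0) return -1;
  memset(out, 0, sizeof(*out)); out->sin_family = AF_INET;
  out->sin_addr = pnl.rdaddr.v4; out->sin_port = pnl.rdport;
  return 0;
#else
  (void)fd; (void)out; errno = ENOSYS; return -1; /* pf lookup is OpenBSD-only */
#endif
}

/* Dispatcher in the spirit of the ticket's refactoring: pf-divert reads the
 * socket, the default (rdr-to) type consults the firewall. */
int get_original_destination(int fd, int pf_divert, struct sockaddr_in *out) {
  return pf_divert ? orig_dst_via_socket(fd, out) : orig_dst_via_firewall(fd, out);
}
```

On a non-OpenBSD host the divert path still returns the socket's local address, which is what the test below checks against a loopback socket.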

Child Tickets

Attachments (1)

0001-Educate-tor-on-OpenBSD-s-use-of-divert-to-rules-with.patch (7.6 KB) - added by _x3j11 6 years ago.


Change History (13)

comment:1 Changed 6 years ago by _x3j11

Status: new → needs_review

comment:2 Changed 5 years ago by andrea

Keywords: 025-triaged added

comment:3 Changed 5 years ago by nickm

This will conflict with #10267 ; I'll come up with a combined branch.

comment:4 Changed 5 years ago by nickm

See branch 10267_plus_10896_rebased in my public repository (https://gitweb.torproject.org/nickm/tor.git) for both branches, plus some small tweaks. I can confirm that the code looks okay to me so far and it doesn't break compilation on OSX or Linux; can somebody else confirm that pf-divert still works with this branch, and that it doesn't break regular pf users?

_x3j11, can you confirm that I didn't mangle your code badly or put anything inaccurate in the changes file?

comment:5 Changed 5 years ago by _x3j11

There's a typo/merge-o on line 1462 of connection_edge.c on your branch: the #endif is inside the block when it should be outside. After making this tweak, I was able to build and briefly test pf-divert still behaved correctly. The other commits on that branch LGTM.

comment:6 Changed 5 years ago by nickm

Okay, that should be fixed now by aeb82f9bea61f208fc4d2cc7f4ee43a806fef5b7. Can anybody test whether the ipfw code works and/or whether I broke regular pf users?

comment:7 Changed 5 years ago by _x3j11

I hope the following is useful; for the record and for reproducibility, here is my testing methodology for OpenBSD and both styles of pf rules (I have not tested ipfw on FreeBSD, but maybe someone can make use of this?).

There are four cases to look at, where the torrc is set up for rdr-to rules/divert-to rules, and whether the system's firewall is set up for rdr-to rules/divert-to rules.

Set up an OpenBSD VM or similar at IP address <addr>, and set sysctl -w net.inet.ip.forwarding=1.

Call torrc-rdr:

User foo
DataDirectory /home/foo/.tor
TransListenAddress 127.0.0.1
TransPort 9999

Call torrc-divert:

TransListenAddress 127.0.0.1
TransPort 9999
TransProxyType pf-divert

Call pf-rdr.conf, supposing <addr> is on <netblock> (e.g., 192.168.0.0/24):

set skip on lo
pass in quick from any to ! <netblock> rdr-to 127.0.0.1 port 9999

Call pf-divert.conf:

set skip on lo
pass in quick from any to ! <netblock> divert-to 127.0.0.1 port 9999

From a different machine on the network, set its default route to this VM.

Then:

  • case 1: torrc-divert and pf-rdr.conf: expected fail.
    • run sudo pfctl -f pf-rdr.conf
    • start tor with <path-to-tor>/tor -f torrc-divert
    • Make a test connection (from the other machine) lynx check.torproject.org.
    • An error message is logged ("Rejecting request for anonymous connection..." IIRC)
    • (failed, as expected)
  • case 2: torrc-rdr and pf-rdr.conf: expected success.
    • run sudo pfctl -f pf-rdr.conf
    • start tor with sudo <path-to-tor>/tor -f torrc-rdr
    • Make a test connection (from the other machine) lynx check.torproject.org.
    • Should succeed (as expected)
  • case 3: torrc-divert and pf-divert.conf: expected success.
    • run sudo pfctl -f pf-divert.conf
    • start tor with <path-to-tor>/tor -f torrc-divert
    • Make a test connection (from the other machine) lynx check.torproject.org.
    • Should succeed (as expected)
  • case 4: torrc-rdr and pf-divert.conf: doesn't matter (if it succeeds, migration of pf.conf is seamless, otherwise, it fails, torrc and pf.conf need to be migrated together.)
    • run sudo pfctl -f pf-divert.conf
    • start tor with sudo <path-to-tor>/tor -f torrc-rdr
    • Make a test connection (from the other machine) lynx check.torproject.org.
    • (On testing on OpenBSD 5.4, this succeeds, but that may not be the case on earlier versions?)
Last edited 5 years ago by _x3j11

comment:8 Changed 5 years ago by nickm

Thanks for the writeup! Does that mean that you think this is good-to-merge?

comment:9 Changed 5 years ago by _x3j11

From the OpenBSD perspective, I think it is, yes.

comment:10 Changed 5 years ago by nickm

Keywords: andrea-review-0254 added

Drop owners from needs_review tickets in tor 0.2.5

comment:11 Changed 5 years ago by andrea

This with the revisions from nickm looks okay to me. Recommend merging the nickm/10267_plus_10896_rebased for 0.2.5.4.

comment:12 Changed 5 years ago by nickm

Resolution: implemented
Status: needs_review → closed

Rebased again and merged! Thanks, everybody.
