commit 4bec25c3cd8869fb4b0cb6f1139bc2672b5b14a7 Author: Nick Mathewson nickm@torproject.org Date: Wed Oct 31 11:08:38 2012 -0400
Add {No,}IPv{4,6}Traffic options to SOCKSPort
These options are for telling the SOCKSPort that it should allow or not allow connections to IPv4/IPv6 addresses.
These aren't implemented yet; this is just the code to read the options and get them into the entry_connection_t. --- src/or/config.c | 25 +++++++++++++++++++++++-- src/or/connection.c | 9 +++++++++ src/or/or.h | 18 ++++++++++++++++++ 3 files changed, 50 insertions(+), 2 deletions(-)
diff --git a/src/or/config.c b/src/or/config.c
index 76038d5..1af6817 100644
--- a/src/or/config.c
+++ b/src/or/config.c
@@ -4441,6 +4441,7 @@ warn_nonlocal_controller_ports(smartlist_t *ports, unsigned forbid)
 #define CL_PORT_ALLOW_EXTRA_LISTENADDR (1u<<2)
 #define CL_PORT_SERVER_OPTIONS (1u<<3)
 #define CL_PORT_FORBID_NONLOCAL (1u<<4)
+#define CL_PORT_TAKES_HOSTNAMES (1u<<5)
/**
 * Parse port configuration for a single port type.
@@ -4473,6 +4474,9 @@ warn_nonlocal_controller_ports(smartlist_t *ports, unsigned forbid)
 * isolation options in the FooPort entries; instead allow the
 * server-port option set.
 *
+ * If CL_PORT_TAKES_HOSTNAMES is set in <b>flags</b>, allow the options
+ * {No,}IPv{4,6}Traffic.
+ *
 * On success, if <b>out</b> is given, add a new port_cfg_t entry to
 * <b>out</b> for every port that the client should listen on. Return 0
 * on success, -1 on failure.
@@ -4496,6 +4500,7 @@ parse_port_config(smartlist_t *out,
 const unsigned forbid_nonlocal = flags & CL_PORT_FORBID_NONLOCAL;
 const unsigned allow_spurious_listenaddr = flags & CL_PORT_ALLOW_EXTRA_LISTENADDR;
+ const unsigned takes_hostnames = flags & CL_PORT_TAKES_HOSTNAMES;
 int got_zero_port=0, got_nonzero_port=0;
/* FooListenAddress is deprecated; let's make it work like it used to work,
@@ -4599,7 +4604,8 @@ parse_port_config(smartlist_t *out,
 uint16_t ptmp=0;
 int ok;
 int no_listen = 0, no_advertise = 0, all_addrs = 0,
- ipv4_only = 0, ipv6_only = 0;
+ ipv4_only = 0, ipv6_only = 0,
+ ipv4_traffic = 1, ipv6_traffic = 0;
smartlist_split_string(elts, ports->value, NULL, SPLIT_SKIP_SPACE|SPLIT_IGNORE_BLANK, 0);
@@ -4723,9 +4729,21 @@ parse_port_config(smartlist_t *out,
 no = 1;
 elt += 2;
 }
+
+ if (takes_hostnames) {
+ if (!strcasecmp(elt, "IPv4Traffic")) {
+ ipv4_traffic = ! no;
+ continue;
+ } else if (!strcasecmp(elt, "IPv6Traffic")) {
+ ipv6_traffic = ! no;
+ continue;
+ }
+ }
+
 if (!strcasecmpend(elt, "s"))
 elt[strlen(elt)-1] = '\0'; /* kill plurals. */
+
 if (!strcasecmp(elt, "IsolateDestPort")) {
 isoflag = ISO_DESTPORT;
 } else if (!strcasecmp(elt, "IsolateDestAddr")) {
@@ -4766,6 +4784,8 @@ parse_port_config(smartlist_t *out,
 cfg->all_addrs = all_addrs;
 cfg->ipv4_only = ipv4_only;
 cfg->ipv6_only = ipv6_only;
+ cfg->ipv4_traffic = ipv4_traffic;
+ cfg->ipv6_traffic = ipv6_traffic;
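Review bot: Nothing rejects or warns about a SocksPort line that carries both `NoIPv4Traffic` and `NoIPv6Traffic`; the two `continue`s in the `takes_hostnames` block bypass whatever the loop does with an unrecognized option, so a port that can serve no address family at all is accepted silently, and once these bits are enforced it would accept SOCKS connections and fail every one of them. The natural place for the check is where the values are copied into the port_cfg_t in the next hunk, e.g. `if (!ipv4_traffic && !ipv6_traffic) log_warn(LD_CONFIG, "Port forbids both IPv4 and IPv6 traffic; it can carry no connections.");`, failing the configuration the same way other invalid port options in this function do. Separately, `CL_PORT_TAKES_HOSTNAMES` / `takes_hostnames` gate address-family options, not anything about hostnames, so the name will mislead the next reader; consider naming the flag for what it actually permits. parse_port_config's body continues outside the hunk.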
smartlist_add(out, cfg);
 }
@@ -4858,7 +4878,8 @@ parse_ports(or_options_t *options, int validate_only,
 options->SocksPort_lines, options->SocksListenAddress, "Socks", CONN_TYPE_AP_LISTENER, "127.0.0.1", 9050,
- CL_PORT_WARN_NONLOCAL|CL_PORT_ALLOW_EXTRA_LISTENADDR) < 0) {
+ CL_PORT_WARN_NONLOCAL|CL_PORT_ALLOW_EXTRA_LISTENADDR|
+ CL_PORT_TAKES_HOSTNAMES) < 0) {
 *msg = tor_strdup("Invalid SocksPort/SocksListenAddress configuration");
 goto err;
 }
diff --git a/src/or/connection.c b/src/or/connection.c
index bb175d0..89ac8f5 100644
--- a/src/or/connection.c
+++ b/src/or/connection.c
@@ -1115,6 +1115,13 @@ connection_listener_new(const struct sockaddr *listensockaddr,
 lis_conn->session_group = global_next_session_group--;
 }
 }
+ if (type == CONN_TYPE_AP) {
+ lis_conn->socks_ipv4_traffic = port_cfg->ipv4_traffic;
+ lis_conn->socks_ipv6_traffic = port_cfg->ipv6_traffic;
+ } else {
+ lis_conn->socks_ipv4_traffic = 1;
+ lis_conn->socks_ipv6_traffic = 1;
+ }
if (connection_add(conn) < 0) { /* no space, forget it */
 log_warn(LD_NET,"connection_add for listener failed. Giving up.");
@@ -1348,6 +1355,8 @@ connection_init_accepted_conn(connection_t *conn,
 TO_ENTRY_CONN(conn)->session_group = listener->session_group;
 TO_ENTRY_CONN(conn)->nym_epoch = get_signewnym_epoch();
 TO_ENTRY_CONN(conn)->socks_request->listener_type = listener->base_.type;
+ TO_ENTRY_CONN(conn)->ipv4_traffic_ok = listener->socks_ipv4_traffic;
+ TO_ENTRY_CONN(conn)->ipv6_traffic_ok = listener->socks_ipv6_traffic;
 switch (TO_CONN(listener)->type) {
 case CONN_TYPE_AP_LISTENER:
 conn->state = AP_CONN_STATE_SOCKS_WAIT;
diff --git a/src/or/or.h b/src/or/or.h
index 9d22e11..8a77c94 100644
--- a/src/or/or.h
+++ b/src/or/or.h
@@ -1225,6 +1225,15 @@ typedef struct listener_connection_t {
 uint8_t isolation_flags;
 /**@}*/
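Review bot: The new branch in connection_listener_new tests `type == CONN_TYPE_AP`, but this function builds a listener, parse_ports registers the SOCKS port as `CONN_TYPE_AP_LISTENER`, and the second hunk matches the listener with `case CONN_TYPE_AP_LISTENER:`; if `type` is the listener's own type, as the surrounding code suggests, the condition is never true, every listener takes the else branch with both bits forced to 1, and an operator's `NoIPv4Traffic`/`NoIPv6Traffic` setting is silently discarded the moment anything starts enforcing these bits. The guard should read `if (type == CONN_TYPE_AP_LISTENER) {`, presumably the same condition the preceding isolation/session-group block is under. connection_listener_new starts outside the hunk, so I cannot see how `type` is declared; worth confirming before changing it.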
+ /** For a SOCKS listener, these fields describe whether we should
+ * allow IPv4 and IPv6 addresses from our exit nodes, respectively.
+ *
+ * @{
+ */
+ unsigned int socks_ipv4_traffic : 1;
+ unsigned int socks_ipv6_traffic : 1;
+ /** @} */
+
 } listener_connection_t;
/** Minimum length of the random part of an AUTH_CHALLENGE cell. */
@@ -1522,6 +1531,13 @@ typedef struct entry_connection_t {
 */
 unsigned int may_use_optimistic_data : 1;
+ /** Should we permit IPv4 and IPv6 traffic to use this connection?
+ *
+ * @{ */
+ unsigned int ipv4_traffic_ok : 1;
+ unsigned int ipv6_traffic_ok : 1;
+ /** @} */
+
 } entry_connection_t;
/** Subtype of connection_t for an "directory connection" -- that is, an HTTP
@@ -3044,6 +3060,8 @@ typedef struct port_cfg_t {
 unsigned int all_addrs : 1;
 unsigned int ipv4_only : 1;
 unsigned int ipv6_only : 1;
+ unsigned int ipv4_traffic : 1;
+ unsigned int ipv6_traffic : 1;
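Review bot: The doc comments on `ipv4_traffic_ok`/`ipv6_traffic_ok` in entry_connection_t, and on `socks_ipv4_traffic`/`socks_ipv6_traffic` in the listener_connection_t hunk above, read as if the restriction is in force, while the commit message says nothing consults these bits yet; a reader of or.h alone will assume a `NoIPv6Traffic` port cannot carry IPv6. Add one line to each comment, e.g. `* Not yet enforced: nothing checks these bits when a request is handled.`, and remove it when enforcement lands. The listener comment's "addresses from our exit nodes" is also vaguer than the entry-connection one; if both mean whether a client on this port may ask for IPv4/IPv6 destinations, say so in the same words in both places.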
/* Unix sockets only: */
 /** Path for an AF_UNIX address */