[tor-bugs] #17975 [Core Tor/Tor]: Introduce OutboundExitAddress to enable exit-only traffic to go via a different IP address

Tor Bug Tracker & Wiki blackhole at torproject.org
Mon Nov 7 12:27:32 UTC 2016


#17975: Introduce OutboundExitAddress to enable exit-only traffic to go via a
different IP address
-------------------------------------------------+-------------------------
 Reporter:  naif                                 |          Owner:
     Type:  enhancement                          |         Status:
                                                 |  needs_revision
 Priority:  Low                                  |      Milestone:  Tor:
                                                 |  0.3.0.x-final
Component:  Core Tor/Tor                         |        Version:
 Severity:  Normal                               |     Resolution:
 Keywords:  lorax, yawning, isaremoved, review-  |  Actual Points:
  group-11                                       |
Parent ID:                                       |         Points:  1
 Reviewer:                                       |        Sponsor:
-------------------------------------------------+-------------------------

Comment (by michaelsonntag):

 * parse_outbound_address is complicated, because it is complex. All cases
 are different. There is the (old) general option affecting both OR and
 exit traffic, as well as the separation between IPv4 and IPv6 and the
 random sequence any of these options may appear. Therefore I don't think
 factoring out is really going to be useful (e.g. checking for no duplicate
 settings and providing helpful error messages while checking for one/two
 conflicting options). The "adr_found" array could be changed to a two-
 dimensional array with constants as index (OR, EXIT; IPv4, IPv6) - this
 would make extending it easier.

 * conn_get_outbound_address falls back to the exit address if OR is null,
 because the user explicitly specified something, so this should be honored
 (better something than nothing). But it can also be left to the default
 address.

 * Other outbound connection types: the following seem to exist:
 #define CONN_TYPE_OR_LISTENER 3
 #define CONN_TYPE_OR 4
 These are relay connections, so should not be sent over the "exit"
 interface

 #define CONN_TYPE_EXIT 5
 Actual exit connection, should use the "exit" interface

 #define CONN_TYPE_AP_LISTENER 6
 #define CONN_TYPE_AP 7
 Socks proxy connections. This is "input" and should therefore not use the
 "exit" interface.

 #define CONN_TYPE_DIR_LISTENER 8
 #define CONN_TYPE_DIR 9
 Directory server, i.e. internal communication going into this or another
 node. It should not use the "exit" interface.

 #define CONN_TYPE_CONTROL_LISTENER 11
 #define CONN_TYPE_CONTROL 12
 Connection to a user interface - should be locally only and is definitely
 not "exit" traffic.

 #define CONN_TYPE_AP_TRANS_LISTENER 13
 #define CONN_TYPE_AP_NATD_LISTENER 14
 Traffic redirected into tor, i.e. incoming connections, so it should not
 use the "exit" interface.

 #define CONN_TYPE_AP_DNS_LISTENER 15
 Listen for DNS requests from clients; like SOCKS so no exit traffic.

 #define CONN_TYPE_EXT_OR 16
 #define CONN_TYPE_EXT_OR_LISTENER 17
 Relay connections, should not be sent over the "exit" interface


 * DNS request nameservers seem to be configured in or/dns.c:1355
 (configure_nameservers). However, in my configuration I could not find any
 position where HAVE_EVDNS_SET_DEFAULT_OUTGOING_BIND_ADDRESS is set/defined
 (remnant of old library?). Generally: DNS requests are problematic. The
 local host or some internal server might be used for DNS resolving. Then
 another option for configuring DNS would be necessary, as these may not be
 reachable from the "exit" interface.

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/17975#comment:13>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
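The parser and lookup the comment above describes, written out as an added example. This is not code from the ticket, from the patch under review or from Tor's source tree: the option names OutboundBindAddress / OutboundBindAddressOR / OutboundBindAddressExit, the function signatures, the two-dimensional slot table indexed by (OR, EXIT) x (IPv4, IPv6) and the torrc fragment are all assumptions made for illustration. It follows the comment's proposal literally: duplicate or conflicting settings are rejected with a message, only CONN_TYPE_EXIT uses the exit address, and an OR lookup falls back to the exit address when no OR address was configured.

```c
/* Added example, not code from the ticket or from Tor's source tree.
 * Models the two pieces discussed in the comment above:
 *  - a parse_outbound_address()-style parser that records which
 *    (kind, family) slot each option fills in a two-dimensional table
 *    and rejects duplicate or conflicting settings, and
 *  - a conn_get_outbound_address()-style lookup that routes only
 *    CONN_TYPE_EXIT over the exit address and falls back from OR to
 *    exit when no OR address was given.
 * Option names, signatures and the table layout are assumptions. */
#include <stdio.h>
#include <string.h>
#include <arpa/inet.h>

/* Connection type constants as quoted in the comment. */
#define CONN_TYPE_OR      4
#define CONN_TYPE_EXIT    5
#define CONN_TYPE_AP      7
#define CONN_TYPE_DIR     9
#define CONN_TYPE_CONTROL 12
#define CONN_TYPE_EXT_OR  16

/* Indexes into the two-dimensional table suggested in the comment. */
enum { KIND_OR = 0, KIND_EXIT = 1, N_KINDS = 2 };
enum { FAM_V4 = 0, FAM_V6 = 1, N_FAMS = 2 };

typedef struct {
  int set;                       /* 1 once an option filled this slot */
  char addr[INET6_ADDRSTRLEN];   /* textual address, valid when set */
} bind_slot_t;

typedef struct {
  bind_slot_t slot[N_KINDS][N_FAMS];   /* [OR|EXIT][IPv4|IPv6] */
} outbound_cfg_t;

/* Family of a literal address, or -1 if it is neither IPv4 nor IPv6. */
static int family_of(const char *s) {
  unsigned char buf[16];
  if (inet_pton(AF_INET, s, buf) == 1)  return FAM_V4;
  if (inet_pton(AF_INET6, s, buf) == 1) return FAM_V6;
  return -1;
}

/* Handle one "<key> <value>" torrc line. The generic option fills both the
 * OR and the exit slot of the value's family; the specific options fill one.
 * Every slot the line would touch is checked before any is written, so a
 * rejected line leaves the table untouched. Returns 0, or -1 with *err set. */
static int parse_outbound_address(outbound_cfg_t *cfg, const char *key,
                                  const char *value, const char **err) {
  int kinds[N_KINDS], nkinds = 0, fam, i;
  if (!strcmp(key, "OutboundBindAddress")) {            /* assumed generic name */
    kinds[nkinds++] = KIND_OR; kinds[nkinds++] = KIND_EXIT;
  } else if (!strcmp(key, "OutboundBindAddressOR")) {   /* assumed OR-only name */
    kinds[nkinds++] = KIND_OR;
  } else if (!strcmp(key, "OutboundBindAddressExit")) { /* assumed exit-only name */
    kinds[nkinds++] = KIND_EXIT;
  } else {
    *err = "unknown outbound address option"; return -1;
  }
  fam = family_of(value);
  if (fam < 0) { *err = "value is not an IPv4 or IPv6 address"; return -1; }
  for (i = 0; i < nkinds; i++)
    if (cfg->slot[kinds[i]][fam].set) {
      *err = (nkinds == 2)
        ? "generic option conflicts with an OR/Exit-specific one for this family"
        : "duplicate address for this connection kind and family";
      return -1;
    }
  for (i = 0; i < nkinds; i++) {
    cfg->slot[kinds[i]][fam].set = 1;
    snprintf(cfg->slot[kinds[i]][fam].addr, INET6_ADDRSTRLEN, "%s", value);
  }
  return 0;
}

/* Address to bind for an outbound connection of this type and family.
 * Only CONN_TYPE_EXIT is exit traffic; OR, EXT_OR, DIR, AP, CONTROL and the
 * listeners are relay/internal/incoming and use the OR slot. An OR lookup
 * falls back to the exit address when no OR address exists, as the comment
 * proposes; NULL means "use the default address". */
static const char *conn_get_outbound_address(const outbound_cfg_t *cfg,
                                             int conn_type, int fam) {
  int kind = (conn_type == CONN_TYPE_EXIT) ? KIND_EXIT : KIND_OR;
  if (cfg->slot[kind][fam].set) return cfg->slot[kind][fam].addr;
  if (kind == KIND_OR && cfg->slot[KIND_EXIT][fam].set)
    return cfg->slot[KIND_EXIT][fam].addr;
  return NULL;
}

int main(void) {
  /* Constructed torrc fragment: separate OR/exit IPv4 addresses, exit-only IPv6. */
  static const char *lines[][2] = {
    { "OutboundBindAddressOR",   "192.0.2.10" },
    { "OutboundBindAddressExit", "198.51.100.20" },
    { "OutboundBindAddressExit", "2001:db8::20" },
    { "OutboundBindAddress",     "192.0.2.99" },   /* conflicts: rejected */
  };
  outbound_cfg_t cfg; const char *err = NULL; size_t i;
  memset(&cfg, 0, sizeof cfg);
  for (i = 0; i < sizeof lines / sizeof lines[0]; i++)
    if (parse_outbound_address(&cfg, lines[i][0], lines[i][1], &err) < 0)
      printf("rejected '%s %s': %s\n", lines[i][0], lines[i][1], err);
  printf("EXIT v4 -> %s\n", conn_get_outbound_address(&cfg, CONN_TYPE_EXIT, FAM_V4));
  printf("DIR  v4 -> %s\n", conn_get_outbound_address(&cfg, CONN_TYPE_DIR, FAM_V4));
  printf("OR   v6 -> %s (fallback to exit)\n",
         conn_get_outbound_address(&cfg, CONN_TYPE_OR, FAM_V6));
  return 0;
}
```

The check-all-then-write order in the parser is what keeps the generic option from half-applying: if OutboundBindAddress would collide with an already-set OR slot, the exit slot for that family is not touched either, so the error message describes the whole line that was rejected. The lookup deliberately has no exit-to-OR fallback; the comment only argues for honouring an explicitly configured exit address when no OR address exists, and leaves the reverse case to the default address.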
