new option: OutboundBindAddressLoopback

afcady · Dec 30, 2017 · 4790aa16d04e6fa08962e31cb7333ff594881e67 · 4790aa1
1 parent f5d89fa
commit 4790aa16d04e6fa08962e31cb7333ff594881e67
Showing with 53 additions and 43 deletions.

+8 −0 doc/tor.1.txt

+7 −0 src/or/config.c

+35 −43 src/or/connection.c

+3 −0 src/or/or.h
diff --git a/doc/tor.1.txt b/doc/tor.1.txt
@@ -695,6 +695,14 @@ GENERAL OPTIONS
     This setting will be ignored
     for connections to the loopback addresses (127.0.0.0/8 and ::1).
 
+[[OutboundBindAddressLoopback]] **OutboundBindAddressLoopback** __IP__::
+    Make all connections to loopback addresses (127.0.0.0/8 and ::1) originate
+    from the IP address specified.
+ +
+    (For IPv6, make sure the address is added to the loopback interface on your
+    system; e.g. with `ip addr add ::54:6f72/128 dev lo`. For IPv4, `127.*.*.*`
+    should be on the loopback already. `127.84.111.114` encodes "Tor" in ASCII.)
+
 [[PidFile]] **PidFile** __FILE__::
     On startup, write our PID to FILE. On clean shutdown, remove
     FILE. Can not be changed while tor is running.

diff --git a/src/or/config.c b/src/or/config.c
@@ -434,6 +434,7 @@ static config_var_t option_vars_[] = {
   OBSOLETE("ORListenAddress"),
   VPORT(ORPort),
   V(OutboundBindAddress,         LINELIST,   NULL),
+  V(OutboundBindAddressLoopback, LINELIST,   NULL),
   V(OutboundBindAddressOR,       LINELIST,   NULL),
   V(OutboundBindAddressExit,     LINELIST,   NULL),
 
@@ -8332,6 +8333,12 @@ parse_outbound_addresses(or_options_t *options, int validate_only, char **msg)
     goto err;
   }
 
+  if (parse_outbound_address_lines(options->OutboundBindAddressLoopback,
+                                   OUTBOUND_ADDR_LOOPBACK, options, validate_only,
+                                   msg)  < 0) {
+    goto err;
+  }
+
   if (parse_outbound_address_lines(options->OutboundBindAddressOR,
                                    OUTBOUND_ADDR_OR, options, validate_only,
                                    msg) < 0) {

diff --git a/src/or/connection.c b/src/or/connection.c
@@ -138,7 +138,9 @@ static void connection_send_socks5_connect(connection_t *conn);
 static const char *proxy_type_to_string(int proxy_type);
 static int get_proxy_type(void);
 const tor_addr_t *conn_get_outbound_address(sa_family_t family,
-                  const or_options_t *options, unsigned int conn_type);
+                                            const or_options_t *options,
+                                            unsigned int conn_type,
+                                            int is_loopback);
 
 /** The last addresses that our network interface seemed to have been
  * binding to.  We use this as one way to detect when our IP changes.
@@ -1919,10 +1921,10 @@ connection_connect_log_client_use_ip_version(const connection_t *conn)
  **/
 const tor_addr_t *
 conn_get_outbound_address(sa_family_t family,
-             const or_options_t *options, unsigned int conn_type)
+                          const or_options_t *options,
+                          unsigned int conn_type,
+                          int is_loopback)
 {
-  const tor_addr_t *ext_addr = NULL;
-
   int fam_index;
   switch (family) {
     case AF_INET:
@@ -1935,31 +1937,22 @@ conn_get_outbound_address(sa_family_t family,
       return NULL;
   }
 
-  // If an exit connection, use the exit address (if present)
-  if (conn_type == CONN_TYPE_EXIT) {
-    if (!tor_addr_is_null(
-        &options->OutboundBindAddresses[OUTBOUND_ADDR_EXIT][fam_index])) {
-      ext_addr = &options->OutboundBindAddresses[OUTBOUND_ADDR_EXIT]
-                 [fam_index];
-    } else if (!tor_addr_is_null(
-                 &options->OutboundBindAddresses[OUTBOUND_ADDR_EXIT_AND_OR]
-                 [fam_index])) {
-      ext_addr = &options->OutboundBindAddresses[OUTBOUND_ADDR_EXIT_AND_OR]
-                 [fam_index];
-    }
+  const tor_addr_t *ext_addr = NULL;
+  const tor_addr_t (*addrs)[OUTBOUND_ADDR_MAX][2] = &options->OutboundBindAddresses;
+
+  if (is_loopback) {
+    ext_addr = addrs[OUTBOUND_ADDR_LOOPBACK][fam_index];
+  } else if (conn_type == CONN_TYPE_EXIT) {
+    // If an exit connection, use the exit address (if present)
+    ext_addr = addrs[OUTBOUND_ADDR_EXIT][fam_index];
+    if (tor_addr_is_null(ext_addr))
+      ext_addr = addrs[OUTBOUND_ADDR_EXIT_AND_OR][fam_index];
   } else { // All non-exit connections
-    if (!tor_addr_is_null(
-           &options->OutboundBindAddresses[OUTBOUND_ADDR_OR][fam_index])) {
-      ext_addr = &options->OutboundBindAddresses[OUTBOUND_ADDR_OR]
-                 [fam_index];
-    } else if (!tor_addr_is_null(
-                 &options->OutboundBindAddresses[OUTBOUND_ADDR_EXIT_AND_OR]
-                 [fam_index])) {
-      ext_addr = &options->OutboundBindAddresses[OUTBOUND_ADDR_EXIT_AND_OR]
-                 [fam_index];
-    }
+    ext_addr = addrs[OUTBOUND_ADDR_OR][fam_index];
+    if (tor_addr_is_null(ext_addr))
+      ext_addr = addrs[OUTBOUND_ADDR_EXIT_AND_OR][fam_index];
   }
-  return ext_addr;
+  return tor_addr_is_null(ext_addr) ? NULL : ext_addr;
 }
 
 /** Take conn, make a nonblocking socket; try to connect to
@@ -1988,22 +1981,21 @@ connection_connect(connection_t *conn, const char *address,
    */
   connection_connect_log_client_use_ip_version(conn);
 
-  if (!tor_addr_is_loopback(addr)) {
-    const tor_addr_t *ext_addr = NULL;
-    ext_addr = conn_get_outbound_address(tor_addr_family(addr), get_options(),
-                                         conn->type);
-    if (ext_addr) {
-      memset(&bind_addr_ss, 0, sizeof(bind_addr_ss));
-      bind_addr_len = tor_addr_to_sockaddr(ext_addr, 0,
-                                           (struct sockaddr *) &bind_addr_ss,
-                                           sizeof(bind_addr_ss));
-      if (bind_addr_len == 0) {
-        log_warn(LD_NET,
-                 "Error converting OutboundBindAddress %s into sockaddr. "
-                 "Ignoring.", fmt_and_decorate_addr(ext_addr));
-      } else {
-        bind_addr = (struct sockaddr *)&bind_addr_ss;
-      }
+  const tor_addr_t *ext_addr = NULL;
+  ext_addr = conn_get_outbound_address(tor_addr_family(addr), get_options(),
+                                       conn->type,
+                                       tor_addr_is_loopback(addr));
+  if (ext_addr) {
+    memset(&bind_addr_ss, 0, sizeof(bind_addr_ss));
+    bind_addr_len = tor_addr_to_sockaddr(ext_addr, 0,
+                                          (struct sockaddr *) &bind_addr_ss,
+                                          sizeof(bind_addr_ss));
+    if (bind_addr_len == 0) {
+      log_warn(LD_NET,
+                "Error converting OutboundBindAddress %s into sockaddr. "
+                "Ignoring.", fmt_and_decorate_addr(ext_addr));
+    } else {
+      bind_addr = (struct sockaddr *)&bind_addr_ss;
     }
   }
 

diff --git a/src/or/or.h b/src/or/or.h
@@ -3631,6 +3631,7 @@ typedef struct routerset_t routerset_t;
  * Exit-only, OR-only, or both */
 typedef enum {OUTBOUND_ADDR_EXIT, OUTBOUND_ADDR_OR,
               OUTBOUND_ADDR_EXIT_AND_OR,
+              OUTBOUND_ADDR_LOOPBACK,
               OUTBOUND_ADDR_MAX} outbound_addr_t;
 
 /** Configuration options for a Tor process. */
@@ -3713,6 +3714,8 @@ typedef struct {
   config_line_t *DirPolicy; /**< Lists of dir policy components */
   /** Local address to bind outbound sockets */
   config_line_t *OutboundBindAddress;
+  /** Local address to bind outbound sockets (loopback connections) */
+  config_line_t *OutboundBindAddressLoopback;
   /** Local address to bind outbound relay sockets */
   config_line_t *OutboundBindAddressOR;
   /** Local address to bind outbound exit sockets */