Commit 5e555243 authored by intrigeri's avatar intrigeri

Revert "Support exempting some users from torification measures."

This reverts commit 6bc54f03.

This stuff is not ready for the shared repo, but we want to take benefit from me
having already merged immerda's stuff into my branch and solved the conflicts.
parent 88fa544a
......@@ -88,11 +88,8 @@ When no destination is provided traffic directed to RFC1918 addresses
is by default allowed and (obviously) not torified. This behaviour can
be changed by setting the allow_rfc1918 parameter to false.
Torify any outgoing TCP traffic but
- connections to RFC1918 addresses
- connections from users bob and alice:
Torify any outgoing TCP traffic but connections to RFC1918 addresses:
$non_torified_users = [ 'bob', 'alice' ]
shorewall::rules::torify {
'torify-everything-but-lan':
}
......
......@@ -33,10 +33,6 @@ class shorewall(
default => $dist_tor_user,
}
}
case $non_torified_users {
'': { $non_torified_users = [] }
}
$real_non_torified_users = uniq_flatten([ $tor_user, $non_torified_users ])
# See http://www.shorewall.net/3.0/Documentation.htm#Zones
shorewall::managed_file{ zones: }
......
......@@ -18,8 +18,6 @@ define shorewall::rules::torify(
$allow_rfc1918 = true
){
include shorewall::rules::torify::non_torified_users
$originaldest = join($destinations,',')
shorewall::rules::torify::user {
......
class shorewall::rules::torify::allow_tor_user {
$whitelist_rule = "allow-from-tor-user"
if !defined(Shorewall::Rule["$whitelist_rule"]) {
shorewall::rule {
"$whitelist_rule":
source => '$FW',
destination => 'all',
user => $shorewall::tor_user,
order => 101,
action => 'ACCEPT';
}
}
}
define shorewall::rules::torify::non_torified_user() {
$user = $name
$whitelist_rule = "allow-from-user=${user}"
shorewall::rule {
"$whitelist_rule":
source => '$FW',
destination => 'all',
user => $user,
order => 101,
action => 'ACCEPT';
}
$nonat_rule = "dont-redirect-to-tor-user=${user}"
shorewall::rule {
"$nonat_rule":
source => '$FW',
destination => '-',
user => $user,
order => 106,
action => 'NONAT';
}
}
class shorewall::rules::torify::non_torified_users {
$real_non_torified_users = $shorewall::real_non_torified_users
shorewall::rules::torify::non_torified_user {
$real_non_torified_users:
}
}
......@@ -14,6 +14,11 @@ define shorewall::rules::torify::redirect_tcp_to_tor(
default => $originaldest,
}
$user_real = $user ? {
'-' => "!${shorewall::tor_user}",
default => $user,
}
$destzone = $shorewall::tor_transparent_proxy_host ? {
'127.0.0.1' => '$FW',
default => 'net'
......@@ -25,7 +30,7 @@ define shorewall::rules::torify::redirect_tcp_to_tor(
destination => "${destzone}:${shorewall::tor_transparent_proxy_host}:${shorewall::tor_transparent_proxy_port}",
proto => 'tcp:syn',
originaldest => $originaldest_real,
user => $user,
user => $user_real,
order => 110,
action => 'DNAT';
}
......
......@@ -7,6 +7,10 @@ define shorewall::rules::torify::user(
include shorewall::rules::torify::allow_tor_transparent_proxy
if $originaldest == '-' and $user == '-' {
include shorewall::rules::torify::allow_tor_user
}
shorewall::rules::torify::redirect_tcp_to_tor {
"redirect-to-tor-user=${user}-to=${originaldest}":
user => $user,
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment