Commit e31f901d authored by intrigeri's avatar intrigeri

Merge branch 'feature/torification-exception' into old-master

parents 6c29c55b 6bc54f03
......@@ -88,8 +88,11 @@ When no destination is provided traffic directed to RFC1918 addresses
is by default allowed and (obviously) not torified. This behaviour can
be changed by setting the allow_rfc1918 parameter to false.
Torify any outgoing TCP traffic but connections to RFC1918 addresses:
Torify any outgoing TCP traffic but
- connections to RFC1918 addresses
- connections from users bob and alice:
$non_torified_users = [ 'bob', 'alice' ]
shorewall::rules::torify {
'torify-everything-but-lan':
}
......
......@@ -33,6 +33,10 @@ class shorewall(
default => $dist_tor_user,
}
}
case $non_torified_users {
'': { $non_torified_users = [] }
}
$real_non_torified_users = uniq_flatten([ $tor_user, $non_torified_users ])
# See http://www.shorewall.net/3.0/Documentation.htm#Zones
shorewall::managed_file{ zones: }
......
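Review bot: Nothing in the `case $non_torified_users` / `uniq_flatten` lines checks that each entry is a plain local user name before it is interpolated into the `user` column of a shorewall rule by `shorewall::rules::torify::non_torified_user`, so a malformed entry changes the meaning of that column instead of failing at catalog compile time; the check belongs here where the list is normalised. The reassignment of the class parameter `$non_torified_users` inside the `case` is also worth a second look: if the targeted Puppet release rejects reassignment in the same scope it fails with "Cannot reassign variable", and writing the normalised value to a new name such as `$non_torified_users_real` avoids that. I would document the accepted shape next to the parameter, which is declared outside this hunk: `# $non_torified_users: array of local user names whose outgoing traffic bypasses Tor ('' means none)`.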
......@@ -18,6 +18,8 @@ define shorewall::rules::torify(
$allow_rfc1918 = true
){
include shorewall::rules::torify::non_torified_users
$originaldest = join($destinations,',')
shorewall::rules::torify::user {
......
class shorewall::rules::torify::allow_tor_user {
$whitelist_rule = "allow-from-tor-user"
if !defined(Shorewall::Rule["$whitelist_rule"]) {
shorewall::rule {
"$whitelist_rule":
source => '$FW',
destination => 'all',
user => $shorewall::tor_user,
order => 101,
action => 'ACCEPT';
}
}
}
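Review bot: This class appears to be redundant after this merge: class `shorewall` builds `$real_non_torified_users` from `$tor_user` plus the configured list (assuming `uniq_flatten` returns its flattened unique contents), and `shorewall::rules::torify` includes `non_torified_users`, so the catalog already gets an ACCEPT rule at order 101 for the Tor user under the title `allow-from-user=<tor_user>` alongside this one under `allow-from-tor-user`. The duplicate is harmless for shorewall, but the `if !defined(Shorewall::Rule[...])` guard is parse-order dependent and only sees the rule under its own title, so it gives a false sense of deduplication. Either drop this class in favour of the per-user define, or state why both exist: `# Redundant with non_torified_user when non_torified_users is included; kept for callers that reach user without torify`. Stylistically the quoted variable in `"$whitelist_rule":` and in the `defined()` lookup can be unquoted, and the `'$FW'` literal deserves a comment that the single quotes are deliberate (shorewall's firewall zone name, not a Puppet variable).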
define shorewall::rules::torify::non_torified_user() {
$user = $name
$whitelist_rule = "allow-from-user=${user}"
shorewall::rule {
"$whitelist_rule":
source => '$FW',
destination => 'all',
user => $user,
order => 101,
action => 'ACCEPT';
}
$nonat_rule = "dont-redirect-to-tor-user=${user}"
shorewall::rule {
"$nonat_rule":
source => '$FW',
destination => '-',
user => $user,
order => 106,
action => 'NONAT';
}
}
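Review bot: `$user` is taken from `$name` and interpolated straight into both rules, where it becomes shorewall's USER/GROUP column; a value containing `:` or `!` is read by shorewall as a user:group pair or a negation rather than rejected, so a typo in `$non_torified_users` silently widens the exemption instead of failing. Since the title is the only input, validate it at the top of the define: `if $user !~ /^[a-z_][a-z0-9_-]*$/ { fail("shorewall::rules::torify::non_torified_user: invalid user name '${user}'") }`. The two orders are also unexplained; I would add `# 101/106 must sort before the order-110 DNAT in redirect_tcp_to_tor, or the user is redirected before being exempted` above the first rule, and note on the ACCEPT rule that `destination => 'all'` exempts every protocol, not only the TCP traffic torify redirects.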
class shorewall::rules::torify::non_torified_users {
$real_non_torified_users = $shorewall::real_non_torified_users
shorewall::rules::torify::non_torified_user {
$real_non_torified_users:
}
}
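Review bot: The fully qualified lookup `$shorewall::real_non_torified_users` only yields the list if class `shorewall` has already been evaluated when this class is; otherwise the lookup is empty (with at most a warning), the resource declaration below creates no rules, and the exemption, including the one that keeps the Tor user's own traffic out of the redirect, silently disappears from the ruleset. I would make the dependency explicit rather than rely on include order, and document it: `# Requires class shorewall to be evaluated first; an empty lookup here means no exemption rules at all`.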
......@@ -14,11 +14,6 @@ define shorewall::rules::torify::redirect_tcp_to_tor(
default => $originaldest,
}
$user_real = $user ? {
'-' => "!${shorewall::tor_user}",
default => $user,
}
$destzone = $shorewall::tor_transparent_proxy_host ? {
'127.0.0.1' => '$FW',
default => 'net'
......@@ -30,7 +25,7 @@ define shorewall::rules::torify::redirect_tcp_to_tor(
destination => "${destzone}:${shorewall::tor_transparent_proxy_host}:${shorewall::tor_transparent_proxy_port}",
proto => 'tcp:syn',
originaldest => $originaldest_real,
user => $user_real,
user => $user,
order => 110,
action => 'DNAT';
}
......
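Review bot: With the `$user_real` selector removed in the first hunk, the order-110 DNAT rule no longer negates `$shorewall::tor_user` when `$user` is `-`, so keeping Tor's own outgoing connections from being redirected back into the transparent proxy now rests entirely on the order-106 NONAT rule created by `shorewall::rules::torify::non_torified_user`. That holds as long as every path into this define also includes `shorewall::rules::torify::non_torified_users` (today via `shorewall::rules::torify`), but the define no longer states the assumption anywhere; I would put it above the rule: `# Tor's own traffic is excluded by the order-106 NONAT rule from non_torified_user, not by this rule`. The define's header and the remainder of its body are outside these hunks.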
......@@ -7,10 +7,6 @@ define shorewall::rules::torify::user(
include shorewall::rules::torify::allow_tor_transparent_proxy
if $originaldest == '-' and $user == '-' {
include shorewall::rules::torify::allow_tor_user
}
shorewall::rules::torify::redirect_tcp_to_tor {
"redirect-to-tor-user=${user}-to=${originaldest}":
user => $user,
......