remove the tor_dedicatedExitIP feature

this feature was rarely used and gets messy
with the new increased limit of relays per IPv4.

this commit introduces support for setting OutboundBindAddressExit via
the `tor_config` variable

.kitchen.yml

@@ -118,47 +118,3 @@ suites:
       - ["private_network", {ip: "198.51.100.10"}]
     provisioner:
       playbook: "test/integration/default/2publicIPs-exit-node.yml"
-  - name: t-exit-6publicIPs-dedicatedExitIP-2instPerIP
-    driver:
-      network:
-      - ["private_network", {ip: "192.0.2.10"}]
-      - ["private_network", {ip: "198.51.100.10"}]
-      - ["private_network", {ip: "198.51.100.11"}]
-      - ["private_network", {ip: "198.51.100.12"}]
-      - ["private_network", {ip: "198.51.100.13"}]
-      - ["private_network", {ip: "198.51.100.14"}]
-    provisioner:
-      playbook: "test/integration/default/6publicIPs-dedicatedExitIP-2instPerIP-exit-node.yml"
-  - name: t-exit-dirport0-6IPs-dedicatedExitIP-2PerIP
-    driver:
-      network:
-      - ["private_network", {ip: "192.0.2.10"}]
-      - ["private_network", {ip: "198.51.100.10"}]
-      - ["private_network", {ip: "198.51.100.11"}]
-      - ["private_network", {ip: "198.51.100.12"}]
-      - ["private_network", {ip: "198.51.100.13"}]
-      - ["private_network", {ip: "198.51.100.14"}]
-    provisioner:
-      playbook: "test/integration/default/dirport0-6publicIPs-dedicatedExitIP-2instPerIP-exit-node.yml"
-  - name: t-exit-6publicIPs-dedicatedExitIP-singleInstPerIP
-    driver:
-      network:
-      - ["private_network", {ip: "192.0.2.10"}]
-      - ["private_network", {ip: "198.51.100.10"}]
-      - ["private_network", {ip: "198.51.100.11"}]
-      - ["private_network", {ip: "198.51.100.12"}]
-      - ["private_network", {ip: "198.51.100.13"}]
-      - ["private_network", {ip: "198.51.100.14"}]
-    provisioner:
-      playbook: "test/integration/default/6publicIPs-dedicatedExitIP-singleInstPerIP-exit-node.yml"
-  - name: t-exit4-6publicIPs-dedicatedExitIP
-    driver:
-      network:
-      - ["private_network", {ip: "192.0.2.10"}]
-      - ["private_network", {ip: "198.51.100.10"}]
-      - ["private_network", {ip: "198.51.100.11"}]
-      - ["private_network", {ip: "198.51.100.12"}]
-      - ["private_network", {ip: "198.51.100.13"}]
-      - ["private_network", {ip: "198.51.100.14"}]
-    provisioner:
-      playbook: "test/integration/default/6publicIPs-dedicatedExitIP-exit4-node.yml"

README.md

@@ -127,7 +127,7 @@ All variables mentioned here are optional.
 * `tor_config` dictionary
     - this dictionary contains torrc settings and their value, for available options see the 'SERVER OPTIONS' section in tor's manual.
     - each setting can only be set once (regardless what tor's manpage says)
-    - this dictionary can be used to set any torrc option but NOT the following: `OfflineMasterKey`, `RunAsDaemon`, `Log`, `SocksPort`, `OutboundBindAddress`, `User`, `DataDirectory`, `ORPort`, `OutboundBindAddress`, `OutboundBindAddressExit`, `DirPort`, `SyslogIdentityTag`, `PidFile`, `MetricsPort`, `MetricsPortPolicy`, `ControlSocket`, `CookieAuthentication`, `Nickname`, `ExitRelay`, `IPv6Exit`, `ExitPolicy`, `RelayBandwidthRate`, `RelayBandwidthBurst`, `SigningKeyLifetime`
+    - this dictionary can be used to set any torrc option but NOT the following: `OfflineMasterKey`, `RunAsDaemon`, `Log`, `SocksPort`, `OutboundBindAddress`, `User`, `DataDirectory`, `ORPort`, `OutboundBindAddress`, `DirPort`, `SyslogIdentityTag`, `PidFile`, `MetricsPort`, `MetricsPortPolicy`, `ControlSocket`, `CookieAuthentication`, `Nickname`, `ExitRelay`, `IPv6Exit`, `ExitPolicy`, `RelayBandwidthRate`, `RelayBandwidthBurst`, `SigningKeyLifetime`
 
 * `tor_ports`
     - This var allows you to
@@ -263,16 +263,6 @@ All variables mentioned here are optional.
     - only relevant if `tor_ExitRelay` and `tor_IPv6` are True and we have an IPv6 address
     - default: True (unlike tor's default)
 
-* `tor_dedicatedExitIP` boolean
-    - on exit relays only: use a distinct source IP address for traffic leaving the tor network (exit traffic)
-    - this means tor will establish outbound exit connections on a separate IP(v4/v6) address (different from the IP announced in the consensus)
-    - automatically configures the [OutboundBindAddressExit](https://www.torproject.org/docs/tor-manual.html.en#OutboundBindAddressExit) tor feature (does not require you to manually specify the IP address to use)
-    - we will use the public IPv4/IPv6 address(es) available directly after the IP addresses we use for tor ORPorts for `OutboundBindAddressExit`
-    - to make use of this feature you need more public IPv4 or IPv6 addresses than `tor_maxPublicIPs`
-    - if this condition is not met we will abort
-    - manually specifying the IP address used by `OutboundBindAddressExit` is not supported
-    - default: False
-
 * `tor_enableMetricsPort` boolean
     - if True enable tor's MetricsPort on the localhost IP address 127.0.0.1 and allow the same IP to access it (MetricsPortPolicy)
     - this is a relayor beta feature and will change in the future to use the safer [unix socket](https://gitlab.torproject.org/tpo/core/tor/-/issues/40192) option once that becomes available

defaults/main.yml

@@ -93,9 +93,6 @@ tor_v6ips: "{{ tor_available_public_ipv6s[0:tor_ipv4_count|int] }}"
 
 tor_apt_update_cache: yes
 
-# This var enables autoconfiguration for OutboundBindAddressExit
-tor_dedicatedExitIP: False
-
 tor_RunAsDaemon: 1
 
 tor_enableControlSocket: False

tasks/main.yml

@@ -39,18 +39,6 @@
   tags:
     - always
 
-- name: Ensure preconditions for tor_dedicatedExitIP are met (enough public IP addresses on the system)
-  assert:
-    that:
-      - "tor_available_public_ipv4s | length >= tor_maxPublicIPs*2 or tor_available_public_ipv6s | length >= tor_maxPublicIPs*2"
-      - tor_ExitRelay
-      - tor_IPv6Exit
-      - tor_IPv6
-    msg: "You have to few public IPv4 and IPv6 addresses for the tor_dedicatedExitIP feature (or you did not enable exiting)"
-  when: tor_dedicatedExitIP
-  tags:
-    - always
-
 - name: >
         Abort if we use a centralized/common DNS resolver (Google, Quad9, CloudFlare, OpenDNS, Level3).
         See https://torproject.org/relay-guide#DNSonExitRelays (Exits only)

templates/torrc

@@ -57,45 +57,14 @@ ContactInfo {{ tor_ContactInfo }}
 ExitRelay 1
 {% if item.0.ipv6 != "" and item.0.ipv6 != "False" and tor_IPv6 == True and tor_IPv6Exit == True %}
 IPv6Exit 1
-{% if tor_dedicatedExitIP != True %}
 {% if item.1.dirport != 0 %}
 DirPort [{{ item.0.ipv6 }}]:{{ item.1.dirport }} NoAdvertise
 {% endif %}
 {% endif %}
-{% endif %}
 {% if tor_ExitNoticePage == True and tor_config.DirPortFrontPage is not defined %}
 DirPortFrontPage {{ tor_ConfDir }}/tor-exit-notice.html
 {% endif %}
 
-{% if tor_dedicatedExitIP == True and tor_ExitRelay == True %}
-{% if tor_available_public_ipv4s|length >= tor_maxPublicIPs*2 %}
-{% if tor_ports|length == 2 %}
-OutboundBindAddressExit {{ tor_available_public_ipv4s[(loop_idx/2)|round(0,'floor')|int + tor_maxPublicIPs]}}
-{% if item.1.dirport != 0 %}
-DirPort {{ tor_available_public_ipv4s[(loop_idx/2)|round(0,'floor')|int + tor_maxPublicIPs]}}:{{ item.1.dirport }} NoAdvertise
-{% endif %}
-{% elif tor_ports|length == 1 %}
-OutboundBindAddressExit {{ tor_available_public_ipv4s[loop_idx + tor_maxPublicIPs]}}
-{% if item.1.dirport != 0 %}
-DirPort {{ tor_available_public_ipv4s[loop_idx + tor_maxPublicIPs]}}:{{ item.1.dirport }} NoAdvertise
-{% endif %}
-{% endif %}
-{% endif %}
-{% if tor_available_public_ipv6s|length >= tor_maxPublicIPs*2 and tor_IPv6 == True and tor_IPv6Exit == True %}
-{% if tor_ports|length == 2 %}
-OutboundBindAddressExit [{{ tor_available_public_ipv6s[(loop_idx/2)|round(0,'floor')|int + tor_maxPublicIPs]}}]
-{% if item.1.dirport != 0 %}
-DirPort [{{ tor_available_public_ipv6s[(loop_idx/2)|round(0,'floor')|int + tor_maxPublicIPs]}}]:{{ item.1.dirport }} NoAdvertise
-{% endif %}
-{% elif tor_ports|length == 1 %}
-OutboundBindAddressExit [{{ tor_available_public_ipv6s[loop_idx + tor_maxPublicIPs]}}]
-{% if item.1.dirport != 0 %}
-DirPort [{{ tor_available_public_ipv6s[loop_idx + tor_maxPublicIPs]}}]:{{ item.1.dirport }} NoAdvertise
-{% endif %}
-{% endif %}
-{% endif %}
-{% endif %}
-
 {% if tor_ExitPolicy_file is defined and (lookup('csvfile', inventory_hostname~'-'~item.0.ipv4~'_'~item.1.orport~' file='~tor_ExitPolicy_file~' delimiter=;') != [])  %}
 ExitPolicy {{ lookup('csvfile', inventory_hostname~'-'~item.0.ipv4~'_'~item.1.orport~' file='~tor_ExitPolicy_file~' delimiter=;') }}
 {% else %}
@@ -127,7 +96,7 @@ NoExec 1
 {% endif %}
 
 {% for config_item, value in tor_config.items() | sort() %}
-{% if config_item not in ["ContactInfo","OfflineMasterKey","RunAsDaemon","Log","SocksPort","OutboundBindAddress","User","DataDirectory","ORPort","OutboundBindAddress","OutboundBindAddressExit","DirPort","SyslogIdentityTag","PidFile","MetricsPort","MetricsPortPolicy","ControlSocket","CookieAuthentication","Nickname","ExitRelay","IPv6Exit","ExitPolicy","RelayBandwidthRate","RelayBandwidthBurst","SigningKeyLifetime"] %}
+{% if config_item not in ["ContactInfo","OfflineMasterKey","RunAsDaemon","Log","SocksPort","OutboundBindAddress","User","DataDirectory","ORPort","OutboundBindAddress","DirPort","SyslogIdentityTag","PidFile","MetricsPort","MetricsPortPolicy","ControlSocket","CookieAuthentication","Nickname","ExitRelay","IPv6Exit","ExitPolicy","RelayBandwidthRate","RelayBandwidthBurst","SigningKeyLifetime"] %}
 {{ config_item }} {{ value }}
 {% endif %}
 {% endfor %}