Fix IPv6 filter workaround #195

Closed
wants to merge 2 commits into from
13 changes: 4 additions & 9 deletions defaults/main.yml
@@ -75,22 +75,17 @@ tor_distribution_release: "{{ ansible_lsb.codename }}"

# filter potentially malicious input from relay-provided IPv4/v6 addresses
# https://docs.ansible.com/ansible/playbooks_filters_ipaddr.html
tor_available_public_ipv4s: "{{ ansible_all_ipv4_addresses| ipv4('address') | ipv4('public') }}"
tor_available_public_ipv4s: "{{ ansible_all_ipv4_addresses | ipv4('address') | ipv4('public') }}"
tor_v4ips: "{{ tor_available_public_ipv4s[0:tor_maxPublicIPs] }}"
tor_ipv4_count: "{{ tor_v4ips | length|int }}"
tor_ipv4_count: "{{ tor_v4ips | length }}"

# we can not use more IPv6 IPs than we have IPv4 IPs so we truncate (but fewer is ok)
tor_available_public_ipv6s: "{{ ansible_all_ipv6_addresses|ipv6('public')|ipv6('address') }}"

tor_available_public_ipv6s: "{{ ansible_all_ipv6_addresses | ipv6('address') | ipv6('public') | ipwrap }}"
tor_v6ips: "{{ tor_available_public_ipv6s[0:tor_ipv4_count|int] | ipwrap }}"

# This var enables autoconfiguration for OutboundBindAddressExit
tor_dedicatedExitIP: False

# the following line is commented out and handled in ip-list.yml until
# https://github.com/ansible/ansible/issues/14829
# gets fixed
#tor_v6ips: "{{ tor_v6tmp[0:tor_ipv4_count|int]|ipv6('address') }}"

tor_RunAsDaemon: 1

# we do not support non-zero SocksPorts
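Review bot: The new `tor_v6ips` slice, and the torrc conditions that drop the `!= "False"` test, assume `ipv6()` always returns a list, but the workaround deleted from tasks/ip-list.yml existed because the filter returned `False` for hosts without a matching address (ansible issue 14829, per the removed comments). Nothing visible in this section pins a minimum Ansible version, so on an affected release a host without public IPv6 could fail on the slice or on `|length`, or carry a non-address value towards torrc. Coercing in place keeps the default safe on old and new versions alike: `tor_available_public_ipv6s: "{{ ansible_all_ipv6_addresses | ipv6('address') | ipv6('public') | default([], true) | ipwrap }}"`. The second `| ipwrap` on `tor_v6ips` looks redundant, since the list it slices is already wrapped.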
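--- a/tasks/ip-list.yml
+++ b/tasks/ip-list.yml
@@ -4,23 +4,6 @@
 include_vars: private_IPv4_only.yml
 when: tor_v4ips == []
 
-# workaround for this ansible IPv6 filter bug
-# https://github.com/ansible/ansible/issues/14829
-# we simply convert False to empty lists
-- name: workaround for ansible bug 14829 (1/3)
-set_fact:
-tor_available_public_ipv6s: []
-when: tor_available_public_ipv6s == False
-
-- name: workaround for ansible bug 14829 (2/3)
-set_fact:
-tor_v6ips: "{{ tor_available_public_ipv6s[0:tor_ipv4_count|int]|ipv6('address') }}"
-
-- name: workaround for ansible bug 14829 (3/3)
-set_fact:
-tor_v6ips: []
-when: tor_v6ips == False
-
 - name: setup IP list (1/2)
 set_fact:
 ips: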
19 changes: 10 additions & 9 deletions templates/torrc
@@ -9,9 +9,9 @@ SocksPort {{ tor_SocksPort }}
User _tor-{{ item.0.ipv4 }}_{{ item.1.orport }}
DataDirectory {{ tor_DataDir }}/{{ item.0.ipv4 }}_{{ item.1.orport }}
ORPort {{ item.0.ipv4 }}:{{ item.1.orport }}
{% if item.0.ipv6 != "" and item.0.ipv6 != "False" and tor_IPv6 == True %}
ORPort [{{item.0.ipv6}}]:{{item.1.orport}}
OutboundBindAddress [{{item.0.ipv6}}]
{% if item.0.ipv6 != "" and tor_IPv6 == True %}
ORPort {{ item.0.ipv6 }}:{{ item.1.orport }}
OutboundBindAddress {{ item.0.ipv6 }}
{% endif %}

{% if item.1.dirport != 0 %}
@@ -59,10 +59,10 @@ NoExec {{ tor_NoExec }}
{% if ((tor_ExitRelay == True and tor_ExitRelaySetting_file is not defined) or (tor_ExitRelay == True and tor_ExitRelaySetting_file is defined and (lookup('csvfile', inventory_hostname~'-'~item.0.ipv4~'_'~item.1.orport~' file='~tor_ExitRelaySetting_file~' delimiter=,') == "exit"))) %}
# we are an exit relay!
ExitRelay 1
{% if item.0.ipv6 != "" and item.0.ipv6 != "False" and tor_IPv6 == True and tor_IPv6Exit == True %}
{% if item.0.ipv6 != "" and tor_IPv6 == True and tor_IPv6Exit == True %}
IPv6Exit 1
{% if tor_dedicatedExitIP != True %}
DirPort [{{ item.0.ipv6 }}]:{{ item.1.dirport }} NoAdvertise
DirPort {{ item.0.ipv6 }}:{{ item.1.dirport }} NoAdvertise
{% endif %}
{% endif %}
{% if tor_ExitNoticePage == True and tor_DirPortFrontPage is not defined %}
@@ -81,11 +81,11 @@ DirPort {{ tor_available_public_ipv4s[loop_idx + tor_maxPublicIPs]}}:{{ item.1.d
{% endif %}
{% if tor_available_public_ipv6s|length >= tor_maxPublicIPs*2 and tor_IPv6 == True and tor_IPv6Exit == True %}
{% if tor_ports|length == 2 %}
OutboundBindAddressExit [{{ tor_available_public_ipv6s[(loop_idx/2)|round(0,'floor')|int + tor_maxPublicIPs]}}]
DirPort [{{ tor_available_public_ipv6s[(loop_idx/2)|round(0,'floor')|int + tor_maxPublicIPs]}}]:{{ item.1.dirport }} NoAdvertise
OutboundBindAddressExit {{ tor_available_public_ipv6s[(loop_idx/2)|round(0,'floor')|int + tor_maxPublicIPs] }}
DirPort {{ tor_available_public_ipv6s[(loop_idx/2)|round(0,'floor')|int + tor_maxPublicIPs] }}:{{ item.1.dirport }} NoAdvertise
{% elif tor_ports|length == 1 %}
OutboundBindAddressExit [{{ tor_available_public_ipv6s[loop_idx + tor_maxPublicIPs]}}]
DirPort [{{ tor_available_public_ipv6s[loop_idx + tor_maxPublicIPs]}}]:{{ item.1.dirport }} NoAdvertise
OutboundBindAddressExit {{ tor_available_public_ipv6s[loop_idx + tor_maxPublicIPs] }}
DirPort {{ tor_available_public_ipv6s[loop_idx + tor_maxPublicIPs] }}:{{ item.1.dirport }} NoAdvertise
{% endif %}
{% endif %}
{% endif %}
@@ -96,6 +96,7 @@ ExitPolicy {{entry}}
{% else %}
ExitRelay 0
ExitPolicy reject *:*
ExitPolicy reject6 *:*
{% endif %}

{% if tor_PublishServerDescriptor is defined %}
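Review bot: The IPv6 `ORPort` and `DirPort` lines now print `{{ item.0.ipv6 }}` and `{{ tor_available_public_ipv6s[...] }}` without brackets, so a well-formed `[addr]:port` depends on every value having passed through `ipwrap` elsewhere (defaults/main.yml in this PR). That invariant is not visible from the template; if either variable is overridden in inventory or built by another path with bare addresses, the rendered line becomes an ambiguous unbracketed `addr:port`. I would state the dependency next to the first `{% if item.0.ipv6 != "" and tor_IPv6 == True %}`, for example `{# item.0.ipv6 and tor_available_public_ipv6s must already be bracketed (ipwrap in defaults/main.yml) #}`, or keep the wrapping at the point of use. The hunks at -59 and -81 carry the same dependency.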