From 6b70d3e911b55ecaec0cd9c034e1b3d786a0b772 Mon Sep 17 00:00:00 2001
From: Pierre Bourdon
Date: Wed, 25 Aug 2021 06:03:41 +0200
Subject: nixos/tor: allow AF_NETLINK address family

Tor attempts to detect what external IP address a machine is using by listing addresses on all network interfaces on the system. This listing is done using getifaddrs(3), which relies on netlink in order to get IPv6 address information. This change fixes Tor not finding the relay's IPv6 address unless explicitly configured via either an ORPort directive or via DNS resolution of the machine hostname.
---
 nixos/modules/services/security/tor.nix | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
(limited to 'nixos/modules/services/security/tor.nix')

diff --git a/nixos/modules/services/security/tor.nix b/nixos/modules/services/security/tor.nix
index 9e8f18e93c8..1e1f443905d 100644
--- a/nixos/modules/services/security/tor.nix
+++ b/nixos/modules/services/security/tor.nix
@@ -1022,7 +1022,7 @@ in
 ProtectKernelTunables = true;
 ProtectSystem = "strict";
 RemoveIPC = true;
- RestrictAddressFamilies = [ "AF_UNIX" "AF_INET" "AF_INET6" ];
+ RestrictAddressFamilies = [ "AF_UNIX" "AF_INET" "AF_INET6" "AF_NETLINK" ];
 RestrictNamespaces = true;
 RestrictRealtime = true;
 RestrictSUIDSGID = true;
-- cgit 1.4.1
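Review bot: Adding `"AF_NETLINK"` to `RestrictAddressFamilies` opens every netlink protocol to the sandboxed tor process, not just the NETLINK_ROUTE queries that getifaddrs(3) issues, because systemd filters socket(2) on the address family only and cannot narrow it to one netlink protocol. That is a reasonable trade for working IPv6 address detection, but the reason belongs next to the setting so a later hardening pass does not remove it again; I would add above the changed line `# AF_NETLINK: getifaddrs(3) needs NETLINK_ROUTE to enumerate IPv6 addresses;` and `# RestrictAddressFamilies cannot be narrowed to a single netlink protocol.` Whether this unit also carries a `SystemCallFilter` or `CapabilityBoundingSet` that bounds what a netlink socket can do is not visible here, so it is worth confirming in the surrounding `serviceConfig`, which begins and ends outside this hunk.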