
commit 9de1d14c1c14d79d8d3cfa79ac60ff813e90c8e8
parent 8226148bf191462fca4fad862116ee34aa5bab6d
Author: trinity-1686a <trinity@deuxfleurs.fr>
Date:   Sat, 29 Jul 2023 22:37:18 +0200

add config ReevaluateExitPolicy

Diffstat:
Mdoc/man/tor.1.txt | 10++++++++++
Msrc/app/config/config.c | 1+
Msrc/app/config/or_options_st.h | 2++
Msrc/config/torrc.sample.in | 4++++
Msrc/core/or/connection_edge.c | 4++--
5 files changed, 19 insertions(+), 2 deletions(-)

diff --git a/doc/man/tor.1.txt b/doc/man/tor.1.txt
@@ -2385,6 +2385,16 @@ is non-zero): policy options are set, Tor behaves as if ExitRelay were set to 0. (Default: auto) +[[ReevaluateExitPolicy]] **ReevaluateExitPolicy** **0**|**1**:: + If set, reevaluate the exit policy on existing connections when reloading + configuration. + + + + When the exit policy of an exit node change while reloading configuration, + connections made prior to this change could violate the new policy. By + setting this to 1, Tor will check if such connections exist, and mark them + for termination. + (Default: 0) + [[ExtendAllowPrivateAddresses]] **ExtendAllowPrivateAddresses** **0**|**1**:: When this option is enabled, Tor will connect to relays on localhost, RFC1918 addresses, and so on. In particular, Tor will make direct OR
diff --git a/src/app/config/config.c b/src/app/config/config.c
@@ -637,6 +637,7 @@ static const config_var_t option_vars_[] = {
 V(RephistTrackTime, INTERVAL, "24 hours"),
 V_IMMUTABLE(RunAsDaemon, BOOL, "0"),
 V(ReducedExitPolicy, BOOL, "0"),
+ V(ReevaluateExitPolicy, BOOL, "0"),
 OBSOLETE("RunTesting"), // currently unused
 V_IMMUTABLE(Sandbox, BOOL, "0"),
 V(SafeLogging, STRING, "1"),
diff --git a/src/app/config/or_options_st.h b/src/app/config/or_options_st.h
@@ -141,6 +141,8 @@ struct or_options_t {
 * Includes OutboundBindAddresses and
 * configured ports. */
 int ReducedExitPolicy; /**<Should we use the Reduced Exit Policy? */
+ int ReevaluateExitPolicy; /**<Should we re-evaluate Exit Policy on existing
+ * connections when it changes? */
 struct config_line_t *SocksPolicy; /**< Lists of socks policy components */
 struct config_line_t *DirPolicy; /**< Lists of dir policy components */
 /** Local address to bind outbound sockets */
diff --git a/src/config/torrc.sample.in b/src/config/torrc.sample.in
@@ -225,6 +225,10 @@
 #ExitPolicy accept6 *6:119 # accept nntp ports on IPv6 only as well as default exit policy
 #ExitPolicy reject *:* # no exits allowed
 
+## Uncomment this if you want your exit relay to reevaluate its exit policy on
+## existing connections when the exit policy is modified.
+#ReevaluateExitPolicy 1
+
 ## Bridge relays (or "bridges") are Tor relays that aren't listed in the
 ## main directory. Since there is no complete public list of them, even an
 ## ISP that filters connections to all the known Tor relays probably
diff --git a/src/core/or/connection_edge.c b/src/core/or/connection_edge.c
@@ -4250,8 +4250,7 @@ connection_reapply_exit_policy(config_line_t *changes)
 smartlist_t *policy = NULL;
 int config_change_relevant = 0;
 
- /* TODO if (get_options()->ReevaluateExitPolicy == 1) {*/
- if (false) {
+ if (get_options()->ReevaluateExitPolicy == 0) {
 return;
 }
 
@@ -4262,6 +4261,7 @@ connection_reapply_exit_policy(config_line_t *changes)
 "ExitRelay",
 "ExitPolicy",
 "ReducedExitPolicy",
+ "ReevaluateExitPolicy",
 "IPv6Exit",
 NULL
 };
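Review bot: The guard `if (get_options()->ReevaluateExitPolicy == 0) { return; }` in the first connection_edge.c hunk sits before the relevant-key list that the second hunk extends, so the new `"ReevaluateExitPolicy"` entry can only take effect when the option is being switched on: a reload that sets it to 0 returns before anything is checked, while a reload that sets it to 1 presumably re-checks every existing stream against the current ExitPolicy even if the policy itself did not change. If that asymmetry is intended (a catch-up pass when an operator enables the option), a comment above the new entry would spare the next reader the puzzle, e.g. `/* Listed so that enabling this option at reload re-checks existing streams. */`. Minor style point: for a BOOL option the guard reads more naturally as `if (!get_options()->ReevaluateExitPolicy) {`. connection_reapply_exit_policy starts and ends outside both hunks.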