diff options
| author | Nick Mathewson <nickm@torproject.org> | 2021-03-24 12:23:30 -0400 |
|---|---|---|
| committer | Nick Mathewson <nickm@torproject.org> | 2021-03-24 12:23:30 -0400 |
| commit | 37b16d7e1977647d297c165afa0435536a474264 (patch) | |
| tree | 5fb4271fce5bc1ed3461956a59bc420ee2ebc25f | |
| parent | f1c673fa545dc4fc9003b3fe2170d7fd42870a18 (diff) | |
| parent | 6de09642f06b8ee0da3e47e17b350aea6c7644a9 (diff) | |
| download | tor-37b16d7e1977647d297c165afa0435536a474264.tar.gz tor-37b16d7e1977647d297c165afa0435536a474264.zip | |
Merge remote-tracking branch 'tor-gitlab/mr/339'
| -rw-r--r-- | changes/ticket40271 | 5 | ||||
| -rw-r--r-- | src/core/or/connection_edge.c | 20 |
2 files changed, 25 insertions, 0 deletions
diff --git a/changes/ticket40271 b/changes/ticket40271 new file mode 100644 index 0000000000..a977be75e1 --- /dev/null +++ b/changes/ticket40271 @@ -0,0 +1,5 @@ + o Minor features (client): + - Clients now check whether their streams are attempting to re-enter + the Tor network (i.e. to send Tor traffic over Tor), and they close + them preemptively if they think exit relays will refuse them. See + ticket 2667 for details. Close ticket 40271. diff --git a/src/core/or/connection_edge.c b/src/core/or/connection_edge.c index 7e0f51428a..b89f3336dc 100644 --- a/src/core/or/connection_edge.c +++ b/src/core/or/connection_edge.c @@ -163,6 +163,7 @@ static int connection_ap_process_natd(entry_connection_t *conn); static int connection_exit_connect_dir(edge_connection_t *exitconn); static int consider_plaintext_ports(entry_connection_t *conn, uint16_t port); static int connection_ap_supports_optimistic_data(const entry_connection_t *); +static bool network_reentry_is_allowed(void); /** * Cast a `connection_t *` to an `edge_connection_t *`. @@ -2401,6 +2402,25 @@ connection_ap_handshake_rewrite_and_attach(entry_connection_t *conn, * address. */ conn->entry_cfg.ipv6_traffic = 0; } + + /* Next, yet another check: we know it's a direct IP address. Is it + * the IP address of a known relay and its ORPort, or of a directory + * authority and its OR or Dir Port? If so, and if a consensus param + * says to, then exit relays will refuse this request (see ticket + * 2667 for details). Let's just refuse it locally right now, to + * save time and network load but also to give the user a more + * useful log message. */ + if (!network_reentry_is_allowed() && + nodelist_reentry_contains(&addr, socks->port)) { + log_warn(LD_APP, "Not attempting connection to %s:%d because " + "the network would reject it. Are you trying to send " + "Tor traffic over Tor? This traffic can be harmful to " + "the Tor network. If you really need it, try using " + "a bridge as a workaround.", + safe_str_client(socks->address), socks->port); + connection_mark_unattached_ap(conn, END_STREAM_REASON_TORPROTOCOL); + return -1; + } } } |