authortrinity-1686a <trinity@deuxfleurs.fr>2023-07-23 20:57:32 +0200
committertrinity-1686a <trinity@deuxfleurs.fr>2023-07-29 23:15:23 +0200
commit8226148bf191462fca4fad862116ee34aa5bab6d (patch)
tree57606a9b2613a1366a4099dc9ce62cf4eeae8e64
parent4667195deded5e34d93ef9984ff091b2ae822fbb (diff)
downloadtor-8226148bf191462fca4fad862116ee34aa5bab6d.tar.gz
tor-8226148bf191462fca4fad862116ee34aa5bab6d.zip
reapply exit policy on reload
-rw-r--r--src/app/config/config.c1
-rw-r--r--src/core/or/connection_edge.c68
-rw-r--r--src/core/or/connection_edge.h2
-rw-r--r--src/core/or/policies.c2
4 files changed, 72 insertions, 1 deletions
diff --git a/src/app/config/config.c b/src/app/config/config.c
index a10329c552..60565d15c4 100644
--- a/src/app/config/config.c
+++ b/src/app/config/config.c
@@ -996,6 +996,7 @@ set_options(or_options_t *new_val, char **msg)
config_line_t *changes =
config_get_changes(get_options_mgr(), old_options, new_val);
control_event_conf_changed(changes);
+ connection_reapply_exit_policy(changes);
config_free_lines(changes);
}
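Review bot: The new call lets `connection_reapply_exit_policy` read the policy through `get_options()` instead of the `new_val` that `set_options` is installing, so it is only correct if `global_options` already points at `new_val` when this line runs; that ordering is outside the hunk, so confirm it, or pass the options explicitly so the helper cannot observe a stale configuration. Placing the call after `control_event_conf_changed(changes)` also means controllers hear about the change before streams are torn down, which is probably intended but worth a one-line comment, e.g. `/* Notify controllers first, then enforce the new policy on open streams. */`. set_options continues outside the hunk.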
diff --git a/src/core/or/connection_edge.c b/src/core/or/connection_edge.c
index f21779a80c..f7cc1d7a98 100644
--- a/src/core/or/connection_edge.c
+++ b/src/core/or/connection_edge.c
@@ -105,6 +105,7 @@
#include "lib/buf/buffers.h"
#include "lib/crypt_ops/crypto_rand.h"
#include "lib/crypt_ops/crypto_util.h"
+#include "lib/encoding/confline.h"
#include "core/or/cell_st.h"
#include "core/or/cpath_build_state_st.h"
@@ -4237,6 +4238,73 @@ my_exit_policy_rejects(const tor_addr_t *addr,
return 0;
}
+/* Reapply exit policy to existing connections, possibly terminating
+ * connections
+ * no longer allowed by the policy.
+ */
+void
+connection_reapply_exit_policy(config_line_t *changes)
+{
+ int marked_for_close = 0;
+ smartlist_t *conn_list = NULL;
+ smartlist_t *policy = NULL;
+ int config_change_relevant = 0;
+
+ /* TODO if (get_options()->ReevaluateExitPolicy == 1) {*/
+ if (false) {
+ return;
+ }
+
+ for (const config_line_t *line = changes;
+ line && !config_change_relevant;
+ line = line->next) {
+ const char* exit_policy_options[] = {
+ "ExitRelay",
+ "ExitPolicy",
+ "ReducedExitPolicy",
+ "IPv6Exit",
+ NULL
+ };
+ for (unsigned int i = 0; exit_policy_options[i] != NULL; ++i) {
+ if (strcmp(line->key, exit_policy_options[i]) == 0) {
+ config_change_relevant = 1;
+ break;
+ }
+ }
+ }
+
+ if (!config_change_relevant) {
+ /* Policy did not change: no need to iterate over connections */
+ return;
+ }
+
+ // we can't use router_compare_to_my_exit_policy as it depend on the
+ // descriptor, which is regenerated asynchronously, so we have to parse the
+ // policy ourselves.
+ // We don't verify for our own IP, it's not part of the configuration.
+ policies_parse_exit_policy_from_options(get_options(), NULL, NULL, &policy);
+
+ conn_list = connection_list_by_type_purpose(CONN_TYPE_EXIT,
+ EXIT_PURPOSE_CONNECT);
+
+ SMARTLIST_FOREACH_BEGIN(conn_list, connection_t *, conn) {
+ addr_policy_result_t verdict = compare_tor_addr_to_addr_policy(&conn->addr,
+ conn->port,
+ policy);
+ if (verdict != ADDR_POLICY_ACCEPTED) {
+ connection_edge_end(TO_EDGE_CONN(conn), END_STREAM_REASON_EXITPOLICY);
+ connection_mark_for_close(conn);
+ ++marked_for_close;
+ }
+ } SMARTLIST_FOREACH_END(conn);
+
+ smartlist_free(conn_list);
+ smartlist_free(policy);
+
+ log_info(LD_GENERAL, "Marked %d connections to be closed as no longer "
+ "allowed per ExitPolicy", marked_for_close);
+}
+
/** Return true iff the consensus allows network reentry. The default value is
* false if the parameter is not found. */
static bool
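Review bot: `smartlist_free(policy)` releases only the list, not the entries that `policies_parse_exit_policy_from_options` filled it with, so every relevant configuration change leaks the parsed policy; the policy lists built by policies.c are released with `addr_policy_list_free(policy)`, which should replace that line if this list uses the same entry type. The return value of `policies_parse_exit_policy_from_options` is also ignored, and if it leaves `policy` NULL on failure the loop would presumably treat the missing policy as accept-all instead of failing closed, so check the result and return before iterating. The `if (false) { return; }` stub under the TODO is dead code that makes the re-evaluation unconditional; until a ReevaluateExitPolicy option exists, drop the stub and say so in the function comment rather than leave a branch the compiler removes. The `exit_policy_options` table is rebuilt on every iteration of the outer loop and could be one `static const char *const exit_policy_options[]` above it. The header comment has a stray line break after "terminating"; suggest `/* Reapply the exit policy to existing exit connections, closing those that are no longer allowed by it. */`.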
diff --git a/src/core/or/connection_edge.h b/src/core/or/connection_edge.h
index 59fc17dea5..1bb0e6d368 100644
--- a/src/core/or/connection_edge.h
+++ b/src/core/or/connection_edge.h
@@ -13,6 +13,7 @@
#define TOR_CONNECTION_EDGE_H
#include "lib/testsupport/testsupport.h"
+#include "lib/encoding/confline.h"
#include "feature/hs/hs_service.h"
@@ -101,6 +102,7 @@ void connection_entry_set_controller_wait(entry_connection_t *conn);
void connection_ap_about_to_close(entry_connection_t *edge_conn);
void connection_exit_about_to_close(edge_connection_t *edge_conn);
+void connection_reapply_exit_policy(config_line_t *changes);
MOCK_DECL(int,
connection_ap_handshake_send_begin,(entry_connection_t *ap_conn));
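Review bot: Pulling `lib/encoding/confline.h` into this widely-included header just to name `config_line_t *` in one prototype makes every includer of connection_edge.h depend on confline.h; if the typedef permits it, a forward declaration of the struct in this header would keep the include in connection_edge.c only, where the commit already adds it. The prototype itself matches the definition added in connection_edge.c.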
diff --git a/src/core/or/policies.c b/src/core/or/policies.c
index 1864b84d5e..4641632b60 100644
--- a/src/core/or/policies.c
+++ b/src/core/or/policies.c
@@ -1066,7 +1066,7 @@ socks_policy_permits_address(const tor_addr_t *addr)
}
/** Return 1 if <b>addr</b> is permitted to connect to our metrics port,
- * based on <b>socks_policy</b>. Else return 0.
+ * based on <b>metrics_policy</b>. Else return 0.
*/
int
metrics_policy_permits_address(const tor_addr_t *addr)