diff options
| -rw-r--r-- | changes/feature10067 | 12 | ||||
| -rw-r--r-- | doc/tor.1.txt | 13 | ||||
| -rw-r--r-- | src/or/config.c | 3 | ||||
| -rw-r--r-- | src/or/or.h | 8 | ||||
| -rw-r--r-- | src/or/policies.c | 36 |
5 files changed, 71 insertions, 1 deletions
diff --git a/changes/feature10067 b/changes/feature10067 new file mode 100644 index 0000000000..3a387d0497 --- /dev/null +++ b/changes/feature10067 @@ -0,0 +1,12 @@ + o Major features (changed defaults): + - Prevent relay operators from unintentionally running exits: When + a relay is configured as an exit node, we now warn the user + unless the 'ExitRelay' option is set to 1. We warn even more + loudly if the relay is configured with the default exit policy, + since this tends to indicate accidental misconfiguration. + Setting 'ExitRelay' to 0 stops Tor from running as an exit relay. + Closes ticket 10067. + + o Removed features: + - To avoid confusion with the 'ExitRelay' option, 'ExitNode' is no + longer silently accepted as an alias for 'ExitNodes'. diff --git a/doc/tor.1.txt b/doc/tor.1.txt index 4e3e07e2d3..9e86a67359 100644 --- a/doc/tor.1.txt +++ b/doc/tor.1.txt @@ -1469,6 +1469,19 @@ is non-zero): that it's an email address and/or generate a new address for this purpose. +[[ExitRelay]] **ExitRelay** **0**|**1**|**auto**:: + Tells Tor whether to run as an exit relay. If Tor is running as a + non-bridge server, and ExitRelay is set to 1, then Tor allows traffic to + exit according to the ExitPolicy option (or the default ExitPolicy if + none is specified). + + + If ExitRelay is set to 0, no traffic is allowed to + exit, and the ExitPolicy option is ignored. + + + + If ExitRelay is set to "auto", then Tor behaves as if it were set to 1, but + warns the user if this would cause traffic to exit. In a future version, + the default value will be 0. (Default: auto) + [[ExitPolicy]] **ExitPolicy** __policy__,__policy__,__...__:: Set an exit policy for this server. Each policy is of the form "**accept**|**reject** __ADDR__[/__MASK__][:__PORT__]". If /__MASK__ is diff --git a/src/or/config.c b/src/or/config.c index be0bfc7687..2fa077e146 100644 --- a/src/or/config.c +++ b/src/or/config.c @@ -65,7 +65,6 @@ static config_abbrev_t option_abbrevs_[] = { PLURAL(AuthDirBadExitCC), PLURAL(AuthDirInvalidCC), PLURAL(AuthDirRejectCC), - PLURAL(ExitNode), PLURAL(EntryNode), PLURAL(ExcludeNode), PLURAL(FirewallPort), @@ -229,6 +228,7 @@ static config_var_t option_vars_[] = { V(ExitPolicyRejectPrivate, BOOL, "1"), V(ExitPortStatistics, BOOL, "0"), V(ExtendAllowPrivateAddresses, BOOL, "0"), + V(ExitRelay, AUTOBOOL, "auto"), VPORT(ExtORPort, LINELIST, NULL), V(ExtORPortCookieAuthFile, STRING, NULL), V(ExtORPortCookieAuthFileGroupReadable, BOOL, "0"), @@ -3924,6 +3924,7 @@ options_transition_affects_descriptor(const or_options_t *old_options, !opt_streq(old_options->Nickname,new_options->Nickname) || !opt_streq(old_options->Address,new_options->Address) || !config_lines_eq(old_options->ExitPolicy,new_options->ExitPolicy) || + old_options->ExitRelay != new_options->ExitRelay || old_options->ExitPolicyRejectPrivate != new_options->ExitPolicyRejectPrivate || old_options->IPv6Exit != new_options->IPv6Exit || diff --git a/src/or/or.h b/src/or/or.h index c0ecadc0e2..58e2164665 100644 --- a/src/or/or.h +++ b/src/or/or.h @@ -4271,6 +4271,14 @@ typedef struct { * when sending. */ int SchedulerMaxFlushCells__; + + /** Is this an exit node? This is a tristate, where "1" means "yes, and use + * the default exit policy if none is given" and "0" means "no; exit policy + * is 'reject *'" and "auto" (-1) means "same as 1, but warn the user." + * + * XXXX Eventually, the default will be 0. */ + int ExitRelay; + } or_options_t; /** Persistent state for an onion router, as saved to disk. */ diff --git a/src/or/policies.c b/src/or/policies.c index 2095907025..560b8cb4c3 100644 --- a/src/or/policies.c +++ b/src/or/policies.c @@ -434,6 +434,33 @@ validate_addr_policies(const or_options_t *options, char **msg) REJECT("Error in ExitPolicy entry."); } + static int warned_about_exitrelay = 0; + + const int exitrelay_setting_is_auto = options->ExitRelay == -1; + const int policy_accepts_something = + ! (policy_is_reject_star(addr_policy, AF_INET) && + policy_is_reject_star(addr_policy, AF_INET6)); + + if (server_mode(options) && + ! warned_about_exitrelay && + exitrelay_setting_is_auto && + policy_accepts_something) { + /* Policy accepts something */ + warned_about_exitrelay = 1; + log_warn(LD_CONFIG, + "Tor is running as an exit relay%s. If you did not want this " + "behavior, please set the ExitRelay option to 0. If you do " + "want to run an exit Relay, please set the ExitRelay option " + "to 1 to disable this warning, and for forward compatibility.", + options->ExitPolicy == NULL ? + " with the default exit policy" : ""); + if (options->ExitPolicy == NULL) { + log_warn(LD_CONFIG, + "In a future version of Tor, ExitRelay 0 may become the " + "default when no ExitPolicy is given."); + } + } + /* The rest of these calls *append* to addr_policy. So don't actually * use the results for anything other than checking if they parse! */ if (parse_addr_policy(options->DirPolicy, &addr_policy, -1)) @@ -1022,6 +1049,9 @@ policies_parse_exit_policy(config_line_t *cfg, smartlist_t **dest, * * If <b>or_options->BridgeRelay</b> is false, add entries of default * Tor exit policy into <b>result</b> smartlist. + * + * If or_options->ExitRelay is false, then make our exit policy into + * "reject *:*" regardless. */ int policies_parse_exit_policy_from_options(const or_options_t *or_options, @@ -1030,6 +1060,12 @@ policies_parse_exit_policy_from_options(const or_options_t *or_options, { exit_policy_parser_cfg_t parser_cfg = 0; + if (or_options->ExitRelay == 0) { + append_exit_policy_string(result, "reject *4:*"); + append_exit_policy_string(result, "reject *6:*"); + return 0; + } + if (or_options->IPv6Exit) { parser_cfg |= EXIT_POLICY_IPV6_ENABLED; } |