Diffstat (limited to 'doc')
-rw-r--r-- | doc/man/tor.1.txt | 62 |
1 files changed, 57 insertions, 5 deletions
diff --git a/doc/man/tor.1.txt b/doc/man/tor.1.txt index 1589809b1a..78449e3f72 100644 --- a/doc/man/tor.1.txt +++ b/doc/man/tor.1.txt @@ -2385,6 +2385,16 @@ is non-zero): policy options are set, Tor behaves as if ExitRelay were set to 0. (Default: auto) +[[ReevaluateExitPolicy]] **ReevaluateExitPolicy** **0**|**1**:: + If set, reevaluate the exit policy on existing connections when reloading + configuration. + + + + When the exit policy of an exit node change while reloading configuration, + connections made prior to this change could violate the new policy. By + setting this to 1, Tor will check if such connections exist, and mark them + for termination. + (Default: 0) + [[ExtendAllowPrivateAddresses]] **ExtendAllowPrivateAddresses** **0**|**1**:: When this option is enabled, Tor will connect to relays on localhost, RFC1918 addresses, and so on. In particular, Tor will make direct OR @@ -2795,17 +2805,16 @@ types of statistics that Tor relays collect and publish: + A relay is considered overloaded if at least one of these conditions is met: - - Onionskins are starting to be dropped. + - A certain ratio of ntor onionskins are dropped. - The OOM was invoked. + - TCP Port exhaustion. - - (Exit only) DNS timeout occurs X% of the time over Y seconds (values - controlled by consensus parameters, see param-spec.txt). + If ExtraInfoStatistics is enabled, it can also put two more specific overload lines in the extra-info document if at least one of these conditions is met: - - TCP Port exhaustion. - Connection rate limits have been reached (read and write side). + - File descriptors are exhausted. [[PaddingStatistics]] **PaddingStatistics** **0**|**1**:: Relays and bridges only. 
@@ -3027,6 +3036,44 @@ Denial of Service mitigation subsystem described above. consensus parameter. If not defined in the consensus, the value is 0. (Default: auto) +The following options are useful only for a exit relay. + +[[DoSStreamCreationEnabled]] **DoSStreamCreationEnabled** **0**|**1**|**auto**:: + + Enable the stream DoS mitigation. If set to 1 (enabled), tor will apply + rate limit on the creation of new streams and dns requests per circuit. + "auto" means use the consensus parameter. If not defined in the consensus, + the value is 0. (Default: auto) + +[[DoSStreamCreationDefenseType]] **DoSStreamCreationDefenseType** __NUM__:: + + This is the type of defense applied to a detected circuit or stream for the + stream mitigation. The possible values are: + + + 1: No defense. + + + 2: Reject the stream or resolve request. + + + 3: Close the circuit creating too many streams. + + + "0" means use the consensus parameter. If not defined in the consensus, the value is 2. + (Default: 0) + +[[DoSStreamCreationRate]] **DoSStreamCreationRate** __NUM__:: + + The allowed rate of stream creation from a single circuit per second. Coupled + with the burst (see below), if the limit is reached, actions can be taken + against the stream or circuit (DoSStreamCreationDefenseType). If not defined or + set to 0, it is controlled by a consensus parameter. If not defined in the + consensus, the value is 100. (Default: 0) + +[[DoSStreamCreationBurst]] **DoSStreamCreationBurst** __NUM__:: + + The allowed burst of stream creation from a circuit per second. + See the DoSStreamCreationRate for more details on this detection. If + not defined or set to 0, it is controlled by a consensus parameter. If not + defined in the consensus, the value is 300. (Default: 0) + For onion services, mitigations are a work in progress and multiple options are currently available. 
@@ -3371,6 +3418,11 @@ on the public Tor network. multiple times: the values from multiple lines are spliced together. When this is set then **VersioningAuthoritativeDirectory** should be set too. +[[MinimalAcceptedServerVersion]] **MinimalAcceptedServerVersion** __STRING__:: + STRING is the oldest Tor version accepted by the directory authority for + relays and bridge. Any older version will be rejected. + (Default: 0.4.7.0-alpha-dev) + [[V3AuthDistDelay]] **V3AuthDistDelay** __N__ **seconds**|**minutes**|**hours**:: V3 authoritative directories only. Configures the server's preferred delay between publishing its consensus and signature and assuming it has all the @@ -4065,7 +4117,7 @@ __DataDirectory__/**`stats/hidserv-stats`**:: of what fraction of the traffic is hidden service rendezvous traffic, and approximately how many hidden services the relay has seen. -__DataDirectory__/**networkstatus-bridges`**:: +__DataDirectory__/**`networkstatus-bridges`**:: Only used by authoritative bridge directories. Contains information about bridges that have self-reported themselves to the bridge authority. |
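Review bot: in the ReevaluateExitPolicy entry (hunk at -2385), "When the exit policy of an exit node change while reloading configuration" should read "changes". The entry would also be easier to act on if it said in one sentence why an operator might leave this at the default of 0, since the text only describes what happens when it is set to 1.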
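Review bot: in the overload conditions (hunk at -2795), "A certain ratio of ntor onionskins are dropped" gives no threshold and no pointer to where the ratio is defined, while the removed DNS timeout line at least referred the reader to param-spec.txt. If the ratio is set by a consensus parameter, name it or keep the param-spec.txt reference; "TCP Port exhaustion" should also use a lowercase "port" to match the other list items.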
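Review bot: in DoSStreamCreationBurst (hunk at -3027), "The allowed burst of stream creation from a circuit per second" attaches a rate unit to a burst size; describe it as the maximum number of streams allowed in a burst and leave "per second" to DoSStreamCreationRate. DoSStreamCreationEnabled says the limit covers "new streams and dns requests per circuit", but the Rate and Burst entries mention only stream creation, so state whether resolve requests count toward the same limit. Minor: "a exit relay" should be "an exit relay" and "dns" should be "DNS".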
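Review bot: in MinimalAcceptedServerVersion (hunk at -3371), "relays and bridge" should read "relays and bridges". Unlike the V3AuthDistDelay entry that follows, this one does not say which kind of authority honours it, and the literal default "0.4.7.0-alpha-dev" will need to be kept in step with the code each time the default is raised; consider noting both.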