From 514f0041d190b9e142cc246e3ec7ac65342547bd Mon Sep 17 00:00:00 2001
From: "teor (Tim Wilson-Brown)"
Date: Fri, 1 Jul 2016 15:37:13 +1000
Subject: Avoid disclosing exit IP addresses in exit policies by default

From 0.2.7.2-alpha onwards, Exits would reject all the IP addresses they knew about in their exit policy. But this may have disclosed addresses that were otherwise unlisted. Now, only advertised addresses are rejected by default by ExitPolicyRejectPrivate. All known addresses are only rejected when ExitPolicyRejectLocalInterfaces is explicitly set to 1.
---
 src/or/config.c | 3 +++
 1 file changed, 3 insertions(+) (limited to 'src/or/config.c')
diff --git a/src/or/config.c b/src/or/config.c
index 45acd39980..5643c8d226 100644
--- a/src/or/config.c
+++ b/src/or/config.c
@@ -244,6 +244,7 @@ static config_var_t option_vars_[] = {
 V(ExitNodes, ROUTERSET, NULL),
 V(ExitPolicy, LINELIST, NULL),
 V(ExitPolicyRejectPrivate, BOOL, "1"),
+ V(ExitPolicyRejectLocalInterfaces, BOOL, "0"),
 V(ExitPortStatistics, BOOL, "0"),
 V(ExtendAllowPrivateAddresses, BOOL, "0"),
 V(ExitRelay, AUTOBOOL, "auto"),
@@ -4320,6 +4321,8 @@ options_transition_affects_descriptor(const or_options_t *old_options,
 old_options->ExitRelay != new_options->ExitRelay ||
 old_options->ExitPolicyRejectPrivate !=
 new_options->ExitPolicyRejectPrivate ||
+ old_options->ExitPolicyRejectLocalInterfaces !=
+ new_options->ExitPolicyRejectLocalInterfaces ||
 old_options->IPv6Exit != new_options->IPv6Exit ||
 !config_lines_eq(old_options->ORPort_lines,
 new_options->ORPort_lines) ||
-- 
cgit v1.2.3-54-g00ecf
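Review bot: The `"0"` default on the new `ExitPolicyRejectLocalInterfaces` row changes behaviour on upgrade, and nothing in the table marks it. Per the commit message, relays from 0.2.7.2-alpha onwards rejected every address they knew about; after this change only advertised addresses are rejected unless the operator opts in. An exit that relied on the old implicit rejection to keep exit traffic away from services on its unadvertised interfaces loses that cover silently. I would put a comment above the row, e.g. `/* Default 0: rejecting all local interface addresses would list unadvertised addresses in the published exit policy. */`, and confirm that the manual and changelog state the upgrade impact; this view is limited to src/or/config.c, so they may already do so. The `option_vars_[]` table starts and ends outside the hunk.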
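Review bot: The added comparison makes a change to `ExitPolicyRejectLocalInterfaces` republish the descriptor, but nothing near it records that switching the option from 1 back to 0 cannot withdraw addresses an earlier descriptor already listed. Descriptors published before the switch presumably remain available to anyone who kept them, so an operator who enabled the option by mistake should treat those addresses as disclosed. A short comment beside the comparison, such as `/* Turning this off only stops listing local addresses in new descriptors; older descriptors keep them. */`, or the same sentence in the option's documentation, would make that explicit. `options_transition_affects_descriptor` starts and ends outside the hunk.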