commit a659a3fced83ddb2586cade138f6fa1376d1402d Merge: fd85f2c eb1759e Author: teor (Tim Wilson-Brown) teor2345@gmail.com Date: Wed Sep 16 09:09:54 2015 +1000
Merge branch 'bug17027-reject-private-all-interfaces-v2' into bug16069-bug17027
src/test/test_policy.c: Merged calls to policies_parse_exit_policy by adding additional arguments. fixup to remaining instance of ~EXIT_POLICY_IPV6_ENABLED. Compacting logic test now produces previous list length of 4, corrected this.
src/config/torrc.sample.in: src/config/torrc.minimal.in-staging: Merged torrc modification dates in favour of latest.
changes/bug17027-reject-private-all-interfaces | 6 + doc/tor.1.txt | 7 +- src/common/address.c | 114 +++++++++--- src/common/address.h | 28 ++- src/config/torrc.minimal.in-staging | 8 +- src/config/torrc.sample.in | 8 +- src/or/policies.c | 131 ++++++++++++-- src/or/policies.h | 12 +- src/or/router.c | 2 +- src/test/test_address.c | 230 ++++++++++++++++++++++-- src/test/test_policy.c | 30 +++- 11 files changed, 495 insertions(+), 81 deletions(-)
diff --cc doc/tor.1.txt index 4f922c8,5ac6164..736cf75 --- a/doc/tor.1.txt +++ b/doc/tor.1.txt @@@ -1586,12 -1577,12 +1586,15 @@@ is non-zero) reject *:6881-6999 accept *:*
+ Since the default exit policy uses accept/reject *, it applies to both + IPv4 and IPv6 addresses. + [[ExitPolicyRejectPrivate]] **ExitPolicyRejectPrivate** **0**|**1**:: - Reject all private (local) networks, along with your own public IP address, - at the beginning of your exit policy. See above entry on ExitPolicy. + Reject all private (local) networks, along with your own configured public + IPv4 and IPv6 addresses, at the beginning of your exit policy. Also reject + any public IPv4 and IPv6 addresses on any interface on the relay. (If + IPv6Exit is not set, all IPv6 addresses will be rejected anyway.) + See above entry on ExitPolicy. (Default: 1)
[[IPv6Exit]] **IPv6Exit** **0**|**1**:: diff --cc src/config/torrc.minimal.in-staging index c17f7eb,8ce16bb..ed3300f --- a/src/config/torrc.minimal.in-staging +++ b/src/config/torrc.minimal.in-staging @@@ -172,13 -171,13 +172,15 @@@ ## users will be told that those destinations are down. ## ## For security, by default Tor rejects connections to private (local) - ## networks, including to your public IP address. See the man page entry - ## for ExitPolicyRejectPrivate if you want to allow "exit enclaving". + ## networks, including to the configured public IPv4 and IPv6 addresses, + ## and any public IPv4 and IPv6 addresses on any interface on the relay. + ## See the man page entry for ExitPolicyRejectPrivate if you want to allow + ## "exit enclaving". ## -#ExitPolicy accept *:6660-6667,reject *:* # allow irc ports but no more -#ExitPolicy accept *:119 # accept nntp as well as default exit policy +#ExitPolicy accept *:6660-6667,reject *:* # allow irc ports on IPv4 and IPv6 but no more +#ExitPolicy accept *:119 # accept nntp ports on IPv4 and IPv6 as well as default exit policy +#ExitPolicy accept *4:119 # accept nntp ports on IPv4 only as well as default exit policy +#ExitPolicy accept6 *6:119 # accept nntp ports on IPv6 only as well as default exit policy #ExitPolicy reject *:* # no exits allowed
## Bridge relays (or "bridges") are Tor relays that aren't listed in the diff --cc src/config/torrc.sample.in index c17f7eb,8ce16bb..ed3300f --- a/src/config/torrc.sample.in +++ b/src/config/torrc.sample.in @@@ -172,13 -171,13 +172,15 @@@ ## users will be told that those destinations are down. ## ## For security, by default Tor rejects connections to private (local) - ## networks, including to your public IP address. See the man page entry - ## for ExitPolicyRejectPrivate if you want to allow "exit enclaving". + ## networks, including to the configured public IPv4 and IPv6 addresses, + ## and any public IPv4 and IPv6 addresses on any interface on the relay. + ## See the man page entry for ExitPolicyRejectPrivate if you want to allow + ## "exit enclaving". ## -#ExitPolicy accept *:6660-6667,reject *:* # allow irc ports but no more -#ExitPolicy accept *:119 # accept nntp as well as default exit policy +#ExitPolicy accept *:6660-6667,reject *:* # allow irc ports on IPv4 and IPv6 but no more +#ExitPolicy accept *:119 # accept nntp ports on IPv4 and IPv6 as well as default exit policy +#ExitPolicy accept *4:119 # accept nntp ports on IPv4 only as well as default exit policy +#ExitPolicy accept6 *6:119 # accept nntp ports on IPv6 only as well as default exit policy #ExitPolicy reject *:* # no exits allowed
## Bridge relays (or "bridges") are Tor relays that aren't listed in the diff --cc src/test/test_policy.c index e9be9e4,d7d3cf0..37c36fe --- a/src/test/test_policy.c +++ b/src/test/test_policy.c @@@ -77,8 -77,7 +77,8 @@@ test_policies_general(void *arg int i; smartlist_t *policy = NULL, *policy2 = NULL, *policy3 = NULL, *policy4 = NULL, *policy5 = NULL, *policy6 = NULL, - *policy7 = NULL, *policy12 = NULL; + *policy7 = NULL, *policy8 = NULL, *policy9 = NULL, - *policy10 = NULL, *policy11 = NULL; ++ *policy10 = NULL, *policy11 = NULL, *policy12 = NULL; addr_policy_t *p; tor_addr_t tar; config_line_t line; @@@ -119,13 -117,20 +120,22 @@@
tt_assert(policy2);
+ tor_addr_parse(&tar, "[2000::1234]"); + tt_int_op(0, OP_EQ, policies_parse_exit_policy(NULL, &policy12, + EXIT_POLICY_IPV6_ENABLED | + EXIT_POLICY_REJECT_PRIVATE | + EXIT_POLICY_ADD_DEFAULT, + 0x0306090cu, &tar, 1)); + + tt_assert(policy12); + policy3 = smartlist_new(); - p = router_parse_addr_policy_item_from_string("reject *:*",-1); + p = router_parse_addr_policy_item_from_string("reject *:*", -1, + &malformed_list); tt_assert(p != NULL); smartlist_add(policy3, p); - p = router_parse_addr_policy_item_from_string("accept *:*",-1); + p = router_parse_addr_policy_item_from_string("accept *:*", -1, + &malformed_list); tt_assert(p != NULL); smartlist_add(policy3, p);
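Review bot: The return value of `tor_addr_parse(&tar, "[2000::1234]")` at the top of this hunk is not checked, and `tar` is declared without an initializer in the earlier hunk, so a failed parse would hand an indeterminate address to policies_parse_exit_policy while the test still passes as long as the call returns 0. tor_addr_parse reports failure with a negative return, so the parse should be asserted as well: `tt_int_op(tor_addr_parse(&tar, "[2000::1234]"), OP_EQ, AF_INET6);`. The literal `0x0306090cu` passed as the local IPv4 address would also read better with a comment naming the address it encodes, presumably `/* 3.6.9.12 */`, since a reader cannot otherwise tell which address the reject-private entries are expected to cover. The only check on the result here is `tt_assert(policy12)`; if no later hunk inspects the entries of policy12, nothing in the test shows that 3.6.9.12 and 2000::1234 actually end up rejected, which is the behaviour this merge is about. test_policies_general begins before this hunk.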
@@@ -193,32 -184,6 +203,34 @@@ tt_assert(p != NULL); smartlist_add(policy7, p);
+ tt_int_op(0, OP_EQ, policies_parse_exit_policy(NULL, &policy8, + EXIT_POLICY_IPV6_ENABLED | + EXIT_POLICY_REJECT_PRIVATE | - EXIT_POLICY_ADD_DEFAULT, 0)); ++ EXIT_POLICY_ADD_DEFAULT, 0, ++ NULL, 0)); + + tt_assert(policy8); + + tt_int_op(0, OP_EQ, policies_parse_exit_policy(NULL, &policy9, + EXIT_POLICY_REJECT_PRIVATE | - EXIT_POLICY_ADD_DEFAULT, 0)); ++ EXIT_POLICY_ADD_DEFAULT, 0, ++ NULL, 0)); + + tt_assert(policy9); + + /* accept6 * and reject6 * produce IPv6 wildcards only */ + policy10 = smartlist_new(); + p = router_parse_addr_policy_item_from_string("accept6 *:*", -1, + &malformed_list); + tt_assert(p != NULL); + smartlist_add(policy10, p); + + policy11 = smartlist_new(); + p = router_parse_addr_policy_item_from_string("reject6 *:*", -1, + &malformed_list); + tt_assert(p != NULL); + smartlist_add(policy11, p); + tt_assert(!exit_policy_is_general_exit(policy)); tt_assert(exit_policy_is_general_exit(policy2)); tt_assert(!exit_policy_is_general_exit(NULL)); @@@ -463,10 -358,7 +476,11 @@@ addr_policy_list_free(policy5); addr_policy_list_free(policy6); addr_policy_list_free(policy7); + addr_policy_list_free(policy8); + addr_policy_list_free(policy9); + addr_policy_list_free(policy10); + addr_policy_list_free(policy11); + addr_policy_list_free(policy12); tor_free(policy_str); if (sm) { SMARTLIST_FOREACH(sm, char *, s, tor_free(s));
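Review bot: The policy8 and policy9 calls in this hunk now end in three bare literals, `0, NULL, 0`, whose roles (local IPv4 address, configured-address list and its count, judging by the `0x0306090cu, &tar, 1` call earlier in this file) are not visible at the call site. A one-line comment above each call such as `/* no local address, no configured addresses */`, or named locals, would keep the two calls readable and make it explicit that only policy12 exercises the reject-private path with real addresses while policy8 and policy9 cover the empty case. The same applies to both calls in this hunk. test_policies_general starts outside the hunk.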