add config ReevaluateExitPolicy

2025-02-23 22:47:12 +01:00 · 2023-07-29 22:37:18 +02:00 · 2023-07-29 22:37:18 +02:00 · 9de1d14c1c
commit 9de1d14c1c
parent 8226148bf1
5 changed files with 19 additions and 2 deletions
--- a/doc/man/tor.1.txt
+++ b/doc/man/tor.1.txt
@ -2385,6 +2385,16 @@ is non-zero):
    policy options are set, Tor behaves as if ExitRelay were set to 0.
    (Default: auto)

+[[ReevaluateExitPolicy]] **ReevaluateExitPolicy** **0**|**1**::
+    If set, reevaluate the exit policy on existing connections when reloading
+    configuration. +
+     +
+    When the exit policy of an exit node change while reloading configuration,
+    connections made prior to this change could violate the new policy. By
+    setting this to 1, Tor will check if such connections exist, and mark them
+    for termination.
+    (Default: 0)
+
 [[ExtendAllowPrivateAddresses]] **ExtendAllowPrivateAddresses** **0**|**1**::
    When this option is enabled, Tor will connect to relays on localhost,
    RFC1918 addresses, and so on. In particular, Tor will make direct OR
--- a/src/app/config/config.c
+++ b/src/app/config/config.c
@ -637,6 +637,7 @@ static const config_var_t option_vars_[] = {
  V(RephistTrackTime,            INTERVAL, "24 hours"),
  V_IMMUTABLE(RunAsDaemon,       BOOL,     "0"),
  V(ReducedExitPolicy,           BOOL,     "0"),
+  V(ReevaluateExitPolicy,        BOOL,     "0"),
  OBSOLETE("RunTesting"), // currently unused
  V_IMMUTABLE(Sandbox,           BOOL,     "0"),
  V(SafeLogging,                 STRING,   "1"),
--- a/src/app/config/or_options_st.h
+++ b/src/app/config/or_options_st.h
@ -141,6 +141,8 @@ struct or_options_t {
                                        * Includes OutboundBindAddresses and
                                        * configured ports. */
  int ReducedExitPolicy; /**<Should we use the Reduced Exit Policy? */
+  int ReevaluateExitPolicy; /**<Should we re-evaluate Exit Policy on existing
+                             * connections when it changes? */
  struct config_line_t *SocksPolicy; /**< Lists of socks policy components */
  struct config_line_t *DirPolicy; /**< Lists of dir policy components */
  /** Local address to bind outbound sockets */
--- a/src/config/torrc.sample.in
+++ b/src/config/torrc.sample.in
@ -225,6 +225,10 @@
 #ExitPolicy accept6 *6:119 # accept nntp ports on IPv6 only as well as default exit policy
 #ExitPolicy reject *:* # no exits allowed

+## Uncomment this if you want your exit relay to reevaluate its exit policy on
+## existing connections when the exit policy is modified.
+#ReevaluateExitPolicy 1
+
 ## Bridge relays (or "bridges") are Tor relays that aren't listed in the
 ## main directory. Since there is no complete public list of them, even an
 ## ISP that filters connections to all the known Tor relays probably
--- a/src/core/or/connection_edge.c
+++ b/src/core/or/connection_edge.c
@ -4250,8 +4250,7 @@ connection_reapply_exit_policy(config_line_t *changes)
  smartlist_t *policy = NULL;
  int config_change_relevant = 0;

-  /* TODO if (get_options()->ReevaluateExitPolicy == 1) {*/
-  if (false) {
+  if (get_options()->ReevaluateExitPolicy == 0) {
    return;
  }

@ -4262,6 +4261,7 @@ connection_reapply_exit_policy(config_line_t *changes)
      "ExitRelay",
      "ExitPolicy",
      "ReducedExitPolicy",
+      "ReevaluateExitPolicy",
      "IPv6Exit",
      NULL
    };