[tor-commits] [chutney/master] Clarify exit policies for IPv4 and IPv6, including private addresses
commit 0c85da680fc3ed0492c1314b86592540ba0d424b
Author: teor <teor2345@xxxxxxxxx>
Date: Fri Apr 24 00:21:55 2015 +1000
Clarify exit policies for IPv4 and IPv6, including private addresses
Allow chutney exits to exit to all private addresses.
Tidy up exit policies, so each part of the policy is clearly identified.
Document alternatives to work around #11264, the microdescriptor
2x /8 requirement for exits.
Prepare for resolving #15353 by making sure the exit policies *should*
work when localhost is the only available IP. This still requires further
investigation.
---
torrc_templates/exit-v4.i | 26 ++++++++++++++++++++------
torrc_templates/exit-v6.i | 31 +++++++++++++++++--------------
2 files changed, 37 insertions(+), 20 deletions(-)
diff --git a/torrc_templates/exit-v4.i b/torrc_templates/exit-v4.i
index 375164b..1c33a83 100644
--- a/torrc_templates/exit-v4.i
+++ b/torrc_templates/exit-v4.i
@@ -1,9 +1,19 @@
-# An exit policy that allows exiting to IPv4 localhost
-#ExitPolicy accept 127.0.0.0/8:*
+# 1. Allow exiting to IPv4 localhost and private networks by default
+# -------------------------------------------------------------
-# An exit policy that allows exiting to the entire internet on HTTP(S)
-# This may be required to work around #11264 with microdescriptors enabled
+# Each IPv4 tor instance is configured with Address 127.0.0.1 by default
+ExitPolicy accept 127.0.0.0/8:*
+
+# If you only want tor to connect to localhost, disable these lines:
+# This may cause network failures in some circumstances
+ExitPolicyRejectPrivate 0
+ExitPolicy accept private:*
+
+# 2. Optionally: Allow exiting to the entire IPv4 internet on HTTP(S)
+# -------------------------------------------------------------------
+
+# 2. or 3. are required to work around #11264 with microdescriptors enabled
# "The core of this issue appears to be that the Exit flag code is
# optimistic (just needs a /8 and 2 ports), but the microdescriptor
# exit policy summary code is pessimistic (needs the entire internet)."
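
Review bot: In section 1, the added comment "This may cause network failures in some circumstances" does not say whether the failures come from keeping the two lines below it or from disabling them. Reword it to name the case, for example "Disabling them may cause network failures in some circumstances". "ExitPolicyRejectPrivate 0" and "ExitPolicy accept private:*" are now active by default, so a comment stating that this template is intended for chutney test networks would help anyone who copies it elsewhere.
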
@@ -12,6 +22,10 @@
#ExitPolicy accept *:80
#ExitPolicy accept *:443
-#ExitPolicy reject *:*
-# OR
+# 3. Optionally: Accept all IPv4 addresses, that is, the public internet
+# ----------------------------------------------------------------------
ExitPolicy accept *:*
+
+# 4. Finally, reject all IPv4 addresses which haven't been permitted
+# ------------------------------------------------------------------
+ExitPolicy reject *:*
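
Review bot: "ExitPolicy accept *:*" under the new "3. Optionally" header is an unchanged, uncommented line, so it stays active and the "ExitPolicy reject *:*" added in section 4 is never reached, because exit policy entries are matched first to last. It also means that disabling the section 1 lines does not restrict the exit to localhost, as the section 1 comment suggests it would. Either comment the line out, like the "#ExitPolicy accept *:80" and "#ExitPolicy accept *:443" lines in section 2, or drop "Optionally" from the header and say that the rule is on by default.
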
diff --git a/torrc_templates/exit-v6.i b/torrc_templates/exit-v6.i
index 5200f3e..8ba76a3 100644
--- a/torrc_templates/exit-v6.i
+++ b/torrc_templates/exit-v6.i
@@ -1,18 +1,21 @@
-# An exit policy that allows exiting to IPv6 localhost
-#ExitPolicy accept6 [::1]:*
+# 1. Allow exiting to IPv6 localhost and private networks by default
+# ------------------------------------------------------------------
IPv6Exit 1
-# An exit policy that allows exiting to the entire internet on HTTP(S)
-# This may be required to work around #11264 with microdescriptors enabled
-# "The core of this issue appears to be that the Exit flag code is
-# optimistic (just needs a /8 [IP6?] and 2 ports), but the microdescriptor
-# exit policy summary code is pessimistic (needs the entire internet)."
-# An alternative is to disable microdescriptors and use regular
-# descriptors, as they do not suffer from this issue.
-#ExitPolicy accept6 *:80
-#ExitPolicy accept6 *:443
+# Each IPv6 tor instance is configured with Address [::1] by default
+# This currently only applies to bridges
+ExitPolicy accept6 [::1]:*
-#ExitPolicy reject6 *:*
-# OR
-ExitPolicy accept6 *:*
+# If you only want tor to connect to localhost, disable these lines:
+# This may cause network failures in some circumstances
+ExitPolicyRejectPrivate 0
+ExitPolicy accept6 private:*
+
+# 2. Optionally: Accept all IPv6 addresses, that is, the public internet
+# ----------------------------------------------------------------------
+# ExitPolicy accept6 *:*
+
+# 3. Finally, reject all IPv6 addresses which haven't been permitted
+# ------------------------------------------------------------------
+ExitPolicy reject6 *:*
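
Review bot: The previously active "ExitPolicy accept6 *:*" is replaced here by the commented "# ExitPolicy accept6 *:*" in section 2, so the IPv6 template stops exiting to public addresses by default, while exit-v4.i keeps "ExitPolicy accept *:*" active. The commit message does not mention this change in default behaviour, and the two templates now differ under the same "Optionally" wording. Please either make the defaults match or state the difference in the comments and the commit message. Two smaller points: "ExitPolicyRejectPrivate 0" is now set in both templates, so a comment noting the duplication is intentional would help, and "# ExitPolicy" has a space after the "#" where the removed lines used "#ExitPolicy".
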