Ticket #13605: tor-patch-ReducedExitPolicy-003.patch

File tor-patch-ReducedExitPolicy-003.patch, 11.3 KB (added by neel, 22 months ago)

Version 3 of patch to add ReducedExitPolicy option

  • src/or/config.c

    From 8a3ad13899e25268af1e1ddc44359c975427cc42 Mon Sep 17 00:00:00 2001
    From: Neel Chauhan <neel@neelc.org>
    Date: Tue, 10 Oct 2017 11:45:35 -0400
    Subject: [PATCH 1/3] Add code for letting user select Reduced Exit Policy
    
    ---
     src/or/config.c   |  1 +
     src/or/or.h       |  1 +
     src/or/policies.c | 39 ++++++++++++++++++++++++++++++++++-----
     src/or/policies.h |  3 ++-
     4 files changed, 38 insertions(+), 6 deletions(-)
    
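diff --git a/src/or/config.c b/src/or/config.c
index 832a7c967..9e0e67628 100644
--- a/src/or/config.c
+++ b/src/or/config.c
@@ -484,6 +484,7 @@ static config_var_t option_vars_[] = {
   V(RendPostPeriod,              INTERVAL, "1 hour"),
   V(RephistTrackTime,            INTERVAL, "24 hours"),
   V(RunAsDaemon,                 BOOL,     "0"),
+  V(ReducedExitPolicy,           BOOL,     "0"),
   OBSOLETE("RunTesting"), // currently unused
   V(Sandbox,                     BOOL,     "0"),
   V(SafeLogging,                 STRING,   "1"),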
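Review bot: The new `V(ReducedExitPolicy,           BOOL,     "0"),` entry is inserted after RunAsDaemon, but the visible part of option_vars_ is kept in alphabetical order (RendPostPeriod, RephistTrackTime, RunAsDaemon, RunTesting, Sandbox, SafeLogging), so "Red…" belongs above `V(RendPostPeriod,              INTERVAL, "1 hour"),` (the exact slot depends on entries above the hunk). This is a style point only; moving the line keeps the table scannable and avoids later merge noise around this spot. The option_vars_ array begins and ends outside the hunk.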
  • src/or/or.h

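diff --git a/src/or/or.h b/src/or/or.h
index 5bd07ba6a..4cf6add07 100644
--- a/src/or/or.h
+++ b/src/or/or.h
@@ -3674,6 +3674,7 @@ typedef struct {
                                         * interface addresses?
                                         * Includes OutboundBindAddresses and
                                         * configured ports. */
+  int ReducedExitPolicy; /**<Should we use the Reduced Exit Policy? */
   config_line_t *SocksPolicy; /**< Lists of socks policy components */
   config_line_t *DirPolicy; /**< Lists of dir policy components */
   /** Local address to bind outbound sockets */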
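Review bot: The new member's comment `/**<Should we use the Reduced Exit Policy? */` omits the space after `/**<` that the neighbouring members use (`/**< Lists of socks policy components */`); write it as `int ReducedExitPolicy; /**< Should we use the Reduced Exit Policy? */` so the Doxygen member comments stay uniform. The enclosing `typedef struct {` starts and ends outside the hunk.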
  • src/or/policies.c

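diff --git a/src/or/policies.c b/src/or/policies.c
index 4c24bfbc3..3cc279cd6 100644
--- a/src/or/policies.c
+++ b/src/or/policies.c
@@ -81,7 +81,8 @@ static int policies_parse_exit_policy_internal(
                                       const smartlist_t *configured_addresses,
                                       int reject_interface_addresses,
                                       int reject_configured_port_addresses,
-                                      int add_default_policy);
+                                      int add_default_policy,
+                                      int add_reduced_policy);
 
 /** Replace all "private" entries in *<b>policy</b> with their expanded
  * equivalents. */
@@ -1877,6 +1878,24 @@ policies_log_first_redundant_entry(const smartlist_t *policy)
   "reject *:563,reject *:1214,reject *:4661-4666,"                  \
   "reject *:6346-6429,reject *:6699,reject *:6881-6999,accept *:*"
 
+#define REDUCED_EXIT_POLICY                                                   \
+  "accept *:20-23,accept *:43,accept *:53,accept *:79-81,accept *:88,"        \
+  "accept *:110,accept *:143,accept *:194,accept *:220,accept *:389,"         \
+  "accept *:443,accept *:464,accept *:465,accept *:531,accept *:543-544,"     \
+  "accept *:554,accept *:563,accept *:587,accept *:636,accept *:706,"         \
+  "accept *:749,accept *:873,accept *:902-904,accept *:981,accept *:989-995," \
+  "accept *:1194,accept *:1220,accept *:1293,accept *:1500,accept *:1533,"    \
+  "accept *:1677,accept *:1723,accept *:1755,accept *:1863,"                  \
+  "accept *:2082-2083,accept *:2086-2087,accept *:2095-2096,"                 \
+  "accept *:2102-2104,accept *:3128,accept *:3389,accept *:3690,"             \
+  "accept *:4321,accept *:4643,accept *:5050,accept *:5190,"                  \
+  "accept *:5222-5223,accept *:5228,accept *:5900,accept *:6660-6669,"        \
+  "accept *:6679,accept *:6697,accept *:8000,accept *:8008,accept *:8074,"    \
+  "accept *:8080,accept *:8082,accept *:8087-8088,accept *:8232-8233,"        \
+  "accept *:8332-8333,accept *:8443,accept *:8888,accept *:9418,"             \
+  "accept *:9999,accept *:10000,accept *:11371,accept *:19294,"               \
+  "accept *:19638,accept *:50002,accept *:64738,reject *:*"
+
 /** Parse the exit policy <b>cfg</b> into the linked list *<b>dest</b>.
  *
  * If <b>ipv6_exit</b> is false, prepend "reject *6:*" to the policy.
@@ -1912,7 +1931,8 @@ policies_parse_exit_policy_internal(config_line_t *cfg,
                                     const smartlist_t *configured_addresses,
                                     int reject_interface_addresses,
                                     int reject_configured_port_addresses,
-                                    int add_default_policy)
+                                    int add_default_policy,
+                                    int add_reduced_policy)
 {
   if (!ipv6_exit) {
     append_exit_policy_string(dest, "reject *6:*");
@@ -1938,7 +1958,10 @@ policies_parse_exit_policy_internal(config_line_t *cfg,
    * effect, and are most likely an error. */
   policies_log_first_redundant_entry(*dest);
 
-  if (add_default_policy) {
+  if (add_reduced_policy) {
+    append_exit_policy_string(dest, REDUCED_EXIT_POLICY);
+  }
+  else if (add_default_policy) {
     append_exit_policy_string(dest, DEFAULT_EXIT_POLICY);
   } else {
     append_exit_policy_string(dest, "reject *4:*");
@@ -1979,13 +2002,15 @@ policies_parse_exit_policy(config_line_t *cfg, smartlist_t **dest,
   int add_default = (options & EXIT_POLICY_ADD_DEFAULT) ? 1 : 0;
   int reject_local_interfaces = (options &
                                  EXIT_POLICY_REJECT_LOCAL_INTERFACES) ? 1 : 0;
+  int add_reduced = (options & EXIT_POLICY_ADD_REDUCED) ? 1 : 0;
 
   return policies_parse_exit_policy_internal(cfg,dest,ipv6_enabled,
                                              reject_private,
                                              configured_addresses,
                                              reject_local_interfaces,
                                              reject_local_interfaces,
-                                             add_default);
+                                             add_default,
+                                             add_reduced);
 }
 
 /** Helper function that adds a copy of addr to a smartlist as long as it is
@@ -2094,10 +2119,14 @@ policies_parse_exit_policy_from_options(const or_options_t *or_options,
     parser_cfg |= EXIT_POLICY_REJECT_PRIVATE;
   }
 
-  if (!or_options->BridgeRelay) {
+  if (!or_options->BridgeRelay && !or_options->ReducedExitPolicy) {
     parser_cfg |= EXIT_POLICY_ADD_DEFAULT;
   }
 
+  if (or_options->ReducedExitPolicy) {
+    parser_cfg |= EXIT_POLICY_ADD_REDUCED;
+  }
+
   if (or_options->ExitPolicyRejectLocalInterfaces) {
     parser_cfg |= EXIT_POLICY_REJECT_LOCAL_INTERFACES;
   }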
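Review bot: In policies_parse_exit_policy_from_options the new `if (or_options->ReducedExitPolicy)` block sets EXIT_POLICY_ADD_REDUCED even for a BridgeRelay, whereas the condition just above it deliberately withholds EXIT_POLICY_ADD_DEFAULT from bridges, so a bridge configured with ReducedExitPolicy 1 now gets the REDUCED_EXIT_POLICY accept list appended in policies_parse_exit_policy_internal instead of the `reject *4:*` fallback it received before this patch. If bridges are meant to keep that fallback, gate the new flag the same way: `if (or_options->ReducedExitPolicy && !or_options->BridgeRelay) {`. The doc comment of policies_parse_exit_policy_internal (the `/** Parse the exit policy <b>cfg</b> ...` block) is not updated for the new parameter; add a line such as `* If <b>add_reduced_policy</b> is true, append REDUCED_EXIT_POLICY; it takes precedence over <b>add_default_policy</b>.`, because the `if (add_reduced_policy) ... else if (add_default_policy)` chain makes the reduced policy win when both flags are set, which EXIT_POLICY_OPTION_ALL does, so tests built on that mask may presumably now see the reduced policy (worth confirming). Two smaller points in the same file: the `}` / `else if (add_default_policy) {` split should be joined as `} else if (add_default_policy) {` to match the `} else {` on the next line, and REDUCED_EXIT_POLICY carries no explanation, where a one-liner such as `/* Port list of the Reduced Exit Policy; keep in sync with the table in doc/tor.1.txt. */` would tell the next maintainer where the list is mirrored. All three functions touched here begin and end outside their hunks.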
  • src/or/policies.h

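diff --git a/src/or/policies.h b/src/or/policies.h
index 52ff4e2f9..cd97ee7f5 100644
--- a/src/or/policies.h
+++ b/src/or/policies.h
@@ -22,7 +22,8 @@
 #define EXIT_POLICY_REJECT_PRIVATE           (1 << 1)
 #define EXIT_POLICY_ADD_DEFAULT              (1 << 2)
 #define EXIT_POLICY_REJECT_LOCAL_INTERFACES  (1 << 3)
-#define EXIT_POLICY_OPTION_MAX             EXIT_POLICY_REJECT_LOCAL_INTERFACES
+#define EXIT_POLICY_ADD_REDUCED              (1 << 4)
+#define EXIT_POLICY_OPTION_MAX             EXIT_POLICY_ADD_REDUCED
 /* All options set: used for unit testing */
 #define EXIT_POLICY_OPTION_ALL             ((EXIT_POLICY_OPTION_MAX << 1) - 1)
 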
  • doc/tor.1.txt

    -- 
    2.14.1
    
    
    From 0bcecb792d0d0ae8e58085bb2e737cfb277a033e Mon Sep 17 00:00:00 2001
    From: Neel Chauhan <neel@neelc.org>
    Date: Tue, 10 Oct 2017 12:40:42 -0400
    Subject: [PATCH 2/3] Modify man page to describe ReducedExitPolicy option
    
    ---
     doc/tor.1.txt | 101 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++-
     1 file changed, 100 insertions(+), 1 deletion(-)
    
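diff --git a/doc/tor.1.txt b/doc/tor.1.txt
index ba2bc13da..949bd40c2 100644
--- a/doc/tor.1.txt
+++ b/doc/tor.1.txt
@@ -1759,7 +1759,13 @@ is non-zero):
        reject *:6346-6429
        reject *:6699
        reject *:6881-6999
-       accept *:*
+       accept *:* +
+ +
+    If you want to use a reduced exit policy rather than the default exit
+    policy, set "ReducedExitPolicy 1". If you want to _replace_ the default
+    exit policy with your custom exit policy, end your exit policy with either
+    a reject *:* or an accept *:*. Otherwise, you’re _augmenting_ (prepending
+    to) the default or reduced exit policy.
 
 [[ExitPolicyDefault]]::
     Since the default exit policy uses accept/reject *, it applies to both
@@ -1783,6 +1789,99 @@ is non-zero):
     to disclose.
     (Default: 0)
 
+[[ReducedExitPolicy] **ReducedExitPolicy** **0**|**1**::
+    If set, use a reduced exit policy rather than the default one. +
+ +
+    The reduced exit policy is an alternative to the default exit policy. It
+    allows as many Internet services as possible while still blocking the
+    majority of TCP ports. Currently, the policy allows approximately 65 ports.
+    This reduces the odds that your node will be used for peer-to-peer
+    applications. +
+ +
+    The reduced exit policy is:
+
+        accept *:20-21
+        accept *:22
+        accept *:23
+        accept *:43
+        accept *:53
+        accept *:79
+        accept *:80-81
+        accept *:88
+        accept *:110
+        accept *:143
+        accept *:194
+        accept *:220
+        accept *:389
+        accept *:443
+        accept *:464
+        accept *:465
+        accept *:531
+        accept *:543-544
+        accept *:554
+        accept *:563
+        accept *:587
+        accept *:636
+        accept *:706
+        accept *:749
+        accept *:873
+        accept *:902-904
+        accept *:981
+        accept *:989-990
+        accept *:991
+        accept *:992
+        accept *:993
+        accept *:994
+        accept *:995
+        accept *:1194
+        accept *:1220
+        accept *:1293
+        accept *:1500
+        accept *:1533
+        accept *:1677
+        accept *:1723
+        accept *:1755
+        accept *:1863
+        accept *:2082
+        accept *:2083
+        accept *:2086-2087
+        accept *:2095-2096
+        accept *:2102-2104
+        accept *:3128
+        accept *:3389
+        accept *:3690
+        accept *:4321
+        accept *:4643
+        accept *:5050
+        accept *:5190
+        accept *:5222-5223
+        accept *:5228
+        accept *:5900
+        accept *:6660-6669
+        accept *:6679
+        accept *:6697
+        accept *:8000
+        accept *:8008
+        accept *:8074
+        accept *:8080
+        accept *:8082
+        accept *:8087-8088
+        accept *:8232-8233
+        accept *:8332-8333
+        accept *:8443
+        accept *:8888
+        accept *:9418
+        accept *:9999
+        accept *:10000
+        accept *:11371
+        accept *:19294
+        accept *:19638
+        accept *:50002
+        accept *:64738
+        reject *:* +
+ +
+    (Default: 0)
+
 [[IPv6Exit]] **IPv6Exit** **0**|**1**::
     If set, and we are an exit node, allow clients to use us for IPv6
     traffic. (Default: 0)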
  • new file changes/ticket13605

    -- 
    2.14.1
    
    
    From d1884258aa93a55d4dca405a6e3680bdded1bf76 Mon Sep 17 00:00:00 2001
    From: Neel Chauhan <neel@neelc.org>
    Date: Tue, 10 Oct 2017 12:41:57 -0400
    Subject: [PATCH 3/3] Add ChangLog entry for the ReducedExitPolicy option
    
    ---
     changes/ticket13605 | 4 ++++
     1 file changed, 4 insertions(+)
     create mode 100644 changes/ticket13605
    
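diff --git a/changes/ticket13605 b/changes/ticket13605
new file mode 100644
index 000000000..786ff0932
--- /dev/null
+++ b/changes/ticket13605
@@ -0,0 +1,4 @@
+  o Major features (tor-relay):
+    - Implement an option, ReducedExitPolicy, to allow an Tor exit relay
+      operator to use a reduced exit policy rather than the default one. Closes
+      ticket 13605.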