Opened 19 months ago

Last modified 19 months ago

#30053 new enhancement

Allow countrycodes in ExitPolicy

Reported by: tornewuser Owned by:
Priority: Medium Milestone: Tor: unspecified
Component: Core Tor/Tor Version:
Severity: Normal Keywords:
Cc: Actual Points:
Parent ID: Points:
Reviewer: Sponsor:


Let's say a user is from Russia. Let him configure Tor like this:

ExitRelay 1
ExitPolicy reject {ru}:*

to enable an exit node but not for addresses from the country he is living in, to avoid possible problems with local authorities.

Change History (4)

comment:1 Changed 19 months ago by nickm

Milestone: Tor: unspecified

comment:2 Changed 19 months ago by neel

ExitRelay and ExitPolicy are for exit relay operators, not clients. I believe you are talking about clients.

I think what you're looking for is ExcludeNodes. To exclude a country, you can use ExcludeNodes {RU} if you want to exclude Russian relays. Replace RU with the country code you want to exclude (e.g. DE or US, just put them inside {}). If you want to block multiple countries, you can do them in a comma-separated list like ExcludeNodes {RU}, {US}, {CN}

If you are talking about exit relay operators, blocking destinations to a country would consume resources, and could lead to false positives as IP addresses could be reassigned, transferred, or even allocated to another region than what's in the whois (e.g. cloud/VPS providers, multinational corporations with their own ASNs).

comment:3 Changed 19 months ago by tornewuser

I was talking about exit relay operators.

ExcludeNodes can also lead to false positives. It is still better than nothing though...

I think that the main problem with ExitPolicy reject {ru}:* would be to push this info to the nodes and relays directory and have it tested on the client side. Otherwise an exit node would just decline some connections and behave as if it were broken. The feature is more complicated than it seems.

comment:4 Changed 19 months ago by cypherpunks

It would additionally need to be parsed in the descriptor. How does this affect performance, parsing it together with the geoip file for every stream request in circuit selection?
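
With the ExitPolicy syntax that exists today, a country can only be expressed as explicit address rules, so the sketch below (an added example, not code from Tor or from this ticket) expands a country code into `ExitPolicy reject` lines from geoip-style rows; the number of lines it emits is the policy size that would have to be published and matched. The sample rows are constructed, the function names are hypothetical, and the `LOW,HIGH,CC` decimal layout is assumed to match the IPv4 geoip file shipped with Tor.

```python
import ipaddress

# Constructed sample rows (documentation address ranges, invented country
# assignments). Assumed layout: LOW,HIGH,CC with addresses as decimal integers.
SAMPLE_GEOIP = """\
# constructed sample data
3221225984,3221226111,RU
3221226112,3221226239,RU
3325256704,3325256706,DE
3405803776,3405803903,RU
3405803904,3405804031,US
"""


def country_networks(geoip_text, country):
    """Return the collapsed CIDR blocks the geoip rows assign to `country`."""
    nets = []
    for line in geoip_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue  # skip blanks and comment lines
        low, high, cc = line.split(",")
        if cc.upper() != country.upper():
            continue  # the ticket writes {ru}, the reply {RU}: accept both
        first = ipaddress.IPv4Address(int(low))
        last = ipaddress.IPv4Address(int(high))
        # A range need not sit on a prefix boundary, so one geoip row can
        # turn into several CIDR blocks (and therefore several policy lines).
        nets.extend(ipaddress.summarize_address_range(first, last))
    # Merge adjacent or overlapping blocks to keep the policy short.
    return list(ipaddress.collapse_addresses(nets))


def exit_policy_lines(geoip_text, country):
    """Render one explicit reject rule per CIDR block, in torrc syntax."""
    nets = country_networks(geoip_text, country)
    return [f"ExitPolicy reject {net}:*" for net in nets]


if __name__ == "__main__":
    for rule in exit_policy_lines(SAMPLE_GEOIP, "ru"):
        print(rule)
```

The generated list is a snapshot: it carries over whatever misattributions the geoip data has and goes stale as addresses are reassigned, which is the false-positive concern raised in comment 2.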
