Opened 7 weeks ago

Last modified 6 weeks ago

#30053 new enhancement

Allow countrycodes in ExitPolicy

Reported by: tornewuser
Owned by:
Priority: Medium
Milestone: Tor: unspecified
Component: Core Tor/Tor
Version:
Severity: Normal
Keywords:
Cc:
Actual Points:
Parent ID:
Points:
Reviewer:
Sponsor:

Description

Let's say a user is from Russia. Let him configure Tor like this:

ExitRelay 1
ExitPolicy reject {ru}:*

to enable an exit node, but not for addresses from the country he is living in, to avoid possible problems with local authorities.

Change History (4)

comment:1 Changed 7 weeks ago by nickm

Milestone: Tor: unspecified

comment:2 Changed 6 weeks ago by neel

ExitRelay and ExitPolicy are for exit relay operators, not clients. I believe you are talking about clients.

I think what you're looking for is ExcludeNodes. To exclude a country, you can use ExcludeNodes {RU} if you want to exclude Russian relays. Replace RU with the country code you want to exclude (e.g. DE or US, just put them inside {}). If you want to block multiple countries, you can do them in a comma-separated list like ExcludeNodes {RU}, {US}, {CN}

If you are talking about exit relay operators, blocking destinations to a country would consume resources, and could lead to false positives as IP addresses could be reassigned, transferred, or even allocated to another region than what's in the whois (e.g. cloud/VPS providers, multinational corporations with their own ASNs).

comment:3 Changed 6 weeks ago by tornewuser

I was talking about exit relay operators.

ExcludeNodes can also lead to false positives. It is still better than nothing though...

I think that the main problem with ExitPolicy reject {ru}:* would be to push this info to the nodes and relays directory and have it tested on the client side. Otherwise an exit node would just decline some connections and behave as if broken. The feature is more complicated than it seems.

comment:4 Changed 6 weeks ago by cypherpunks

It would additionally need to be parsed in the descriptor. How does it affect performance to parse it together with the geoip file for every stream request in circuit selection?
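Added example, not part of the ticket or of Tor's code: a sketch of how an exit operator could approximate `reject {ru}:*` with the existing address/mask ExitPolicy syntax by expanding one country's ranges from a file in Tor's IPv4 geoip format (`low,high,CC` with integer bounds). The sample data is constructed (RFC 5737 documentation ranges with made-up country assignments) and the function names are hypothetical; the output inherits whatever false positives the GeoIP data has, as comment:2 points out.

```python
import ipaddress

# Constructed sample in Tor's IPv4 geoip format: "low,high,CC", bounds as
# decimal integers. Addresses are RFC 5737 documentation ranges; the country
# assignments are invented for this example.
SAMPLE_GEOIP = """\
# constructed sample, not real GeoIP data
3221225984,3221226111,RU
3221226112,3221226239,RU
3325256704,3325256959,DE
3405803776,3405803875,RU
3405803876,3405804031,DE
"""


def parse_geoip(text):
    """Yield (low, high, cc) tuples, skipping comments and blank lines."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        low, high, cc = line.split(",")
        yield int(low), int(high), cc.upper()


def country_networks(text, cc):
    """Return the minimal list of CIDR networks covering one country's ranges."""
    nets = []
    for low, high, code in parse_geoip(text):
        if code != cc.upper():
            continue
        # A geoip range need not fall on a CIDR boundary, so it may expand
        # into several networks.
        nets.extend(ipaddress.summarize_address_range(
            ipaddress.IPv4Address(low), ipaddress.IPv4Address(high)))
    # Merge adjacent ranges that the file lists separately.
    return list(ipaddress.collapse_addresses(nets))


def exit_policy_lines(text, cc):
    """Render one 'ExitPolicy reject' torrc line per network."""
    return [f"ExitPolicy reject {net}:*" for net in country_networks(text, cc)]


if __name__ == "__main__":
    lines = exit_policy_lines(SAMPLE_GEOIP, "ru")
    print("\n".join(lines))
    print(f"# {len(lines)} policy lines from 3 geoip ranges")
```

Run against a full geoip file, the line count for a large country shows the size of the policy that would have to be carried and evaluated, which is the resource concern raised in the comments above.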
