Opened 7 years ago

Closed 3 years ago

#7904 closed enhancement (wontfix)

Allow domain-names in ExitPolicy

Reported by: davidl Owned by:
Priority: Medium Milestone: Tor: unspecified
Component: Core Tor/Tor Version:
Severity: Normal Keywords: tor-relay needs-proposal
Cc: Actual Points:
Parent ID: Points:
Reviewer: Sponsor:


Apparently ExitPolicy will only take an IP address literal (no domain names); when I try that, I get error messages like:

[warn] Malformed IP "" in address pattern; rejecting.
[warn] Couldn't parse line "". Dropping

If I list a domain-name there, I guess there are two ways it could be interpreted:

  1. At load-time, pull DNS records, follow all pointers, translate all A and AAAA records
  2. At connection-time (for all connections), do a reverse lookup, compare to the result

For maximum flexibility, support both, on a per-rule basis?

Child Tickets

Change History (3)

comment:1 Changed 7 years ago by nickm

Keywords: tor-relay needs-proposal added
Milestone: Tor: unspecified

This could be a neat idea, and would need a feature proposal. We'd need to define it carefully, and figure out how to migrate there while we're waiting for clients to support the new format. Could be one way to do exit enclaving.

comment:2 Changed 6 years ago by naif

Would it possible, with this method, to enable an exit policy to express stuff like:

  • "Allow only Facebook"
  • "Allow only Youtube"
  • "Allow only Youporn"

It would be interesting to try to implement one of such policy, as it would enable a lot of people to run "high bandwidth exit node" going on the top-traffic websites (that are also the non-abuse generating, so safe to be run at home).

comment:3 Changed 3 years ago by nickm

Resolution: wontfix
Severity: Normal
Status: newclosed
Note: See TracTickets for help on using tickets.