[tor-bugs] #25423 [Core Tor/Stem]: Treat 'ExitRelay 0' as a reject-all policy

Tor Bug Tracker & Wiki blackhole at torproject.org
Fri Mar 30 18:38:07 UTC 2018


#25423: Treat 'ExitRelay 0' as a reject-all policy
---------------------------+------------------------
 Reporter:  atagar         |          Owner:  atagar
     Type:  defect         |         Status:  new
 Priority:  Medium         |      Milestone:
Component:  Core Tor/Stem  |        Version:
 Severity:  Normal         |     Resolution:
 Keywords:                 |  Actual Points:
Parent ID:                 |         Points:
 Reviewer:                 |        Sponsor:
---------------------------+------------------------

Comment (by dmr):

 Replying to [comment:2 arma]:
 > Is stem looking at a 'getconf exitpolicy'?
 >
 > It seems like it should instead be doing a 'getinfo exitpolicy', which
 > should tell it what Tor is actually using as its exit policy.

 I've looked into this a bit so far; stem is definitely using GETCONF
 ExitPolicy:
 https://gitweb.torproject.org/stem.git/tree/stem/control.py?id=72700087b94f2889b5b364738a1178c324862ba5#n1292
 {{{
         for policy_line in self.get_conf('ExitPolicy', multiple = True):
           policy += policy_line.split(',')
 }}}

 On a local test relay (standard Debian9 tor stable) with torrc...
 {{{
 # configuration for local relay, for exploratory testing
 DataDirectory <redacted>
 SocksPort 1112
 ORPort 1113
 ControlPort 1111
 HashedControlPassword <redacted>
 ExitRelay 0
 PublishServerDescriptor 0
 AssumeReachable 1
 DownloadExtraInfo 1
 Log notice stdout
 Log notice file <redacted>/tor_log
 }}}
 ... `str(controller.get_exit_policy())` returns:
 {{{
 'reject 0.0.0.0/8:*, reject 169.254.0.0/16:*, reject 127.0.0.0/8:*, reject
 192.168.0.0/16:*, reject 10.0.0.0/8:*, reject 172.16.0.0/12:*, reject
 107.5.239.102:*, reject *:25, reject *:119, reject *:135-139, reject
 *:445, reject *:563, reject *:1214, reject *:4661-4666, reject
 *:6346-6429, reject *:6699, reject *:6881-6999, accept *:*'controller.
 }}}
 On a standard Debian9 tor client (i.e. no relaying),
 `str(controller.get_exit_policy())` returns the same.

 Obviously these are both incorrect.

 I'm looking into switching `get_exit_policy()` to use
 `controller.get_info('exit-policy/full')` instead.
 I think that will cover a lot of the more-complicated `get_conf` /
 `get_info` logic (e.g. `get_info('exit-policy/default')`) that currently
 exists in `get_exit_policy()`, but I'm checking fairly conservatively.

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/25423#comment:4>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
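
Added example, not part of the comment above and not stem's code: a small first-match policy evaluator showing what the reported policy string implies for a relay set to 'ExitRelay 0', next to the reject-all result the ticket title asks for. The dict shape for the configuration, the function names and the test destination are assumptions made for illustration, and the policy string is simplified to sit in a single ExitPolicy entry.

```python
import ipaddress

# The policy string from the comment above, with the relay's own address
# line left out. Everything else in this block is constructed.
REPORTED = (
    'reject 0.0.0.0/8:*, reject 169.254.0.0/16:*, reject 127.0.0.0/8:*, '
    'reject 192.168.0.0/16:*, reject 10.0.0.0/8:*, reject 172.16.0.0/12:*, '
    'reject *:25, reject *:119, reject *:135-139, reject *:445, reject *:563, '
    'reject *:1214, reject *:4661-4666, reject *:6346-6429, reject *:6699, '
    'reject *:6881-6999, accept *:*')

def parse_rule(rule):
    """'reject 10.0.0.0/8:*' -> (is_accept, network or None, low_port, high_port)."""
    action, target = rule.split()
    addr, _, ports = target.rpartition(':')
    net = None if addr == '*' else ipaddress.ip_network(addr)
    if ports == '*':
        low, high = 1, 65535
    else:
        low, _, high = ports.partition('-')
        low, high = int(low), int(high or low)
    return action == 'accept', net, low, high

def getconf_rules(conf):
    """Policy built from the ExitPolicy entries alone, without looking at ExitRelay."""
    return [parse_rule(r.strip()) for line in conf['ExitPolicy'] for r in line.split(',')]

def effective_rules(conf):
    """Same, but 'ExitRelay 0' is treated as reject-all, per the ticket title."""
    if conf.get('ExitRelay') == '0':
        return [parse_rule('reject *:*')]
    return getconf_rules(conf)

def can_exit_to(rules, ip, port):
    """First matching rule decides. Policies here always end in a catch-all rule."""
    addr = ipaddress.ip_address(ip)
    for is_accept, net, low, high in rules:
        if (net is None or addr in net) and low <= port <= high:
            return is_accept
    raise ValueError('no rule matched')

if __name__ == '__main__':
    conf = {'ExitRelay': '0', 'ExitPolicy': [REPORTED]}  # hypothetical dict shape
    dest = ('203.0.113.10', 443)                         # documentation address
    print('ExitPolicy only:', can_exit_to(getconf_rules(conf), *dest))
    print('with ExitRelay :', can_exit_to(effective_rules(conf), *dest))
```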

