reject *:6881-6999
accept *:*
+ Since the default exit policy uses accept/reject *, it applies to both
+ IPv4 and IPv6 addresses.
+
[[ExitPolicyRejectPrivate]] **ExitPolicyRejectPrivate** **0**|**1**::
- Reject all private (local) networks, along with your own public IP address,
- at the beginning of your exit policy. See above entry on ExitPolicy.
+ Reject all private (local) networks, along with your own configured public
+ IPv4 and IPv6 addresses, at the beginning of your exit policy. Also reject
+ any public IPv4 and IPv6 addresses on any interface on the relay. (If
+ IPv6Exit is not set, all IPv6 addresses will be rejected anyway.)
+ See above entry on ExitPolicy.
(Default: 1)
[[IPv6Exit]] **IPv6Exit** **0**|**1**::
## users will be told that those destinations are down.
##
## For security, by default Tor rejects connections to private (local)
- ## networks, including to your public IP address. See the man page entry
- ## for ExitPolicyRejectPrivate if you want to allow "exit enclaving".
+ ## networks, including to the configured public IPv4 and IPv6 addresses,
+ ## and any public IPv4 and IPv6 addresses on any interface on the relay.
+ ## See the man page entry for ExitPolicyRejectPrivate if you want to allow
+ ## "exit enclaving".
##
-#ExitPolicy accept *:6660-6667,reject *:* # allow irc ports but no more
-#ExitPolicy accept *:119 # accept nntp as well as default exit policy
+#ExitPolicy accept *:6660-6667,reject *:* # allow irc ports on IPv4 and IPv6 but no more
+#ExitPolicy accept *:119 # accept nntp ports on IPv4 and IPv6 as well as default exit policy
+#ExitPolicy accept *4:119 # accept nntp ports on IPv4 only as well as default exit policy
+#ExitPolicy accept6 *6:119 # accept nntp ports on IPv6 only as well as default exit policy
#ExitPolicy reject *:* # no exits allowed
## Bridge relays (or "bridges") are Tor relays that aren't listed in the
## users will be told that those destinations are down.
##
## For security, by default Tor rejects connections to private (local)
- ## networks, including to your public IP address. See the man page entry
- ## for ExitPolicyRejectPrivate if you want to allow "exit enclaving".
+ ## networks, including to the configured public IPv4 and IPv6 addresses,
+ ## and any public IPv4 and IPv6 addresses on any interface on the relay.
+ ## See the man page entry for ExitPolicyRejectPrivate if you want to allow
+ ## "exit enclaving".
##
-#ExitPolicy accept *:6660-6667,reject *:* # allow irc ports but no more
-#ExitPolicy accept *:119 # accept nntp as well as default exit policy
+#ExitPolicy accept *:6660-6667,reject *:* # allow irc ports on IPv4 and IPv6 but no more
+#ExitPolicy accept *:119 # accept nntp ports on IPv4 and IPv6 as well as default exit policy
+#ExitPolicy accept *4:119 # accept nntp ports on IPv4 only as well as default exit policy
+#ExitPolicy accept6 *6:119 # accept nntp ports on IPv6 only as well as default exit policy
#ExitPolicy reject *:* # no exits allowed
## Bridge relays (or "bridges") are Tor relays that aren't listed in the
int i;
smartlist_t *policy = NULL, *policy2 = NULL, *policy3 = NULL,
*policy4 = NULL, *policy5 = NULL, *policy6 = NULL,
- *policy7 = NULL, *policy12 = NULL;
+ *policy7 = NULL, *policy8 = NULL, *policy9 = NULL,
- *policy10 = NULL, *policy11 = NULL;
++ *policy10 = NULL, *policy11 = NULL, *policy12 = NULL;
addr_policy_t *p;
tor_addr_t tar;
config_line_t line;
tt_assert(policy2);
+ tor_addr_parse(&tar, "[2000::1234]");
+ tt_int_op(0, OP_EQ, policies_parse_exit_policy(NULL, &policy12,
+ EXIT_POLICY_IPV6_ENABLED |
+ EXIT_POLICY_REJECT_PRIVATE |
+ EXIT_POLICY_ADD_DEFAULT,
+ 0x0306090cu, &tar, 1));
+
+ tt_assert(policy12);
+
policy3 = smartlist_new();
- p = router_parse_addr_policy_item_from_string("reject *:*",-1);
+ p = router_parse_addr_policy_item_from_string("reject *:*", -1,
+ &malformed_list);
tt_assert(p != NULL);
smartlist_add(policy3, p);
- p = router_parse_addr_policy_item_from_string("accept *:*",-1);
+ p = router_parse_addr_policy_item_from_string("accept *:*", -1,
+ &malformed_list);
tt_assert(p != NULL);
smartlist_add(policy3, p);
tt_assert(p != NULL);
smartlist_add(policy7, p);
- EXIT_POLICY_ADD_DEFAULT, 0));
+ tt_int_op(0, OP_EQ, policies_parse_exit_policy(NULL, &policy8,
+ EXIT_POLICY_IPV6_ENABLED |
+ EXIT_POLICY_REJECT_PRIVATE |
- EXIT_POLICY_ADD_DEFAULT, 0));
++ EXIT_POLICY_ADD_DEFAULT, 0,
++ NULL, 0));
+
+ tt_assert(policy8);
+
+ tt_int_op(0, OP_EQ, policies_parse_exit_policy(NULL, &policy9,
+ EXIT_POLICY_REJECT_PRIVATE |
++ EXIT_POLICY_ADD_DEFAULT, 0,
++ NULL, 0));
+
+ tt_assert(policy9);
+
+ /* accept6 * and reject6 * produce IPv6 wildcards only */
+ policy10 = smartlist_new();
+ p = router_parse_addr_policy_item_from_string("accept6 *:*", -1,
+ &malformed_list);
+ tt_assert(p != NULL);
+ smartlist_add(policy10, p);
+
+ policy11 = smartlist_new();
+ p = router_parse_addr_policy_item_from_string("reject6 *:*", -1,
+ &malformed_list);
+ tt_assert(p != NULL);
+ smartlist_add(policy11, p);
+
tt_assert(!exit_policy_is_general_exit(policy));
tt_assert(exit_policy_is_general_exit(policy2));
tt_assert(!exit_policy_is_general_exit(NULL));
addr_policy_list_free(policy5);
addr_policy_list_free(policy6);
addr_policy_list_free(policy7);
+ addr_policy_list_free(policy8);
+ addr_policy_list_free(policy9);
+ addr_policy_list_free(policy10);
+ addr_policy_list_free(policy11);
+ addr_policy_list_free(policy12);
tor_free(policy_str);
if (sm) {
SMARTLIST_FOREACH(sm, char *, s, tor_free(s));
projects / thirdparty / tor.git / commitdiff
