Add an option to disable the block-private-addresses feature

Suggested by rransom.  Probably necessary for testing network mode.

diff --git a/changes/bug2279 b/changes/bug2279
index e0c23b36043c29031948f3723af56e5aa7b20321..d31300978eb4f9c37ce726279274ad8e3aaf93f9 100644 (file)
--- a/changes/bug2279
+++ b/changes/bug2279
@@ -8,6 +8,8 @@
       IP addresses (like 127.0.0.1, 10.0.0.1, and so on) with a randomly
       chosen exit node.  Attempts to do so are always ill-defined, generally
       prevented by exit policies, and usually in error.  This will also
-      help to detect loops in transparent proxy configurations.
+      help to detect loops in transparent proxy configurations.  You can
+      disable this feature by setting "ClientRejectInternalAddresses 0"
+      in your torrc.
 
 

diff --git a/src/or/config.c b/src/or/config.c
index 8c1205de474652fbe5259502d1f14b40d91204b3..5aca2256ff68e626f10e336b4ac395e9caed9c65 100644 (file)
--- a/src/or/config.c
+++ b/src/or/config.c
@@ -195,6 +195,7 @@ static config_var_t _option_vars[] = {
   V(CircuitStreamTimeout,        INTERVAL, "0"),
   V(CircuitPriorityHalflife,     DOUBLE,  "-100.0"), /*negative:'Use default'*/
   V(ClientDNSRejectInternalAddresses, BOOL,"1"),
+  V(ClientRejectInternalAddresses, BOOL,   "1"),
   V(ClientOnly,                  BOOL,     "0"),
   V(ConsensusParams,             STRING,   NULL),
   V(ConnLimit,                   UINT,     "1000"),
@@ -405,6 +406,7 @@ static config_var_t testing_tor_network_defaults[] = {
   V(AuthDirMaxServersPerAddr,    UINT,     "0"),
   V(AuthDirMaxServersPerAuthAddr,UINT,     "0"),
   V(ClientDNSRejectInternalAddresses, BOOL,"0"),
+  V(ClientRejectInternalAddresses, BOOL,   "0"),
   V(ExitPolicyRejectPrivate,     BOOL,     "0"),
   V(V3AuthVotingInterval,        INTERVAL, "5 minutes"),
   V(V3AuthVoteDelay,             INTERVAL, "20 seconds"),

diff --git a/src/or/connection_edge.c b/src/or/connection_edge.c
index a85943f69fa5d1702bbee001fa33c4d10267f3ac..47e9035e90ebe427ba1ede8075e5cd1b2f8b1f78 100644 (file)
--- a/src/or/connection_edge.c
+++ b/src/or/connection_edge.c
@@ -1659,7 +1659,8 @@ connection_ap_handshake_rewrite_and_attach(edge_connection_t *conn,
         connection_mark_unattached_ap(conn, END_STREAM_REASON_TORPROTOCOL);
         return -1;
       }
-      if (!conn->use_begindir && !conn->chosen_exit_name && !circ) {
+      if (options->ClientRejectInternalAddresses &&
+          !conn->use_begindir && !conn->chosen_exit_name && !circ) {
         tor_addr_t addr;
         if (tor_addr_from_str(&addr, socks->address) >= 0 &&
             tor_addr_is_internal(&addr, 0)) {

diff --git a/src/or/or.h b/src/or/or.h
index a3ec71a927e37002b7ca793b2036e1f419710e93..752de219ef24b6a198f444ad28b6d9b06b6363cb 100644 (file)
--- a/src/or/or.h
+++ b/src/or/or.h
@@ -2756,6 +2756,10 @@ typedef struct {
    * Helps avoid some cross-site attacks. */
   int ClientDNSRejectInternalAddresses;
 
+  /** If true, do not accept any requests to connect to internal addresses
+   * over randomly chosen exits. */
+  int ClientRejectInternalAddresses;
+
   /** The length of time that we think a consensus should be fresh. */
   int V3AuthVotingInterval;
   /** The length of time we think it will take to distribute votes. */