Commit 785176e9 authored by Nick Mathewson

Clean up and fix exit policy check in connection_exit_connect().

Previously, we would reject even rendezvous connections to IPv6
addresses when IPv6Exit was false.  But that doesn't make sense; we
don't count that as "exit"ing.  I've corrected the logic and tried
to make it a little more clear.

Fixes bug 18357; this code has been wrong since 9016d9e8 in
parent 68450051
o Minor bugfixes (hidden service):
- Allow hidden services to run on IPv6 addresses even when the
IPv6Exit option is not set. Fixes bug 18357; bugfix on
......@@ -3232,14 +3232,22 @@ connection_exit_connect(edge_connection_t *edge_conn)
uint16_t port;
connection_t *conn = TO_CONN(edge_conn);
int socket_error = 0, result;
if ( (!connection_edge_is_rendezvous_stream(edge_conn) &&
edge_conn->base_.port)) ||
(tor_addr_family(&conn->addr) == AF_INET6 &&
! get_options()->IPv6Exit)) {
log_info(LD_EXIT,"%s:%d failed exit policy. Closing.",
escaped_safe_str_client(conn->address), conn->port);
const char *why_failed_exit_policy = NULL;
if (! connection_edge_is_rendezvous_stream(edge_conn)) {
/* only apply exit policy to non-rendezvous connections. */
if (router_compare_to_my_exit_policy(&edge_conn->base_.addr,
edge_conn->base_.port)) {
why_failed_exit_policy = "";
} else if (tor_addr_family(&conn->addr) == AF_INET6 &&
! get_options()->IPv6Exit) {
why_failed_exit_policy = " (IPv6 address without IPv6Exit configured)";
if (why_failed_exit_policy) {
log_info(LD_EXIT,"%s:%d failed exit policy%s. Closing.",
escaped_safe_str_client(conn->address), conn->port,
connection_edge_end(edge_conn, END_STREAM_REASON_EXITPOLICY);
circuit_detach_stream(circuit_get_by_edge_conn(edge_conn), edge_conn);
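Review bot: In the new non-rendezvous block, why_failed_exit_policy = "" uses an empty string to mean "rejected, no extra detail", so the later if (why_failed_exit_policy) test depends on "" being non-NULL, which is easy to misread as "no failure". A one-line comment on that assignment, or a separate flag next to the reason string, would make the intent explicit. The same block passes edge_conn->base_.addr to router_compare_to_my_exit_policy() but reads conn->addr for the AF_INET6 test, even though conn is TO_CONN(edge_conn); using one spelling for both would make it obvious that the same address is being checked. No test is visible in this hunk; a case for a rendezvous stream to an IPv6 address with IPv6Exit unset would guard against the regression described in the commit message.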