
Merge branch 'exitnode_10067_squashed'

Conflicts:
	src/or/or.h
Nick Mathewson 9 years ago
parent
commit
90b9e23bec
5 changed files with 71 additions and 1 deletions
  1. 12 0
      changes/feature10067
  2. 13 0
      doc/tor.1.txt
  3. 2 1
      src/or/config.c
  4. 8 0
      src/or/or.h
  5. 36 0
      src/or/policies.c

+ 12 - 0
changes/feature10067

@@ -0,0 +1,12 @@
+  o Major features (changed defaults):
+    - Prevent relay operators from unintentionally running exits: When
+      a relay is configured as an exit node, we now warn the user
+      unless the 'ExitRelay' option is set to 1. We warn even more
+      loudly if the relay is configured with the default exit policy,
+      since this tends to indicate accidental misconfiguration.
+      Setting 'ExitRelay' to 0 stops Tor from running as an exit relay.
+      Closes ticket 10067.
+
+  o Removed features:
+    - To avoid confusion with the 'ExitRelay' option, 'ExitNode' is no
+      longer silently accepted as an alias for 'ExitNodes'.

+ 13 - 0
doc/tor.1.txt

@@ -1469,6 +1469,19 @@ is non-zero):
     that it's an email address and/or generate a new address for this
     purpose.
 
+[[ExitRelay]] **ExitRelay** **0**|**1**|**auto**::
+    Tells Tor whether to run as an exit relay.  If Tor is running as a
+    non-bridge server, and ExitRelay is set to 1, then Tor allows traffic to
+    exit according to the ExitPolicy option (or the default ExitPolicy if
+    none is specified).
+ +
+    If ExitRelay is set to 0, no traffic is allowed to
+    exit, and the ExitPolicy option is ignored. +
+ +
+    If ExitRelay is set to "auto", then Tor behaves as if it were set to 1, but
+    warns the user if this would cause traffic to exit.  In a future version,
+    the default value will be 0. (Default: auto)
+
 [[ExitPolicy]] **ExitPolicy** __policy__,__policy__,__...__::
     Set an exit policy for this server. Each policy is of the form
     "**accept**|**reject** __ADDR__[/__MASK__][:__PORT__]". If /__MASK__ is

+ 2 - 1
src/or/config.c

@@ -65,7 +65,6 @@ static config_abbrev_t option_abbrevs_[] = {
   PLURAL(AuthDirBadExitCC),
   PLURAL(AuthDirInvalidCC),
   PLURAL(AuthDirRejectCC),
-  PLURAL(ExitNode),
   PLURAL(EntryNode),
   PLURAL(ExcludeNode),
   PLURAL(FirewallPort),
@@ -229,6 +228,7 @@ static config_var_t option_vars_[] = {
   V(ExitPolicyRejectPrivate,     BOOL,     "1"),
   V(ExitPortStatistics,          BOOL,     "0"),
   V(ExtendAllowPrivateAddresses, BOOL,     "0"),
+  V(ExitRelay,                   AUTOBOOL, "auto"),
   VPORT(ExtORPort,               LINELIST, NULL),
   V(ExtORPortCookieAuthFile,     STRING,   NULL),
   V(ExtORPortCookieAuthFileGroupReadable, BOOL, "0"),
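Review bot: `V(ExitRelay, AUTOBOOL, "auto")` is placed after `ExtendAllowPrivateAddresses`, which breaks the alphabetical order the table otherwise keeps in this hunk (ExitPolicyRejectPrivate, ExitPortStatistics, then the Ext* entries). Moving it to follow `V(ExitPortStatistics, BOOL, "0")` keeps the Exit* options together, so the new default is easier to find when auditing relay defaults. The table begins and ends outside the hunk.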
@@ -3924,6 +3924,7 @@ options_transition_affects_descriptor(const or_options_t *old_options,
       !opt_streq(old_options->Nickname,new_options->Nickname) ||
       !opt_streq(old_options->Address,new_options->Address) ||
       !config_lines_eq(old_options->ExitPolicy,new_options->ExitPolicy) ||
+      old_options->ExitRelay != new_options->ExitRelay ||
       old_options->ExitPolicyRejectPrivate !=
         new_options->ExitPolicyRejectPrivate ||
       old_options->IPv6Exit != new_options->IPv6Exit ||

+ 8 - 0
src/or/or.h

@@ -4271,6 +4271,14 @@ typedef struct {
    * when sending.
    */
   int SchedulerMaxFlushCells__;
+
+  /** Is this an exit node?  This is a tristate, where "1" means "yes, and use
+   * the default exit policy if none is given" and "0" means "no; exit policy
+   * is 'reject *'" and "auto" (-1) means "same as 1, but warn the user."
+   *
+   * XXXX Eventually, the default will be 0. */
+  int ExitRelay;
+
 } or_options_t;
 
 /** Persistent state for an onion router, as saved to disk. */

+ 36 - 0
src/or/policies.c

@@ -434,6 +434,33 @@ validate_addr_policies(const or_options_t *options, char **msg)
     REJECT("Error in ExitPolicy entry.");
   }
 
+  static int warned_about_exitrelay = 0;
+
+  const int exitrelay_setting_is_auto = options->ExitRelay == -1;
+  const int policy_accepts_something =
+    ! (policy_is_reject_star(addr_policy, AF_INET) &&
+       policy_is_reject_star(addr_policy, AF_INET6));
+
+  if (server_mode(options) &&
+      ! warned_about_exitrelay &&
+      exitrelay_setting_is_auto &&
+      policy_accepts_something) {
+      /* Policy accepts something */
+    warned_about_exitrelay = 1;
+    log_warn(LD_CONFIG,
+             "Tor is running as an exit relay%s. If you did not want this "
+             "behavior, please set the ExitRelay option to 0. If you do "
+             "want to run an exit Relay, please set the ExitRelay option "
+             "to 1 to disable this warning, and for forward compatibility.",
+             options->ExitPolicy == NULL ?
+                 " with the default exit policy" : "");
+    if (options->ExitPolicy == NULL) {
+      log_warn(LD_CONFIG,
+               "In a future version of Tor, ExitRelay 0 may become the "
+               "default when no ExitPolicy is given.");
+    }
+  }
+
   /* The rest of these calls *append* to addr_policy. So don't actually
    * use the results for anything other than checking if they parse! */
   if (parse_addr_policy(options->DirPolicy, &addr_policy, -1))
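Review bot: The once-only latch `warned_about_exitrelay` is set inside validate_addr_policies, so the warning is tied to whichever options are validated first rather than to the configuration that ends up in effect. If this validator also runs on candidate options that are later rejected, or again after a reload (neither is visible in this hunk), a relay that starts exiting with ExitRelay still at auto gets no warning for the rest of the process lifetime. Consider resetting the latch when ExitRelay or ExitPolicy changes, or logging from the point where options are committed. `options->ExitRelay == -1` would read better against a named constant for the auto value, and the `/* Policy accepts something */` comment is mis-indented and only repeats the variable name. The function begins and ends outside the hunk.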
@@ -1022,6 +1049,9 @@ policies_parse_exit_policy(config_line_t *cfg, smartlist_t **dest,
  *
  * If <b>or_options->BridgeRelay</b> is false, add entries of default
  * Tor exit policy into <b>result</b> smartlist.
+ *
+ * If or_options->ExitRelay is false, then make our exit policy into
+ * "reject *:*" regardless.
  */
 int
 policies_parse_exit_policy_from_options(const or_options_t *or_options,
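Review bot: "false" in the added paragraph is ambiguous for a tristate, because the or.h comment in this commit gives the auto value as -1, which is truthy in C, and the code in the following hunk tests `== 0` exactly. I would word it as `If <b>or_options->ExitRelay</b> is 0 (not "auto"), the result is "reject *4:*" plus "reject *6:*" and the ExitPolicy lines are not parsed.`, which also matches the `<b>` markup of the neighbouring paragraphs. The doc comment begins above the hunk.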
@@ -1030,6 +1060,12 @@ policies_parse_exit_policy_from_options(const or_options_t *or_options,
 {
   exit_policy_parser_cfg_t parser_cfg = 0;
 
+  if (or_options->ExitRelay == 0) {
+    append_exit_policy_string(result, "reject *4:*");
+    append_exit_policy_string(result, "reject *6:*");
+    return 0;
+  }
+
   if (or_options->IPv6Exit) {
     parser_cfg |= EXIT_POLICY_IPV6_ENABLED;
   }
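Review bot: The early return for `or_options->ExitRelay == 0` happens before any of the configured ExitPolicy lines are parsed, so a malformed ExitPolicy would presumably go undiagnosed until the operator later switches ExitRelay to 1 or auto. That is consistent with the man page text "the ExitPolicy option is ignored", but the branch deserves a comment saying it is deliberate, for example `/* ExitRelay 0: do not parse ExitPolicy; publish reject-all for IPv4 and IPv6. */`. The function continues past the end of the hunk.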