|
@@ -1474,6 +1474,53 @@ connection_ap_handshake_rewrite_and_attach(entry_connection_t *conn,
|
|
|
}
|
|
|
#endif
|
|
|
|
|
|
+ /* socks->address is a non-onion hostname or IP address.
|
|
|
+ * If we can't do any non-onion requests, refuse the connection.
|
|
|
+ * If we have a hostname but can't do DNS, refuse the connection.
|
|
|
+ * If we have an IP address, but we can't use that address family,
|
|
|
+ * refuse the connection.
|
|
|
+ *
|
|
|
+ * If we can do DNS requests, and we can use at least one address family,
|
|
|
+ * then we have to resolve the address first. Then we'll know if it
|
|
|
+ * resolves to a usable address family. */
|
|
|
+
|
|
|
+ /* First, check if all non-onion traffic is disabled */
|
|
|
+ if (!conn->entry_cfg.dns_request && !conn->entry_cfg.ipv4_traffic
|
|
|
+ && !conn->entry_cfg.ipv6_traffic) {
|
|
|
+ log_warn(LD_APP, "Refusing to connect to non-hidden-service hostname "
|
|
|
+ "or IP address %s because Port has OnionTrafficOnly set (or "
|
|
|
+ "NoDNSRequest, NoIPv4Traffic, and NoIPv6Traffic).",
|
|
|
+ safe_str_client(socks->address));
|
|
|
+ connection_mark_unattached_ap(conn, END_STREAM_REASON_ENTRYPOLICY);
|
|
|
+ return -1;
|
|
|
+ }
|
|
|
+
|
|
|
+ /* Then check if we have a hostname or IP address, and whether DNS or
|
|
|
+ * the IP address family are permitted */
|
|
|
+ tor_addr_t dummy_addr;
|
|
|
+ int socks_family = tor_addr_parse(&dummy_addr, socks->address);
|
|
|
+ /* family will be -1 for a non-onion hostname that's not an IP */
|
|
|
+ if (socks_family == -1 && !conn->entry_cfg.dns_request) {
|
|
|
+ log_warn(LD_APP, "Refusing to connect to hostname %s "
|
|
|
+ "because Port has NoDNSRequest set.",
|
|
|
+ safe_str_client(socks->address));
|
|
|
+ connection_mark_unattached_ap(conn, END_STREAM_REASON_ENTRYPOLICY);
|
|
|
+ return -1;
|
|
|
+ } else if (socks_family == AF_INET && !conn->entry_cfg.ipv4_traffic) {
|
|
|
+ log_warn(LD_APP, "Refusing to connect to IPv4 address %s because "
|
|
|
+ "Port has NoIPv4Traffic set.",
|
|
|
+ safe_str_client(socks->address));
|
|
|
+ connection_mark_unattached_ap(conn, END_STREAM_REASON_ENTRYPOLICY);
|
|
|
+ return -1;
|
|
|
+ } else if (socks_family == AF_INET6 && !conn->entry_cfg.ipv6_traffic) {
|
|
|
+ log_warn(LD_APP, "Refusing to connect to IPv6 address %s because "
|
|
|
+ "Port has NoIPv6Traffic set.",
|
|
|
+ safe_str_client(socks->address));
|
|
|
+ connection_mark_unattached_ap(conn, END_STREAM_REASON_ENTRYPOLICY);
|
|
|
+ return -1;
|
|
|
+ }
|
|
|
+ /* No else, we've covered all possible returned value. */
|
|
|
+
|
|
|
/* See if this is a hostname lookup that we can answer immediately.
|
|
|
* (For example, an attempt to look up the IP address for an IP address.)
|
|
|
*/
|