Add an ExitRelay option to override ExitPolicy

If we're not a relay, we ignore it.

If it's set to 1, we obey ExitPolicy.

If it's set to 0, we force ExitPolicy to 'reject *:*'

And if it's set to auto, then we warn the user if they're running an
exit, and tell them how they can stop running an exit if they didn't
mean to do that.

Fixes ticket 10067

doc/tor.1.txt

@@ -1479,6 +1479,19 @@ is non-zero):
     that it's an email address and/or generate a new address for this
     purpose.
 
+[[ExitRelay]] **ExitRelay** **0**|**1**|**auto**::
+    Tells Tor whether to run as an exit relay.  If Tor is running as a
+    non-bridge server, and ExitRelay is set to 1, then Tor allows traffic to
+    exit according to the ExitPolicy option (or the default ExitPolicy if
+    none is specified).
+ +
+    If ExitRelay is set to 0, no traffic is allowed to
+    exit, and the ExitPolicy option is ignored. +
+ +
+    If ExitRelay is set to "auto", then Tor behaves as if it were set to 1, but
+    warns the user if this would cause traffic to exit.  In a future version,
+    the default value will be 0. (Default: auto)
+
 [[ExitPolicy]] **ExitPolicy** __policy__,__policy__,__...__::
     Set an exit policy for this server. Each policy is of the form
     "**accept**|**reject** __ADDR__[/__MASK__][:__PORT__]". If /__MASK__ is

src/or/config.c

@@ -63,7 +63,6 @@ static config_abbrev_t option_abbrevs_[] = {
   PLURAL(AuthDirBadExitCC),
   PLURAL(AuthDirInvalidCC),
   PLURAL(AuthDirRejectCC),
-  PLURAL(ExitNode),
   PLURAL(EntryNode),
   PLURAL(ExcludeNode),
   PLURAL(FirewallPort),
@@ -227,6 +226,7 @@ static config_var_t option_vars_[] = {
   V(ExitPolicyRejectPrivate,     BOOL,     "1"),
   V(ExitPortStatistics,          BOOL,     "0"),
   V(ExtendAllowPrivateAddresses, BOOL,     "0"),
+  V(ExitRelay,                   AUTOBOOL, "auto"),
   VPORT(ExtORPort,               LINELIST, NULL),
   V(ExtORPortCookieAuthFile,     STRING,   NULL),
   V(ExtORPortCookieAuthFileGroupReadable, BOOL, "0"),
@@ -3797,6 +3797,7 @@ options_transition_affects_descriptor(const or_options_t *old_options,
       !opt_streq(old_options->Nickname,new_options->Nickname) ||
       !opt_streq(old_options->Address,new_options->Address) ||
       !config_lines_eq(old_options->ExitPolicy,new_options->ExitPolicy) ||
+      old_options->ExitRelay != new_options->ExitRelay ||
       old_options->ExitPolicyRejectPrivate !=
         new_options->ExitPolicyRejectPrivate ||
       old_options->IPv6Exit != new_options->IPv6Exit ||

src/or/or.h

@@ -4232,6 +4232,13 @@ typedef struct {
   /** Should we send the timestamps that pre-023 hidden services want? */
   int Support022HiddenServices;
 
+  /** Is this an exit node?  This is a tristate, where "1" means "yes, and use
+   * the default exit policy if none is given" and "0" means "no; exit policy
+   * is 'reject *'" and "auto" (-1) means "same as 1, but warn the user."
+   *
+   * XXXX Eventually, the default will be 0. */
+  int ExitRelay;
+
 } or_options_t;
 
 /** Persistent state for an onion router, as saved to disk. */

src/or/policies.c

@@ -434,6 +434,33 @@ validate_addr_policies(const or_options_t *options, char **msg)
     REJECT("Error in ExitPolicy entry.");
   }
 
+  static int warned_about_exitrelay = 0;
+
+  const int exitrelay_setting_is_auto = options->ExitRelay == -1;
+  const int policy_accepts_something =
+    ! (policy_is_reject_star(addr_policy, AF_INET) &&
+       policy_is_reject_star(addr_policy, AF_INET6));
+
+  if (server_mode(options) &&
+      ! warned_about_exitrelay &&
+      exitrelay_setting_is_auto &&
+      policy_accepts_something) {
+      /* Policy accepts something */
+    warned_about_exitrelay = 1;
+    log_warn(LD_CONFIG,
+             "Tor is running as an exit relay%s. If you did not want this "
+             "behavior, please set the ExitRelay option to 0. If you do "
+             "want to run an exit Relay, please set the ExitRelay option "
+             "to 1 to disable this warning, and for forward compatibility.",
+             options->ExitPolicy == NULL ?
+                 " with the default exit policy" : "");
+    if (options->ExitPolicy == NULL) {
+      log_warn(LD_CONFIG,
+               "In a future version of Tor, ExitRelay 0 may become the "
+               "default when no ExitPolicy is given.");
+    }
+  }
+
   /* The rest of these calls *append* to addr_policy. So don't actually
    * use the results for anything other than checking if they parse! */
   if (parse_addr_policy(options->DirPolicy, &addr_policy, -1))
@@ -1022,6 +1049,9 @@ policies_parse_exit_policy(config_line_t *cfg, smartlist_t **dest,
  *
  * If <b>or_options->BridgeRelay</b> is false, add entries of default
  * Tor exit policy into <b>result</b> smartlist.
+ *
+ * If or_options->ExitRelay is false, then make our exit policy into
+ * "reject *:*" regardless.
  */
 int
 policies_parse_exit_policy_from_options(const or_options_t *or_options,
@@ -1030,6 +1060,12 @@ policies_parse_exit_policy_from_options(const or_options_t *or_options,
 {
   exit_policy_parser_cfg_t parser_cfg = 0;
 
+  if (or_options->ExitRelay == 0) {
+    append_exit_policy_string(result, "reject *4:*");
+    append_exit_policy_string(result, "reject *6:*");
+    return 0;
+  }
+
   if (or_options->IPv6Exit) {
     parser_cfg |= EXIT_POLICY_IPV6_ENABLED;
   }