From 4050dfa320e3322beb263bff3afc1db10df5af96 Mon Sep 17 00:00:00 2001 From: Nick Mathewson Date: Mon, 3 Mar 2014 10:45:39 -0500 Subject: Warn if ports are specified in {Socks,Dir}Policy We have ignored any ports listed here since 80365b989 (0.0.7rc1), but we didn't warn the user that we were ignoring them. This patch adds a warning if you put explicit ports in any of the options {Socks,Dir}Policy or AuthDir{Reject,Invalid,BadDir,BadExit}. It also adjusts the manpage to say that ports are ignored. Fixes ticket 11108. --- doc/tor.1.txt | 11 ++++++++--- 1 file changed, 8 insertions(+), 3 deletions(-) (limited to 'doc') diff --git a/doc/tor.1.txt b/doc/tor.1.txt index 2b6de2ab6..31a56e92e 100644 --- a/doc/tor.1.txt +++ b/doc/tor.1.txt @@ -1025,7 +1025,7 @@ The following options are useful only for clients (that is, if [[SocksPolicy]] **SocksPolicy** __policy__,__policy__,__...__:: Set an entrance policy for this server, to limit who can connect to the SocksPort and DNSPort ports. The policies have the same form as exit - policies below. + policies below, except that port specifiers are ignored. [[SocksTimeout]] **SocksTimeout** __NUM__:: Let a socks connection wait NUM seconds handshaking, and NUM seconds @@ -1822,7 +1822,8 @@ if DirPort is non-zero): [[DirPolicy]] **DirPolicy** __policy__,__policy__,__...__:: Set an entrance policy for this server, to limit who can connect to the - directory ports. The policies have the same form as exit policies above. + directory ports. The policies have the same form as exit policies above, + except that port specifiers are ignored. [[FetchV2Networkstatus]] **FetchV2Networkstatus** **0**|**1**:: If set, we try to fetch the (obsolete, unused) version 2 network status 
@@ -1866,7 +1867,11 @@ DIRECTORY AUTHORITY SERVER OPTIONS [[AuthDirBadDir]] **AuthDirBadDir** __AddressPattern...__:: Authoritative directories only. A set of address patterns for servers that will be listed as bad directories in any network status document this - authority publishes, if **AuthDirListBadDirs** is set. + authority publishes, if **AuthDirListBadDirs** is set. + + + + (The address pattern syntax here and in the options below + is the same as for exit policies, except that you don't need to say + "accept" or "reject", and ports are not needed.) [[AuthDirBadExit]] **AuthDirBadExit** __AddressPattern...__:: Authoritative directories only. A set of address patterns for servers that -- cgit v1.2.3 From 967d9c9f1029a5d9b993888bac91d3959bf4c991 Mon Sep 17 00:00:00 2001 From: Nick Mathewson Date: Thu, 6 Mar 2014 10:21:59 -0500 Subject: Clarify default behavior of {SOCKS,Dir}Policy harder Improvement on 11108 fix; suggested by cypherpunks. --- doc/tor.1.txt | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) (limited to 'doc') diff --git a/doc/tor.1.txt b/doc/tor.1.txt index 31a56e92e..4b686ca88 100644 --- a/doc/tor.1.txt +++ b/doc/tor.1.txt @@ -1025,7 +1025,8 @@ The following options are useful only for clients (that is, if [[SocksPolicy]] **SocksPolicy** __policy__,__policy__,__...__:: Set an entrance policy for this server, to limit who can connect to the SocksPort and DNSPort ports. The policies have the same form as exit - policies below, except that port specifiers are ignored. + policies below, except that port specifiers are ignored. Any address + not matched by some entry in the policy is accepted. [[SocksTimeout]] **SocksTimeout** __NUM__:: Let a socks connection wait NUM seconds handshaking, and NUM seconds 
@@ -1823,7 +1824,8 @@ if DirPort is non-zero): [[DirPolicy]] **DirPolicy** __policy__,__policy__,__...__:: Set an entrance policy for this server, to limit who can connect to the directory ports. The policies have the same form as exit policies above, - except that port specifiers are ignored. + except that port specifiers are ignored. Any address not matched by + some entry in the policy is accepted. [[FetchV2Networkstatus]] **FetchV2Networkstatus** **0**|**1**:: If set, we try to fetch the (obsolete, unused) version 2 network status -- cgit v1.2.3
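Review bot: In commit 4050dfa, the SocksPolicy hunk (@@ -1025,7 +1025,7 @@) says port specifiers "are ignored" without saying what happens to the rest of the entry, and the identical wording is repeated in the DirPolicy hunk. An operator who wrote a port-limited rule cannot tell from this text whether the whole entry is dropped or whether it is applied using its address part alone, which changes who is allowed to connect. The commit message says a warning is now logged, but the manpage text does not mention it. Suggest spelling out the effective behavior in both places and noting that Tor warns at startup when a port is given.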
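Review bot: In commit 4050dfa, the AuthDirBadDir hunk (@@ -1866,7 +1867,11 @@) says "ports are not needed", which is weaker than the "port specifiers are ignored" used in the SocksPolicy and DirPolicy hunks and in the commit message. A reader could take "not needed" to mean ports are optional but honored if present. Suggest "ports are ignored" for consistency. The parenthetical is also attached only to AuthDirBadDir and relies on "the options below"; someone jumping straight to the [[AuthDirBadExit]] anchor will not see it, so consider a short cross-reference in each affected option.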
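Review bot: In commit 967d9c9, the sentence added to the SocksPolicy hunk (@@ -1025,7 +1025,8 @@), and repeated in the DirPolicy hunk, documents a default-accept policy but does not tell the reader how to turn a list of accept entries into an allow-list. Someone who sets only accept entries for their own network will still be accepting every other address. Suggest adding one sentence such as: to restrict access to the listed addresses, end the policy with a catch-all "reject *" entry.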