Module exit_policy

Expand description

Exit policy parsing and evaluation for Tor relays.

This module provides types for parsing and evaluating Tor exit policies, which determine what traffic a relay will allow to exit the Tor network. Exit policies are a fundamental part of Tor’s design, allowing relay operators to control which destinations their relay will connect to.

§Overview

Exit policies consist of ordered rules that are evaluated in sequence. Each rule either accepts or rejects traffic to specific addresses and ports. The first matching rule determines whether traffic is allowed.

§Policy Types

This module provides three main types:

ExitPolicy: A complete exit policy consisting of multiple rules
ExitPolicyRule: A single accept/reject rule with address and port specifications
MicroExitPolicy: A compact policy format used in microdescriptors

§Rule Format

Exit policy rules follow the format defined in the Tor directory specification:

accept|reject[6] addrspec:portspec

Where:

accept or reject determines if matching traffic is allowed
accept6 or reject6 are IPv6-specific variants
addrspec is an address specification (wildcard, IPv4, or IPv6 with optional CIDR mask)
portspec is a port specification (wildcard, single port, or port range)

§Address Specifications

Address specifications can be:

* - matches any address (IPv4 or IPv6)
*4 - matches any IPv4 address
*6 - matches any IPv6 address
IPv4 address: 192.168.1.1
IPv4 with CIDR: 10.0.0.0/8
IPv4 with mask: 192.168.0.0/255.255.0.0
IPv6 address: [::1]
IPv6 with CIDR: [2001:db8::]/32

§Port Specifications

Port specifications can be:

* - matches any port (1-65535)
Single port: 80
Port range: 80-443

§Example

use stem_rs::exit_policy::{ExitPolicy, MicroExitPolicy};
use std::net::IpAddr;

// Parse a full exit policy
let policy = ExitPolicy::parse("accept *:80, accept *:443, reject *:*").unwrap();

// Check if traffic can exit to a destination
let addr: IpAddr = "192.168.1.1".parse().unwrap();
assert!(policy.can_exit_to(addr, 80));   // HTTP allowed
assert!(policy.can_exit_to(addr, 443));  // HTTPS allowed
assert!(!policy.can_exit_to(addr, 22));  // SSH blocked

// Get a summary of the policy
assert_eq!(policy.summary(), "accept 80, 443");

// Parse a microdescriptor policy (port-only)
let micro = MicroExitPolicy::parse("accept 80,443").unwrap();
assert!(micro.can_exit_to(80));
assert!(!micro.can_exit_to(22));

§Private and Default Rules

Exit policies may contain special rule sequences:

Private rules: Rules expanded from the private keyword that block traffic to private/internal IP ranges (10.0.0.0/8, 192.168.0.0/16, etc.)
Default rules: The standard suffix appended by Tor that blocks commonly abused ports (SMTP, NetBIOS, etc.)

Use ExitPolicy::has_private and ExitPolicy::has_default to check for these, and ExitPolicy::strip_private and ExitPolicy::strip_default to remove them.

§See Also

crate::descriptor::ServerDescriptor - Contains relay exit policies
crate::descriptor::Microdescriptor - Contains micro exit policies
Tor Directory Specification - Formal policy format

Structs§

ExitPolicy: A complete exit policy consisting of multiple rules.
ExitPolicyRule: A single rule in an exit policy.
MicroExitPolicy: A compact exit policy used in microdescriptors.
PortRange: A range of TCP/UDP ports.

Enums§

AddressType: The type of address in an exit policy rule.