Took some effort but got getconf bridge working. Replying just 250 Bridge doesn’t cut it. I had to feed it a redacted reply.
The remaining command I have to clean up to make safe is getinfo circuit-status. It is required so we can’t block it, however it passes all the info about a circuit path fully. The replies have varying lengths and so require a bunch of rules with varying capture group numbers to account for all possible patterns.
There are two problems with the whitelist rule I have right now:
Doing a regex on 250+circuit-status is problematic because + is also interpreted as a special character if not escaped. I tried escaping pattern and reply as well as just the normal pattern, but that doesn’t work. There could also be problems with whitespace.
Example raw output:
250+circuit-status=00 BUILT Z~Z,Z~Z,Z~Z BUILD_FLAGS=NEED_CAPACITY PURPOSE=GENERAL TIME_CREATED=2020-09-16T00:00:00.000000
Example pattern rule checked on pythex.org:
250\+circuit-status=(\S+) BUILT (\S+) (\S+) (\S+) (\S+)
What I am using as a replacement:
250+circuit-status=redacted
The 650 STREAM events seem to be about the destination IP only and don’t reveal anything about circuits.
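
An added example, not part of the original post and not the filter's own code: in plain Python `re`, one anchored pattern with an escaped prefix can cover circuit-status lines of any length, and anything with that prefix that fails to parse is redacted whole. The names `redact`, `CIRCUIT_LINE` and `keep_metadata` are hypothetical, the sample lines are constructed in the shape quoted above, and how the filter itself loads and escapes rule patterns is not covered here.

```python
import re

RAW_PREFIX = "250+circuit-status="
# re.escape() makes "+" a literal; unescaped, "0+" means "one or more 0".
PREFIX = re.escape(RAW_PREFIX)

# One pattern for every reply length: ID, status, optional path, then any
# number of KEY=VALUE fields. Assumption: field keys are upper-case letters
# and underscores only, which is what separates them from the path token.
CIRCUIT_LINE = re.compile(
    r"^(?P<prefix>" + PREFIX + r")(?P<id>\S+)[ \t]+(?P<status>\S+)"
    r"(?:[ \t]+(?P<path>(?![A-Z_]+=)\S+))?"
    r"(?P<rest>(?:[ \t]+[A-Z_]+=\S*)*)[ \t]*$"
)

def matches_unescaped(line):
    """The failure mode from the post: the prefix used as a raw regex."""
    return re.search(RAW_PREFIX, line) is not None

def redact(line, keep_metadata=False):
    """Hide the circuit path; fail closed on lines that do not parse."""
    if not line.startswith(RAW_PREFIX):
        return line                      # other replies pass through untouched
    m = CIRCUIT_LINE.match(line)
    if m is None or not keep_metadata:
        return RAW_PREFIX + "redacted"   # the replacement used in the post
    path = " redacted" if m.group("path") else ""
    return (m.group("prefix") + m.group("id") + " " + m.group("status")
            + path + m.group("rest"))

# Constructed sample lines (not captured from a real Tor instance).
SAMPLES = [
    "250+circuit-status=00 BUILT Z~Z,Z~Z,Z~Z BUILD_FLAGS=NEED_CAPACITY "
    "PURPOSE=GENERAL TIME_CREATED=2020-09-16T00:00:00.000000",
    "250+circuit-status=01 EXTENDED Z~Z,Z~Z PURPOSE=GENERAL",
    "250+circuit-status=02 LAUNCHED BUILD_FLAGS=NEED_CAPACITY",
    "250+circuit-status=03  BUILT\tZ~Z",   # extra whitespace between fields
    "250 OK",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(redact(sample, keep_metadata=True))
```

With `keep_metadata=False` every circuit-status line collapses to the fixed replacement used in the post, so no capture groups are needed for that case.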