Start obeying our firewall options more rigorously:

- If we can't get to a dirserver directly, try going via Tor. - Don't ever try to connect (as a client) to a place our firewall options forbid. - If we specify a proxy and also firewall options, obey the firewall options even when we're using the proxy: some proxies can only proxy to certain destinations. svn:r5431
2024-09-21 05:26:20 +02:00 · 2005-11-19 10:12:10 +00:00 · 2005-11-19 10:12:10 +00:00 · 5c949fce51
commit 5c949fce51
parent b819a53654
4 changed files with 36 additions and 40 deletions
--- a/src/or/config.c
+++ b/src/or/config.c
@ -1701,7 +1701,7 @@ parse_reachable_addresses(void)
 }

 /** Return true iff the firewall options might block any address:port
- * combination
+ * combination.
 */
 int
 firewall_is_fascist(void)
@ -1710,7 +1710,7 @@ firewall_is_fascist(void)
 }

 /** Return true iff we are configured to think that the local fascist
- * firewall (if any) will allow a connection to <b>addr</b>:<b>port</b> */
+ * firewall (if any) will allow a connection to <b>addr</b>:<b>port</b>. */
 int
 fascist_firewall_allows_address(uint32_t addr, uint16_t port)
 {
--- a/src/or/directory.c
+++ b/src/or/directory.c
@ -133,6 +133,7 @@ directory_post_to_dirservers(uint8_t purpose, const char *payload,
                             size_t payload_len)
 {
  smartlist_t *dirservers;
+  int post_via_tor;

  router_get_trusted_dir_servers(&dirservers);
  tor_assert(dirservers);
@ -141,23 +142,15 @@ directory_post_to_dirservers(uint8_t purpose, const char *payload,
   */
  SMARTLIST_FOREACH(dirservers, trusted_dir_server_t *, ds,
    {
-      /* Pay attention to fascistfirewall when we're uploading a
-       * router descriptor, but not when uploading a service
-       * descriptor -- those use Tor. */
-      if (purpose == DIR_PURPOSE_UPLOAD_DIR && !get_options()->HttpProxy) {
-        if (!fascist_firewall_allows_address(ds->addr,ds->dir_port))
-          continue;
-      }
-      directory_initiate_command_trusted_dir(ds, purpose,
-                                             purpose_is_private(purpose),
+      post_via_tor = purpose_is_private(purpose) ||
+                     !fascist_firewall_allows_address(ds->addr,ds->dir_port);
+      directory_initiate_command_trusted_dir(ds, purpose, post_via_tor,
                                             NULL, payload, payload_len);
    });
 }

 /** Start a connection to a random running directory server, using
- * connection purpose 'purpose' requesting 'resource'.  The purpose
- * should be one of 'DIR_PURPOSE_FETCH_DIR',
- * 'DIR_PURPOSE_FETCH_RENDDESC', 'DIR_PURPOSE_FETCH_RUNNING_LIST.'
+ * connection purpose 'purpose' and requesting 'resource'.
 * If <b>retry_if_no_servers</b>, then if all the possible servers seem
 * down, mark them up and try again.
 */
@ -167,10 +160,10 @@ directory_get_from_dirserver(uint8_t purpose, const char *resource,
 {
  routerinfo_t *r = NULL;
  trusted_dir_server_t *ds = NULL;
-  int fascistfirewall = firewall_is_fascist();
  or_options_t *options = get_options();
  int fetch_fresh_first = server_mode(options) && options->DirPort != 0;
  int directconn = !purpose_is_private(purpose);
+  int need_to_use_tor = 0;

  int need_v1_support = purpose == DIR_PURPOSE_FETCH_DIR ||
                        purpose == DIR_PURPOSE_FETCH_RUNNING_LIST;
@ -187,12 +180,12 @@ directory_get_from_dirserver(uint8_t purpose, const char *resource,
    }
    if (!ds && fetch_fresh_first) {
      /* only ask authdirservers, and don't ask myself */
-      ds = router_pick_trusteddirserver(need_v1_support, 1, fascistfirewall,
+      ds = router_pick_trusteddirserver(need_v1_support, 1, 1,
                                        retry_if_no_servers);
    }
    if (!ds) {
      /* anybody with a non-zero dirport will do */
-      r = router_pick_directory_server(1, fascistfirewall, need_v2_support,
+      r = router_pick_directory_server(1, 1, need_v2_support,
                                       retry_if_no_servers);
      if (!r) {
        const char *which;
@ -205,15 +198,24 @@ directory_get_from_dirserver(uint8_t purpose, const char *resource,
        else // if (purpose == DIR_PURPOSE_FETCH_NETWORKSTATUS)
          which = "server descriptors";
        info(LD_DIR,
-             "No router found for %s; falling back to dirserver list",which);
-        ds = router_pick_trusteddirserver(1, 1, fascistfirewall,
+             "No router found for %s; falling back to dirserver list", which);
+        ds = router_pick_trusteddirserver(1, 1, 1,
                                          retry_if_no_servers);
+        if (!ds)
+          need_to_use_tor = 1; /* last resort: try routing it via Tor */
      }
    }
-  } else { // (purpose == DIR_PURPOSE_FETCH_RENDDESC)
-    /* only ask authdirservers, any of them will do */
+  }
+  if (!directconn || need_to_use_tor) {
    /* Never use fascistfirewall; we're going via Tor. */
-    ds = router_pick_trusteddirserver(0, 0, 0, retry_if_no_servers);
+    if (purpose == DIR_PURPOSE_FETCH_RENDDESC) {
+      /* only ask authdirservers, any of them will do */
+      ds = router_pick_trusteddirserver(0, 0, 0, retry_if_no_servers);
+    } else {
+      /* anybody with a non-zero dirport will do. Disregard firewalls. */
+      r = router_pick_directory_server(1, 0, need_v2_support,
+                                       retry_if_no_servers);
+    }
  }

  if (r)
--- a/src/or/or.h
+++ b/src/or/or.h
@ -314,26 +314,26 @@ typedef enum {
 #define _CONTROL_CONN_STATE_MAX 4

 #define _DIR_PURPOSE_MIN 1
-/** Purpose for connection to directory server: download a directory. */
+/** A connection to a directory server: download a directory. */
 #define DIR_PURPOSE_FETCH_DIR 1
-/** Purpose for connection to directory server: download just the list
+/** A connection to a directory server: download just the list
 * of running routers. */
 #define DIR_PURPOSE_FETCH_RUNNING_LIST 2
-/** Purpose for connection to directory server: download a rendezvous
+/** A connection to a directory server: download a rendezvous
 * descriptor. */
 #define DIR_PURPOSE_FETCH_RENDDESC 3
-/** Purpose for connection to directory server: set after a rendezvous
+/** A connection to a directory server: set after a rendezvous
 * descriptor is downloaded. */
 #define DIR_PURPOSE_HAS_FETCHED_RENDDESC 4
 /** A connection to a directory server: download one or more network-status
 * objects */
 #define DIR_PURPOSE_FETCH_NETWORKSTATUS 5
-/**  A connection to a directory server: download one or more server
+/** A connection to a directory server: download one or more server
 * descriptors. */
 #define DIR_PURPOSE_FETCH_SERVERDESC 6
-/** Purpose for connection to directory server: upload a server descriptor. */
+/** A connection to a directory server: upload a server descriptor. */
 #define DIR_PURPOSE_UPLOAD_DIR 7
-/** Purpose for connection to directory server: upload a rendezvous
+/** A connection to a directory server: upload a rendezvous
 * descriptor. */
 #define DIR_PURPOSE_UPLOAD_RENDDESC 8
 /** Purpose for connection at a directory server. */
--- a/src/or/routerlist.c
+++ b/src/or/routerlist.c
@ -339,7 +339,7 @@ router_pick_directory_server(int requireother,
    return choice;

  info(LD_DIR,"Still no %s router entries. Reloading and trying again.",
-         firewall_is_fascist() ? "reachable" : "known");
+         fascistfirewall ? "reachable" : "known");
  has_fetched_directory=0; /* reset it */
  if (router_reload_router_list()) {
    return NULL;
@ -391,8 +391,8 @@ router_pick_trusteddirserver(int need_v1_support,

 /** Pick a random running verified directory server/mirror from our
 * routerlist.
- * If <b>fascistfirewall</b> and we're not using a proxy,
- * make sure the port we pick is allowed by options-\>firewallports.
+ * If <b>fascistfirewall</b>,
+ * make sure the router we pick is allowed by our firewall options.
 * If <b>requireother</b>, it cannot be us.  If <b>for_v2_directory</b>,
 * choose a directory server new enough to support the v2 directory
 * functionality.
@ -407,9 +407,6 @@ router_pick_directory_server_impl(int requireother, int fascistfirewall,
  if (!routerlist)
    return NULL;

-  if (get_options()->HttpProxy)
-    fascistfirewall = 0;
-
  /* Find all the running dirservers we know about. */
  sl = smartlist_create();
  SMARTLIST_FOREACH(routerlist->routers, routerinfo_t *, router,
@ -439,8 +436,8 @@ router_pick_directory_server_impl(int requireother, int fascistfirewall,
 }

 /** Choose randomly from among the trusted dirservers that are up.
- * If <b>fascistfirewall</b> and we're not using a proxy,
- * make sure the port we pick is allowed by options-\>firewallports.
+ * If <b>fascistfirewall</b>,
+ * make sure the port we pick is allowed by our firewall options.
 * If <b>requireother</b>, it cannot be us.  If <b>need_v1_support</b>, choose
 * a trusted authority for the v1 directory system.
 */
@ -457,9 +454,6 @@ router_pick_trusteddirserver_impl(int need_v1_support,
  if (!trusted_dir_servers)
    return NULL;

-  if (get_options()->HttpProxy)
-    fascistfirewall = 0;
-
  SMARTLIST_FOREACH(trusted_dir_servers, trusted_dir_server_t *, d,
    {
      if (!d->is_running) continue;