Start obeying our firewall options more rigorously:

- If we can't get to a dirserver directly, try going via Tor.
  - Don't ever try to connect (as a client) to a place our firewall
    options forbid.
  - If we specify a proxy and also firewall options, obey the firewall
    options even when we're using the proxy: some proxies can only proxy
    to certain destinations.


svn:r5431
Roger Dingledine 2005-11-19 10:12:10 +00:00
parent b819a53654
commit 5c949fce51
4 changed files with 36 additions and 40 deletions


@ -1701,7 +1701,7 @@ parse_reachable_addresses(void)
} }
/** Return true iff the firewall options might block any address:port /** Return true iff the firewall options might block any address:port
* combination * combination.
*/ */
int int
firewall_is_fascist(void) firewall_is_fascist(void)
@ -1710,7 +1710,7 @@ firewall_is_fascist(void)
} }
/** Return true iff we are configured to think that the local fascist /** Return true iff we are configured to think that the local fascist
* firewall (if any) will allow a connection to <b>addr</b>:<b>port</b> */ * firewall (if any) will allow a connection to <b>addr</b>:<b>port</b>. */
int int
fascist_firewall_allows_address(uint32_t addr, uint16_t port) fascist_firewall_allows_address(uint32_t addr, uint16_t port)
{ {


@ -133,6 +133,7 @@ directory_post_to_dirservers(uint8_t purpose, const char *payload,
size_t payload_len) size_t payload_len)
{ {
smartlist_t *dirservers; smartlist_t *dirservers;
int post_via_tor;
router_get_trusted_dir_servers(&dirservers); router_get_trusted_dir_servers(&dirservers);
tor_assert(dirservers); tor_assert(dirservers);
@ -141,23 +142,15 @@ directory_post_to_dirservers(uint8_t purpose, const char *payload,
*/ */
SMARTLIST_FOREACH(dirservers, trusted_dir_server_t *, ds, SMARTLIST_FOREACH(dirservers, trusted_dir_server_t *, ds,
{ {
/* Pay attention to fascistfirewall when we're uploading a post_via_tor = purpose_is_private(purpose) ||
* router descriptor, but not when uploading a service !fascist_firewall_allows_address(ds->addr,ds->dir_port);
* descriptor -- those use Tor. */ directory_initiate_command_trusted_dir(ds, purpose, post_via_tor,
if (purpose == DIR_PURPOSE_UPLOAD_DIR && !get_options()->HttpProxy) {
if (!fascist_firewall_allows_address(ds->addr,ds->dir_port))
continue;
}
directory_initiate_command_trusted_dir(ds, purpose,
purpose_is_private(purpose),
NULL, payload, payload_len); NULL, payload, payload_len);
}); });
} }
/** Start a connection to a random running directory server, using /** Start a connection to a random running directory server, using
* connection purpose 'purpose' requesting 'resource'. The purpose * connection purpose 'purpose' and requesting 'resource'.
* should be one of 'DIR_PURPOSE_FETCH_DIR',
* 'DIR_PURPOSE_FETCH_RENDDESC', 'DIR_PURPOSE_FETCH_RUNNING_LIST.'
* If <b>retry_if_no_servers</b>, then if all the possible servers seem * If <b>retry_if_no_servers</b>, then if all the possible servers seem
* down, mark them up and try again. * down, mark them up and try again.
*/ */
@ -167,10 +160,10 @@ directory_get_from_dirserver(uint8_t purpose, const char *resource,
{ {
routerinfo_t *r = NULL; routerinfo_t *r = NULL;
trusted_dir_server_t *ds = NULL; trusted_dir_server_t *ds = NULL;
int fascistfirewall = firewall_is_fascist();
or_options_t *options = get_options(); or_options_t *options = get_options();
int fetch_fresh_first = server_mode(options) && options->DirPort != 0; int fetch_fresh_first = server_mode(options) && options->DirPort != 0;
int directconn = !purpose_is_private(purpose); int directconn = !purpose_is_private(purpose);
int need_to_use_tor = 0;
int need_v1_support = purpose == DIR_PURPOSE_FETCH_DIR || int need_v1_support = purpose == DIR_PURPOSE_FETCH_DIR ||
purpose == DIR_PURPOSE_FETCH_RUNNING_LIST; purpose == DIR_PURPOSE_FETCH_RUNNING_LIST;
@ -187,12 +180,12 @@ directory_get_from_dirserver(uint8_t purpose, const char *resource,
} }
if (!ds && fetch_fresh_first) { if (!ds && fetch_fresh_first) {
/* only ask authdirservers, and don't ask myself */ /* only ask authdirservers, and don't ask myself */
ds = router_pick_trusteddirserver(need_v1_support, 1, fascistfirewall, ds = router_pick_trusteddirserver(need_v1_support, 1, 1,
retry_if_no_servers); retry_if_no_servers);
} }
if (!ds) { if (!ds) {
/* anybody with a non-zero dirport will do */ /* anybody with a non-zero dirport will do */
r = router_pick_directory_server(1, fascistfirewall, need_v2_support, r = router_pick_directory_server(1, 1, need_v2_support,
retry_if_no_servers); retry_if_no_servers);
if (!r) { if (!r) {
const char *which; const char *which;
@ -205,15 +198,24 @@ directory_get_from_dirserver(uint8_t purpose, const char *resource,
else // if (purpose == DIR_PURPOSE_FETCH_NETWORKSTATUS) else // if (purpose == DIR_PURPOSE_FETCH_NETWORKSTATUS)
which = "server descriptors"; which = "server descriptors";
info(LD_DIR, info(LD_DIR,
"No router found for %s; falling back to dirserver list",which); "No router found for %s; falling back to dirserver list", which);
ds = router_pick_trusteddirserver(1, 1, fascistfirewall, ds = router_pick_trusteddirserver(1, 1, 1,
retry_if_no_servers); retry_if_no_servers);
if (!ds)
need_to_use_tor = 1; /* last resort: try routing it via Tor */
} }
} }
} else { // (purpose == DIR_PURPOSE_FETCH_RENDDESC) }
/* only ask authdirservers, any of them will do */ if (!directconn || need_to_use_tor) {
/* Never use fascistfirewall; we're going via Tor. */ /* Never use fascistfirewall; we're going via Tor. */
ds = router_pick_trusteddirserver(0, 0, 0, retry_if_no_servers); if (purpose == DIR_PURPOSE_FETCH_RENDDESC) {
/* only ask authdirservers, any of them will do */
ds = router_pick_trusteddirserver(0, 0, 0, retry_if_no_servers);
} else {
/* anybody with a non-zero dirport will do. Disregard firewalls. */
r = router_pick_directory_server(1, 0, need_v2_support,
retry_if_no_servers);
}
} }
if (r) if (r)
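Review bot: The `need_to_use_tor` fallback in directory_get_from_dirserver picks a server with the firewall check disabled (`router_pick_directory_server(1, 0, need_v2_support, ...)`), but nothing in this hunk changes `directconn`, which is still 1 on that path. The call that follows `if (r)` is outside the hunk. If it still derives its private-connection argument from `!directconn`, the last-resort fetch would go directly to an address the firewall options forbid, which is what this commit sets out to prevent. Recording the decision in the flag the call already uses would close that gap: `if (!ds) directconn = 0; /* last resort: try routing it via Tor */`, with the later test reduced to `if (!directconn) {`. The function body starts before this hunk and continues past it, so please confirm against the connection-initiating calls.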


@ -314,26 +314,26 @@ typedef enum {
#define _CONTROL_CONN_STATE_MAX 4 #define _CONTROL_CONN_STATE_MAX 4
#define _DIR_PURPOSE_MIN 1 #define _DIR_PURPOSE_MIN 1
/** Purpose for connection to directory server: download a directory. */ /** A connection to a directory server: download a directory. */
#define DIR_PURPOSE_FETCH_DIR 1 #define DIR_PURPOSE_FETCH_DIR 1
/** Purpose for connection to directory server: download just the list /** A connection to a directory server: download just the list
* of running routers. */ * of running routers. */
#define DIR_PURPOSE_FETCH_RUNNING_LIST 2 #define DIR_PURPOSE_FETCH_RUNNING_LIST 2
/** Purpose for connection to directory server: download a rendezvous /** A connection to a directory server: download a rendezvous
* descriptor. */ * descriptor. */
#define DIR_PURPOSE_FETCH_RENDDESC 3 #define DIR_PURPOSE_FETCH_RENDDESC 3
/** Purpose for connection to directory server: set after a rendezvous /** A connection to a directory server: set after a rendezvous
* descriptor is downloaded. */ * descriptor is downloaded. */
#define DIR_PURPOSE_HAS_FETCHED_RENDDESC 4 #define DIR_PURPOSE_HAS_FETCHED_RENDDESC 4
/** A connection to a directory server: download one or more network-status /** A connection to a directory server: download one or more network-status
* objects */ * objects */
#define DIR_PURPOSE_FETCH_NETWORKSTATUS 5 #define DIR_PURPOSE_FETCH_NETWORKSTATUS 5
/** A connection to a directory server: download one or more server /** A connection to a directory server: download one or more server
* descriptors. */ * descriptors. */
#define DIR_PURPOSE_FETCH_SERVERDESC 6 #define DIR_PURPOSE_FETCH_SERVERDESC 6
/** Purpose for connection to directory server: upload a server descriptor. */ /** A connection to a directory server: upload a server descriptor. */
#define DIR_PURPOSE_UPLOAD_DIR 7 #define DIR_PURPOSE_UPLOAD_DIR 7
/** Purpose for connection to directory server: upload a rendezvous /** A connection to a directory server: upload a rendezvous
* descriptor. */ * descriptor. */
#define DIR_PURPOSE_UPLOAD_RENDDESC 8 #define DIR_PURPOSE_UPLOAD_RENDDESC 8
/** Purpose for connection at a directory server. */ /** Purpose for connection at a directory server. */


@ -339,7 +339,7 @@ router_pick_directory_server(int requireother,
return choice; return choice;
info(LD_DIR,"Still no %s router entries. Reloading and trying again.", info(LD_DIR,"Still no %s router entries. Reloading and trying again.",
firewall_is_fascist() ? "reachable" : "known"); fascistfirewall ? "reachable" : "known");
has_fetched_directory=0; /* reset it */ has_fetched_directory=0; /* reset it */
if (router_reload_router_list()) { if (router_reload_router_list()) {
return NULL; return NULL;
@ -391,8 +391,8 @@ router_pick_trusteddirserver(int need_v1_support,
/** Pick a random running verified directory server/mirror from our /** Pick a random running verified directory server/mirror from our
* routerlist. * routerlist.
* If <b>fascistfirewall</b> and we're not using a proxy, * If <b>fascistfirewall</b>,
* make sure the port we pick is allowed by options-\>firewallports. * make sure the router we pick is allowed by our firewall options.
* If <b>requireother</b>, it cannot be us. If <b>for_v2_directory</b>, * If <b>requireother</b>, it cannot be us. If <b>for_v2_directory</b>,
* choose a directory server new enough to support the v2 directory * choose a directory server new enough to support the v2 directory
* functionality. * functionality.
@ -407,9 +407,6 @@ router_pick_directory_server_impl(int requireother, int fascistfirewall,
if (!routerlist) if (!routerlist)
return NULL; return NULL;
if (get_options()->HttpProxy)
fascistfirewall = 0;
/* Find all the running dirservers we know about. */ /* Find all the running dirservers we know about. */
sl = smartlist_create(); sl = smartlist_create();
SMARTLIST_FOREACH(routerlist->routers, routerinfo_t *, router, SMARTLIST_FOREACH(routerlist->routers, routerinfo_t *, router,
@ -439,8 +436,8 @@ router_pick_directory_server_impl(int requireother, int fascistfirewall,
} }
/** Choose randomly from among the trusted dirservers that are up. /** Choose randomly from among the trusted dirservers that are up.
* If <b>fascistfirewall</b> and we're not using a proxy, * If <b>fascistfirewall</b>,
* make sure the port we pick is allowed by options-\>firewallports. * make sure the port we pick is allowed by our firewall options.
* If <b>requireother</b>, it cannot be us. If <b>need_v1_support</b>, choose * If <b>requireother</b>, it cannot be us. If <b>need_v1_support</b>, choose
* a trusted authority for the v1 directory system. * a trusted authority for the v1 directory system.
*/ */
@ -457,9 +454,6 @@ router_pick_trusteddirserver_impl(int need_v1_support,
if (!trusted_dir_servers) if (!trusted_dir_servers)
return NULL; return NULL;
if (get_options()->HttpProxy)
fascistfirewall = 0;
SMARTLIST_FOREACH(trusted_dir_servers, trusted_dir_server_t *, d, SMARTLIST_FOREACH(trusted_dir_servers, trusted_dir_server_t *, d,
{ {
if (!d->is_running) continue; if (!d->is_running) continue;
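Review bot: The two rewritten doc comments no longer agree with each other: router_pick_directory_server_impl now says "make sure the router we pick is allowed by our firewall options", while router_pick_trusteddirserver_impl still says "make sure the port we pick". With the `HttpProxy` override removed from both helpers, the `fascistfirewall` argument is the only thing that decides whether the filter applies, so the comment is the caller's only guide to when passing 0 is legitimate. I would word the second one `* make sure the server we pick is allowed by our firewall options.` and add to both that a caller routing the request via Tor is expected to pass 0 itself, as directory_get_from_dirserver does. Both function bodies continue outside their hunks, so the filtering lines themselves are not visible here.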