From 20422cde2b71c079e88dcf3bfc2b1f1b4bc23c1c Mon Sep 17 00:00:00 2001 From: Sebastian Hahn Date: Fri, 5 Feb 2010 13:40:31 +0100 Subject: [PATCH 1/4] 0/8 doesn't count as a /8 subnet towards an Exit flag --- src/or/policies.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/or/policies.c b/src/or/policies.c index eb8b5fd462..3c060aeb73 100644 --- a/src/or/policies.c +++ b/src/or/policies.c @@ -883,7 +883,7 @@ exit_policy_is_general_exit_helper(smartlist_t *policy, int port) if (subnet_status[j] != 0) continue; /* We already reject some part of this /8 */ tor_addr_from_ipv4h(&addr, j<<24); - if (tor_addr_is_internal(&addr, 1)) /* 1 because * = 0.0.0.0 */ + if (tor_addr_is_internal(&addr, 0)) continue; /* Local or non-routable addresses */ if (tor_addr_compare_masked(&addr, &p->addr, p->maskbits, CMP_EXACT) == 0) { From 01030a4db2c9aae4479ee9df431a75f41e75025c Mon Sep 17 00:00:00 2001 From: Sebastian Hahn Date: Fri, 5 Feb 2010 11:59:15 +0100 Subject: [PATCH 2/4] Another unit test for exit_policy_is_general_exit() --- src/test/test.c | 12 ++++++++++-- 1 file changed, 10 insertions(+), 2 deletions(-) diff --git a/src/test/test.c b/src/test/test.c index d7575ac61f..8b84290446 100644 --- a/src/test/test.c +++ b/src/test/test.c @@ -648,7 +648,8 @@ test_policies(void) { int i; smartlist_t *policy = NULL, *policy2 = NULL, *policy3 = NULL, - *policy4 = NULL, *policy5 = NULL, *policy6 = NULL; + *policy4 = NULL, *policy5 = NULL, *policy6 = NULL, + *policy7 = NULL; addr_policy_t *p; tor_addr_t tar; config_line_t line; @@ -725,12 +726,17 @@ test_policies(void) p = router_parse_addr_policy_item_from_string("accept *:1-65535",-1); test_assert(p != NULL); smartlist_add(policy5, p); - + policy6 = smartlist_create(); p = router_parse_addr_policy_item_from_string("accept 43.3.0.0/9:*",-1); test_assert(p != NULL); smartlist_add(policy6, p); + policy7 = smartlist_create(); + p = router_parse_addr_policy_item_from_string("accept 0.0.0.0/8:*",-1); + test_assert(p != NULL); + smartlist_add(policy7, p); + test_assert(!exit_policy_is_general_exit(policy)); test_assert(exit_policy_is_general_exit(policy2)); test_assert(!exit_policy_is_general_exit(NULL)); @@ -738,6 +744,7 @@ test_policies(void) test_assert(!exit_policy_is_general_exit(policy4)); test_assert(!exit_policy_is_general_exit(policy5)); test_assert(!exit_policy_is_general_exit(policy6)); + test_assert(!exit_policy_is_general_exit(policy7)); test_assert(cmp_addr_policies(policy, policy2)); test_assert(cmp_addr_policies(policy, NULL)); @@ -853,6 +860,7 @@ test_policies(void) addr_policy_list_free(policy4); addr_policy_list_free(policy5); addr_policy_list_free(policy6); + addr_policy_list_free(policy7); tor_free(policy_str); if (sm) { SMARTLIST_FOREACH(sm, char *, s, tor_free(s)); From 1e49c908f724842a9adf383553689cf2a0aa7a0b Mon Sep 17 00:00:00 2001 From: Sebastian Hahn Date: Fri, 5 Feb 2010 16:58:24 +0100 Subject: [PATCH 3/4] Speed up the execution of exit_policy_is_general_exit_helper() It isn't necessary to walk through all possible subnets when the policy we're looking at doesn't touch that subnet. --- src/or/policies.c | 36 +++++++++++++++++++++--------------- 1 file changed, 21 insertions(+), 15 deletions(-) diff --git a/src/or/policies.c b/src/or/policies.c index 3c060aeb73..a49de01e18 100644 --- a/src/or/policies.c +++ b/src/or/policies.c @@ -870,7 +870,7 @@ policies_set_router_exitpolicy_to_reject_all(routerinfo_t *r) static int exit_policy_is_general_exit_helper(smartlist_t *policy, int port) { - uint32_t j; + uint32_t mask, ip, i; /* Is this /8 rejected (1), or undecided (0)? */ char subnet_status[256]; @@ -878,24 +878,30 @@ exit_policy_is_general_exit_helper(smartlist_t *policy, int port) SMARTLIST_FOREACH(policy, addr_policy_t *, p, { if (p->prt_min > port || p->prt_max < port) continue; /* Doesn't cover our port. */ - for (j = 0; j < 256; ++j) { + mask = 0; + tor_assert(p->maskbits <= 32); + + if (p->maskbits) + mask = UINT32_MAX<<(32-p->maskbits); + ip = tor_addr_to_ipv4h(&p->addr); + + /* Calculate the first and last subnet that this exit policy touches + * and set it as loop boundaries. */ + for (i = ((mask & ip)>>24); i <= (~((mask & ip) ^ mask)>>24); ++i) { tor_addr_t addr; - if (subnet_status[j] != 0) + if (subnet_status[i] != 0) continue; /* We already reject some part of this /8 */ - tor_addr_from_ipv4h(&addr, j<<24); + tor_addr_from_ipv4h(&addr, i<<24); if (tor_addr_is_internal(&addr, 0)) continue; /* Local or non-routable addresses */ - if (tor_addr_compare_masked(&addr, &p->addr, p->maskbits, - CMP_EXACT) == 0) { - if (p->policy_type == ADDR_POLICY_ACCEPT) { - if (p->maskbits > 8) - continue; /* Narrower than a /8. */ - /* We found an allowed subnet of at least size /8. Done - * for this port! */ - return 1; - } else if (p->policy_type == ADDR_POLICY_REJECT) { - subnet_status[j] = 1; - } + if (p->policy_type == ADDR_POLICY_ACCEPT) { + if (p->maskbits > 8) + continue; /* Narrower than a /8. */ + /* We found an allowed subnet of at least size /8. Done + * for this port! */ + return 1; + } else if (p->policy_type == ADDR_POLICY_REJECT) { + subnet_status[i] = 1; } } }); From 253fd21ae1cbf66efe0eedc4eee26f8c712d2804 Mon Sep 17 00:00:00 2001 From: Sebastian Hahn Date: Fri, 5 Feb 2010 17:04:33 +0100 Subject: [PATCH 4/4] Fix a whitespace violation --- src/or/connection_edge.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/src/or/connection_edge.c b/src/or/connection_edge.c index 8447853fc1..f559359383 100644 --- a/src/or/connection_edge.c +++ b/src/or/connection_edge.c @@ -2937,7 +2937,8 @@ parse_extended_hostname(char *address, int allowdotexit) return EXIT_HOSTNAME; /* .exit */ } else { log_warn(LD_APP, "The \".exit\" notation is disabled in Tor due to " - "security risks. Set AllowDotExit in your torrc to enable it."); + "security risks. Set AllowDotExit in your torrc to enable " + "it."); /* FFFF send a controller event too to notify Vidalia users */ return BAD_HOSTNAME; }