[tor-bugs] #16069 [Tor]: ipv4 + ipv6 exit : v6 policy is displayed twice, v4 isn't displayed

Tor Bug Tracker & Wiki blackhole at torproject.org
Wed Sep 9 09:34:28 UTC 2015


#16069: ipv4 + ipv6 exit : v6 policy is displayed twice, v4 isn't displayed
--------------------------+-----------------------------------------------
     Reporter:  toralf    |      Owner:
         Type:  defect    |     Status:  new
     Priority:  critical  |  Milestone:  Tor: 0.2.7.x-final
    Component:  Tor       |    Version:  Tor: 0.2.7
   Resolution:            |   Keywords:  026-backport, ipv6, PostFreeze027
Actual Points:            |  Parent ID:
       Points:            |
--------------------------+-----------------------------------------------

Comment (by teor):

 I've given this some further thought today. In summary:
 * The current accept/accept6 scheme is confusing, as accept6 looks like it
 should mean all IPv6 addresses only.
 * My first suggestion of changing accept6 to mean IPv6 addresses, without
 changing the meaning of accept (both IPv4 and IPv6), just seems to add to
 the confusion.
 * I no longer like the semantics of changing accept to mean IPv4
 addresses, as it changes the meaning of accept *:* and reject *:*, which
 is the last entry in many ExitPolicy blocks. This could cause IPv6 Exits
 to have many more open ports, a serious issue.

 I am now in favour of the following scheme: (based on my second suggestion
 above)
 * accept/reject don't change semantics, they mean both IPv4 and IPv6
 addresses.
   * This preserves the semantics of accept *:* and reject *:*, which are
 vital to the correct operation of many ExitPolicy blocks.
   * Warn that any torrc ExitPolicy entries after an accept *:* or reject
 *:* are ignored. (This would perhaps have assisted toralf in discovering
 and resolving their issues at config time.)
   * Warn that any accept/reject *:N entries cover both IPv4 and IPv6.
 * accept4/reject4 mean IPv4 addresses only. (Using with *:N means IPv4
 only.)
   * Using accept4/reject4 with IPv6 addresses or *6:N is an error or a
 warning. It has no effect.
   * Info about new behaviour for consistency with accept6/reject6?
 * accept6/reject6 mean IPv6 addresses only. (Using with *:N means IPv6
 only.)
   * Using accept6/reject6 with IPv4 addresses or *4:N is an error or a
 warning. It has no effect.
   * Warn or info about changed behaviour.

 This has the following impacts:
 * accept6/reject6 lines change behaviour to only affect IPv6. This could
 change the number of open IPv4 or IPv6 ports on existing Exits. However,
 this is likely to be closer to actual operator intent.
 * counter-intuitive combinations are now flagged using warnings or errors.

 We may also need to make similar changes to the default exit policy in-
 code, manpage, sample torrc, and torspec.

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/16069#comment:13>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
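
Added example (not part of teor's comment and not Tor's own code): a small Python linter that applies the scheme proposed above to a list of ExitPolicy entries and emits the warnings the comment asks for. The function names and sample entries are constructed for illustration, and accept4/reject4 are handled only as the comment proposes them.

```python
import ipaddress

# Address families each keyword covers under the scheme proposed in the comment.
FAMILIES = {"accept": {4, 6}, "reject": {4, 6},
            "accept4": {4}, "reject4": {4},
            "accept6": {6}, "reject6": {6}}

def addr_family(addr):
    """Return 4, 6, or None (plain '*' wildcard) for an entry's address part."""
    if addr == "*":
        return None
    if addr in ("*4", "*6"):
        return int(addr[1])
    host = addr.split("/")[0].strip("[]")   # drop mask and IPv6 brackets
    return ipaddress.ip_address(host).version

def lint_exit_policy(entries):
    """Return (entry_number, message) warnings for ExitPolicy entries."""
    warnings, catch_all = [], None
    for n, entry in enumerate(entries, 1):
        keyword, pattern = entry.split()
        addr, _, port = pattern.rpartition(":")
        fam, covers = addr_family(addr), FAMILIES[keyword]
        if catch_all is not None:
            # Nothing after accept *:* or reject *:* can ever match.
            warnings.append((n, f"ignored: follows '{entries[catch_all - 1]}'"))
            continue
        if fam is not None and fam not in covers:
            warnings.append((n, f"{keyword} with an IPv{fam} address has no effect"))
        elif fam is None and covers == {4, 6} and port != "*":
            warnings.append((n, f"{keyword} *:{port} covers both IPv4 and IPv6"))
        if keyword in ("accept", "reject") and pattern == "*:*":
            catch_all = n
    return warnings

# Constructed sample policy (documentation address ranges only).
SAMPLE = [
    "accept *:80",                  # both families: warn
    "accept4 *:443",                # IPv4 only: fine
    "accept6 192.0.2.1:22",         # IPv4 address on an IPv6 keyword
    "reject4 *6:25",                # IPv6 wildcard on an IPv4 keyword
    "accept6 [2001:db8::]/32:443",  # fine
    "reject *:*",                   # catch-all for both families
    "accept6 *:6667",               # unreachable
]

if __name__ == "__main__":
    for line_no, message in lint_exit_policy(SAMPLE):
        print(f"entry {line_no}: {message}")
```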