[tor-bugs] #16069 [Tor]: ipv4 + ipv6 exit : v6 policy is displayed twice, v4 isn't displayed

Tor Bug Tracker & Wiki blackhole at torproject.org
Fri Sep 11 03:31:32 UTC 2015


#16069: ipv4 + ipv6 exit : v6 policy is displayed twice, v4 isn't displayed
--------------------------+-----------------------------------------------
     Reporter:  toralf    |      Owner:
         Type:  defect    |     Status:  needs_revision
     Priority:  critical  |  Milestone:  Tor: 0.2.7.x-final
    Component:  Tor       |    Version:  Tor: 0.2.7
   Resolution:            |   Keywords:  026-backport, ipv6, PostFreeze027
Actual Points:            |  Parent ID:
       Points:            |
--------------------------+-----------------------------------------------

Comment (by teor):

 Replying to [comment:23 nickm]:
 > Replying to [comment:22 teor]:
 > > Replying to [comment:20 nickm]:
 >
 > [...]
 > > > I think it's fine to do a NOTICE when * means "IPv4 and IPv6".
 > > >
 > > > I think accept6 * should mean "accept *6".
 > >
 > > So the full specification would be:
 > > * accept/reject * means IPv4 and IPv6 with NOTICE
 > > * accept/reject IPv4 or *4 means IPv4
 > > * accept/reject IPv6 or *6 means IPv6
 > >
 > > * accept6/reject6 * means IPv6 only (changed behaviour, but no-one expected it to mean IPv4)
 > > * accept6/reject6 IPv4 or *4 means ignore with WARN? (changed behaviour, but no-one expected it to mean IPv4)
 > > * accept6/reject6 IPv6 or *6 means IPv6 (existing behaviour)
 >
 > Yes, that looks good!

 There's one implication that it's worth being aware of:

 torrc exit policies will be more lenient than descriptor exit policies:
 * accept/reject * gets expanded into accept/reject *4, accept6/reject6 *6
 * accept/reject IPv6 or *6 gets transformed into accept6/reject6 IPv6 or *6
 * accept6/reject6 * gets transformed into accept6/reject6 *6
 * accept6/reject6 IPv4 or *4 gets ignored

 So there may be some confusion if people compare their torrc and exit
 policies.

 But any descriptor policy can be copied into a torrc and it will parse and
 mean the same thing. (This is a highly desirable property.)


 > > > Code notes:
 > > >
 > > > It seems like the TAPMP_IPV[46]_ONLY options won't actually stop any addresses that *don't* begin with a star.  That seems wrong. I would expect TAPMP_IPV4_ONLY to reject [FE80::]/16:80, for example.
 > >
 > > The TAPMP_IPV[46]_ONLY code only controls what * gets expanded into.
 >
 > In that case probably the option should be called TAPMP_STAR_IPV[46]_ONLY or something, and the documentation should explain that it only applies to * expansions?

 Done! Of course, we'll only be using the IPv6 variant in this patch.

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/16069#comment:24>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
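
The torrc-to-descriptor rewriting listed in the comment above, modelled as an added example (not Tor's code and not part of the original message). The names `family`, `normalize` and `is_stable` are hypothetical, log levels are returned as strings instead of being logged, and pattern parsing is simplified to `action address[/mask][:port]` with no mask or port validation.

```python
import ipaddress

ACTIONS = ("accept", "reject", "accept6", "reject6")

def family(pattern):
    """Classify an address pattern as 4, 6, or "any" (a bare *)."""
    if pattern.startswith("["):                      # bracketed IPv6 literal
        ipaddress.IPv6Address(pattern[1:pattern.index("]")])
        return 6
    host = pattern.partition(":")[0].partition("/")[0]
    if host in ("*", "*4", "*6"):
        return {"*": "any", "*4": 4, "*6": 6}[host]
    ipaddress.IPv4Address(host)                      # ValueError if not IPv4
    return 4

def normalize(line):
    """Return (descriptor_lines, log_level) for one torrc policy line."""
    action, pattern = line.split()
    if action not in ACTIONS:
        raise ValueError(f"unknown action: {action}")
    verb, is6, fam = action.rstrip("6"), action.endswith("6"), family(pattern)
    suffix = pattern[1:]                             # mask/port after a bare *
    if fam == "any":
        if is6:                                      # accept6 * -> IPv6 only
            return [f"{verb}6 *6{suffix}"], None
        return [f"{verb} *4{suffix}", f"{verb}6 *6{suffix}"], "NOTICE"
    if fam == 4:
        if is6:                                      # accept6 + IPv4: ignored
            return [], "WARN"
        return [f"{verb} {pattern}"], None
    return [f"{verb}6 {pattern}"], None              # IPv6 always uses the 6 form

def is_stable(line):
    """True if every normalized line normalizes to itself with no log output."""
    return all(normalize(out) == ([out], None) for out in normalize(line)[0])

# Constructed sample torrc lines, not taken from a real relay.
SAMPLE = ["accept *:80", "reject [FE80::]/16:80", "accept6 *:443",
          "reject6 10.0.0.0/8:*", "accept *4:22"]

if __name__ == "__main__":
    for entry in SAMPLE:
        print(f"{entry!r:28} -> {normalize(entry)}")
```

`is_stable` checks the property the comment calls highly desirable: a line in descriptor form, fed back in as torrc input, parses to the same line with no NOTICE or WARN.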

