[tor-bugs] #16069 [Tor]: ipv4 + ipv6 exit : v6 policy is displayed twice, v4 isn't displayed

Tor Bug Tracker & Wiki blackhole at torproject.org
Mon Sep 14 07:37:19 UTC 2015


#16069: ipv4 + ipv6 exit : v6 policy is displayed twice, v4 isn't displayed
--------------------------+-----------------------------------------------
     Reporter:  toralf    |      Owner:
         Type:  defect    |     Status:  needs_review
     Priority:  critical  |  Milestone:  Tor: 0.2.7.x-final
    Component:  Tor       |    Version:  Tor: 0.2.7
   Resolution:            |   Keywords:  026-backport, ipv6, PostFreeze027
Actual Points:            |  Parent ID:
       Points:            |
--------------------------+-----------------------------------------------

Comment (by teor):

 Replying to [comment:30 teor]:
 > Replying to [comment:29 nickm]:
 > > okay, thoughts!
 > >
 > > {{{
 > > +      log_notice(LD_GENERAL,
 > > +                 "accept/reject * expands into rules which apply to
 all IPv4 "
 > > +                 "and IPv6 addresses.");
 > > }}}
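 Review bot: the string passed to `log_notice` says what `accept/reject *` expands to but gives the operator nothing to act on. It has no format arguments, so it cannot name the policy line that triggered it, and it does not mention that `*4` or `*6` restricts a rule to one address family. Consider adding both, and logging under `LD_CONFIG` rather than `LD_GENERAL`, since the message is about how a configuration line was interpreted.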
 > >
 > > Maybe this should:
 > ...
 > >    * tell the user what to do if they only wanted it to apply to IPv4?
 > >    * not happen once per policy line per hup. :)
 > >    * Give the user some way to avoid the message if they really did mean "all ipv4 and ipv6".
 >
 > Hmm, yes, this is a complex one to fix. I suggest a split solution:
 >  * downgrading the severity of the every-line-every-hup message to INFO or DEBUG
 >  * telling the user to use *4 for IPv4 or *6 for IPv6
 >
 > Then creating another message that is NOTICE that only occurs once per torrc parse when:
 >  * the policy has an `accept *:*` or `reject *:*` line
 >  * other lines occur after that line (and will be ignored)
 > We can then create a message telling the user:
 >  * that lines after `accept/reject *:*` are being ignored
 >  * to use *4 for IPv4 or *6 for IPv6 or put `accept/reject *:*` at the end of the policy to silence this notice
 >
 > For toralf's torrc and similar torrcs:
 > * with this patch, the IPv6 section would now be IPv6 only
 > * the accept/reject section would only apply to IPv4 due to `ExitPolicy reject6 *:*` at the end of the accept6/reject6 section
 > * no warnings would be issued, as `reject *:*` occurs last
 >
 > If someone goes against the advice to end with `accept/reject *:*`, and puts `accept6/reject6/accept/reject` after an `accept/reject *:*`, then they will get this NOTICE once on every torrc parse.

 Now that I think about it, any ExitPolicy lines after `accept/reject *:*`
 are almost certainly a misconfiguration. Should we elevate them to WARN?

 (Note we won't WARN on policies of the form `accept *:N,reject *6:N,accept
 *:*`. I think this is ok, as it's unclear if they are intentional or not,
 and deciding whether they are or not is non-trivial. We could NOTICE/INFO
 when rules override each other, but this is often intentional. Maybe we
 could issue a single NOTICE with the resultant policy per torrc parse?)

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/16069#comment:32>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
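
The check proposed in this comment, flagging ExitPolicy entries that follow an `accept/reject *:*`, written out as an added C example (it is not Tor source code or the patch under review). The function names and torrc fragments are constructed for illustration, and it assumes exact-case `ExitPolicy` keys at the start of a line with no trailing comments.

```c
#include <stdio.h>
#include <string.h>

/* Added sketch, not Tor source. 1 for "accept *:*" / "reject *:*" (both
 * families); accept6/reject6 and *4/*6 patterns give 0. */
static int is_catch_all(const char *e)
{
    while (*e == ' ') e++;
    if (strncmp(e, "accept ", 7) && strncmp(e, "reject ", 7)) return 0;
    e += 7;
    while (*e == ' ') e++;
    return strcspn(e, " ,\t\r\n") == 3 && strncmp(e, "*:*", 3) == 0;
}

/* Counts entries placed after a catch-all (never reached); *first_line is
 * the 1-based torrc line of the first one, or 0 if there is none. */
int count_shadowed(const char *torrc, int *first_line)
{
    int seen_all = 0, shadowed = 0, lineno = 1;
    *first_line = 0;
    for (const char *p = torrc; *p; lineno++) {
        size_t n = strcspn(p, "\n");            /* length of this line */
        if (strncmp(p, "ExitPolicy ", 11) == 0) {
            for (const char *e = p + 11; e < p + n; ) {
                size_t m = strcspn(e, ",\n");   /* one comma-separated entry */
                if (seen_all && shadowed++ == 0)
                    *first_line = lineno;
                seen_all |= is_catch_all(e);
                e += m + (e[m] == ',');
            }
        }
        p += n + (p[n] == '\n');
    }
    return shadowed;
}

/* Constructed torrc fragments (hypothetical, not toralf's actual file). */
static const char TORRC_OK[] = "ExitPolicy accept6 *:80\n"
    "ExitPolicy reject6 *:*\nExitPolicy accept *:80\nExitPolicy reject *:*\n";
static const char TORRC_BAD[] = "ExitPolicy reject *:*\n"
    "ExitPolicy accept6 *:80\nExitPolicy accept *:443,accept *:80\n";

int main(void)
{
    int line, ok = count_shadowed(TORRC_OK, &line);
    int bad = count_shadowed(TORRC_BAD, &line);
    printf("ok=%d bad=%d first shadowed line=%d\n", ok, bad, line);
    return 0;
}
```

A policy of the form `accept *:N,reject *6:N,accept *:*` yields zero here, matching the case the comment says would not be warned about.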

