[or-cvs] Turn addr_policy_compare from a tristate to a quadstate; th...

Nick Mathewson nickm at seul.org
Sat Mar 19 06:57:19 UTC 2005


Update of /home/or/cvsroot/tor/src/or
In directory moria.mit.edu:/tmp/cvs-serv25042/src/or

Modified Files:
	circuitbuild.c circuituse.c connection_edge.c directory.c or.h 
	router.c routerlist.c 
Log Message:
Turn addr_policy_compare from a tristate to a quadstate; this should help address our "Ah, you allow 1.2.3.4:80. You are a good choice for google.com" problem.

Index: circuitbuild.c
===================================================================
RCS file: /home/or/cvsroot/tor/src/or/circuitbuild.c,v
retrieving revision 1.86
retrieving revision 1.87
diff -u -d -r1.86 -r1.87
--- circuitbuild.c	15 Mar 2005 01:44:46 -0000	1.86
+++ circuitbuild.c	19 Mar 2005 06:57:15 -0000	1.87
@@ -858,10 +858,11 @@
   uint16_t port;
 
   for (i = 0; i < smartlist_len(needed_ports); ++i) {
+    addr_policy_result_t r;
     port = *(uint16_t *)smartlist_get(needed_ports, i);
     tor_assert(port);
-    if (router_compare_addr_to_addr_policy(0, port, router->exit_policy) !=
-          ADDR_POLICY_REJECTED)
+    r = router_compare_addr_to_addr_policy(0, port, router->exit_policy);
+    if (r != ADDR_POLICY_REJECTED && r != ADDR_POLICY_PROBABLY_REJECTED)
       return 1;
   }
   return 0;
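Review bot: The two-constant test `r != ADDR_POLICY_REJECTED && r != ADDR_POLICY_PROBABLY_REJECTED` is written out by hand here and again in the circuituse.c hunk, in negated form in connection_ap_can_use_exit (connection_edge.c), and in router_exit_policy_all_routers_reject (routerlist.c). A call site that forgets the PROBABLY_REJECTED half silently reverts to the old behaviour of choosing exits that are likely to refuse the stream. A single helper next to the enum in or.h would keep the sites in agreement, for example `#define ADDR_POLICY_IS_REJECTED(r) ((r) == ADDR_POLICY_REJECTED || (r) == ADDR_POLICY_PROBABLY_REJECTED)`. The temporary `r` is also scoped inconsistently: inside the loop here, at function scope in routerlist.c. The enclosing function starts outside this hunk.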

Index: circuituse.c
===================================================================
RCS file: /home/or/cvsroot/tor/src/or/circuituse.c,v
retrieving revision 1.56
retrieving revision 1.57
diff -u -d -r1.56 -r1.57
--- circuituse.c	19 Mar 2005 04:38:58 -0000	1.56
+++ circuituse.c	19 Mar 2005 06:57:15 -0000	1.57
@@ -291,13 +291,19 @@
          circ->timestamp_dirty + get_options()->MaxCircuitDirtiness < now)) {
       exitrouter = router_get_by_digest(circ->build_state->chosen_exit_digest);
       if (exitrouter &&
-          (!need_uptime || circ->build_state->need_uptime) &&
-          ((conn && connection_ap_can_use_exit(conn, exitrouter)) ||
-           (!conn &&
-            router_compare_addr_to_addr_policy(0, port, exitrouter->exit_policy) !=
-              ADDR_POLICY_REJECTED))) {
-        if (++num >= min)
-          return 1;
+          (!need_uptime || circ->build_state->need_uptime)) {
+        int ok;
+        if (conn) {
+          ok = connection_ap_can_use_exit(conn, exitrouter);
+        } else {
+          addr_policy_result_t r =
+           router_compare_addr_to_addr_policy(0, port, exitrouter->exit_policy);
+          ok = r != ADDR_POLICY_REJECTED && r != ADDR_POLICY_PROBABLY_REJECTED;
+        }
+        if (ok) {
+          if (++num >= min)
+            return 1;
+        }
       }
     }
   }

Index: connection_edge.c
===================================================================
RCS file: /home/or/cvsroot/tor/src/or/connection_edge.c,v
retrieving revision 1.300
retrieving revision 1.301
diff -u -d -r1.300 -r1.301
--- connection_edge.c	19 Mar 2005 05:09:13 -0000	1.300
+++ connection_edge.c	19 Mar 2005 06:57:15 -0000	1.301
@@ -1471,8 +1471,8 @@
   return 0;
 }
 
-/** Return 1 if router <b>exit</b> might allow stream <b>conn</b>
- * to exit from it, or 0 if it definitely will not allow it.
+/** Return 1 if router <b>exit</b> is likely to allow stream <b>conn</b>
+ * to exit from it, or 0 if it probably will not allow it.
  * (We might be uncertain if conn's destination address has not yet been
  * resolved.)
  */
@@ -1502,10 +1502,12 @@
   if (conn->socks_request->command != SOCKS_COMMAND_RESOLVE) {
     struct in_addr in;
     uint32_t addr = 0;
+    addr_policy_result_t r;
     if (tor_inet_aton(conn->socks_request->address, &in))
       addr = ntohl(in.s_addr);
-    if (router_compare_addr_to_addr_policy(addr, conn->socks_request->port,
-          exit->exit_policy) == ADDR_POLICY_REJECTED)
+    r = router_compare_addr_to_addr_policy(addr, conn->socks_request->port,
+                                           exit->exit_policy);
+    if (r == ADDR_POLICY_REJECTED || r == ADDR_POLICY_PROBABLY_REJECTED)
       return 0;
   }
   return 1;
@@ -1550,11 +1552,10 @@
   if (!socks_policy) /* 'no socks policy' means 'accept' */
     return 1;
   a = router_compare_addr_to_addr_policy(addr, 1, socks_policy);
-  if (a==-1)
+  if (a==ADDR_POLICY_REJECTED)
     return 0;
-  else if (a==0)
+  else if (a==ADDR_POLICY_ACCEPTED)
     return 1;
-  tor_assert(a==1);
   log_fn(LOG_WARN, "Bug: Got unexpected 'maybe' answer from socks policy");
   return 0;
 }
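Review bot: The declaration of `a` lies outside this hunk; if it is still `int`, it should become `addr_policy_result_t a;` now that router_compare_addr_to_addr_policy returns the enum. After the two comparisons, the fall-through catches both ADDR_POLICY_PROBABLY_ACCEPTED and ADDR_POLICY_PROBABLY_REJECTED and denies. That is the safe default for an access-control check, but with the tor_assert removed nothing in the code says it is deliberate. A comment above the log_fn call, such as `/* Any 'probably' answer is treated as a reject: fail closed. */`, would record the intent. The same two points apply to the dir policy hunk in directory.c.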

Index: directory.c
===================================================================
RCS file: /home/or/cvsroot/tor/src/or/directory.c,v
retrieving revision 1.217
retrieving revision 1.218
diff -u -d -r1.217 -r1.218
--- directory.c	14 Mar 2005 03:28:46 -0000	1.217
+++ directory.c	19 Mar 2005 06:57:15 -0000	1.218
@@ -100,11 +100,10 @@
   if (!dir_policy) /* 'no dir policy' means 'accept' */
     return 1;
   a = router_compare_addr_to_addr_policy(addr, 1, dir_policy);
-  if (a==-1)
+  if (a==ADDR_POLICY_REJECTED)
     return 0;
-  else if (a==0)
+  else if (a==ADDR_POLICY_ACCEPTED)
     return 1;
-  tor_assert(a==1);
   log_fn(LOG_WARN, "Bug: got unexpected 'maybe' answer from dir policy");
   return 0;
 }

Index: or.h
===================================================================
RCS file: /home/or/cvsroot/tor/src/or/or.h,v
retrieving revision 1.560
retrieving revision 1.561
diff -u -d -r1.560 -r1.561
--- or.h	19 Mar 2005 05:07:19 -0000	1.560
+++ or.h	19 Mar 2005 06:57:15 -0000	1.561
@@ -1661,6 +1661,12 @@
 int rend_mid_rendezvous(circuit_t *circ, const char *request, size_t request_len);
 
 /********************************* router.c ***************************/
+typedef enum {
+  ADDR_POLICY_ACCEPTED=0,
+  ADDR_POLICY_REJECTED=-1,
+  ADDR_POLICY_PROBABLY_ACCEPTED=1,
+  ADDR_POLICY_PROBABLY_REJECTED=2
+} addr_policy_result_t;
 
 void set_onion_key(crypto_pk_env_t *k);
 crypto_pk_env_t *get_onion_key(void);
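Review bot: The new addr_policy_result_t typedef has no doc comment, and its values are not ordered by meaning (0 accepted, -1 rejected, 1 probably accepted, 2 probably rejected). A truthiness test, or a lone `!= ADDR_POLICY_REJECTED` carried over from the tristate, therefore no longer separates accept from reject. A comment on the typedef should say what each value means and that callers must compare against the named constants, for example `/** Result of matching an addr:port against a policy; the PROBABLY_ values are guesses made when the address or port is unknown. */`.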
@@ -1760,11 +1766,9 @@
 int router_load_single_router(const char *s);
 int router_load_routerlist_from_directory(const char *s,crypto_pk_env_t *pkey,
                                         int dir_is_recent, int dir_is_cached);
-int router_compare_addr_to_addr_policy(uint32_t addr, uint16_t port,
-                                       addr_policy_t *policy);
-#define ADDR_POLICY_ACCEPTED 0
-#define ADDR_POLICY_REJECTED -1
-#define ADDR_POLICY_UNKNOWN 1
+addr_policy_result_t router_compare_addr_to_addr_policy(uint32_t addr,
+                              uint16_t port, addr_policy_t *policy);
+
 int router_exit_policy_all_routers_reject(uint32_t addr, uint16_t port,
                                           int need_uptime);
 

Index: router.c
===================================================================
RCS file: /home/or/cvsroot/tor/src/or/router.c,v
retrieving revision 1.153
retrieving revision 1.154
diff -u -d -r1.153 -r1.154
--- router.c	17 Mar 2005 12:38:36 -0000	1.153
+++ router.c	19 Mar 2005 06:57:16 -0000	1.154
@@ -581,8 +581,8 @@
   config_parse_addr_policy(&default_policy, &router->exit_policy);
 }
 
-/** OR only: Return false if my exit policy says to allow connection to
- * conn.  Else return true.
+/** OR only: Check whether my exit policy says to allow connection to
+ * conn.  Return false if we accept; true if we reject.
  */
 int router_compare_to_my_exit_policy(connection_t *conn)
 {
@@ -594,10 +594,11 @@
     return -1;
 
   return router_compare_addr_to_addr_policy(conn->addr, conn->port,
-                   desc_routerinfo->exit_policy);
+                   desc_routerinfo->exit_policy) != ADDR_POLICY_ACCEPTED;
 
 }
 
+
 /** Return true iff <b>router</b> has the same nickname as this OR.  (For an
  * OP, always returns false.)
  */
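Review bot: The added `!= ADDR_POLICY_ACCEPTED` makes router_compare_to_my_exit_policy count ADDR_POLICY_PROBABLY_ACCEPTED as a rejection. That is the conservative choice when enforcing our own exit policy, but the revised doc comment in the previous hunk does not say so. It could read `Return false only if the policy definitely accepts; any other answer counts as a reject.` The early `return -1;` at the top of this hunk also means the "true" result is not always 1, so callers should test for non-zero. The function begins outside this hunk.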

Index: routerlist.c
===================================================================
RCS file: /home/or/cvsroot/tor/src/or/routerlist.c,v
retrieving revision 1.219
retrieving revision 1.220
diff -u -d -r1.219 -r1.220
--- routerlist.c	17 Mar 2005 12:38:36 -0000	1.219
+++ routerlist.c	19 Mar 2005 06:57:16 -0000	1.220
@@ -1001,16 +1001,26 @@
   return 0;
 }
 
-/** Decide whether a given addr:port is definitely accepted, definitely
- * rejected, or neither by a given policy.  If <b>addr</b> is 0, we
- * don't know the IP of the target address. If <b>port</b> is 0, we
- * don't know the port of the target address.
+/** Decide whether a given addr:port is definitely accepted,
+ * definitely rejected, probably accepted, or probably rejected by a
+ * given policy.  If <b>addr</b> is 0, we don't know the IP of the
+ * target address. If <b>port</b> is 0, we don't know the port of the
+ * target address.
  *
- * Returns -1 for "rejected", 0 for "accepted", 1 for "maybe" (since IP or
- * port is unknown).
+ * For now, the algorithm is pretty simple: we look for definite and
+ * uncertain matches.  The first definite match is what we guess; if
+ * it was proceded by no uncertain matches of the opposite policy,
+ * then the guess is definite; otherwise it is probable.  (If we
+ * have a known addr and port, all matches are definite; if we have an
+ * unknown addr/port, any address/port ranges other than "all" are
+ * uncertain.)
+ *
+ * We could do better by assuming that some ranges never match typical
+ * addresses (127.0.0.1, and so on).  But we'll try this for now.
  */
-int router_compare_addr_to_addr_policy(uint32_t addr, uint16_t port,
-                                       addr_policy_t *policy)
+addr_policy_result_t
+router_compare_addr_to_addr_policy(uint32_t addr, uint16_t port,
+                                   addr_policy_t *policy)
 {
   int maybe_reject = 0;
   int maybe_accept = 0;
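Review bot: The rewritten doc comment no longer says what the function returns: the old "Returns -1 ... 0 ... 1" sentence was removed and nothing names the four addr_policy_result_t values in its place. Add a line such as `Returns ADDR_POLICY_ACCEPTED or ADDR_POLICY_REJECTED for a definite answer, and ADDR_POLICY_PROBABLY_ACCEPTED or ADDR_POLICY_PROBABLY_REJECTED for a guess.` so callers can tell which results are safe to act on. In the same comment, "proceded" should read "preceded". The function body continues outside this hunk.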
@@ -1060,14 +1070,14 @@
       if (tmpe->policy_type == ADDR_POLICY_ACCEPT) {
         /* If we already hit a clause that might trigger a 'reject', than we
          * can't be sure of this certain 'accept'.*/
-        return maybe_reject ? ADDR_POLICY_UNKNOWN : ADDR_POLICY_ACCEPTED;
+        return maybe_reject ? ADDR_POLICY_PROBABLY_ACCEPTED : ADDR_POLICY_ACCEPTED;
       } else {
-        return maybe_accept ? ADDR_POLICY_UNKNOWN : ADDR_POLICY_REJECTED;
+        return maybe_accept ? ADDR_POLICY_PROBABLY_REJECTED : ADDR_POLICY_REJECTED;
       }
     }
   }
   /* accept all by default. */
-  return maybe_reject ? ADDR_POLICY_UNKNOWN : ADDR_POLICY_ACCEPTED;
+  return maybe_reject ? ADDR_POLICY_PROBABLY_ACCEPTED : ADDR_POLICY_ACCEPTED;
 }
 
 /** Return 1 if all running sufficiently-stable routers will reject
@@ -1076,15 +1086,17 @@
                                           int need_uptime) {
   int i;
   routerinfo_t *router;
+  addr_policy_result_t r;
   if (!routerlist) return 1;
 
   for (i=0;i<smartlist_len(routerlist->routers);i++) {
     router = smartlist_get(routerlist->routers, i);
     if (router->is_running &&
-        !router_is_unreliable(router, need_uptime, 0) &&
-        router_compare_addr_to_addr_policy(
-             addr, port, router->exit_policy) != ADDR_POLICY_REJECTED)
-      return 0; /* this one could be ok. good enough. */
+        !router_is_unreliable(router, need_uptime, 0)) {
+      r = router_compare_addr_to_addr_policy(addr, port, router->exit_policy);
+      if (r != ADDR_POLICY_REJECTED && r != ADDR_POLICY_PROBABLY_REJECTED)
+        return 0; /* this one could be ok. good enough. */
+    }
   }
   return 1; /* all will reject. */
 }


