[tor-commits] [tor/master] policy_is_reject_star():
nickm at torproject.org
nickm at torproject.org
Tue Nov 8 23:51:27 UTC 2016
commit d73c671d6d9a60d9318814b7f95ede320e5d58b2
Author: Nick Mathewson <nickm at torproject.org>
Date: Mon Oct 31 15:05:56 2016 -0400
policy_is_reject_star():
ome policies are default-reject, some default-accept. But
policy_is_reject_star() assumed they were all default_reject. Fix
that!
Also, document that policy_is_reject_star() treats a NULL policy as
empty. This allows us to simplify the checks in
parse_reachable_addresses() by quite a bit.
Fxes bug 20306; bugfix on 0.2.8.2-alpha.
---
changes/bug20306_029 | 4 ++++
src/or/policies.c | 37 +++++++++++++++++--------------------
src/or/policies.h | 3 ++-
src/or/router.c | 4 ++--
src/or/routerparse.c | 2 +-
src/test/test_policy.c | 18 ++++++++++--------
6 files changed, 36 insertions(+), 32 deletions(-)
diff --git a/changes/bug20306_029 b/changes/bug20306_029
new file mode 100644
index 0000000..ada2676
--- /dev/null
+++ b/changes/bug20306_029
@@ -0,0 +1,4 @@
+ o Minor bugfixes (fascistfirewall):
+ - Avoid spurious warnings when ReachableAddresses or FascistFirewall
+ is set. Fixes bug 20306; bugfix on 0.2.8.2-alpha.
+
diff --git a/src/or/policies.c b/src/or/policies.c
index 44a46d2..227e168 100644
--- a/src/or/policies.c
+++ b/src/or/policies.c
@@ -274,28 +274,22 @@ parse_reachable_addresses(void)
/* We ignore ReachableAddresses for relays */
if (!server_mode(options)) {
- if ((reachable_or_addr_policy
- && policy_is_reject_star(reachable_or_addr_policy, AF_UNSPEC))
- || (reachable_dir_addr_policy
- && policy_is_reject_star(reachable_dir_addr_policy, AF_UNSPEC))) {
+ if (policy_is_reject_star(reachable_or_addr_policy, AF_UNSPEC, 0)
+ || policy_is_reject_star(reachable_dir_addr_policy, AF_UNSPEC,0)) {
log_warn(LD_CONFIG, "Tor cannot connect to the Internet if "
"ReachableAddresses, ReachableORAddresses, or "
"ReachableDirAddresses reject all addresses. Please accept "
"some addresses in these options.");
} else if (options->ClientUseIPv4 == 1
- && ((reachable_or_addr_policy
- && policy_is_reject_star(reachable_or_addr_policy, AF_INET))
- || (reachable_dir_addr_policy
- && policy_is_reject_star(reachable_dir_addr_policy, AF_INET)))) {
+ && (policy_is_reject_star(reachable_or_addr_policy, AF_INET, 0)
+ || policy_is_reject_star(reachable_dir_addr_policy, AF_INET, 0))) {
log_warn(LD_CONFIG, "You have set ClientUseIPv4 1, but "
"ReachableAddresses, ReachableORAddresses, or "
"ReachableDirAddresses reject all IPv4 addresses. "
"Tor will not connect using IPv4.");
} else if (fascist_firewall_use_ipv6(options)
- && ((reachable_or_addr_policy
- && policy_is_reject_star(reachable_or_addr_policy, AF_INET6))
- || (reachable_dir_addr_policy
- && policy_is_reject_star(reachable_dir_addr_policy, AF_INET6)))) {
+ && (policy_is_reject_star(reachable_or_addr_policy, AF_INET6, 0)
+ || policy_is_reject_star(reachable_dir_addr_policy, AF_INET6, 0))) {
log_warn(LD_CONFIG, "You have configured tor to use IPv6 "
"(ClientUseIPv6 1 or UseBridges 1), but "
"ReachableAddresses, ReachableORAddresses, or "
@@ -1084,8 +1078,8 @@ validate_addr_policies(const or_options_t *options, char **msg)
const int exitrelay_setting_is_auto = options->ExitRelay == -1;
const int policy_accepts_something =
- ! (policy_is_reject_star(addr_policy, AF_INET) &&
- policy_is_reject_star(addr_policy, AF_INET6));
+ ! (policy_is_reject_star(addr_policy, AF_INET, 1) &&
+ policy_is_reject_star(addr_policy, AF_INET6, 1));
if (server_mode(options) &&
! warned_about_exitrelay &&
@@ -2156,13 +2150,16 @@ exit_policy_is_general_exit(smartlist_t *policy)
}
/** Return false if <b>policy</b> might permit access to some addr:port;
- * otherwise if we are certain it rejects everything, return true. */
+ * otherwise if we are certain it rejects everything, return true. If no
+ * part of <b>policy</b> matches, return <b>default_reject</b>.
+ * NULL policies are allowed, and treated as empty. */
int
-policy_is_reject_star(const smartlist_t *policy, sa_family_t family)
+policy_is_reject_star(const smartlist_t *policy, sa_family_t family,
+ int default_reject)
{
- if (!policy) /*XXXX disallow NULL policies? */
- return 1;
- SMARTLIST_FOREACH_BEGIN(policy, addr_policy_t *, p) {
+ if (!policy)
+ return default_reject;
+ SMARTLIST_FOREACH_BEGIN(policy, const addr_policy_t *, p) {
if (p->policy_type == ADDR_POLICY_ACCEPT &&
(tor_addr_family(&p->addr) == family ||
tor_addr_family(&p->addr) == AF_UNSPEC)) {
@@ -2175,7 +2172,7 @@ policy_is_reject_star(const smartlist_t *policy, sa_family_t family)
return 1;
}
} SMARTLIST_FOREACH_END(p);
- return 1;
+ return default_reject;
}
/** Write a single address policy to the buf_len byte buffer at buf. Return
diff --git a/src/or/policies.h b/src/or/policies.h
index e134e68..20f58f2 100644
--- a/src/or/policies.h
+++ b/src/or/policies.h
@@ -100,7 +100,8 @@ void addr_policy_append_reject_addr_list(smartlist_t **dest,
const smartlist_t *addrs);
void policies_set_node_exitpolicy_to_reject_all(node_t *exitrouter);
int exit_policy_is_general_exit(smartlist_t *policy);
-int policy_is_reject_star(const smartlist_t *policy, sa_family_t family);
+int policy_is_reject_star(const smartlist_t *policy, sa_family_t family,
+ int reject_by_default);
char * policy_dump_to_string(const smartlist_t *policy_list,
int include_ipv4,
int include_ipv6);
diff --git a/src/or/router.c b/src/or/router.c
index 10498e8..b968072 100644
--- a/src/or/router.c
+++ b/src/or/router.c
@@ -2158,8 +2158,8 @@ router_build_fresh_descriptor(routerinfo_t **r, extrainfo_t **e)
&ri->exit_policy);
}
ri->policy_is_reject_star =
- policy_is_reject_star(ri->exit_policy, AF_INET) &&
- policy_is_reject_star(ri->exit_policy, AF_INET6);
+ policy_is_reject_star(ri->exit_policy, AF_INET, 1) &&
+ policy_is_reject_star(ri->exit_policy, AF_INET6, 1);
if (options->IPv6Exit) {
char *p_tmp = policy_summarize(ri->exit_policy, AF_INET6);
diff --git a/src/or/routerparse.c b/src/or/routerparse.c
index 9348466..a78d1ee 100644
--- a/src/or/routerparse.c
+++ b/src/or/routerparse.c
@@ -2206,7 +2206,7 @@ router_parse_entry_from_string(const char *s, const char *end,
}
}
- if (policy_is_reject_star(router->exit_policy, AF_INET) &&
+ if (policy_is_reject_star(router->exit_policy, AF_INET, 1) &&
(!router->ipv6_exit_policy ||
short_policy_is_reject_star(router->ipv6_exit_policy)))
router->policy_is_reject_star = 1;
diff --git a/src/test/test_policy.c b/src/test/test_policy.c
index 0d4a3b1..22f473f 100644
--- a/src/test/test_policy.c
+++ b/src/test/test_policy.c
@@ -258,14 +258,16 @@ test_policies_general(void *arg)
tt_assert(!cmp_addr_policies(policy2, policy2));
tt_assert(!cmp_addr_policies(NULL, NULL));
- tt_assert(!policy_is_reject_star(policy2, AF_INET));
- tt_assert(policy_is_reject_star(policy, AF_INET));
- tt_assert(policy_is_reject_star(policy10, AF_INET));
- tt_assert(!policy_is_reject_star(policy10, AF_INET6));
- tt_assert(policy_is_reject_star(policy11, AF_INET));
- tt_assert(policy_is_reject_star(policy11, AF_INET6));
- tt_assert(policy_is_reject_star(NULL, AF_INET));
- tt_assert(policy_is_reject_star(NULL, AF_INET6));
+ tt_assert(!policy_is_reject_star(policy2, AF_INET, 1));
+ tt_assert(policy_is_reject_star(policy, AF_INET, 1));
+ tt_assert(policy_is_reject_star(policy10, AF_INET, 1));
+ tt_assert(!policy_is_reject_star(policy10, AF_INET6, 1));
+ tt_assert(policy_is_reject_star(policy11, AF_INET, 1));
+ tt_assert(policy_is_reject_star(policy11, AF_INET6, 1));
+ tt_assert(policy_is_reject_star(NULL, AF_INET, 1));
+ tt_assert(policy_is_reject_star(NULL, AF_INET6, 1));
+ tt_assert(!policy_is_reject_star(NULL, AF_INET, 0));
+ tt_assert(!policy_is_reject_star(NULL, AF_INET6, 0));
addr_policy_list_free(policy);
policy = NULL;
More information about the tor-commits
mailing list