[tor-relays] Possible problem with NYX
teor at riseup.net
Wed Sep 5 05:56:37 UTC 2018
> On 5 Sep 2018, at 02:36, Damian Johnson <atagar at torproject.org> wrote:
> Nyx's 'should this be scrubbed' check is pretty simple .
> Inbound addresses are scrubbed if...
> 1. You're configured to accept user traffic (ie. you set BridgeRelay
> in your torrc or have receive the Guard flag). 
There are so many edge cases for this check.
Flags are a *recommendation* to clients. They don't force clients
to behave a certain way.
* clients connecting via bridges can use a middle node as their
second hop. These middle nodes will leak bridge addresses via nyx.
* clients and relays can have different consensuses:
* if a relay loses the Guard flag, and finds out earlier than its clients,
nyx will stop protecting those clients
* if a client finds out before the relay, nyx won't protect those clients
* some Tor client versions don't check the guard flag at all. Others
keep their guards, even if they lose the flag
* middle and exit relays can be used as bridges, even if they don't set
* older Tor versions have a non-zero probability of choosing any relay
as an entry, even if it doesn't have the guard flag
* various config options make tor clients ignore the Guard flag
Please only show an IP if the relay is already public in the consensus.
> 2. The connection doesn't belong to a another tor relay. 
>  https://gitweb.torproject.org/nyx.git/tree/nyx/panel/connection.py#n230
>  https://gitweb.torproject.org/stem.git/tree/stem/control.py
>  In particular, we check if the address/port is in the consensus.
You could also check if the connection is authenticated to a public relay.
But the IP check works in most cases, and if it fails, it's ok to keep more
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the tor-relays