Opened 5 years ago

Closed 5 years ago

#13348 closed defect (wontfix)

Exit Policy Summary shows "reject 1-65535" although there are accept ports and exit connections

Reported by: toralf Owned by: rndm
Priority: Very Low Milestone:
Component: Metrics/Onionoo Version:
Severity: Keywords:
Cc: Actual Points:
Parent ID: Points:
Reviewer: Sponsor:

Description

I do have opened ports 80 and 443:

accept *:80
accept *:443

correctly shown both in arm and Globe stats. At the Tor server the program arm shows in addition already a few established exit connections.

Nevertheless both Atlas and Globe are telling me:

Exit Policy Summary reject

Change History (6)

comment:1 Changed 5 years ago by toralf

FWIW now it is correctly displayed - so the update of the "Summary" is delayed?

comment:2 Changed 5 years ago by karsten

Status: new → needs_information

Yes, there's a short delay of maybe an hour or two.

If you had to wait longer, do you mind posting the fingerprint and date/time when you updated your relay's configuration, so that I can take a look?

comment:3 Changed 5 years ago by toralf

Well, I was just wondering that the Summary is delayed whereas the details are shown immediately.
But if this is intended then it is not a bug.

comment:4 Changed 5 years ago by karsten

Component: Globe → Onionoo
Status: needs_information → new

Ah, I was misled by your mentioning of "arm" in the ticket description. Now I understand that Globe was telling you an "Exit Policy" with two ports open and at the same time an "Exit Policy Summary" with reject all. That's a (minor) bug in Onionoo then, though I'm not sure if there's an easy fix for it.

Here's what I think happened: your relay published a descriptor with accept *:80 accept *:443 shortly after 50 minutes of the hour, but the directory authorities base their vote on an earlier descriptor which still had reject *:*. The "Exit Policy" field is populated from the latest descriptor that Onionoo can find, which contains accept *:80 accept *:443, but "Exit Policy Summary" is generated by the directory authorities based on the earlier descriptor.

A possible fix might be to only consider a descriptor if it's referenced from the consensus, because that's the descriptor that directory authorities used to generate the summary. But that's a non-trivial change, and I cannot say what other effects that might have. Switching status back to new to think more about this.

comment:5 in reply to:  4 Changed 5 years ago by toralf

Replying to karsten:

Now I understand that Globe was telling you an "Exit Policy" with two ports open and at the same time an "Exit Policy Summary" with reject all.

yes - this irritated me

comment:6 Changed 5 years ago by karsten

Resolution: wontfix
Status: new → closed

I have been thinking about this, and I decided that the code changes to fix this rare edge case would be too complex and might possibly introduce new problems.

Instead I tried to explain this case better in the documentation:

diff --git a/web/protocol.html b/web/protocol.html
index dd7c833..dfbbdec 100644
--- a/web/protocol.html
+++ b/web/protocol.html
@@ -667,8 +667,12 @@ running in the last bridge network status.
 </h3>
 
 <p>
-Details documents are based on the network statuses published by the Tor
-directories and the server descriptors published by relays and bridges.
+Details documents are based on network statuses published by the Tor
+directories, server descriptors published by relays and bridges, and data
+published by Tor network services TorDNSEL and BridgeDB.
+Details documents use the most recently published data from these sources,
+which may lead to contradictions between fields based on different sources
+in rare edge cases.
 Details documents contain the following fields:
 </p>
 
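Review bot: The new sentence "which may lead to contradictions between fields based on different sources" does not tell the reader which field comes from which source, so a client cannot work out which pairs of fields can disagree. Consider naming the source in each field description, or at least pointing here to the exit-policy fields that carry the specific caveat further down.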
@@ -1070,6 +1074,9 @@ found.
 Array of exit-policy lines.
 Missing if router descriptor containing this information cannot be
 found.
+May contradict the <strong>"exit_policy_summary"</strong> field in a rare
+edge case: this happens when the relay changes its exit policy after the
+directory authorities summarized the previous exit policy.
 </p>
 </li>
 
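Review bot: The added "May contradict ..." sentence leaves implicit which of the two fields is the stale one. "after the directory authorities summarized the previous exit policy" implies this field holds the newer policy; saying so outright would let a client decide which value to show.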
@@ -1084,6 +1091,9 @@ version of the relay's exit policy containing a dictionary
 If there is an "accept" ("reject") element, the relay accepts (rejects)
 all TCP ports or port ranges in the given list for most IP addresses and
 rejects (accepts) all other ports.
+May contradict the <strong>"exit_policy"</strong> field in a rare edge
+case: this happens when the relay changes its exit policy after the
+directory authorities summarized the previous exit policy.
 </p>
 </li>
 
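Review bot: The added sentence repeats the wording from the "exit_policy" entry verbatim and does not say whether the mismatch is temporary. If the summary catches up once the directory authorities summarize the new policy, state that here, since this is the field that lags.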
@@ -1098,6 +1108,9 @@ If there is an "accept" ("reject") element, the relay acce
 all TCP ports or port ranges in the given list for most IP addresses and
 rejects (accepts) all other ports.
 Missing if the relay rejects all connections to IPv6 addresses.
+May contradict the <strong>"exit_policy_summary"</strong> field in a rare
+edge case: this happens when the relay changes its exit policy after the
+directory authorities summarized the previous exit policy.
 </p>
 </li>

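Review bot: The added sentence here names "exit_policy_summary" as the field it may contradict, while the preceding summary entry names "exit_policy". If that is intended, add a few words on why this entry is compared against the other summary rather than against "exit_policy"; if not, it looks like the sentence was copied from the "exit_policy" entry.
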
Sorry for the confusion. Closing as wontfix.
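
The mismatch explained in comment:4 and documented by the patch in comment:6 can be detected on the client side by comparing the two fields of a details entry. The following is an added example, not part of the ticket or of Onionoo's code; the function names and sample entries are constructed, and as a simplifying assumption only exit-policy rules with address `*` are evaluated.

```python
ALL_PORTS = set(range(1, 65536))

def parse_ports(spec):
    """Turn "*", "80" or "1-1024" into an inclusive set of ports."""
    if spec == "*":
        return set(ALL_PORTS)
    low, _, high = spec.partition("-")
    return set(range(int(low), int(high or low) + 1))

def ports_from_policy(lines):
    """First-match-wins evaluation of exit-policy lines.

    Assumption: only rules with address "*" are evaluated; address-specific
    rules are skipped, approximating "for most IP addresses".
    """
    accepted, decided = set(), set()
    for line in lines:
        action, target = line.split()
        addr, _, port_spec = target.rpartition(":")
        if addr != "*":
            continue
        ports = parse_ports(port_spec) - decided
        if action == "accept":
            accepted |= ports
        decided |= ports
    return accepted  # ports never matched count as rejected

def ports_from_summary(summary):
    """Expand {"accept": [...]} or {"reject": [...]} into accepted ports."""
    key = "accept" if "accept" in summary else "reject"
    listed = set()
    for spec in summary[key]:
        listed |= parse_ports(spec)
    return listed if key == "accept" else ALL_PORTS - listed

def policy_contradiction(relay):
    """Sorted ports on which the two fields disagree ([] if none)."""
    if "exit_policy" not in relay or "exit_policy_summary" not in relay:
        return []  # either field may be missing from a details document
    return sorted(ports_from_policy(relay["exit_policy"])
                  ^ ports_from_summary(relay["exit_policy_summary"]))

# Constructed entries mirroring the ticket: new descriptor, old summary.
POLICY = ["accept *:80", "accept *:443", "reject *:*"]
STALE = {"exit_policy": POLICY, "exit_policy_summary": {"reject": ["1-65535"]}}
FRESH = {"exit_policy": POLICY, "exit_policy_summary": {"accept": ["80", "443"]}}
```

A non-empty result for an entry means its summary was built from an older descriptor than the one behind "exit_policy".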
