Opened 5 years ago

Closed 5 years ago

#16053 closed defect (fixed)

Stem errors when it sees reject6 or accept6 exit policies

Reported by: atagar
Owned by: atagar
Priority: Medium
Milestone:
Component: Archived/Stem
Version:
Severity: Normal
Keywords: controller
Cc:
Actual Points:
Parent ID:
Points:
Reviewer:
Sponsor:


Tor has a couple exit policy keywords (reject6 and accept6) which break just about any bit of Stem that reads exit policies.

10:55 < toralf> atagar: "ExitPolicy reject6 *:*" raises in
controller.get_exit_policy() : ValueError: An exit policy should have
a space separating its accept/reject from the exit pattern: reject6

11:07 < atagar> toralf: Interesting! I keep an eye on changes to the
control and directory specifications but this didn't include a change
to either so 'reject6' is a surprise for me. Joy, guess this'll
warrant a hotfix for the recent 1.4.0 release.

11:07 < atagar> Thanks for the heads up. :P

Definitely something we should fix. Nyx evidently had a longstanding issue around this too (#10579). Not an overly big whoop though. First, they're extremely rare and second, unless I'm missing something they're pointless. Exit policy addresses fall into three camps...

  • wildcard (for instance 'accept *:80')
  • ipv4 (for instance 'accept')
  • ipv6 (for instance 'accept [0000:0000:0000:0000:0000:0000:0000:0000]/64:80')

The first camp (wildcards) matches against ipv4 or ipv6. The latter two are for ipv4-only or ipv6-only policy rules. Or at least that's how Stem treats it.

Unless I'm missing something reject6 is just an alias for... what? The man page entry added as part of #12878 is the only description it seems to have ever gotten, and personally I can't say I'm finding it too illuminating.

Change History (10)

comment:1 Changed 5 years ago by atagar

Component: changed from - Select a component to Stem
Keywords: controller added
Owner: set to atagar

comment:2 Changed 5 years ago by toralf

By the way, does Onionoo suffer from a similar problem?
I do have 2 different exit policies for ipv6 (just 6 rules) and ipv4 (reduced exit policy) but the status page shows the ipv6 rule set for ipv4 too:

comment:3 Changed 5 years ago by atagar

By the way, does Onionoo suffer from a similar problem?

Seems so. Onionoo uses metricslib (Karsten's Java library) so feel free to file a separate ticket about that.

comment:4 Changed 5 years ago by atagar

Filed #16103 to clarify how these should be handled.

comment:5 Changed 5 years ago by toralf

And - important for a tor exit node maintainer - do I need both lines:

ExitPolicy reject *:*
ExitPolicy reject6 *:*


comment:6 Changed 5 years ago by atagar

From my understanding including most of those lines should result in the following in your server descriptor...

reject *:*  # rejects all IPv4
ipv6-policy reject 1-65536  # reject all IPv6, this is the default so might be omitted

However, as mentioned by karsten on #16069 seems tor might have some bugs around this.

comment:7 Changed 5 years ago by atagar

bah, s/including most of those lines/including those lines

comment:8 Changed 5 years ago by teor

Severity: Normal

Note: the accept6/reject6 behaviour changed in so that accept6/reject6 produce rules that only apply to IPv6 addresses. (The previous behaviour was counter-intuitive.)

(However, accept/reject[6] private still includes all private addresses.)

Full details are in the man page.

comment:9 Changed 5 years ago by atagar

Hi toralf, you dropped off irc so replying here...

10:48 < toralf> atagar: I do wonder, why stem (1.4.0 + patched to latest git) complains about this : "An exit policy should have a space separating its accept/reject from the exit pattern: reject6 [2a01:4f8:190:514a::]/64" whereas the next config line : "ExitPolicy reject6 [2002::]/16" seems to be fine for stem
10:48 < toralf> atagar: or does stem just put this warnings once ?

You've mentioned this three times on irc (the first that caused this ticket). If this is important to you then patches are more than welcome. Suspecting you just forgot this ticket exists. :)

comment:10 Changed 5 years ago by atagar

Resolution: fixed
Status: changed from new to closed

Thanks to teor we now support accept6/reject6, *4, and *6 wildcards. Feel free to reopen if I missed anything.
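
The keyword handling discussed in this ticket, as an added example (not Stem's code and not posted by anyone in the thread): a small rule parser that accepts accept6/reject6 and the *4/*6 wildcards and reports which address families a rule can match. The name `parse_rule` and its return shape are assumptions, and treating an omitted port as `*` follows tor's `ADDR[/MASK][:PORT]` policy syntax.

```python
import ipaddress
import re

# keyword, optional "6", then ADDR[/MASK][:PORT]; ADDR may be a bracketed IPv6 address
RULE = re.compile(
    r'^(accept|reject)(6?)\s+'
    r'(\[[^\]]+\]|[^:/\[\]\s]+)(?:/([^:\s]+))?(?::(\S+))?$')


def parse_rule(line):
    """Return (is_accept, families, address, ports) for one exit policy rule.

    families is the set of IP versions (4 and/or 6) the rule can match.
    Masks are accepted but not validated, and the 'private' alias is not
    handled: this is a sketch of the keyword handling only.
    """
    match = RULE.match(line.strip())
    if not match:
        raise ValueError('malformed exit policy rule: %r' % line)
    action, six, address, _mask, ports = match.groups()
    address = address.strip('[]')

    if address == '*':
        families = {4, 6}            # plain wildcard covers both families
    elif address in ('*4', '*6'):
        families = {int(address[1])}  # family-specific wildcard
    else:
        # raises ValueError for anything that is not an IP literal
        families = {ipaddress.ip_address(address).version}

    if six:
        # accept6/reject6 only yield IPv6 rules, so an IPv4 address
        # under these keywords leaves nothing for the rule to match.
        families &= {6}

    return action == 'accept', families, address, ports or '*'


if __name__ == '__main__':
    # Constructed sample lines, using the forms quoted in the ticket.
    for sample in ('reject *:*', 'reject6 *:*',
                   'reject6 [2a01:4f8:190:514a::]/64', 'accept *4:80'):
        print(sample, '->', parse_rule(sample))
```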
