Clients with NoIPv4Traffic should only choose IPv6-supporting Exits
Tor logs a warning when this happens in connection_ap_get_begincell_flags(), but it should actually fail.
Earlier in the process, it should choose an IPv6-supporting exit when NoIPv4Traffic is set (and choose an IPv4-supporting exit when NoIPv6 traffic is set).
Activity
changed milestone to %Tor: 0.3.5.x-final
Trac:
Status: new to assigned
Owner: N/A to neel
Cc: N/A to neel@neelc.orgin
connection_ap_get_begincell_flags(), would it be okay that in:if (!ap_conn->entry_cfg.ipv4_traffic) flags |= BEGIN_FLAG_IPV4_NOT_OK;I add an
||withoptions->NoIPv4Trafficin theifstatement.And here:
if (ap_conn->entry_cfg.ipv6_traffic && exitnode) { tor_addr_t a; tor_addr_make_null(&a, AF_INET6); if (compare_tor_addr_to_node_policy(&a, ap_conn->socks_request->port, exitnode) != ADDR_POLICY_REJECTED) { /* Only say "IPv6 OK" if the exit node supports IPv6. Otherwise there's * no point. */ flags |= BEGIN_FLAG_IPV6_OK; } }I add an
&&with!options->NoIPv6Trafficin theifstatement.Is this correct, or should I do something else instead?
UPDATE: correct a paragraph.
Replying to neel:
in
connection_ap_get_begincell_flags(), would it be okay that in:{{{ if (!ap_conn->entry_cfg.ipv4_traffic) flags |= BEGIN_FLAG_IPV4_NOT_OK; }}}
I add an
||withoptions->NoIPv4Trafficin theifstatement.And here:
{{{ if (ap_conn->entry_cfg.ipv6_traffic && exitnode) { tor_addr_t a; tor_addr_make_null(&a, AF_INET6); if (compare_tor_addr_to_node_policy(&a, ap_conn->socks_request->port, exitnode) != ADDR_POLICY_REJECTED) { /* Only say "IPv6 OK" if the exit node supports IPv6. Otherwise there's * no point. */ flags |= BEGIN_FLAG_IPV6_OK; } } }}}
I add an
&&with!options->NoIPv6Trafficin theifstatement.Is this correct, or should I do something else instead?
UPDATE: correct a paragraph.
NoIPv4Traffic is not in options.
It is a SOCKSPort option flag, and it is the same as
!ap_conn->entry_cfg.ipv4_trafficandap_conn->entry_cfg.ipv6_traffic.You need to:
- modify exit selection before the circuit so that only exits that support IPv6 are chosen when
!ap_conn->entry_cfg.ipv4_traffic - modify stream attachment after the circuit is built so that only streams with exits that support IPv6 are chosen when
!ap_conn->entry_cfg.ipv4_traffic
- modify exit selection before the circuit so that only exits that support IPv6 are chosen when
Thank you again.
Sorry to ask you one more time, but I have a few more questions:
- Is
connection_ap_attach_pending()the stream attachment code? - Would it be okay to use
node_has_ipv6_addr()ornode_has_ipv6_orport()along with checking for!ap_conn->entry_cfg.ipv4_trafficto see if a node has IPv6 support? If so, wouldnode_has_ipv6_addr()suffice or would I neednode_has_ipv6_orport()?
- Is
Replying to neel:
Thank you again.
Sorry to ask you one more time, but I have a few more questions:
- Is
connection_ap_attach_pending()the stream attachment code?
Yes.
- Would it be okay to use
node_has_ipv6_addr()ornode_has_ipv6_orport()along with checking for!ap_conn->entry_cfg.ipv4_trafficto see if a node has IPv6 support? If so, wouldnode_has_ipv6_addr()suffice or would I neednode_has_ipv6_orport()?
No, these functions check for an IPv6 ORPort. You need to check for an IPv6 exit policy that allows exiting to the port in the request.
When building a circuit, use exit_policy_is_general_exit(), but add a "sa_family_t family" argument to it for IPv6. It should look a bit like policy_is_reject_star().
When attaching a stream, use compare_tor_addr_to_node_policy() with a NULL address for a domain, or the IPv6 address.
- Is
Also, in
connection_ap_can_use_exit(), if I callexit_policy_is_general_exit(), I think I am getting a NULLexit_policyif I access it viaexit_node->ri->exit_policy. Inmicrodesc_t, theexit_policyis ashort_policy_t.What is the right way to get an exit policy in
connection_ap_can_use_exit()to pass toexit_policy_is_general_exit()?Thank you so much for your help.
My patch is almost ready, but I have two more questions before I finish.
Should I:
- Modify the code to only choose IPv4 exits before the circuit if
!ap_conn->entry_cfg.ipv6_trafficis set? - Modify the code to only choose IPv4 exits in the stream attachment if
!ap_conn->entry_cfg.ipv4_trafficis set?
- Modify the code to only choose IPv4 exits before the circuit if
I have a branch on GitHub which addresses this patch. The URL is: https://github.com/neelchauhan/tor/tree/b21346-001
It checks for IPv6-capable exits if
!ap_conn->entry_cfg.ipv4_trafficis set but not for IPv4-capable exits if!ap_conn->entry_cfg.ipv4_trafficis set. If you need the latter, I can add it.
Hmmm... I think the approach here is not ideal. It seems that the patch is looking at the choosen exit node if we can use it with IPv6 and then unmark it.
Instead, shouldn't we pick the node in the first place with IPv6 exit policy and not fail later? The function
connection_ap_can_use_exit()seems to already performing validation on the exit node if the we have no IPv4 but IPv6 enabled.So I think we should do this filtering around
circuit_get_best()?Trac:
Status: needs_review to needs_revision
