Opened 9 years ago

Closed 9 years ago

Last modified 7 years ago

#2366 closed defect (fixed)

Sync relay's policy with published descriptor.

Reported by: postman Owned by:
Priority: Medium Milestone: Tor: 0.2.2.x-final
Component: Core Tor/Tor Version:
Severity: Keywords: dns reject policy tor-relay
Cc: Actual Points:
Parent ID: Points:
Reviewer: Sponsor:

Description

If DNS is screwed up, an exit relay doesn't claim to be an exit, so it publishes a descriptor with a "reject star" policy. But it still behaves like an exit: it fetches extra stuff, etc. The relay's own policy needs to be synced with what clients use.

--- router.c.origin	Mon Jan  3 22:25:30 2011
+++ router.c	Sun Jan  9 14:52:34 2011
@@ -1414,6 +1414,14 @@
   policies_parse_exit_policy(options->ExitPolicy, &ri->exit_policy,
                              options->ExitPolicyRejectPrivate,
                              ri->address, !options->BridgeRelay);
+
+  if (dns_seems_to_be_broken() || has_dns_init_failed()) {
+    addr_policy_list_free(ri->exit_policy);
+    ri->exit_policy = NULL; /* empty */
+    policies_parse_exit_policy(NULL, &ri->exit_policy, 0, NULL, 0);
+    if (!ri->exit_policy || !policy_is_reject_star(ri->exit_policy))
+      log_warn(LD_BUG, "Unable to produce reject star policy");
+  }
   ri->policy_is_reject_star =
     policy_is_reject_star(ri->exit_policy);
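Review bot: When the reject-star check in the added block fails, the code only logs at LD_BUG and carries on with whatever `ri->exit_policy` holds, and the int result of `policies_parse_exit_policy()` is never looked at. For a relay whose DNS is broken the safer failure is to end up with no exit policy at all, since the serializer hunk further down this page writes `reject *:*` for a NULL or empty list. Consider following the `log_warn` with `addr_policy_list_free(ri->exit_policy); ri->exit_policy = NULL;`, with braces around both statements. Whether `policy_is_reject_star()` accepts NULL is not visible here, so check that before relying on it. The same block appears in the revisions in comment:1 and comment:2, and the enclosing function starts and ends outside the hunk.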

Child Tickets

Change History (7)

comment:1 Changed 9 years ago by postman

Extended version:

--- router.c.origin	Mon Jan  3 22:25:30 2011
+++ router.c	Sun Jan  9 16:34:36 2011
@@ -1414,6 +1414,15 @@
   policies_parse_exit_policy(options->ExitPolicy, &ri->exit_policy,
                              options->ExitPolicyRejectPrivate,
                              ri->address, !options->BridgeRelay);
+
+  if (dns_seems_to_be_broken() || has_dns_init_failed()) {
+    /* DNS is screwed up; don't claim to be an exit. */
+    addr_policy_list_free(ri->exit_policy);
+    ri->exit_policy = NULL; /* empty */
+    policies_parse_exit_policy(NULL, &ri->exit_policy, 0, NULL, 0);
+    if (!ri->exit_policy || !policy_is_reject_star(ri->exit_policy))
+      log_warn(LD_BUG, "Unable to produce reject star policy");
+  }
   ri->policy_is_reject_star =
     policy_is_reject_star(ri->exit_policy);
 
@@ -1865,9 +1874,7 @@
   }
 
   /* Write the exit policy to the end of 's'. */
-  if (dns_seems_to_be_broken() || has_dns_init_failed() ||
-      !router->exit_policy || !smartlist_len(router->exit_policy)) {
-    /* DNS is screwed up; don't claim to be an exit. */
+  if (!router->exit_policy || !smartlist_len(router->exit_policy)) {
     strlcat(s+written, "reject *:*\n", maxlen-written);
     written += strlen("reject *:*\n");
     tmpe = NULL;
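Review bot: With the DNS test removed from this condition, the serializer writes whatever `router->exit_policy` holds, so the reject-star decision is now taken once, when the routerinfo is built, instead of each time the descriptor is dumped. Nothing on this page shows the descriptor being regenerated when `dns_seems_to_be_broken()` starts returning true after the routerinfo was built; if that is not guaranteed elsewhere, a relay could keep publishing its full exit policy while unable to resolve names. It is worth confirming that path and recording the dependency here, e.g. `/* DNS failure is already reflected in router->exit_policy by the code that builds the routerinfo. */`. The same change is repeated in the revisions in comment:2 and comment:3, and the function body extends beyond the hunk on both sides.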

comment:2 Changed 9 years ago by postman

Extended of extended version:

--- router.c.origin	Mon Jan  3 22:25:30 2011
+++ router.c	Sun Jan  9 18:31:32 2011
@@ -1411,9 +1411,16 @@
 
   ri->bandwidthcapacity = hibernating ? 0 : rep_hist_bandwidth_assess();
 
-  policies_parse_exit_policy(options->ExitPolicy, &ri->exit_policy,
-                             options->ExitPolicyRejectPrivate,
-                             ri->address, !options->BridgeRelay);
+  if (dns_seems_to_be_broken() || has_dns_init_failed()) {
+    /* DNS is screwed up; don't claim to be an exit. */
+    policies_parse_exit_policy(NULL, &ri->exit_policy, 0, NULL, 0);
+    if (!ri->exit_policy || !policy_is_reject_star(ri->exit_policy))
+      log_warn(LD_BUG, "Unable to produce reject star policy");
+  } else {
+    policies_parse_exit_policy(options->ExitPolicy, &ri->exit_policy,
+                               options->ExitPolicyRejectPrivate,
+                               ri->address, !options->BridgeRelay);
+  }
   ri->policy_is_reject_star =
     policy_is_reject_star(ri->exit_policy);
 
@@ -1865,9 +1872,7 @@
   }
 
   /* Write the exit policy to the end of 's'. */
-  if (dns_seems_to_be_broken() || has_dns_init_failed() ||
-      !router->exit_policy || !smartlist_len(router->exit_policy)) {
-    /* DNS is screwed up; don't claim to be an exit. */
+  if (!router->exit_policy || !smartlist_len(router->exit_policy)) {
     strlcat(s+written, "reject *:*\n", maxlen-written);
     written += strlen("reject *:*\n");
     tmpe = NULL;

comment:3 Changed 9 years ago by postman

Extended of extended of extended version:

--- policies.h.origin	Mon Jan  3 22:25:30 2011
+++ policies.h	Sun Jan  9 18:46:58 2011
@@ -48,6 +48,7 @@
 int policies_parse_exit_policy(config_line_t *cfg, smartlist_t **dest,
                                int rejectprivate, const char *local_address,
                                int add_default_policy);
+void policies_exit_policy_append_reject_star(smartlist_t **dest);
 void policies_set_node_exitpolicy_to_reject_all(node_t *exitrouter);
 int exit_policy_is_general_exit(smartlist_t *policy);
 int policy_is_reject_star(const smartlist_t *policy);

--- policies.c.origin	Mon Jan  3 22:25:30 2011
+++ policies.c	Sun Jan  9 18:53:18 2011
@@ -875,6 +875,13 @@
   return 0;
 }
 
+/** DOC */
+void
+policies_exit_policy_append_reject_star(smartlist_t **dest)
+{
+  append_exit_policy_string(dest, "reject *:*");
+}
+
 /** Replace the exit policy of <b>node</b> with reject *:* */
 void
 policies_set_node_exitpolicy_to_reject_all(node_t *node)
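Review bot: `/** DOC */` above `policies_exit_policy_append_reject_star()` is a placeholder and should be replaced before merge. The body only appends, so entries already in `*dest` stay ahead of the new rule and the result is reject-star only when the list starts out empty. The router.c caller in this revision passes `&ri->exit_policy` without clearing or checking it, and whether the list is empty at that point is not visible in its hunk. Suggested text: `/** Append a "reject *:*" entry to the exit policy in *<b>dest</b>; existing entries are kept, so pass an empty list to get a reject-all policy. */`.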

--- router.c.origin	Mon Jan  3 22:25:30 2011
+++ router.c	Sun Jan  9 18:48:06 2011
@@ -1411,9 +1411,14 @@
 
   ri->bandwidthcapacity = hibernating ? 0 : rep_hist_bandwidth_assess();
 
-  policies_parse_exit_policy(options->ExitPolicy, &ri->exit_policy,
-                             options->ExitPolicyRejectPrivate,
-                             ri->address, !options->BridgeRelay);
+  if (dns_seems_to_be_broken() || has_dns_init_failed()) {
+    /* DNS is screwed up; don't claim to be an exit. */
+    policies_exit_policy_append_reject_star(&ri->exit_policy);
+  } else {
+    policies_parse_exit_policy(options->ExitPolicy, &ri->exit_policy,
+                               options->ExitPolicyRejectPrivate,
+                               ri->address, !options->BridgeRelay);
+  }
   ri->policy_is_reject_star =
     policy_is_reject_star(ri->exit_policy);
 
@@ -1865,9 +1870,7 @@
   }
 
   /* Write the exit policy to the end of 's'. */
-  if (dns_seems_to_be_broken() || has_dns_init_failed() ||
-      !router->exit_policy || !smartlist_len(router->exit_policy)) {
-    /* DNS is screwed up; don't claim to be an exit. */
+  if (!router->exit_policy || !smartlist_len(router->exit_policy)) {
     strlcat(s+written, "reject *:*\n", maxlen-written);
     written += strlen("reject *:*\n");
     tmpe = NULL;

comment:4 Changed 9 years ago by nickm

Milestone: Tor: 0.2.2.x-final
Status: new → needs_review

comment:5 Changed 9 years ago by nickm

Resolution: fixed
Status: needs_review → closed

This looks correct to me. I'm adding a changes file and merging it into 0.2.2. Thanks!

comment:6 Changed 7 years ago by nickm

Keywords: tor-relay added

comment:7 Changed 7 years ago by nickm

Component: Tor Relay → Tor