Opened 7 years ago

Closed 7 years ago

#7190 closed defect (fixed)

tor client ignores ClientRejectInternalAddresses when considering short exit policies

Reported by: arma
Owned by:
Priority: Medium
Milestone: Tor: 0.2.3.x-final
Component: Core Tor/Tor
Version: Tor: 0.2.3.23-rc
Severity:
Keywords: tor-client, regression
Cc: robgjansen
Actual Points:
Parent ID:
Points:
Reviewer:
Sponsor:

Description

Erik Kline found that when setting up an internal Tor network using 0.2.3, even if the exit relays support exiting to an 'internal' IP address, the client preemptively refuses to do so.

Here's the patch he provides:

diff -rupN tmp/tor-0.2.3.20-rc/src/or/policies.c tor-0.2.3.20-rc/src/or/policies.c
--- tmp/tor-0.2.3.20-rc/src/or/policies.c       2012-08-04 22:24:35.000000000 -0700
+++ tor-0.2.3.20-rc/src/or/policies.c   2012-09-11 10:28:19.000000000 -0700
@@ -1428,13 +1428,13 @@ compare_tor_addr_to_short_policy(const t
   int found_match = 0;
   int accept;
   (void)addr;
-
   tor_assert(port != 0);
 
   if (addr && tor_addr_is_null(addr))
     addr = NULL; /* Unspec means 'no address at all,' in this context. */

-  if (addr && (tor_addr_is_internal(addr, 0) ||
+  if (addr && ((tor_addr_is_internal(addr, 0) 
+               && get_options()->ClientRejectInternalAddresses) ||
                tor_addr_is_loopback(addr)))
     return ADDR_POLICY_REJECTED;
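
Review bot: in the rewritten condition only the tor_addr_is_internal(addr, 0) arm is gated on get_options()->ClientRejectInternalAddresses, while tor_addr_is_loopback(addr) still returns ADDR_POLICY_REJECTED unconditionally; if that asymmetry is intended, a comment on the condition should say so, because someone running a test network will expect the option to govern both. compare_tor_addr_to_short_policy() now also depends on global configuration through get_options(), which is worth noting in the function's documentation. Style: the first added line ends in trailing whitespace and moves `&&` to the start of the continuation line where the existing code ends lines with `||`, and the hunk drops the blank line before tor_assert(port != 0), which is unrelated to the fix.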

Change History (9)

comment:1 Changed 7 years ago by arma

Status: new → needs_review

bug7190 in my git

comment:2 Changed 7 years ago by arma

i'm going to try to get erik to try my patch this week while i'm here (since it is different than his patch)

comment:3 Changed 7 years ago by nickm

Any chance this could be an 0.2.4 item? Looks okay other than that.

comment:4 Changed 7 years ago by arma

Cc: robgjansen added

I'll check with Erik tomorrow about whether putting it in 0.2.3 will be more useful for him (it basically torpedos 0.2.3 for internal test networks).

Hey, speaking of which: Rob, how come this bug doesn't affect you? :)

comment:5 in reply to:  4 ; Changed 7 years ago by robgjansen

Replying to arma:

> Hey, speaking of which: Rob, how come this bug doesn't affect you? :)

My exit policies are "accept *:*", as I at one point feared that anything else would be too restrictive for my small test networks.

comment:6 in reply to:  5 ; Changed 7 years ago by arma

Replying to robgjansen:

> Replying to arma:
>
> > Hey, speaking of which: Rob, how come this bug doesn't affect you? :)
>
> My exit policies are "accept *:*", as I at one point feared that anything else would be too restrictive for my small test networks.

Do you use real (not RFC1918) IP address space?

comment:7 in reply to:  6 Changed 7 years ago by robgjansen

Replying to arma:

> Replying to robgjansen:
>
> > Replying to arma:
> >
> > > Hey, speaking of which: Rob, how come this bug doesn't affect you? :)
> >
> > My exit policies are "accept *:*", as I at one point feared that anything else would be too restrictive for my small test networks.
>
> Do you use real (not RFC1918) IP address space?

We currently use an integer counter to assign 32-bit IPs, starting from an arbitrarily small value. Fixing that behavior is on the docket: https://github.com/shadow/shadow/issues/39

comment:8 in reply to:  4 Changed 7 years ago by arma

Replying to arma:

> I'll check with Erik tomorrow about whether putting it in 0.2.3 will be more useful for him (it basically torpedos 0.2.3 for internal test networks).

I think Erik is going to continue his "build from source, apply his own patches" plan for the next few months, since it's working fine. So he doesn't care what version we put this patch in.

That said, since it's a regression (it worked in 0.2.2 and doesn't work in 0.2.3), I'm inclined to put it in 0.2.3.

comment:9 Changed 7 years ago by arma

Resolution: fixed
Status: needs_review → closed

Merged it.
