[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

[tor-commits] [tor/master] Split "can reach ipv4 orport" from "can reach ipv6 orport".



commit bc9979a670026004bf0a516bd38a25251ca6d9bb
Author: Nick Mathewson <nickm@xxxxxxxxxxxxxx>
Date:   Thu Jun 18 16:05:16 2020 -0400

    Split "can reach ipv4 orport" from "can reach ipv6 orport".
    
    I've managed to keep this change mainly contained to our
    self-testing module.  The changes here are:
    
      * There are two different variables for tracking "is our orport
        reachable".
    
      * We have a new function that says whether we can skip a single
        family's orport reachability test; the old function for this now
        tells whether we can skip _all_ orport reachability testing.
    
        (The name, router_should_skip_orport_reachability_test, is not
        so good.  I will rename it later if I can think of a good
        replacement.)
    
      * The function that launches orport reachability tests now only
        launches the ones that haven't completed.
    
      * The function that notes that we're reachable on an ORPort now
        takes a family.
    
      * Various log messages are cleaned up.
---
 changes/ticket34067                    |   4 +
 src/feature/relay/circuitbuild_relay.c |   6 +-
 src/feature/relay/relay_periodic.c     |  44 +++++++---
 src/feature/relay/selftest.c           | 141 +++++++++++++++++++++++++--------
 src/feature/relay/selftest.h           |  13 ++-
 5 files changed, 163 insertions(+), 45 deletions(-)

diff --git a/changes/ticket34067 b/changes/ticket34067
new file mode 100644
index 000000000..b67ccf608
--- /dev/null
+++ b/changes/ticket34067
@@ -0,0 +1,4 @@
+  o Major features (relay self-testing, IPv6):
+    - Relays now track their IPv6 ORPort separately from the reachability of
+      their IPv4 ORPort.  They will not publish a descriptor unless _both_
+      ports appear to be externally reachable. Closes ticket 34067.
diff --git a/src/feature/relay/circuitbuild_relay.c b/src/feature/relay/circuitbuild_relay.c
index b89866b47..4a7f639ca 100644
--- a/src/feature/relay/circuitbuild_relay.c
+++ b/src/feature/relay/circuitbuild_relay.c
@@ -542,7 +542,11 @@ onionskin_answer(struct or_circuit_t *circ,
     /* record that we could process create cells from a non-local conn
      * that we didn't initiate; presumably this means that create cells
      * can reach us too. */
-    router_orport_found_reachable();
+    tor_addr_t remote_addr;
+    if (channel_get_addr_if_possible(circ->p_chan, &remote_addr)) {
+      int family = tor_addr_family(&remote_addr);
+      router_orport_found_reachable(family);
+    }
   }
 
   return 0;
diff --git a/src/feature/relay/relay_periodic.c b/src/feature/relay/relay_periodic.c
index 6a92f49d2..3171dffa5 100644
--- a/src/feature/relay/relay_periodic.c
+++ b/src/feature/relay/relay_periodic.c
@@ -202,19 +202,45 @@ reachability_warnings_callback(time_t now, const or_options_t *options)
     /* every 20 minutes, check and complain if necessary */
     const routerinfo_t *me = router_get_my_routerinfo();
     if (me && !router_should_skip_orport_reachability_check(options)) {
-      char *address = tor_dup_ip(me->addr);
-      if (address) {
+      /* We need to warn that one or more of our ORPorts isn't reachable.
+       * Determine which, and give a reasonable warning. */
+      char *address4 = tor_dup_ip(me->addr);
+      char *address6 = tor_addr_to_str_dup(&me->ipv6_addr);
+      bool v4_ok =
+        router_should_skip_orport_reachability_check_family(options,AF_INET);
+      bool v6_ok =
+        router_should_skip_orport_reachability_check_family(options,AF_INET6);
+      if (address4 || address6) {
+        char *where4=NULL, *where6=NULL;
+        if (!v4_ok)
+          tor_asprintf(&where4, "%s:%d", address4, me->or_port);
+        if (!v6_ok)
+          tor_asprintf(&where6, "[%s]:%d", address6, me->or_port);
+        const char *opt_and = (!v4_ok && !v6_ok) ? "and" : "";
+
         log_warn(LD_CONFIG,
-                 "Your server (%s:%d) has not managed to confirm that "
-                 "its ORPort is reachable. Relays do not publish descriptors "
+                 "Your server has not managed to confirm reachability for "
+                 "its ORPort(s) at %s%s%s. Relays do not publish descriptors "
                  "until their ORPort and DirPort are reachable. Please check "
                  "your firewalls, ports, address, /etc/hosts file, etc.",
-                 address, me->or_port);
-        control_event_server_status(LOG_WARN,
-                                    "REACHABILITY_FAILED ORADDRESS=%s:%d",
-                                    address, me->or_port);
-        tor_free(address);
+                 where4?where4:"",
+                 opt_and,
+                 where6?where6:"");
+        tor_free(where4);
+        tor_free(where6);
+        if (!v4_ok) {
+          control_event_server_status(LOG_WARN,
+                                      "REACHABILITY_FAILED ORADDRESS=%s:%d",
+                                      address4, me->or_port);
+        }
+        if (!v6_ok) {
+          control_event_server_status(LOG_WARN,
+                                      "REACHABILITY_FAILED ORADDRESS=[%s]:%d",
+                                      address6, me->ipv6_orport);
+        }
       }
+      tor_free(address4);
+      tor_free(address6);
     }
 
     if (me && !router_should_skip_dirport_reachability_check(options)) {
diff --git a/src/feature/relay/selftest.c b/src/feature/relay/selftest.c
index 834e8cf0a..7dc579c19 100644
--- a/src/feature/relay/selftest.c
+++ b/src/feature/relay/selftest.c
@@ -44,8 +44,12 @@
 #include "feature/relay/router.h"
 #include "feature/relay/selftest.h"
 
-/** Whether we can reach our ORPort from the outside. */
-static bool can_reach_or_port = false;
+static bool have_orport_for_family(int family);
+
+/** Whether we can reach our IPv4 ORPort from the outside. */
+static bool can_reach_or_port_ipv4 = false;
+/** Whether we can reach our IPv6 ORPort from the outside. */
+static bool can_reach_or_port_ipv6 = false;
 /** Whether we can reach our DirPort from the outside. */
 static bool can_reach_dir_port = false;
 
@@ -53,7 +57,7 @@ static bool can_reach_dir_port = false;
 void
 router_reset_reachability(void)
 {
-  can_reach_or_port = can_reach_dir_port = false;
+  can_reach_or_port_ipv4 = can_reach_or_port_ipv6 = can_reach_dir_port = false;
 }
 
 /** Return 1 if we won't do reachability checks, because:
@@ -75,13 +79,35 @@ router_reachability_checks_disabled(const or_options_t *options)
  *   - we've seen a successful reachability check, or
  *   - AssumeReachable is set, or
  *   - the network is disabled.
+
+ * If `family'`is AF_INET or AF_INET6, return true only when we should skip
+ * the given family's orport check (Because it's been checked, or because we
+ * aren't checking it.)  If `family` is 0, return true if we can skip _all_
+ * orport checks.
  */
 int
-router_should_skip_orport_reachability_check(const or_options_t *options)
+router_should_skip_orport_reachability_check_family(
+                                                const or_options_t *options,
+                                                int family)
 {
+  tor_assert_nonfatal(family == AF_INET || family == AF_INET6 || family == 0);
   int reach_checks_disabled = router_reachability_checks_disabled(options);
-  return reach_checks_disabled ||
-         can_reach_or_port;
+  if (reach_checks_disabled) {
+    return true;
+  }
+
+  if (family != AF_INET6) {
+    if (have_orport_for_family(AF_INET) && !can_reach_or_port_ipv4) {
+      return false;
+    }
+  }
+  if (family != AF_INET) {
+    if (have_orport_for_family(AF_INET6) && !can_reach_or_port_ipv6) {
+      return false;
+    }
+  }
+
+  return true;
 }
 
 /** Return 0 if we need to do a DirPort reachability check, because:
@@ -133,6 +159,28 @@ router_should_check_reachability(int test_or, int test_dir)
   return 1;
 }
 
+/**
+ * Return true if we have configured an ORPort for the given family that
+ * we would like to advertise.
+ *
+ * Like other self-testing functions, this function looks at our most
+ * recently built descriptor.
+ **/
+static bool
+have_orport_for_family(int family)
+{
+  const routerinfo_t *me = router_get_my_routerinfo();
+
+  if (!me)
+    return false;
+
+  tor_addr_port_t ap;
+  if (router_get_orport(me, &ap, family) < 0) {
+    return false;
+  }
+  return true;
+}
+
 /** Allocate and return a new extend_info_t that can be used to build
  * a circuit to or through the router <b>r</b>, using an address from
  * <b>family</b> (if available).
@@ -255,16 +303,22 @@ router_do_reachability_checks(int test_or, int test_dir)
 {
   const routerinfo_t *me = router_get_my_routerinfo();
   const or_options_t *options = get_options();
-  int orport_reachable = router_should_skip_orport_reachability_check(options);
+  int orport_reachable_v4 =
+    router_should_skip_orport_reachability_check_family(options, AF_INET);
+  int orport_reachable_v6 =
+    router_should_skip_orport_reachability_check_family(options, AF_INET6);
 
   if (router_should_check_reachability(test_or, test_dir)) {
-    if (test_or && (!orport_reachable || !circuit_enough_testing_circs())) {
-      /* At the moment, tor relays believe that they are reachable when they
-       * receive any create cell on an inbound connection. We'll do separate
-       * IPv4 and IPv6 reachability checks in #34067, and make them more
-       * precise. */
-      router_do_orport_reachability_checks(me, AF_INET, orport_reachable);
-      router_do_orport_reachability_checks(me, AF_INET6, orport_reachable);
+    bool need_testing = !circuit_enough_testing_circs();
+    /* At the moment, tor relays believe that they are reachable when they
+     * receive any create cell on an inbound connection, if the address
+     * family is correct.
+     */
+    if (test_or && (!orport_reachable_v4 || need_testing)) {
+      router_do_orport_reachability_checks(me, AF_INET, orport_reachable_v4);
+    }
+    if (test_or && (!orport_reachable_v6 || need_testing)) {
+      router_do_orport_reachability_checks(me, AF_INET6, orport_reachable_v6);
     }
 
     if (test_dir && !router_should_skip_dirport_reachability_check(options)) {
@@ -341,34 +395,58 @@ inform_testing_reachability(void)
   return 1;
 }
 
-/** Annotate that we found our ORPort reachable. */
+/**
+ * Return true if this module knows of no reason why we shouldn't publish
+ * a server descriptor.
+ **/
+static bool
+ready_to_publish(const or_options_t *options)
+{
+  return options->PublishServerDescriptor_ != NO_DIRINFO &&
+    router_should_skip_dirport_reachability_check(options) &&
+    router_should_skip_orport_reachability_check(options);
+}
+
+/** Annotate that we found our ORPort reachable with a given address
+ * family. */
 void
-router_orport_found_reachable(void)
+router_orport_found_reachable(int family)
 {
   const routerinfo_t *me = router_get_my_routerinfo();
   const or_options_t *options = get_options();
-  if (!can_reach_or_port && me) {
-    char *address = tor_dup_ip(me->addr);
-
-    if (!address)
+  bool *can_reach_ptr;
+  if (family == AF_INET) {
+    can_reach_ptr = &can_reach_or_port_ipv4;
+  } else if (family == AF_INET6) {
+    can_reach_ptr = &can_reach_or_port_ipv6;
+  } else {
+    tor_assert_nonfatal_unreached();
+    return;
+  }
+  if (!*can_reach_ptr && me) {
+    tor_addr_port_t ap;
+    if (router_get_orport(me, &ap, family) < 0) {
       return;
+    }
+    char *address = tor_strdup(fmt_addrport_ap(&ap));
+
+    *can_reach_ptr = true;
 
-    log_notice(LD_OR,"Self-testing indicates your ORPort is reachable from "
+    log_notice(LD_OR,"Self-testing indicates your ORPort %s is reachable from "
                "the outside. Excellent.%s",
-               options->PublishServerDescriptor_ != NO_DIRINFO
-               && router_should_skip_dirport_reachability_check(options) ?
-                 " Publishing server descriptor." : "");
-    can_reach_or_port = true;
+               address,
+               ready_to_publish(options) ?
+               " Publishing server descriptor." : "");
+
     mark_my_descriptor_dirty("ORPort found reachable");
     /* This is a significant enough change to upload immediately,
      * at least in a test network */
     if (options->TestingTorNetwork == 1) {
       reschedule_descriptor_update_check();
     }
-    /* We'll add an IPv6 event in #34068. */
     control_event_server_status(LOG_NOTICE,
-                                "REACHABILITY_SUCCEEDED ORADDRESS=%s:%d",
-                                address, me->or_port);
+                                "REACHABILITY_SUCCEEDED ORADDRESS=%s",
+                                address);
     tor_free(address);
   }
 }
@@ -379,18 +457,19 @@ router_dirport_found_reachable(void)
 {
   const routerinfo_t *me = router_get_my_routerinfo();
   const or_options_t *options = get_options();
+
   if (!can_reach_dir_port && me) {
     char *address = tor_dup_ip(me->addr);
 
     if (!address)
       return;
 
+    can_reach_dir_port = true;
     log_notice(LD_DIRSERV,"Self-testing indicates your DirPort is reachable "
                "from the outside. Excellent.%s",
-               options->PublishServerDescriptor_ != NO_DIRINFO
-               && router_should_skip_orport_reachability_check(options) ?
+               ready_to_publish(options) ?
                " Publishing server descriptor." : "");
-    can_reach_dir_port = true;
+
     if (router_should_advertise_dirport(options, me->dir_port)) {
       mark_my_descriptor_dirty("DirPort found reachable");
       /* This is a significant enough change to upload immediately,
diff --git a/src/feature/relay/selftest.h b/src/feature/relay/selftest.h
index 5799a6ca3..d65edf56f 100644
--- a/src/feature/relay/selftest.h
+++ b/src/feature/relay/selftest.h
@@ -15,8 +15,11 @@
 #ifdef HAVE_MODULE_RELAY
 
 struct or_options_t;
-int router_should_skip_orport_reachability_check(
-                                         const struct or_options_t *options);
+#define router_should_skip_orport_reachability_check(opts) \
+  router_should_skip_orport_reachability_check_family((opts),0)
+int router_should_skip_orport_reachability_check_family(
+                                         const struct or_options_t *options,
+                                         int family);
 int router_should_skip_dirport_reachability_check(
                                          const struct or_options_t *options);
 
@@ -24,15 +27,17 @@ void router_do_reachability_checks(int test_or, int test_dir);
 void router_perform_bandwidth_test(int num_circs, time_t now);
 int inform_testing_reachability(void);
 
-void router_orport_found_reachable(void);
+void router_orport_found_reachable(int family);
 void router_dirport_found_reachable(void);
 
 void router_reset_reachability(void);
 
 #else /* !defined(HAVE_MODULE_RELAY) */
 
-#define router_should_skip_orport_reachability_check(opts) \
+#define router_should_skip_orport_reachability_check(opts)     \
   ((void)(opts), 0)
+#define router_should_skip_orport_reachability_check_family(opts, fam)  \
+  ((void)(opts), (void)(fam), 0)
 #define router_should_skip_dirport_reachability_check(opts) \
   ((void)(opts), 0)
 



_______________________________________________
tor-commits mailing list
tor-commits@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-commits