[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

[or-cvs] [tor/maint-0.2.2] Merge remote branch 'origin/maint-0.2.1' into maint-0.2.2



commit 13e9a2b19d4a65d9761256ac72f754c35c371b0b
Merge: a793f1f 1471e57
Author: Nick Mathewson <nickm@xxxxxxxxxxxxxx>
Date:   Thu Jan 20 15:00:24 2011 -0500

    Merge remote branch 'origin/maint-0.2.1' into maint-0.2.2

 changes/policy_summarize-assert |    6 ++++++
 src/or/policies.c               |    4 ++--
 2 files changed, 8 insertions(+), 2 deletions(-)

diff --combined src/or/policies.c
index 6947222,0a8fd73..62e048c
--- a/src/or/policies.c
+++ b/src/or/policies.c
@@@ -9,10 -9,6 +9,10 @@@
   **/
  
  #include "or.h"
 +#include "config.h"
 +#include "dirserv.h"
 +#include "policies.h"
 +#include "routerparse.h"
  #include "ht.h"
  
  /** Policy that addresses for incoming SOCKS connections must match. */
@@@ -348,8 -344,7 +348,8 @@@ validate_addr_policies(or_options_t *op
    *msg = NULL;
  
    if (policies_parse_exit_policy(options->ExitPolicy, &addr_policy,
 -                                 options->ExitPolicyRejectPrivate, NULL))
 +                                 options->ExitPolicyRejectPrivate, NULL,
 +                                 !options->BridgeRelay))
      REJECT("Error in ExitPolicy entry.");
  
    /* The rest of these calls *append* to addr_policy. So don't actually
@@@ -380,8 -375,14 +380,8 @@@
    if (parse_addr_policy(options->ReachableDirAddresses, &addr_policy,
                          ADDR_POLICY_ACCEPT))
      REJECT("Error in ReachableDirAddresses entry.");
 -  if (parse_addr_policy(options->AuthDirReject, &addr_policy,
 -                        ADDR_POLICY_REJECT))
 -    REJECT("Error in AuthDirReject entry.");
 -  if (parse_addr_policy(options->AuthDirInvalid, &addr_policy,
 -                        ADDR_POLICY_REJECT))
 -    REJECT("Error in AuthDirInvalid entry.");
  
 -err:
 + err:
    addr_policy_list_free(addr_policy);
    return *msg ? -1 : 0;
  #undef REJECT
@@@ -828,16 -829,14 +828,16 @@@ exit_policy_remove_redundancies(smartli
    "reject *:6346-6429,reject *:6699,reject *:6881-6999,accept *:*"
  
  /** Parse the exit policy <b>cfg</b> into the linked list *<b>dest</b>. If
 - * cfg doesn't end in an absolute accept or reject, add the default exit
 + * cfg doesn't end in an absolute accept or reject and if
 + * <b>add_default_policy</b> is true, add the default exit
   * policy afterwards. If <b>rejectprivate</b> is true, prepend
   * "reject private:*" to the policy. Return -1 if we can't parse cfg,
   * else return 0.
   */
  int
  policies_parse_exit_policy(config_line_t *cfg, smartlist_t **dest,
 -                           int rejectprivate, const char *local_address)
 +                           int rejectprivate, const char *local_address,
 +                           int add_default_policy)
  {
    if (rejectprivate) {
      append_exit_policy_string(dest, "reject private:*");
@@@ -849,10 -848,8 +849,10 @@@
    }
    if (parse_addr_policy(cfg, dest, -1))
      return -1;
 -  append_exit_policy_string(dest, DEFAULT_EXIT_POLICY);
 -
 +  if (add_default_policy)
 +    append_exit_policy_string(dest, DEFAULT_EXIT_POLICY);
 +  else
 +    append_exit_policy_string(dest, "reject *:*");
    exit_policy_remove_redundancies(*dest);
  
    return 0;
@@@ -869,49 -866,6 +869,49 @@@ policies_set_router_exitpolicy_to_rejec
    smartlist_add(r->exit_policy, item);
  }
  
 +/** Return 1 if there is at least one /8 subnet in <b>policy</b> that
 + * allows exiting to <b>port</b>.  Otherwise, return 0. */
 +static int
 +exit_policy_is_general_exit_helper(smartlist_t *policy, int port)
 +{
 +  uint32_t mask, ip, i;
 +  /* Is this /8 rejected (1), or undecided (0)? */
 +  char subnet_status[256];
 +
 +  memset(subnet_status, 0, sizeof(subnet_status));
 +  SMARTLIST_FOREACH(policy, addr_policy_t *, p, {
 +    if (p->prt_min > port || p->prt_max < port)
 +      continue; /* Doesn't cover our port. */
 +    mask = 0;
 +    tor_assert(p->maskbits <= 32);
 +
 +    if (p->maskbits)
 +      mask = UINT32_MAX<<(32-p->maskbits);
 +    ip = tor_addr_to_ipv4h(&p->addr);
 +
 +    /* Calculate the first and last subnet that this exit policy touches
 +     * and set it as loop boundaries. */
 +    for (i = ((mask & ip)>>24); i <= (~((mask & ip) ^ mask)>>24); ++i) {
 +      tor_addr_t addr;
 +      if (subnet_status[i] != 0)
 +        continue; /* We already reject some part of this /8 */
 +      tor_addr_from_ipv4h(&addr, i<<24);
 +      if (tor_addr_is_internal(&addr, 0))
 +        continue; /* Local or non-routable addresses */
 +      if (p->policy_type == ADDR_POLICY_ACCEPT) {
 +        if (p->maskbits > 8)
 +          continue; /* Narrower than a /8. */
 +        /* We found an allowed subnet of at least size /8. Done
 +         * for this port! */
 +        return 1;
 +      } else if (p->policy_type == ADDR_POLICY_REJECT) {
 +        subnet_status[i] = 1;
 +      }
 +    }
 +  });
 +  return 0;
 +}
 +
  /** Return true iff <b>ri</b> is "useful as an exit node", meaning
   * it allows exit to at least one /8 address space for at least
   * two of ports 80, 443, and 6667. */
@@@ -925,7 -879,19 +925,7 @@@ exit_policy_is_general_exit(smartlist_
      return 0;
  
    for (i = 0; i < 3; ++i) {
 -    SMARTLIST_FOREACH(policy, addr_policy_t *, p, {
 -      if (p->prt_min > ports[i] || p->prt_max < ports[i])
 -        continue; /* Doesn't cover our port. */
 -      if (p->maskbits > 8)
 -        continue; /* Narrower than a /8. */
 -      if (tor_addr_is_loopback(&p->addr))
 -        continue; /* 127.x or ::1. */
 -      /* We have a match that is at least a /8. */
 -      if (p->policy_type == ADDR_POLICY_ACCEPT) {
 -        ++n_allowed;
 -        break; /* stop considering this port */
 -      }
 -    });
 +    n_allowed += exit_policy_is_general_exit_helper(policy, ports[i]);
    }
    return n_allowed >= 2;
  }
@@@ -1243,8 -1209,8 +1243,8 @@@ policy_summarize(smartlist_t *policy
    accepts_str = smartlist_join_strings(accepts, ",", 0, &accepts_len);
    rejects_str = smartlist_join_strings(rejects, ",", 0, &rejects_len);
  
-   if (rejects_len > MAX_EXITPOLICY_SUMMARY_LEN &&
-       accepts_len > MAX_EXITPOLICY_SUMMARY_LEN) {
+   if (rejects_len > MAX_EXITPOLICY_SUMMARY_LEN-strlen("reject")-1 &&
+       accepts_len > MAX_EXITPOLICY_SUMMARY_LEN-strlen("accept")-1) {
      char *c;
      shorter_str = accepts_str;
      prefix = "accept";
@@@ -1272,7 -1238,7 +1272,7 @@@
    result = tor_malloc(final_size);
    tor_snprintf(result, final_size, "%s %s", prefix, shorter_str);
  
 -cleanup:
 + cleanup:
    /* cleanup */
    SMARTLIST_FOREACH(summary, policy_summary_item_t *, s, tor_free(s));
    smartlist_free(summary);
@@@ -1292,11 -1258,9 +1292,11 @@@
   * about "exit-policy/..." */
  int
  getinfo_helper_policies(control_connection_t *conn,
 -                        const char *question, char **answer)
 +                        const char *question, char **answer,
 +                        const char **errmsg)
  {
    (void) conn;
 +  (void) errmsg;
    if (!strcmp(question, "exit-policy/default")) {
      *answer = tor_strdup(DEFAULT_EXIT_POLICY);
    }
@@@ -1307,8 -1271,7 +1307,8 @@@
  void
  addr_policy_list_free(smartlist_t *lst)
  {
 -  if (!lst) return;
 +  if (!lst)
 +    return;
    SMARTLIST_FOREACH(lst, addr_policy_t *, policy, addr_policy_free(policy));
    smartlist_free(lst);
  }
@@@ -1317,20 -1280,19 +1317,20 @@@
  void
  addr_policy_free(addr_policy_t *p)
  {
 -  if (p) {
 -    if (--p->refcnt <= 0) {
 -      if (p->is_canonical) {
 -        policy_map_ent_t search, *found;
 -        search.policy = p;
 -        found = HT_REMOVE(policy_map, &policy_root, &search);
 -        if (found) {
 -          tor_assert(p == found->policy);
 -          tor_free(found);
 -        }
 +  if (!p)
 +    return;
 +
 +  if (--p->refcnt <= 0) {
 +    if (p->is_canonical) {
 +      policy_map_ent_t search, *found;
 +      search.policy = p;
 +      found = HT_REMOVE(policy_map, &policy_root, &search);
 +      if (found) {
 +        tor_assert(p == found->policy);
 +        tor_free(found);
        }
 -      tor_free(p);
      }
 +    tor_free(p);
    }
  }