[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]
[tor-commits] [tor/master] Allow authorities to baddir/badexit/invalid/reject nodes by cc
commit 938531773a017e6eb70f11e81a0543e81413f83f
Author: Nick Mathewson <nickm@xxxxxxxxxxxxxx>
Date: Fri Jan 13 12:28:32 2012 -0500
Allow authorities to baddir/badexit/invalid/reject nodes by cc
Implements ticket #4207
---
changes/badexitcc | 3 +++
doc/tor.1.txt | 12 ++++++++++++
src/or/config.c | 8 ++++++++
src/or/or.h | 13 +++++++++++++
src/or/policies.c | 31 +++++++++++++++++++++++++++----
5 files changed, 63 insertions(+), 4 deletions(-)
diff --git a/changes/badexitcc b/changes/badexitcc
new file mode 100644
index 0000000..6b10ab1
--- /dev/null
+++ b/changes/badexitcc
@@ -0,0 +1,3 @@
+ o Minor features (directory authority):
+ - Authority operators can now vote for all routers in a given
+ country to be BadDir/BadExit/Invali/Rejected.
diff --git a/doc/tor.1.txt b/doc/tor.1.txt
index fcc566e..adc84e7 100644
--- a/doc/tor.1.txt
+++ b/doc/tor.1.txt
@@ -1462,6 +1462,18 @@ DIRECTORY AUTHORITY SERVER OPTIONS
authority publishes, or accepted as an OR address in any descriptor
submitted for publication by this authority.
+**AuthDirBadDirCC** __CC__,... +
+
+**AuthDirBadExitCC** __CC__,... +
+
+**AuthDirInvalidCC** __CC__,... +
+
+**AuthDirRejectCC** __CC__,...::
+ Authoritative directories only. These options contain a comma-separated
+ list of country codes such that any server in one of those country codes
+ will be marked as a bad directory/bad exit/invalid for use, or rejected
+ entirely.
+
**AuthDirListBadDirs** **0**|**1**::
Authoritative directories only. If set to 1, this directory has some
opinion about which nodes are unsuitable as directory caches. (Do not set
diff --git a/src/or/config.c b/src/or/config.c
index b118f30..341bc15 100644
--- a/src/or/config.c
+++ b/src/or/config.c
@@ -89,6 +89,10 @@ typedef struct config_abbrev_t {
/** A list of abbreviations and aliases to map command-line options, obsolete
* option names, or alternative option names, to their current values. */
static config_abbrev_t _option_abbrevs[] = {
+ PLURAL(AuthDirBadDirCC),
+ PLURAL(AuthDirBadExitCC),
+ PLURAL(AuthDirInvalidCC),
+ PLURAL(AuthDirRejectCC),
PLURAL(ExitNode),
PLURAL(EntryNode),
PLURAL(ExcludeNode),
@@ -182,11 +186,15 @@ static config_var_t _option_vars[] = {
V(AlternateHSAuthority, LINELIST, NULL),
V(AssumeReachable, BOOL, "0"),
V(AuthDirBadDir, LINELIST, NULL),
+ V(AuthDirBadDirCC, CSV, ""),
V(AuthDirBadExit, LINELIST, NULL),
+ V(AuthDirBadExitCC, CSV, ""),
V(AuthDirInvalid, LINELIST, NULL),
+ V(AuthDirInvalidCC, CSV, ""),
V(AuthDirFastGuarantee, MEMUNIT, "100 KB"),
V(AuthDirGuardBWGuarantee, MEMUNIT, "250 KB"),
V(AuthDirReject, LINELIST, NULL),
+ V(AuthDirRejectCC, CSV, ""),
V(AuthDirRejectUnlisted, BOOL, "0"),
V(AuthDirListBadDirs, BOOL, "0"),
V(AuthDirListBadExits, BOOL, "0"),
diff --git a/src/or/or.h b/src/or/or.h
index 0fcb083..21cb074 100644
--- a/src/or/or.h
+++ b/src/or/or.h
@@ -3237,6 +3237,19 @@ typedef struct {
* reject. */
config_line_t *AuthDirInvalid; /**< Address policy for descriptors to
* never mark as valid. */
+ /** @name AuthDir...CC
+ *
+ * Lists of of country codes to mark as BadDir, BadExit, or Invalid, or to
+ * reject entirely.
+ *
+ * @{
+ */
+ smartlist_t *AuthDirBadDirCC;
+ smartlist_t *AuthDirBadExitCC;
+ smartlist_t *AuthDirRejectCC;
+ smartlist_t *AuthDirInvalidCC;
+ /**@}*/
+
int AuthDirListBadDirs; /**< True iff we should list bad dirs,
* and vote for all other dir mirrors as good. */
int AuthDirListBadExits; /**< True iff we should list bad exits,
diff --git a/src/or/policies.c b/src/or/policies.c
index 40e5277..fdec687 100644
--- a/src/or/policies.c
+++ b/src/or/policies.c
@@ -14,6 +14,7 @@
#include "nodelist.h"
#include "policies.h"
#include "routerparse.h"
+#include "geoip.h"
#include "ht.h"
/** Policy that addresses for incoming SOCKS connections must match. */
@@ -313,13 +314,29 @@ socks_policy_permits_address(const tor_addr_t *addr)
return addr_policy_permits_tor_addr(addr, 1, socks_policy);
}
+/** Return true iff the address <b>addr</b> is in a country listed in the
+ * case-insentive list of country codes <b>cc_list</b>. */
+static int
+addr_is_in_cc_list(uint32_t addr, const smartlist_t *cc_list)
+{
+ country_t country;
+ const char *name;
+ if (!cc_list)
+ return 0;
+ country = geoip_get_country_by_ip(addr);
+ name = geoip_get_country_name(country);
+ return smartlist_string_isin_case(cc_list, name);
+}
+
/** Return 1 if <b>addr</b>:<b>port</b> is permitted to publish to our
* directory, based on <b>authdir_reject_policy</b>. Else return 0.
*/
int
authdir_policy_permits_address(uint32_t addr, uint16_t port)
{
- return addr_policy_permits_address(addr, port, authdir_reject_policy);
+ if (! addr_policy_permits_address(addr, port, authdir_reject_policy))
+ return 0;
+ return !addr_is_in_cc_list(addr, get_options()->AuthDirRejectCC);
}
/** Return 1 if <b>addr</b>:<b>port</b> is considered valid in our
@@ -328,7 +345,9 @@ authdir_policy_permits_address(uint32_t addr, uint16_t port)
int
authdir_policy_valid_address(uint32_t addr, uint16_t port)
{
- return addr_policy_permits_address(addr, port, authdir_invalid_policy);
+ if (! addr_policy_permits_address(addr, port, authdir_invalid_policy))
+ return 0;
+ return !addr_is_in_cc_list(addr, get_options()->AuthDirInvalidCC);
}
/** Return 1 if <b>addr</b>:<b>port</b> should be marked as a bad dir,
@@ -337,7 +356,9 @@ authdir_policy_valid_address(uint32_t addr, uint16_t port)
int
authdir_policy_baddir_address(uint32_t addr, uint16_t port)
{
- return ! addr_policy_permits_address(addr, port, authdir_baddir_policy);
+ if (! addr_policy_permits_address(addr, port, authdir_baddir_policy))
+ return 1;
+ return addr_is_in_cc_list(addr, get_options()->AuthDirBadDirCC);
}
/** Return 1 if <b>addr</b>:<b>port</b> should be marked as a bad exit,
@@ -346,7 +367,9 @@ authdir_policy_baddir_address(uint32_t addr, uint16_t port)
int
authdir_policy_badexit_address(uint32_t addr, uint16_t port)
{
- return ! addr_policy_permits_address(addr, port, authdir_badexit_policy);
+ if (! addr_policy_permits_address(addr, port, authdir_badexit_policy))
+ return 1;
+ return addr_is_in_cc_list(addr, get_options()->AuthDirBadExitCC);
}
#define REJECT(arg) \
_______________________________________________
tor-commits mailing list
tor-commits@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-commits