[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]
[or-cvs] Start obeying our firewall options more rigorously:
Update of /home2/or/cvsroot/tor/src/or
In directory moria:/home/arma/work/onion/cvs/tor/src/or
Modified Files:
config.c directory.c or.h routerlist.c
Log Message:
Start obeying our firewall options more rigorously:
- If we can't get to a dirserver directly, try going via Tor.
- Don't ever try to connect (as a client) to a place our firewall
options forbid.
- If we specify a proxy and also firewall options, obey the firewall
options even when we're using the proxy: some proxies can only proxy
to certain destinations.
Index: config.c
===================================================================
RCS file: /home2/or/cvsroot/tor/src/or/config.c,v
retrieving revision 1.448
retrieving revision 1.449
diff -u -d -r1.448 -r1.449
--- config.c 18 Nov 2005 02:47:08 -0000 1.448
+++ config.c 19 Nov 2005 10:12:10 -0000 1.449
@@ -1701,7 +1701,7 @@
}
/** Return true iff the firewall options might block any address:port
- * combination
+ * combination.
*/
int
firewall_is_fascist(void)
@@ -1710,7 +1710,7 @@
}
/** Return true iff we are configured to think that the local fascist
- * firewall (if any) will allow a connection to <b>addr</b>:<b>port</b> */
+ * firewall (if any) will allow a connection to <b>addr</b>:<b>port</b>. */
int
fascist_firewall_allows_address(uint32_t addr, uint16_t port)
{
Index: directory.c
===================================================================
RCS file: /home2/or/cvsroot/tor/src/or/directory.c,v
retrieving revision 1.319
retrieving revision 1.320
diff -u -d -r1.319 -r1.320
--- directory.c 8 Nov 2005 22:30:17 -0000 1.319
+++ directory.c 19 Nov 2005 10:12:10 -0000 1.320
@@ -133,6 +133,7 @@
size_t payload_len)
{
smartlist_t *dirservers;
+ int post_via_tor;
router_get_trusted_dir_servers(&dirservers);
tor_assert(dirservers);
@@ -141,23 +142,15 @@
*/
SMARTLIST_FOREACH(dirservers, trusted_dir_server_t *, ds,
{
- /* Pay attention to fascistfirewall when we're uploading a
- * router descriptor, but not when uploading a service
- * descriptor -- those use Tor. */
- if (purpose == DIR_PURPOSE_UPLOAD_DIR && !get_options()->HttpProxy) {
- if (!fascist_firewall_allows_address(ds->addr,ds->dir_port))
- continue;
- }
- directory_initiate_command_trusted_dir(ds, purpose,
- purpose_is_private(purpose),
+ post_via_tor = purpose_is_private(purpose) ||
+ !fascist_firewall_allows_address(ds->addr,ds->dir_port);
+ directory_initiate_command_trusted_dir(ds, purpose, post_via_tor,
NULL, payload, payload_len);
});
}
/** Start a connection to a random running directory server, using
- * connection purpose 'purpose' requesting 'resource'. The purpose
- * should be one of 'DIR_PURPOSE_FETCH_DIR',
- * 'DIR_PURPOSE_FETCH_RENDDESC', 'DIR_PURPOSE_FETCH_RUNNING_LIST.'
+ * connection purpose 'purpose' and requesting 'resource'.
* If <b>retry_if_no_servers</b>, then if all the possible servers seem
* down, mark them up and try again.
*/
@@ -167,10 +160,10 @@
{
routerinfo_t *r = NULL;
trusted_dir_server_t *ds = NULL;
- int fascistfirewall = firewall_is_fascist();
or_options_t *options = get_options();
int fetch_fresh_first = server_mode(options) && options->DirPort != 0;
int directconn = !purpose_is_private(purpose);
+ int need_to_use_tor = 0;
int need_v1_support = purpose == DIR_PURPOSE_FETCH_DIR ||
purpose == DIR_PURPOSE_FETCH_RUNNING_LIST;
@@ -187,12 +180,12 @@
}
if (!ds && fetch_fresh_first) {
/* only ask authdirservers, and don't ask myself */
- ds = router_pick_trusteddirserver(need_v1_support, 1, fascistfirewall,
+ ds = router_pick_trusteddirserver(need_v1_support, 1, 1,
retry_if_no_servers);
}
if (!ds) {
/* anybody with a non-zero dirport will do */
- r = router_pick_directory_server(1, fascistfirewall, need_v2_support,
+ r = router_pick_directory_server(1, 1, need_v2_support,
retry_if_no_servers);
if (!r) {
const char *which;
@@ -205,15 +198,24 @@
else // if (purpose == DIR_PURPOSE_FETCH_NETWORKSTATUS)
which = "server descriptors";
info(LD_DIR,
- "No router found for %s; falling back to dirserver list",which);
- ds = router_pick_trusteddirserver(1, 1, fascistfirewall,
+ "No router found for %s; falling back to dirserver list", which);
+ ds = router_pick_trusteddirserver(1, 1, 1,
retry_if_no_servers);
+ if (!ds)
+ need_to_use_tor = 1; /* last resort: try routing it via Tor */
}
}
- } else { // (purpose == DIR_PURPOSE_FETCH_RENDDESC)
- /* only ask authdirservers, any of them will do */
+ }
+ if (!directconn || need_to_use_tor) {
/* Never use fascistfirewall; we're going via Tor. */
- ds = router_pick_trusteddirserver(0, 0, 0, retry_if_no_servers);
+ if (purpose == DIR_PURPOSE_FETCH_RENDDESC) {
+ /* only ask authdirservers, any of them will do */
+ ds = router_pick_trusteddirserver(0, 0, 0, retry_if_no_servers);
+ } else {
+ /* anybody with a non-zero dirport will do. Disregard firewalls. */
+ r = router_pick_directory_server(1, 0, need_v2_support,
+ retry_if_no_servers);
+ }
}
if (r)
Index: or.h
===================================================================
RCS file: /home2/or/cvsroot/tor/src/or/or.h,v
retrieving revision 1.736
retrieving revision 1.737
diff -u -d -r1.736 -r1.737
--- or.h 19 Nov 2005 06:57:44 -0000 1.736
+++ or.h 19 Nov 2005 10:12:10 -0000 1.737
@@ -314,26 +314,26 @@
#define _CONTROL_CONN_STATE_MAX 4
#define _DIR_PURPOSE_MIN 1
-/** Purpose for connection to directory server: download a directory. */
+/** A connection to a directory server: download a directory. */
#define DIR_PURPOSE_FETCH_DIR 1
-/** Purpose for connection to directory server: download just the list
+/** A connection to a directory server: download just the list
* of running routers. */
#define DIR_PURPOSE_FETCH_RUNNING_LIST 2
-/** Purpose for connection to directory server: download a rendezvous
+/** A connection to a directory server: download a rendezvous
* descriptor. */
#define DIR_PURPOSE_FETCH_RENDDESC 3
-/** Purpose for connection to directory server: set after a rendezvous
+/** A connection to a directory server: set after a rendezvous
* descriptor is downloaded. */
#define DIR_PURPOSE_HAS_FETCHED_RENDDESC 4
/** A connection to a directory server: download one or more network-status
* objects */
#define DIR_PURPOSE_FETCH_NETWORKSTATUS 5
-/** A connection to a directory server: download one or more server
+/** A connection to a directory server: download one or more server
* descriptors. */
#define DIR_PURPOSE_FETCH_SERVERDESC 6
-/** Purpose for connection to directory server: upload a server descriptor. */
+/** A connection to a directory server: upload a server descriptor. */
#define DIR_PURPOSE_UPLOAD_DIR 7
-/** Purpose for connection to directory server: upload a rendezvous
+/** A connection to a directory server: upload a rendezvous
* descriptor. */
#define DIR_PURPOSE_UPLOAD_RENDDESC 8
/** Purpose for connection at a directory server. */
Index: routerlist.c
===================================================================
RCS file: /home2/or/cvsroot/tor/src/or/routerlist.c,v
retrieving revision 1.371
retrieving revision 1.372
diff -u -d -r1.371 -r1.372
--- routerlist.c 19 Nov 2005 06:57:44 -0000 1.371
+++ routerlist.c 19 Nov 2005 10:12:10 -0000 1.372
@@ -339,7 +339,7 @@
return choice;
info(LD_DIR,"Still no %s router entries. Reloading and trying again.",
- firewall_is_fascist() ? "reachable" : "known");
+ fascistfirewall ? "reachable" : "known");
has_fetched_directory=0; /* reset it */
if (router_reload_router_list()) {
return NULL;
@@ -391,8 +391,8 @@
/** Pick a random running verified directory server/mirror from our
* routerlist.
- * If <b>fascistfirewall</b> and we're not using a proxy,
- * make sure the port we pick is allowed by options-\>firewallports.
+ * If <b>fascistfirewall</b>,
+ * make sure the router we pick is allowed by our firewall options.
* If <b>requireother</b>, it cannot be us. If <b>for_v2_directory</b>,
* choose a directory server new enough to support the v2 directory
* functionality.
@@ -407,9 +407,6 @@
if (!routerlist)
return NULL;
- if (get_options()->HttpProxy)
- fascistfirewall = 0;
-
/* Find all the running dirservers we know about. */
sl = smartlist_create();
SMARTLIST_FOREACH(routerlist->routers, routerinfo_t *, router,
@@ -439,8 +436,8 @@
}
/** Choose randomly from among the trusted dirservers that are up.
- * If <b>fascistfirewall</b> and we're not using a proxy,
- * make sure the port we pick is allowed by options-\>firewallports.
+ * If <b>fascistfirewall</b>,
+ * make sure the port we pick is allowed by our firewall options.
* If <b>requireother</b>, it cannot be us. If <b>need_v1_support</b>, choose
* a trusted authority for the v1 directory system.
*/
@@ -457,9 +454,6 @@
if (!trusted_dir_servers)
return NULL;
- if (get_options()->HttpProxy)
- fascistfirewall = 0;
-
SMARTLIST_FOREACH(trusted_dir_servers, trusted_dir_server_t *, d,
{
if (!d->is_running) continue;