[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]
[or-cvs] quick-and-dirty dir policy since the dirservers are getting...
- To: or-cvs@freehaven.net
- Subject: [or-cvs] quick-and-dirty dir policy since the dirservers are getting...
- From: arma@seul.org (Roger Dingledine)
- Date: Mon, 25 Oct 2004 02:16:29 -0400 (EDT)
- Delivered-to: archiver@seul.org
- Delivered-to: or-cvs-outgoing@seul.org
- Delivered-to: or-cvs@seul.org
- Delivery-date: Mon, 25 Oct 2004 02:16:50 -0400
- Reply-to: or-dev@freehaven.net
- Sender: owner-or-cvs@freehaven.net
Update of /home/or/cvsroot/src/or
In directory moria.mit.edu:/home2/arma/work/onion/cvs/src/or
Modified Files:
config.c connection.c directory.c or.h
Log Message:
quick-and-dirty dir policy since the dirservers are getting hammered
nick, could you abstract this sometime so we don't repeat the
sockspolicy code twice?
Index: config.c
===================================================================
RCS file: /home/or/cvsroot/src/or/config.c,v
retrieving revision 1.184
retrieving revision 1.185
diff -u -d -r1.184 -r1.185
--- config.c 24 Oct 2004 00:58:29 -0000 1.184
+++ config.c 25 Oct 2004 06:16:26 -0000 1.185
@@ -236,6 +236,7 @@
config_compare(list, "DirPort", CONFIG_TYPE_UINT, &options->DirPort) ||
config_compare(list, "DirBindAddress", CONFIG_TYPE_LINELIST, &options->DirBindAddress) ||
config_compare(list, "DirFetchPostPeriod",CONFIG_TYPE_UINT, &options->DirFetchPostPeriod) ||
+ config_compare(list, "DirPolicy", CONFIG_TYPE_LINELIST, &options->DirPolicy) ||
config_compare(list, "DirServer", CONFIG_TYPE_LINELIST, &options->DirServers) ||
config_compare(list, "ExitNodes", CONFIG_TYPE_STRING, &options->ExitNodes) ||
@@ -479,6 +480,7 @@
config_free_lines(options->DirBindAddress);
config_free_lines(options->ExitPolicy);
config_free_lines(options->SocksPolicy);
+ config_free_lines(options->DirPolicy);
config_free_lines(options->DirServers);
config_free_lines(options->RecommendedVersions);
config_free_lines(options->NodeFamilies);
@@ -487,7 +489,7 @@
SMARTLIST_FOREACH(options->RedirectExitList,
exit_redirect_t *, p, tor_free(p));
smartlist_free(options->RedirectExitList);
- options->RedirectExitList = NULL;
+ options->RedirectExitList = NULL;
}
if (options->FirewallPorts) {
SMARTLIST_FOREACH(options->FirewallPorts, char *, cp, tor_free(cp));
Index: connection.c
===================================================================
RCS file: /home/or/cvsroot/src/or/connection.c,v
retrieving revision 1.270
retrieving revision 1.271
diff -u -d -r1.270 -r1.271
--- connection.c 24 Oct 2004 01:50:33 -0000 1.270
+++ connection.c 25 Oct 2004 06:16:26 -0000 1.271
@@ -420,6 +420,15 @@
return 0;
}
}
+ if(new_type == CONN_TYPE_DIR) {
+ /* check dirpolicy to see if we should accept it */
+ if(dir_policy_permits_address(ntohl(remote.sin_addr.s_addr)) == 0) {
+ log_fn(LOG_WARN,"Denying dir connection from address %s.",
+ inet_ntoa(remote.sin_addr));
+ tor_close_socket(news);
+ return 0;
+ }
+ }
newconn = connection_new(new_type);
newconn->s = news;
Index: directory.c
===================================================================
RCS file: /home/or/cvsroot/src/or/directory.c,v
retrieving revision 1.151
retrieving revision 1.152
diff -u -d -r1.151 -r1.152
--- directory.c 17 Oct 2004 04:06:48 -0000 1.151
+++ directory.c 25 Oct 2004 06:16:26 -0000 1.152
@@ -48,6 +48,8 @@
extern or_options_t options; /* command-line and config-file options */
+static struct exit_policy_t *dir_policy = NULL;
+
#if 0 /* commented out for now, since for now what clients send is
different from what servers want to receive */
/** URL for publishing rendezvous descriptors. */
@@ -63,6 +65,48 @@
/********* END VARIABLES ************/
+/** A helper function for dir_policy_permits_address() below.
+ *
+ * Parse options.DirPolicy in the same way that the exit policy
+ * is parsed, and put the processed version in &dir_policy.
+ * Ignore port specifiers.
+ */
+static void parse_dir_policy(void)
+{
+ struct exit_policy_t *n;
+ if (dir_policy) {
+ exit_policy_free(dir_policy);
+ dir_policy = NULL;
+ }
+ config_parse_exit_policy(options.DirPolicy, &dir_policy);
+ /* ports aren't used. */
+ for (n=dir_policy; n; n = n->next) {
+ n->prt_min = 1;
+ n->prt_max = 65535;
+ }
+}
+
+/** Return 1 if <b>addr</b> is permitted to connect to our dir port,
+ * based on <b>dir_policy</b>. Else return 0.
+ */
+int dir_policy_permits_address(uint32_t addr)
+{
+ int a;
+ if (options.DirPolicy && !dir_policy)
+ parse_dir_policy();
+
+ if(!dir_policy) /* 'no dir policy' means 'accept' */
+ return 1;
+ a = router_compare_addr_to_exit_policy(addr, 1, dir_policy);
+ if (a==-1)
+ return 0;
+ else if (a==0)
+ return 1;
+ tor_assert(a==1);
+ log_fn(LOG_WARN, "Got unexpected 'maybe' answer from dir policy");
+ return 0;
+}
+
/** Start a connection to every known directory server, using
* connection purpose 'purpose' and uploading the payload 'payload'
* (length 'payload_len'). The purpose should be one of
Index: or.h
===================================================================
RCS file: /home/or/cvsroot/src/or/or.h,v
retrieving revision 1.443
retrieving revision 1.444
diff -u -d -r1.443 -r1.444
--- or.h 24 Oct 2004 01:22:40 -0000 1.443
+++ or.h 25 Oct 2004 06:16:26 -0000 1.444
@@ -860,6 +860,7 @@
int _AllowUnverified; /**< Bitmask; derived from AllowUnverifiedNodes; */
struct config_line_t *ExitPolicy; /**< Lists of exit policy components. */
struct config_line_t *SocksPolicy; /**< Lists of socks policy components */
+ struct config_line_t *DirPolicy; /**< Lists of dir policy components */
/** Addresses to bind for listening for SOCKS connections. */
struct config_line_t *SocksBindAddress;
/** Addresses to bind for listening for OR connections. */
@@ -1191,6 +1192,7 @@
/********************************* directory.c ***************************/
+int dir_policy_permits_address(uint32_t addr);
void directory_post_to_dirservers(uint8_t purpose, const char *payload,
size_t payload_len);
void directory_get_from_dirserver(uint8_t purpose, const char *payload,