
Re: UseEntryGuards=0 overwrites EntryNodes

     On Tue, 06 Jan 2009 17:30:57 +0100 Dominik Sandjaja <dominik@xxxxxxxxxx>
>Tor version (r16744) on Linux is my client.
>In the torrc:
>  StrictEntryNodes 1
>  EntryNodes commodore64
>  UseEntryGuards 0
>I get in the log:
>Jan 06 17:20:43.736 [info] internal (high-uptime) circ (length 3, exit
>Tonga): tibet108(open) anon1984n2(open) Tonga(open)
>and other circuits, all excluding commodore64.
>If UseEntryGuards = 1 (default), I don't get a connection (commodore64
>is no guard yet):
>Jan 06 17:26:23.816 [warn] Failed to find node for hop 0 of our path.
>Discarding this circuit.
>Jan 06 17:26:23.816 [info] onion_populate_cpath(): Generating cpath hop
>It seems as if UseEntryGuards=0 overwrites StrictEntryNodes and
>Is this behavior intentional? As I understood it, UseEntryGuards should
>have lower priority than EntryNodes + StrictEntryNodes. If all is
>configured, the guards should be picked from the EntryNodes. Especially,
>as commodore64 even appears in the cached-descriptors file.
     Huh.  Interesting.  Your interpretation is completely different from
mine, so I just reread the tor man page, and I now see that it is indeed
unclear.  My interpretation was that UseEntryGuards would simply enable
or disable the feature of using entry guards at all.  Also, I understood
that EntryNodes and StrictEntryNodes would only have any effect if the
entry guards feature were enabled.  EntryNodes serves as a recommended
list of nodes to use as first hop relays, but the man page is unclear as
to whether EntryNodes has any effect at all when UseEntryGuards is disabled.
EntryNodes serves as the exclusive list of nodes to use for first hops
when StrictEntryNodes is enabled, but it's not clear what is supposed to
happen when it is enabled but no EntryNodes list is provided.  Also, the
man page fails to note whether those relays listed in EntryNodes will only
be used if the directory authorities list them with the Guard flag or,
alternatively, EntryNodes provides a list to be used without any connection
to the Guard flag from the authorities.
     So try turning UseEntryGuards back on while leaving the other two
statements untouched.  My guess is that that should do what you want.
     But this brings up another issue.  I recently noticed a recurring
problem of broken connections part of the way through retrieval of image
files from one web site.  The breakages only seemed to occur when a certain
high data rate relay was in the route selected by tor, so I added that
relay's name to ExcludeNodes.  Unfortunately, that relay was already listed
as an entry guard in tor's state file, and tor appears not to take action
on the newly "excluded" node in response to a SIGHUP after the change was
made to torrc.  I am temporarily blocking outbound packets to the
apparently offending relay by means of pf, but that's a very ugly kluge I'd
rather not have to use.  But I'm wondering whether removing those lines
from the state file just before the next time I start tor will allow tor
to exclude that node from future routes.  My relay has been up without
other obvious troubles for nearly a month, and its version is recent enough
that I'm not inclined to restart it anytime soon unless some outside force
intervenes (e.g., failure of network connection, extended power outage, etc.),
but I really would like to know how to get tor to obey what I tell it in

                                  Scott Bennett, Comm. ASMELG, CFIAG
* Internet:       bennett at cs.niu.edu                              *
* "A well regulated and disciplined militia, is at all times a good  *
* objection to the introduction of that bane of all free governments *
* -- a standing army."                                               *
*    -- Gov. John Hancock, New York Journal, 28 January 1790         *
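
Added example, not part of the original message and not Tor's own code: a small Python check for the two situations discussed above, EntryNodes configured while UseEntryGuards is 0, and an ExcludeNodes entry that is still saved as an entry guard in the state file. It assumes guard entries in the state file are lines of the form `EntryGuard <nickname> <fingerprint>`; the relay names fastrelay1 and otherrelay, the fingerprints and the function names are constructed for illustration.

```python
def parse_torrc(text):
    """Map lower-cased option name -> value; '#' starts a comment, last line wins."""
    opts = {}
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].split(None, 1)
        if parts:
            opts[parts[0].lower()] = parts[1].strip() if len(parts) > 1 else ""
    return opts

def node_set(value):
    """Split a comma-separated node list; names compare case-insensitively."""
    return {n.strip().lstrip("$").lower() for n in value.split(",") if n.strip()}

def saved_guards(state_text):
    """(nickname, fingerprint) pairs from 'EntryGuard <nick> <fp>' lines (assumed format)."""
    rows = (line.split() for line in state_text.splitlines())
    return [(r[1], r[2]) for r in rows if len(r) >= 3 and r[0] == "EntryGuard"]

def audit(torrc_text, state_text):
    """Return a list of (code, node) findings for the two cases in the thread."""
    opts = parse_torrc(torrc_text)
    findings = []
    if opts.get("useentryguards", "1") == "0":  # default is 1, per the post
        for node in sorted(node_set(opts.get("entrynodes", ""))):
            findings.append(("entrynodes-without-guards", node))
    excluded = node_set(opts.get("excludenodes", ""))
    for nick, fp in saved_guards(state_text):
        if nick.lower() in excluded or fp.lower() in excluded:
            findings.append(("excluded-node-saved-as-guard", nick))
    return findings

# Constructed sample input: relay names other than commodore64, the version
# string and the fingerprints are made up for this example.
SAMPLE_TORRC = """\
StrictEntryNodes 1
EntryNodes commodore64
UseEntryGuards 0   # the combination from the original question
ExcludeNodes fastrelay1
"""
SAMPLE_STATE = """\
EntryGuard fastrelay1 0123456789ABCDEF0123456789ABCDEF01234567
EntryGuardAddedBy 0123456789ABCDEF0123456789ABCDEF01234567 0.2.0.31 2008-12-01 10:00:00
EntryGuard otherrelay 89ABCDEF0123456789ABCDEF0123456789ABCDEF
"""

if __name__ == "__main__":
    for code, node in audit(SAMPLE_TORRC, SAMPLE_STATE):
        print(f"{code}: {node}")
```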