Re: UseEntryGuards=0 overwrites EntryNodes


On Wednesday, 07.01.2009, at 02:35 -0600, Scott Bennett wrote:
> On Tue, 06 Jan 2009 17:30:57 +0100 Dominik Sandjaja <dominik@xxxxxxxxxx>
> wrote:

> >It seems as if UseEntryGuards=0 overwrites StrictEntryNodes and
> >EntryNodes.
> >
> >Is this behavior intentional? As I understood it, UseEntryGuards should
> >have lower priority than EntryNodes + StrictEntryNodes. If all is
> >configured, the guards should be picked from the EntryNodes. Especially,
> >as commodore64 even appears in the cached-descriptors file.
> >
>      Huh.  Interesting.  Your interpretation is completely different from
> mine, so I just reread the tor man page, and I now see that it is indeed
> unclear.  My interpretation was that UseEntryGuards would simply enable
> or disable the feature of using entry guards at all. Also, I understood
> that EntryNodes and StrictEntryNodes would only have any effect if the
> entry guards feature were enabled.  EntryNodes serves as a recommended
> list of nodes to use as first hop relays, but the man page is unclear as
> to whether EntryNodes has any effect at all when UseEntryGuards is disabled.

That is exactly the problem. As you see, it leaves too much room for
interpretation :-)

> EntryNodes serves as the exclusive list of nodes to use for first hops
> when StrictEntryNodes is enabled, but it's not clear what is supposed to
> happen when it is enabled but no EntryNodes list is provided.  Also, the
> man page fails to note whether those relays listed in EntryNodes will only
> be used if the directory authorities list them with the Guard flag or,
> alternatively, EntryNodes provides a list to be used without any connection
> to the Guard flag from the authorities.
>      So try turning UseEntryGuards back on while leaving the other two
> statements untouched.  My guess is that that should do what you want.

I did this:

> >If UseEntryGuards = 1 (default), I don't get a connection (commodore64
> >is no guard yet):
> >Jan 06 17:26:23.816 [warn] Failed to find node for hop 0 of our path.
> >Discarding this circuit.
> >Jan 06 17:26:23.816 [info] onion_populate_cpath(): Generating cpath hop
> >failed.

Then UseEntryGuards is obeyed, as well as StrictEntryNodes,
but no connection can be made because none of the nodes in EntryNodes is
flagged as a guard (yet). I will try to turn off the guard check in the
tor source and use that modified version, but nevertheless, the issue
of how the options are handled should be clarified.

>      But this brings up another issue.  I recently noticed a recurring
> problem of broken connections part of the way through retrieval of image
> files from one web site.  The breakages only seemed to occur when a certain
> high data rate relay was in the route selected by tor, so I added that
> relay's name to ExcludeNodes.  Unfortunately, that relay was already listed
> as an entry guard in tor's state file, and tor appears not to take action
> on the newly "excluded" node in response to a SIGHUP after the change was
> made to torrc.  I am temporarily blocking outbound packets to the
> apparently offending relay by means of pf, but that's a very ugly kluge I'd
> rather not have to use.  But I'm wondering whether removing those lines
> from the state file just before the next time I start tor will allow tor
> to exclude that node from future routes.  My relay has been up without
> other obvious troubles for nearly a month, and its version is recent enough
> that I'm not inclined to restart it anytime soon unless some outside force
> intervenes (e.g., failure of network connection, extended power outage, etc.),
> but I really would like to know how to get tor to obey what I tell it in
> ExcludeNodes.

As above, this seems to be an issue with how the options are
treated/interpreted. Again, clarification would be nice.

Thanks for the answer!