Re: [tor-bugs] #16069 [Tor]: ipv4 + ipv6 exit : v6 policy is displayed twice, v4 isn't displayed
#16069: ipv4 + ipv6 exit : v6 policy is displayed twice, v4 isn't displayed
--------------------------+-----------------------------------------------
Reporter: toralf | Owner:
Type: defect | Status: needs_revision
Priority: critical | Milestone: Tor: 0.2.7.x-final
Component: Tor | Version: Tor: 0.2.7
Resolution: | Keywords: 026-backport, ipv6, PostFreeze027
Actual Points: | Parent ID:
Points: |
--------------------------+-----------------------------------------------
Comment (by teor):
Replying to [comment:23 nickm]:
> Replying to [comment:22 teor]:
> > Replying to [comment:20 nickm]:
>
> [...]
> > > I think it's fine to do a NOTICE when * means "IPv4 and IPv6".
> > >
> > > I think accept6 * should mean "accept *6".
> >
> > So the full specification would be:
> > * accept/reject * means IPv4 and IPv6 with NOTICE
> > * accept/reject IPv4 or *4 means IPv4
> > * accept/reject IPv6 or *6 means IPv6
> >
> > * accept6/reject6 * means IPv6 only (changed behaviour, but no-one expected it to mean IPv4)
> > * accept6/reject6 IPv4 or *4 means ignore with WARN? (changed behaviour, but no-one expected it to mean IPv4)
> > * accept6/reject6 IPv6 or *6 means IPv6 (existing behaviour)
>
> Yes, that looks good!

There's one implication that it's worth being aware of:
torrc exit policies will be more lenient than descriptor exit policies:
* accept/reject * gets expanded into accept/reject *4, accept6/reject6 *6
* accept/reject IPv6 or *6 gets transformed into accept6/reject6 IPv6 or *6
* accept6/reject6 * gets transformed into accept6/reject6 *6
* accept6/reject6 IPv4 or *4 gets ignored
So there may be some confusion if people compare their torrc and exit
policies.
But any descriptor policy can be copied into a torrc and it will parse and
mean the same thing. (This is a highly desirable property.)

> > > Code notes:
> > >
> > > It seems like the TAPMP_IPV[46]_ONLY options won't actually stop any addresses that *don't* begin with a star. That seems wrong. I would expect TAPMP_IPV4_ONLY to reject [FE80::]/16:80, for example.
> >
> > The TAPMP_IPV[46]_ONLY code only controls what * gets expanded into.
>
> In that case probably the option should be called TAPMP_STAR_IPV[46]_ONLY or something, and the documentation should explain that it only applies to * expansions?

Done! Of course, we'll only be using the IPv6 variant in this patch.
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/16069#comment:24>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
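
The torrc-to-descriptor transformation listed in the comment above, written out as an added example (not part of the original message, the ticket's patch, or Tor's own code). The function names, the sample rules and the `ADDR[/MASK][:PORT]` parsing with bracketed IPv6 addresses are assumptions made for illustration.

```python
import ipaddress

# Constructed sample torrc ExitPolicy rules (documentation addresses).
SAMPLE_TORRC = ["accept *:80", "accept6 *:443", "accept6 192.0.2.1:443",
                "accept [2001:db8::1]:22", "reject [FE80::]/16:*",
                "reject 10.0.0.0/8:*", "reject *:*"]

def address_family(addr):
    """Return '*', 4 or 6 for the address part of a rule."""
    if addr == "*":
        return "*"
    if addr in ("*4", "*6"):
        return int(addr[1])
    host = addr.split("/")[0].strip("[]")
    return ipaddress.ip_address(host).version  # ValueError on junk

def split_pattern(pattern):
    """Split ADDR[/MASK][:PORT] into (addr, port); IPv6 is bracketed."""
    if pattern.startswith("["):
        end = pattern.index("]")
        mask, _, port = pattern[end + 1:].partition(":")
        return pattern[:end + 1] + mask, port or "*"
    addr, _, port = pattern.partition(":")
    return addr, port or "*"  # assumption: omitted port means any port

def normalize(torrc_rules):
    """Apply the comment's rules; return (descriptor_rules, log)."""
    out, log = [], []
    for rule in torrc_rules:
        keyword, pattern = rule.split(None, 1)
        if keyword not in ("accept", "reject", "accept6", "reject6"):
            raise ValueError(f"unknown policy keyword in {rule!r}")
        action = keyword.rstrip("6")
        addr, port = split_pattern(pattern.strip())
        family = address_family(addr)
        if keyword.endswith("6"):
            if family == 4:  # accept6/reject6 with IPv4: ignored
                log.append(f"WARN: ignoring IPv4 rule {rule!r}")
            else:  # '*' narrows to '*6'; IPv6 passes through
                target = "*6" if family == "*" else addr
                out.append(f"{action}6 {target}:{port}")
        elif family == "*":  # plain '*': both families, with NOTICE
            log.append(f"NOTICE: {rule!r} covers IPv4 and IPv6")
            out += [f"{action} *4:{port}", f"{action}6 *6:{port}"]
        elif family == 6:  # accept/reject IPv6 becomes accept6/reject6
            out.append(f"{action}6 {addr}:{port}")
        else:
            out.append(f"{action} {addr}:{port}")
    return out, log
```

Feeding the output of `normalize` back into it returns the same rules with an empty log, which is the property described above: a descriptor policy copied into a torrc means the same thing.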