policy_is_reject_star():

ome policies are default-reject, some default-accept.  But
policy_is_reject_star() assumed they were all default_reject.  Fix
that!

Also, document that policy_is_reject_star() treats a NULL policy as
empty. This allows us to simplify the checks in
parse_reachable_addresses() by quite a bit.

Fxes bug 20306; bugfix on 0.2.8.2-alpha.

6 files changed, 36 insertions, 32 deletions

diff --git a/changes/bug20306_029 b/changes/bug20306_029
new file mode 100644
index 0000000000..ada2676b2b
--- /dev/null
+++ b/changes/bug20306_029
@@ -0,0 +1,4 @@
+  o Minor bugfixes (fascistfirewall):
+    - Avoid spurious warnings when ReachableAddresses or FascistFirewall
+      is set. Fixes bug 20306; bugfix on 0.2.8.2-alpha.
+
diff --git a/src/or/policies.c b/src/or/policies.c
index 44a46d2fe2..227e168d9d 100644
--- a/src/or/policies.c
+++ b/src/or/policies.c
@@ -274,28 +274,22 @@ parse_reachable_addresses(void)
 
   /* We ignore ReachableAddresses for relays */
   if (!server_mode(options)) {
-    if ((reachable_or_addr_policy
-         && policy_is_reject_star(reachable_or_addr_policy, AF_UNSPEC))
-        || (reachable_dir_addr_policy
-            && policy_is_reject_star(reachable_dir_addr_policy, AF_UNSPEC))) {
+    if (policy_is_reject_star(reachable_or_addr_policy, AF_UNSPEC, 0)
+        || policy_is_reject_star(reachable_dir_addr_policy, AF_UNSPEC,0)) {
       log_warn(LD_CONFIG, "Tor cannot connect to the Internet if "
                "ReachableAddresses, ReachableORAddresses, or "
                "ReachableDirAddresses reject all addresses. Please accept "
                "some addresses in these options.");
     } else if (options->ClientUseIPv4 == 1
-       && ((reachable_or_addr_policy
-            && policy_is_reject_star(reachable_or_addr_policy, AF_INET))
-        || (reachable_dir_addr_policy
-            && policy_is_reject_star(reachable_dir_addr_policy, AF_INET)))) {
+       && (policy_is_reject_star(reachable_or_addr_policy, AF_INET, 0)
+           || policy_is_reject_star(reachable_dir_addr_policy, AF_INET, 0))) {
           log_warn(LD_CONFIG, "You have set ClientUseIPv4 1, but "
                    "ReachableAddresses, ReachableORAddresses, or "
                    "ReachableDirAddresses reject all IPv4 addresses. "
                    "Tor will not connect using IPv4.");
     } else if (fascist_firewall_use_ipv6(options)
-       && ((reachable_or_addr_policy
-            && policy_is_reject_star(reachable_or_addr_policy, AF_INET6))
-        || (reachable_dir_addr_policy
-            && policy_is_reject_star(reachable_dir_addr_policy, AF_INET6)))) {
+       && (policy_is_reject_star(reachable_or_addr_policy, AF_INET6, 0)
+         || policy_is_reject_star(reachable_dir_addr_policy, AF_INET6, 0))) {
           log_warn(LD_CONFIG, "You have configured tor to use IPv6 "
                    "(ClientUseIPv6 1 or UseBridges 1), but "
                    "ReachableAddresses, ReachableORAddresses, or "
@@ -1084,8 +1078,8 @@ validate_addr_policies(const or_options_t *options, char **msg)
 
   const int exitrelay_setting_is_auto = options->ExitRelay == -1;
   const int policy_accepts_something =
-    ! (policy_is_reject_star(addr_policy, AF_INET) &&
-       policy_is_reject_star(addr_policy, AF_INET6));
+    ! (policy_is_reject_star(addr_policy, AF_INET, 1) &&
+       policy_is_reject_star(addr_policy, AF_INET6, 1));
 
   if (server_mode(options) &&
       ! warned_about_exitrelay &&
@@ -2156,13 +2150,16 @@ exit_policy_is_general_exit(smartlist_t *policy)
 }
 
 /** Return false if <b>policy</b> might permit access to some addr:port;
- * otherwise if we are certain it rejects everything, return true. */
+ * otherwise if we are certain it rejects everything, return true. If no
+ * part of <b>policy</b> matches, return <b>default_reject</b>.
+ * NULL policies are allowed, and treated as empty. */
 int
-policy_is_reject_star(const smartlist_t *policy, sa_family_t family)
+policy_is_reject_star(const smartlist_t *policy, sa_family_t family,
+                      int default_reject)
 {
-  if (!policy) /*XXXX disallow NULL policies? */
-    return 1;
-  SMARTLIST_FOREACH_BEGIN(policy, addr_policy_t *, p) {
+  if (!policy)
+    return default_reject;
+  SMARTLIST_FOREACH_BEGIN(policy, const addr_policy_t *, p) {
     if (p->policy_type == ADDR_POLICY_ACCEPT &&
         (tor_addr_family(&p->addr) == family ||
          tor_addr_family(&p->addr) == AF_UNSPEC)) {
@@ -2175,7 +2172,7 @@ policy_is_reject_star(const smartlist_t *policy, sa_family_t family)
       return 1;
     }
   } SMARTLIST_FOREACH_END(p);
-  return 1;
+  return default_reject;
 }
 
 /** Write a single address policy to the buf_len byte buffer at buf.  Return
diff --git a/src/or/policies.h b/src/or/policies.h
index e134e686d2..20f58f2beb 100644
--- a/src/or/policies.h
+++ b/src/or/policies.h
@@ -100,7 +100,8 @@ void addr_policy_append_reject_addr_list(smartlist_t **dest,
                                          const smartlist_t *addrs);
 void policies_set_node_exitpolicy_to_reject_all(node_t *exitrouter);
 int exit_policy_is_general_exit(smartlist_t *policy);
-int policy_is_reject_star(const smartlist_t *policy, sa_family_t family);
+int policy_is_reject_star(const smartlist_t *policy, sa_family_t family,
+                          int reject_by_default);
 char * policy_dump_to_string(const smartlist_t *policy_list,
                              int include_ipv4,
                              int include_ipv6);
diff --git a/src/or/router.c b/src/or/router.c
index 10498e8ae1..b968072612 100644
--- a/src/or/router.c
+++ b/src/or/router.c
@@ -2158,8 +2158,8 @@ router_build_fresh_descriptor(routerinfo_t **r, extrainfo_t **e)
                                             &ri->exit_policy);
   }
   ri->policy_is_reject_star =
-    policy_is_reject_star(ri->exit_policy, AF_INET) &&
-    policy_is_reject_star(ri->exit_policy, AF_INET6);
+    policy_is_reject_star(ri->exit_policy, AF_INET, 1) &&
+    policy_is_reject_star(ri->exit_policy, AF_INET6, 1);
 
   if (options->IPv6Exit) {
     char *p_tmp = policy_summarize(ri->exit_policy, AF_INET6);
diff --git a/src/or/routerparse.c b/src/or/routerparse.c
index 93484660d2..a78d1ee53e 100644
--- a/src/or/routerparse.c
+++ b/src/or/routerparse.c
@@ -2206,7 +2206,7 @@ router_parse_entry_from_string(const char *s, const char *end,
     }
   }
 
-  if (policy_is_reject_star(router->exit_policy, AF_INET) &&
+  if (policy_is_reject_star(router->exit_policy, AF_INET, 1) &&
       (!router->ipv6_exit_policy ||
        short_policy_is_reject_star(router->ipv6_exit_policy)))
     router->policy_is_reject_star = 1;
diff --git a/src/test/test_policy.c b/src/test/test_policy.c
index 0d4a3b104f..22f473f278 100644
--- a/src/test/test_policy.c
+++ b/src/test/test_policy.c
@@ -258,14 +258,16 @@ test_policies_general(void *arg)
   tt_assert(!cmp_addr_policies(policy2, policy2));
   tt_assert(!cmp_addr_policies(NULL, NULL));
 
-  tt_assert(!policy_is_reject_star(policy2, AF_INET));
-  tt_assert(policy_is_reject_star(policy, AF_INET));
-  tt_assert(policy_is_reject_star(policy10, AF_INET));
-  tt_assert(!policy_is_reject_star(policy10, AF_INET6));
-  tt_assert(policy_is_reject_star(policy11, AF_INET));
-  tt_assert(policy_is_reject_star(policy11, AF_INET6));
-  tt_assert(policy_is_reject_star(NULL, AF_INET));
-  tt_assert(policy_is_reject_star(NULL, AF_INET6));
+  tt_assert(!policy_is_reject_star(policy2, AF_INET, 1));
+  tt_assert(policy_is_reject_star(policy, AF_INET, 1));
+  tt_assert(policy_is_reject_star(policy10, AF_INET, 1));
+  tt_assert(!policy_is_reject_star(policy10, AF_INET6, 1));
+  tt_assert(policy_is_reject_star(policy11, AF_INET, 1));
+  tt_assert(policy_is_reject_star(policy11, AF_INET6, 1));
+  tt_assert(policy_is_reject_star(NULL, AF_INET, 1));
+  tt_assert(policy_is_reject_star(NULL, AF_INET6, 1));
+  tt_assert(!policy_is_reject_star(NULL, AF_INET, 0));
+  tt_assert(!policy_is_reject_star(NULL, AF_INET6, 0));
 
   addr_policy_list_free(policy);
   policy = NULL;