authorNick Mathewson <nickm@torproject.org>2004-10-15 04:57:36 +0000
committerNick Mathewson <nickm@torproject.org>2004-10-15 04:57:36 +0000
commit88e0c080cf5493e2841a392f77daeef3db6a289d (patch)
treee8ad4382a7320dcf27647fe42bc0487b79e5e593
parent5e80944c52ae8abb43a446272f202d8a7d8af083 (diff)
Ignore fascistfirewall when dealing with service descriptors; obey fascistfirewall when posting server descriptors; ignore fascistfirewall on directory connections when httpproxy is set.
svn:r2527
-rw-r--r--doc/TODO14
-rw-r--r--src/or/directory.c20
-rw-r--r--src/or/or.h4
-rw-r--r--src/or/routerlist.c21
4 files changed, 37 insertions, 22 deletions
diff --git a/doc/TODO b/doc/TODO
index 04d36767e4..fcd60e4533 100644
--- a/doc/TODO
+++ b/doc/TODO
@@ -11,19 +11,19 @@ ARMA - arma claims
X Abandoned
0.0.9pre4:
- - Don't use FascistFirewall if you're going via Tor, or if
+o - Don't use FascistFirewall if you're going via Tor, or if
you're going via HttpProxy.
- - make RecommendedVersions a CONFIG_TYPE_LINELIST option
+N - make RecommendedVersions a CONFIG_TYPE_LINELIST option
R . bandwidth buckets for write as well as read.
N - Handle rendezvousing with unverified nodes.
- Specify: Stick rendezvous point's key in INTRODUCE cell.
Bob should _always_ use key from INTRODUCE cell.
- Implement.
-N - node 'groups' that are known to be in the same zone of control.
- - Nodes can list their coadministrated nodes.
- - If A lists B, it only counts if B also lists A
- - Users can list other coadministrated nodes if they like.
- . Never choose two coadministrated nodes in the same circuit.
+ o node 'groups' that are known to be in the same zone of control.
+ o Nodes can list their coadministrated nodes.
+ o If A lists B, it only counts if B also lists A
+N - Users can list other coadministrated nodes if they like.
+ o Never choose two coadministrated nodes in the same circuit.
R - figure out enclaves, e.g. so we know what to recommend that people
do, and so running a tor server on your website is helpful.
- Do enclaves for same IP only.
diff --git a/src/or/directory.c b/src/or/directory.c
index e221a9a42d..7726d33711 100644
--- a/src/or/directory.c
+++ b/src/or/directory.c
@@ -76,6 +76,7 @@ directory_post_to_dirservers(uint8_t purpose, const char *payload,
int i;
routerinfo_t *router;
routerlist_t *rl;
+ char buf[16];
router_get_routerlist(&rl);
if(!rl)
@@ -85,8 +86,14 @@ directory_post_to_dirservers(uint8_t purpose, const char *payload,
router = smartlist_get(rl->routers, i);
/* Note: this posts our descriptor to ourselves, if we're an
* authdirserver. But I think that's ok. */
- if(router->is_trusted_dir)
- directory_initiate_command_router(router, purpose, payload, payload_len);
+ if(!router->is_trusted_dir)
+ continue;
+ if (options.FascistFirewall && purpose == DIR_PURPOSE_UPLOAD_DIR) {
+ sprintf(buf,"%d",router->dir_port);
+ if (!smartlist_string_isin(options.FirewallPorts, buf))
+ continue;
+ }
+ directory_initiate_command_router(router, purpose, payload, payload_len);
}
}
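Review bot: The new FascistFirewall check in the upload loop never consults `options.HttpProxy`, although this same commit makes both `_impl` pickers in routerlist.c clear the flag when a proxy is configured; if uploads also leave through the proxy (not visible in this hunk), a firewalled, proxied server would skip every trusted dirserver whose dir_port is not in FirewallPorts and never publish its descriptor. The condition could read `if (options.FascistFirewall && !options.HttpProxy && purpose == DIR_PURPOSE_UPLOAD_DIR) {`. Separately, `sprintf(buf,"%d",router->dir_port)` is only safe while the port's type stays small enough for the `char buf[16]` declared in the previous hunk; `snprintf(buf, sizeof(buf), "%d", router->dir_port);` keeps the write bounded regardless. When every dirserver is filtered out the loop ends without a trace, so a log line for that case would help an operator notice a FirewallPorts setting that blocks all uploads. The function and the loop header begin outside this hunk.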
@@ -105,18 +112,19 @@ directory_get_from_dirserver(uint8_t purpose, const char *payload,
if (purpose == DIR_PURPOSE_FETCH_DIR) {
if (advertised_server_mode()) {
/* only ask authdirservers, and don't ask myself */
- ds = router_pick_trusteddirserver(1);
+ ds = router_pick_trusteddirserver(1, options.FascistFirewall);
} else {
/* anybody with a non-zero dirport will do */
- r = router_pick_directory_server(1);
+ r = router_pick_directory_server(1, options.FascistFirewall);
if (!r) {
log_fn(LOG_INFO, "No router found for directory; falling back to dirserver list");
- ds = router_pick_trusteddirserver(1);
+ ds = router_pick_trusteddirserver(1, options.FascistFirewall);
}
}
} else { // (purpose == DIR_PURPOSE_FETCH_RENDDESC)
/* only ask authdirservers, any of them will do */
- ds = router_pick_trusteddirserver(0);
+ /* Never use fascistfirewall; we're going via Tor. */
+ ds = router_pick_trusteddirserver(0, 0);
}
if (r)
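Review bot: The `else` branch is a catch-all, so after this change any purpose other than DIR_PURPOSE_FETCH_DIR skips FirewallPorts filtering, not only rendezvous-descriptor fetches; `// (purpose == DIR_PURPOSE_FETCH_RENDDESC)` is just a remark. Making it a real check as the first statement of the branch, for example `tor_assert(purpose == DIR_PURPOSE_FETCH_RENDDESC);` if the assertion macro is available in this file, would keep a later purpose from silently inheriting the firewall exemption. The literal `0, 0` is also easy to misread, so a trailing comment naming the two arguments (`/* requireothers=0, fascistfirewall=0 */`) would help. The function starts before and continues after this hunk.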
diff --git a/src/or/or.h b/src/or/or.h
index 080d9aaaed..1fe05447da 100644
--- a/src/or/or.h
+++ b/src/or/or.h
@@ -1412,8 +1412,8 @@ typedef struct trusted_dir_server_t {
} trusted_dir_server_t;
int router_reload_router_list(void);
-routerinfo_t *router_pick_directory_server(int requireothers);
-trusted_dir_server_t *router_pick_trusteddirserver(int requireothers);
+routerinfo_t *router_pick_directory_server(int requireothers, int fascistfirewall);
+trusted_dir_server_t *router_pick_trusteddirserver(int requireothers, int fascistfirewall);
int all_trusted_directory_servers_down(void);
struct smartlist_t;
void routerlist_add_family(struct smartlist_t *sl, routerinfo_t *router);
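Review bot: Both prototypes now take two adjacent `int` flags with no comment saying what `fascistfirewall` means, and a call such as `router_pick_trusteddirserver(0, 0)` in directory.c gives a reader no way to tell them apart or to notice a transposition. I would add a comment above the pair, e.g. `/* fascistfirewall: if true, only pick servers whose dirport is listed in FirewallPorts; the _impl functions clear it when HttpProxy is set. */`. That second half matters to callers, because passing 1 does not guarantee that filtering happens.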
diff --git a/src/or/routerlist.c b/src/or/routerlist.c
index 2bdbaf23f8..b16847e62e 100644
--- a/src/or/routerlist.c
+++ b/src/or/routerlist.c
@@ -73,13 +73,14 @@ int router_reload_router_list(void)
* in our routerlist, set all the authoritative ones as running again,
* and pick one. If there are no dirservers at all in our routerlist,
* reload the routerlist and try one last time. */
-routerinfo_t *router_pick_directory_server(int requireothers) {
+routerinfo_t *router_pick_directory_server(int requireothers,
+ int fascistfirewall) {
routerinfo_t *choice;
if (!routerlist)
return NULL;
- choice = router_pick_directory_server_impl(requireothers, options.FascistFirewall);
+ choice = router_pick_directory_server_impl(requireothers, fascistfirewall);
if(choice)
return choice;
@@ -87,7 +88,7 @@ routerinfo_t *router_pick_directory_server(int requireothers) {
/* mark all authdirservers as up again */
mark_all_trusteddirservers_up();
/* try again */
- choice = router_pick_directory_server_impl(requireothers, options.FascistFirewall);
+ choice = router_pick_directory_server_impl(requireothers, fascistfirewall);
if(choice)
return choice;
@@ -103,11 +104,11 @@ routerinfo_t *router_pick_directory_server(int requireothers) {
return choice;
}
-trusted_dir_server_t *router_pick_trusteddirserver(int requireothers) {
+trusted_dir_server_t *router_pick_trusteddirserver(int requireothers,
+ int fascistfirewall) {
trusted_dir_server_t *choice;
- choice = router_pick_trusteddirserver_impl(requireothers,
- options.FascistFirewall);
+ choice = router_pick_trusteddirserver_impl(requireothers, fascistfirewall);
if(choice)
return choice;
@@ -115,7 +116,7 @@ trusted_dir_server_t *router_pick_trusteddirserver(int requireothers) {
/* mark all authdirservers as up again */
mark_all_trusteddirservers_up();
/* try again */
- choice = router_pick_trusteddirserver_impl(requireothers, 0);
+ choice = router_pick_trusteddirserver_impl(requireothers, fascistfirewall);
if(choice)
return choice;
@@ -145,6 +146,9 @@ router_pick_directory_server_impl(int requireothers, int fascistfirewall)
if(!routerlist)
return NULL;
+ if(options.HttpProxy)
+ fascistfirewall = 0;
+
/* Find all the running dirservers we know about. */
sl = smartlist_create();
for(i=0;i< smartlist_len(routerlist->routers); i++) {
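Review bot: `fascistfirewall = 0;` overwrites the caller's argument with no comment, and the identical override is repeated in router_pick_trusteddirserver_impl in the next hunk, so the proxy rule lives in two places while the upload path in directory.c has no equivalent. A why-comment at both sites would help, e.g. `/* Directory connections go out via HttpProxy, so FirewallPorts does not limit which dirport we can reach. */` (wording taken from the commit message; confirm it matches the intent). A small shared predicate used by all three sites would keep them from drifting apart. The function body starts and continues outside this hunk.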
@@ -179,6 +183,9 @@ router_pick_trusteddirserver_impl(int requireother, int fascistfirewall)
if (!trusted_dir_servers)
return NULL;
+ if(options.HttpProxy)
+ fascistfirewall = 0;
+
SMARTLIST_FOREACH(trusted_dir_servers, trusted_dir_server_t *, d,
{
if (!d->is_running) continue;