diff options
author | David Goulet <dgoulet@torproject.org> | 2021-01-27 21:49:56 -0500 |
---|---|---|
committer | David Goulet <dgoulet@torproject.org> | 2021-01-29 14:19:17 -0500 |
commit | f26950fa7a077de4b6a9329af397fce74182b1e5 (patch) | |
tree | 8db81e11d883a11f129f9de6c9ac0c33523da69c /src/feature/nodelist/dirlist.c | |
parent | 9556276f07e62e8b2e6a496e9b2a918293367839 (diff) | |
download | tor-f26950fa7a077de4b6a9329af397fce74182b1e5.tar.gz tor-f26950fa7a077de4b6a9329af397fce74182b1e5.zip |
relay: Add bloomfiter of relay address + {OR|Dir}Port
In order to deny re-entry in the network, we now keep a bloomfilter of relay
ORPort + address and authorities ORPort + address and DirPort + address
combinations.
So when an Exit stream is handled, we deny anything connecting back into the
network on the ORPorts for relays and on the ORPort+DirPort for the
authorities.
Related to #2667
Signed-off-by: David Goulet <dgoulet@torproject.org>
Diffstat (limited to 'src/feature/nodelist/dirlist.c')
-rw-r--r-- | src/feature/nodelist/dirlist.c | 36 |
1 files changed, 36 insertions, 0 deletions
diff --git a/src/feature/nodelist/dirlist.c b/src/feature/nodelist/dirlist.c index 93baa6e4e0..25f769dd5a 100644 --- a/src/feature/nodelist/dirlist.c +++ b/src/feature/nodelist/dirlist.c @@ -49,6 +49,42 @@ static smartlist_t *trusted_dir_servers = NULL; * and all fallback directory servers. */ static smartlist_t *fallback_dir_servers = NULL; +/** Helper: From a given trusted directory entry, add the v4 or/and v6 address + * to the nodelist address set. */ +static void +add_trusted_dir_to_nodelist_addr_set(const dir_server_t *dir) +{ + tor_addr_t tmp_addr; + + tor_assert(dir); + tor_assert(dir->is_authority); + + /* Add IPv4 and then IPv6 if applicable. For authorities, we add the ORPort + * and DirPort so re-entry into the network back to them is not possible. */ + tor_addr_from_ipv4h(&tmp_addr, dir->addr); + nodelist_add_addr_to_address_set(&tmp_addr, dir->or_port, dir->dir_port); + if (!tor_addr_is_null(&dir->ipv6_addr)) { + /* IPv6 DirPort is not a thing yet for authorities. */ + nodelist_add_addr_to_address_set(&dir->ipv6_addr, dir->ipv6_orport, 0); + } +} + +/** Go over the trusted directory server list and add their address(es) to the + * nodelist address set. This is called every time a new consensus is set. */ +void +dirlist_add_trusted_dir_addresses(void) +{ + if (!trusted_dir_servers) { + return; + } + + SMARTLIST_FOREACH_BEGIN(trusted_dir_servers, const dir_server_t *, ent) { + if (ent->is_authority) { + add_trusted_dir_to_nodelist_addr_set(ent); + } + } SMARTLIST_FOREACH_END(ent); +} + /** Return the number of directory authorities whose type matches some bit set * in <b>type</b> */ int |