diff options
author | Nick Mathewson <nickm@torproject.org> | 2012-01-13 12:28:32 -0500 |
---|---|---|
committer | Nick Mathewson <nickm@torproject.org> | 2012-01-13 12:28:47 -0500 |
commit | 938531773a017e6eb70f11e81a0543e81413f83f (patch) | |
tree | 860f0854a6725790a551e4ff9a733796cd4794a2 /src | |
parent | fbd243a1652d7d610e9c8e00901638662cbe34c5 (diff) | |
download | tor-938531773a017e6eb70f11e81a0543e81413f83f.tar.gz tor-938531773a017e6eb70f11e81a0543e81413f83f.zip |
Allow authorities to baddir/badexit/invalid/reject nodes by cc
Implements ticket #4207
Diffstat (limited to 'src')
-rw-r--r-- | src/or/config.c | 8 | ||||
-rw-r--r-- | src/or/or.h | 13 | ||||
-rw-r--r-- | src/or/policies.c | 31 |
3 files changed, 48 insertions, 4 deletions
diff --git a/src/or/config.c b/src/or/config.c index b118f30ace..341bc15d21 100644 --- a/src/or/config.c +++ b/src/or/config.c @@ -89,6 +89,10 @@ typedef struct config_abbrev_t { /** A list of abbreviations and aliases to map command-line options, obsolete * option names, or alternative option names, to their current values. */ static config_abbrev_t _option_abbrevs[] = { + PLURAL(AuthDirBadDirCC), + PLURAL(AuthDirBadExitCC), + PLURAL(AuthDirInvalidCC), + PLURAL(AuthDirRejectCC), PLURAL(ExitNode), PLURAL(EntryNode), PLURAL(ExcludeNode), @@ -182,11 +186,15 @@ static config_var_t _option_vars[] = { V(AlternateHSAuthority, LINELIST, NULL), V(AssumeReachable, BOOL, "0"), V(AuthDirBadDir, LINELIST, NULL), + V(AuthDirBadDirCC, CSV, ""), V(AuthDirBadExit, LINELIST, NULL), + V(AuthDirBadExitCC, CSV, ""), V(AuthDirInvalid, LINELIST, NULL), + V(AuthDirInvalidCC, CSV, ""), V(AuthDirFastGuarantee, MEMUNIT, "100 KB"), V(AuthDirGuardBWGuarantee, MEMUNIT, "250 KB"), V(AuthDirReject, LINELIST, NULL), + V(AuthDirRejectCC, CSV, ""), V(AuthDirRejectUnlisted, BOOL, "0"), V(AuthDirListBadDirs, BOOL, "0"), V(AuthDirListBadExits, BOOL, "0"), diff --git a/src/or/or.h b/src/or/or.h index 0fcb083a4e..21cb074408 100644 --- a/src/or/or.h +++ b/src/or/or.h @@ -3237,6 +3237,19 @@ typedef struct { * reject. */ config_line_t *AuthDirInvalid; /**< Address policy for descriptors to * never mark as valid. */ + /** @name AuthDir...CC + * + * Lists of of country codes to mark as BadDir, BadExit, or Invalid, or to + * reject entirely. + * + * @{ + */ + smartlist_t *AuthDirBadDirCC; + smartlist_t *AuthDirBadExitCC; + smartlist_t *AuthDirRejectCC; + smartlist_t *AuthDirInvalidCC; + /**@}*/ + int AuthDirListBadDirs; /**< True iff we should list bad dirs, * and vote for all other dir mirrors as good. */ int AuthDirListBadExits; /**< True iff we should list bad exits, diff --git a/src/or/policies.c b/src/or/policies.c index 40e5277478..fdec687b11 100644 --- a/src/or/policies.c +++ b/src/or/policies.c @@ -14,6 +14,7 @@ #include "nodelist.h" #include "policies.h" #include "routerparse.h" +#include "geoip.h" #include "ht.h" /** Policy that addresses for incoming SOCKS connections must match. */ @@ -313,13 +314,29 @@ socks_policy_permits_address(const tor_addr_t *addr) return addr_policy_permits_tor_addr(addr, 1, socks_policy); } +/** Return true iff the address <b>addr</b> is in a country listed in the + * case-insentive list of country codes <b>cc_list</b>. */ +static int +addr_is_in_cc_list(uint32_t addr, const smartlist_t *cc_list) +{ + country_t country; + const char *name; + if (!cc_list) + return 0; + country = geoip_get_country_by_ip(addr); + name = geoip_get_country_name(country); + return smartlist_string_isin_case(cc_list, name); +} + /** Return 1 if <b>addr</b>:<b>port</b> is permitted to publish to our * directory, based on <b>authdir_reject_policy</b>. Else return 0. */ int authdir_policy_permits_address(uint32_t addr, uint16_t port) { - return addr_policy_permits_address(addr, port, authdir_reject_policy); + if (! addr_policy_permits_address(addr, port, authdir_reject_policy)) + return 0; + return !addr_is_in_cc_list(addr, get_options()->AuthDirRejectCC); } /** Return 1 if <b>addr</b>:<b>port</b> is considered valid in our @@ -328,7 +345,9 @@ authdir_policy_permits_address(uint32_t addr, uint16_t port) int authdir_policy_valid_address(uint32_t addr, uint16_t port) { - return addr_policy_permits_address(addr, port, authdir_invalid_policy); + if (! addr_policy_permits_address(addr, port, authdir_invalid_policy)) + return 0; + return !addr_is_in_cc_list(addr, get_options()->AuthDirInvalidCC); } /** Return 1 if <b>addr</b>:<b>port</b> should be marked as a bad dir, @@ -337,7 +356,9 @@ authdir_policy_valid_address(uint32_t addr, uint16_t port) int authdir_policy_baddir_address(uint32_t addr, uint16_t port) { - return ! addr_policy_permits_address(addr, port, authdir_baddir_policy); + if (! addr_policy_permits_address(addr, port, authdir_baddir_policy)) + return 1; + return addr_is_in_cc_list(addr, get_options()->AuthDirBadDirCC); } /** Return 1 if <b>addr</b>:<b>port</b> should be marked as a bad exit, @@ -346,7 +367,9 @@ authdir_policy_baddir_address(uint32_t addr, uint16_t port) int authdir_policy_badexit_address(uint32_t addr, uint16_t port) { - return ! addr_policy_permits_address(addr, port, authdir_badexit_policy); + if (! addr_policy_permits_address(addr, port, authdir_badexit_policy)) + return 1; + return addr_is_in_cc_list(addr, get_options()->AuthDirBadExitCC); } #define REJECT(arg) \ |