From 5138a9c3c22fb00b3f6e04058d80f0e6d56aea91 Mon Sep 17 00:00:00 2001
From: David Goulet
Date: Wed, 10 Feb 2021 11:06:52 -0500
Subject: relay: Don't look at omit flag when building descriptor That comes from 685c4866acf8489c58aca41ec01aa5a53e39220a which added that check correctly except for when we build a descriptor. We already omit the IPv6 address, if we need to, when we encode the descriptor but we need to keep the actual discovered address in the descriptor so we can notice future IP changes and be able to assess that we are not publishable as long as we don't specifically set the omit flag. This lead to also having tor noticing that our IP changed from (no IPv6 in the descriptor) to a discovered one which would trigger every minute. Fixes #40279, #40288
Signed-off-by: David Goulet
---
 src/feature/relay/router.c | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/src/feature/relay/router.c b/src/feature/relay/router.c
index 0be3eec1dd..9ef609c72d 100644
--- a/src/feature/relay/router.c
+++ b/src/feature/relay/router.c
@@ -2101,8 +2101,7 @@ router_build_fresh_unsigned_routerinfo,(routerinfo_t **ri_out))
 ri->ipv4_dirport = routerconf_find_dir_port(options, 0);
 /* Optionally check for an IPv6. We still publish without one. */
- if (!omit_ipv6_on_publish &&
- relay_find_addr_to_publish(options, AF_INET6, RELAY_FIND_ADDR_NO_FLAG,
+ if (relay_find_addr_to_publish(options, AF_INET6, RELAY_FIND_ADDR_NO_FLAG,
 &ri->ipv6_addr)) {
 ri->ipv6_orport = routerconf_find_or_port(options, AF_INET6);
 router_check_descriptor_address_consistency(&ri->ipv6_addr);
--
cgit v1.2.3-54-g00ecf
From ae5800cd9faccd8c1319601cac7f6c76c4beb288 Mon Sep 17 00:00:00 2001
From: David Goulet
Date: Wed, 10 Feb 2021 11:46:32 -0500
Subject: relay: Allow RFC1918 addresses for non public relays In other words, if PublishServerDescriptor is set to 0 and AssumeReachable to 1, then allow a relay to hold a RFC1918 address. Reasons for this are documented in #40208 Fixes #40208
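Review bot: In the src/feature/relay/router.c hunk, the comment above the IPv6 lookup still reads only "Optionally check for an IPv6" and gives no hint that `omit_ipv6_on_publish` is deliberately not consulted there, so the check this commit removes could easily be re-added later. I would extend it to something like `/* Keep the discovered IPv6 address even when omit_ipv6_on_publish is set: the encoder drops it, and we need it here to notice address changes. */`. With this change, keeping the address out of a published descriptor rests entirely on the encode step described in the commit message, and the commit touches one file with no test; a regression test that builds a routerinfo with the omit flag set and checks that the encoded descriptor carries no IPv6 address would pin that. The body of router_build_fresh_unsigned_routerinfo starts and ends outside the hunk, so the encode path is not visible here.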
Signed-off-by: David Goulet
---
 changes/ticket40208 | 6 ++++++
 src/app/config/resolve_addr.c | 14 +++++++++++++-
 src/test/test_config.c | 17 +++++++++++++++++
 3 files changed, 36 insertions(+), 1 deletion(-)
 create mode 100644 changes/ticket40208
diff --git a/changes/ticket40208 b/changes/ticket40208
new file mode 100644
index 0000000000..5a3a1aa55e
--- /dev/null
+++ b/changes/ticket40208
@@ -0,0 +1,6 @@
+ o Minor bugfixes (relay):
+ - Allow relays to have a RFC1918 address if PublishServerDescriptor is set
+ to 0 and AssumeReachable is set to 1. This is to support the use case of a
+ bridge on a local network that can be used by restricted users on that
+ network to reach the Tor network. Fixes bug 40208; bugfix on
+ 0.4.5.1-alpha.
diff --git a/src/app/config/resolve_addr.c b/src/app/config/resolve_addr.c
index 080cb967bc..86db6ba680 100644
--- a/src/app/config/resolve_addr.c
+++ b/src/app/config/resolve_addr.c
@@ -193,7 +193,19 @@ address_can_be_used(const tor_addr_t *addr, const or_options_t *options,
 goto allow;
 }
- /* We have a private IP address. It is allowed only if we set custom
+ /* We allow internal addresses to be used if the PublishServerDescriptor is
+ * unset and AssumeReachable (or for IPv6) is set.
+ *
+ * This is to cover the case where a relay/bridge might be run behind a
+ * firewall on a local network to users can reach the network through it
+ * using Tor Browser for instance. */
+ if (options->PublishServerDescriptor_ == NO_DIRINFO &&
+ (options->AssumeReachable ||
+ (tor_addr_family(addr) == AF_INET6 && options->AssumeReachableIPv6))) {
+ goto allow;
+ }
+
+ /* We have a private IP address. This is also allowed if we set custom
 * directory authorities. */
 if (using_default_dir_authorities(options)) {
 log_fn(warn_severity, LD_CONFIG,
diff --git a/src/test/test_config.c b/src/test/test_config.c
index 4eb4ac9cf5..eacf12a25f 100644
--- a/src/test/test_config.c
+++ b/src/test/test_config.c
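Review bot: In the src/app/config/resolve_addr.c hunk, the new comment in address_can_be_used() is looser than the condition it sits on: "AssumeReachable (or for IPv6)" never names `AssumeReachableIPv6`, and "to users can reach" should read "so users can reach". Suggested wording for those two lines: `* unset and AssumeReachable (or, for an IPv6 address, AssumeReachableIPv6) is set.` and `* firewall on a local network so users can reach the network through it`. As written, `options->AssumeReachable` alone also admits an internal IPv6 address, which the comment should say if that is intended. The branch also takes `goto allow` without any log line, unlike the warning path right below it, so an operator gets no record that a private address was accepted because the relay is not publishing; the `allow` label and the rest of the function are outside the hunk.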
@@ -1460,6 +1460,7 @@ test_config_find_my_address(void *arg)
 options = options_new();
 options_init(options);
+ options->PublishServerDescriptor_ = V3_DIRINFO;
 /*
 * Case 0:
@@ -1782,6 +1783,22 @@ test_config_find_my_address(void *arg)
 VALIDATE_FOUND_ADDRESS(true, RESOLVED_ADDR_INTERFACE, NULL);
 CLEANUP_FOUND_ADDRESS;
+ /*
+ * Case 15: Address is a local address (internal) but we unset
+ * PublishServerDescriptor_ so we are allowed to hold it.
+ */
+ options->PublishServerDescriptor_ = NO_DIRINFO;
+ if (p->family == AF_INET) {
+ options->AssumeReachable = 1;
+ }
+ config_line_append(&options->Address, "Address", p->internal_ip);
+
+ tor_addr_parse(&test_addr, p->internal_ip);
+ retval = find_my_address(options, p->family, LOG_NOTICE, &resolved_addr,
+ &method_used, &hostname_out);
+ VALIDATE_FOUND_ADDRESS(true, RESOLVED_ADDR_CONFIGURED, NULL);
+ CLEANUP_FOUND_ADDRESS;
+
 UNMOCK(get_interface_address6);
 UNMOCK(tor_gethostname);
 UNMOCK(tor_addr_lookup);
--
cgit v1.2.3-54-g00ecf
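Review bot: Case 15 in the second src/test/test_config.c hunk sets `options->AssumeReachable = 1` only for AF_INET, so the IPv6 run passes on whatever value options_init() leaves in `AssumeReachableIPv6` rather than on a value the test chose. Setting it explicitly, `} else { options->AssumeReachableIPv6 = 1; }`, would make the case exercise the branch it is named for. The case also covers only the accepting path; a companion case with `PublishServerDescriptor_ = NO_DIRINFO` and both reachability options at 0, expecting the internal address to be refused, would guard against the new exception widening later. test_config_find_my_address() starts and ends outside the hunk, and the macro definitions are not visible here.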