Start obeying our firewall options more rigorously:

  - If we can't get to a dirserver directly, try going via Tor.
  - Don't ever try to connect (as a client) to a place our firewall
    options forbid.
  - If we specify a proxy and also firewall options, obey the firewall
    options even when we're using the proxy: some proxies can only proxy
    to certain destinations.


svn:r5431

src/or/config.c

@@ -1701,7 +1701,7 @@ parse_reachable_addresses(void)
 }
 
 /** Return true iff the firewall options might block any address:port
- * combination
+ * combination.
  */
 int
 firewall_is_fascist(void)
@@ -1710,7 +1710,7 @@ firewall_is_fascist(void)
 }
 
 /** Return true iff we are configured to think that the local fascist
- * firewall (if any) will allow a connection to <b>addr</b>:<b>port</b> */
+ * firewall (if any) will allow a connection to <b>addr</b>:<b>port</b>. */
 int
 fascist_firewall_allows_address(uint32_t addr, uint16_t port)
 {

src/or/directory.c

@@ -133,6 +133,7 @@ directory_post_to_dirservers(uint8_t purpose, const char *payload,
                              size_t payload_len)
 {
   smartlist_t *dirservers;
+  int post_via_tor;
 
   router_get_trusted_dir_servers(&dirservers);
   tor_assert(dirservers);
@@ -141,23 +142,15 @@ directory_post_to_dirservers(uint8_t purpose, const char *payload,
    */
   SMARTLIST_FOREACH(dirservers, trusted_dir_server_t *, ds,
     {
-      /* Pay attention to fascistfirewall when we're uploading a
-       * router descriptor, but not when uploading a service
-       * descriptor -- those use Tor. */
-      if (purpose == DIR_PURPOSE_UPLOAD_DIR && !get_options()->HttpProxy) {
-        if (!fascist_firewall_allows_address(ds->addr,ds->dir_port))
-          continue;
-      }
-      directory_initiate_command_trusted_dir(ds, purpose,
-                                             purpose_is_private(purpose),
+      post_via_tor = purpose_is_private(purpose) ||
+                     !fascist_firewall_allows_address(ds->addr,ds->dir_port);
+      directory_initiate_command_trusted_dir(ds, purpose, post_via_tor,
                                              NULL, payload, payload_len);
     });
 }
 
 /** Start a connection to a random running directory server, using
- * connection purpose 'purpose' requesting 'resource'.  The purpose
- * should be one of 'DIR_PURPOSE_FETCH_DIR',
- * 'DIR_PURPOSE_FETCH_RENDDESC', 'DIR_PURPOSE_FETCH_RUNNING_LIST.'
+ * connection purpose 'purpose' and requesting 'resource'.
  * If <b>retry_if_no_servers</b>, then if all the possible servers seem
  * down, mark them up and try again.
  */
@@ -167,10 +160,10 @@ directory_get_from_dirserver(uint8_t purpose, const char *resource,
 {
   routerinfo_t *r = NULL;
   trusted_dir_server_t *ds = NULL;
-  int fascistfirewall = firewall_is_fascist();
   or_options_t *options = get_options();
   int fetch_fresh_first = server_mode(options) && options->DirPort != 0;
   int directconn = !purpose_is_private(purpose);
+  int need_to_use_tor = 0;
 
   int need_v1_support = purpose == DIR_PURPOSE_FETCH_DIR ||
                         purpose == DIR_PURPOSE_FETCH_RUNNING_LIST;
@@ -187,12 +180,12 @@ directory_get_from_dirserver(uint8_t purpose, const char *resource,
     }
     if (!ds && fetch_fresh_first) {
       /* only ask authdirservers, and don't ask myself */
-      ds = router_pick_trusteddirserver(need_v1_support, 1, fascistfirewall,
+      ds = router_pick_trusteddirserver(need_v1_support, 1, 1,
                                         retry_if_no_servers);
     }
     if (!ds) {
       /* anybody with a non-zero dirport will do */
-      r = router_pick_directory_server(1, fascistfirewall, need_v2_support,
+      r = router_pick_directory_server(1, 1, need_v2_support,
                                        retry_if_no_servers);
       if (!r) {
         const char *which;
@@ -205,15 +198,24 @@ directory_get_from_dirserver(uint8_t purpose, const char *resource,
         else // if (purpose == DIR_PURPOSE_FETCH_NETWORKSTATUS)
           which = "server descriptors";
         info(LD_DIR,
-             "No router found for %s; falling back to dirserver list",which);
-        ds = router_pick_trusteddirserver(1, 1, fascistfirewall,
+             "No router found for %s; falling back to dirserver list", which);
+        ds = router_pick_trusteddirserver(1, 1, 1,
                                           retry_if_no_servers);
+        if (!ds)
+          need_to_use_tor = 1; /* last resort: try routing it via Tor */
       }
     }
-  } else { // (purpose == DIR_PURPOSE_FETCH_RENDDESC)
-    /* only ask authdirservers, any of them will do */
+  }
+  if (!directconn || need_to_use_tor) {
     /* Never use fascistfirewall; we're going via Tor. */
-    ds = router_pick_trusteddirserver(0, 0, 0, retry_if_no_servers);
+    if (purpose == DIR_PURPOSE_FETCH_RENDDESC) {
+      /* only ask authdirservers, any of them will do */
+      ds = router_pick_trusteddirserver(0, 0, 0, retry_if_no_servers);
+    } else {
+      /* anybody with a non-zero dirport will do. Disregard firewalls. */
+      r = router_pick_directory_server(1, 0, need_v2_support,
+                                       retry_if_no_servers);
+    }
   }
 
   if (r)

src/or/or.h

@@ -314,26 +314,26 @@ typedef enum {
 #define _CONTROL_CONN_STATE_MAX 4
 
 #define _DIR_PURPOSE_MIN 1
-/** Purpose for connection to directory server: download a directory. */
+/** A connection to a directory server: download a directory. */
 #define DIR_PURPOSE_FETCH_DIR 1
-/** Purpose for connection to directory server: download just the list
+/** A connection to a directory server: download just the list
  * of running routers. */
 #define DIR_PURPOSE_FETCH_RUNNING_LIST 2
-/** Purpose for connection to directory server: download a rendezvous
+/** A connection to a directory server: download a rendezvous
  * descriptor. */
 #define DIR_PURPOSE_FETCH_RENDDESC 3
-/** Purpose for connection to directory server: set after a rendezvous
+/** A connection to a directory server: set after a rendezvous
  * descriptor is downloaded. */
 #define DIR_PURPOSE_HAS_FETCHED_RENDDESC 4
 /** A connection to a directory server: download one or more network-status
  * objects */
 #define DIR_PURPOSE_FETCH_NETWORKSTATUS 5
-/**  A connection to a directory server: download one or more server
+/** A connection to a directory server: download one or more server
  * descriptors. */
 #define DIR_PURPOSE_FETCH_SERVERDESC 6
-/** Purpose for connection to directory server: upload a server descriptor. */
+/** A connection to a directory server: upload a server descriptor. */
 #define DIR_PURPOSE_UPLOAD_DIR 7
-/** Purpose for connection to directory server: upload a rendezvous
+/** A connection to a directory server: upload a rendezvous
  * descriptor. */
 #define DIR_PURPOSE_UPLOAD_RENDDESC 8
 /** Purpose for connection at a directory server. */

src/or/routerlist.c

@@ -339,7 +339,7 @@ router_pick_directory_server(int requireother,
     return choice;
 
   info(LD_DIR,"Still no %s router entries. Reloading and trying again.",
-         firewall_is_fascist() ? "reachable" : "known");
+         fascistfirewall ? "reachable" : "known");
   has_fetched_directory=0; /* reset it */
   if (router_reload_router_list()) {
     return NULL;
@@ -391,8 +391,8 @@ router_pick_trusteddirserver(int need_v1_support,
 
 /** Pick a random running verified directory server/mirror from our
  * routerlist.
- * If <b>fascistfirewall</b> and we're not using a proxy,
- * make sure the port we pick is allowed by options-\>firewallports.
+ * If <b>fascistfirewall</b>,
+ * make sure the router we pick is allowed by our firewall options.
  * If <b>requireother</b>, it cannot be us.  If <b>for_v2_directory</b>,
  * choose a directory server new enough to support the v2 directory
  * functionality.
@@ -407,9 +407,6 @@ router_pick_directory_server_impl(int requireother, int fascistfirewall,
   if (!routerlist)
     return NULL;
 
-  if (get_options()->HttpProxy)
-    fascistfirewall = 0;
-
   /* Find all the running dirservers we know about. */
   sl = smartlist_create();
   SMARTLIST_FOREACH(routerlist->routers, routerinfo_t *, router,
@@ -439,8 +436,8 @@ router_pick_directory_server_impl(int requireother, int fascistfirewall,
 }
 
 /** Choose randomly from among the trusted dirservers that are up.
- * If <b>fascistfirewall</b> and we're not using a proxy,
- * make sure the port we pick is allowed by options-\>firewallports.
+ * If <b>fascistfirewall</b>,
+ * make sure the port we pick is allowed by our firewall options.
  * If <b>requireother</b>, it cannot be us.  If <b>need_v1_support</b>, choose
  * a trusted authority for the v1 directory system.
  */
@@ -457,9 +454,6 @@ router_pick_trusteddirserver_impl(int need_v1_support,
   if (!trusted_dir_servers)
     return NULL;
 
-  if (get_options()->HttpProxy)
-    fascistfirewall = 0;
-
   SMARTLIST_FOREACH(trusted_dir_servers, trusted_dir_server_t *, d,
     {
       if (!d->is_running) continue;