policy_is_reject_star():

ome policies are default-reject, some default-accept.  But
policy_is_reject_star() assumed they were all default_reject.  Fix
that!

Also, document that policy_is_reject_star() treats a NULL policy as
empty. This allows us to simplify the checks in
parse_reachable_addresses() by quite a bit.

Fxes bug 20306; bugfix on 0.2.8.2-alpha.

changes/bug20306_029

@@ -0,0 +1,4 @@
+  o Minor bugfixes (fascistfirewall):
+    - Avoid spurious warnings when ReachableAddresses or FascistFirewall
+      is set. Fixes bug 20306; bugfix on 0.2.8.2-alpha.
+

src/or/policies.c

@@ -274,28 +274,22 @@ parse_reachable_addresses(void)
 
   /* We ignore ReachableAddresses for relays */
   if (!server_mode(options)) {
-    if ((reachable_or_addr_policy
+    if (policy_is_reject_star(reachable_or_addr_policy, AF_UNSPEC, 0)
-         && policy_is_reject_star(reachable_or_addr_policy, AF_UNSPEC))
+        || policy_is_reject_star(reachable_dir_addr_policy, AF_UNSPEC,0)) {
-        || (reachable_dir_addr_policy
-            && policy_is_reject_star(reachable_dir_addr_policy, AF_UNSPEC))) {
       log_warn(LD_CONFIG, "Tor cannot connect to the Internet if "
                "ReachableAddresses, ReachableORAddresses, or "
                "ReachableDirAddresses reject all addresses. Please accept "
                "some addresses in these options.");
     } else if (options->ClientUseIPv4 == 1
-       && ((reachable_or_addr_policy
+       && (policy_is_reject_star(reachable_or_addr_policy, AF_INET, 0)
-            && policy_is_reject_star(reachable_or_addr_policy, AF_INET))
+           || policy_is_reject_star(reachable_dir_addr_policy, AF_INET, 0))) {
-        || (reachable_dir_addr_policy
-            && policy_is_reject_star(reachable_dir_addr_policy, AF_INET)))) {
           log_warn(LD_CONFIG, "You have set ClientUseIPv4 1, but "
                    "ReachableAddresses, ReachableORAddresses, or "
                    "ReachableDirAddresses reject all IPv4 addresses. "
                    "Tor will not connect using IPv4.");
     } else if (fascist_firewall_use_ipv6(options)
-       && ((reachable_or_addr_policy
+       && (policy_is_reject_star(reachable_or_addr_policy, AF_INET6, 0)
-            && policy_is_reject_star(reachable_or_addr_policy, AF_INET6))
+         || policy_is_reject_star(reachable_dir_addr_policy, AF_INET6, 0))) {
-        || (reachable_dir_addr_policy
-            && policy_is_reject_star(reachable_dir_addr_policy, AF_INET6)))) {
           log_warn(LD_CONFIG, "You have configured tor to use IPv6 "
                    "(ClientUseIPv6 1 or UseBridges 1), but "
                    "ReachableAddresses, ReachableORAddresses, or "
@@ -1084,8 +1078,8 @@ validate_addr_policies(const or_options_t *options, char **msg)
 
   const int exitrelay_setting_is_auto = options->ExitRelay == -1;
   const int policy_accepts_something =
-    ! (policy_is_reject_star(addr_policy, AF_INET) &&
+    ! (policy_is_reject_star(addr_policy, AF_INET, 1) &&
-       policy_is_reject_star(addr_policy, AF_INET6));
+       policy_is_reject_star(addr_policy, AF_INET6, 1));
 
   if (server_mode(options) &&
       ! warned_about_exitrelay &&
@@ -2156,13 +2150,16 @@ exit_policy_is_general_exit(smartlist_t *policy)
 }
 
 /** Return false if <b>policy</b> might permit access to some addr:port;
- * otherwise if we are certain it rejects everything, return true. */
+ * otherwise if we are certain it rejects everything, return true. If no
+ * part of <b>policy</b> matches, return <b>default_reject</b>.
+ * NULL policies are allowed, and treated as empty. */
 int
-policy_is_reject_star(const smartlist_t *policy, sa_family_t family)
+policy_is_reject_star(const smartlist_t *policy, sa_family_t family,
+                      int default_reject)
 {
-  if (!policy) /*XXXX disallow NULL policies? */
+  if (!policy)
-    return 1;
+    return default_reject;
-  SMARTLIST_FOREACH_BEGIN(policy, addr_policy_t *, p) {
+  SMARTLIST_FOREACH_BEGIN(policy, const addr_policy_t *, p) {
     if (p->policy_type == ADDR_POLICY_ACCEPT &&
         (tor_addr_family(&p->addr) == family ||
          tor_addr_family(&p->addr) == AF_UNSPEC)) {
@@ -2175,7 +2172,7 @@ policy_is_reject_star(const smartlist_t *policy, sa_family_t family)
       return 1;
     }
   } SMARTLIST_FOREACH_END(p);
-  return 1;
+  return default_reject;
 }
 
 /** Write a single address policy to the buf_len byte buffer at buf.  Return

src/or/policies.h

@@ -100,7 +100,8 @@ void addr_policy_append_reject_addr_list(smartlist_t **dest,
                                          const smartlist_t *addrs);
 void policies_set_node_exitpolicy_to_reject_all(node_t *exitrouter);
 int exit_policy_is_general_exit(smartlist_t *policy);
-int policy_is_reject_star(const smartlist_t *policy, sa_family_t family);
+int policy_is_reject_star(const smartlist_t *policy, sa_family_t family,
+                          int reject_by_default);
 char * policy_dump_to_string(const smartlist_t *policy_list,
                              int include_ipv4,
                              int include_ipv6);

src/or/router.c

@@ -2158,8 +2158,8 @@ router_build_fresh_descriptor(routerinfo_t **r, extrainfo_t **e)
                                             &ri->exit_policy);
   }
   ri->policy_is_reject_star =
-    policy_is_reject_star(ri->exit_policy, AF_INET) &&
+    policy_is_reject_star(ri->exit_policy, AF_INET, 1) &&
-    policy_is_reject_star(ri->exit_policy, AF_INET6);
+    policy_is_reject_star(ri->exit_policy, AF_INET6, 1);
 
   if (options->IPv6Exit) {
     char *p_tmp = policy_summarize(ri->exit_policy, AF_INET6);

src/or/routerparse.c

@@ -2206,7 +2206,7 @@ router_parse_entry_from_string(const char *s, const char *end,
     }
   }
 
-  if (policy_is_reject_star(router->exit_policy, AF_INET) &&
+  if (policy_is_reject_star(router->exit_policy, AF_INET, 1) &&
       (!router->ipv6_exit_policy ||
        short_policy_is_reject_star(router->ipv6_exit_policy)))
     router->policy_is_reject_star = 1;

src/test/test_policy.c

@@ -258,14 +258,16 @@ test_policies_general(void *arg)
   tt_assert(!cmp_addr_policies(policy2, policy2));
   tt_assert(!cmp_addr_policies(NULL, NULL));
 
-  tt_assert(!policy_is_reject_star(policy2, AF_INET));
+  tt_assert(!policy_is_reject_star(policy2, AF_INET, 1));
-  tt_assert(policy_is_reject_star(policy, AF_INET));
+  tt_assert(policy_is_reject_star(policy, AF_INET, 1));
-  tt_assert(policy_is_reject_star(policy10, AF_INET));
+  tt_assert(policy_is_reject_star(policy10, AF_INET, 1));
-  tt_assert(!policy_is_reject_star(policy10, AF_INET6));
+  tt_assert(!policy_is_reject_star(policy10, AF_INET6, 1));
-  tt_assert(policy_is_reject_star(policy11, AF_INET));
+  tt_assert(policy_is_reject_star(policy11, AF_INET, 1));
-  tt_assert(policy_is_reject_star(policy11, AF_INET6));
+  tt_assert(policy_is_reject_star(policy11, AF_INET6, 1));
-  tt_assert(policy_is_reject_star(NULL, AF_INET));
+  tt_assert(policy_is_reject_star(NULL, AF_INET, 1));
-  tt_assert(policy_is_reject_star(NULL, AF_INET6));
+  tt_assert(policy_is_reject_star(NULL, AF_INET6, 1));
+  tt_assert(!policy_is_reject_star(NULL, AF_INET, 0));
+  tt_assert(!policy_is_reject_star(NULL, AF_INET6, 0));
 
   addr_policy_list_free(policy);
   policy = NULL;