[tor-commits] [stem/master] Skip accept/reject6 rules with IPv4 addresses
atagar at torproject.org
atagar at torproject.org
Fri Mar 4 17:36:15 UTC 2016
commit 400a8c2cbac31e9d9b1c605d5b4135bf9633cc06
Author: Damian Johnson <atagar at torproject.org>
Date: Fri Mar 4 08:58:13 2016 -0800
Skip accept/reject6 rules with IPv4 addresses
Damn. These are invalid and tor should outright reject them but according to
the manual they're just skipped...
Using an IPv4 address with accept6 or reject6 is ignored and generates a warning.
That was a mistake but oh well. It's minor.
---
stem/exit_policy.py | 15 +++++++++++++--
test/unit/exit_policy/rule.py | 9 ++++++---
2 files changed, 19 insertions(+), 5 deletions(-)
diff --git a/stem/exit_policy.py b/stem/exit_policy.py
index 0f80032..587ef14 100644
--- a/stem/exit_policy.py
+++ b/stem/exit_policy.py
@@ -683,6 +683,14 @@ class ExitPolicyRule(object):
self._mask = None
+ # Malformed exit policies are rejected, but there's an exception where it's
+ # just skipped: when an accept6/reject6 rule has an IPv4 address...
+ #
+ # "Using an IPv4 address with accept6 or reject6 is ignored and generates
+ # a warning."
+
+ self._skip_rule = False
+
addrspec, portspec = exitpattern.rsplit(':', 1)
self._apply_addrspec(rule, addrspec)
self._apply_portspec(rule, portspec)
@@ -741,6 +749,9 @@ class ExitPolicyRule(object):
:raises: **ValueError** if provided with a malformed address or port
"""
+ if self._skip_rule:
+ return False
+
# validate our input and check if the argument doesn't match our address type
if address is not None:
@@ -964,8 +975,7 @@ class ExitPolicyRule(object):
# num_ip4_bits ::= an integer between 0 and 32
if self.is_ipv6_only:
- rule_start = 'accept6' if self.is_accept else 'reject6'
- raise ValueError("'%s' rules should have an IPv6 address, not IPv4 (%s)" % (rule_start, self.address))
+ self._skip_rule = True
self._address_type = _address_type_to_int(AddressType.IPv4)
@@ -1075,6 +1085,7 @@ class MicroExitPolicyRule(ExitPolicyRule):
self.min_port = min_port
self.max_port = max_port
self._hash = None
+ self._skip_rule = False
def is_address_wildcard(self):
return True
diff --git a/test/unit/exit_policy/rule.py b/test/unit/exit_policy/rule.py
index 9ff0181..780f7cb 100644
--- a/test/unit/exit_policy/rule.py
+++ b/test/unit/exit_policy/rule.py
@@ -360,10 +360,13 @@ class TestExitPolicyRule(unittest.TestCase):
self.assertEqual(expected_result, rule.is_match(*match_args))
def test_ipv6_only_entries(self):
- # accept6/reject6 shouldn't allow ipv4 addresses
+ # accept6/reject6 shouldn't match anything when given an ipv4 addresses
- self.assertRaises(ValueError, ExitPolicyRule, 'accept6 192.168.0.1:*')
- self.assertRaises(ValueError, ExitPolicyRule, 'reject6 192.168.0.1:*')
+ rule = ExitPolicyRule('accept6 192.168.0.1/0:*')
+ self.assertTrue(rule._skip_rule)
+ self.assertFalse(rule.is_match('192.168.0.1'))
+ self.assertFalse(rule.is_match('FE80:0000:0000:0000:0202:B3FF:FE1E:8329'))
+ self.assertFalse(rule.is_match())
# wildcards match all ipv6 but *not* ipv4
More information about the tor-commits
mailing list