diff options
author | Peter Palfrader <peter@palfrader.org> | 2006-02-13 01:54:31 +0000 |
---|---|---|
committer | Peter Palfrader <peter@palfrader.org> | 2006-02-13 01:54:31 +0000 |
commit | 6c4d873591e6d50e037b2523eabd0b7a08e27fde (patch) | |
tree | cc30cc66fc579577af527182daa67606ea67b440 /src/or/config.c | |
parent | 2cc66125b8c90558d30f93456fb8d7c3bd1362ec (diff) | |
download | tor-6c4d873591e6d50e037b2523eabd0b7a08e27fde.tar tor-6c4d873591e6d50e037b2523eabd0b7a08e27fde.tar.gz |
Compress exit policies even more. please review
svn:r5995
Diffstat (limited to 'src/or/config.c')
-rw-r--r-- | src/or/config.c | 83 |
1 files changed, 66 insertions, 17 deletions
diff --git a/src/or/config.c b/src/or/config.c index b2e7645bd..54fff6418 100644 --- a/src/or/config.c +++ b/src/or/config.c @@ -356,6 +356,7 @@ static void config_register_addressmaps(or_options_t *options); static int parse_dir_server_line(const char *line, int validate_only); static int config_cmp_single_addr_policy(addr_policy_t *a, addr_policy_t *b); static int config_addr_policy_covers(addr_policy_t *a, addr_policy_t *b); +static int config_addr_policy_intersects(addr_policy_t *a, addr_policy_t *b); static int parse_redirect_line(smartlist_t *result, config_line_t *line); static int parse_log_severity_range(const char *range, int *min_out, @@ -3043,32 +3044,16 @@ config_expand_exit_policy_aliases(smartlist_t *entries, int assume_action) static void config_exit_policy_remove_redundancies(addr_policy_t **dest) { - addr_policy_t *ap, *tmp, *victim; - int have_seen_accept=0; + addr_policy_t *ap, *tmp, *victim, *previous; /* Step one: find a *:* entry and cut off everything after it. */ for (ap=*dest; ap; ap=ap->next) { - if (ap->policy_type == ADDR_POLICY_ACCEPT) - have_seen_accept=1; if (ap->msk == 0 && ap->prt_min <= 1 && ap->prt_max >= 65535) { /* This is a catch-all line -- later lines are unreachable. */ if (ap->next) { addr_policy_free(ap->next); ap->next = NULL; } - if (ap->policy_type == ADDR_POLICY_REJECT && - ap != *dest && !have_seen_accept) { - /* This is a "reject *:*" and all previous entries were - * "reject something". Throw out the previous entries. */ - for (tmp=*dest; tmp; tmp=tmp->next) { - if (tmp->next == ap) { - tmp->next = NULL; - addr_policy_free(*dest); - *dest = ap; - break; - } - } - } } } @@ -3078,6 +3063,8 @@ config_exit_policy_remove_redundancies(addr_policy_t **dest) tmp=ap; while (tmp) { if (tmp->next && config_addr_policy_covers(ap, tmp->next)) { + log(LOG_INFO, LD_CONFIG, "Removing exit policy %s. It is made " + "redundant by %s.", tmp->next->string, ap->string); victim = tmp->next; tmp->next = victim->next; victim->next = NULL; @@ -3087,6 +3074,48 @@ config_exit_policy_remove_redundancies(addr_policy_t **dest) } } } + + /* Step three: for every entry A, see if there's an entry B making this one + * redundant later on. This is the case if A and B are of the same type + * (accept/reject), A is a subset of B, and there is no other entry of + * different type in between those two that intersects with A. + * + * Anybody want to doublecheck the logic here? XXX + */ + ap = *dest; + previous = NULL; + while (ap) { + for (tmp=ap->next; tmp; tmp=tmp->next) { + if (ap->policy_type != tmp->policy_type && + config_addr_policy_intersects(ap, tmp)) { + tmp = NULL; /* so that we advance previous and ap */ + break; + } + if (ap->policy_type == tmp->policy_type && + config_addr_policy_covers(tmp, ap)) { + log(LOG_INFO, LD_CONFIG, "Removing exit policy %s. It is made " + "redundant by %s.", ap->string, tmp->string); + victim = ap; + ap = ap->next; + + if (previous) { + assert(previous->next == victim); + previous->next = victim->next; + } else { + assert(*dest == victim); + *dest = victim->next; + } + + victim->next = NULL; + addr_policy_free(victim); + break; + } + } + if (!tmp) { + previous = ap; + ap = ap->next; + } + } } #define DEFAULT_EXIT_POLICY \ @@ -3201,6 +3230,26 @@ config_addr_policy_covers(addr_policy_t *a, addr_policy_t *b) return (a->prt_min <= b->prt_min && a->prt_max >= b->prt_max); } +/** Return true iff the address policies <b>a</b> and <b>b</b> intersect, that + * is, there exists an address/port that is covered by <b>a</b> that is also + * covered by <b>b</b>. + * + * XXX: somebody needs to doublecheck the IP logic. -- PP + * */ +static int +config_addr_policy_intersects(addr_policy_t *a, addr_policy_t *b) +{ + /* All the bits we care about are those that are set in both + * netmasks. If they are equal in a and b's networkaddresses + * then the networks intersect. If there is a difference, + * then they do not' */ + if (!( ((a->addr ^ b->addr) & a->msk & b->msk) == 0 )) + return 0; + if (a->prt_max < b->prt_min || b->prt_max < a->prt_min) + return 0; + return 1; +} + /** Like config_cmp_single_addr_policy() above, but looks at the * whole set of policies in each case. */ int |