From 938531773a017e6eb70f11e81a0543e81413f83f Mon Sep 17 00:00:00 2001
From: Nick Mathewson
Date: Fri, 13 Jan 2012 12:28:32 -0500
Subject: Allow authorities to baddir/badexit/invalid/reject nodes by cc

Implements ticket #4207
---
 src/or/policies.c | 31 +++++++++++++++++++++++++++----
 1 file changed, 27 insertions(+), 4 deletions(-)
(limited to 'src/or/policies.c')
diff --git a/src/or/policies.c b/src/or/policies.c
index 40e527747..fdec687b1 100644
--- a/src/or/policies.c
+++ b/src/or/policies.c
@@ -14,6 +14,7 @@
 #include "nodelist.h"
 #include "policies.h"
 #include "routerparse.h"
+#include "geoip.h"
 #include "ht.h"
 
 /** Policy that addresses for incoming SOCKS connections must match. */
@@ -313,13 +314,29 @@ socks_policy_permits_address(const tor_addr_t *addr)
 return addr_policy_permits_tor_addr(addr, 1, socks_policy);
 }
 
+/** Return true iff the address addr is in a country listed in the
+ * case-insentive list of country codes cc_list. */
+static int
+addr_is_in_cc_list(uint32_t addr, const smartlist_t *cc_list)
+{
+ country_t country;
+ const char *name;
+ if (!cc_list)
+ return 0;
+ country = geoip_get_country_by_ip(addr);
+ name = geoip_get_country_name(country);
+ return smartlist_string_isin_case(cc_list, name);
+}
+
 /** Return 1 if addr:port is permitted to publish to our
 * directory, based on authdir_reject_policy. Else return 0.
 */
 int
 authdir_policy_permits_address(uint32_t addr, uint16_t port)
 {
- return addr_policy_permits_address(addr, port, authdir_reject_policy);
+ if (! addr_policy_permits_address(addr, port, authdir_reject_policy))
+ return 0;
+ return !addr_is_in_cc_list(addr, get_options()->AuthDirRejectCC);
 }
 
 /** Return 1 if addr:port is considered valid in our
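Review bot: In the new addr_is_in_cc_list(), the result of geoip_get_country_by_ip() goes straight into geoip_get_country_name() and the list lookup, with no handling for an address whose country cannot be resolved. What the two helpers return in that case (or when no GeoIP data is loaded) is not visible in this patch; if they yield a placeholder name, the function returns 0 and authdir_policy_permits_address() accepts the node, so AuthDirRejectCC fails open silently, and the same holds for the valid/baddir/badexit predicates in the later hunks. I would state the dependency in the header comment, e.g. `* Requires GeoIP data; an address with no known country matches only if cc_list names the unknown-country code.` (wording to be confirmed against geoip.c), and warn at configuration time when a CC option is set without GeoIP data. The same comment has a typo: `case-insentive` should read `case-insensitive`.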
@@ -328,7 +345,9 @@ authdir_policy_permits_address(uint32_t addr, uint16_t port)
 int
 authdir_policy_valid_address(uint32_t addr, uint16_t port)
 {
- return addr_policy_permits_address(addr, port, authdir_invalid_policy);
+ if (! addr_policy_permits_address(addr, port, authdir_invalid_policy))
+ return 0;
+ return !addr_is_in_cc_list(addr, get_options()->AuthDirInvalidCC);
 }
 
 /** Return 1 if addr:port should be marked as a bad dir,
@@ -337,7 +356,9 @@ authdir_policy_valid_address(uint32_t addr, uint16_t port)
 int
 authdir_policy_baddir_address(uint32_t addr, uint16_t port)
 {
- return ! addr_policy_permits_address(addr, port, authdir_baddir_policy);
+ if (! addr_policy_permits_address(addr, port, authdir_baddir_policy))
+ return 1;
+ return addr_is_in_cc_list(addr, get_options()->AuthDirBadDirCC);
 }
 
 /** Return 1 if addr:port should be marked as a bad exit,
@@ -346,7 +367,9 @@ authdir_policy_baddir_address(uint32_t addr, uint16_t port)
 int
 authdir_policy_badexit_address(uint32_t addr, uint16_t port)
 {
- return ! addr_policy_permits_address(addr, port, authdir_badexit_policy);
+ if (! addr_policy_permits_address(addr, port, authdir_badexit_policy))
+ return 1;
+ return addr_is_in_cc_list(addr, get_options()->AuthDirBadExitCC);
 }
 
 #define REJECT(arg) \
-- 
cgit v1.2.3
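Review bot: The header comments of the four authdir predicates were not updated for the new country-code test, so each now documents only half of its decision. The one fully visible, above authdir_policy_permits_address() in the previous hunk, still reads "based on authdir_reject_policy"; the comments above authdir_policy_valid_address(), authdir_policy_baddir_address() and authdir_policy_badexit_address() are only partly visible but appear as unchanged context, so they presumably have the same gap. Each should name its option alongside the address policy, e.g. `* directory, based on authdir_invalid_policy and AuthDirInvalidCC.`, so that someone auditing why a relay was rejected, marked invalid or flagged BadExit also checks the country-code lists.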