| blob | b093463e08c33d350a7535837c55b3888999d529 |
1 #!/usr/bin/env python
3 # Usage:
4 #
5 # Regenerate the list:
6 # scripts/maint/updateFallbackDirs.py > src/or/fallback_dirs.inc 2> fallback_dirs.log
7 #
8 # Check the existing list:
9 # scripts/maint/updateFallbackDirs.py check_existing > fallback_dirs.inc.ok 2> fallback_dirs.log
10 # mv fallback_dirs.inc.ok src/or/fallback_dirs.inc
11 #
12 # This script should be run from a stable, reliable network connection,
13 # with no other network activity (and not over tor).
14 # If this is not possible, please disable:
15 # PERFORM_IPV4_DIRPORT_CHECKS and PERFORM_IPV6_DIRPORT_CHECKS
16 #
17 # Needs dateutil, stem, and potentially other python packages.
18 # Optionally uses ipaddress (python 3 builtin) or py2-ipaddress (package)
19 # for netblock analysis.
20 #
21 # Then read the logs to make sure the fallbacks aren't dominated by a single
22 # netblock or port.
24 # Script by weasel, April 2015
25 # Portions by gsathya & karsten, 2013
26 # https://trac.torproject.org/projects/tor/attachment/ticket/8374/dir_list.2.py
27 # Modifications by teor, 2015
29 import StringIO
30 import string
31 import re
32 import datetime
33 import gzip
35 import json
36 import math
37 import sys
38 import urllib
39 import urllib2
40 import hashlib
42 # bson_lazy provides bson
43 #from bson import json_util
44 import copy
45 import re
50 import logging
55 # python 3 builtin, or install package py2-ipaddress
56 # there are several ipaddress implementations for python 2
57 # with slightly different semantics with str typed text
58 # fortunately, all our IP addresses are in unicode
59 import ipaddress
62 # if this happens, we avoid doing netblock analysis
67 ## Top-Level Configuration
69 # We use semantic versioning: https://semver.org
70 # In particular:
71 # * major changes include removing a mandatory field, or anything else that
72 # would break an appropriately tolerant parser,
73 # * minor changes include adding a field,
74 # * patch changes include changing header comments or other unstructured
75 # content
80 # Output all candidate fallbacks, or only output selected fallbacks?
83 # Perform DirPort checks over IPv4?
84 # Change this to False if IPv4 doesn't work for you, or if you don't want to
85 # download a consensus for each fallback
86 # Don't check ~1000 candidates when OUTPUT_CANDIDATES is True
89 # Perform DirPort checks over IPv6?
90 # If you know IPv6 works for you, set this to True
91 # This will exclude IPv6 relays without an IPv6 DirPort configured
92 # So it's best left at False until #18394 is implemented
93 # Don't check ~1000 candidates when OUTPUT_CANDIDATES is True
96 # Must relays be running now?
97 MUST_BE_RUNNING_NOW = (PERFORM_IPV4_DIRPORT_CHECKS
100 # Clients have been using microdesc consensuses by default for a while now
103 # If a relay delivers an expired consensus, if it expired less than this many
104 # seconds ago, we still allow the relay. This should never be less than -90,
105 # as all directory mirrors should have downloaded a consensus 90 minutes
106 # before it expires. It should never be more than 24 hours, because clients
107 # reject consensuses that are older than REASONABLY_LIVE_TIME.
108 # For the consensus expiry check to be accurate, the machine running this
109 # script needs an accurate clock.
110 #
111 # Relays on 0.3.0 and later return a 404 when they are about to serve an
112 # expired consensus. This makes them fail the download check.
113 # We use a tolerance of 0, so that 0.2.x series relays also fail the download
114 # check if they serve an expired consensus.
117 # Output fallback name, flags, bandwidth, and ContactInfo in a C comment?
120 # Output matching ContactInfo in fallbacks list or the blacklist?
121 # Useful if you're trying to contact operators
125 # How the list should be sorted:
126 # fingerprint: is useful for stable diffs of fallback lists
127 # measured_bandwidth: is useful when pruning the list based on bandwidth
128 # contact: is useful for contacting operators once the list has been pruned
131 ## OnionOO Settings
134 #ONIONOO = 'https://onionoo.thecthulhu.com/'
136 # Don't bother going out to the Internet, just use the files available locally,
137 # even if they're very old
140 ## Whitelist / Blacklist Filter Settings
142 # The whitelist contains entries that are included if all attributes match
143 # (IPv4, dirport, orport, id, and optionally IPv6 and IPv6 orport)
144 # The blacklist contains (partial) entries that are excluded if any
145 # sufficiently specific group of attributes matches:
146 # IPv4 & DirPort
147 # IPv4 & ORPort
148 # ID
149 # IPv6 & DirPort
150 # IPv6 & IPv6 ORPort
151 # If neither port is included in the blacklist, the entire IP address is
152 # blacklisted.
154 # What happens to entries in neither list?
155 # When True, they are included, when False, they are excluded
158 # If an entry is in both lists, what happens?
159 # When True, it is excluded, when False, it is included
166 # The number of bytes we'll read from a filter file before giving up
169 ## Eligibility Settings
171 # Require fallbacks to have the same address and port for a set amount of time
172 # We used to have this at 1 week, but that caused many fallback failures, which
173 # meant that we had to rebuild the list more often. We want fallbacks to be
174 # stable for 2 years, so we set it to a few months.
175 #
176 # If a relay changes address or port, that's it, it's not useful any more,
177 # because clients can't find it
179 # We ignore relays that have been down for more than this period
181 # FallbackDirs must have a time-weighted-fraction that is greater than or
182 # equal to:
183 # Mirrors that are down half the time are still useful half the time
186 # Guard flags are removed for some time after a relay restarts, so we ignore
187 # the guard flag.
189 # FallbackDirs must have a time-weighted-fraction that is less than or equal
190 # to:
191 # .00 means no bad exits
194 # older entries' weights are adjusted with ALPHA^(age in days)
197 # this factor is used to scale OnionOO entries to [0,1]
200 ## Fallback Count Limits
202 # The target for these parameters is 20% of the guards in the network
203 # This is around 200 as of October 2015
207 # Limit the number of fallbacks (eliminating lowest by advertised bandwidth)
209 # Emit a C #error if the number of fallbacks is less than expected
212 # The maximum number of fallbacks on the same address, contact, or family
213 #
214 # With 150 fallbacks, this means each operator sees 5% of client bootstraps.
215 # For comparison:
216 # - We try to limit guard and exit operators to 5% of the network
217 # - The directory authorities used to see 11% of client bootstraps each
218 #
219 # We also don't want too much of the list to go down if a single operator
220 # has to move all their relays.
222 MAX_FALLBACKS_PER_IPV4 = MAX_FALLBACKS_PER_IP
223 MAX_FALLBACKS_PER_IPV6 = MAX_FALLBACKS_PER_IP
227 ## Fallback Bandwidth Requirements
229 # Any fallback with the Exit flag has its bandwidth multiplied by this fraction
230 # to make sure we aren't further overloading exits
231 # (Set to 1.0, because we asked that only lightly loaded exits opt-in,
232 # and the extra load really isn't that much for large relays.)
235 # If a single fallback's bandwidth is too low, it's pointless adding it
236 # We expect fallbacks to handle an extra 10 kilobytes per second of traffic
237 # Make sure they can support fifty times the expected extra load
238 #
239 # We convert this to a consensus weight before applying the filter,
240 # because all the bandwidth amounts are specified by the relay
243 # Clients will time out after 30 seconds trying to download a consensus
244 # So allow fallback directories half that to deliver a consensus
245 # The exact download times might change based on the network connection
246 # running this script, but only by a few seconds
247 # There is also about a second of python overhead
249 # If the relay fails a consensus check, retry the download
250 # This avoids delisting a relay due to transient network conditions
253 ## Parsing Functions
259 # Remove each character in the bad_char_list
260 cleansed_string = raw_string
263 return cleansed_string
266 # Remove all unprintable characters
270 cleansed_string += c
271 return cleansed_string
274 # Replace all whitespace characters with a space
275 cleansed_string = raw_string
278 return cleansed_string
281 cleansed_string = raw_string
282 # Embedded newlines should be removed by tor/onionoo, but let's be paranoid
284 # ContactInfo and Version can be arbitrary binary data
286 # Prevent a malicious / unanticipated string from breaking out
287 # of a C-style multiline comment
288 # This removes '/*' and '*/' and '//'
290 # Prevent a malicious string from using C nulls
292 # Avoid confusing parsers by making sure there is only one comma per fallback
294 # Avoid confusing parsers by making sure there is only one equals per field
296 # Be safer by removing bad characters entirely
298 # Some compilers may further process the content of comments
299 # There isn't much we can do to cover every possible case
300 # But comment-based directives are typically only advisory
301 return cleansed_string
304 cleansed_string = raw_string
305 # Embedded newlines should be removed by tor/onionoo, but let's be paranoid
307 # ContactInfo and Version can be arbitrary binary data
309 # Prevent a malicious address/fingerprint string from breaking out
310 # of a C-style string
312 # Prevent a malicious string from using escapes
314 # Prevent a malicious string from using C nulls
316 # Avoid confusing parsers by making sure there is only one comma per fallback
318 # Avoid confusing parsers by making sure there is only one equals per field
320 # Be safer by removing bad characters entirely
322 # Some compilers may further process the content of strings
323 # There isn't much we can do to cover every possible case
324 # But this typically only results in changes to the string data
325 return cleansed_string
327 ## OnionOO Source Functions
329 # a dictionary of source metadata for each onionoo query we've made
330 fetch_source = {}
332 # register source metadata for 'what'
333 # assumes we only retrieve one document for each 'what'
340 # list each registered source's 'what'
344 # given 'what', provide a multiline C comment describing the source
359 return desc
361 ## File Processing Functions
372 )
384 )
385 return None
394 return file_data
405 # An exception here may be resolved by deleting the .last_modified
406 # and .json files, and re-running the script
415 )
417 ## OnionOO Functions
420 # Parse datetimes like: Fri, 02 Oct 2015 13:34:14 GMT
424 # Never modified - use start of epoch
426 # strip any timezone out (in case they're supported in future)
428 return dt
431 params = kwargs
433 #params['limit'] = 10
439 # Unfortunately, the URL is too long for some OS filenames,
440 # but we still don't want to get files from different URLs mixed up
452 # Read from the local file, don't write to anything
455 # store the full URL to a file for debugging
456 # no need to compare as long as you trust SHA-1
462 # load the last modified date from the file, if it exists
464 MAX_LAST_MODIFIED_LENGTH)
468 # Parse last modified date
471 # Not Modified and still recent enough to be useful
472 # Onionoo / Globe used to use 6 hours, but we can afford a day
474 # strip any timezone out (to match dateutil.parser)
478 # Make the OnionOO request
486 pass
494 # Check for freshness
497 # This check sometimes fails transiently, retry the script if it does
503 # Process the data
509 # use the most compact json representation to save space
512 # store the last modified date in its own file
515 last_modified_file_name,
516 MAX_LAST_MODIFIED_LENGTH)
527 url,
531 return response_json
534 #x = onionoo_fetch(what, **kwargs)
535 # don't use sort_keys, as the order of or_addresses is significant
536 #print json.dumps(x, indent=4, separators=(',', ': '))
537 #sys.exit(0)
541 ## Fallback Candidate Class
558 # relays without advertised bandwidth have it calculated from their
559 # consensus weight
584 # replace self._data['or_addresses'] with a stable ordering,
585 # sorting the secondary addresses in string order
586 # leave the received order in self._data['or_addresses_raw']
589 # subsequent entries in the or_addresses array are in an arbitrary order
590 # so we stabilise the addresses by sorting them in string order
598 # is_valid_ipv[46]_address by gsathya, karsten, 2013
599 @staticmethod
602 return False
604 # check if there are four period separated values
606 return False
608 # checks that each value in the octet are decimal values between 0-255
611 return False
615 return True
617 @staticmethod
620 return False
622 # remove brackets
625 # addresses are made up of eight colon separated groups of four hex digits
626 # with leading zeros being optional
627 # https://en.wikipedia.org/wiki/IPv6#Address_format
640 # If an IPv6 address has an embedded IPv4 address,
641 # it must be the last entry
643 return False
646 return False
650 return True
653 # Split the dir_address into dirip and dirport
658 # Choose the first ORPort that's on the same IPv4 address as the DirPort.
659 # In rare circumstances, this might not be the primary ORPort address.
660 # However, _stable_sort_or_addresses() ensures we choose the same one
661 # every time, even if onionoo changes the order of the secondaries.
670 return
673 # Choose the first IPv6 address that uses the same port as the ORPort
674 # Or, choose the first IPv6 address in the list
675 # _stable_sort_or_addresses() ensures we choose the same IPv6 address
676 # every time, even if onionoo changes the order of the secondaries.
679 # Choose the first IPv6 address that uses the same port as the ORPort
685 return
686 # Choose the first IPv6 address in the list
692 return
695 # parse the version out of the platform string
696 # The platform looks like: "Tor 0.2.7.6 on Linux"
699 return
700 # be tolerant of weird whitespacing, use a whitespace split
704 # if it's at least a.b.c.d, with potentially an -alpha-dev, -alpha, -rc
708 return
710 # From #20509
711 # bug #20499 affects versions from 0.2.9.1-alpha-dev to 0.2.9.4-alpha-dev
712 # and version 0.3.0.0-alpha-dev
713 # Exhaustive lists are hard to get wrong
721 '0.3.0.0-alpha-dev'
722 ]
725 # call _compute_version before calling this
726 # is the version of the relay a version we want as a fallback?
727 # checks both recommended versions and bug #20499 / #20509
728 #
729 # if the relay doesn't have a recommended version field, exclude the relay
733 return False
736 return False
737 # if the relay doesn't have version field, exclude the relay
740 return False
744 return False
745 return True
747 @staticmethod
749 # given a tree like this:
750 # {
751 # "1_month": {
752 # "count": 187,
753 # "factor": 0.001001001001001001,
754 # "first": "2015-02-27 06:00:00",
755 # "interval": 14400,
756 # "last": "2015-03-30 06:00:00",
757 # "values": [
758 # 999,
759 # 999
760 # ]
761 # },
762 # "1_week": {
763 # "count": 169,
764 # "factor": 0.001001001001001001,
765 # "first": "2015-03-23 07:30:00",
766 # "interval": 3600,
767 # "last": "2015-03-30 07:30:00",
768 # "values": [ ...]
769 # },
770 # "1_year": {
771 # "count": 177,
772 # "factor": 0.001001001001001001,
773 # "first": "2014-04-11 00:00:00",
774 # "interval": 172800,
775 # "last": "2015-03-29 00:00:00",
776 # "values": [ ...]
777 # },
778 # "3_months": {
779 # "count": 185,
780 # "factor": 0.001001001001001001,
781 # "first": "2014-12-28 06:00:00",
782 # "interval": 43200,
783 # "last": "2015-03-30 06:00:00",
784 # "values": [ ...]
785 # }
786 # },
787 # extract exactly one piece of data per time interval,
788 # using smaller intervals where available.
789 #
790 # returns list of (age, length, value) dictionaries.
792 generic_history = []
797 newest = now
809 agt2 = interval
818 })
819 newest = this_ts
820 this_ts -= interval
826 #print json.dumps(generic_history, sort_keys=True,
827 # indent=4, separators=(',', ': '))
828 return generic_history
830 @staticmethod
832 a = []
835 continue
849 return svw
855 print periods
858 pass
863 # flags we care about: Running, V2Dir, Guard
866 return
871 return
895 return False
900 return False
904 return False
908 return False
912 return False
913 # this function logs a message depending on which check fails
915 return False
919 return False
923 return False
927 return False
928 return True
931 """ A fallback matches if each key in the whitelist line matches:
932 ipv4
933 dirport
934 orport
935 id
936 ipv6 address and port (if present)
937 If the fallback has an ipv6 key, the whitelist line must also have
938 it, and vice versa, otherwise they don't match. """
944 # can't log here unless we match an IP and port, because every relay's
945 # fingerprint is compared to every entry's fingerprint
953 continue
957 continue
962 continue
967 continue
969 # if both entry and fallback have an ipv6 address, compare them
973 continue
974 # if the fallback has an IPv6 address but the whitelist entry
975 # doesn't, or vice versa, the whitelist entry doesn't match
979 continue
983 continue
984 return True
985 return False
988 """ A fallback matches a blacklist line if a sufficiently specific group
989 of attributes matches:
990 ipv4 & dirport
991 ipv4 & orport
992 id
993 ipv6 & dirport
994 ipv6 & ipv6 orport
995 If the fallback and the blacklist line both have an ipv6 key,
996 their values will be compared, otherwise, they will be ignored.
997 If there is no dirport and no orport, the entry matches all relays on
998 that ip. """
1005 return True
1007 # if the dirport is present, check it too
1013 return True
1014 # if the orport is present, check it too
1020 return True
1025 return True
1030 # if both entry and fallback have an ipv6 address, compare them,
1031 # otherwise, disregard ipv6 addresses
1033 # if the dirport is present, check it too
1039 return True
1040 # we've already checked the ORPort, it's part of entry['ipv6']
1044 return True
1046 # only log if the fingerprint matches but the IPv6 doesn't
1057 return False
1060 # any relays with a missing or zero consensus weight are not candidates
1061 # any relays with a missing advertised bandwidth have it set to zero
1064 # since advertised_bandwidth is reported by the relay, it can be gamed
1065 # to avoid this, use the median consensus weight to bandwidth factor to
1066 # estimate this relay's measured bandwidth, and make that the upper limit
1068 cw_to_bw= median_cw_to_bw_factor
1069 # Reduce exit bandwidth to make sure we're not overloading them
1071 cw_to_bw *= EXIT_BANDWIDTH_FRACTION
1074 # limit advertised bandwidth (if available) to measured bandwidth
1077 return measured_bandwidth
1081 median_cw_to_bw_factor)
1092 # does this fallback have an IPv6 address and orport?
1096 # strip leading and trailing brackets from an IPv6 address
1097 # safe to use on non-bracketed IPv6 and on IPv4 addresses
1098 # also convert to unicode, and make None appear as ''
1099 @staticmethod
1109 # are ip_a and ip_b in the same netblock?
1110 # mask_bits is the size of the netblock
1111 # takes both IPv4 and IPv6 addresses
1112 # the versions of ip_a and ip_b must be the same
1113 # the mask must be valid for the IP version
1114 @staticmethod
1117 return False
1133 # is this fallback's IPv4 address (dirip) in the same netblock as other's
1134 # IPv4 address?
1135 # mask_bits is the size of the netblock
1139 # is this fallback's IPv6 address (ipv6addr) in the same netblock as
1140 # other's IPv6 address?
1141 # Returns False if either fallback has no IPv6 address
1142 # mask_bits is the size of the netblock
1145 return False
1148 # is this fallback's IPv4 DirPort the same as other's IPv4 DirPort?
1152 # is this fallback's IPv4 ORPort the same as other's IPv4 ORPort?
1156 # is this fallback's IPv6 ORPort the same as other's IPv6 ORPort?
1157 # Returns False if either fallback has no IPv6 address
1160 return False
1163 # does this fallback have the same DirPort, IPv4 ORPort, or
1164 # IPv6 ORPort as other?
1165 # Ignores IPv6 ORPort if either fallback has no IPv6 address
1170 # return a list containing IPv4 ORPort, DirPort, and IPv6 ORPort (if present)
1175 return ports
1177 # does this fallback share a port with other, regardless of whether the
1178 # port types match?
1179 # For example, if self's IPv4 ORPort is 80 and other's DirPort is 80,
1180 # return True
1184 return True
1185 return False
1187 # log how long it takes to download a consensus from dirip:dirport
1188 # returns True if the download failed, False if it succeeded within max_time
1189 @staticmethod
1191 max_time):
1193 # some directory mirrors respond to requests in ways that hang python
1194 # sockets, which is why we log this line here
1198 # there appears to be about 1 second of overhead when comparing stem's
1199 # internal trace time and the elapsed time calculated here
1210 microdescriptor = DOWNLOAD_MICRODESC_CONSENSUS
1217 stem_error)
1223 # keep the error failure status, and avoid using the variables
1224 pass
1244 return download_failed
1246 # does this fallback download the consensus fast enough?
1248 # include the relay if we're not doing a check, or we can't check (IPv6)
1256 CONSENSUS_DOWNLOAD_SPEED_MAX)
1258 # Clients assume the IPv6 DirPort is the same as the IPv4 DirPort
1263 CONSENSUS_DOWNLOAD_SPEED_MAX)
1266 # if this fallback has not passed a download check, try it again,
1267 # and record the result, available in get_fallback_download_consensus
1272 # did this fallback pass the download check?
1274 # if we're not performing checks, return True
1276 return True
1277 # if we are performing checks, but haven't done one, return False
1279 return False
1282 # output an optional header comment and info for this fallback
1283 # try_fallback_download_consensus before calling this
1288 # if the download speed is ok, output a C string
1289 # if it's not, but we OUTPUT_COMMENTS, output a commented-out C string
1292 return s
1294 # output a header comment for this fallback
1296 # /*
1297 # nickname
1298 # flags
1299 # adjusted bandwidth, consensus weight
1300 # [contact]
1301 # [identical contact counts]
1302 # */
1303 # Multiline C comment
1311 # this is an adjusted bandwidth, see calculate_measured_bandwidth()
1316 weight)
1339 return s
1341 # output the fallback info C string for this fallback
1342 # this is the text that would go after FallbackDir in a torrc
1343 # if this relay failed the download test and we OUTPUT_COMMENTS,
1344 # comment-out the returned string
1346 # "address:dirport orport=port id=fingerprint"
1347 # (insert additional madatory fields here)
1348 # "[ipv6=addr:orport]"
1349 # (insert additional optional fields here)
1350 # /* nickname=name */
1351 # /* extrainfo={0,1} */
1352 # (insert additional comment fields here)
1353 # /* ===== */
1354 # ,
1355 #
1356 # Do we want a C string, or a commented-out string?
1357 c_string = dl_speed_ok
1359 # If we don't want either kind of string, bail
1363 # Comment out the fallback directory entry if it's too slow
1364 # See the debug output for which address and port is failing
1367 # Multi-Line C string with trailing comma (part of a string list)
1368 # This makes it easier to diff the file, and remove IPv6 lines using grep
1369 # Integers don't need escaping
1375 # (insert additional madatory fields here)
1379 # (insert additional optional fields here)
1386 # if we know that the fallback is an extrainfo cache, flag it
1387 # and if we don't know, assume it is not
1394 # (insert additional comment fields here)
1395 # The terminator and comma must be the last line in each fallback entry
1398 s += SECTION_SEPARATOR_BASE
1406 return s
1408 ## Fallback Candidate List Class
1412 pass
1429 return
1463 return guard_count
1465 # Find fallbacks that fit the uptime, stability, and flags criteria,
1466 # and make an array of them in self.fallbacks
1472 # sort fallbacks by their consensus weight to advertised bandwidth factor,
1473 # lowest to highest
1474 # used to find the median cw_to_bw_factor()
1478 # sort fallbacks by their measured bandwidth, highest to lowest
1479 # calculate_measured_bandwidth before calling this
1480 # this is useful for reviewing candidates in priority order
1485 # sort fallbacks by the data field data_field, lowest to highest
1489 @staticmethod
1491 """ Read each line in the file, and parse it like a FallbackDir line:
1492 an IPv4 address and optional port:
1493 <IPv4 address>:<port>
1494 which are parsed into dictionary entries:
1495 ipv4=<IPv4 address>
1496 dirport=<port>
1497 followed by a series of key=value entries:
1498 orport=<port>
1499 id=<fingerprint>
1500 ipv6=<IPv6 address>:<IPv6 orport>
1501 each line's key/value pairs are placed in a dictonary,
1502 (of string -> string key/value pairs),
1503 and these dictionaries are placed in an array.
1504 comments start with # and are ignored """
1507 relaylist = []
1509 return relaylist
1511 relay_entry = {}
1512 # ignore comments
1515 # cleanup whitespace
1519 continue
1523 continue
1530 # assume that entries without a key are the ipv4 address,
1531 # perhaps with a dirport
1545 return relaylist
1547 # apply the fallback whitelist and blacklist
1551 # parse the whitelist and blacklist
1554 filtered_fallbacks = []
1560 # exclude
1565 # include
1568 # include
1571 # exclude
1576 # include
1579 # exclude
1584 return excluded_count
1586 @staticmethod
1591 # calculate each fallback's measured bandwidth based on the median
1592 # consensus weight to advertised bandwidth ratio
1599 # this will never be used, because there are no fallbacks
1604 # remove relays with low measured bandwidth from the fallback list
1605 # calculate_measured_bandwidth for each relay before calling this
1608 return
1609 above_min_bw_fallbacks = []
1614 # the bandwidth we log here is limited by the relay's consensus weight
1615 # as well as its adverttised bandwidth. See set_measured_bandwidth
1616 # for details
1623 # the minimum fallback in the list
1624 # call one of the sort_fallbacks_* functions before calling this
1629 return None
1631 # the median fallback in the list
1632 # call one of the sort_fallbacks_* functions before calling this
1634 # use the low-median when there are an evan number of fallbacks,
1635 # for consistency with the bandwidth authorities
1640 # if we need advertised_bandwidth but this relay doesn't have it,
1641 # move to a fallback with greater consensus weight until we find one
1645 return None
1648 return None
1650 # the maximum fallback in the list
1651 # call one of the sort_fallbacks_* functions before calling this
1656 return None
1658 # return a new bag suitable for storing attributes
1659 @staticmethod
1663 # get the count of attribute in attribute_bag
1664 # if attribute is None or the empty string, return 0
1665 @staticmethod
1673 # does attribute_bag contain more than max_count instances of attribute?
1674 # if so, return False
1675 # if not, return True
1676 # if attribute is None or the empty string, or max_count is invalid,
1677 # always return True
1678 @staticmethod
1681 return True
1683 return False
1685 return True
1687 # add attribute to attribute_bag, incrementing the count if it is already
1688 # present
1689 # if attribute is None or the empty string, or count is invalid,
1690 # do nothing
1691 @staticmethod
1694 pass
1698 # make sure there are only MAX_FALLBACKS_PER_IP fallbacks per IPv4 address,
1699 # and per IPv6 address
1700 # there is only one IPv4 address on each fallback: the IPv4 DirPort address
1701 # (we choose the IPv4 ORPort which is on the same IPv4 as the DirPort)
1702 # there is at most one IPv6 address on each fallback: the IPv6 ORPort address
1703 # we try to match the IPv4 ORPort, but will use any IPv6 address if needed
1704 # (clients only use the IPv6 ORPort)
1705 # if there is no IPv6 address, only the IPv4 address is checked
1706 # return the number of candidates we excluded
1708 ip_limit_fallbacks = []
1712 MAX_FALLBACKS_PER_IPV4)
1714 MAX_FALLBACKS_PER_IPV6)):
1720 MAX_FALLBACKS_PER_IPV4):
1726 MAX_FALLBACKS_PER_IPV6)):
1729 ip_list),
1735 # make sure there are only MAX_FALLBACKS_PER_CONTACT fallbacks for each
1736 # ContactInfo
1737 # if there is no ContactInfo, allow the fallback
1738 # this check can be gamed by providing no ContactInfo, or by setting the
1739 # ContactInfo to match another fallback
1740 # However, given the likelihood that relays with the same ContactInfo will
1741 # go down at similar times, its usefulness outweighs the risk
1743 contact_limit_fallbacks = []
1747 MAX_FALLBACKS_PER_CONTACT):
1754 contact_list),
1760 # make sure there are only MAX_FALLBACKS_PER_FAMILY fallbacks per effective
1761 # family
1762 # if there is no family, allow the fallback
1763 # we use effective family, which ensures mutual family declarations
1764 # but the check can be gamed by not declaring a family at all
1765 # if any indirect families exist, the result depends on the order in which
1766 # fallbacks are sorted in the list
1768 family_limit_fallbacks = []
1772 MAX_FALLBACKS_PER_FAMILY):
1778 # we already have a fallback with this fallback in its effective
1779 # family
1787 # try once to get the descriptors for fingerprint_list using stem
1788 # returns an empty list on exception
1789 @staticmethod
1792 return desc_list
1794 # try up to max_retries times to get the descriptors for fingerprint_list
1795 # using stem. Stops retrying when all descriptors have been retrieved.
1796 # returns a list containing the descriptors that were retrieved
1797 @staticmethod
1799 # we can't use stem's retries=, because we want to support more than 96
1800 # descriptors
1801 #
1802 # add an attempt for every MAX_FINGERPRINTS (or part thereof) in the list
1804 remaining_list = fingerprint_list
1805 desc_list = []
1808 break
1809 new_desc_list = CandidateList.get_fallback_descriptors_once(remaining_list[0:MAX_FINGERPRINTS])
1814 # warn and ignore if a directory mirror returned a bad descriptor
1817 continue
1819 return desc_list
1821 # find the fallbacks that cache extra-info documents
1822 # Onionoo doesn't know this, so we have to use stem
1834 # try a download check on each fallback candidate in order
1835 # stop after max_count successful downloads
1836 # but don't remove any candidates from the array
1842 # this fallback downloaded a consensus ok
1845 # we have enough fallbacks
1846 return
1848 # put max_count successful candidates in the fallbacks array:
1849 # - perform download checks on each fallback candidate
1850 # - retry failed candidates if CONSENSUS_DOWNLOAD_RETRY is set
1851 # - eliminate failed candidates
1852 # - if there are more than max_count candidates, eliminate lowest bandwidth
1853 # - if there are fewer than max_count candidates, leave only successful
1854 # Return the number of fallbacks that failed the consensus check
1859 # try unsuccessful candidates again
1860 # we could end up with more than max_count successful candidates here
1862 # now we have at least max_count successful candidates,
1863 # or we've tried them all
1867 # some of these failed the check, others skipped the check,
1868 # if we already had enough successful downloads
1871 return failed_count
1873 # return a string that describes a/b as a percentage
1874 @staticmethod
1879 # technically, 0/0 is undefined, but 0.0% is a sensible result
1882 # return a dictionary of lists of fallbacks by IPv4 netblock
1883 # the dictionary is keyed by the fingerprint of an arbitrary fallback
1884 # in each netblock
1885 # mask_bits is the size of the netblock
1887 netblocks = {}
1891 # we found an existing netblock containing this fallback
1893 # add it to the list
1896 break
1897 # make a new netblock based on this fallback's fingerprint
1900 return netblocks
1902 # return a dictionary of lists of fallbacks by IPv6 netblock
1903 # where mask_bits is the size of the netblock
1905 netblocks = {}
1907 # skip fallbacks without IPv6 addresses
1909 continue
1912 # we found an existing netblock containing this fallback
1914 # add it to the list
1917 break
1918 # make a new netblock based on this fallback's fingerprint
1921 return netblocks
1923 # log a message about the proportion of fallbacks in each IPv4 netblock,
1924 # where mask_bits is the size of the netblock
1932 # how many fallbacks are in a netblock with other fallbacks?
1934 # what's the netblock with the most fallbacks?
1937 most_frequent_netblock = b
1945 fallback_count),
1946 mask_bits,
1951 shared_netblock_fallback_count,
1952 fallback_count),
1953 mask_bits))
1955 # log a message about the proportion of fallbacks in each IPv6 netblock,
1956 # where mask_bits is the size of the netblock
1964 # how many fallbacks are in a netblock with other fallbacks?
1966 # what's the netblock with the most fallbacks?
1969 most_frequent_netblock = b
1977 fallback_count),
1978 mask_bits,
1983 shared_netblock_fallback_count,
1984 fallback_count),
1985 mask_bits))
1987 # log a message about the proportion of fallbacks in each IPv4 /8, /16,
1988 # and /24
1990 # this doesn't actually tell us anything useful
1991 #self.describe_fallback_ipv4_netblock_mask(8)
1993 #self.describe_fallback_ipv4_netblock_mask(24)
1995 # log a message about the proportion of fallbacks in each IPv6 /12 (RIR),
1996 # /23 (smaller RIR blocks), /32 (LIR), /48 (Customer), and /64 (Host)
1997 # https://www.iana.org/assignments/ipv6-unicast-address-assignments/
1999 # these don't actually tell us anything useful
2000 #self.describe_fallback_ipv6_netblock_mask(12)
2001 #self.describe_fallback_ipv6_netblock_mask(23)
2003 #self.describe_fallback_ipv6_netblock_mask(48)
2006 # log a message about the proportion of fallbacks in each IPv4 and IPv6
2007 # netblock
2012 # return a list of fallbacks which are on the IPv4 ORPort port
2016 # return a list of fallbacks which are on the IPv6 ORPort port
2020 # return a list of fallbacks which are on the DirPort port
2024 # log a message about the proportion of fallbacks on IPv4 ORPort port
2025 # and return that count
2031 fallback_count),
2032 port))
2033 return port_count
2035 # log a message about the proportion of IPv6 fallbacks on IPv6 ORPort port
2036 # and return that count
2042 fallback_count),
2043 port))
2044 return port_count
2046 # log a message about the proportion of fallbacks on DirPort port
2047 # and return that count
2053 fallback_count),
2054 port))
2055 return port_count
2057 # log a message about the proportion of fallbacks on each dirport,
2058 # each IPv4 orport, and each IPv6 orport
2061 ipv4_or_count = fallback_count
2066 fallback_count)))
2068 ipv6_or_count = ipv6_fallback_count
2073 ipv6_fallback_count)))
2074 dir_count = fallback_count
2079 fallback_count)))
2081 # return a list of fallbacks which cache extra-info documents
2085 # log a message about the proportion of fallbacks that cache extra-info docs
2091 fallback_count)))
2093 # return a list of fallbacks which have the Exit flag
2097 # log a message about the proportion of fallbacks with an Exit flag
2103 fallback_count)))
2105 # return a list of fallbacks which have an IPv6 address
2109 # log a message about the proportion of fallbacks on IPv6
2115 fallback_count)))
2120 # Report:
2121 # whether we checked consensus download times
2122 # the number of fallback directories (and limits/exclusions, if relevant)
2123 # min & max fallback bandwidths
2124 # #error if below minimum count
2131 CONSENSUS_DOWNLOAD_SPEED_MAX)
2135 # Multiline C comment with #error if things go bad
2138 # Integers don't need escaping in C comments
2144 guard_count,
2145 FALLBACK_PROPORTION_OF_GUARDS)
2147 fallback_proportion)
2155 # some 'Failed' failed the check, others 'Skipped' the check,
2156 # if we already had enough successful downloads
2159 excess_to_target_or_max)
2170 # We must have a minimum number of fallbacks so they are always
2171 # reachable, and are in diverse locations
2177 return s
2197 ## Main Function
2208 return None
2217 """ Fetches required onionoo documents and evaluates the
2218 fallback directory criteria for each of the relays """
2227 # end the header with a separator, to make it easier for parsers
2228 print SECTION_SEPARATOR_COMMENT
2232 # find relays that could be fallbacks
2236 # work out how many fallbacks we want
2239 target_count = guard_count
2242 # the maximum number of fallbacks is the least of:
2243 # - the target fallback count (FALLBACK_PROPORTION_OF_GUARDS * guard count)
2244 # - the maximum fallback count (MAX_FALLBACK_COUNT)
2246 max_count = target_count
2253 # filter with the whitelist and blacklist
2254 # if a relay has changed IPv4 address or ports recently, it will be excluded
2255 # as ineligible before we call apply_filter_lists, and so there will be no
2256 # warning that the details have changed from those in the whitelist.
2257 # instead, there will be an info-level log during the eligibility check.
2263 # calculate the measured bandwidth of each relay,
2264 # then remove low-bandwidth relays
2268 # print the raw fallback list
2269 #for x in candidates.fallbacks:
2270 # print x.fallbackdir_line(True)
2271 # print json.dumps(candidates[x]._data, sort_keys=True, indent=4,
2272 # separators=(',', ': '), default=json_util.default)
2274 # impose mandatory conditions here, like one per contact, family, IP
2275 # in measured bandwidth order
2278 # only impose these limits on the final list - operators can nominate
2279 # multiple candidate fallbacks, and then we choose the best set
2285 # check if each candidate can serve a consensus
2286 # there's a small risk we've eliminated relays from the same operator that
2287 # can serve a consensus, in favour of one that can't
2288 # but given it takes up to 15 seconds to check each consensus download,
2289 # the risk is worth it
2295 # work out which fallbacks cache extra-infos
2298 # analyse and log interesting diversity metrics
2299 # like netblock, ports, exit, IPv4-only
2300 # (we can't easily analyse AS, and it's hard to accurately analyse country)
2302 # if we can't import the ipaddress module, we can't do netblock analysis
2309 # output C comments summarising the fallback selection process
2313 target_count)
2317 # output C comments specifying the OnionOO data used to create the list
2321 # start the list with a separator, to make it easy for parsers
2322 print SECTION_SEPARATOR_COMMENT
2324 # sort the list differently depending on why we've created it:
2325 # if we're outputting the final fallback list, sort by fingerprint
2326 # this makes diffs much more stable
2327 # otherwise, if we're trying to find a bandwidth cutoff, or we want to
2328 # contact operators in priority order, sort by bandwidth (not yet
2329 # implemented)
2330 # otherwise, if we're contacting operators, sort by contact