| blob | 0ea3992d8fe6dfdaf918493eebcc1fcd375bbf41 |
1 #!/usr/bin/env python
3 # Usage:
4 #
5 # Regenerate the list:
6 # scripts/maint/updateFallbackDirs.py > src/app/config/fallback_dirs.inc 2> fallback_dirs.log
7 #
8 # Check the existing list:
9 # scripts/maint/updateFallbackDirs.py check_existing > fallback_dirs.inc.ok 2> fallback_dirs.log
10 # mv fallback_dirs.inc.ok src/app/config/fallback_dirs.inc
11 #
12 # This script should be run from a stable, reliable network connection,
13 # with no other network activity (and not over tor).
14 # If this is not possible, please disable:
15 # PERFORM_IPV4_DIRPORT_CHECKS and PERFORM_IPV6_DIRPORT_CHECKS
16 #
17 # Needs dateutil, stem, and potentially other python packages.
18 # Optionally uses ipaddress (python 3 builtin) or py2-ipaddress (package)
19 # for netblock analysis.
20 #
21 # Then read the logs to make sure the fallbacks aren't dominated by a single
22 # netblock or port.
24 # Script by weasel, April 2015
25 # Portions by gsathya & karsten, 2013
26 # https://trac.torproject.org/projects/tor/attachment/ticket/8374/dir_list.2.py
27 # Modifications by teor, 2015
29 import StringIO
30 import string
31 import re
32 import datetime
33 import gzip
35 import json
36 import math
37 import sys
38 import urllib
39 import urllib2
40 import hashlib
42 # bson_lazy provides bson
43 #from bson import json_util
44 import copy
45 import re
50 import logging
55 # python 3 builtin, or install package py2-ipaddress
56 # there are several ipaddress implementations for python 2
57 # with slightly different semantics with str typed text
58 # fortunately, all our IP addresses are in unicode
59 import ipaddress
62 # if this happens, we avoid doing netblock analysis
67 ## Top-Level Configuration
69 # We use semantic versioning: https://semver.org
70 # In particular:
71 # * major changes include removing a mandatory field, or anything else that
72 # would break an appropriately tolerant parser,
73 # * minor changes include adding a field,
74 # * patch changes include changing header comments or other unstructured
75 # content
80 # Output all candidate fallbacks, or only output selected fallbacks?
83 # Perform DirPort checks over IPv4?
84 # Change this to False if IPv4 doesn't work for you, or if you don't want to
85 # download a consensus for each fallback
86 # Don't check ~1000 candidates when OUTPUT_CANDIDATES is True
89 # Perform DirPort checks over IPv6?
90 # If you know IPv6 works for you, set this to True
91 # This will exclude IPv6 relays without an IPv6 DirPort configured
92 # So it's best left at False until #18394 is implemented
93 # Don't check ~1000 candidates when OUTPUT_CANDIDATES is True
96 # Must relays be running now?
97 MUST_BE_RUNNING_NOW = (PERFORM_IPV4_DIRPORT_CHECKS
100 # Clients have been using microdesc consensuses by default for a while now
103 # If a relay delivers an expired consensus, if it expired less than this many
104 # seconds ago, we still allow the relay. This should never be less than -90,
105 # as all directory mirrors should have downloaded a consensus 90 minutes
106 # before it expires. It should never be more than 24 hours, because clients
107 # reject consensuses that are older than REASONABLY_LIVE_TIME.
108 # For the consensus expiry check to be accurate, the machine running this
109 # script needs an accurate clock.
110 #
111 # Relays on 0.3.0 and later return a 404 when they are about to serve an
112 # expired consensus. This makes them fail the download check.
113 # We use a tolerance of 0, so that 0.2.x series relays also fail the download
114 # check if they serve an expired consensus.
117 # Output fallback name, flags, bandwidth, and ContactInfo in a C comment?
120 # Output matching ContactInfo in fallbacks list?
121 # Useful if you're trying to contact operators
124 # How the list should be sorted:
125 # fingerprint: is useful for stable diffs of fallback lists
126 # measured_bandwidth: is useful when pruning the list based on bandwidth
127 # contact: is useful for contacting operators once the list has been pruned
130 ## OnionOO Settings
133 #ONIONOO = 'https://onionoo.thecthulhu.com/'
135 # Don't bother going out to the Internet, just use the files available locally,
136 # even if they're very old
139 ## Whitelist / Blacklist Filter Settings
141 # The whitelist contains entries that are included if all attributes match
142 # (IPv4, dirport, orport, id, and optionally IPv6 and IPv6 orport)
144 # What happens to entries not in whitelist?
145 # When True, they are included, when False, they are excluded
151 # The number of bytes we'll read from a filter file before giving up
154 ## Eligibility Settings
156 # Require fallbacks to have the same address and port for a set amount of time
157 # We used to have this at 1 week, but that caused many fallback failures, which
158 # meant that we had to rebuild the list more often. We want fallbacks to be
159 # stable for 2 years, so we set it to a few months.
160 #
161 # If a relay changes address or port, that's it, it's not useful any more,
162 # because clients can't find it
164 # We ignore relays that have been down for more than this period
166 # FallbackDirs must have a time-weighted-fraction that is greater than or
167 # equal to:
168 # Mirrors that are down half the time are still useful half the time
171 # Guard flags are removed for some time after a relay restarts, so we ignore
172 # the guard flag.
174 # FallbackDirs must have a time-weighted-fraction that is less than or equal
175 # to:
176 # .00 means no bad exits
179 # older entries' weights are adjusted with ALPHA^(age in days)
182 # this factor is used to scale OnionOO entries to [0,1]
185 ## Fallback Count Limits
187 # The target for these parameters is 20% of the guards in the network
188 # This is around 200 as of October 2015
192 # Limit the number of fallbacks (eliminating lowest by advertised bandwidth)
194 # Emit a C #error if the number of fallbacks is less than expected
197 # The maximum number of fallbacks on the same address, contact, or family
198 #
199 # With 150 fallbacks, this means each operator sees 5% of client bootstraps.
200 # For comparison:
201 # - We try to limit guard and exit operators to 5% of the network
202 # - The directory authorities used to see 11% of client bootstraps each
203 #
204 # We also don't want too much of the list to go down if a single operator
205 # has to move all their relays.
207 MAX_FALLBACKS_PER_IPV4 = MAX_FALLBACKS_PER_IP
208 MAX_FALLBACKS_PER_IPV6 = MAX_FALLBACKS_PER_IP
212 ## Fallback Bandwidth Requirements
214 # Any fallback with the Exit flag has its bandwidth multiplied by this fraction
215 # to make sure we aren't further overloading exits
216 # (Set to 1.0, because we asked that only lightly loaded exits opt-in,
217 # and the extra load really isn't that much for large relays.)
220 # If a single fallback's bandwidth is too low, it's pointless adding it
221 # We expect fallbacks to handle an extra 10 kilobytes per second of traffic
222 # Make sure they can support fifty times the expected extra load
223 #
224 # We convert this to a consensus weight before applying the filter,
225 # because all the bandwidth amounts are specified by the relay
228 # Clients will time out after 30 seconds trying to download a consensus
229 # So allow fallback directories half that to deliver a consensus
230 # The exact download times might change based on the network connection
231 # running this script, but only by a few seconds
232 # There is also about a second of python overhead
234 # If the relay fails a consensus check, retry the download
235 # This avoids delisting a relay due to transient network conditions
238 ## Parsing Functions
244 # Remove each character in the bad_char_list
245 cleansed_string = raw_string
248 return cleansed_string
251 # Remove all unprintable characters
255 cleansed_string += c
256 return cleansed_string
259 # Replace all whitespace characters with a space
260 cleansed_string = raw_string
263 return cleansed_string
266 cleansed_string = raw_string
267 # Embedded newlines should be removed by tor/onionoo, but let's be paranoid
269 # ContactInfo and Version can be arbitrary binary data
271 # Prevent a malicious / unanticipated string from breaking out
272 # of a C-style multiline comment
273 # This removes '/*' and '*/' and '//'
275 # Prevent a malicious string from using C nulls
277 # Avoid confusing parsers by making sure there is only one comma per fallback
279 # Avoid confusing parsers by making sure there is only one equals per field
281 # Be safer by removing bad characters entirely
283 # Some compilers may further process the content of comments
284 # There isn't much we can do to cover every possible case
285 # But comment-based directives are typically only advisory
286 return cleansed_string
289 cleansed_string = raw_string
290 # Embedded newlines should be removed by tor/onionoo, but let's be paranoid
292 # ContactInfo and Version can be arbitrary binary data
294 # Prevent a malicious address/fingerprint string from breaking out
295 # of a C-style string
297 # Prevent a malicious string from using escapes
299 # Prevent a malicious string from using C nulls
301 # Avoid confusing parsers by making sure there is only one comma per fallback
303 # Avoid confusing parsers by making sure there is only one equals per field
305 # Be safer by removing bad characters entirely
307 # Some compilers may further process the content of strings
308 # There isn't much we can do to cover every possible case
309 # But this typically only results in changes to the string data
310 return cleansed_string
312 ## OnionOO Source Functions
314 # a dictionary of source metadata for each onionoo query we've made
315 fetch_source = {}
317 # register source metadata for 'what'
318 # assumes we only retrieve one document for each 'what'
325 # list each registered source's 'what'
329 # given 'what', provide a multiline C comment describing the source
344 return desc
346 ## File Processing Functions
357 )
369 )
370 return None
379 return file_data
390 # An exception here may be resolved by deleting the .last_modified
391 # and .json files, and re-running the script
400 )
402 ## OnionOO Functions
405 # Parse datetimes like: Fri, 02 Oct 2015 13:34:14 GMT
409 # Never modified - use start of epoch
411 # strip any timezone out (in case they're supported in future)
413 return dt
416 params = kwargs
418 #params['limit'] = 10
424 # Unfortunately, the URL is too long for some OS filenames,
425 # but we still don't want to get files from different URLs mixed up
437 # Read from the local file, don't write to anything
440 # store the full URL to a file for debugging
441 # no need to compare as long as you trust SHA-1
447 # load the last modified date from the file, if it exists
449 MAX_LAST_MODIFIED_LENGTH)
453 # Parse last modified date
456 # Not Modified and still recent enough to be useful
457 # Onionoo / Globe used to use 6 hours, but we can afford a day
459 # strip any timezone out (to match dateutil.parser)
463 # Make the OnionOO request
471 pass
479 # Check for freshness
482 # This check sometimes fails transiently, retry the script if it does
488 # Process the data
494 # use the most compact json representation to save space
497 # store the last modified date in its own file
500 last_modified_file_name,
501 MAX_LAST_MODIFIED_LENGTH)
512 url,
516 return response_json
519 #x = onionoo_fetch(what, **kwargs)
520 # don't use sort_keys, as the order of or_addresses is significant
521 #print json.dumps(x, indent=4, separators=(',', ': '))
522 #sys.exit(0)
526 ## Fallback Candidate Class
543 # relays without advertised bandwidth have it calculated from their
544 # consensus weight
569 # replace self._data['or_addresses'] with a stable ordering,
570 # sorting the secondary addresses in string order
571 # leave the received order in self._data['or_addresses_raw']
574 # subsequent entries in the or_addresses array are in an arbitrary order
575 # so we stabilise the addresses by sorting them in string order
583 # is_valid_ipv[46]_address by gsathya, karsten, 2013
584 @staticmethod
587 return False
589 # check if there are four period separated values
591 return False
593 # checks that each value in the octet are decimal values between 0-255
596 return False
600 return True
602 @staticmethod
605 return False
607 # remove brackets
610 # addresses are made up of eight colon separated groups of four hex digits
611 # with leading zeros being optional
612 # https://en.wikipedia.org/wiki/IPv6#Address_format
625 # If an IPv6 address has an embedded IPv4 address,
626 # it must be the last entry
628 return False
631 return False
635 return True
638 # Split the dir_address into dirip and dirport
643 # Choose the first ORPort that's on the same IPv4 address as the DirPort.
644 # In rare circumstances, this might not be the primary ORPort address.
645 # However, _stable_sort_or_addresses() ensures we choose the same one
646 # every time, even if onionoo changes the order of the secondaries.
655 return
658 # Choose the first IPv6 address that uses the same port as the ORPort
659 # Or, choose the first IPv6 address in the list
660 # _stable_sort_or_addresses() ensures we choose the same IPv6 address
661 # every time, even if onionoo changes the order of the secondaries.
664 # Choose the first IPv6 address that uses the same port as the ORPort
670 return
671 # Choose the first IPv6 address in the list
677 return
680 # parse the version out of the platform string
681 # The platform looks like: "Tor 0.2.7.6 on Linux"
684 return
685 # be tolerant of weird whitespacing, use a whitespace split
689 # if it's at least a.b.c.d, with potentially an -alpha-dev, -alpha, -rc
693 return
695 # From #20509
696 # bug #20499 affects versions from 0.2.9.1-alpha-dev to 0.2.9.4-alpha-dev
697 # and version 0.3.0.0-alpha-dev
698 # Exhaustive lists are hard to get wrong
706 '0.3.0.0-alpha-dev'
707 ]
710 # call _compute_version before calling this
711 # is the version of the relay a version we want as a fallback?
712 # checks both recommended versions and bug #20499 / #20509
713 #
714 # if the relay doesn't have a recommended version field, exclude the relay
718 return False
721 return False
722 # if the relay doesn't have version field, exclude the relay
725 return False
729 return False
730 return True
732 @staticmethod
734 # given a tree like this:
735 # {
736 # "1_month": {
737 # "count": 187,
738 # "factor": 0.001001001001001001,
739 # "first": "2015-02-27 06:00:00",
740 # "interval": 14400,
741 # "last": "2015-03-30 06:00:00",
742 # "values": [
743 # 999,
744 # 999
745 # ]
746 # },
747 # "1_week": {
748 # "count": 169,
749 # "factor": 0.001001001001001001,
750 # "first": "2015-03-23 07:30:00",
751 # "interval": 3600,
752 # "last": "2015-03-30 07:30:00",
753 # "values": [ ...]
754 # },
755 # "1_year": {
756 # "count": 177,
757 # "factor": 0.001001001001001001,
758 # "first": "2014-04-11 00:00:00",
759 # "interval": 172800,
760 # "last": "2015-03-29 00:00:00",
761 # "values": [ ...]
762 # },
763 # "3_months": {
764 # "count": 185,
765 # "factor": 0.001001001001001001,
766 # "first": "2014-12-28 06:00:00",
767 # "interval": 43200,
768 # "last": "2015-03-30 06:00:00",
769 # "values": [ ...]
770 # }
771 # },
772 # extract exactly one piece of data per time interval,
773 # using smaller intervals where available.
774 #
775 # returns list of (age, length, value) dictionaries.
777 generic_history = []
782 newest = now
794 agt2 = interval
803 })
804 newest = this_ts
805 this_ts -= interval
811 #print json.dumps(generic_history, sort_keys=True,
812 # indent=4, separators=(',', ': '))
813 return generic_history
815 @staticmethod
817 a = []
820 continue
834 return svw
840 print periods
843 pass
848 # flags we care about: Running, V2Dir, Guard
851 return
856 return
880 return False
885 return False
889 return False
893 return False
897 return False
898 # this function logs a message depending on which check fails
900 return False
904 return False
908 return False
912 return False
913 return True
916 """ A fallback matches if each key in the whitelist line matches:
917 ipv4
918 dirport
919 orport
920 id
921 ipv6 address and port (if present)
922 If the fallback has an ipv6 key, the whitelist line must also have
923 it, and vice versa, otherwise they don't match. """
929 # can't log here unless we match an IP and port, because every relay's
930 # fingerprint is compared to every entry's fingerprint
938 continue
942 continue
947 continue
952 continue
954 # if both entry and fallback have an ipv6 address, compare them
958 continue
959 # if the fallback has an IPv6 address but the whitelist entry
960 # doesn't, or vice versa, the whitelist entry doesn't match
964 continue
968 continue
969 return True
970 return False
973 # any relays with a missing or zero consensus weight are not candidates
974 # any relays with a missing advertised bandwidth have it set to zero
977 # since advertised_bandwidth is reported by the relay, it can be gamed
978 # to avoid this, use the median consensus weight to bandwidth factor to
979 # estimate this relay's measured bandwidth, and make that the upper limit
981 cw_to_bw= median_cw_to_bw_factor
982 # Reduce exit bandwidth to make sure we're not overloading them
984 cw_to_bw *= EXIT_BANDWIDTH_FRACTION
987 # limit advertised bandwidth (if available) to measured bandwidth
990 return measured_bandwidth
994 median_cw_to_bw_factor)
1005 # does this fallback have an IPv6 address and orport?
1009 # strip leading and trailing brackets from an IPv6 address
1010 # safe to use on non-bracketed IPv6 and on IPv4 addresses
1011 # also convert to unicode, and make None appear as ''
1012 @staticmethod
1022 # are ip_a and ip_b in the same netblock?
1023 # mask_bits is the size of the netblock
1024 # takes both IPv4 and IPv6 addresses
1025 # the versions of ip_a and ip_b must be the same
1026 # the mask must be valid for the IP version
1027 @staticmethod
1030 return False
1046 # is this fallback's IPv4 address (dirip) in the same netblock as other's
1047 # IPv4 address?
1048 # mask_bits is the size of the netblock
1052 # is this fallback's IPv6 address (ipv6addr) in the same netblock as
1053 # other's IPv6 address?
1054 # Returns False if either fallback has no IPv6 address
1055 # mask_bits is the size of the netblock
1058 return False
1061 # is this fallback's IPv4 DirPort the same as other's IPv4 DirPort?
1065 # is this fallback's IPv4 ORPort the same as other's IPv4 ORPort?
1069 # is this fallback's IPv6 ORPort the same as other's IPv6 ORPort?
1070 # Returns False if either fallback has no IPv6 address
1073 return False
1076 # does this fallback have the same DirPort, IPv4 ORPort, or
1077 # IPv6 ORPort as other?
1078 # Ignores IPv6 ORPort if either fallback has no IPv6 address
1083 # return a list containing IPv4 ORPort, DirPort, and IPv6 ORPort (if present)
1088 return ports
1090 # does this fallback share a port with other, regardless of whether the
1091 # port types match?
1092 # For example, if self's IPv4 ORPort is 80 and other's DirPort is 80,
1093 # return True
1097 return True
1098 return False
1100 # log how long it takes to download a consensus from dirip:dirport
1101 # returns True if the download failed, False if it succeeded within max_time
1102 @staticmethod
1104 max_time):
1106 # some directory mirrors respond to requests in ways that hang python
1107 # sockets, which is why we log this line here
1111 # there appears to be about 1 second of overhead when comparing stem's
1112 # internal trace time and the elapsed time calculated here
1123 microdescriptor = DOWNLOAD_MICRODESC_CONSENSUS
1130 stem_error)
1136 # keep the error failure status, and avoid using the variables
1137 pass
1157 return download_failed
1159 # does this fallback download the consensus fast enough?
1161 # include the relay if we're not doing a check, or we can't check (IPv6)
1169 CONSENSUS_DOWNLOAD_SPEED_MAX)
1171 # Clients assume the IPv6 DirPort is the same as the IPv4 DirPort
1176 CONSENSUS_DOWNLOAD_SPEED_MAX)
1179 # if this fallback has not passed a download check, try it again,
1180 # and record the result, available in get_fallback_download_consensus
1185 # did this fallback pass the download check?
1187 # if we're not performing checks, return True
1189 return True
1190 # if we are performing checks, but haven't done one, return False
1192 return False
1195 # output an optional header comment and info for this fallback
1196 # try_fallback_download_consensus before calling this
1201 # if the download speed is ok, output a C string
1202 # if it's not, but we OUTPUT_COMMENTS, output a commented-out C string
1205 return s
1207 # output a header comment for this fallback
1209 # /*
1210 # nickname
1211 # flags
1212 # adjusted bandwidth, consensus weight
1213 # [contact]
1214 # [identical contact counts]
1215 # */
1216 # Multiline C comment
1224 # this is an adjusted bandwidth, see calculate_measured_bandwidth()
1229 weight)
1240 # output the fallback info C string for this fallback
1241 # this is the text that would go after FallbackDir in a torrc
1242 # if this relay failed the download test and we OUTPUT_COMMENTS,
1243 # comment-out the returned string
1245 # "address:dirport orport=port id=fingerprint"
1246 # (insert additional madatory fields here)
1247 # "[ipv6=addr:orport]"
1248 # (insert additional optional fields here)
1249 # /* nickname=name */
1250 # /* extrainfo={0,1} */
1251 # (insert additional comment fields here)
1252 # /* ===== */
1253 # ,
1254 #
1255 # Do we want a C string, or a commented-out string?
1256 c_string = dl_speed_ok
1258 # If we don't want either kind of string, bail
1262 # Comment out the fallback directory entry if it's too slow
1263 # See the debug output for which address and port is failing
1266 # Multi-Line C string with trailing comma (part of a string list)
1267 # This makes it easier to diff the file, and remove IPv6 lines using grep
1268 # Integers don't need escaping
1274 # (insert additional madatory fields here)
1278 # (insert additional optional fields here)
1285 # if we know that the fallback is an extrainfo cache, flag it
1286 # and if we don't know, assume it is not
1293 # (insert additional comment fields here)
1294 # The terminator and comma must be the last line in each fallback entry
1297 s += SECTION_SEPARATOR_BASE
1305 return s
1307 ## Fallback Candidate List Class
1311 pass
1328 return
1362 return guard_count
1364 # Find fallbacks that fit the uptime, stability, and flags criteria,
1365 # and make an array of them in self.fallbacks
1371 # sort fallbacks by their consensus weight to advertised bandwidth factor,
1372 # lowest to highest
1373 # used to find the median cw_to_bw_factor()
1377 # sort fallbacks by their measured bandwidth, highest to lowest
1378 # calculate_measured_bandwidth before calling this
1379 # this is useful for reviewing candidates in priority order
1384 # sort fallbacks by the data field data_field, lowest to highest
1388 @staticmethod
1390 """ Read each line in the file, and parse it like a FallbackDir line:
1391 an IPv4 address and optional port:
1392 <IPv4 address>:<port>
1393 which are parsed into dictionary entries:
1394 ipv4=<IPv4 address>
1395 dirport=<port>
1396 followed by a series of key=value entries:
1397 orport=<port>
1398 id=<fingerprint>
1399 ipv6=<IPv6 address>:<IPv6 orport>
1400 each line's key/value pairs are placed in a dictonary,
1401 (of string -> string key/value pairs),
1402 and these dictionaries are placed in an array.
1403 comments start with # and are ignored """
1406 relaylist = []
1408 return relaylist
1410 relay_entry = {}
1411 # ignore comments
1414 # cleanup whitespace
1418 continue
1422 continue
1429 # assume that entries without a key are the ipv4 address,
1430 # perhaps with a dirport
1444 return relaylist
1446 # apply the fallback whitelist
1450 # parse the whitelist
1452 filtered_fallbacks = []
1456 # include
1459 # include
1462 # exclude
1467 return excluded_count
1469 @staticmethod
1474 # calculate each fallback's measured bandwidth based on the median
1475 # consensus weight to advertised bandwidth ratio
1482 # this will never be used, because there are no fallbacks
1487 # remove relays with low measured bandwidth from the fallback list
1488 # calculate_measured_bandwidth for each relay before calling this
1491 return
1492 above_min_bw_fallbacks = []
1497 # the bandwidth we log here is limited by the relay's consensus weight
1498 # as well as its adverttised bandwidth. See set_measured_bandwidth
1499 # for details
1506 # the minimum fallback in the list
1507 # call one of the sort_fallbacks_* functions before calling this
1512 return None
1514 # the median fallback in the list
1515 # call one of the sort_fallbacks_* functions before calling this
1517 # use the low-median when there are an evan number of fallbacks,
1518 # for consistency with the bandwidth authorities
1523 # if we need advertised_bandwidth but this relay doesn't have it,
1524 # move to a fallback with greater consensus weight until we find one
1528 return None
1531 return None
1533 # the maximum fallback in the list
1534 # call one of the sort_fallbacks_* functions before calling this
1539 return None
1541 # return a new bag suitable for storing attributes
1542 @staticmethod
1546 # get the count of attribute in attribute_bag
1547 # if attribute is None or the empty string, return 0
1548 @staticmethod
1556 # does attribute_bag contain more than max_count instances of attribute?
1557 # if so, return False
1558 # if not, return True
1559 # if attribute is None or the empty string, or max_count is invalid,
1560 # always return True
1561 @staticmethod
1564 return True
1566 return False
1568 return True
1570 # add attribute to attribute_bag, incrementing the count if it is already
1571 # present
1572 # if attribute is None or the empty string, or count is invalid,
1573 # do nothing
1574 @staticmethod
1577 pass
1581 # make sure there are only MAX_FALLBACKS_PER_IP fallbacks per IPv4 address,
1582 # and per IPv6 address
1583 # there is only one IPv4 address on each fallback: the IPv4 DirPort address
1584 # (we choose the IPv4 ORPort which is on the same IPv4 as the DirPort)
1585 # there is at most one IPv6 address on each fallback: the IPv6 ORPort address
1586 # we try to match the IPv4 ORPort, but will use any IPv6 address if needed
1587 # (clients only use the IPv6 ORPort)
1588 # if there is no IPv6 address, only the IPv4 address is checked
1589 # return the number of candidates we excluded
1591 ip_limit_fallbacks = []
1595 MAX_FALLBACKS_PER_IPV4)
1597 MAX_FALLBACKS_PER_IPV6)):
1603 MAX_FALLBACKS_PER_IPV4):
1609 MAX_FALLBACKS_PER_IPV6)):
1612 ip_list),
1618 # make sure there are only MAX_FALLBACKS_PER_CONTACT fallbacks for each
1619 # ContactInfo
1620 # if there is no ContactInfo, allow the fallback
1621 # this check can be gamed by providing no ContactInfo, or by setting the
1622 # ContactInfo to match another fallback
1623 # However, given the likelihood that relays with the same ContactInfo will
1624 # go down at similar times, its usefulness outweighs the risk
1626 contact_limit_fallbacks = []
1630 MAX_FALLBACKS_PER_CONTACT):
1637 contact_list),
1643 # make sure there are only MAX_FALLBACKS_PER_FAMILY fallbacks per effective
1644 # family
1645 # if there is no family, allow the fallback
1646 # we use effective family, which ensures mutual family declarations
1647 # but the check can be gamed by not declaring a family at all
1648 # if any indirect families exist, the result depends on the order in which
1649 # fallbacks are sorted in the list
1651 family_limit_fallbacks = []
1655 MAX_FALLBACKS_PER_FAMILY):
1661 # we already have a fallback with this fallback in its effective
1662 # family
1670 # try once to get the descriptors for fingerprint_list using stem
1671 # returns an empty list on exception
1672 @staticmethod
1675 return desc_list
1677 # try up to max_retries times to get the descriptors for fingerprint_list
1678 # using stem. Stops retrying when all descriptors have been retrieved.
1679 # returns a list containing the descriptors that were retrieved
1680 @staticmethod
1682 # we can't use stem's retries=, because we want to support more than 96
1683 # descriptors
1684 #
1685 # add an attempt for every MAX_FINGERPRINTS (or part thereof) in the list
1687 remaining_list = fingerprint_list
1688 desc_list = []
1691 break
1692 new_desc_list = CandidateList.get_fallback_descriptors_once(remaining_list[0:MAX_FINGERPRINTS])
1697 # warn and ignore if a directory mirror returned a bad descriptor
1700 continue
1702 return desc_list
1704 # find the fallbacks that cache extra-info documents
1705 # Onionoo doesn't know this, so we have to use stem
1717 # try a download check on each fallback candidate in order
1718 # stop after max_count successful downloads
1719 # but don't remove any candidates from the array
1725 # this fallback downloaded a consensus ok
1728 # we have enough fallbacks
1729 return
1731 # put max_count successful candidates in the fallbacks array:
1732 # - perform download checks on each fallback candidate
1733 # - retry failed candidates if CONSENSUS_DOWNLOAD_RETRY is set
1734 # - eliminate failed candidates
1735 # - if there are more than max_count candidates, eliminate lowest bandwidth
1736 # - if there are fewer than max_count candidates, leave only successful
1737 # Return the number of fallbacks that failed the consensus check
1742 # try unsuccessful candidates again
1743 # we could end up with more than max_count successful candidates here
1745 # now we have at least max_count successful candidates,
1746 # or we've tried them all
1750 # some of these failed the check, others skipped the check,
1751 # if we already had enough successful downloads
1754 return failed_count
1756 # return a string that describes a/b as a percentage
1757 @staticmethod
1762 # technically, 0/0 is undefined, but 0.0% is a sensible result
1765 # return a dictionary of lists of fallbacks by IPv4 netblock
1766 # the dictionary is keyed by the fingerprint of an arbitrary fallback
1767 # in each netblock
1768 # mask_bits is the size of the netblock
1770 netblocks = {}
1774 # we found an existing netblock containing this fallback
1776 # add it to the list
1779 break
1780 # make a new netblock based on this fallback's fingerprint
1783 return netblocks
1785 # return a dictionary of lists of fallbacks by IPv6 netblock
1786 # where mask_bits is the size of the netblock
1788 netblocks = {}
1790 # skip fallbacks without IPv6 addresses
1792 continue
1795 # we found an existing netblock containing this fallback
1797 # add it to the list
1800 break
1801 # make a new netblock based on this fallback's fingerprint
1804 return netblocks
1806 # log a message about the proportion of fallbacks in each IPv4 netblock,
1807 # where mask_bits is the size of the netblock
1815 # how many fallbacks are in a netblock with other fallbacks?
1817 # what's the netblock with the most fallbacks?
1820 most_frequent_netblock = b
1828 fallback_count),
1829 mask_bits,
1834 shared_netblock_fallback_count,
1835 fallback_count),
1836 mask_bits))
1838 # log a message about the proportion of fallbacks in each IPv6 netblock,
1839 # where mask_bits is the size of the netblock
1847 # how many fallbacks are in a netblock with other fallbacks?
1849 # what's the netblock with the most fallbacks?
1852 most_frequent_netblock = b
1860 fallback_count),
1861 mask_bits,
1866 shared_netblock_fallback_count,
1867 fallback_count),
1868 mask_bits))
1870 # log a message about the proportion of fallbacks in each IPv4 /8, /16,
1871 # and /24
1873 # this doesn't actually tell us anything useful
1874 #self.describe_fallback_ipv4_netblock_mask(8)
1876 #self.describe_fallback_ipv4_netblock_mask(24)
1878 # log a message about the proportion of fallbacks in each IPv6 /12 (RIR),
1879 # /23 (smaller RIR blocks), /32 (LIR), /48 (Customer), and /64 (Host)
1880 # https://www.iana.org/assignments/ipv6-unicast-address-assignments/
1882 # these don't actually tell us anything useful
1883 #self.describe_fallback_ipv6_netblock_mask(12)
1884 #self.describe_fallback_ipv6_netblock_mask(23)
1886 #self.describe_fallback_ipv6_netblock_mask(48)
1889 # log a message about the proportion of fallbacks in each IPv4 and IPv6
1890 # netblock
1895 # return a list of fallbacks which are on the IPv4 ORPort port
1899 # return a list of fallbacks which are on the IPv6 ORPort port
1903 # return a list of fallbacks which are on the DirPort port
1907 # log a message about the proportion of fallbacks on IPv4 ORPort port
1908 # and return that count
1914 fallback_count),
1915 port))
1916 return port_count
1918 # log a message about the proportion of IPv6 fallbacks on IPv6 ORPort port
1919 # and return that count
1925 fallback_count),
1926 port))
1927 return port_count
1929 # log a message about the proportion of fallbacks on DirPort port
1930 # and return that count
1936 fallback_count),
1937 port))
1938 return port_count
1940 # log a message about the proportion of fallbacks on each dirport,
1941 # each IPv4 orport, and each IPv6 orport
1944 ipv4_or_count = fallback_count
1949 fallback_count)))
1951 ipv6_or_count = ipv6_fallback_count
1956 ipv6_fallback_count)))
1957 dir_count = fallback_count
1962 fallback_count)))
1964 # return a list of fallbacks which cache extra-info documents
1968 # log a message about the proportion of fallbacks that cache extra-info docs
1974 fallback_count)))
1976 # return a list of fallbacks which have the Exit flag
1980 # log a message about the proportion of fallbacks with an Exit flag
1986 fallback_count)))
1988 # return a list of fallbacks which have an IPv6 address
1992 # log a message about the proportion of fallbacks on IPv6
1998 fallback_count)))
2003 # Report:
2004 # whether we checked consensus download times
2005 # the number of fallback directories (and limits/exclusions, if relevant)
2006 # min & max fallback bandwidths
2007 # #error if below minimum count
2014 CONSENSUS_DOWNLOAD_SPEED_MAX)
2018 # Multiline C comment with #error if things go bad
2021 # Integers don't need escaping in C comments
2027 guard_count,
2028 FALLBACK_PROPORTION_OF_GUARDS)
2030 fallback_proportion)
2038 # some 'Failed' failed the check, others 'Skipped' the check,
2039 # if we already had enough successful downloads
2042 excess_to_target_or_max)
2053 # We must have a minimum number of fallbacks so they are always
2054 # reachable, and are in diverse locations
2060 return s
2076 ## Main Function
2087 return None
2096 """ Fetches required onionoo documents and evaluates the
2097 fallback directory criteria for each of the relays """
2106 # end the header with a separator, to make it easier for parsers
2107 print SECTION_SEPARATOR_COMMENT
2111 # find relays that could be fallbacks
2115 # work out how many fallbacks we want
2118 target_count = guard_count
2121 # the maximum number of fallbacks is the least of:
2122 # - the target fallback count (FALLBACK_PROPORTION_OF_GUARDS * guard count)
2123 # - the maximum fallback count (MAX_FALLBACK_COUNT)
2125 max_count = target_count
2132 # filter with the whitelist
2133 # if a relay has changed IPv4 address or ports recently, it will be excluded
2134 # as ineligible before we call apply_filter_lists, and so there will be no
2135 # warning that the details have changed from those in the whitelist.
2136 # instead, there will be an info-level log during the eligibility check.
2142 # calculate the measured bandwidth of each relay,
2143 # then remove low-bandwidth relays
2147 # print the raw fallback list
2148 #for x in candidates.fallbacks:
2149 # print x.fallbackdir_line(True)
2150 # print json.dumps(candidates[x]._data, sort_keys=True, indent=4,
2151 # separators=(',', ': '), default=json_util.default)
2153 # impose mandatory conditions here, like one per contact, family, IP
2154 # in measured bandwidth order
2157 # only impose these limits on the final list - operators can nominate
2158 # multiple candidate fallbacks, and then we choose the best set
2164 # check if each candidate can serve a consensus
2165 # there's a small risk we've eliminated relays from the same operator that
2166 # can serve a consensus, in favour of one that can't
2167 # but given it takes up to 15 seconds to check each consensus download,
2168 # the risk is worth it
2174 # work out which fallbacks cache extra-infos
2177 # analyse and log interesting diversity metrics
2178 # like netblock, ports, exit, IPv4-only
2179 # (we can't easily analyse AS, and it's hard to accurately analyse country)
2181 # if we can't import the ipaddress module, we can't do netblock analysis
2188 # output C comments summarising the fallback selection process
2192 target_count)
2196 # output C comments specifying the OnionOO data used to create the list
2200 # start the list with a separator, to make it easy for parsers
2201 print SECTION_SEPARATOR_COMMENT
2203 # sort the list differently depending on why we've created it:
2204 # if we're outputting the final fallback list, sort by fingerprint
2205 # this makes diffs much more stable
2206 # otherwise, if we're trying to find a bandwidth cutoff, or we want to
2207 # contact operators in priority order, sort by bandwidth (not yet
2208 # implemented)
2209 # otherwise, if we're contacting operators, sort by contact