Hi Nick,
a few comments to proposal 186 below:
On 9/21/11 8:13 PM, Nick Mathewson wrote:
In consonance with our changes to the (Socks|Trans|NATD|DNS)Port options made in 0.2.3.x for proposal 171, I make a corresponding change to allow multiple SocksPort options and deprecate SocksListenAddress.
When you say "Socks" in this document in most cases you mean "OR".
The new syntax will be:
"SocksPort" PortDescription Options?
The syntax allows multiple options per SocksPort line, right? Would that be "Options*" then?
The 'NoListen' option tells Tor to advertise an address, but not bind to it. The operator needs to use some other mechanism to ensure that ports are redirected to ports that _are_ listened on.
Do we need to check that we have at least one SocksPort line without the NoListen option?
In current operating systems (unless we get into crazy nonportable tricks) we need to use one socket for every address:port that Tor bind on. As a sanity check, we can limit the number of such sockets we use to, say, 64. If you want to bind lots more address:port combinations, you'll want to do it at the firewall/routing level.
64 seems very high for the number sockets to open. If someone wants to open more than 8 sockets and doesn't know how to edit firewall rules, that person probably shouldn't be opening this number of sockets.
Example: Our firewall is redirecting ports 80, 443, and 7000-8000 on all hosts in x.244.2.0/24 onto our port 2929.
SocksPort 2929 no-advertise SocksPort x.244.2.0/24:80,443,7000-8000 no-listen
"no-advertise" -> "noadvertise"
"no-listen" -> "nolisten"
The "/24" should probably also go away.
Example: We have a dynamic DNS provider that maps tornode.example.com to our current external IPv4 and IPv6 addresses. Our firewall forwards port 443 on those address to our port 1337.
SocksPort 1337 no-advertise alladdrs SocksPort tornode.example.com:443 no-bind alladdrs
"no-advertise" -> "noadvertise"
"no-bind" -> "nolisten"
I wonder what the effect of putting in a dynamic hostname is. Tor uses an IP address in the server descriptor anyway, and wouldn't it find out the IP address(es) by itself?
It will now be possible for a Tor node to find that some addresses work and others do not. In this case, the node should only advertise socksport lines that have been checked.
What if a partial SocksPort line was found to work, that is, if only a few ports work?
A node must not list more than 8 or-address lines.
Should there also be a restriction of PORTSPECs per line? I can imagine how these lines can get quite long: 1.2.3.4:1-2,4-5,7-8,...
Rest looks good!
Best, Karsten