IRCaBot 2.1.0
GPLv3 © acetone, 2021-2022
#i2p-dev
/2021/12/15
dr|z3d zzz: chunk of the ip restriction patch in ProfileOrganizer looks wrong to me. minor, but it appears that logging excluded peers won't happen.
dr|z3d maybe I'm reading it wrong, but the following looks like the correct way to handle logging?
dr|z3d if (ok) {
dr|z3d ok = mask <= 0 || notRestricted(peer, ipSet, mask);
dr|z3d matches.add(peer);
dr|z3d } else {
dr|z3d matches.remove(peer);
dr|z3d if (_log.shouldLog(Log.WARN)
dr|z3d _log.warn("IP restriction prevents " + peer + " from joining " + matches);
dr|z3d maybe I'm reading it wrong, ok is defined in the top clause. notwithstanding, I'd expect to see a few exclusion log entries from the ProfileOrganizer. nada as yet.
dr|z3d ah. nevermind. finally logging triggered.
dr|z3d matches doesn't print anything, though. just []
dr|z3d > IP restriction prevents XXXX from joining []
dr|z3d should that be a tunnel id?
zzz dr|z3d, I think that code is right, its old code from 12 years ago. I only got a couple hits also, but I verified they were correct by looking up the RIs
zzz I'm temporarily changing the default from 2 to 1 in TunnelPeerSettings for testing so it hits more often, lets see what happens
dr|z3d zzz: yeah, my bad, it logs ok, it just doesn't always print the matches. tunnel id instead in the logs?
dr|z3d it got me thinking though about the scope of the blocks. it's too early I know, but at some point an external list of ranges for specific ranges might be an idea, for example for vps providers, orgs etc. and then of course limiting by country code also seems like a possible use.
zzz what would tunnel id do for you?
dr|z3d something that always prints in the logs
zzz I'm not following, but maybe I need more coffee
dr|z3d maybe tunnel id's not much help either, but something in the logs that better indicates why the peer's been blocked.
dr|z3d like the specific network range.
dr|z3d Blocking [peer] from joining [tunnelid] -> in the same range as [xxxx] and [yyyy] (0.0.0.0/24) or somesuch.
zzz unfortunately more trouble than it's worth as it's hidden down in MaskedIPSet. The log is there mainly so I can tell that it's working, so it's doing its job
dr|z3d if it's hassle, forget it.
zzz it is also matching on port number and family
zzz there is also a match for NTCP with cost 2, which I don't understand and need to research
dr|z3d I can confirm it's apparently working. some config knobs would help test things without recourse to recompiling perhaps. port and family is a good start. much work to slide countries into the mix?
zzz whats the threat model for same country?
dr|z3d router.iprestrictRange=24 and router.ipretrictCount=1 I'm thinking of.
dr|z3d threat model is state level interference class sybil attacks?
dr|z3d that would also apply to org ranges, to prevent someone from hosting a few hundred "droplets" aka micro-VPSs to perform sybil attacks. apparently that's already happened.
dr|z3d s/Range/Metric
zzz that seems better addressed by hidden mode that blocks everybody from your country now
zzz not sure if disallowing two from the same country does much
dr|z3d well, at the minimum it ensures your tunnels are using a more diverse set of routers. hidden mode is a different beast, what with the inherent performance downgrade.
zzz it's something new to be considered and justified separately, won't be thrown into the current effort to fix whats broken
zzz as we can see even this ip restriction is very rare
zzz anyway, thanks for testing
dr|z3d no worries, and yeah, country and list-based org restrictions are a "for consideration" topic, not a proposal for immediate integration :)
dr|z3d on a completely different topic, i2pd and i2p's http server tunnels apparently have different characteristics that allow for profiling/identification.
zzz e.g.?
dr|z3d for a 304 resource, i2pd responds with 0 bytes, i2p will send a good chunk of data, 20 bytes or so, to fulfill the same request.
dr|z3d *20KB
dr|z3d what's even more weird is that i2p's tunnel isn't consistent in the amount it sends for a 304.
dr|z3d i2pd sends the response as a 304, i2p as a 200.
dr|z3d and even when i2pd sends as a 200, it's still sending a 0 byte response. so definitely some discrepancy in handling.
zzz why would we send anything with a 304
zzz it's either a 200 or a 304, cant be both
dr|z3d that's not an i2p thing, that's a server operator thing. you'd send a 304 because "file not changed"
zzz if anything it would be a jetty vs. something else thing, not a i2p vs i2pd thing
dr|z3d the backend server's the same. not jetty.
dr|z3d that's what's strange, same backend, i2p or i2pd, different responses.
zzz our proxies don't turn 304s into 200s or vice versa
dr|z3d from the logs, it looks like eepget (?) is ignorant of 304 responses and ignores them.
dr|z3d that's my guess, could be way off the mark, though.
dr|z3d the only time I see a 304 response in the logs is when i2pd is handling the request. i2p never returns 304 it looks like.
zzz eepget doesnt send the etag/last mod headers that would provoke a 304 response unless you put it in the command line
dr|z3d yeah, but that doesn't account for the different response at the business end of things. i2p peer requests update.zip, i2pd responds with either a 200 or 304 and then a 0 byte payload, i2p will handle the same request and always responds with a 200 and a variable sized response. just odd.
dr|z3d the logging is different, too. i2p logs as domain.i2p, i2pd logs requests as *.b32.i2p
zzz dunno. not a rabbit hole I'm going to jump into
dr|z3d I'll do some digging, see if there's anything obvious in the code.
Xeha no surprise, check how huge the codebase is. its literally bloatware
Xeha it was fun seeing people try it starting ~1.5 weeks ago