1 /* Copyright (c) 2001-2004, Roger Dingledine.
2 * Copyright (c) 2004-2007, Roger Dingledine, Nick Mathewson. */
3 /* See LICENSE for licensing information */
5 const char policies_c_id
[] = \
10 * \brief Code to parse and use address policies and exit policies.
15 /** Policy that addresses for incoming SOCKS connections must match. */
16 static addr_policy_t
*socks_policy
= NULL
;
17 /** Policy that addresses for incoming directory connections must match. */
18 static addr_policy_t
*dir_policy
= NULL
;
19 /** Policy that addresses for incoming router descriptors must match in order
20 * to be published by us. */
21 static addr_policy_t
*authdir_reject_policy
= NULL
;
22 /** Policy that addresses for incoming router descriptors must match in order
23 * to be marked as valid in our networkstatus. */
24 static addr_policy_t
*authdir_invalid_policy
= NULL
;
25 /** Policy that addresses for incoming router descriptors must <b>not</b>
26 * match in order to not be marked as BadExit. */
27 static addr_policy_t
*authdir_badexit_policy
= NULL
;
29 /** Parsed addr_policy_t describing which addresses we believe we can start
31 static addr_policy_t
*reachable_or_addr_policy
= NULL
;
32 /** Parsed addr_policy_t describing which addresses we believe we can connect
33 * to directories at. */
34 static addr_policy_t
*reachable_dir_addr_policy
= NULL
;
37 * Given a linked list of config lines containing "allow" and "deny"
38 * tokens, parse them and append the result to <b>dest</b>. Return -1
39 * if any tokens are malformed, else return 0.
42 parse_addr_policy(config_line_t
*cfg
, addr_policy_t
**dest
,
45 addr_policy_t
**nextp
;
55 nextp
= &((*nextp
)->next
);
57 entries
= smartlist_create();
58 for (; cfg
; cfg
= cfg
->next
) {
59 smartlist_split_string(entries
, cfg
->value
, ",",
60 SPLIT_SKIP_SPACE
|SPLIT_IGNORE_BLANK
, 0);
61 SMARTLIST_FOREACH(entries
, const char *, ent
,
63 log_debug(LD_CONFIG
,"Adding new entry '%s'",ent
);
64 *nextp
= router_parse_addr_policy_from_string(ent
, assume_action
);
66 if (addr_mask_get_bits((*nextp
)->msk
)<0) {
67 log_warn(LD_CONFIG
, "Address policy element '%s' can't be expressed "
68 "as a bit prefix.", ent
);
70 /* Advance nextp to the end of the policy. */
72 nextp
= &((*nextp
)->next
);
74 log_warn(LD_CONFIG
,"Malformed policy '%s'.", ent
);
78 SMARTLIST_FOREACH(entries
, char *, ent
, tor_free(ent
));
79 smartlist_clear(entries
);
81 smartlist_free(entries
);
85 /** Helper: parse the Reachable(Dir|OR)?Addresses fields into
86 * reachable_(or|dir)_addr_policy. */
88 parse_reachable_addresses(void)
90 or_options_t
*options
= get_options();
92 if (options
->ReachableDirAddresses
&&
93 options
->ReachableORAddresses
&&
94 options
->ReachableAddresses
) {
96 "Both ReachableDirAddresses and ReachableORAddresses are set. "
97 "ReachableAddresses setting will be ignored.");
99 addr_policy_free(reachable_or_addr_policy
);
100 reachable_or_addr_policy
= NULL
;
101 if (!options
->ReachableORAddresses
&& options
->ReachableAddresses
)
103 "Using ReachableAddresses as ReachableORAddresses.");
104 if (parse_addr_policy(options
->ReachableORAddresses
?
105 options
->ReachableORAddresses
:
106 options
->ReachableAddresses
,
107 &reachable_or_addr_policy
, ADDR_POLICY_ACCEPT
)) {
109 "Error parsing Reachable%sAddresses entry; ignoring.",
110 options
->ReachableORAddresses
? "OR" : "");
113 addr_policy_free(reachable_dir_addr_policy
);
114 reachable_dir_addr_policy
= NULL
;
115 if (!options
->ReachableDirAddresses
&& options
->ReachableAddresses
)
117 "Using ReachableAddresses as ReachableDirAddresses");
118 if (parse_addr_policy(options
->ReachableDirAddresses
?
119 options
->ReachableDirAddresses
:
120 options
->ReachableAddresses
,
121 &reachable_dir_addr_policy
, ADDR_POLICY_ACCEPT
)) {
122 if (options
->ReachableDirAddresses
)
124 "Error parsing ReachableDirAddresses entry; ignoring.");
128 /** Return true iff the firewall options might block any address:port
132 firewall_is_fascist_or(void)
134 return reachable_or_addr_policy
!= NULL
;
137 /** Return true iff <b>policy</b> (possibly NULL) will allow a
138 * connection to <b>addr</b>:<b>port</b>.
141 addr_policy_permits_address(uint32_t addr
, uint16_t port
,
142 addr_policy_t
*policy
)
144 addr_policy_result_t p
;
145 p
= compare_addr_to_addr_policy(addr
, port
, policy
);
147 case ADDR_POLICY_PROBABLY_ACCEPTED
:
148 case ADDR_POLICY_ACCEPTED
:
150 case ADDR_POLICY_PROBABLY_REJECTED
:
151 case ADDR_POLICY_REJECTED
:
154 log_warn(LD_BUG
, "Unexpected result: %d", (int)p
);
159 /** Return true iff we think our firewall will let us make an OR connection to
162 fascist_firewall_allows_address_or(uint32_t addr
, uint16_t port
)
164 return addr_policy_permits_address(addr
, port
,
165 reachable_or_addr_policy
);
168 /** Return true iff we think our firewall will let us make a directory
169 * connection to addr:port. */
171 fascist_firewall_allows_address_dir(uint32_t addr
, uint16_t port
)
173 return addr_policy_permits_address(addr
, port
,
174 reachable_dir_addr_policy
);
177 /** Return 1 if <b>addr</b> is permitted to connect to our dir port,
178 * based on <b>dir_policy</b>. Else return 0.
181 dir_policy_permits_address(uint32_t addr
)
183 return addr_policy_permits_address(addr
, 1, dir_policy
);
186 /** Return 1 if <b>addr</b> is permitted to connect to our socks port,
187 * based on <b>socks_policy</b>. Else return 0.
190 socks_policy_permits_address(uint32_t addr
)
192 return addr_policy_permits_address(addr
, 1, socks_policy
);
195 /** Return 1 if <b>addr</b>:<b>port</b> is permitted to publish to our
196 * directory, based on <b>authdir_reject_policy</b>. Else return 0.
199 authdir_policy_permits_address(uint32_t addr
, uint16_t port
)
201 return addr_policy_permits_address(addr
, port
, authdir_reject_policy
);
204 /** Return 1 if <b>addr</b>:<b>port</b> is considered valid in our
205 * directory, based on <b>authdir_invalid_policy</b>. Else return 0.
208 authdir_policy_valid_address(uint32_t addr
, uint16_t port
)
210 return addr_policy_permits_address(addr
, port
, authdir_invalid_policy
);
213 /** Return 1 if <b>addr</b>:<b>port</b> should be marked as a bad exit,
214 * based on <b>authdir_badexit_policy</b>. Else return 0.
217 authdir_policy_badexit_address(uint32_t addr
, uint16_t port
)
219 return ! addr_policy_permits_address(addr
, port
, authdir_badexit_policy
);
222 #define REJECT(arg) \
223 do { *msg = tor_strdup(arg); goto err; } while (0)
225 /** Config helper: If there's any problem with the policy configuration
226 * options in <b>options</b>, return -1 and set <b>msg</b> to a newly
227 * allocated description of the error. Else return 0. */
229 validate_addr_policies(or_options_t
*options
, char **msg
)
231 addr_policy_t
*addr_policy
=NULL
;
234 if (policies_parse_exit_policy(options
->ExitPolicy
, &addr_policy
,
235 options
->ExitPolicyRejectPrivate
))
236 REJECT("Error in ExitPolicy entry.");
238 /* The rest of these calls *append* to addr_policy. So don't actually
239 * use the results for anything other than checking if they parse! */
240 if (parse_addr_policy(options
->DirPolicy
, &addr_policy
, -1))
241 REJECT("Error in DirPolicy entry.");
242 if (parse_addr_policy(options
->SocksPolicy
, &addr_policy
, -1))
243 REJECT("Error in SocksPolicy entry.");
244 if (parse_addr_policy(options
->ReachableAddresses
, &addr_policy
,
246 REJECT("Error in ReachableAddresses entry.");
247 if (parse_addr_policy(options
->ReachableORAddresses
, &addr_policy
,
249 REJECT("Error in ReachableORAddresses entry.");
250 if (parse_addr_policy(options
->ReachableDirAddresses
, &addr_policy
,
252 REJECT("Error in ReachableDirAddresses entry.");
253 if (parse_addr_policy(options
->AuthDirReject
, &addr_policy
,
255 REJECT("Error in AuthDirReject entry.");
256 if (parse_addr_policy(options
->AuthDirInvalid
, &addr_policy
,
258 REJECT("Error in AuthDirInvalid entry.");
261 addr_policy_free(addr_policy
);
262 return *msg
? -1 : 0;
266 /** Parse <b>string</b> in the same way that the exit policy
267 * is parsed, and put the processed version in *<b>policy</b>.
268 * Ignore port specifiers.
271 load_policy_from_option(config_line_t
*config
, addr_policy_t
**policy
,
275 addr_policy_free(*policy
);
277 parse_addr_policy(config
, policy
, assume_action
);
278 /* ports aren't used. */
279 for (n
=*policy
; n
; n
= n
->next
) {
285 /** Set all policies based on <b>options</b>, which should have been validated
288 policies_parse_from_options(or_options_t
*options
)
290 load_policy_from_option(options
->SocksPolicy
, &socks_policy
, -1);
291 load_policy_from_option(options
->DirPolicy
, &dir_policy
, -1);
292 load_policy_from_option(options
->AuthDirReject
,
293 &authdir_reject_policy
, ADDR_POLICY_REJECT
);
294 load_policy_from_option(options
->AuthDirInvalid
,
295 &authdir_invalid_policy
, ADDR_POLICY_REJECT
);
296 load_policy_from_option(options
->AuthDirBadExit
,
297 &authdir_badexit_policy
, ADDR_POLICY_REJECT
);
298 parse_reachable_addresses();
301 /** Compare two provided address policy items, and return -1, 0, or 1
302 * if the first is less than, equal to, or greater than the second. */
304 cmp_single_addr_policy(addr_policy_t
*a
, addr_policy_t
*b
)
307 if ((r
=((int)a
->policy_type
- (int)b
->policy_type
)))
309 if ((r
=((int)a
->addr
- (int)b
->addr
)))
311 if ((r
=((int)a
->msk
- (int)b
->msk
)))
313 if ((r
=((int)a
->prt_min
- (int)b
->prt_min
)))
315 if ((r
=((int)a
->prt_max
- (int)b
->prt_max
)))
320 /** Like cmp_single_addr_policy() above, but looks at the
321 * whole set of policies in each case. */
323 cmp_addr_policies(addr_policy_t
*a
, addr_policy_t
*b
)
327 if ((r
=cmp_single_addr_policy(a
,b
)))
340 /** Decide whether a given addr:port is definitely accepted,
341 * definitely rejected, probably accepted, or probably rejected by a
342 * given policy. If <b>addr</b> is 0, we don't know the IP of the
343 * target address. If <b>port</b> is 0, we don't know the port of the
346 * For now, the algorithm is pretty simple: we look for definite and
347 * uncertain matches. The first definite match is what we guess; if
348 * it was preceded by no uncertain matches of the opposite policy,
349 * then the guess is definite; otherwise it is probable. (If we
350 * have a known addr and port, all matches are definite; if we have an
351 * unknown addr/port, any address/port ranges other than "all" are
354 * We could do better by assuming that some ranges never match typical
355 * addresses (127.0.0.1, and so on). But we'll try this for now.
358 compare_addr_to_addr_policy(uint32_t addr
, uint16_t port
,
359 addr_policy_t
*policy
)
361 int maybe_reject
= 0;
362 int maybe_accept
= 0;
367 for (tmpe
=policy
; tmpe
; tmpe
=tmpe
->next
) {
370 /* Address is unknown. */
371 if ((port
>= tmpe
->prt_min
&& port
<= tmpe
->prt_max
) ||
372 (!port
&& tmpe
->prt_min
<=1 && tmpe
->prt_max
>=65535)) {
373 /* The port definitely matches. */
374 if (tmpe
->msk
== 0) {
380 /* The port maybe matches. */
384 /* Address is known */
385 if ((addr
& tmpe
->msk
) == (tmpe
->addr
& tmpe
->msk
)) {
386 if (port
>= tmpe
->prt_min
&& port
<= tmpe
->prt_max
) {
387 /* Exact match for the policy */
395 if (tmpe
->policy_type
== ADDR_POLICY_REJECT
)
401 if (tmpe
->policy_type
== ADDR_POLICY_ACCEPT
) {
402 /* If we already hit a clause that might trigger a 'reject', than we
403 * can't be sure of this certain 'accept'.*/
404 return maybe_reject
? ADDR_POLICY_PROBABLY_ACCEPTED
:
405 ADDR_POLICY_ACCEPTED
;
407 return maybe_accept
? ADDR_POLICY_PROBABLY_REJECTED
:
408 ADDR_POLICY_REJECTED
;
412 /* accept all by default. */
413 return maybe_reject
? ADDR_POLICY_PROBABLY_ACCEPTED
: ADDR_POLICY_ACCEPTED
;
416 /** Return true iff the address policy <b>a</b> covers every case that
417 * would be covered by <b>b</b>, so that a,b is redundant. */
419 addr_policy_covers(addr_policy_t
*a
, addr_policy_t
*b
)
421 /* We can ignore accept/reject, since "accept *:80, reject *:80" reduces
422 * to "accept *:80". */
423 if (a
->msk
& ~b
->msk
) {
424 /* There's a wildcard bit in b->msk that's not a wildcard in a. */
427 if ((a
->addr
& a
->msk
) != (b
->addr
& a
->msk
)) {
428 /* There's a fixed bit in a that's set differently in b. */
431 return (a
->prt_min
<= b
->prt_min
&& a
->prt_max
>= b
->prt_max
);
434 /** Return true iff the address policies <b>a</b> and <b>b</b> intersect,
435 * that is, there exists an address/port that is covered by <b>a</b> that
436 * is also covered by <b>b</b>.
439 addr_policy_intersects(addr_policy_t
*a
, addr_policy_t
*b
)
441 /* All the bits we care about are those that are set in both
442 * netmasks. If they are equal in a and b's networkaddresses
443 * then the networks intersect. If there is a difference,
444 * then they do not. */
445 if (((a
->addr
^ b
->addr
) & a
->msk
& b
->msk
) != 0)
447 if (a
->prt_max
< b
->prt_min
|| b
->prt_max
< a
->prt_min
)
452 /** Add the exit policy described by <b>more</b> to <b>policy</b>.
455 append_exit_policy_string(addr_policy_t
**policy
, const char *more
)
460 tmp
.value
= (char*) more
;
462 parse_addr_policy(&tmp
, policy
, -1);
465 /** Detect and excise "dead code" from the policy *<b>dest</b>. */
467 exit_policy_remove_redundancies(addr_policy_t
**dest
)
469 addr_policy_t
*ap
, *tmp
, *victim
, *previous
;
471 /* Step one: find a *:* entry and cut off everything after it. */
472 for (ap
=*dest
; ap
; ap
=ap
->next
) {
473 if (ap
->msk
== 0 && ap
->prt_min
<= 1 && ap
->prt_max
>= 65535) {
474 /* This is a catch-all line -- later lines are unreachable. */
476 addr_policy_free(ap
->next
);
482 /* Step two: for every entry, see if there's a redundant entry
483 * later on, and remove it. */
484 for (ap
=*dest
; ap
; ap
=ap
->next
) {
487 if (tmp
->next
&& addr_policy_covers(ap
, tmp
->next
)) {
488 log(LOG_DEBUG
, LD_CONFIG
, "Removing exit policy %s. It is made "
489 "redundant by %s.", tmp
->next
->string
, ap
->string
);
491 tmp
->next
= victim
->next
;
493 addr_policy_free(victim
);
500 /* Step three: for every entry A, see if there's an entry B making this one
501 * redundant later on. This is the case if A and B are of the same type
502 * (accept/reject), A is a subset of B, and there is no other entry of
503 * different type in between those two that intersects with A.
505 * Anybody want to doublecheck the logic here? XXX
510 for (tmp
=ap
->next
; tmp
; tmp
=tmp
->next
) {
511 if (ap
->policy_type
!= tmp
->policy_type
) {
512 if (addr_policy_intersects(ap
, tmp
)) {
513 tmp
= NULL
; /* so that we advance previous and ap */
516 } else { /* policy_types are equal. */
517 if (addr_policy_covers(tmp
, ap
)) {
518 log(LOG_DEBUG
, LD_CONFIG
, "Removing exit policy %s. It is already "
519 "covered by %s.", ap
->string
, tmp
->string
);
524 assert(previous
->next
== victim
);
525 previous
->next
= victim
->next
;
527 assert(*dest
== victim
);
528 *dest
= victim
->next
;
532 addr_policy_free(victim
);
544 #define DEFAULT_EXIT_POLICY \
545 "reject *:25,reject *:119,reject *:135-139,reject *:445," \
546 "reject *:465,reject *:563,reject *:587," \
547 "reject *:1214,reject *:4661-4666," \
548 "reject *:6346-6429,reject *:6699,reject *:6881-6999,accept *:*"
550 /** Parse the exit policy <b>cfg</b> into the linked list *<b>dest</b>. If
551 * cfg doesn't end in an absolute accept or reject, add the default exit
552 * policy afterwards. If <b>rejectprivate</b> is true, prepend
553 * "reject private:*" to the policy. Return -1 if we can't parse cfg,
557 policies_parse_exit_policy(config_line_t
*cfg
, addr_policy_t
**dest
,
561 append_exit_policy_string(dest
, "reject private:*");
562 if (parse_addr_policy(cfg
, dest
, -1))
564 append_exit_policy_string(dest
, DEFAULT_EXIT_POLICY
);
566 exit_policy_remove_redundancies(dest
);
570 /** Return true iff <b>ri</b> is "useful as an exit node", meaning
571 * it allows exit to at least one /8 address space for at least
572 * two of ports 80, 443, and 6667. */
574 exit_policy_is_general_exit(addr_policy_t
*policy
)
576 static const int ports
[] = { 80, 443, 6667 };
579 for (i
= 0; i
< 3; ++i
) {
580 struct addr_policy_t
*p
= policy
;
581 for ( ; p
; p
= p
->next
) {
582 if (p
->prt_min
> ports
[i
] || p
->prt_max
< ports
[i
])
583 continue; /* Doesn't cover our port. */
584 if ((p
->msk
& 0x00fffffful
) != 0)
585 continue; /* Narrower than a /8. */
586 if ((p
->addr
& 0xff000000ul
) == 0x7f000000ul
)
587 continue; /* 127.x */
588 /* We have a match that is at least a /8. */
589 if (p
->policy_type
== ADDR_POLICY_ACCEPT
) {
591 break; /* stop considering this port */
595 return n_allowed
>= 2;
598 /** Return false if <b>policy</b> might permit access to some addr:port;
599 * otherwise if we are certain it rejects everything, return true. */
601 policy_is_reject_star(addr_policy_t
*p
)
603 for ( ; p
; p
= p
->next
) {
604 if (p
->policy_type
== ADDR_POLICY_ACCEPT
)
606 else if (p
->policy_type
== ADDR_POLICY_REJECT
&&
607 p
->prt_min
<= 1 && p
->prt_max
== 65535 &&
614 /** Write a single address policy to the buf_len byte buffer at buf. Return
615 * the number of characters written, or -1 on failure. */
617 policy_write_item(char *buf
, size_t buflen
, addr_policy_t
*policy
)
621 char addrbuf
[INET_NTOA_BUF_LEN
];
624 in
.s_addr
= htonl(policy
->addr
);
625 tor_inet_ntoa(&in
, addrbuf
, sizeof(addrbuf
));
626 /* write accept/reject 1.2.3.4 */
627 result
= tor_snprintf(buf
, buflen
, "%s %s",
628 policy
->policy_type
== ADDR_POLICY_ACCEPT
? "accept" : "reject",
629 policy
->msk
== 0 ? "*" : addrbuf
);
632 written
+= strlen(buf
);
633 /* If the mask is 0xffffffff, we don't need to give it. If the mask is 0,
634 * we already wrote "*". */
635 if (policy
->msk
!= 0xFFFFFFFFu
&& policy
->msk
!= 0) {
636 int n_bits
= addr_mask_get_bits(policy
->msk
);
638 if (tor_snprintf(buf
+written
, buflen
-written
, "/%d", n_bits
)<0)
641 /* Write "/255.255.0.0" */
642 in
.s_addr
= htonl(policy
->msk
);
643 tor_inet_ntoa(&in
, addrbuf
, sizeof(addrbuf
));
644 if (tor_snprintf(buf
+written
, buflen
-written
, "/%s", addrbuf
)<0)
647 written
+= strlen(buf
+written
);
649 if (policy
->prt_min
<= 1 && policy
->prt_max
== 65535) {
650 /* There is no port set; write ":*" */
651 if (written
+4 > buflen
)
653 strlcat(buf
+written
, ":*", buflen
-written
);
655 } else if (policy
->prt_min
== policy
->prt_max
) {
656 /* There is only one port; write ":80". */
657 result
= tor_snprintf(buf
+written
, buflen
-written
, ":%d", policy
->prt_min
);
662 /* There is a range of ports; write ":79-80". */
663 result
= tor_snprintf(buf
+written
, buflen
-written
, ":%d-%d",
664 policy
->prt_min
, policy
->prt_max
);
669 if (written
< buflen
)
677 /** Implementation for GETINFO control command: knows the answer for questions
678 * about "exit-policy/..." */
680 getinfo_helper_policies(control_connection_t
*conn
,
681 const char *question
, char **answer
)
684 if (!strcmp(question
, "exit-policy/default")) {
685 *answer
= tor_strdup(DEFAULT_EXIT_POLICY
);
690 /** Release all storage held by <b>p</b>. */
692 addr_policy_free(addr_policy_t
*p
)
704 /** Release all storage held by policy variables. */
706 policies_free_all(void)
708 addr_policy_free(reachable_or_addr_policy
);
709 reachable_or_addr_policy
= NULL
;
710 addr_policy_free(reachable_dir_addr_policy
);
711 reachable_dir_addr_policy
= NULL
;
712 addr_policy_free(socks_policy
);
714 addr_policy_free(dir_policy
);
716 addr_policy_free(authdir_reject_policy
);
717 authdir_reject_policy
= NULL
;
718 addr_policy_free(authdir_invalid_policy
);
719 authdir_invalid_policy
= NULL
;