1 /* Copyright (c) 2013-2017, The Tor Project, Inc. */
2 /* See LICENSE for licensing information */
8 #include "routerparse.h"
9 #define POLICIES_PRIVATE
13 /* Helper: assert that short_policy parses and writes back out as itself,
14 or as <b>expected</b> if that's provided. */
16 test_short_policy_parse(const char *input
,
19 short_policy_t
*short_policy
= NULL
;
25 short_policy
= parse_short_policy(input
);
26 tt_assert(short_policy
);
27 out
= write_short_policy(short_policy
);
28 tt_str_op(out
, OP_EQ
, expected
);
32 short_policy_free(short_policy
);
35 /** Helper: Parse the exit policy string in <b>policy_str</b> with
36 * <b>options</b>, and make sure that policies_summarize() produces the string
37 * <b>expected_summary</b> from it when called with family. */
39 test_policy_summary_helper_family_flags(const char *policy_str
,
40 const char *expected_summary
,
42 exit_policy_parser_cfg_t options
)
45 smartlist_t
*policy
= smartlist_new();
47 char *summary_after
= NULL
;
49 short_policy_t
*short_policy
= NULL
;
52 line
.key
= (char*)"foo";
53 line
.value
= (char *)policy_str
;
56 r
= policies_parse_exit_policy(&line
, &policy
,
58 tt_int_op(r
,OP_EQ
, 0);
60 summary
= policy_summarize(policy
, family
);
62 tt_ptr_op(summary
, OP_NE
, NULL
);
63 tt_str_op(summary
,OP_EQ
, expected_summary
);
65 short_policy
= parse_short_policy(summary
);
66 tt_assert(short_policy
);
67 summary_after
= write_short_policy(short_policy
);
68 tt_str_op(summary
,OP_EQ
, summary_after
);
72 /* If we don't print the flags on failure, it's very hard to diagnose bugs */
74 TT_DECLARE("CTXT", ("\n IPv%d\n Options: %x\n Policy: %s",
75 family
== AF_INET
? 4 : 6, options
, policy_str
));
76 tor_free(summary_after
);
79 addr_policy_list_free(policy
);
80 short_policy_free(short_policy
);
83 /** Like test_policy_summary_helper_family_flags, but tries all the different
84 * flag combinations */
86 test_policy_summary_helper_family(const char *policy_str
,
87 const char *expected_summary
,
90 for (exit_policy_parser_cfg_t opt
= 0;
91 opt
<= EXIT_POLICY_OPTION_ALL
;
93 if (family
== AF_INET6
&& !(opt
& EXIT_POLICY_IPV6_ENABLED
))
94 /* Skip the test: IPv6 addresses need IPv6 enabled */
97 if (opt
& EXIT_POLICY_REJECT_LOCAL_INTERFACES
)
98 /* Skip the test: local interfaces are machine-specific */
101 test_policy_summary_helper_family_flags(policy_str
, expected_summary
,
106 /** Like test_policy_summary_helper_family, but uses expected_summary for
107 * both IPv4 and IPv6. */
109 test_policy_summary_helper(const char *policy_str
,
110 const char *expected_summary
)
112 test_policy_summary_helper_family(policy_str
, expected_summary
, AF_INET
);
113 test_policy_summary_helper_family(policy_str
, expected_summary
, AF_INET6
);
116 /** Like test_policy_summary_helper_family, but uses expected_summary4 for
117 * IPv4 and expected_summary6 for IPv6. */
119 test_policy_summary_helper6(const char *policy_str
,
120 const char *expected_summary4
,
121 const char *expected_summary6
)
123 test_policy_summary_helper_family(policy_str
, expected_summary4
, AF_INET
);
124 test_policy_summary_helper_family(policy_str
, expected_summary6
, AF_INET6
);
127 /** Run unit tests for generating summary lines of exit policies */
129 test_policies_general(void *arg
)
132 smartlist_t
*policy
= NULL
, *policy2
= NULL
, *policy3
= NULL
,
133 *policy4
= NULL
, *policy5
= NULL
, *policy6
= NULL
,
134 *policy7
= NULL
, *policy8
= NULL
, *policy9
= NULL
,
135 *policy10
= NULL
, *policy11
= NULL
, *policy12
= NULL
;
137 tor_addr_t tar
, tar2
;
138 smartlist_t
*addr_list
= NULL
;
140 smartlist_t
*sm
= NULL
;
141 char *policy_str
= NULL
;
142 short_policy_t
*short_parsed
= NULL
;
143 int malformed_list
= -1;
146 policy
= smartlist_new();
148 p
= router_parse_addr_policy_item_from_string("reject 192.168.0.0/16:*", -1,
150 tt_ptr_op(p
, OP_NE
, NULL
);
151 tt_int_op(ADDR_POLICY_REJECT
,OP_EQ
, p
->policy_type
);
152 tor_addr_from_ipv4h(&tar
, 0xc0a80000u
);
153 tt_int_op(0,OP_EQ
, tor_addr_compare(&p
->addr
, &tar
, CMP_EXACT
));
154 tt_int_op(16,OP_EQ
, p
->maskbits
);
155 tt_int_op(1,OP_EQ
, p
->prt_min
);
156 tt_int_op(65535,OP_EQ
, p
->prt_max
);
158 smartlist_add(policy
, p
);
160 tor_addr_from_ipv4h(&tar
, 0x01020304u
);
161 tt_assert(ADDR_POLICY_ACCEPTED
==
162 compare_tor_addr_to_addr_policy(&tar
, 2, policy
));
163 tor_addr_make_unspec(&tar
);
164 tt_assert(ADDR_POLICY_PROBABLY_ACCEPTED
==
165 compare_tor_addr_to_addr_policy(&tar
, 2, policy
));
166 tor_addr_from_ipv4h(&tar
, 0xc0a80102);
167 tt_assert(ADDR_POLICY_REJECTED
==
168 compare_tor_addr_to_addr_policy(&tar
, 2, policy
));
170 tt_int_op(0, OP_EQ
, policies_parse_exit_policy(NULL
, &policy2
,
171 EXIT_POLICY_IPV6_ENABLED
|
172 EXIT_POLICY_REJECT_PRIVATE
|
173 EXIT_POLICY_ADD_DEFAULT
, NULL
));
177 tor_addr_from_ipv4h(&tar
, 0x0306090cu
);
178 tor_addr_parse(&tar2
, "[2000::1234]");
179 addr_list
= smartlist_new();
180 smartlist_add(addr_list
, &tar
);
181 smartlist_add(addr_list
, &tar2
);
182 tt_int_op(0, OP_EQ
, policies_parse_exit_policy(NULL
, &policy12
,
183 EXIT_POLICY_IPV6_ENABLED
|
184 EXIT_POLICY_REJECT_PRIVATE
|
185 EXIT_POLICY_ADD_DEFAULT
,
187 smartlist_free(addr_list
);
192 policy3
= smartlist_new();
193 p
= router_parse_addr_policy_item_from_string("reject *:*", -1,
195 tt_ptr_op(p
, OP_NE
, NULL
);
196 smartlist_add(policy3
, p
);
197 p
= router_parse_addr_policy_item_from_string("accept *:*", -1,
199 tt_ptr_op(p
, OP_NE
, NULL
);
200 smartlist_add(policy3
, p
);
202 policy4
= smartlist_new();
203 p
= router_parse_addr_policy_item_from_string("accept *:443", -1,
205 tt_ptr_op(p
, OP_NE
, NULL
);
206 smartlist_add(policy4
, p
);
207 p
= router_parse_addr_policy_item_from_string("accept *:443", -1,
209 tt_ptr_op(p
, OP_NE
, NULL
);
210 smartlist_add(policy4
, p
);
212 policy5
= smartlist_new();
213 p
= router_parse_addr_policy_item_from_string("reject 0.0.0.0/8:*", -1,
215 tt_ptr_op(p
, OP_NE
, NULL
);
216 smartlist_add(policy5
, p
);
217 p
= router_parse_addr_policy_item_from_string("reject 169.254.0.0/16:*", -1,
219 tt_ptr_op(p
, OP_NE
, NULL
);
220 smartlist_add(policy5
, p
);
221 p
= router_parse_addr_policy_item_from_string("reject 127.0.0.0/8:*", -1,
223 tt_ptr_op(p
, OP_NE
, NULL
);
224 smartlist_add(policy5
, p
);
225 p
= router_parse_addr_policy_item_from_string("reject 192.168.0.0/16:*",
226 -1, &malformed_list
);
227 tt_ptr_op(p
, OP_NE
, NULL
);
228 smartlist_add(policy5
, p
);
229 p
= router_parse_addr_policy_item_from_string("reject 10.0.0.0/8:*", -1,
231 tt_ptr_op(p
, OP_NE
, NULL
);
232 smartlist_add(policy5
, p
);
233 p
= router_parse_addr_policy_item_from_string("reject 172.16.0.0/12:*", -1,
235 tt_ptr_op(p
, OP_NE
, NULL
);
236 smartlist_add(policy5
, p
);
237 p
= router_parse_addr_policy_item_from_string("reject 80.190.250.90:*", -1,
239 tt_ptr_op(p
, OP_NE
, NULL
);
240 smartlist_add(policy5
, p
);
241 p
= router_parse_addr_policy_item_from_string("reject *:1-65534", -1,
243 tt_ptr_op(p
, OP_NE
, NULL
);
244 smartlist_add(policy5
, p
);
245 p
= router_parse_addr_policy_item_from_string("reject *:65535", -1,
247 tt_ptr_op(p
, OP_NE
, NULL
);
248 smartlist_add(policy5
, p
);
249 p
= router_parse_addr_policy_item_from_string("accept *:1-65535", -1,
251 tt_ptr_op(p
, OP_NE
, NULL
);
252 smartlist_add(policy5
, p
);
254 policy6
= smartlist_new();
255 p
= router_parse_addr_policy_item_from_string("accept 43.3.0.0/9:*", -1,
257 tt_ptr_op(p
, OP_NE
, NULL
);
258 smartlist_add(policy6
, p
);
260 policy7
= smartlist_new();
261 p
= router_parse_addr_policy_item_from_string("accept 0.0.0.0/8:*", -1,
263 tt_ptr_op(p
, OP_NE
, NULL
);
264 smartlist_add(policy7
, p
);
266 tt_int_op(0, OP_EQ
, policies_parse_exit_policy(NULL
, &policy8
,
267 EXIT_POLICY_IPV6_ENABLED
|
268 EXIT_POLICY_REJECT_PRIVATE
|
269 EXIT_POLICY_ADD_DEFAULT
,
274 tt_int_op(0, OP_EQ
, policies_parse_exit_policy(NULL
, &policy9
,
275 EXIT_POLICY_REJECT_PRIVATE
|
276 EXIT_POLICY_ADD_DEFAULT
,
281 /* accept6 * and reject6 * produce IPv6 wildcards only */
282 policy10
= smartlist_new();
283 p
= router_parse_addr_policy_item_from_string("accept6 *:*", -1,
285 tt_ptr_op(p
, OP_NE
, NULL
);
286 smartlist_add(policy10
, p
);
288 policy11
= smartlist_new();
289 p
= router_parse_addr_policy_item_from_string("reject6 *:*", -1,
291 tt_ptr_op(p
, OP_NE
, NULL
);
292 smartlist_add(policy11
, p
);
294 tt_assert(!exit_policy_is_general_exit(policy
));
295 tt_assert(exit_policy_is_general_exit(policy2
));
296 tt_assert(!exit_policy_is_general_exit(NULL
));
297 tt_assert(!exit_policy_is_general_exit(policy3
));
298 tt_assert(!exit_policy_is_general_exit(policy4
));
299 tt_assert(!exit_policy_is_general_exit(policy5
));
300 tt_assert(!exit_policy_is_general_exit(policy6
));
301 tt_assert(!exit_policy_is_general_exit(policy7
));
302 tt_assert(exit_policy_is_general_exit(policy8
));
303 tt_assert(exit_policy_is_general_exit(policy9
));
304 tt_assert(!exit_policy_is_general_exit(policy10
));
305 tt_assert(!exit_policy_is_general_exit(policy11
));
307 tt_assert(!addr_policies_eq(policy
, policy2
));
308 tt_assert(!addr_policies_eq(policy
, NULL
));
309 tt_assert(addr_policies_eq(policy2
, policy2
));
310 tt_assert(addr_policies_eq(NULL
, NULL
));
312 tt_assert(!policy_is_reject_star(policy2
, AF_INET
, 1));
313 tt_assert(policy_is_reject_star(policy
, AF_INET
, 1));
314 tt_assert(policy_is_reject_star(policy10
, AF_INET
, 1));
315 tt_assert(!policy_is_reject_star(policy10
, AF_INET6
, 1));
316 tt_assert(policy_is_reject_star(policy11
, AF_INET
, 1));
317 tt_assert(policy_is_reject_star(policy11
, AF_INET6
, 1));
318 tt_assert(policy_is_reject_star(NULL
, AF_INET
, 1));
319 tt_assert(policy_is_reject_star(NULL
, AF_INET6
, 1));
320 tt_assert(!policy_is_reject_star(NULL
, AF_INET
, 0));
321 tt_assert(!policy_is_reject_star(NULL
, AF_INET6
, 0));
323 addr_policy_list_free(policy
);
326 /* make sure assume_action works */
328 p
= router_parse_addr_policy_item_from_string("127.0.0.1",
333 tt_assert(!malformed_list
);
335 p
= router_parse_addr_policy_item_from_string("127.0.0.1:*",
340 tt_assert(!malformed_list
);
342 p
= router_parse_addr_policy_item_from_string("[::]",
347 tt_assert(!malformed_list
);
349 p
= router_parse_addr_policy_item_from_string("[::]:*",
354 tt_assert(!malformed_list
);
356 p
= router_parse_addr_policy_item_from_string("[face::b]",
361 tt_assert(!malformed_list
);
363 p
= router_parse_addr_policy_item_from_string("[b::aaaa]",
368 tt_assert(!malformed_list
);
370 p
= router_parse_addr_policy_item_from_string("*",
375 tt_assert(!malformed_list
);
377 p
= router_parse_addr_policy_item_from_string("*4",
382 tt_assert(!malformed_list
);
384 p
= router_parse_addr_policy_item_from_string("*6",
389 tt_assert(!malformed_list
);
391 /* These are all ambiguous IPv6 addresses, it's good that we reject them */
392 p
= router_parse_addr_policy_item_from_string("acce::abcd",
395 tt_ptr_op(p
, OP_EQ
, NULL
);
396 tt_assert(malformed_list
);
399 p
= router_parse_addr_policy_item_from_string("7:1234",
402 tt_ptr_op(p
, OP_EQ
, NULL
);
403 tt_assert(malformed_list
);
406 p
= router_parse_addr_policy_item_from_string("::",
409 tt_ptr_op(p
, OP_EQ
, NULL
);
410 tt_assert(malformed_list
);
413 /* make sure compacting logic works. */
415 line
.key
= (char*)"foo";
416 line
.value
= (char*)"accept *:80,reject private:*,reject *:*";
418 tt_int_op(0, OP_EQ
, policies_parse_exit_policy(&line
,&policy
,
419 EXIT_POLICY_IPV6_ENABLED
|
420 EXIT_POLICY_ADD_DEFAULT
, NULL
));
423 //test_streq(policy->string, "accept *:80");
424 //test_streq(policy->next->string, "reject *:*");
425 tt_int_op(smartlist_len(policy
),OP_EQ
, 4);
427 /* test policy summaries */
428 /* check if we properly ignore private IP addresses */
429 test_policy_summary_helper("reject 192.168.0.0/16:*,"
430 "reject 0.0.0.0/8:*,"
431 "reject 10.0.0.0/8:*,"
436 /* check all accept policies, and proper counting of rejects */
437 test_policy_summary_helper("reject 11.0.0.0/9:80,"
438 "reject 12.0.0.0/9:80,"
439 "reject 13.0.0.0/9:80,"
440 "reject 14.0.0.0/9:80,"
441 "accept *:*", "accept 1-65535");
442 test_policy_summary_helper("reject 11.0.0.0/9:80,"
443 "reject 12.0.0.0/9:80,"
444 "reject 13.0.0.0/9:80,"
445 "reject 14.0.0.0/9:80,"
446 "reject 15.0.0.0:81,"
447 "accept *:*", "accept 1-65535");
448 test_policy_summary_helper6("reject 11.0.0.0/9:80,"
449 "reject 12.0.0.0/9:80,"
450 "reject 13.0.0.0/9:80,"
451 "reject 14.0.0.0/9:80,"
452 "reject 15.0.0.0:80,"
457 test_policy_summary_helper("accept 11.0.0.0/9:80,"
461 test_policy_summary_helper("accept *:80,"
466 "accept 80-81,100-111");
468 test_policy_summary_helper("accept *:1,"
474 test_policy_summary_helper("accept *:1,"
480 test_policy_summary_helper("reject *:1,"
487 /* standard long policy on many exits */
488 test_policy_summary_helper("accept *:20-23,"
522 "accept *:2086-2087,"
523 "accept *:2095-2096,"
524 "accept *:2102-2104,"
532 "accept *:5222-5223,"
535 "accept *:6660-6669,"
542 "accept *:8087-8088,"
543 "accept *:8332-8333,"
557 "accept 20-23,43,53,79-81,88,110,143,194,220,389,"
558 "443,464,531,543-544,554,563,636,706,749,873,"
559 "902-904,981,989-995,1194,1220,1293,1500,1533,"
560 "1677,1723,1755,1863,2082-2083,2086-2087,"
561 "2095-2096,2102-2104,3128,3389,3690,4321,4643,"
562 "5050,5190,5222-5223,5228,5900,6660-6669,6679,"
563 "6697,8000,8008,8074,8080,8087-8088,8332-8333,"
564 "8443,8888,9418,9999-10000,11371,12350,19294,"
565 "19638,23456,33033,64738");
566 /* short policy with configured addresses */
567 test_policy_summary_helper("reject 149.56.1.1:*,"
568 "reject [2607:5300:1:1::1:0]:*,"
573 /* short policy with configured and local interface addresses */
574 test_policy_summary_helper("reject 149.56.1.0:*,"
575 "reject 149.56.1.1:*,"
576 "reject 149.56.1.2:*,"
577 "reject 149.56.1.3:*,"
578 "reject 149.56.1.4:*,"
579 "reject 149.56.1.5:*,"
580 "reject 149.56.1.6:*,"
581 "reject 149.56.1.7:*,"
582 "reject [2607:5300:1:1::1:0]:*,"
583 "reject [2607:5300:1:1::1:1]:*,"
584 "reject [2607:5300:1:1::1:2]:*,"
585 "reject [2607:5300:1:1::1:3]:*,"
586 "reject [2607:5300:1:1::2:0]:*,"
587 "reject [2607:5300:1:1::2:1]:*,"
588 "reject [2607:5300:1:1::2:2]:*,"
589 "reject [2607:5300:1:1::2:3]:*,"
594 /* short policy with configured netblocks */
595 test_policy_summary_helper("reject 149.56.0.0/16,"
596 "reject6 2607:5300::/32,"
597 "reject6 2608:5300::/64,"
598 "reject6 2609:5300::/96,"
603 /* short policy with large netblocks that do not count as a rejection */
604 test_policy_summary_helper("reject 148.0.0.0/7,"
610 /* short policy with large netblocks that count as a rejection */
611 test_policy_summary_helper("reject 148.0.0.0/6,"
617 /* short policy with huge netblocks that count as a rejection */
618 test_policy_summary_helper("reject 128.0.0.0/1,"
624 /* short policy which blocks everything using netblocks */
625 test_policy_summary_helper("reject 0.0.0.0/0,"
631 /* short policy which has repeated redundant netblocks */
632 test_policy_summary_helper("reject 0.0.0.0/0,"
647 /* longest possible policy
648 * (1-2,4-5,... is longer, but gets reduced to 3,6,... )
649 * Going all the way to 65535 is incredibly slow, so we just go slightly
650 * more than the expected length */
651 test_policy_summary_helper("accept *:1,"
917 "accept 1,3,5,7,9,11,13,15,17,19,21,23,25,27,29,"
918 "31,33,35,37,39,41,43,45,47,49,51,53,55,57,59,61,"
919 "63,65,67,69,71,73,75,77,79,81,83,85,87,89,91,93,"
920 "95,97,99,101,103,105,107,109,111,113,115,117,"
921 "119,121,123,125,127,129,131,133,135,137,139,141,"
922 "143,145,147,149,151,153,155,157,159,161,163,165,"
923 "167,169,171,173,175,177,179,181,183,185,187,189,"
924 "191,193,195,197,199,201,203,205,207,209,211,213,"
925 "215,217,219,221,223,225,227,229,231,233,235,237,"
926 "239,241,243,245,247,249,251,253,255,257,259,261,"
927 "263,265,267,269,271,273,275,277,279,281,283,285,"
928 "287,289,291,293,295,297,299,301,303,305,307,309,"
929 "311,313,315,317,319,321,323,325,327,329,331,333,"
930 "335,337,339,341,343,345,347,349,351,353,355,357,"
931 "359,361,363,365,367,369,371,373,375,377,379,381,"
932 "383,385,387,389,391,393,395,397,399,401,403,405,"
933 "407,409,411,413,415,417,419,421,423,425,427,429,"
934 "431,433,435,437,439,441,443,445,447,449,451,453,"
935 "455,457,459,461,463,465,467,469,471,473,475,477,"
936 "479,481,483,485,487,489,491,493,495,497,499,501,"
937 "503,505,507,509,511,513,515,517,519,521,523");
939 /* Short policies with unrecognized formats should get accepted. */
940 test_short_policy_parse("accept fred,2,3-5", "accept 2,3-5");
941 test_short_policy_parse("accept 2,fred,3", "accept 2,3");
942 test_short_policy_parse("accept 2,fred,3,bob", "accept 2,3");
943 test_short_policy_parse("accept 2,-3,500-600", "accept 2,500-600");
944 /* Short policies with nil entries are accepted too. */
945 test_short_policy_parse("accept 1,,3", "accept 1,3");
946 test_short_policy_parse("accept 100-200,,", "accept 100-200");
947 test_short_policy_parse("reject ,1-10,,,,30-40", "reject 1-10,30-40");
949 /* Try parsing various broken short policies */
950 #define TT_BAD_SHORT_POLICY(s) \
952 tt_ptr_op(NULL, OP_EQ, (short_parsed = parse_short_policy((s)))); \
954 TT_BAD_SHORT_POLICY("accept 200-199");
955 TT_BAD_SHORT_POLICY("");
956 TT_BAD_SHORT_POLICY("rejekt 1,2,3");
957 TT_BAD_SHORT_POLICY("reject ");
958 TT_BAD_SHORT_POLICY("reject");
959 TT_BAD_SHORT_POLICY("rej");
960 TT_BAD_SHORT_POLICY("accept 2,3,100000");
961 TT_BAD_SHORT_POLICY("accept 2,3x,4");
962 TT_BAD_SHORT_POLICY("accept 2,3x,4");
963 TT_BAD_SHORT_POLICY("accept 2-");
964 TT_BAD_SHORT_POLICY("accept 2-x");
965 TT_BAD_SHORT_POLICY("accept 1-,3");
966 TT_BAD_SHORT_POLICY("accept 1-,3");
968 /* Make sure that IPv4 addresses are ignored in accept6/reject6 lines. */
969 p
= router_parse_addr_policy_item_from_string("accept6 1.2.3.4:*", -1,
971 tt_ptr_op(p
, OP_EQ
, NULL
);
972 tt_assert(!malformed_list
);
974 p
= router_parse_addr_policy_item_from_string("reject6 2.4.6.0/24:*", -1,
976 tt_ptr_op(p
, OP_EQ
, NULL
);
977 tt_assert(!malformed_list
);
979 p
= router_parse_addr_policy_item_from_string("accept6 *4:*", -1,
981 tt_ptr_op(p
, OP_EQ
, NULL
);
982 tt_assert(!malformed_list
);
984 /* Make sure malformed policies are detected as such. */
985 p
= router_parse_addr_policy_item_from_string("bad_token *4:*", -1,
987 tt_ptr_op(p
, OP_EQ
, NULL
);
988 tt_assert(malformed_list
);
990 p
= router_parse_addr_policy_item_from_string("accept6 **:*", -1,
992 tt_ptr_op(p
, OP_EQ
, NULL
);
993 tt_assert(malformed_list
);
995 p
= router_parse_addr_policy_item_from_string("accept */15:*", -1,
997 tt_ptr_op(p
, OP_EQ
, NULL
);
998 tt_assert(malformed_list
);
1000 p
= router_parse_addr_policy_item_from_string("reject6 */:*", -1,
1002 tt_ptr_op(p
, OP_EQ
, NULL
);
1003 tt_assert(malformed_list
);
1005 p
= router_parse_addr_policy_item_from_string("accept 127.0.0.1/33:*", -1,
1007 tt_ptr_op(p
, OP_EQ
, NULL
);
1008 tt_assert(malformed_list
);
1010 p
= router_parse_addr_policy_item_from_string("accept6 [::1]/129:*", -1,
1012 tt_ptr_op(p
, OP_EQ
, NULL
);
1013 tt_assert(malformed_list
);
1015 p
= router_parse_addr_policy_item_from_string("reject 8.8.8.8/-1:*", -1,
1017 tt_ptr_op(p
, OP_EQ
, NULL
);
1018 tt_assert(malformed_list
);
1020 p
= router_parse_addr_policy_item_from_string("reject 8.8.4.4:10-5", -1,
1022 tt_ptr_op(p
, OP_EQ
, NULL
);
1023 tt_assert(malformed_list
);
1025 p
= router_parse_addr_policy_item_from_string("reject 1.2.3.4:-1", -1,
1027 tt_ptr_op(p
, OP_EQ
, NULL
);
1028 tt_assert(malformed_list
);
1030 /* Test a too-long policy. */
1032 char *policy_strng
= NULL
;
1033 smartlist_t
*chunks
= smartlist_new();
1034 smartlist_add_strdup(chunks
, "accept ");
1035 for (i
=1; i
<10000; ++i
)
1036 smartlist_add_asprintf(chunks
, "%d,", i
);
1037 smartlist_add_strdup(chunks
, "20000");
1038 policy_strng
= smartlist_join_strings(chunks
, "", 0, NULL
);
1039 SMARTLIST_FOREACH(chunks
, char *, ch
, tor_free(ch
));
1040 smartlist_free(chunks
);
1041 short_parsed
= parse_short_policy(policy_strng
);/* shouldn't be accepted */
1042 tor_free(policy_strng
);
1043 tt_ptr_op(NULL
, OP_EQ
, short_parsed
);
1046 /* truncation ports */
1047 sm
= smartlist_new();
1048 for (i
=1; i
<2000; i
+=2) {
1049 char buf
[POLICY_BUF_LEN
];
1050 tor_snprintf(buf
, sizeof(buf
), "reject *:%d", i
);
1051 smartlist_add_strdup(sm
, buf
);
1053 smartlist_add_strdup(sm
, "accept *:*");
1054 policy_str
= smartlist_join_strings(sm
, ",", 0, NULL
);
1055 test_policy_summary_helper( policy_str
,
1056 "accept 2,4,6,8,10,12,14,16,18,20,22,24,26,28,30,32,34,36,38,40,42,44,"
1057 "46,48,50,52,54,56,58,60,62,64,66,68,70,72,74,76,78,80,82,84,86,88,90,"
1058 "92,94,96,98,100,102,104,106,108,110,112,114,116,118,120,122,124,126,128,"
1059 "130,132,134,136,138,140,142,144,146,148,150,152,154,156,158,160,162,164,"
1060 "166,168,170,172,174,176,178,180,182,184,186,188,190,192,194,196,198,200,"
1061 "202,204,206,208,210,212,214,216,218,220,222,224,226,228,230,232,234,236,"
1062 "238,240,242,244,246,248,250,252,254,256,258,260,262,264,266,268,270,272,"
1063 "274,276,278,280,282,284,286,288,290,292,294,296,298,300,302,304,306,308,"
1064 "310,312,314,316,318,320,322,324,326,328,330,332,334,336,338,340,342,344,"
1065 "346,348,350,352,354,356,358,360,362,364,366,368,370,372,374,376,378,380,"
1066 "382,384,386,388,390,392,394,396,398,400,402,404,406,408,410,412,414,416,"
1067 "418,420,422,424,426,428,430,432,434,436,438,440,442,444,446,448,450,452,"
1068 "454,456,458,460,462,464,466,468,470,472,474,476,478,480,482,484,486,488,"
1069 "490,492,494,496,498,500,502,504,506,508,510,512,514,516,518,520,522");
1072 addr_policy_list_free(policy
);
1073 addr_policy_list_free(policy2
);
1074 addr_policy_list_free(policy3
);
1075 addr_policy_list_free(policy4
);
1076 addr_policy_list_free(policy5
);
1077 addr_policy_list_free(policy6
);
1078 addr_policy_list_free(policy7
);
1079 addr_policy_list_free(policy8
);
1080 addr_policy_list_free(policy9
);
1081 addr_policy_list_free(policy10
);
1082 addr_policy_list_free(policy11
);
1083 addr_policy_list_free(policy12
);
1084 tor_free(policy_str
);
1086 SMARTLIST_FOREACH(sm
, char *, s
, tor_free(s
));
1089 short_policy_free(short_parsed
);
1092 /** Helper: Check that policy_list contains address */
1094 test_policy_has_address_helper(const smartlist_t
*policy_list
,
1095 const tor_addr_t
*addr
)
1099 tt_assert(policy_list
);
1102 SMARTLIST_FOREACH_BEGIN(policy_list
, addr_policy_t
*, p
) {
1103 if (tor_addr_eq(&p
->addr
, addr
)) {
1106 } SMARTLIST_FOREACH_END(p
);
1114 #define TEST_IPV4_ADDR (0x01020304)
1115 #define TEST_IPV6_ADDR ("2002::abcd")
1117 /** Run unit tests for rejecting the configured addresses on this exit relay
1118 * using policies_parse_exit_policy_reject_private */
1120 test_policies_reject_exit_address(void *arg
)
1122 smartlist_t
*policy
= NULL
;
1123 tor_addr_t ipv4_addr
, ipv6_addr
;
1124 smartlist_t
*ipv4_list
, *ipv6_list
, *both_list
, *dupl_list
;
1127 tor_addr_from_ipv4h(&ipv4_addr
, TEST_IPV4_ADDR
);
1128 tor_addr_parse(&ipv6_addr
, TEST_IPV6_ADDR
);
1130 ipv4_list
= smartlist_new();
1131 ipv6_list
= smartlist_new();
1132 both_list
= smartlist_new();
1133 dupl_list
= smartlist_new();
1135 smartlist_add(ipv4_list
, &ipv4_addr
);
1136 smartlist_add(both_list
, &ipv4_addr
);
1137 smartlist_add(dupl_list
, &ipv4_addr
);
1138 smartlist_add(dupl_list
, &ipv4_addr
);
1139 smartlist_add(dupl_list
, &ipv4_addr
);
1141 smartlist_add(ipv6_list
, &ipv6_addr
);
1142 smartlist_add(both_list
, &ipv6_addr
);
1143 smartlist_add(dupl_list
, &ipv6_addr
);
1144 smartlist_add(dupl_list
, &ipv6_addr
);
1146 /* IPv4-Only Exits */
1148 /* test that IPv4 addresses are rejected on an IPv4-only exit */
1149 policies_parse_exit_policy_reject_private(&policy
, 0, ipv4_list
, 0, 0);
1151 tt_int_op(smartlist_len(policy
), OP_EQ
, 1);
1152 tt_assert(test_policy_has_address_helper(policy
, &ipv4_addr
));
1153 addr_policy_list_free(policy
);
1156 /* test that IPv6 addresses are NOT rejected on an IPv4-only exit
1157 * (all IPv6 addresses are rejected by policies_parse_exit_policy_internal
1158 * on IPv4-only exits, so policies_parse_exit_policy_reject_private doesn't
1159 * need to do anything) */
1160 policies_parse_exit_policy_reject_private(&policy
, 0, ipv6_list
, 0, 0);
1161 tt_ptr_op(policy
, OP_EQ
, NULL
);
1163 /* test that only IPv4 addresses are rejected on an IPv4-only exit */
1164 policies_parse_exit_policy_reject_private(&policy
, 0, both_list
, 0, 0);
1166 tt_int_op(smartlist_len(policy
), OP_EQ
, 1);
1167 tt_assert(test_policy_has_address_helper(policy
, &ipv4_addr
));
1168 addr_policy_list_free(policy
);
1171 /* Test that lists with duplicate entries produce the same results */
1172 policies_parse_exit_policy_reject_private(&policy
, 0, dupl_list
, 0, 0);
1174 tt_int_op(smartlist_len(policy
), OP_EQ
, 1);
1175 tt_assert(test_policy_has_address_helper(policy
, &ipv4_addr
));
1176 addr_policy_list_free(policy
);
1179 /* IPv4/IPv6 Exits */
1181 /* test that IPv4 addresses are rejected on an IPv4/IPv6 exit */
1182 policies_parse_exit_policy_reject_private(&policy
, 1, ipv4_list
, 0, 0);
1184 tt_int_op(smartlist_len(policy
), OP_EQ
, 1);
1185 tt_assert(test_policy_has_address_helper(policy
, &ipv4_addr
));
1186 addr_policy_list_free(policy
);
1189 /* test that IPv6 addresses are rejected on an IPv4/IPv6 exit */
1190 policies_parse_exit_policy_reject_private(&policy
, 1, ipv6_list
, 0, 0);
1192 tt_int_op(smartlist_len(policy
), OP_EQ
, 1);
1193 tt_assert(test_policy_has_address_helper(policy
, &ipv6_addr
));
1194 addr_policy_list_free(policy
);
1197 /* test that IPv4 and IPv6 addresses are rejected on an IPv4/IPv6 exit */
1198 policies_parse_exit_policy_reject_private(&policy
, 1, both_list
, 0, 0);
1200 tt_int_op(smartlist_len(policy
), OP_EQ
, 2);
1201 tt_assert(test_policy_has_address_helper(policy
, &ipv4_addr
));
1202 tt_assert(test_policy_has_address_helper(policy
, &ipv6_addr
));
1203 addr_policy_list_free(policy
);
1206 /* Test that lists with duplicate entries produce the same results */
1207 policies_parse_exit_policy_reject_private(&policy
, 1, dupl_list
, 0, 0);
1209 tt_int_op(smartlist_len(policy
), OP_EQ
, 2);
1210 tt_assert(test_policy_has_address_helper(policy
, &ipv4_addr
));
1211 tt_assert(test_policy_has_address_helper(policy
, &ipv6_addr
));
1212 addr_policy_list_free(policy
);
1216 addr_policy_list_free(policy
);
1217 smartlist_free(ipv4_list
);
1218 smartlist_free(ipv6_list
);
1219 smartlist_free(both_list
);
1220 smartlist_free(dupl_list
);
1223 static smartlist_t
*test_configured_ports
= NULL
;
1225 /** Returns test_configured_ports */
1226 static const smartlist_t
*
1227 mock_get_configured_ports(void)
1229 return test_configured_ports
;
1232 /** Run unit tests for rejecting publicly routable configured port addresses
1233 * on this exit relay using policies_parse_exit_policy_reject_private */
1235 test_policies_reject_port_address(void *arg
)
1237 smartlist_t
*policy
= NULL
;
1238 port_cfg_t
*ipv4_port
= NULL
;
1239 port_cfg_t
*ipv6_port
= NULL
;
1242 test_configured_ports
= smartlist_new();
1244 ipv4_port
= port_cfg_new(0);
1245 tor_addr_from_ipv4h(&ipv4_port
->addr
, TEST_IPV4_ADDR
);
1246 smartlist_add(test_configured_ports
, ipv4_port
);
1248 ipv6_port
= port_cfg_new(0);
1249 tor_addr_parse(&ipv6_port
->addr
, TEST_IPV6_ADDR
);
1250 smartlist_add(test_configured_ports
, ipv6_port
);
1252 MOCK(get_configured_ports
, mock_get_configured_ports
);
1254 /* test that an IPv4 port is rejected on an IPv4-only exit, but an IPv6 port
1255 * is NOT rejected (all IPv6 addresses are rejected by
1256 * policies_parse_exit_policy_internal on IPv4-only exits, so
1257 * policies_parse_exit_policy_reject_private doesn't need to do anything
1258 * with IPv6 addresses on IPv4-only exits) */
1259 policies_parse_exit_policy_reject_private(&policy
, 0, NULL
, 0, 1);
1261 tt_int_op(smartlist_len(policy
), OP_EQ
, 1);
1262 tt_assert(test_policy_has_address_helper(policy
, &ipv4_port
->addr
));
1263 addr_policy_list_free(policy
);
1266 /* test that IPv4 and IPv6 ports are rejected on an IPv4/IPv6 exit */
1267 policies_parse_exit_policy_reject_private(&policy
, 1, NULL
, 0, 1);
1269 tt_int_op(smartlist_len(policy
), OP_EQ
, 2);
1270 tt_assert(test_policy_has_address_helper(policy
, &ipv4_port
->addr
));
1271 tt_assert(test_policy_has_address_helper(policy
, &ipv6_port
->addr
));
1272 addr_policy_list_free(policy
);
1276 addr_policy_list_free(policy
);
1277 if (test_configured_ports
) {
1278 SMARTLIST_FOREACH(test_configured_ports
,
1279 port_cfg_t
*, p
, port_cfg_free(p
));
1280 smartlist_free(test_configured_ports
);
1281 test_configured_ports
= NULL
;
1283 UNMOCK(get_configured_ports
);
1286 static smartlist_t
*mock_ipv4_addrs
= NULL
;
1287 static smartlist_t
*mock_ipv6_addrs
= NULL
;
1289 /* mock get_interface_address6_list, returning a deep copy of the template
1290 * address list ipv4_interface_address_list or ipv6_interface_address_list */
1291 static smartlist_t
*
1292 mock_get_interface_address6_list(int severity
,
1294 int include_internal
)
1297 (void)include_internal
;
1298 smartlist_t
*clone_list
= smartlist_new();
1299 smartlist_t
*template_list
= NULL
;
1301 if (family
== AF_INET
) {
1302 template_list
= mock_ipv4_addrs
;
1303 } else if (family
== AF_INET6
) {
1304 template_list
= mock_ipv6_addrs
;
1309 tt_assert(template_list
);
1311 SMARTLIST_FOREACH_BEGIN(template_list
, tor_addr_t
*, src_addr
) {
1312 tor_addr_t
*dest_addr
= tor_malloc(sizeof(tor_addr_t
));
1313 memset(dest_addr
, 0, sizeof(*dest_addr
));
1314 tor_addr_copy_tight(dest_addr
, src_addr
);
1315 smartlist_add(clone_list
, dest_addr
);
1316 } SMARTLIST_FOREACH_END(src_addr
);
1321 interface_address6_list_free(clone_list
);
1325 /** Run unit tests for rejecting publicly routable interface addresses on this
1326 * exit relay using policies_parse_exit_policy_reject_private */
1328 test_policies_reject_interface_address(void *arg
)
1330 smartlist_t
*policy
= NULL
;
1331 smartlist_t
*public_ipv4_addrs
=
1332 get_interface_address6_list(LOG_INFO
, AF_INET
, 0);
1333 smartlist_t
*public_ipv6_addrs
=
1334 get_interface_address6_list(LOG_INFO
, AF_INET6
, 0);
1335 tor_addr_t ipv4_addr
, ipv6_addr
;
1338 /* test that no addresses are rejected when none are supplied/requested */
1339 policies_parse_exit_policy_reject_private(&policy
, 0, NULL
, 0, 0);
1340 tt_ptr_op(policy
, OP_EQ
, NULL
);
1342 /* test that only IPv4 interface addresses are rejected on an IPv4-only exit
1343 * (and allow for duplicates)
1345 policies_parse_exit_policy_reject_private(&policy
, 0, NULL
, 1, 0);
1347 tt_assert(smartlist_len(policy
) <= smartlist_len(public_ipv4_addrs
));
1348 addr_policy_list_free(policy
);
1352 /* test that IPv4 and IPv6 interface addresses are rejected on an IPv4/IPv6
1353 * exit (and allow for duplicates) */
1354 policies_parse_exit_policy_reject_private(&policy
, 1, NULL
, 1, 0);
1356 tt_assert(smartlist_len(policy
) <= (smartlist_len(public_ipv4_addrs
)
1357 + smartlist_len(public_ipv6_addrs
)));
1358 addr_policy_list_free(policy
);
1362 /* Now do it all again, but mocked */
1363 tor_addr_from_ipv4h(&ipv4_addr
, TEST_IPV4_ADDR
);
1364 mock_ipv4_addrs
= smartlist_new();
1365 smartlist_add(mock_ipv4_addrs
, (void *)&ipv4_addr
);
1367 tor_addr_parse(&ipv6_addr
, TEST_IPV6_ADDR
);
1368 mock_ipv6_addrs
= smartlist_new();
1369 smartlist_add(mock_ipv6_addrs
, (void *)&ipv6_addr
);
1371 MOCK(get_interface_address6_list
, mock_get_interface_address6_list
);
1373 /* test that no addresses are rejected when none are supplied/requested */
1374 policies_parse_exit_policy_reject_private(&policy
, 0, NULL
, 0, 0);
1375 tt_ptr_op(policy
, OP_EQ
, NULL
);
1377 /* test that only IPv4 interface addresses are rejected on an IPv4-only exit
1379 policies_parse_exit_policy_reject_private(&policy
, 0, NULL
, 1, 0);
1381 tt_assert(smartlist_len(policy
) == smartlist_len(mock_ipv4_addrs
));
1382 addr_policy_list_free(policy
);
1385 /* test that IPv4 and IPv6 interface addresses are rejected on an IPv4/IPv6
1387 policies_parse_exit_policy_reject_private(&policy
, 1, NULL
, 1, 0);
1389 tt_assert(smartlist_len(policy
) == (smartlist_len(mock_ipv4_addrs
)
1390 + smartlist_len(mock_ipv6_addrs
)));
1391 addr_policy_list_free(policy
);
1395 addr_policy_list_free(policy
);
1396 interface_address6_list_free(public_ipv4_addrs
);
1397 interface_address6_list_free(public_ipv6_addrs
);
1399 UNMOCK(get_interface_address6_list
);
1400 /* we don't use interface_address6_list_free on these lists because their
1401 * address pointers are stack-based */
1402 smartlist_free(mock_ipv4_addrs
);
1403 smartlist_free(mock_ipv6_addrs
);
1406 #undef TEST_IPV4_ADDR
1407 #undef TEST_IPV6_ADDR
1410 test_dump_exit_policy_to_string(void *arg
)
1413 addr_policy_t
*policy_entry
;
1414 int malformed_list
= -1;
1416 routerinfo_t
*ri
= tor_malloc_zero(sizeof(routerinfo_t
));
1420 ri
->policy_is_reject_star
= 1;
1421 ri
->exit_policy
= NULL
; // expecting "reject *:*"
1422 ep
= router_dump_exit_policy_to_string(ri
,1,1);
1424 tt_str_op("reject *:*",OP_EQ
, ep
);
1428 ri
->exit_policy
= smartlist_new();
1429 ri
->policy_is_reject_star
= 0;
1431 policy_entry
= router_parse_addr_policy_item_from_string("accept *:*", -1,
1434 smartlist_add(ri
->exit_policy
,policy_entry
);
1436 ep
= router_dump_exit_policy_to_string(ri
,1,1);
1438 tt_str_op("accept *:*",OP_EQ
, ep
);
1442 policy_entry
= router_parse_addr_policy_item_from_string("reject *:25", -1,
1445 smartlist_add(ri
->exit_policy
,policy_entry
);
1447 ep
= router_dump_exit_policy_to_string(ri
,1,1);
1449 tt_str_op("accept *:*\nreject *:25",OP_EQ
, ep
);
1454 router_parse_addr_policy_item_from_string("reject 8.8.8.8:*", -1,
1457 smartlist_add(ri
->exit_policy
,policy_entry
);
1459 ep
= router_dump_exit_policy_to_string(ri
,1,1);
1461 tt_str_op("accept *:*\nreject *:25\nreject 8.8.8.8:*",OP_EQ
, ep
);
1465 router_parse_addr_policy_item_from_string("reject6 [FC00::]/7:*", -1,
1468 smartlist_add(ri
->exit_policy
,policy_entry
);
1470 ep
= router_dump_exit_policy_to_string(ri
,1,1);
1472 tt_str_op("accept *:*\nreject *:25\nreject 8.8.8.8:*\n"
1473 "reject6 [fc00::]/7:*",OP_EQ
, ep
);
1477 router_parse_addr_policy_item_from_string("accept6 [c000::]/3:*", -1,
1480 smartlist_add(ri
->exit_policy
,policy_entry
);
1482 ep
= router_dump_exit_policy_to_string(ri
,1,1);
1484 tt_str_op("accept *:*\nreject *:25\nreject 8.8.8.8:*\n"
1485 "reject6 [fc00::]/7:*\naccept6 [c000::]/3:*",OP_EQ
, ep
);
1489 if (ri
->exit_policy
) {
1490 SMARTLIST_FOREACH(ri
->exit_policy
, addr_policy_t
*,
1491 entry
, addr_policy_free(entry
));
1492 smartlist_free(ri
->exit_policy
);
1498 static routerinfo_t
*mock_desc_routerinfo
= NULL
;
1499 static const routerinfo_t
*
1500 mock_router_get_my_routerinfo(void)
1502 return mock_desc_routerinfo
;
1505 #define DEFAULT_POLICY_STRING "reject *:*"
1506 #define TEST_IPV4_ADDR (0x02040608)
1507 #define TEST_IPV6_ADDR ("2003::ef01")
1509 static or_options_t mock_options
;
1511 static const or_options_t
*
1512 mock_get_options(void)
1514 return &mock_options
;
1517 /** Run unit tests for generating summary lines of exit policies */
1519 test_policies_getinfo_helper_policies(void *arg
)
1523 size_t ipv4_len
= 0, ipv6_len
= 0;
1524 char *answer
= NULL
;
1525 const char *errmsg
= NULL
;
1526 routerinfo_t mock_my_routerinfo
;
1528 memset(&mock_my_routerinfo
, 0, sizeof(mock_my_routerinfo
));
1530 rv
= getinfo_helper_policies(NULL
, "exit-policy/default", &answer
, &errmsg
);
1531 tt_int_op(rv
, OP_EQ
, 0);
1532 tt_ptr_op(answer
, OP_NE
, NULL
);
1533 tt_assert(strlen(answer
) > 0);
1536 rv
= getinfo_helper_policies(NULL
, "exit-policy/reject-private/default",
1538 tt_int_op(rv
, OP_EQ
, 0);
1539 tt_ptr_op(answer
, OP_NE
, NULL
);
1540 tt_assert(strlen(answer
) > 0);
1543 memset(&mock_my_routerinfo
, 0, sizeof(routerinfo_t
));
1544 MOCK(router_get_my_routerinfo
, mock_router_get_my_routerinfo
);
1545 mock_my_routerinfo
.exit_policy
= smartlist_new();
1546 mock_desc_routerinfo
= &mock_my_routerinfo
;
1548 memset(&mock_options
, 0, sizeof(or_options_t
));
1549 MOCK(get_options
, mock_get_options
);
1551 rv
= getinfo_helper_policies(NULL
, "exit-policy/reject-private/relay",
1553 tt_int_op(rv
, OP_EQ
, 0);
1554 tt_ptr_op(answer
, OP_NE
, NULL
);
1555 tt_assert(strlen(answer
) == 0);
1558 rv
= getinfo_helper_policies(NULL
, "exit-policy/ipv4", &answer
,
1560 tt_int_op(rv
, OP_EQ
, 0);
1561 tt_ptr_op(answer
, OP_NE
, NULL
);
1562 ipv4_len
= strlen(answer
);
1563 tt_assert(ipv4_len
== 0 || ipv4_len
== strlen(DEFAULT_POLICY_STRING
));
1564 tt_assert(ipv4_len
== 0 || !strcasecmp(answer
, DEFAULT_POLICY_STRING
));
1567 rv
= getinfo_helper_policies(NULL
, "exit-policy/ipv6", &answer
,
1569 tt_int_op(rv
, OP_EQ
, 0);
1570 tt_ptr_op(answer
, OP_NE
, NULL
);
1571 ipv6_len
= strlen(answer
);
1572 tt_assert(ipv6_len
== 0 || ipv6_len
== strlen(DEFAULT_POLICY_STRING
));
1573 tt_assert(ipv6_len
== 0 || !strcasecmp(answer
, DEFAULT_POLICY_STRING
));
1576 rv
= getinfo_helper_policies(NULL
, "exit-policy/full", &answer
,
1578 tt_int_op(rv
, OP_EQ
, 0);
1579 tt_ptr_op(answer
, OP_NE
, NULL
);
1580 /* It's either empty or it's the default */
1581 tt_assert(strlen(answer
) == 0 || !strcasecmp(answer
, DEFAULT_POLICY_STRING
));
1584 mock_my_routerinfo
.addr
= TEST_IPV4_ADDR
;
1585 tor_addr_parse(&mock_my_routerinfo
.ipv6_addr
, TEST_IPV6_ADDR
);
1586 append_exit_policy_string(&mock_my_routerinfo
.exit_policy
, "accept *4:*");
1587 append_exit_policy_string(&mock_my_routerinfo
.exit_policy
, "reject *6:*");
1589 mock_options
.IPv6Exit
= 1;
1590 tor_addr_from_ipv4h(
1591 &mock_options
.OutboundBindAddresses
[OUTBOUND_ADDR_EXIT
][0],
1594 &mock_options
.OutboundBindAddresses
[OUTBOUND_ADDR_EXIT
][1],
1597 mock_options
.ExitPolicyRejectPrivate
= 1;
1598 mock_options
.ExitPolicyRejectLocalInterfaces
= 1;
1600 rv
= getinfo_helper_policies(NULL
, "exit-policy/reject-private/relay",
1602 tt_int_op(rv
, OP_EQ
, 0);
1603 tt_ptr_op(answer
, OP_NE
, NULL
);
1604 tt_assert(strlen(answer
) > 0);
1607 mock_options
.ExitPolicyRejectPrivate
= 1;
1608 mock_options
.ExitPolicyRejectLocalInterfaces
= 0;
1610 rv
= getinfo_helper_policies(NULL
, "exit-policy/reject-private/relay",
1612 tt_int_op(rv
, OP_EQ
, 0);
1613 tt_ptr_op(answer
, OP_NE
, NULL
);
1614 tt_assert(strlen(answer
) > 0);
1617 mock_options
.ExitPolicyRejectPrivate
= 0;
1618 mock_options
.ExitPolicyRejectLocalInterfaces
= 1;
1620 rv
= getinfo_helper_policies(NULL
, "exit-policy/reject-private/relay",
1622 tt_int_op(rv
, OP_EQ
, 0);
1623 tt_ptr_op(answer
, OP_NE
, NULL
);
1624 tt_assert(strlen(answer
) > 0);
1627 mock_options
.ExitPolicyRejectPrivate
= 0;
1628 mock_options
.ExitPolicyRejectLocalInterfaces
= 0;
1630 rv
= getinfo_helper_policies(NULL
, "exit-policy/reject-private/relay",
1632 tt_int_op(rv
, OP_EQ
, 0);
1633 tt_ptr_op(answer
, OP_NE
, NULL
);
1634 tt_assert(strlen(answer
) == 0);
1637 rv
= getinfo_helper_policies(NULL
, "exit-policy/ipv4", &answer
,
1639 tt_int_op(rv
, OP_EQ
, 0);
1640 tt_ptr_op(answer
, OP_NE
, NULL
);
1641 ipv4_len
= strlen(answer
);
1642 tt_assert(ipv4_len
> 0);
1645 rv
= getinfo_helper_policies(NULL
, "exit-policy/ipv6", &answer
,
1647 tt_int_op(rv
, OP_EQ
, 0);
1648 tt_ptr_op(answer
, OP_NE
, NULL
);
1649 ipv6_len
= strlen(answer
);
1650 tt_assert(ipv6_len
> 0);
1653 rv
= getinfo_helper_policies(NULL
, "exit-policy/full", &answer
,
1655 tt_int_op(rv
, OP_EQ
, 0);
1656 tt_ptr_op(answer
, OP_NE
, NULL
);
1657 tt_assert(strlen(answer
) > 0);
1658 tt_assert(strlen(answer
) == ipv4_len
+ ipv6_len
+ 1);
1663 UNMOCK(get_options
);
1664 UNMOCK(router_get_my_routerinfo
);
1665 addr_policy_list_free(mock_my_routerinfo
.exit_policy
);
1668 #undef DEFAULT_POLICY_STRING
1669 #undef TEST_IPV4_ADDR
1670 #undef TEST_IPV6_ADDR
1672 #define TEST_IPV4_ADDR_STR "1.2.3.4"
1673 #define TEST_IPV6_ADDR_STR "[1002::4567]"
1674 #define REJECT_IPv4_FINAL_STR "reject 0.0.0.0/0:*"
1675 #define REJECT_IPv6_FINAL_STR "reject [::]/0:*"
1677 #define OTHER_IPV4_ADDR_STR "6.7.8.9"
1678 #define OTHER_IPV6_ADDR_STR "[afff::]"
1680 /** Run unit tests for fascist_firewall_allows_address */
1682 test_policies_fascist_firewall_allows_address(void *arg
)
1685 tor_addr_t ipv4_addr
, ipv6_addr
, r_ipv4_addr
, r_ipv6_addr
;
1686 tor_addr_t n_ipv4_addr
, n_ipv6_addr
;
1687 const uint16_t port
= 1234;
1688 smartlist_t
*policy
= NULL
;
1689 smartlist_t
*e_policy
= NULL
;
1690 addr_policy_t
*item
= NULL
;
1691 int malformed_list
= 0;
1693 /* Setup the options and the items in the policies */
1694 memset(&mock_options
, 0, sizeof(or_options_t
));
1695 MOCK(get_options
, mock_get_options
);
1697 policy
= smartlist_new();
1698 item
= router_parse_addr_policy_item_from_string("accept "
1699 TEST_IPV4_ADDR_STR
":*",
1703 tt_assert(!malformed_list
);
1704 smartlist_add(policy
, item
);
1705 item
= router_parse_addr_policy_item_from_string("accept "
1710 tt_assert(!malformed_list
);
1711 smartlist_add(policy
, item
);
1712 /* Normally, policy_expand_unspec would do this for us */
1713 item
= router_parse_addr_policy_item_from_string(REJECT_IPv4_FINAL_STR
,
1717 tt_assert(!malformed_list
);
1718 smartlist_add(policy
, item
);
1719 item
= router_parse_addr_policy_item_from_string(REJECT_IPv6_FINAL_STR
,
1723 tt_assert(!malformed_list
);
1724 smartlist_add(policy
, item
);
1727 e_policy
= smartlist_new();
1730 char *polstr = policy_dump_to_string(policy, 1, 1);
1731 printf("%s\n", polstr);
1735 /* Parse the addresses */
1736 tor_addr_parse(&ipv4_addr
, TEST_IPV4_ADDR_STR
);
1737 tor_addr_parse(&ipv6_addr
, TEST_IPV6_ADDR_STR
);
1738 tor_addr_parse(&r_ipv4_addr
, OTHER_IPV4_ADDR_STR
);
1739 tor_addr_parse(&r_ipv6_addr
, OTHER_IPV6_ADDR_STR
);
1740 tor_addr_make_null(&n_ipv4_addr
, AF_INET
);
1741 tor_addr_make_null(&n_ipv6_addr
, AF_INET6
);
1743 /* Test the function's address matching with IPv4 and IPv6 on */
1744 memset(&mock_options
, 0, sizeof(or_options_t
));
1745 mock_options
.ClientUseIPv4
= 1;
1746 mock_options
.ClientUseIPv6
= 1;
1747 mock_options
.UseBridges
= 0;
1749 tt_int_op(fascist_firewall_allows_address(&ipv4_addr
, port
, policy
, 0, 0),
1751 tt_int_op(fascist_firewall_allows_address(&ipv6_addr
, port
, policy
, 0, 0),
1753 tt_int_op(fascist_firewall_allows_address(&r_ipv4_addr
, port
, policy
, 0, 0),
1755 tt_int_op(fascist_firewall_allows_address(&r_ipv6_addr
, port
, policy
, 0, 0),
1758 /* Preferring IPv4 */
1759 tt_int_op(fascist_firewall_allows_address(&ipv4_addr
, port
, policy
, 1, 0),
1761 tt_int_op(fascist_firewall_allows_address(&ipv6_addr
, port
, policy
, 1, 0),
1763 tt_int_op(fascist_firewall_allows_address(&r_ipv4_addr
, port
, policy
, 1, 0),
1765 tt_int_op(fascist_firewall_allows_address(&r_ipv6_addr
, port
, policy
, 1, 0),
1768 /* Preferring IPv6 */
1769 tt_int_op(fascist_firewall_allows_address(&ipv4_addr
, port
, policy
, 1, 1),
1771 tt_int_op(fascist_firewall_allows_address(&ipv6_addr
, port
, policy
, 1, 1),
1773 tt_int_op(fascist_firewall_allows_address(&r_ipv4_addr
, port
, policy
, 1, 1),
1775 tt_int_op(fascist_firewall_allows_address(&r_ipv6_addr
, port
, policy
, 1, 1),
1778 /* Test the function's address matching with UseBridges on */
1779 memset(&mock_options
, 0, sizeof(or_options_t
));
1780 mock_options
.ClientUseIPv4
= 1;
1781 mock_options
.ClientUseIPv6
= 1;
1782 mock_options
.UseBridges
= 1;
1784 tt_int_op(fascist_firewall_allows_address(&ipv4_addr
, port
, policy
, 0, 0),
1786 tt_int_op(fascist_firewall_allows_address(&ipv6_addr
, port
, policy
, 0, 0),
1788 tt_int_op(fascist_firewall_allows_address(&r_ipv4_addr
, port
, policy
, 0, 0),
1790 tt_int_op(fascist_firewall_allows_address(&r_ipv6_addr
, port
, policy
, 0, 0),
1793 /* Preferring IPv4 */
1794 tt_int_op(fascist_firewall_allows_address(&ipv4_addr
, port
, policy
, 1, 0),
1796 tt_int_op(fascist_firewall_allows_address(&ipv6_addr
, port
, policy
, 1, 0),
1798 tt_int_op(fascist_firewall_allows_address(&r_ipv4_addr
, port
, policy
, 1, 0),
1800 tt_int_op(fascist_firewall_allows_address(&r_ipv6_addr
, port
, policy
, 1, 0),
1803 /* Preferring IPv6 */
1804 tt_int_op(fascist_firewall_allows_address(&ipv4_addr
, port
, policy
, 1, 1),
1806 tt_int_op(fascist_firewall_allows_address(&ipv6_addr
, port
, policy
, 1, 1),
1808 tt_int_op(fascist_firewall_allows_address(&r_ipv4_addr
, port
, policy
, 1, 1),
1810 tt_int_op(fascist_firewall_allows_address(&r_ipv6_addr
, port
, policy
, 1, 1),
1813 /* bridge clients always use IPv6, regardless of ClientUseIPv6 */
1814 mock_options
.ClientUseIPv4
= 1;
1815 mock_options
.ClientUseIPv6
= 0;
1816 tt_int_op(fascist_firewall_allows_address(&ipv4_addr
, port
, policy
, 0, 0),
1818 tt_int_op(fascist_firewall_allows_address(&ipv6_addr
, port
, policy
, 0, 0),
1820 tt_int_op(fascist_firewall_allows_address(&r_ipv4_addr
, port
, policy
, 0, 0),
1822 tt_int_op(fascist_firewall_allows_address(&r_ipv6_addr
, port
, policy
, 0, 0),
1825 /* Test the function's address matching with IPv4 on */
1826 memset(&mock_options
, 0, sizeof(or_options_t
));
1827 mock_options
.ClientUseIPv4
= 1;
1828 mock_options
.ClientUseIPv6
= 0;
1829 mock_options
.UseBridges
= 0;
1831 tt_int_op(fascist_firewall_allows_address(&ipv4_addr
, port
, policy
, 0, 0),
1833 tt_int_op(fascist_firewall_allows_address(&ipv6_addr
, port
, policy
, 0, 0),
1835 tt_int_op(fascist_firewall_allows_address(&r_ipv4_addr
, port
, policy
, 0, 0),
1837 tt_int_op(fascist_firewall_allows_address(&r_ipv6_addr
, port
, policy
, 0, 0),
1840 /* Test the function's address matching with IPv6 on */
1841 memset(&mock_options
, 0, sizeof(or_options_t
));
1842 mock_options
.ClientUseIPv4
= 0;
1843 mock_options
.ClientUseIPv6
= 1;
1844 mock_options
.UseBridges
= 0;
1846 tt_int_op(fascist_firewall_allows_address(&ipv4_addr
, port
, policy
, 0, 0),
1848 tt_int_op(fascist_firewall_allows_address(&ipv6_addr
, port
, policy
, 0, 0),
1850 tt_int_op(fascist_firewall_allows_address(&r_ipv4_addr
, port
, policy
, 0, 0),
1852 tt_int_op(fascist_firewall_allows_address(&r_ipv6_addr
, port
, policy
, 0, 0),
1855 /* Test the function's address matching with ClientUseIPv4 0.
1856 * This means "use IPv6" regardless of the other settings. */
1857 memset(&mock_options
, 0, sizeof(or_options_t
));
1858 mock_options
.ClientUseIPv4
= 0;
1859 mock_options
.ClientUseIPv6
= 0;
1860 mock_options
.UseBridges
= 0;
1862 tt_int_op(fascist_firewall_allows_address(&ipv4_addr
, port
, policy
, 0, 0),
1864 tt_int_op(fascist_firewall_allows_address(&ipv6_addr
, port
, policy
, 0, 0),
1866 tt_int_op(fascist_firewall_allows_address(&r_ipv4_addr
, port
, policy
, 0, 0),
1868 tt_int_op(fascist_firewall_allows_address(&r_ipv6_addr
, port
, policy
, 0, 0),
1871 /* Test the function's address matching for unusual inputs */
1872 memset(&mock_options
, 0, sizeof(or_options_t
));
1873 mock_options
.ClientUseIPv4
= 1;
1874 mock_options
.ClientUseIPv6
= 1;
1875 mock_options
.UseBridges
= 1;
1877 /* NULL and tor_addr_is_null addresses are rejected */
1878 tt_int_op(fascist_firewall_allows_address(NULL
, port
, policy
, 0, 0), OP_EQ
,
1880 tt_int_op(fascist_firewall_allows_address(&n_ipv4_addr
, port
, policy
, 0, 0),
1882 tt_int_op(fascist_firewall_allows_address(&n_ipv6_addr
, port
, policy
, 0, 0),
1885 /* zero ports are rejected */
1886 tt_int_op(fascist_firewall_allows_address(&ipv4_addr
, 0, policy
, 0, 0),
1888 tt_int_op(fascist_firewall_allows_address(&ipv6_addr
, 0, policy
, 0, 0),
1891 /* NULL and empty policies accept everything */
1892 tt_int_op(fascist_firewall_allows_address(&ipv4_addr
, port
, NULL
, 0, 0),
1894 tt_int_op(fascist_firewall_allows_address(&ipv6_addr
, port
, NULL
, 0, 0),
1896 tt_int_op(fascist_firewall_allows_address(&ipv4_addr
, port
, e_policy
, 0, 0),
1898 tt_int_op(fascist_firewall_allows_address(&ipv6_addr
, port
, e_policy
, 0, 0),
1902 addr_policy_free(item
);
1903 addr_policy_list_free(policy
);
1904 addr_policy_list_free(e_policy
);
1905 UNMOCK(get_options
);
1908 #undef REJECT_IPv4_FINAL_STR
1909 #undef REJECT_IPv6_FINAL_STR
1910 #undef OTHER_IPV4_ADDR_STR
1911 #undef OTHER_IPV6_ADDR_STR
1913 #define TEST_IPV4_OR_PORT 1234
1914 #define TEST_IPV4_DIR_PORT 2345
1915 #define TEST_IPV6_OR_PORT 61234
1916 #define TEST_IPV6_DIR_PORT 62345
1918 /* Check that fascist_firewall_choose_address_rs() returns the expected
1920 #define CHECK_CHOSEN_ADDR_RS(fake_rs, fw_connection, pref_only, expect_rv, \
1923 tor_addr_port_t chosen_rs_ap; \
1924 tor_addr_make_null(&chosen_rs_ap.addr, AF_INET); \
1925 chosen_rs_ap.port = 0; \
1926 tt_int_op(fascist_firewall_choose_address_rs(&(fake_rs), \
1930 OP_EQ, (expect_rv)); \
1931 tt_assert(tor_addr_eq(&(expect_ap).addr, &chosen_rs_ap.addr)); \
1932 tt_int_op((expect_ap).port, OP_EQ, chosen_rs_ap.port); \
1935 /* Check that fascist_firewall_choose_address_node() returns the expected
1937 #define CHECK_CHOSEN_ADDR_NODE(fake_node, fw_connection, pref_only, \
1938 expect_rv, expect_ap) \
1940 tor_addr_port_t chosen_node_ap; \
1941 tor_addr_make_null(&chosen_node_ap.addr, AF_INET); \
1942 chosen_node_ap.port = 0; \
1943 tt_int_op(fascist_firewall_choose_address_node(&(fake_node), \
1947 OP_EQ, (expect_rv)); \
1948 tt_assert(tor_addr_eq(&(expect_ap).addr, &chosen_node_ap.addr)); \
1949 tt_int_op((expect_ap).port, OP_EQ, chosen_node_ap.port); \
1952 /* Check that fascist_firewall_choose_address_rs and
1953 * fascist_firewall_choose_address_node() both return the expected results. */
1954 #define CHECK_CHOSEN_ADDR_RN(fake_rs, fake_node, fw_connection, pref_only, \
1955 expect_rv, expect_ap) \
1957 CHECK_CHOSEN_ADDR_RS(fake_rs, fw_connection, pref_only, expect_rv, \
1959 CHECK_CHOSEN_ADDR_NODE(fake_node, fw_connection, pref_only, expect_rv, \
1963 /** Run unit tests for fascist_firewall_choose_address */
1965 test_policies_fascist_firewall_choose_address(void *arg
)
1968 tor_addr_port_t ipv4_or_ap
, ipv4_dir_ap
, ipv6_or_ap
, ipv6_dir_ap
;
1969 tor_addr_port_t n_ipv4_ap
, n_ipv6_ap
;
1971 /* Setup the options */
1972 memset(&mock_options
, 0, sizeof(or_options_t
));
1973 MOCK(get_options
, mock_get_options
);
1975 /* Parse the addresses */
1976 tor_addr_parse(&ipv4_or_ap
.addr
, TEST_IPV4_ADDR_STR
);
1977 ipv4_or_ap
.port
= TEST_IPV4_OR_PORT
;
1978 tor_addr_parse(&ipv4_dir_ap
.addr
, TEST_IPV4_ADDR_STR
);
1979 ipv4_dir_ap
.port
= TEST_IPV4_DIR_PORT
;
1981 tor_addr_parse(&ipv6_or_ap
.addr
, TEST_IPV6_ADDR_STR
);
1982 ipv6_or_ap
.port
= TEST_IPV6_OR_PORT
;
1983 tor_addr_parse(&ipv6_dir_ap
.addr
, TEST_IPV6_ADDR_STR
);
1984 ipv6_dir_ap
.port
= TEST_IPV6_DIR_PORT
;
1986 tor_addr_make_null(&n_ipv4_ap
.addr
, AF_INET
);
1988 tor_addr_make_null(&n_ipv6_ap
.addr
, AF_INET6
);
1991 /* Sanity check fascist_firewall_choose_address with IPv4 and IPv6 on */
1992 memset(&mock_options
, 0, sizeof(or_options_t
));
1993 mock_options
.ClientUseIPv4
= 1;
1994 mock_options
.ClientUseIPv6
= 1;
1995 mock_options
.UseBridges
= 0;
1998 tt_assert(fascist_firewall_choose_address(&ipv4_or_ap
, &ipv6_or_ap
, 1,
1999 FIREWALL_OR_CONNECTION
, 0, 0)
2001 tt_assert(fascist_firewall_choose_address(&ipv4_or_ap
, &ipv6_or_ap
, 1,
2002 FIREWALL_OR_CONNECTION
, 1, 0)
2004 tt_assert(fascist_firewall_choose_address(&ipv4_dir_ap
, &ipv6_dir_ap
, 1,
2005 FIREWALL_DIR_CONNECTION
, 0, 0)
2007 tt_assert(fascist_firewall_choose_address(&ipv4_dir_ap
, &ipv6_dir_ap
, 1,
2008 FIREWALL_DIR_CONNECTION
, 1, 0)
2012 tt_assert(fascist_firewall_choose_address(&ipv4_or_ap
, &ipv6_or_ap
, 0,
2013 FIREWALL_OR_CONNECTION
, 0, 1)
2015 tt_assert(fascist_firewall_choose_address(&ipv4_or_ap
, &ipv6_or_ap
, 0,
2016 FIREWALL_OR_CONNECTION
, 1, 1)
2018 tt_assert(fascist_firewall_choose_address(&ipv4_dir_ap
, &ipv6_dir_ap
, 0,
2019 FIREWALL_DIR_CONNECTION
, 0, 1)
2021 tt_assert(fascist_firewall_choose_address(&ipv4_dir_ap
, &ipv6_dir_ap
, 0,
2022 FIREWALL_DIR_CONNECTION
, 1, 1)
2025 /* Unusual inputs */
2027 /* null preferred OR addresses */
2028 tt_assert(fascist_firewall_choose_address(&ipv4_or_ap
, &n_ipv6_ap
, 0,
2029 FIREWALL_OR_CONNECTION
, 0, 1)
2031 tt_assert(fascist_firewall_choose_address(&n_ipv4_ap
, &ipv6_or_ap
, 1,
2032 FIREWALL_OR_CONNECTION
, 0, 0)
2035 /* null both OR addresses */
2036 tt_ptr_op(fascist_firewall_choose_address(&n_ipv4_ap
, &n_ipv6_ap
, 0,
2037 FIREWALL_OR_CONNECTION
, 0, 1),
2039 tt_ptr_op(fascist_firewall_choose_address(&n_ipv4_ap
, &n_ipv6_ap
, 1,
2040 FIREWALL_OR_CONNECTION
, 0, 0),
2043 /* null preferred Dir addresses */
2044 tt_assert(fascist_firewall_choose_address(&ipv4_dir_ap
, &n_ipv6_ap
, 0,
2045 FIREWALL_DIR_CONNECTION
, 0, 1)
2047 tt_assert(fascist_firewall_choose_address(&n_ipv4_ap
, &ipv6_dir_ap
, 1,
2048 FIREWALL_DIR_CONNECTION
, 0, 0)
2051 /* null both Dir addresses */
2052 tt_ptr_op(fascist_firewall_choose_address(&n_ipv4_ap
, &n_ipv6_ap
, 0,
2053 FIREWALL_DIR_CONNECTION
, 0, 1),
2055 tt_ptr_op(fascist_firewall_choose_address(&n_ipv4_ap
, &n_ipv6_ap
, 1,
2056 FIREWALL_DIR_CONNECTION
, 0, 0),
2059 /* Prefer IPv4 but want IPv6 (contradictory) */
2060 tt_assert(fascist_firewall_choose_address(&ipv4_or_ap
, &ipv6_or_ap
, 0,
2061 FIREWALL_OR_CONNECTION
, 0, 0)
2063 tt_assert(fascist_firewall_choose_address(&ipv4_or_ap
, &ipv6_or_ap
, 0,
2064 FIREWALL_OR_CONNECTION
, 1, 0)
2067 /* Prefer IPv6 but want IPv4 (contradictory) */
2068 tt_assert(fascist_firewall_choose_address(&ipv4_or_ap
, &ipv6_or_ap
, 1,
2069 FIREWALL_OR_CONNECTION
, 0, 1)
2071 tt_assert(fascist_firewall_choose_address(&ipv4_or_ap
, &ipv6_or_ap
, 1,
2072 FIREWALL_OR_CONNECTION
, 1, 1)
2075 /* Make a fake rs. There will be no corresponding node.
2076 * This is what happens when there's no consensus and we're bootstrapping
2077 * from authorities / fallbacks. */
2078 routerstatus_t fake_rs
;
2079 memset(&fake_rs
, 0, sizeof(routerstatus_t
));
2080 /* In a routerstatus, the OR and Dir addresses are the same */
2081 fake_rs
.addr
= tor_addr_to_ipv4h(&ipv4_or_ap
.addr
);
2082 fake_rs
.or_port
= ipv4_or_ap
.port
;
2083 fake_rs
.dir_port
= ipv4_dir_ap
.port
;
2085 tor_addr_copy(&fake_rs
.ipv6_addr
, &ipv6_or_ap
.addr
);
2086 fake_rs
.ipv6_orport
= ipv6_or_ap
.port
;
2087 /* In a routerstatus, the IPv4 and IPv6 DirPorts are the same.*/
2088 ipv6_dir_ap
.port
= TEST_IPV4_DIR_PORT
;
2090 /* Make a fake node. Even though it contains the fake_rs, a lookup won't
2091 * find the node from the rs, because they're not in the hash table. */
2093 memset(&fake_node
, 0, sizeof(node_t
));
2094 fake_node
.rs
= &fake_rs
;
2096 /* Choose an address with IPv4 and IPv6 on */
2097 memset(&mock_options
, 0, sizeof(or_options_t
));
2098 mock_options
.ClientUseIPv4
= 1;
2099 mock_options
.ClientUseIPv6
= 1;
2100 mock_options
.UseBridges
= 0;
2102 /* Preferring IPv4 */
2103 mock_options
.ClientPreferIPv6ORPort
= 0;
2104 mock_options
.ClientPreferIPv6DirPort
= 0;
2105 /* Simulate the initialisation of fake_node.ipv6_preferred */
2106 fake_node
.ipv6_preferred
= fascist_firewall_prefer_ipv6_orport(
2109 CHECK_CHOSEN_ADDR_RN(fake_rs
, fake_node
, FIREWALL_OR_CONNECTION
, 0, 1,
2111 CHECK_CHOSEN_ADDR_RN(fake_rs
, fake_node
, FIREWALL_OR_CONNECTION
, 1, 1,
2113 CHECK_CHOSEN_ADDR_RN(fake_rs
, fake_node
, FIREWALL_DIR_CONNECTION
, 0, 1,
2115 CHECK_CHOSEN_ADDR_RN(fake_rs
, fake_node
, FIREWALL_DIR_CONNECTION
, 1, 1,
2118 /* Auto (Preferring IPv4) */
2119 mock_options
.ClientPreferIPv6ORPort
= -1;
2120 mock_options
.ClientPreferIPv6DirPort
= -1;
2121 /* Simulate the initialisation of fake_node.ipv6_preferred */
2122 fake_node
.ipv6_preferred
= fascist_firewall_prefer_ipv6_orport(
2125 CHECK_CHOSEN_ADDR_RN(fake_rs
, fake_node
, FIREWALL_OR_CONNECTION
, 0, 1,
2127 CHECK_CHOSEN_ADDR_RN(fake_rs
, fake_node
, FIREWALL_OR_CONNECTION
, 1, 1,
2129 CHECK_CHOSEN_ADDR_RN(fake_rs
, fake_node
, FIREWALL_DIR_CONNECTION
, 0, 1,
2131 CHECK_CHOSEN_ADDR_RN(fake_rs
, fake_node
, FIREWALL_DIR_CONNECTION
, 1, 1,
2134 /* Preferring IPv6 */
2135 mock_options
.ClientPreferIPv6ORPort
= 1;
2136 mock_options
.ClientPreferIPv6DirPort
= 1;
2137 /* Simulate the initialisation of fake_node.ipv6_preferred */
2138 fake_node
.ipv6_preferred
= fascist_firewall_prefer_ipv6_orport(
2141 CHECK_CHOSEN_ADDR_RN(fake_rs
, fake_node
, FIREWALL_OR_CONNECTION
, 0, 1,
2143 CHECK_CHOSEN_ADDR_RN(fake_rs
, fake_node
, FIREWALL_OR_CONNECTION
, 1, 1,
2145 CHECK_CHOSEN_ADDR_RN(fake_rs
, fake_node
, FIREWALL_DIR_CONNECTION
, 0, 1,
2147 CHECK_CHOSEN_ADDR_RN(fake_rs
, fake_node
, FIREWALL_DIR_CONNECTION
, 1, 1,
2150 /* Preferring IPv4 OR / IPv6 Dir */
2151 mock_options
.ClientPreferIPv6ORPort
= 0;
2152 mock_options
.ClientPreferIPv6DirPort
= 1;
2153 /* Simulate the initialisation of fake_node.ipv6_preferred */
2154 fake_node
.ipv6_preferred
= fascist_firewall_prefer_ipv6_orport(
2157 CHECK_CHOSEN_ADDR_RN(fake_rs
, fake_node
, FIREWALL_OR_CONNECTION
, 0, 1,
2159 CHECK_CHOSEN_ADDR_RN(fake_rs
, fake_node
, FIREWALL_OR_CONNECTION
, 1, 1,
2161 CHECK_CHOSEN_ADDR_RN(fake_rs
, fake_node
, FIREWALL_DIR_CONNECTION
, 0, 1,
2163 CHECK_CHOSEN_ADDR_RN(fake_rs
, fake_node
, FIREWALL_DIR_CONNECTION
, 1, 1,
2166 /* Preferring IPv6 OR / IPv4 Dir */
2167 mock_options
.ClientPreferIPv6ORPort
= 1;
2168 mock_options
.ClientPreferIPv6DirPort
= 0;
2169 /* Simulate the initialisation of fake_node.ipv6_preferred */
2170 fake_node
.ipv6_preferred
= fascist_firewall_prefer_ipv6_orport(
2173 CHECK_CHOSEN_ADDR_RN(fake_rs
, fake_node
, FIREWALL_OR_CONNECTION
, 0, 1,
2175 CHECK_CHOSEN_ADDR_RN(fake_rs
, fake_node
, FIREWALL_OR_CONNECTION
, 1, 1,
2177 CHECK_CHOSEN_ADDR_RN(fake_rs
, fake_node
, FIREWALL_DIR_CONNECTION
, 0, 1,
2179 CHECK_CHOSEN_ADDR_RN(fake_rs
, fake_node
, FIREWALL_DIR_CONNECTION
, 1, 1,
2182 /* Choose an address with UseBridges on */
2183 memset(&mock_options
, 0, sizeof(or_options_t
));
2184 mock_options
.UseBridges
= 1;
2185 mock_options
.ClientUseIPv4
= 1;
2186 mock_options
.ClientUseIPv6
= 1;
2188 /* Preferring IPv4 */
2189 mock_options
.ClientPreferIPv6ORPort
= 0;
2190 mock_options
.ClientPreferIPv6DirPort
= 0;
2191 /* Simulate the initialisation of fake_node.ipv6_preferred */
2192 fake_node
.ipv6_preferred
= fascist_firewall_prefer_ipv6_orport(
2195 CHECK_CHOSEN_ADDR_RN(fake_rs
, fake_node
, FIREWALL_OR_CONNECTION
, 0, 1,
2197 CHECK_CHOSEN_ADDR_RN(fake_rs
, fake_node
, FIREWALL_OR_CONNECTION
, 1, 1,
2199 CHECK_CHOSEN_ADDR_RN(fake_rs
, fake_node
, FIREWALL_DIR_CONNECTION
, 0, 1,
2201 CHECK_CHOSEN_ADDR_RN(fake_rs
, fake_node
, FIREWALL_DIR_CONNECTION
, 1, 1,
2205 * - bridge clients prefer the configured bridge OR address from the node,
2206 * (the configured address family sets node.ipv6_preferred)
2207 * - other clients prefer IPv4 OR by default (see above),
2208 * - all clients, including bridge clients, prefer IPv4 Dir by default.
2210 mock_options
.ClientPreferIPv6ORPort
= -1;
2211 mock_options
.ClientPreferIPv6DirPort
= -1;
2213 /* Simulate the initialisation of fake_node.ipv6_preferred with a bridge
2214 * configured with an IPv4 address */
2215 fake_node
.ipv6_preferred
= 0;
2216 CHECK_CHOSEN_ADDR_NODE(fake_node
, FIREWALL_OR_CONNECTION
, 0, 1, ipv4_or_ap
);
2217 CHECK_CHOSEN_ADDR_NODE(fake_node
, FIREWALL_OR_CONNECTION
, 1, 1, ipv4_or_ap
);
2218 CHECK_CHOSEN_ADDR_NODE(fake_node
, FIREWALL_DIR_CONNECTION
, 0, 1,
2220 CHECK_CHOSEN_ADDR_NODE(fake_node
, FIREWALL_DIR_CONNECTION
, 1, 1,
2223 /* Simulate the initialisation of fake_node.ipv6_preferred with a bridge
2224 * configured with an IPv6 address */
2225 fake_node
.ipv6_preferred
= 1;
2226 CHECK_CHOSEN_ADDR_NODE(fake_node
, FIREWALL_OR_CONNECTION
, 0, 1, ipv6_or_ap
);
2227 CHECK_CHOSEN_ADDR_NODE(fake_node
, FIREWALL_OR_CONNECTION
, 1, 1, ipv6_or_ap
);
2228 CHECK_CHOSEN_ADDR_NODE(fake_node
, FIREWALL_DIR_CONNECTION
, 0, 1,
2230 CHECK_CHOSEN_ADDR_NODE(fake_node
, FIREWALL_DIR_CONNECTION
, 1, 1,
2233 /* When a rs has no node, it defaults to IPv4 under auto. */
2234 CHECK_CHOSEN_ADDR_RS(fake_rs
, FIREWALL_OR_CONNECTION
, 0, 1, ipv4_or_ap
);
2235 CHECK_CHOSEN_ADDR_RS(fake_rs
, FIREWALL_OR_CONNECTION
, 1, 1, ipv4_or_ap
);
2236 CHECK_CHOSEN_ADDR_RS(fake_rs
, FIREWALL_DIR_CONNECTION
, 0, 1, ipv4_dir_ap
);
2237 CHECK_CHOSEN_ADDR_RS(fake_rs
, FIREWALL_DIR_CONNECTION
, 1, 1, ipv4_dir_ap
);
2239 /* Preferring IPv6 */
2240 mock_options
.ClientPreferIPv6ORPort
= 1;
2241 mock_options
.ClientPreferIPv6DirPort
= 1;
2242 /* Simulate the initialisation of fake_node.ipv6_preferred */
2243 fake_node
.ipv6_preferred
= fascist_firewall_prefer_ipv6_orport(
2246 CHECK_CHOSEN_ADDR_RN(fake_rs
, fake_node
, FIREWALL_OR_CONNECTION
, 0, 1,
2248 CHECK_CHOSEN_ADDR_RN(fake_rs
, fake_node
, FIREWALL_OR_CONNECTION
, 1, 1,
2250 CHECK_CHOSEN_ADDR_RN(fake_rs
, fake_node
, FIREWALL_DIR_CONNECTION
, 0, 1,
2252 CHECK_CHOSEN_ADDR_RN(fake_rs
, fake_node
, FIREWALL_DIR_CONNECTION
, 1, 1,
2255 /* In the default configuration (Auto / IPv6 off), bridge clients should
2256 * use both IPv4 and IPv6, but only prefer IPv6 for bridges configured with
2257 * an IPv6 address, regardless of ClientUseIPv6. (See above.) */
2258 mock_options
.ClientUseIPv6
= 0;
2259 mock_options
.ClientPreferIPv6ORPort
= -1;
2260 mock_options
.ClientPreferIPv6DirPort
= -1;
2261 /* Simulate the initialisation of fake_node.ipv6_preferred with a bridge
2262 * configured with an IPv4 address */
2263 fake_node
.ipv6_preferred
= 0;
2264 CHECK_CHOSEN_ADDR_NODE(fake_node
, FIREWALL_OR_CONNECTION
, 0, 1, ipv4_or_ap
);
2265 CHECK_CHOSEN_ADDR_NODE(fake_node
, FIREWALL_OR_CONNECTION
, 1, 1, ipv4_or_ap
);
2266 CHECK_CHOSEN_ADDR_NODE(fake_node
, FIREWALL_DIR_CONNECTION
, 0, 1,
2268 CHECK_CHOSEN_ADDR_NODE(fake_node
, FIREWALL_DIR_CONNECTION
, 1, 1,
2271 /* Simulate the initialisation of fake_node.ipv6_preferred with a bridge
2272 * configured with an IPv6 address */
2273 fake_node
.ipv6_preferred
= 1;
2274 CHECK_CHOSEN_ADDR_NODE(fake_node
, FIREWALL_OR_CONNECTION
, 0, 1, ipv6_or_ap
);
2275 CHECK_CHOSEN_ADDR_NODE(fake_node
, FIREWALL_OR_CONNECTION
, 1, 1, ipv6_or_ap
);
2276 CHECK_CHOSEN_ADDR_NODE(fake_node
, FIREWALL_DIR_CONNECTION
, 0, 1,
2278 CHECK_CHOSEN_ADDR_NODE(fake_node
, FIREWALL_DIR_CONNECTION
, 1, 1,
2281 /* When a rs has no node, it defaults to IPv4 under auto. */
2282 CHECK_CHOSEN_ADDR_RS(fake_rs
, FIREWALL_OR_CONNECTION
, 0, 1, ipv4_or_ap
);
2283 CHECK_CHOSEN_ADDR_RS(fake_rs
, FIREWALL_OR_CONNECTION
, 1, 1, ipv4_or_ap
);
2284 CHECK_CHOSEN_ADDR_RS(fake_rs
, FIREWALL_DIR_CONNECTION
, 0, 1, ipv4_dir_ap
);
2285 CHECK_CHOSEN_ADDR_RS(fake_rs
, FIREWALL_DIR_CONNECTION
, 1, 1, ipv4_dir_ap
);
2287 /* Choose an address with IPv4 on */
2288 memset(&mock_options
, 0, sizeof(or_options_t
));
2289 mock_options
.ClientUseIPv4
= 1;
2290 mock_options
.ClientUseIPv6
= 0;
2291 /* Simulate the initialisation of fake_node.ipv6_preferred */
2292 fake_node
.ipv6_preferred
= fascist_firewall_prefer_ipv6_orport(
2295 CHECK_CHOSEN_ADDR_RN(fake_rs
, fake_node
, FIREWALL_OR_CONNECTION
, 0, 1,
2297 CHECK_CHOSEN_ADDR_RN(fake_rs
, fake_node
, FIREWALL_OR_CONNECTION
, 1, 1,
2299 CHECK_CHOSEN_ADDR_RN(fake_rs
, fake_node
, FIREWALL_DIR_CONNECTION
, 0, 1,
2301 CHECK_CHOSEN_ADDR_RN(fake_rs
, fake_node
, FIREWALL_DIR_CONNECTION
, 1, 1,
2304 /* Choose an address with IPv6 on */
2305 memset(&mock_options
, 0, sizeof(or_options_t
));
2306 mock_options
.ClientUseIPv4
= 0;
2307 mock_options
.ClientUseIPv6
= 1;
2308 /* Simulate the initialisation of fake_node.ipv6_preferred */
2309 fake_node
.ipv6_preferred
= fascist_firewall_prefer_ipv6_orport(
2312 CHECK_CHOSEN_ADDR_RN(fake_rs
, fake_node
, FIREWALL_OR_CONNECTION
, 0, 1,
2314 CHECK_CHOSEN_ADDR_RN(fake_rs
, fake_node
, FIREWALL_OR_CONNECTION
, 1, 1,
2316 CHECK_CHOSEN_ADDR_RN(fake_rs
, fake_node
, FIREWALL_DIR_CONNECTION
, 0, 1,
2318 CHECK_CHOSEN_ADDR_RN(fake_rs
, fake_node
, FIREWALL_DIR_CONNECTION
, 1, 1,
2321 /* Choose an address with ClientUseIPv4 0.
2322 * This means "use IPv6" regardless of the other settings. */
2323 memset(&mock_options
, 0, sizeof(or_options_t
));
2324 mock_options
.ClientUseIPv4
= 0;
2325 mock_options
.ClientUseIPv6
= 0;
2326 /* Simulate the initialisation of fake_node.ipv6_preferred */
2327 fake_node
.ipv6_preferred
= fascist_firewall_prefer_ipv6_orport(
2330 CHECK_CHOSEN_ADDR_RN(fake_rs
, fake_node
, FIREWALL_OR_CONNECTION
, 0, 1,
2332 CHECK_CHOSEN_ADDR_RN(fake_rs
, fake_node
, FIREWALL_OR_CONNECTION
, 1, 1,
2334 CHECK_CHOSEN_ADDR_RN(fake_rs
, fake_node
, FIREWALL_DIR_CONNECTION
, 0, 1,
2336 CHECK_CHOSEN_ADDR_RN(fake_rs
, fake_node
, FIREWALL_DIR_CONNECTION
, 1, 1,
2339 /* Choose an address with ORPort_set 1 (server mode).
2340 * This means "use IPv4" regardless of the other settings. */
2341 memset(&mock_options
, 0, sizeof(or_options_t
));
2342 mock_options
.ORPort_set
= 1;
2343 mock_options
.ClientUseIPv4
= 0;
2344 mock_options
.ClientUseIPv6
= 1;
2345 mock_options
.ClientPreferIPv6ORPort
= 1;
2346 mock_options
.ClientPreferIPv6DirPort
= 1;
2348 /* Simulate the initialisation of fake_node.ipv6_preferred */
2349 fake_node
.ipv6_preferred
= fascist_firewall_prefer_ipv6_orport(
2352 CHECK_CHOSEN_ADDR_RN(fake_rs
, fake_node
, FIREWALL_OR_CONNECTION
, 0, 1,
2354 CHECK_CHOSEN_ADDR_RN(fake_rs
, fake_node
, FIREWALL_OR_CONNECTION
, 1, 1,
2356 CHECK_CHOSEN_ADDR_RN(fake_rs
, fake_node
, FIREWALL_DIR_CONNECTION
, 0, 1,
2358 CHECK_CHOSEN_ADDR_RN(fake_rs
, fake_node
, FIREWALL_DIR_CONNECTION
, 1, 1,
2362 UNMOCK(get_options
);
2365 #undef TEST_IPV4_ADDR_STR
2366 #undef TEST_IPV6_ADDR_STR
2367 #undef TEST_IPV4_OR_PORT
2368 #undef TEST_IPV4_DIR_PORT
2369 #undef TEST_IPV6_OR_PORT
2370 #undef TEST_IPV6_DIR_PORT
2372 #undef CHECK_CHOSEN_ADDR_RS
2373 #undef CHECK_CHOSEN_ADDR_NODE
2374 #undef CHECK_CHOSEN_ADDR_RN
2376 struct testcase_t policy_tests
[] = {
2377 { "router_dump_exit_policy_to_string", test_dump_exit_policy_to_string
, 0,
2379 { "general", test_policies_general
, 0, NULL
, NULL
},
2380 { "getinfo_helper_policies", test_policies_getinfo_helper_policies
, 0, NULL
,
2382 { "reject_exit_address", test_policies_reject_exit_address
, 0, NULL
, NULL
},
2383 { "reject_interface_address", test_policies_reject_interface_address
, 0,
2385 { "reject_port_address", test_policies_reject_port_address
, 0, NULL
, NULL
},
2386 { "fascist_firewall_allows_address",
2387 test_policies_fascist_firewall_allows_address
, 0, NULL
, NULL
},
2388 { "fascist_firewall_choose_address",
2389 test_policies_fascist_firewall_choose_address
, 0, NULL
, NULL
},