1 /* Copyright (c) 2001 Matej Pfajfar.
2 * Copyright (c) 2001-2004, Roger Dingledine.
3 * Copyright (c) 2004-2006, Roger Dingledine, Nick Mathewson.
4 * Copyright (c) 2007-2017, The Tor Project, Inc. */
5 /* See LICENSE for licensing information */
9 * \brief Header file for policies.c.
12 #ifndef TOR_POLICIES_H
13 #define TOR_POLICIES_H
16 * "accept6 [ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff]/128:65535-65535\n"
17 * plus a terminating NUL, rounded up to a nice number.)
19 #define POLICY_BUF_LEN 72
21 #define EXIT_POLICY_IPV6_ENABLED (1 << 0)
22 #define EXIT_POLICY_REJECT_PRIVATE (1 << 1)
23 #define EXIT_POLICY_ADD_DEFAULT (1 << 2)
24 #define EXIT_POLICY_REJECT_LOCAL_INTERFACES (1 << 3)
25 #define EXIT_POLICY_ADD_REDUCED (1 << 4)
26 #define EXIT_POLICY_OPTION_MAX EXIT_POLICY_ADD_REDUCED
27 /* All options set: used for unit testing */
28 #define EXIT_POLICY_OPTION_ALL ((EXIT_POLICY_OPTION_MAX << 1) - 1)
30 typedef enum firewall_connection_t
{
31 FIREWALL_OR_CONNECTION
= 0,
32 FIREWALL_DIR_CONNECTION
= 1
33 } firewall_connection_t
;
35 typedef int exit_policy_parser_cfg_t
;
37 int firewall_is_fascist_or(void);
38 int firewall_is_fascist_dir(void);
39 int fascist_firewall_use_ipv6(const or_options_t
*options
);
40 int fascist_firewall_prefer_ipv6_orport(const or_options_t
*options
);
41 int fascist_firewall_prefer_ipv6_dirport(const or_options_t
*options
);
43 int fascist_firewall_allows_address_addr(const tor_addr_t
*addr
,
45 firewall_connection_t fw_connection
,
46 int pref_only
, int pref_ipv6
);
48 int fascist_firewall_allows_rs(const routerstatus_t
*rs
,
49 firewall_connection_t fw_connection
,
51 int fascist_firewall_allows_node(const node_t
*node
,
52 firewall_connection_t fw_connection
,
54 int fascist_firewall_allows_dir_server(const dir_server_t
*ds
,
55 firewall_connection_t fw_connection
,
58 int fascist_firewall_choose_address_rs(const routerstatus_t
*rs
,
59 firewall_connection_t fw_connection
,
60 int pref_only
, tor_addr_port_t
* ap
);
61 int fascist_firewall_choose_address_node(const node_t
*node
,
62 firewall_connection_t fw_connection
,
63 int pref_only
, tor_addr_port_t
* ap
);
64 int fascist_firewall_choose_address_dir_server(const dir_server_t
*ds
,
65 firewall_connection_t fw_connection
,
66 int pref_only
, tor_addr_port_t
* ap
);
68 int dir_policy_permits_address(const tor_addr_t
*addr
);
69 int socks_policy_permits_address(const tor_addr_t
*addr
);
70 int authdir_policy_permits_address(uint32_t addr
, uint16_t port
);
71 int authdir_policy_valid_address(uint32_t addr
, uint16_t port
);
72 int authdir_policy_badexit_address(uint32_t addr
, uint16_t port
);
74 int validate_addr_policies(const or_options_t
*options
, char **msg
);
75 void policy_expand_private(smartlist_t
**policy
);
76 void policy_expand_unspec(smartlist_t
**policy
);
77 int policies_parse_from_options(const or_options_t
*options
);
79 addr_policy_t
*addr_policy_get_canonical_entry(addr_policy_t
*ent
);
80 int addr_policies_eq(const smartlist_t
*a
, const smartlist_t
*b
);
81 MOCK_DECL(addr_policy_result_t
, compare_tor_addr_to_addr_policy
,
82 (const tor_addr_t
*addr
, uint16_t port
, const smartlist_t
*policy
));
83 addr_policy_result_t
compare_tor_addr_to_node_policy(const tor_addr_t
*addr
,
84 uint16_t port
, const node_t
*node
);
86 int policies_parse_exit_policy_from_options(
87 const or_options_t
*or_options
,
88 uint32_t local_address
,
89 const tor_addr_t
*ipv6_local_address
,
90 smartlist_t
**result
);
91 int policies_parse_exit_policy(config_line_t
*cfg
, smartlist_t
**dest
,
92 exit_policy_parser_cfg_t options
,
93 const smartlist_t
*configured_addresses
);
94 void policies_parse_exit_policy_reject_private(
97 const smartlist_t
*configured_addresses
,
98 int reject_interface_addresses
,
99 int reject_configured_port_addresses
);
100 void policies_exit_policy_append_reject_star(smartlist_t
**dest
);
101 void addr_policy_append_reject_addr(smartlist_t
**dest
,
102 const tor_addr_t
*addr
);
103 void addr_policy_append_reject_addr_list(smartlist_t
**dest
,
104 const smartlist_t
*addrs
);
105 void policies_set_node_exitpolicy_to_reject_all(node_t
*exitrouter
);
106 int exit_policy_is_general_exit(smartlist_t
*policy
);
107 int policy_is_reject_star(const smartlist_t
*policy
, sa_family_t family
,
108 int reject_by_default
);
109 char * policy_dump_to_string(const smartlist_t
*policy_list
,
112 int getinfo_helper_policies(control_connection_t
*conn
,
113 const char *question
, char **answer
,
114 const char **errmsg
);
115 int policy_write_item(char *buf
, size_t buflen
, const addr_policy_t
*item
,
116 int format_for_desc
);
118 void addr_policy_list_free_(smartlist_t
*p
);
119 #define addr_policy_list_free(lst) \
120 FREE_AND_NULL(smartlist_t, addr_policy_list_free_, (lst))
121 void addr_policy_free_(addr_policy_t
*p
);
122 #define addr_policy_free(p) \
123 FREE_AND_NULL(addr_policy_t, addr_policy_free_, (p))
124 void policies_free_all(void);
126 char *policy_summarize(smartlist_t
*policy
, sa_family_t family
);
128 short_policy_t
*parse_short_policy(const char *summary
);
129 char *write_short_policy(const short_policy_t
*policy
);
130 void short_policy_free_(short_policy_t
*policy
);
131 #define short_policy_free(p) \
132 FREE_AND_NULL(short_policy_t, short_policy_free_, (p))
133 int short_policy_is_reject_star(const short_policy_t
*policy
);
134 addr_policy_result_t
compare_tor_addr_to_short_policy(
135 const tor_addr_t
*addr
, uint16_t port
,
136 const short_policy_t
*policy
);
138 #ifdef POLICIES_PRIVATE
139 STATIC
void append_exit_policy_string(smartlist_t
**policy
, const char *more
);
140 STATIC
int fascist_firewall_allows_address(const tor_addr_t
*addr
,
142 smartlist_t
*firewall_policy
,
143 int pref_only
, int pref_ipv6
);
144 STATIC
const tor_addr_port_t
* fascist_firewall_choose_address(
145 const tor_addr_port_t
*a
,
146 const tor_addr_port_t
*b
,
148 firewall_connection_t fw_connection
,
149 int pref_only
, int pref_ipv6
);
151 #endif /* defined(POLICIES_PRIVATE) */
153 #endif /* !defined(TOR_POLICIES_H) */
