1 /* Copyright (c) 2001-2004, Roger Dingledine.
2 * Copyright (c) 2004-2006, Roger Dingledine, Nick Mathewson. */
3 /* See LICENSE for licensing information */
5 const char policies_c_id
[] = \
10 * \brief Code to parse and use address policies and exit policies.
15 static addr_policy_t
*socks_policy
= NULL
;
16 static addr_policy_t
*dir_policy
= NULL
;
17 static addr_policy_t
*authdir_reject_policy
= NULL
;
18 static addr_policy_t
*authdir_invalid_policy
= NULL
;
19 static addr_policy_t
*authdir_badexit_policy
= NULL
;
21 /** Parsed addr_policy_t describing which addresses we believe we can start
23 static addr_policy_t
*reachable_or_addr_policy
= NULL
;
24 /** Parsed addr_policy_t describing which addresses we believe we can connect
25 * to directories at. */
26 static addr_policy_t
*reachable_dir_addr_policy
= NULL
;
29 * Given a linked list of config lines containing "allow" and "deny"
30 * tokens, parse them and append the result to <b>dest</b>. Return -1
31 * if any tokens are malformed, else return 0.
34 parse_addr_policy(config_line_t
*cfg
, addr_policy_t
**dest
,
37 addr_policy_t
**nextp
;
47 nextp
= &((*nextp
)->next
);
49 entries
= smartlist_create();
50 for (; cfg
; cfg
= cfg
->next
) {
51 smartlist_split_string(entries
, cfg
->value
, ",",
52 SPLIT_SKIP_SPACE
|SPLIT_IGNORE_BLANK
, 0);
53 SMARTLIST_FOREACH(entries
, const char *, ent
,
55 log_debug(LD_CONFIG
,"Adding new entry '%s'",ent
);
56 *nextp
= router_parse_addr_policy_from_string(ent
, assume_action
);
58 if (addr_mask_get_bits((*nextp
)->msk
)<0) {
59 log_warn(LD_CONFIG
, "Address policy element '%s' can't be expressed "
60 "as a bit prefix.", ent
);
62 /* Advance nextp to the end of the policy. */
64 nextp
= &((*nextp
)->next
);
66 log_warn(LD_CONFIG
,"Malformed policy '%s'.", ent
);
70 SMARTLIST_FOREACH(entries
, char *, ent
, tor_free(ent
));
71 smartlist_clear(entries
);
73 smartlist_free(entries
);
77 /** Helper: parse the Reachable(Dir|OR)?Addresses fields into
78 * reachable_(or|dir)_addr_policy. */
80 parse_reachable_addresses(void)
82 or_options_t
*options
= get_options();
84 if (options
->ReachableDirAddresses
&&
85 options
->ReachableORAddresses
&&
86 options
->ReachableAddresses
) {
88 "Both ReachableDirAddresses and ReachableORAddresses are set. "
89 "ReachableAddresses setting will be ignored.");
91 addr_policy_free(reachable_or_addr_policy
);
92 reachable_or_addr_policy
= NULL
;
93 if (!options
->ReachableORAddresses
&& options
->ReachableAddresses
)
95 "Using ReachableAddresses as ReachableORAddresses.");
96 if (parse_addr_policy(options
->ReachableORAddresses
?
97 options
->ReachableORAddresses
:
98 options
->ReachableAddresses
,
99 &reachable_or_addr_policy
, ADDR_POLICY_ACCEPT
)) {
101 "Error parsing Reachable%sAddresses entry; ignoring.",
102 options
->ReachableORAddresses
? "OR" : "");
105 addr_policy_free(reachable_dir_addr_policy
);
106 reachable_dir_addr_policy
= NULL
;
107 if (!options
->ReachableDirAddresses
&& options
->ReachableAddresses
)
109 "Using ReachableAddresses as ReachableDirAddresses");
110 if (parse_addr_policy(options
->ReachableDirAddresses
?
111 options
->ReachableDirAddresses
:
112 options
->ReachableAddresses
,
113 &reachable_dir_addr_policy
, ADDR_POLICY_ACCEPT
)) {
114 if (options
->ReachableDirAddresses
)
116 "Error parsing ReachableDirAddresses entry; ignoring.");
120 /** Return true iff the firewall options might block any address:port
124 firewall_is_fascist_or(void)
126 return reachable_or_addr_policy
!= NULL
;
129 /** Return true iff <b>policy</b> (possibly NULL) will allow a
130 * connection to <b>addr</b>:<b>port</b>.
133 addr_policy_permits_address(uint32_t addr
, uint16_t port
,
134 addr_policy_t
*policy
)
136 addr_policy_result_t p
;
137 p
= compare_addr_to_addr_policy(addr
, port
, policy
);
139 case ADDR_POLICY_PROBABLY_ACCEPTED
:
140 case ADDR_POLICY_ACCEPTED
:
142 case ADDR_POLICY_PROBABLY_REJECTED
:
143 case ADDR_POLICY_REJECTED
:
146 log_warn(LD_BUG
, "Unexpected result: %d", (int)p
);
152 fascist_firewall_allows_address_or(uint32_t addr
, uint16_t port
)
154 return addr_policy_permits_address(addr
, port
,
155 reachable_or_addr_policy
);
159 fascist_firewall_allows_address_dir(uint32_t addr
, uint16_t port
)
161 return addr_policy_permits_address(addr
, port
,
162 reachable_dir_addr_policy
);
165 /** Return 1 if <b>addr</b> is permitted to connect to our dir port,
166 * based on <b>dir_policy</b>. Else return 0.
169 dir_policy_permits_address(uint32_t addr
)
171 return addr_policy_permits_address(addr
, 1, dir_policy
);
174 /** Return 1 if <b>addr</b> is permitted to connect to our socks port,
175 * based on <b>socks_policy</b>. Else return 0.
178 socks_policy_permits_address(uint32_t addr
)
180 return addr_policy_permits_address(addr
, 1, socks_policy
);
183 /** Return 1 if <b>addr</b>:<b>port</b> is permitted to publish to our
184 * directory, based on <b>authdir_reject_policy</b>. Else return 0.
187 authdir_policy_permits_address(uint32_t addr
, uint16_t port
)
189 return addr_policy_permits_address(addr
, port
, authdir_reject_policy
);
192 /** Return 1 if <b>addr</b>:<b>port</b> is considered valid in our
193 * directory, based on <b>authdir_invalid_policy</b>. Else return 0.
196 authdir_policy_valid_address(uint32_t addr
, uint16_t port
)
198 return addr_policy_permits_address(addr
, port
, authdir_invalid_policy
);
201 /** Return 1 if <b>addr</b>:<b>port</b> should be marked as a bad exit,
202 * based on <b>authdir_badexit_policy</b>. Else return 0.
205 authdir_policy_badexit_address(uint32_t addr
, uint16_t port
)
207 return ! addr_policy_permits_address(addr
, port
, authdir_badexit_policy
);
210 #define REJECT(arg) \
211 do { *msg = tor_strdup(arg); goto err; } while (0)
213 validate_addr_policies(or_options_t
*options
, char **msg
)
215 addr_policy_t
*addr_policy
=NULL
;
218 if (policies_parse_exit_policy(options
->ExitPolicy
, &addr_policy
,
219 options
->ExitPolicyRejectPrivate
))
220 REJECT("Error in ExitPolicy entry.");
222 /* The rest of these calls *append* to addr_policy. So don't actually
223 * use the results for anything other than checking if they parse! */
224 if (parse_addr_policy(options
->DirPolicy
, &addr_policy
, -1))
225 REJECT("Error in DirPolicy entry.");
226 if (parse_addr_policy(options
->SocksPolicy
, &addr_policy
, -1))
227 REJECT("Error in SocksPolicy entry.");
228 if (parse_addr_policy(options
->ReachableAddresses
, &addr_policy
,
230 REJECT("Error in ReachableAddresses entry.");
231 if (parse_addr_policy(options
->ReachableORAddresses
, &addr_policy
,
233 REJECT("Error in ReachableORAddresses entry.");
234 if (parse_addr_policy(options
->ReachableDirAddresses
, &addr_policy
,
236 REJECT("Error in ReachableDirAddresses entry.");
237 if (parse_addr_policy(options
->AuthDirReject
, &addr_policy
,
239 REJECT("Error in AuthDirReject entry.");
240 if (parse_addr_policy(options
->AuthDirInvalid
, &addr_policy
,
242 REJECT("Error in AuthDirInvalid entry.");
245 addr_policy_free(addr_policy
);
246 return *msg
? -1 : 0;
250 /* Parse <b>string</b> in the same way that the exit policy
251 * is parsed, and put the processed version in *<b>policy</b>.
252 * Ignore port specifiers.
255 load_policy_from_option(config_line_t
*config
, addr_policy_t
**policy
,
259 addr_policy_free(*policy
);
261 parse_addr_policy(config
, policy
, assume_action
);
262 /* ports aren't used. */
263 for (n
=*policy
; n
; n
= n
->next
) {
270 policies_parse_from_options(or_options_t
*options
)
272 load_policy_from_option(options
->SocksPolicy
, &socks_policy
, -1);
273 load_policy_from_option(options
->DirPolicy
, &dir_policy
, -1);
274 load_policy_from_option(options
->AuthDirReject
,
275 &authdir_reject_policy
, ADDR_POLICY_REJECT
);
276 load_policy_from_option(options
->AuthDirInvalid
,
277 &authdir_invalid_policy
, ADDR_POLICY_REJECT
);
278 load_policy_from_option(options
->AuthDirBadExit
,
279 &authdir_badexit_policy
, ADDR_POLICY_REJECT
);
280 parse_reachable_addresses();
283 /** Compare two provided address policy items, and return -1, 0, or 1
284 * if the first is less than, equal to, or greater than the second. */
286 cmp_single_addr_policy(addr_policy_t
*a
, addr_policy_t
*b
)
289 if ((r
=((int)a
->policy_type
- (int)b
->policy_type
)))
291 if ((r
=((int)a
->addr
- (int)b
->addr
)))
293 if ((r
=((int)a
->msk
- (int)b
->msk
)))
295 if ((r
=((int)a
->prt_min
- (int)b
->prt_min
)))
297 if ((r
=((int)a
->prt_max
- (int)b
->prt_max
)))
302 /** Like cmp_single_addr_policy() above, but looks at the
303 * whole set of policies in each case. */
305 cmp_addr_policies(addr_policy_t
*a
, addr_policy_t
*b
)
309 if ((r
=cmp_single_addr_policy(a
,b
)))
322 /** Decide whether a given addr:port is definitely accepted,
323 * definitely rejected, probably accepted, or probably rejected by a
324 * given policy. If <b>addr</b> is 0, we don't know the IP of the
325 * target address. If <b>port</b> is 0, we don't know the port of the
328 * For now, the algorithm is pretty simple: we look for definite and
329 * uncertain matches. The first definite match is what we guess; if
330 * it was preceded by no uncertain matches of the opposite policy,
331 * then the guess is definite; otherwise it is probable. (If we
332 * have a known addr and port, all matches are definite; if we have an
333 * unknown addr/port, any address/port ranges other than "all" are
336 * We could do better by assuming that some ranges never match typical
337 * addresses (127.0.0.1, and so on). But we'll try this for now.
340 compare_addr_to_addr_policy(uint32_t addr
, uint16_t port
,
341 addr_policy_t
*policy
)
343 int maybe_reject
= 0;
344 int maybe_accept
= 0;
349 for (tmpe
=policy
; tmpe
; tmpe
=tmpe
->next
) {
352 /* Address is unknown. */
353 if ((port
>= tmpe
->prt_min
&& port
<= tmpe
->prt_max
) ||
354 (!port
&& tmpe
->prt_min
<=1 && tmpe
->prt_max
>=65535)) {
355 /* The port definitely matches. */
356 if (tmpe
->msk
== 0) {
362 /* The port maybe matches. */
366 /* Address is known */
367 if ((addr
& tmpe
->msk
) == (tmpe
->addr
& tmpe
->msk
)) {
368 if (port
>= tmpe
->prt_min
&& port
<= tmpe
->prt_max
) {
369 /* Exact match for the policy */
377 if (tmpe
->policy_type
== ADDR_POLICY_REJECT
)
383 if (tmpe
->policy_type
== ADDR_POLICY_ACCEPT
) {
384 /* If we already hit a clause that might trigger a 'reject', than we
385 * can't be sure of this certain 'accept'.*/
386 return maybe_reject
? ADDR_POLICY_PROBABLY_ACCEPTED
:
387 ADDR_POLICY_ACCEPTED
;
389 return maybe_accept
? ADDR_POLICY_PROBABLY_REJECTED
:
390 ADDR_POLICY_REJECTED
;
394 /* accept all by default. */
395 return maybe_reject
? ADDR_POLICY_PROBABLY_ACCEPTED
: ADDR_POLICY_ACCEPTED
;
398 /** Return true iff the address policy <b>a</b> covers every case that
399 * would be covered by <b>b</b>, so that a,b is redundant. */
401 addr_policy_covers(addr_policy_t
*a
, addr_policy_t
*b
)
403 /* We can ignore accept/reject, since "accept *:80, reject *:80" reduces
404 * to "accept *:80". */
405 if (a
->msk
& ~b
->msk
) {
406 /* There's a wildcard bit in b->msk that's not a wildcard in a. */
409 if ((a
->addr
& a
->msk
) != (b
->addr
& a
->msk
)) {
410 /* There's a fixed bit in a that's set differently in b. */
413 return (a
->prt_min
<= b
->prt_min
&& a
->prt_max
>= b
->prt_max
);
416 /** Return true iff the address policies <b>a</b> and <b>b</b> intersect,
417 * that is, there exists an address/port that is covered by <b>a</b> that
418 * is also covered by <b>b</b>.
421 addr_policy_intersects(addr_policy_t
*a
, addr_policy_t
*b
)
423 /* All the bits we care about are those that are set in both
424 * netmasks. If they are equal in a and b's networkaddresses
425 * then the networks intersect. If there is a difference,
426 * then they do not. */
427 if (((a
->addr
^ b
->addr
) & a
->msk
& b
->msk
) != 0)
429 if (a
->prt_max
< b
->prt_min
|| b
->prt_max
< a
->prt_min
)
434 /** Add the exit policy described by <b>more</b> to <b>policy</b>.
437 append_exit_policy_string(addr_policy_t
**policy
, const char *more
)
442 tmp
.value
= (char*) more
;
444 parse_addr_policy(&tmp
, policy
, -1);
447 /** Detect and excise "dead code" from the policy *<b>dest</b>. */
449 exit_policy_remove_redundancies(addr_policy_t
**dest
)
451 addr_policy_t
*ap
, *tmp
, *victim
, *previous
;
453 /* Step one: find a *:* entry and cut off everything after it. */
454 for (ap
=*dest
; ap
; ap
=ap
->next
) {
455 if (ap
->msk
== 0 && ap
->prt_min
<= 1 && ap
->prt_max
>= 65535) {
456 /* This is a catch-all line -- later lines are unreachable. */
458 addr_policy_free(ap
->next
);
464 /* Step two: for every entry, see if there's a redundant entry
465 * later on, and remove it. */
466 for (ap
=*dest
; ap
; ap
=ap
->next
) {
469 if (tmp
->next
&& addr_policy_covers(ap
, tmp
->next
)) {
470 log(LOG_DEBUG
, LD_CONFIG
, "Removing exit policy %s. It is made "
471 "redundant by %s.", tmp
->next
->string
, ap
->string
);
473 tmp
->next
= victim
->next
;
475 addr_policy_free(victim
);
482 /* Step three: for every entry A, see if there's an entry B making this one
483 * redundant later on. This is the case if A and B are of the same type
484 * (accept/reject), A is a subset of B, and there is no other entry of
485 * different type in between those two that intersects with A.
487 * Anybody want to doublecheck the logic here? XXX
492 for (tmp
=ap
->next
; tmp
; tmp
=tmp
->next
) {
493 if (ap
->policy_type
!= tmp
->policy_type
&&
494 addr_policy_intersects(ap
, tmp
)) {
495 tmp
= NULL
; /* so that we advance previous and ap */
498 if (ap
->policy_type
== tmp
->policy_type
&&
499 addr_policy_covers(tmp
, ap
)) {
500 log(LOG_DEBUG
, LD_CONFIG
, "Removing exit policy %s. It is already "
501 "covered by %s.", ap
->string
, tmp
->string
);
506 assert(previous
->next
== victim
);
507 previous
->next
= victim
->next
;
509 assert(*dest
== victim
);
510 *dest
= victim
->next
;
514 addr_policy_free(victim
);
525 #define DEFAULT_EXIT_POLICY \
526 "reject *:25,reject *:119,reject *:135-139,reject *:445," \
527 "reject *:465,reject *:563,reject *:587," \
528 "reject *:1214,reject *:4661-4666," \
529 "reject *:6346-6429,reject *:6699,reject *:6881-6999,accept *:*"
531 /** Parse the exit policy <b>cfg</b> into the linked list *<b>dest</b>. If
532 * cfg doesn't end in an absolute accept or reject, add the default exit
533 * policy afterwards. If <b>rejectprivate</b> is true, prepend
534 * "reject private:*" to the policy. Return -1 if we can't parse cfg,
538 policies_parse_exit_policy(config_line_t
*cfg
, addr_policy_t
**dest
,
542 append_exit_policy_string(dest
, "reject private:*");
543 if (parse_addr_policy(cfg
, dest
, -1))
545 append_exit_policy_string(dest
, DEFAULT_EXIT_POLICY
);
547 exit_policy_remove_redundancies(dest
);
551 /** Return true iff <b>ri</b> is "useful as an exit node", meaning
552 * it allows exit to at least one /8 address space for at least
553 * two of ports 80, 443, and 6667. */
555 exit_policy_is_general_exit(addr_policy_t
*policy
)
557 static const int ports
[] = { 80, 443, 6667 };
560 for (i
= 0; i
< 3; ++i
) {
561 struct addr_policy_t
*p
= policy
;
562 for ( ; p
; p
= p
->next
) {
563 if (p
->prt_min
> ports
[i
] || p
->prt_max
< ports
[i
])
564 continue; /* Doesn't cover our port. */
565 if ((p
->msk
& 0x00fffffful
) != 0)
566 continue; /* Narrower than a /8. */
567 if ((p
->addr
& 0xff000000ul
) == 0x7f000000ul
)
568 continue; /* 127.x */
569 /* We have a match that is at least a /8. */
570 if (p
->policy_type
== ADDR_POLICY_ACCEPT
) {
572 break; /* stop considering this port */
576 return n_allowed
>= 2;
579 /** Return false if <b>policy</b> might permit access to some addr:port;
580 * otherwise if we are certain it rejects everything, return true. */
582 policy_is_reject_star(addr_policy_t
*p
)
584 for ( ; p
; p
= p
->next
) {
585 if (p
->policy_type
== ADDR_POLICY_ACCEPT
)
587 else if (p
->policy_type
== ADDR_POLICY_REJECT
&&
588 p
->prt_min
<= 1 && p
->prt_max
== 65535 &&
595 /** Write a single address policy to the buf_len byte buffer at buf. Return
596 * the number of characters written, or -1 on failure. */
598 policy_write_item(char *buf
, size_t buflen
, addr_policy_t
*policy
)
602 char addrbuf
[INET_NTOA_BUF_LEN
];
605 in
.s_addr
= htonl(policy
->addr
);
606 tor_inet_ntoa(&in
, addrbuf
, sizeof(addrbuf
));
607 /* write accept/reject 1.2.3.4 */
608 result
= tor_snprintf(buf
, buflen
, "%s %s",
609 policy
->policy_type
== ADDR_POLICY_ACCEPT
? "accept" : "reject",
610 policy
->msk
== 0 ? "*" : addrbuf
);
613 written
+= strlen(buf
);
614 /* If the mask is 0xffffffff, we don't need to give it. If the mask is 0,
615 * we already wrote "*". */
616 if (policy
->msk
!= 0xFFFFFFFFu
&& policy
->msk
!= 0) {
617 int n_bits
= addr_mask_get_bits(policy
->msk
);
619 if (tor_snprintf(buf
+written
, buflen
-written
, "/%d", n_bits
)<0)
622 /* Write "/255.255.0.0" */
623 in
.s_addr
= htonl(policy
->msk
);
624 tor_inet_ntoa(&in
, addrbuf
, sizeof(addrbuf
));
625 if (tor_snprintf(buf
+written
, buflen
-written
, "/%s", addrbuf
)<0)
628 written
+= strlen(buf
+written
);
630 if (policy
->prt_min
<= 1 && policy
->prt_max
== 65535) {
631 /* There is no port set; write ":*" */
632 if (written
+4 > buflen
)
634 strlcat(buf
+written
, ":*", buflen
-written
);
636 } else if (policy
->prt_min
== policy
->prt_max
) {
637 /* There is only one port; write ":80". */
638 result
= tor_snprintf(buf
+written
, buflen
-written
, ":%d", policy
->prt_min
);
643 /* There is a range of ports; write ":79-80". */
644 result
= tor_snprintf(buf
+written
, buflen
-written
, ":%d-%d",
645 policy
->prt_min
, policy
->prt_max
);
650 if (written
< buflen
)
659 getinfo_helper_policies(control_connection_t
*conn
,
660 const char *question
, char **answer
)
663 if (!strcmp(question
, "exit-policy/default")) {
664 *answer
= tor_strdup(DEFAULT_EXIT_POLICY
);
669 /** Release all storage held by <b>p</b> */
671 addr_policy_free(addr_policy_t
*p
)
684 policies_free_all(void)
686 addr_policy_free(reachable_or_addr_policy
);
687 reachable_or_addr_policy
= NULL
;
688 addr_policy_free(reachable_dir_addr_policy
);
689 reachable_dir_addr_policy
= NULL
;
690 addr_policy_free(socks_policy
);
692 addr_policy_free(dir_policy
);
694 addr_policy_free(authdir_reject_policy
);
695 authdir_reject_policy
= NULL
;
696 addr_policy_free(authdir_invalid_policy
);
697 authdir_invalid_policy
= NULL
;