| blob | 2703d7edefd0c94ff656693ac3722e7f871996cb |
1 /* Copyright (c) 2001-2004, Roger Dingledine.
2 * Copyright (c) 2004-2006, Roger Dingledine, Nick Mathewson.
3 * Copyright (c) 2007-2016, The Tor Project, Inc. */
4 /* See LICENSE for licensing information */
6 /**
7 * \file policies.c
8 * \brief Code to parse and use address policies and exit policies.
9 **/
11 #define POLICIES_PRIVATE
24 /** Policy that addresses for incoming SOCKS connections must match. */
26 /** Policy that addresses for incoming directory connections must match. */
28 /** Policy that addresses for incoming router descriptors must match in order
29 * to be published by us. */
31 /** Policy that addresses for incoming router descriptors must match in order
32 * to be marked as valid in our networkstatus. */
34 /** Policy that addresses for incoming router descriptors must <b>not</b>
35 * match in order to not be marked as BadExit. */
38 /** Parsed addr_policy_t describing which addresses we believe we can start
39 * circuits at. */
41 /** Parsed addr_policy_t describing which addresses we believe we can connect
42 * to directories at. */
45 /** Element of an exit policy summary */
50 this port range. */
54 /** Private networks. This list is used in two places, once to expand the
55 * "private" keyword when parsing our own exit policy, secondly to ignore
56 * just such networks when building exit policy summaries. It is important
57 * that all authorities agree on that list when creating summaries, so don't
58 * just change this without a proper migration plan and a proposal and stuff.
59 */
65 NULL
66 };
78 /** Replace all "private" entries in *<b>policy</b> with their expanded
79 * equivalents. */
80 void
82 {
97 }
99 addr_policy_t newpolicy;
107 }
109 }
115 }
117 /** Expand each of the AF_UNSPEC elements in *<b>policy</b> (which indicate
118 * protocol-neutral wildcards) into a pair of wildcard elements: one IPv4-
119 * specific and one IPv6-specific. */
120 void
122 {
133 addr_policy_t newpolicy_ipv4;
134 addr_policy_t newpolicy_ipv6;
143 }
153 }
158 }
160 /**
161 * Given a linked list of config lines containing "accept[6]" and "reject[6]"
162 * tokens, parse them and append the result to <b>dest</b>. Return -1
163 * if any tokens are malformed (and don't append any), else return 0.
164 *
165 * If <b>assume_action</b> is nonnegative, then insert its action
166 * (ADDR_POLICY_ACCEPT or ADDR_POLICY_REJECT) for items that specify no
167 * action.
168 */
169 static int
172 {
195 /* the error is so severe the entire list should be discarded */
200 /* the error is minor: don't add the item, but keep processing the
201 * rest of the policies in the list */
204 ent);
205 }
209 }
222 }
223 }
226 }
228 /** Helper: parse the Reachable(Dir|OR)?Addresses fields into
229 * reachable_(or|dir)_addr_policy. The options should already have
230 * been validated by validate_addr_policies.
231 */
232 static int
234 {
242 "Both ReachableDirAddresses and ReachableORAddresses are set. "
244 }
258 }
273 }
275 /* We ignore ReachableAddresses for relays */
279 || (reachable_dir_addr_policy
282 "ReachableAddresses, ReachableORAddresses, or "
283 "ReachableDirAddresses reject all addresses. Please accept "
286 && ((reachable_or_addr_policy
288 || (reachable_dir_addr_policy
291 "ReachableAddresses, ReachableORAddresses, or "
292 "ReachableDirAddresses reject all IPv4 addresses. "
295 && ((reachable_or_addr_policy
297 || (reachable_dir_addr_policy
300 "(ClientUseIPv6 1 or UseBridges 1), but "
301 "ReachableAddresses, ReachableORAddresses, or "
302 "ReachableDirAddresses reject all IPv6 addresses. "
304 }
305 }
308 }
310 /* Return true iff ClientUseIPv4 0 or ClientUseIPv6 0 might block any OR or Dir
311 * address:port combination. */
312 static int
314 {
316 /* Assume every non-bridge relay has an IPv4 address.
317 * Clients which use bridges may only know the IPv6 address of their
318 * bridge. */
322 }
324 /** Return true iff the firewall options, including ClientUseIPv4 0 and
325 * ClientUseIPv6 0, might block any OR address:port combination.
326 * Address preferences may still change which address is selected even if
327 * this function returns false.
328 */
329 int
331 {
333 }
335 /** Return true iff the firewall options, including ClientUseIPv4 0 and
336 * ClientUseIPv6 0, might block any Dir address:port combination.
337 * Address preferences may still change which address is selected even if
338 * this function returns false.
339 */
340 int
342 {
344 }
346 /** Return true iff <b>policy</b> (possibly NULL) will allow a
347 * connection to <b>addr</b>:<b>port</b>.
348 */
349 static int
352 {
353 addr_policy_result_t p;
365 }
366 }
368 /** Return true iff <b> policy</b> (possibly NULL) will allow a connection to
369 * <b>addr</b>:<b>port</b>. <b>addr</b> is an IPv4 address given in host
370 * order. */
371 /* XXXX deprecate when possible. */
372 static int
375 {
376 tor_addr_t a;
379 }
381 /** Return true iff we think our firewall will let us make a connection to
382 * addr:port.
383 *
384 * If we are configured as a server, ignore any address family preference and
385 * just use IPv4.
386 * Otherwise:
387 * - return false for all IPv4 addresses:
388 * - if ClientUseIPv4 is 0, or
389 * if pref_only and pref_ipv6 are both true;
390 * - return false for all IPv6 addresses:
391 * - if fascist_firewall_use_ipv6() is 0, or
392 * - if pref_only is true and pref_ipv6 is false.
393 *
394 * Return false if addr is NULL or tor_addr_is_null(), or if port is 0. */
395 STATIC int
400 {
406 }
408 /* Clients stop using IPv4 if it's disabled. In most cases, clients also
409 * stop using IPv4 if it's not preferred.
410 * Servers must have IPv4 enabled and preferred. */
414 }
416 /* Clients and Servers won't use IPv6 unless it's enabled (and in most
417 * cases, IPv6 must also be preferred before it will be used). */
421 }
424 firewall_policy);
425 }
427 /** Is this client configured to use IPv6?
428 * Use node_ipv6_or/dir_preferred() when checking a specific node and OR/Dir
429 * port: it supports bridge client per-node IPv6 preferences.
430 */
431 int
433 {
434 /* Clients use IPv6 if it's set, or they use bridges, or they don't use
435 * IPv4 */
438 }
440 /** Do we prefer to connect to IPv6, ignoring ClientPreferIPv6ORPort and
441 * ClientPreferIPv6DirPort?
442 * If we're unsure, return -1, otherwise, return 1 for IPv6 and 0 for IPv4.
443 */
444 static int
446 {
447 /*
448 Cheap implementation of config options ClientUseIPv4 & ClientUseIPv6 --
449 If we're a server or IPv6 is disabled, use IPv4.
450 If IPv4 is disabled, use IPv6.
451 */
455 }
459 }
462 }
464 /** Do we prefer to connect to IPv6 ORPorts?
465 * Use node_ipv6_or_preferred() whenever possible: it supports bridge client
466 * per-node IPv6 preferences.
467 */
468 int
470 {
475 }
477 /* We can use both IPv4 and IPv6 - which do we prefer? */
480 }
483 }
485 /** Do we prefer to connect to IPv6 DirPorts?
486 *
487 * (node_ipv6_dir_preferred() doesn't support bridge client per-node IPv6
488 * preferences. There's no reason to use it instead of this function.)
489 */
490 int
492 {
497 }
499 /* We can use both IPv4 and IPv6 - which do we prefer? */
502 }
505 }
507 /** Return true iff we think our firewall will let us make a connection to
508 * addr:port. Uses ReachableORAddresses or ReachableDirAddresses based on
509 * fw_connection.
510 * If pref_only is true, return true if addr is in the client's preferred
511 * address family, which is IPv6 if pref_ipv6 is true, and IPv4 otherwise.
512 * If pref_only is false, ignore pref_ipv6, and return true if addr is allowed.
513 */
514 int
516 firewall_connection_t fw_connection,
518 {
521 reachable_or_addr_policy,
525 reachable_dir_addr_policy,
529 fw_connection);
531 }
532 }
534 /** Return true iff we think our firewall will let us make a connection to
535 * addr:port (ap). Uses ReachableORAddresses or ReachableDirAddresses based on
536 * fw_connection.
537 * pref_only and pref_ipv6 work as in fascist_firewall_allows_address_addr().
538 */
539 static int
541 firewall_connection_t fw_connection,
543 {
547 pref_ipv6);
548 }
550 /* Return true iff we think our firewall will let us make a connection to
551 * ipv4h_or_addr:ipv4_or_port. ipv4h_or_addr is interpreted in host order.
552 * Uses ReachableORAddresses or ReachableDirAddresses based on
553 * fw_connection.
554 * pref_only and pref_ipv6 work as in fascist_firewall_allows_address_addr().
555 */
556 static int
559 firewall_connection_t fw_connection,
561 {
562 tor_addr_t ipv4_or_addr;
566 pref_ipv6);
567 }
569 /** Return true iff we think our firewall will let us make a connection to
570 * ipv4h_addr/ipv6_addr. Uses ipv4_orport/ipv6_orport/ReachableORAddresses or
571 * ipv4_dirport/ipv6_dirport/ReachableDirAddresses based on IPv4/IPv6 and
572 * <b>fw_connection</b>.
573 * pref_only and pref_ipv6 work as in fascist_firewall_allows_address_addr().
574 */
575 static int
580 firewall_connection_t fw_connection,
582 {
585 ? ipv4_orport
587 fw_connection,
590 }
594 ? ipv6_orport
596 fw_connection,
599 }
602 }
604 /** Like fascist_firewall_allows_base(), but takes ri. */
605 static int
607 firewall_connection_t fw_connection,
609 {
612 }
614 /* Assume IPv4 and IPv6 DirPorts are the same */
618 pref_ipv6);
619 }
621 /** Like fascist_firewall_allows_rs, but doesn't consult the node. */
622 static int
624 firewall_connection_t fw_connection,
626 {
629 }
631 /* Assume IPv4 and IPv6 DirPorts are the same */
635 pref_ipv6);
636 }
638 /** Like fascist_firewall_allows_base(), but takes rs.
639 * Consults the corresponding node, then falls back to rs if node is NULL.
640 * This should only happen when there's no valid consensus, and rs doesn't
641 * correspond to a bridge client's bridge.
642 */
643 int
646 {
649 }
656 /* There's no node-specific IPv6 preference, so use the generic IPv6
657 * preference instead. */
664 pref_ipv6);
665 }
666 }
668 /** Return true iff we think our firewall will let us make a connection to
669 * ipv6_addr:ipv6_orport based on ReachableORAddresses.
670 * If <b>fw_connection</b> is FIREWALL_DIR_CONNECTION, returns 0.
671 * pref_only and pref_ipv6 work as in fascist_firewall_allows_address_addr().
672 */
673 static int
675 firewall_connection_t fw_connection,
677 {
680 }
682 /* Can't check dirport, it doesn't have one */
685 }
687 /* Also can't check IPv4, doesn't have that either */
690 pref_ipv6);
691 }
693 /** Like fascist_firewall_allows_base(), but takes node, and looks up pref_ipv6
694 * from node_ipv6_or/dir_preferred(). */
695 int
697 firewall_connection_t fw_connection,
699 {
702 }
710 /* Sometimes, the rs is missing the IPv6 address info, and we need to go
711 * all the way to the md */
716 fw_connection,
717 pref_only,
718 pref_ipv6)) {
721 fw_connection,
722 pref_only,
723 pref_ipv6)) {
726 /* If we know nothing, assume it's unreachable, we'll never get an address
727 * to connect to. */
729 }
730 }
732 /** Like fascist_firewall_allows_rs(), but takes ds. */
733 int
735 firewall_connection_t fw_connection,
737 {
740 }
742 /* A dir_server_t always has a fake_status. As long as it has the same
743 * addresses/ports in both fake_status and dir_server_t, this works fine.
744 * (See #17867.)
745 * This function relies on fascist_firewall_choose_address_rs looking up the
746 * node if it can, because that will get the latest info for the relay. */
748 pref_only);
749 }
751 /** If a and b are both valid and allowed by fw_connection,
752 * choose one based on want_a and return it.
753 * Otherwise, return whichever is allowed.
754 * Otherwise, return NULL.
755 * pref_only and pref_ipv6 work as in fascist_firewall_allows_address_addr().
756 */
761 firewall_connection_t fw_connection,
763 {
768 pref_ipv6)) {
770 }
773 pref_ipv6)) {
775 }
777 /* If both are allowed */
779 /* Choose a if we want it */
782 /* Choose a if we have it */
784 }
785 }
787 /** If a and b are both valid and preferred by fw_connection,
788 * choose one based on want_a and return it.
789 * Otherwise, return whichever is preferred.
790 * If neither are preferred, and pref_only is false:
791 * - If a and b are both allowed by fw_connection,
792 * choose one based on want_a and return it.
793 * - Otherwise, return whichever is preferred.
794 * Otherwise, return NULL. */
799 firewall_connection_t fw_connection,
801 {
804 fw_connection,
807 /* If there is a preferred address, use it. If we can only use preferred
808 * addresses, and neither address is preferred, pref will be NULL, and we
809 * want to return NULL, so return it. */
812 /* If there's no preferred address, and we can return addresses that are
813 * not preferred, use an address that's allowed */
816 }
817 }
819 /** Copy an address and port into <b>ap</b> that we think our firewall will
820 * let us connect to. Uses ipv4_addr/ipv6_addr and
821 * ipv4_orport/ipv6_orport/ReachableORAddresses or
822 * ipv4_dirport/ipv6_dirport/ReachableDirAddresses based on IPv4/IPv6 and
823 * <b>fw_connection</b>.
824 * If pref_only, only choose preferred addresses. In either case, choose
825 * a preferred address before an address that's not preferred.
826 * If both addresses could be chosen (they are both preferred or both allowed)
827 * choose IPv6 if pref_ipv6 is true, otherwise choose IPv4.
828 * If neither address is chosen, return 0, else return 1. */
829 static int
836 firewall_connection_t fw_connection,
840 {
847 tor_addr_port_t ipv4_ap;
850 ? ipv4_orport
853 tor_addr_port_t ipv6_ap;
856 ? ipv6_orport
860 want_ipv4,
862 pref_ipv6);
870 }
871 }
873 /** Like fascist_firewall_choose_address_base(), but takes a host-order IPv4
874 * address as the first parameter. */
875 static int
882 firewall_connection_t fw_connection,
886 {
887 tor_addr_t ipv4_addr;
894 }
896 /** Like fascist_firewall_choose_address_base(), but takes <b>rs</b>.
897 * Consults the corresponding node, then falls back to rs if node is NULL.
898 * This should only happen when there's no valid consensus, and rs doesn't
899 * correspond to a bridge client's bridge.
900 */
901 int
903 firewall_connection_t fw_connection,
905 {
908 }
916 ap);
918 /* There's no node-specific IPv6 preference, so use the generic IPv6
919 * preference instead. */
925 /* Assume IPv4 and IPv6 DirPorts are the same.
926 * Assume the IPv6 OR and Dir addresses are the same. */
933 fw_connection,
934 pref_only,
935 pref_ipv6,
936 ap);
937 }
938 }
940 /** Like fascist_firewall_choose_address_base(), but takes <b>node</b>, and
941 * looks up the node's IPv6 preference rather than taking an argument
942 * for pref_ipv6. */
943 int
945 firewall_connection_t fw_connection,
947 {
950 }
958 tor_addr_port_t ipv4_or_ap;
960 tor_addr_port_t ipv4_dir_ap;
963 tor_addr_port_t ipv6_or_ap;
965 tor_addr_port_t ipv6_dir_ap;
968 /* Assume the IPv6 OR and Dir addresses are the same. */
975 fw_connection,
976 pref_only,
977 pref_ipv6_node,
978 ap);
979 }
981 /** Like fascist_firewall_choose_address_rs(), but takes <b>ds</b>. */
982 int
984 firewall_connection_t fw_connection,
987 {
990 }
992 /* A dir_server_t always has a fake_status. As long as it has the same
993 * addresses/ports in both fake_status and dir_server_t, this works fine.
994 * (See #17867.)
995 * This function relies on fascist_firewall_choose_address_rs looking up the
996 * node if it can, because that will get the latest info for the relay. */
999 }
1001 /** Return 1 if <b>addr</b> is permitted to connect to our dir port,
1002 * based on <b>dir_policy</b>. Else return 0.
1003 */
1004 int
1006 {
1008 }
1010 /** Return 1 if <b>addr</b> is permitted to connect to our socks port,
1011 * based on <b>socks_policy</b>. Else return 0.
1012 */
1013 int
1015 {
1017 }
1019 /** Return true iff the address <b>addr</b> is in a country listed in the
1020 * case-insensitive list of country codes <b>cc_list</b>. */
1021 static int
1023 {
1024 country_t country;
1026 tor_addr_t tar;
1030 /* XXXXipv6 */
1035 }
1037 /** Return 1 if <b>addr</b>:<b>port</b> is permitted to publish to our
1038 * directory, based on <b>authdir_reject_policy</b>. Else return 0.
1039 */
1040 int
1042 {
1046 }
1048 /** Return 1 if <b>addr</b>:<b>port</b> is considered valid in our
1049 * directory, based on <b>authdir_invalid_policy</b>. Else return 0.
1050 */
1051 int
1053 {
1057 }
1059 /** Return 1 if <b>addr</b>:<b>port</b> should be marked as a bad exit,
1060 * based on <b>authdir_badexit_policy</b>. Else return 0.
1061 */
1062 int
1064 {
1068 }
1070 #define REJECT(arg) \
1071 STMT_BEGIN *msg = tor_strdup(arg); goto err; STMT_END
1073 /** Config helper: If there's any problem with the policy configuration
1074 * options in <b>options</b>, return -1 and set <b>msg</b> to a newly
1075 * allocated description of the error. Else return 0. */
1076 int
1078 {
1079 /* XXXX Maybe merge this into parse_policies_from_options, to make sure
1080 * that the two can't go out of sync. */
1087 }
1098 exitrelay_setting_is_auto &&
1099 policy_accepts_something) {
1100 /* Policy accepts something */
1103 "Tor is running as an exit relay%s. If you did not want this "
1104 "behavior, please set the ExitRelay option to 0. If you do "
1105 "want to run an exit Relay, please set the ExitRelay option "
1111 "In a future version of Tor, ExitRelay 0 may become the "
1113 }
1114 }
1116 /* The rest of these calls *append* to addr_policy. So don't actually
1117 * use the results for anything other than checking if they parse! */
1123 ADDR_POLICY_REJECT))
1126 ADDR_POLICY_REJECT))
1129 ADDR_POLICY_REJECT))
1133 ADDR_POLICY_ACCEPT))
1136 ADDR_POLICY_ACCEPT))
1139 ADDR_POLICY_ACCEPT))
1142 err:
1145 #undef REJECT
1146 }
1148 /** Parse <b>string</b> in the same way that the exit policy
1149 * is parsed, and put the processed version in *<b>policy</b>.
1150 * Ignore port specifiers.
1151 */
1152 static int
1156 {
1164 }
1167 /* ports aren't used in these. */
1178 }
1180 }
1183 }
1185 }
1187 /** Set all policies based on <b>options</b>, which should have been validated
1188 * first by validate_addr_policies. */
1189 int
1191 {
1211 }
1213 /** Compare two provided address policy items, and return -1, 0, or 1
1214 * if the first is less than, equal to, or greater than the second. */
1215 static int
1217 {
1223 /* refcnt and is_canonical are irrelevant to equality,
1224 * they are hash table implementation details */
1234 }
1236 /** Like cmp_single_addr_policy() above, but looks at the
1237 * whole set of policies in each case. */
1238 int
1240 {
1248 }
1253 else
1255 }
1257 /** Node in hashtable used to store address policy entries. */
1263 /* DOCDOC policy_root */
1266 /** Return true iff a and b are equal. */
1269 {
1271 }
1273 /** Return a hashcode for <b>ent</b> */
1274 static unsigned int
1276 {
1278 addr_policy_t aa;
1291 }
1294 }
1297 policy_eq)
1301 /** Given a pointer to an addr_policy_t, return a copy of the pointer to the
1302 * "canonical" copy of that addr_policy_t; the canonical copy is a single
1303 * reference-counted object. */
1304 addr_policy_t *
1306 {
1319 }
1324 }
1326 /** Helper for compare_tor_addr_to_addr_policy. Implements the case where
1327 * addr and port are both known. */
1328 static addr_policy_result_t
1331 {
1332 /* We know the address and port, and we know the policy, so we can just
1333 * compute an exact match. */
1338 }
1339 /* Address is known */
1341 CMP_EXACT)) {
1343 /* Exact match for the policy */
1346 }
1347 }
1350 /* accept all by default. */
1352 }
1354 /** Helper for compare_tor_addr_to_addr_policy. Implements the case where
1355 * addr is known but port is not. */
1356 static addr_policy_result_t
1359 {
1360 /* We look to see if there's a definite match. If so, we return that
1361 match's value, unless there's an intervening possible match that says
1362 something different. */
1369 }
1371 CMP_EXACT)) {
1373 /* Definitely matches, since it covers all ports. */
1375 /* If we already hit a clause that might trigger a 'reject', than we
1376 * can't be sure of this certain 'accept'.*/
1378 ADDR_POLICY_ACCEPTED;
1381 ADDR_POLICY_REJECTED;
1382 }
1384 /* Might match. */
1387 else
1389 }
1390 }
1393 /* accept all by default. */
1395 }
1397 /** Helper for compare_tor_addr_to_addr_policy. Implements the case where
1398 * port is known but address is not. */
1399 static addr_policy_result_t
1402 {
1403 /* We look to see if there's a definite match. If so, we return that
1404 match's value, unless there's an intervening possible match that says
1405 something different. */
1412 }
1415 /* Definitely matches, since it covers all addresses. */
1417 /* If we already hit a clause that might trigger a 'reject', than we
1418 * can't be sure of this certain 'accept'.*/
1420 ADDR_POLICY_ACCEPTED;
1423 ADDR_POLICY_REJECTED;
1424 }
1426 /* Might match. */
1429 else
1431 }
1432 }
1435 /* accept all by default. */
1437 }
1439 /** Decide whether a given addr:port is definitely accepted,
1440 * definitely rejected, probably accepted, or probably rejected by a
1441 * given policy. If <b>addr</b> is 0, we don't know the IP of the
1442 * target address. If <b>port</b> is 0, we don't know the port of the
1443 * target address. (At least one of <b>addr</b> and <b>port</b> must be
1444 * provided. If you want to know whether a policy would definitely reject
1445 * an unknown address:port, use policy_is_reject_star().)
1446 *
1447 * We could do better by assuming that some ranges never match typical
1448 * addresses (127.0.0.1, and so on). But we'll try this for now.
1449 */
1453 {
1455 /* no policy? accept all. */
1462 }
1468 }
1469 }
1471 /** Return true iff the address policy <b>a</b> covers every case that
1472 * would be covered by <b>b</b>, so that a,b is redundant. */
1473 static int
1475 {
1477 /* You can't cover a different family. */
1479 }
1480 /* We can ignore accept/reject, since "accept *:80, reject *:80" reduces
1481 * to "accept *:80". */
1483 /* a has more fixed bits than b; it can't possibly cover b. */
1485 }
1487 /* There's a fixed bit in a that's set differently in b. */
1489 }
1491 }
1493 /** Return true iff the address policies <b>a</b> and <b>b</b> intersect,
1494 * that is, there exists an address/port that is covered by <b>a</b> that
1495 * is also covered by <b>b</b>.
1496 */
1497 static int
1499 {
1500 maskbits_t minbits;
1501 /* All the bits we care about are those that are set in both
1502 * netmasks. If they are equal in a and b's networkaddresses
1503 * then the networks intersect. If there is a difference,
1504 * then they do not. */
1507 else
1514 }
1516 /** Add the exit policy described by <b>more</b> to <b>policy</b>.
1517 */
1518 STATIC void
1520 {
1521 config_line_t tmp;
1528 }
1529 }
1531 /** Add "reject <b>addr</b>:*" to <b>dest</b>, creating the list as needed. */
1532 void
1534 {
1552 }
1554 /* Is addr public for the purposes of rejection? */
1555 static int
1557 {
1560 }
1562 /* Add "reject <b>addr</b>:*" to <b>dest</b>, creating the list as needed.
1563 * Filter the address, only adding an IPv4 reject rule if ipv4_rules
1564 * is true, and similarly for ipv6_rules. Check each address returns true for
1565 * tor_addr_is_public_for_reject before adding it.
1566 */
1567 static void
1572 {
1576 /* Only reject IP addresses which are public */
1579 /* Reject IPv4 addresses and IPv6 addresses based on the filters */
1583 }
1584 }
1585 }
1587 /** Add "reject addr:*" to <b>dest</b>, for each addr in addrs, creating the
1588 * list as needed. */
1589 void
1592 {
1599 }
1601 /** Add "reject addr:*" to <b>dest</b>, for each addr in addrs, creating the
1602 * list as needed. Filter using */
1603 static void
1608 {
1615 }
1617 /** Detect and excise "dead code" from the policy *<b>dest</b>. */
1618 static void
1620 {
1624 /* Step one: kill every ipv4 thing after *4:*, every IPv6 thing after *6:*
1625 */
1626 {
1629 sa_family_t family;
1637 }
1640 /* This is a catch-all line -- later lines are unreachable. */
1645 }
1646 }
1647 }
1648 }
1650 /* Step two: for every entry, see if there's a redundant entry
1651 * later on, and remove it. */
1665 }
1666 }
1667 }
1669 /* Step three: for every entry A, see if there's an entry B making this one
1670 * redundant later on. This is the case if A and B are of the same type
1671 * (accept/reject), A is a subset of B, and there is no other entry of
1672 * different type in between those two that intersects with A.
1673 *
1674 * Anybody want to double-check the logic here? XXX
1675 */
1679 // tor_assert(j > i); // j starts out at i+1; j only increases; i only
1680 // // decreases.
1695 }
1696 }
1697 }
1698 }
1699 }
1701 /** Reject private helper for policies_parse_exit_policy_internal: rejects
1702 * publicly routable addresses on this exit relay.
1703 *
1704 * Add reject entries to the linked list *<b>dest</b>:
1705 * <ul>
1706 * <li>if configured_addresses is non-NULL, add entries that reject each
1707 * tor_addr_t in the list as a destination.
1708 * <li>if reject_interface_addresses is true, add entries that reject each
1709 * public IPv4 and IPv6 address of each interface on this machine.
1710 * <li>if reject_configured_port_addresses is true, add entries that reject
1711 * each IPv4 and IPv6 address configured for a port.
1712 * </ul>
1713 *
1714 * IPv6 entries are only added if ipv6_exit is true. (All IPv6 addresses are
1715 * already blocked by policies_parse_exit_policy_internal if ipv6_exit is
1716 * false.)
1717 *
1718 * The list in <b>dest</b> is created as needed.
1719 */
1720 void
1727 {
1730 /* Reject configured addresses, if they are from public netblocks. */
1734 }
1736 /* Reject configured port addresses, if they are from public netblocks. */
1742 /* Only reject port IP addresses, not port unix sockets */
1745 }
1747 }
1749 /* Reject local addresses from public netblocks on any interface. */
1753 /* Reject public IPv4 addresses on any interface */
1758 /* Don't look for IPv6 addresses if we're configured as IPv4-only */
1760 /* Reject public IPv6 addresses on any interface */
1764 }
1765 }
1767 /* If addresses were added multiple times, remove all but one of them. */
1770 }
1771 }
1773 /**
1774 * Iterate through <b>policy</b> looking for redundant entries. Log a
1775 * warning message with the first redundant entry, if any is found.
1776 */
1777 static void
1779 {
1784 sa_family_t family;
1788 /* Look for accept/reject *[4|6|]:* entires */
1791 /* accept/reject *:* may have already been expanded into
1792 * accept/reject *4:*,accept/reject *6:*
1793 * But handle both forms.
1794 */
1797 }
1800 }
1801 }
1803 /* We also find accept *4:*,reject *6:* ; and
1804 * accept *4:*,<other policies>,accept *6:* ; and similar.
1805 * That's ok, because they make any subsequent entries redundant. */
1808 /* if we're not on the final entry in the list */
1811 }
1813 }
1816 /* Work out if there are redundant trailing entries in the policy list */
1819 /* Longest possible policy is
1820 * "accept6 ffff:ffff:..255/128:10000-65535",
1821 * which contains a max-length IPv6 address, plus 24 characters. */
1826 /* since we've already parsed the policy into an addr_policy_t struct,
1827 * we might not log exactly what the user typed in */
1830 "redundant, as it follows accept/reject *:* rules for both "
1831 "IPv4 and IPv6. They will be removed from the exit policy. (Use "
1833 line);
1834 }
1835 }
1837 #define DEFAULT_EXIT_POLICY \
1840 "reject *:6346-6429,reject *:6699,reject *:6881-6999,accept *:*"
1842 /** Parse the exit policy <b>cfg</b> into the linked list *<b>dest</b>.
1843 *
1844 * If <b>ipv6_exit</b> is false, prepend "reject *6:*" to the policy.
1845 *
1846 * If <b>rejectprivate</b> is true:
1847 * - prepend "reject private:*" to the policy.
1848 * - prepend entries that reject publicly routable addresses on this exit
1849 * relay by calling policies_parse_exit_policy_reject_private
1850 *
1851 * If cfg doesn't end in an absolute accept or reject and if
1852 * <b>add_default_policy</b> is true, add the default exit
1853 * policy afterwards.
1854 *
1855 * Return -1 if we can't parse cfg, else return 0.
1856 *
1857 * This function is used to parse the exit policy from our torrc. For
1858 * the functions used to parse the exit policy from a router descriptor,
1859 * see router_add_exit_policy.
1860 */
1861 static int
1870 {
1873 }
1875 /* Reject IPv4 and IPv6 reserved private netblocks */
1877 /* Reject IPv4 and IPv6 publicly routable addresses on this exit relay */
1880 configured_addresses,
1881 reject_interface_addresses,
1882 reject_configured_port_addresses);
1883 }
1887 /* Before we add the default policy and final rejects, check to see if
1888 * there are any lines after accept *:* or reject *:*. These lines have no
1889 * effect, and are most likely an error. */
1897 }
1901 }
1903 /** Parse exit policy in <b>cfg</b> into <b>dest</b> smartlist.
1904 *
1905 * Prepend an entry that rejects all IPv6 destinations unless
1906 * <b>EXIT_POLICY_IPV6_ENABLED</b> bit is set in <b>options</b> bitmask.
1907 *
1908 * If <b>EXIT_POLICY_REJECT_PRIVATE</b> bit is set in <b>options</b>:
1909 * - prepend an entry that rejects all destinations in all netblocks
1910 * reserved for private use.
1911 * - prepend entries that reject publicly routable addresses on this exit
1912 * relay by calling policies_parse_exit_policy_internal
1913 *
1914 * If <b>EXIT_POLICY_ADD_DEFAULT</b> bit is set in <b>options</b>, append
1915 * default exit policy entries to <b>result</b> smartlist.
1916 */
1917 int
1919 exit_policy_parser_cfg_t options,
1921 {
1927 reject_private,
1928 configured_addresses,
1929 reject_private,
1930 reject_private,
1931 add_default);
1932 }
1934 /** Helper function that adds a copy of addr to a smartlist as long as it is
1935 * non-NULL and not tor_addr_is_null().
1936 *
1937 * The caller is responsible for freeing all the tor_addr_t* in the smartlist.
1938 */
1939 static void
1941 {
1946 }
1947 }
1949 /** Helper function that adds ipv4h_addr to a smartlist as a tor_addr_t *,
1950 * as long as it is not tor_addr_is_null(), by converting it to a tor_addr_t
1951 * and passing it to policies_add_addr_to_smartlist.
1952 *
1953 * The caller is responsible for freeing all the tor_addr_t* in the smartlist.
1954 */
1955 static void
1957 {
1959 tor_addr_t ipv4_tor_addr;
1962 }
1963 }
1965 /** Helper function that adds copies of
1966 * or_options->OutboundBindAddressIPv[4|6]_ to a smartlist as tor_addr_t *, as
1967 * long as or_options is non-NULL, and the addresses are not
1968 * tor_addr_is_null(), by passing them to policies_add_addr_to_smartlist.
1969 *
1970 * The caller is responsible for freeing all the tor_addr_t* in the smartlist.
1971 */
1972 static void
1975 {
1981 }
1982 }
1984 /** Parse <b>ExitPolicy</b> member of <b>or_options</b> into <b>result</b>
1985 * smartlist.
1986 * If <b>or_options->IPv6Exit</b> is false, prepend an entry that
1987 * rejects all IPv6 destinations.
1988 *
1989 * If <b>or_options->ExitPolicyRejectPrivate</b> is true:
1990 * - prepend an entry that rejects all destinations in all netblocks reserved
1991 * for private use.
1992 * - if local_address is non-zero, treat it as a host-order IPv4 address, and
1993 * add it to the list of configured addresses.
1994 * - if ipv6_local_address is non-NULL, and not the null tor_addr_t, add it
1995 * to the list of configured addresses.
1996 * - if or_options->OutboundBindAddressIPv4_ is not the null tor_addr_t, add
1997 * it to the list of configured addresses.
1998 * - if or_options->OutboundBindAddressIPv6_ is not the null tor_addr_t, add
1999 * it to the list of configured addresses.
2000 *
2001 * If <b>or_options->BridgeRelay</b> is false, append entries of default
2002 * Tor exit policy into <b>result</b> smartlist.
2003 *
2004 * If or_options->ExitRelay is false, then make our exit policy into
2005 * "reject *:*" regardless.
2006 */
2007 int
2012 {
2017 /* Short-circuit for non-exit relays */
2022 }
2026 /* Configure the parser */
2029 }
2033 }
2037 }
2039 /* Copy the configured addresses into the tor_addr_t* list */
2043 or_options);
2046 configured_addresses);
2052 }
2054 /** Add "reject *:*" to the end of the policy in *<b>dest</b>, allocating
2055 * *<b>dest</b> as needed. */
2056 void
2058 {
2061 }
2063 /** Replace the exit policy of <b>node</b> with reject *:* */
2064 void
2066 {
2068 }
2070 /** Return 1 if there is at least one /8 subnet in <b>policy</b> that
2071 * allows exiting to <b>port</b>. Otherwise, return 0. */
2072 static int
2074 {
2076 /* Is this /8 rejected (1), or undecided (0)? */
2092 /* Calculate the first and last subnet that this exit policy touches
2093 * and set it as loop boundaries. */
2095 tor_addr_t addr;
2104 /* We found an allowed subnet of at least size /8. Done
2105 * for this port! */
2109 }
2110 }
2113 }
2115 /** Return true iff <b>ri</b> is "useful as an exit node", meaning
2116 * it allows exit to at least one /8 address space for at least
2117 * two of ports 80, 443, and 6667. */
2118 int
2120 {
2129 }
2131 }
2133 /** Return false if <b>policy</b> might permit access to some addr:port;
2134 * otherwise if we are certain it rejects everything, return true. */
2135 int
2137 {
2151 }
2154 }
2156 /** Write a single address policy to the buf_len byte buffer at buf. Return
2157 * the number of characters written, or -1 on failure. */
2158 int
2161 {
2172 /* write accept/reject 1.2.3.4 */
2182 else
2186 }
2191 addrpart);
2195 /* If the maskbits is 32 (IPv4) or 128 (IPv6) we don't need to give it. If
2196 the mask is 0, we already wrote "*". */
2201 }
2203 /* There is no port set; write ":*" */
2209 /* There is only one port; write ":80". */
2215 /* There is a range of ports; write ":79-80". */
2221 }
2224 else
2228 }
2230 /** Create a new exit policy summary, initially only with a single
2231 * port 1-64k item */
2232 /* XXXX This entire thing will do most stuff in O(N^2), or worse. Use an
2233 * RB-tree if that turns out to matter. */
2236 {
2250 }
2252 /** Split the summary item in <b>item</b> at the port <b>new_starts</b>.
2253 * The current item is changed to end at new-starts - 1, the new item
2254 * copies reject_count and accepted from the old item,
2255 * starts at new_starts and ends at the port where the original item
2256 * previously ended.
2257 */
2260 {
2274 }
2276 /* XXXX Nick says I'm going to hell for this. If he feels charitably towards
2277 * my immortal soul, he can clean it up himself. */
2278 #define AT(x) ((policy_summary_item_t*)smartlist_get(summary, x))
2280 #define REJECT_CUTOFF_COUNT (1<<25)
2281 /** Split an exit policy summary so that prt_min and prt_max
2282 * fall at exactly the start and end of an item respectively.
2283 */
2284 static int
2287 {
2293 i++;
2298 i++;
2299 }
2303 i++;
2308 }
2311 }
2313 /** Mark port ranges as accepted if they are below the reject_count */
2314 static void
2317 {
2324 i++;
2325 }
2327 }
2329 /** Count the number of addresses in a network with prefixlen maskbits
2330 * against the given portrange. */
2331 static void
2333 maskbits_t maskbits,
2335 {
2337 /* XXX: ipv4 specific */
2342 i++;
2343 }
2345 }
2347 /** Add a single exit policy item to our summary:
2348 * If it is an accept ignore it unless it is for all IP addresses
2349 * ("*"), i.e. it's prefixlen/maskbits is 0, else call
2350 * policy_summary_accept().
2351 * If it's a reject ignore it if it is about one of the private
2352 * networks, else call policy_summary_reject().
2353 */
2354 static void
2356 {
2360 }
2366 tor_addr_t addr;
2367 maskbits_t maskbits;
2371 }
2376 }
2377 }
2381 }
2384 }
2386 /** Create a string representing a summary for an exit policy.
2387 * The summary will either be an "accept" plus a comma-separated list of port
2388 * ranges or a "reject" plus port-ranges, depending on which is shorter.
2389 *
2390 * If no exits are allowed at all then "reject 1-65535" is returned. If no
2391 * ports are blocked instead of "reject " we return "accept 1-65535". (These
2392 * are an exception to the shorter-representation-wins rule).
2393 */
2396 {
2406 /* Create the summary list */
2411 }
2414 /* XXXX-ipv6 More family work is needed */
2418 /* Now create two lists of strings, one for accepted and one
2419 * for rejected ports. We take care to merge ranges so that
2420 * we avoid getting stuff like "1-4,5-9,10", instead we want
2421 * "1-10"
2422 */
2435 else
2440 else
2447 };
2448 i++;
2449 };
2451 /* Figure out which of the two stringlists will be shorter and use
2452 * that to build the result
2453 */
2457 }
2461 }
2474 c--;
2485 }
2489 cleanup:
2490 /* cleanup */
2503 }
2505 /** Convert a summarized policy string into a short_policy_t. Return NULL
2506 * if the string is not well-formed. */
2507 short_policy_t *
2509 {
2526 }
2543 }
2546 /* unrecognized entry format. skip it. */
2548 }
2550 /* empty; skip it. */
2551 /* XXX This happens to be unreachable, since if len==0, then *summary is
2552 * ',' or '\0', and the TOR_ISDIGIT test above would have failed. */
2554 }
2564 }
2570 }
2576 }
2580 n_entries++;
2581 }
2587 }
2589 {
2595 }
2601 }
2603 /** Write <b>policy</b> back out into a string. Used only for unit tests
2604 * currently. */
2607 {
2620 }
2623 }
2628 }
2630 /** Release all storage held in <b>policy</b>. */
2631 void
2633 {
2635 }
2637 /** See whether the <b>addr</b>:<b>port</b> address is likely to be accepted
2638 * or rejected by the summarized policy <b>policy</b>. Return values are as
2639 * for compare_tor_addr_to_addr_policy. Unlike the regular addr_policy
2640 * functions, requires the <b>port</b> be specified. */
2641 addr_policy_result_t
2644 {
2663 }
2664 }
2668 else
2671 /* ???? are these right? -NM */
2672 /* We should be sure not to return ADDR_POLICY_ACCEPTED in the accept
2673 * case here, because it would cause clients to believe that the node
2674 * allows exit enclaving. Trying it anyway would open up a cool attack
2675 * where the node refuses due to exitpolicy, the client reacts in
2676 * surprise by rewriting the node's exitpolicy to reject *:*, and then
2677 * an adversary targets users by causing them to attempt such connections
2678 * to 98% of the exits.
2679 *
2680 * Once microdescriptors can handle addresses in special cases (e.g. if
2681 * we ever solve ticket 1774), we can provide certainty here. -RD */
2684 else
2686 }
2688 /** Return true iff <b>policy</b> seems reject all ports */
2689 int
2691 {
2692 /* This doesn't need to be as much on the lookout as policy_is_reject_star,
2693 * since policy summaries are from the consensus or from consensus
2694 * microdescs.
2695 */
2697 /* Check for an exact match of "reject 1-65535". */
2701 }
2703 /** Decide whether addr:port is probably or definitely accepted or rejected by
2704 * <b>node</b>. See compare_tor_addr_to_addr_policy for details on addr/port
2705 * interpretation. */
2706 addr_policy_result_t
2709 {
2721 else
2723 }
2730 else
2735 }
2736 }
2738 /**
2739 * Given <b>policy_list</b>, a list of addr_policy_t, produce a string
2740 * representation of the list.
2741 * If <b>include_ipv4</b> is true, include IPv4 entries.
2742 * If <b>include_ipv6</b> is true, include IPv6 entries.
2743 */
2748 {
2759 }
2762 }
2771 }
2778 done:
2783 }
2785 /** Implementation for GETINFO control command: knows the answer for questions
2786 * about "exit-policy/..." */
2787 int
2791 {
2803 /* IPv6 addresses are in "[]" and contain ":",
2804 * IPv4 addresses are not in "[]" and contain "." */
2806 priv++;
2807 }
2821 }
2826 }
2831 /* Copy the configured addresses into the tor_addr_t* list */
2835 options);
2840 configured_addresses,
2861 }
2866 }
2869 }
2871 }
2873 /** Release all storage held by <b>p</b>. */
2874 void
2876 {
2881 }
2883 /** Release all storage held by <b>p</b>. */
2884 void
2886 {
2898 }
2899 }
2901 }
2902 }
2904 /** Release all storage held by policy variables. */
2905 void
2907 {
2931 /* Note the first 10 cached policies to try to figure out where they
2932 * might be coming from. */
2938 }
2939 }
2941 }