1 /* Copyright (c) 2013-2018, The Tor Project, Inc. */
2 /* See LICENSE for licensing information */
5 #define POLICIES_PRIVATE
7 #include "core/or/or.h"
8 #include "app/config/config.h"
9 #include "core/or/policies.h"
10 #include "feature/dirparse/policy_parse.h"
11 #include "feature/relay/router.h"
12 #include "lib/encoding/confline.h"
13 #include "test/test.h"
15 #include "core/or/addr_policy_st.h"
16 #include "core/or/port_cfg_st.h"
17 #include "feature/nodelist/node_st.h"
18 #include "feature/nodelist/routerinfo_st.h"
19 #include "feature/nodelist/routerstatus_st.h"
21 /* Helper: assert that short_policy parses and writes back out as itself,
22 or as <b>expected</b> if that's provided. */
24 test_short_policy_parse(const char *input
,
27 short_policy_t
*short_policy
= NULL
;
33 short_policy
= parse_short_policy(input
);
34 tt_assert(short_policy
);
35 out
= write_short_policy(short_policy
);
36 tt_str_op(out
, OP_EQ
, expected
);
40 short_policy_free(short_policy
);
43 /** Helper: Parse the exit policy string in <b>policy_str</b> with
44 * <b>options</b>, and make sure that policies_summarize() produces the string
45 * <b>expected_summary</b> from it when called with family. */
47 test_policy_summary_helper_family_flags(const char *policy_str
,
48 const char *expected_summary
,
50 exit_policy_parser_cfg_t options
)
53 smartlist_t
*policy
= smartlist_new();
55 char *summary_after
= NULL
;
57 short_policy_t
*short_policy
= NULL
;
60 line
.key
= (char*)"foo";
61 line
.value
= (char *)policy_str
;
64 r
= policies_parse_exit_policy(&line
, &policy
,
66 tt_int_op(r
,OP_EQ
, 0);
68 summary
= policy_summarize(policy
, family
);
70 tt_ptr_op(summary
, OP_NE
, NULL
);
71 tt_str_op(summary
,OP_EQ
, expected_summary
);
73 short_policy
= parse_short_policy(summary
);
74 tt_assert(short_policy
);
75 summary_after
= write_short_policy(short_policy
);
76 tt_str_op(summary
,OP_EQ
, summary_after
);
80 /* If we don't print the flags on failure, it's very hard to diagnose bugs */
82 TT_DECLARE("CTXT", ("\n IPv%d\n Options: %x\n Policy: %s",
83 family
== AF_INET
? 4 : 6, options
, policy_str
));
84 tor_free(summary_after
);
87 addr_policy_list_free(policy
);
88 short_policy_free(short_policy
);
91 /** Like test_policy_summary_helper_family_flags, but tries all the different
92 * flag combinations */
94 test_policy_summary_helper_family(const char *policy_str
,
95 const char *expected_summary
,
98 for (exit_policy_parser_cfg_t opt
= 0;
99 opt
<= EXIT_POLICY_OPTION_ALL
;
101 if (family
== AF_INET6
&& !(opt
& EXIT_POLICY_IPV6_ENABLED
))
102 /* Skip the test: IPv6 addresses need IPv6 enabled */
105 if (opt
& EXIT_POLICY_REJECT_LOCAL_INTERFACES
)
106 /* Skip the test: local interfaces are machine-specific */
109 test_policy_summary_helper_family_flags(policy_str
, expected_summary
,
114 /** Like test_policy_summary_helper_family, but uses expected_summary for
115 * both IPv4 and IPv6. */
117 test_policy_summary_helper(const char *policy_str
,
118 const char *expected_summary
)
120 test_policy_summary_helper_family(policy_str
, expected_summary
, AF_INET
);
121 test_policy_summary_helper_family(policy_str
, expected_summary
, AF_INET6
);
124 /** Like test_policy_summary_helper_family, but uses expected_summary4 for
125 * IPv4 and expected_summary6 for IPv6. */
127 test_policy_summary_helper6(const char *policy_str
,
128 const char *expected_summary4
,
129 const char *expected_summary6
)
131 test_policy_summary_helper_family(policy_str
, expected_summary4
, AF_INET
);
132 test_policy_summary_helper_family(policy_str
, expected_summary6
, AF_INET6
);
135 /** Run unit tests for generating summary lines of exit policies */
137 test_policies_general(void *arg
)
140 smartlist_t
*policy
= NULL
, *policy2
= NULL
, *policy3
= NULL
,
141 *policy4
= NULL
, *policy5
= NULL
, *policy6
= NULL
,
142 *policy7
= NULL
, *policy8
= NULL
, *policy9
= NULL
,
143 *policy10
= NULL
, *policy11
= NULL
, *policy12
= NULL
;
145 tor_addr_t tar
, tar2
;
146 smartlist_t
*addr_list
= NULL
;
148 smartlist_t
*sm
= NULL
;
149 char *policy_str
= NULL
;
150 short_policy_t
*short_parsed
= NULL
;
151 int malformed_list
= -1;
154 policy
= smartlist_new();
156 p
= router_parse_addr_policy_item_from_string("reject 192.168.0.0/16:*", -1,
158 tt_ptr_op(p
, OP_NE
, NULL
);
159 tt_int_op(ADDR_POLICY_REJECT
,OP_EQ
, p
->policy_type
);
160 tor_addr_from_ipv4h(&tar
, 0xc0a80000u
);
161 tt_int_op(0,OP_EQ
, tor_addr_compare(&p
->addr
, &tar
, CMP_EXACT
));
162 tt_int_op(16,OP_EQ
, p
->maskbits
);
163 tt_int_op(1,OP_EQ
, p
->prt_min
);
164 tt_int_op(65535,OP_EQ
, p
->prt_max
);
166 smartlist_add(policy
, p
);
168 tor_addr_from_ipv4h(&tar
, 0x01020304u
);
169 tt_assert(ADDR_POLICY_ACCEPTED
==
170 compare_tor_addr_to_addr_policy(&tar
, 2, policy
));
171 tor_addr_make_unspec(&tar
);
172 tt_assert(ADDR_POLICY_PROBABLY_ACCEPTED
==
173 compare_tor_addr_to_addr_policy(&tar
, 2, policy
));
174 tor_addr_from_ipv4h(&tar
, 0xc0a80102);
175 tt_assert(ADDR_POLICY_REJECTED
==
176 compare_tor_addr_to_addr_policy(&tar
, 2, policy
));
178 tt_int_op(0, OP_EQ
, policies_parse_exit_policy(NULL
, &policy2
,
179 EXIT_POLICY_IPV6_ENABLED
|
180 EXIT_POLICY_REJECT_PRIVATE
|
181 EXIT_POLICY_ADD_DEFAULT
, NULL
));
185 tor_addr_from_ipv4h(&tar
, 0x0306090cu
);
186 tor_addr_parse(&tar2
, "[2000::1234]");
187 addr_list
= smartlist_new();
188 smartlist_add(addr_list
, &tar
);
189 smartlist_add(addr_list
, &tar2
);
190 tt_int_op(0, OP_EQ
, policies_parse_exit_policy(NULL
, &policy12
,
191 EXIT_POLICY_IPV6_ENABLED
|
192 EXIT_POLICY_REJECT_PRIVATE
|
193 EXIT_POLICY_ADD_DEFAULT
,
195 smartlist_free(addr_list
);
200 policy3
= smartlist_new();
201 p
= router_parse_addr_policy_item_from_string("reject *:*", -1,
203 tt_ptr_op(p
, OP_NE
, NULL
);
204 smartlist_add(policy3
, p
);
205 p
= router_parse_addr_policy_item_from_string("accept *:*", -1,
207 tt_ptr_op(p
, OP_NE
, NULL
);
208 smartlist_add(policy3
, p
);
210 policy4
= smartlist_new();
211 p
= router_parse_addr_policy_item_from_string("accept *:443", -1,
213 tt_ptr_op(p
, OP_NE
, NULL
);
214 smartlist_add(policy4
, p
);
215 p
= router_parse_addr_policy_item_from_string("accept *:443", -1,
217 tt_ptr_op(p
, OP_NE
, NULL
);
218 smartlist_add(policy4
, p
);
220 policy5
= smartlist_new();
221 p
= router_parse_addr_policy_item_from_string("reject 0.0.0.0/8:*", -1,
223 tt_ptr_op(p
, OP_NE
, NULL
);
224 smartlist_add(policy5
, p
);
225 p
= router_parse_addr_policy_item_from_string("reject 169.254.0.0/16:*", -1,
227 tt_ptr_op(p
, OP_NE
, NULL
);
228 smartlist_add(policy5
, p
);
229 p
= router_parse_addr_policy_item_from_string("reject 127.0.0.0/8:*", -1,
231 tt_ptr_op(p
, OP_NE
, NULL
);
232 smartlist_add(policy5
, p
);
233 p
= router_parse_addr_policy_item_from_string("reject 192.168.0.0/16:*",
234 -1, &malformed_list
);
235 tt_ptr_op(p
, OP_NE
, NULL
);
236 smartlist_add(policy5
, p
);
237 p
= router_parse_addr_policy_item_from_string("reject 10.0.0.0/8:*", -1,
239 tt_ptr_op(p
, OP_NE
, NULL
);
240 smartlist_add(policy5
, p
);
241 p
= router_parse_addr_policy_item_from_string("reject 172.16.0.0/12:*", -1,
243 tt_ptr_op(p
, OP_NE
, NULL
);
244 smartlist_add(policy5
, p
);
245 p
= router_parse_addr_policy_item_from_string("reject 80.190.250.90:*", -1,
247 tt_ptr_op(p
, OP_NE
, NULL
);
248 smartlist_add(policy5
, p
);
249 p
= router_parse_addr_policy_item_from_string("reject *:1-65534", -1,
251 tt_ptr_op(p
, OP_NE
, NULL
);
252 smartlist_add(policy5
, p
);
253 p
= router_parse_addr_policy_item_from_string("reject *:65535", -1,
255 tt_ptr_op(p
, OP_NE
, NULL
);
256 smartlist_add(policy5
, p
);
257 p
= router_parse_addr_policy_item_from_string("accept *:1-65535", -1,
259 tt_ptr_op(p
, OP_NE
, NULL
);
260 smartlist_add(policy5
, p
);
262 policy6
= smartlist_new();
263 p
= router_parse_addr_policy_item_from_string("accept 43.3.0.0/9:*", -1,
265 tt_ptr_op(p
, OP_NE
, NULL
);
266 smartlist_add(policy6
, p
);
268 policy7
= smartlist_new();
269 p
= router_parse_addr_policy_item_from_string("accept 0.0.0.0/8:*", -1,
271 tt_ptr_op(p
, OP_NE
, NULL
);
272 smartlist_add(policy7
, p
);
274 tt_int_op(0, OP_EQ
, policies_parse_exit_policy(NULL
, &policy8
,
275 EXIT_POLICY_IPV6_ENABLED
|
276 EXIT_POLICY_REJECT_PRIVATE
|
277 EXIT_POLICY_ADD_DEFAULT
,
282 tt_int_op(0, OP_EQ
, policies_parse_exit_policy(NULL
, &policy9
,
283 EXIT_POLICY_REJECT_PRIVATE
|
284 EXIT_POLICY_ADD_DEFAULT
,
289 /* accept6 * and reject6 * produce IPv6 wildcards only */
290 policy10
= smartlist_new();
291 p
= router_parse_addr_policy_item_from_string("accept6 *:*", -1,
293 tt_ptr_op(p
, OP_NE
, NULL
);
294 smartlist_add(policy10
, p
);
296 policy11
= smartlist_new();
297 p
= router_parse_addr_policy_item_from_string("reject6 *:*", -1,
299 tt_ptr_op(p
, OP_NE
, NULL
);
300 smartlist_add(policy11
, p
);
302 tt_assert(!exit_policy_is_general_exit(policy
));
303 tt_assert(exit_policy_is_general_exit(policy2
));
304 tt_assert(!exit_policy_is_general_exit(NULL
));
305 tt_assert(!exit_policy_is_general_exit(policy3
));
306 tt_assert(!exit_policy_is_general_exit(policy4
));
307 tt_assert(!exit_policy_is_general_exit(policy5
));
308 tt_assert(!exit_policy_is_general_exit(policy6
));
309 tt_assert(!exit_policy_is_general_exit(policy7
));
310 tt_assert(exit_policy_is_general_exit(policy8
));
311 tt_assert(exit_policy_is_general_exit(policy9
));
312 tt_assert(!exit_policy_is_general_exit(policy10
));
313 tt_assert(!exit_policy_is_general_exit(policy11
));
315 tt_assert(!addr_policies_eq(policy
, policy2
));
316 tt_assert(!addr_policies_eq(policy
, NULL
));
317 tt_assert(addr_policies_eq(policy2
, policy2
));
318 tt_assert(addr_policies_eq(NULL
, NULL
));
320 tt_assert(!policy_is_reject_star(policy2
, AF_INET
, 1));
321 tt_assert(policy_is_reject_star(policy
, AF_INET
, 1));
322 tt_assert(policy_is_reject_star(policy10
, AF_INET
, 1));
323 tt_assert(!policy_is_reject_star(policy10
, AF_INET6
, 1));
324 tt_assert(policy_is_reject_star(policy11
, AF_INET
, 1));
325 tt_assert(policy_is_reject_star(policy11
, AF_INET6
, 1));
326 tt_assert(policy_is_reject_star(NULL
, AF_INET
, 1));
327 tt_assert(policy_is_reject_star(NULL
, AF_INET6
, 1));
328 tt_assert(!policy_is_reject_star(NULL
, AF_INET
, 0));
329 tt_assert(!policy_is_reject_star(NULL
, AF_INET6
, 0));
331 addr_policy_list_free(policy
);
334 /* make sure assume_action works */
336 p
= router_parse_addr_policy_item_from_string("127.0.0.1",
341 tt_assert(!malformed_list
);
343 p
= router_parse_addr_policy_item_from_string("127.0.0.1:*",
348 tt_assert(!malformed_list
);
350 p
= router_parse_addr_policy_item_from_string("[::]",
355 tt_assert(!malformed_list
);
357 p
= router_parse_addr_policy_item_from_string("[::]:*",
362 tt_assert(!malformed_list
);
364 p
= router_parse_addr_policy_item_from_string("[face::b]",
369 tt_assert(!malformed_list
);
371 p
= router_parse_addr_policy_item_from_string("[b::aaaa]",
376 tt_assert(!malformed_list
);
378 p
= router_parse_addr_policy_item_from_string("*",
383 tt_assert(!malformed_list
);
385 p
= router_parse_addr_policy_item_from_string("*4",
390 tt_assert(!malformed_list
);
392 p
= router_parse_addr_policy_item_from_string("*6",
397 tt_assert(!malformed_list
);
399 /* These are all ambiguous IPv6 addresses, it's good that we reject them */
400 p
= router_parse_addr_policy_item_from_string("acce::abcd",
403 tt_ptr_op(p
, OP_EQ
, NULL
);
404 tt_assert(malformed_list
);
407 p
= router_parse_addr_policy_item_from_string("7:1234",
410 tt_ptr_op(p
, OP_EQ
, NULL
);
411 tt_assert(malformed_list
);
414 p
= router_parse_addr_policy_item_from_string("::",
417 tt_ptr_op(p
, OP_EQ
, NULL
);
418 tt_assert(malformed_list
);
421 /* make sure compacting logic works. */
423 line
.key
= (char*)"foo";
424 line
.value
= (char*)"accept *:80,reject private:*,reject *:*";
426 tt_int_op(0, OP_EQ
, policies_parse_exit_policy(&line
,&policy
,
427 EXIT_POLICY_IPV6_ENABLED
|
428 EXIT_POLICY_ADD_DEFAULT
, NULL
));
431 //test_streq(policy->string, "accept *:80");
432 //test_streq(policy->next->string, "reject *:*");
433 tt_int_op(smartlist_len(policy
),OP_EQ
, 4);
435 /* test policy summaries */
436 /* check if we properly ignore private IP addresses */
437 test_policy_summary_helper("reject 192.168.0.0/16:*,"
438 "reject 0.0.0.0/8:*,"
439 "reject 10.0.0.0/8:*,"
444 /* check all accept policies, and proper counting of rejects */
445 test_policy_summary_helper("reject 11.0.0.0/9:80,"
446 "reject 12.0.0.0/9:80,"
447 "reject 13.0.0.0/9:80,"
448 "reject 14.0.0.0/9:80,"
449 "accept *:*", "accept 1-65535");
450 test_policy_summary_helper("reject 11.0.0.0/9:80,"
451 "reject 12.0.0.0/9:80,"
452 "reject 13.0.0.0/9:80,"
453 "reject 14.0.0.0/9:80,"
454 "reject 15.0.0.0:81,"
455 "accept *:*", "accept 1-65535");
456 test_policy_summary_helper6("reject 11.0.0.0/9:80,"
457 "reject 12.0.0.0/9:80,"
458 "reject 13.0.0.0/9:80,"
459 "reject 14.0.0.0/9:80,"
460 "reject 15.0.0.0:80,"
465 test_policy_summary_helper("accept 11.0.0.0/9:80,"
469 test_policy_summary_helper("accept *:80,"
474 "accept 80-81,100-111");
476 test_policy_summary_helper("accept *:1,"
482 test_policy_summary_helper("accept *:1,"
488 test_policy_summary_helper("reject *:1,"
495 /* standard long policy on many exits */
496 test_policy_summary_helper("accept *:20-23,"
530 "accept *:2086-2087,"
531 "accept *:2095-2096,"
532 "accept *:2102-2104,"
540 "accept *:5222-5223,"
543 "accept *:6660-6669,"
550 "accept *:8087-8088,"
551 "accept *:8332-8333,"
565 "accept 20-23,43,53,79-81,88,110,143,194,220,389,"
566 "443,464,531,543-544,554,563,636,706,749,873,"
567 "902-904,981,989-995,1194,1220,1293,1500,1533,"
568 "1677,1723,1755,1863,2082-2083,2086-2087,"
569 "2095-2096,2102-2104,3128,3389,3690,4321,4643,"
570 "5050,5190,5222-5223,5228,5900,6660-6669,6679,"
571 "6697,8000,8008,8074,8080,8087-8088,8332-8333,"
572 "8443,8888,9418,9999-10000,11371,12350,19294,"
573 "19638,23456,33033,64738");
574 /* short policy with configured addresses */
575 test_policy_summary_helper("reject 149.56.1.1:*,"
576 "reject [2607:5300:1:1::1:0]:*,"
581 /* short policy with configured and local interface addresses */
582 test_policy_summary_helper("reject 149.56.1.0:*,"
583 "reject 149.56.1.1:*,"
584 "reject 149.56.1.2:*,"
585 "reject 149.56.1.3:*,"
586 "reject 149.56.1.4:*,"
587 "reject 149.56.1.5:*,"
588 "reject 149.56.1.6:*,"
589 "reject 149.56.1.7:*,"
590 "reject [2607:5300:1:1::1:0]:*,"
591 "reject [2607:5300:1:1::1:1]:*,"
592 "reject [2607:5300:1:1::1:2]:*,"
593 "reject [2607:5300:1:1::1:3]:*,"
594 "reject [2607:5300:1:1::2:0]:*,"
595 "reject [2607:5300:1:1::2:1]:*,"
596 "reject [2607:5300:1:1::2:2]:*,"
597 "reject [2607:5300:1:1::2:3]:*,"
602 /* short policy with configured netblocks */
603 test_policy_summary_helper("reject 149.56.0.0/16,"
604 "reject6 2607:5300::/32,"
605 "reject6 2608:5300::/64,"
606 "reject6 2609:5300::/96,"
611 /* short policy with large netblocks that do not count as a rejection */
612 test_policy_summary_helper("reject 148.0.0.0/7,"
618 /* short policy with large netblocks that count as a rejection */
619 test_policy_summary_helper("reject 148.0.0.0/6,"
625 /* short policy with huge netblocks that count as a rejection */
626 test_policy_summary_helper("reject 128.0.0.0/1,"
632 /* short policy which blocks everything using netblocks */
633 test_policy_summary_helper("reject 0.0.0.0/0,"
639 /* short policy which has repeated redundant netblocks */
640 test_policy_summary_helper("reject 0.0.0.0/0,"
655 /* longest possible policy
656 * (1-2,4-5,... is longer, but gets reduced to 3,6,... )
657 * Going all the way to 65535 is incredibly slow, so we just go slightly
658 * more than the expected length */
659 test_policy_summary_helper("accept *:1,"
925 "accept 1,3,5,7,9,11,13,15,17,19,21,23,25,27,29,"
926 "31,33,35,37,39,41,43,45,47,49,51,53,55,57,59,61,"
927 "63,65,67,69,71,73,75,77,79,81,83,85,87,89,91,93,"
928 "95,97,99,101,103,105,107,109,111,113,115,117,"
929 "119,121,123,125,127,129,131,133,135,137,139,141,"
930 "143,145,147,149,151,153,155,157,159,161,163,165,"
931 "167,169,171,173,175,177,179,181,183,185,187,189,"
932 "191,193,195,197,199,201,203,205,207,209,211,213,"
933 "215,217,219,221,223,225,227,229,231,233,235,237,"
934 "239,241,243,245,247,249,251,253,255,257,259,261,"
935 "263,265,267,269,271,273,275,277,279,281,283,285,"
936 "287,289,291,293,295,297,299,301,303,305,307,309,"
937 "311,313,315,317,319,321,323,325,327,329,331,333,"
938 "335,337,339,341,343,345,347,349,351,353,355,357,"
939 "359,361,363,365,367,369,371,373,375,377,379,381,"
940 "383,385,387,389,391,393,395,397,399,401,403,405,"
941 "407,409,411,413,415,417,419,421,423,425,427,429,"
942 "431,433,435,437,439,441,443,445,447,449,451,453,"
943 "455,457,459,461,463,465,467,469,471,473,475,477,"
944 "479,481,483,485,487,489,491,493,495,497,499,501,"
945 "503,505,507,509,511,513,515,517,519,521,523");
947 /* Short policies with unrecognized formats should get accepted. */
948 test_short_policy_parse("accept fred,2,3-5", "accept 2,3-5");
949 test_short_policy_parse("accept 2,fred,3", "accept 2,3");
950 test_short_policy_parse("accept 2,fred,3,bob", "accept 2,3");
951 test_short_policy_parse("accept 2,-3,500-600", "accept 2,500-600");
952 /* Short policies with nil entries are accepted too. */
953 test_short_policy_parse("accept 1,,3", "accept 1,3");
954 test_short_policy_parse("accept 100-200,,", "accept 100-200");
955 test_short_policy_parse("reject ,1-10,,,,30-40", "reject 1-10,30-40");
957 /* Try parsing various broken short policies */
958 #define TT_BAD_SHORT_POLICY(s) \
960 tt_ptr_op(NULL, OP_EQ, (short_parsed = parse_short_policy((s)))); \
962 TT_BAD_SHORT_POLICY("accept 200-199");
963 TT_BAD_SHORT_POLICY("");
964 TT_BAD_SHORT_POLICY("rejekt 1,2,3");
965 TT_BAD_SHORT_POLICY("reject ");
966 TT_BAD_SHORT_POLICY("reject");
967 TT_BAD_SHORT_POLICY("rej");
968 TT_BAD_SHORT_POLICY("accept 2,3,100000");
969 TT_BAD_SHORT_POLICY("accept 2,3x,4");
970 TT_BAD_SHORT_POLICY("accept 2,3x,4");
971 TT_BAD_SHORT_POLICY("accept 2-");
972 TT_BAD_SHORT_POLICY("accept 2-x");
973 TT_BAD_SHORT_POLICY("accept 1-,3");
974 TT_BAD_SHORT_POLICY("accept 1-,3");
976 /* Make sure that IPv4 addresses are ignored in accept6/reject6 lines. */
977 p
= router_parse_addr_policy_item_from_string("accept6 1.2.3.4:*", -1,
979 tt_ptr_op(p
, OP_EQ
, NULL
);
980 tt_assert(!malformed_list
);
982 p
= router_parse_addr_policy_item_from_string("reject6 2.4.6.0/24:*", -1,
984 tt_ptr_op(p
, OP_EQ
, NULL
);
985 tt_assert(!malformed_list
);
987 p
= router_parse_addr_policy_item_from_string("accept6 *4:*", -1,
989 tt_ptr_op(p
, OP_EQ
, NULL
);
990 tt_assert(!malformed_list
);
992 /* Make sure malformed policies are detected as such. */
993 p
= router_parse_addr_policy_item_from_string("bad_token *4:*", -1,
995 tt_ptr_op(p
, OP_EQ
, NULL
);
996 tt_assert(malformed_list
);
998 p
= router_parse_addr_policy_item_from_string("accept6 **:*", -1,
1000 tt_ptr_op(p
, OP_EQ
, NULL
);
1001 tt_assert(malformed_list
);
1003 p
= router_parse_addr_policy_item_from_string("accept */15:*", -1,
1005 tt_ptr_op(p
, OP_EQ
, NULL
);
1006 tt_assert(malformed_list
);
1008 p
= router_parse_addr_policy_item_from_string("reject6 */:*", -1,
1010 tt_ptr_op(p
, OP_EQ
, NULL
);
1011 tt_assert(malformed_list
);
1013 p
= router_parse_addr_policy_item_from_string("accept 127.0.0.1/33:*", -1,
1015 tt_ptr_op(p
, OP_EQ
, NULL
);
1016 tt_assert(malformed_list
);
1018 p
= router_parse_addr_policy_item_from_string("accept6 [::1]/129:*", -1,
1020 tt_ptr_op(p
, OP_EQ
, NULL
);
1021 tt_assert(malformed_list
);
1023 p
= router_parse_addr_policy_item_from_string("reject 8.8.8.8/-1:*", -1,
1025 tt_ptr_op(p
, OP_EQ
, NULL
);
1026 tt_assert(malformed_list
);
1028 p
= router_parse_addr_policy_item_from_string("reject 8.8.4.4:10-5", -1,
1030 tt_ptr_op(p
, OP_EQ
, NULL
);
1031 tt_assert(malformed_list
);
1033 p
= router_parse_addr_policy_item_from_string("reject 1.2.3.4:-1", -1,
1035 tt_ptr_op(p
, OP_EQ
, NULL
);
1036 tt_assert(malformed_list
);
1038 /* Test a too-long policy. */
1040 char *policy_strng
= NULL
;
1041 smartlist_t
*chunks
= smartlist_new();
1042 smartlist_add_strdup(chunks
, "accept ");
1043 for (i
=1; i
<10000; ++i
)
1044 smartlist_add_asprintf(chunks
, "%d,", i
);
1045 smartlist_add_strdup(chunks
, "20000");
1046 policy_strng
= smartlist_join_strings(chunks
, "", 0, NULL
);
1047 SMARTLIST_FOREACH(chunks
, char *, ch
, tor_free(ch
));
1048 smartlist_free(chunks
);
1049 short_parsed
= parse_short_policy(policy_strng
);/* shouldn't be accepted */
1050 tor_free(policy_strng
);
1051 tt_ptr_op(NULL
, OP_EQ
, short_parsed
);
1054 /* truncation ports */
1055 sm
= smartlist_new();
1056 for (i
=1; i
<2000; i
+=2) {
1057 char buf
[POLICY_BUF_LEN
];
1058 tor_snprintf(buf
, sizeof(buf
), "reject *:%d", i
);
1059 smartlist_add_strdup(sm
, buf
);
1061 smartlist_add_strdup(sm
, "accept *:*");
1062 policy_str
= smartlist_join_strings(sm
, ",", 0, NULL
);
1063 test_policy_summary_helper( policy_str
,
1064 "accept 2,4,6,8,10,12,14,16,18,20,22,24,26,28,30,32,34,36,38,40,42,44,"
1065 "46,48,50,52,54,56,58,60,62,64,66,68,70,72,74,76,78,80,82,84,86,88,90,"
1066 "92,94,96,98,100,102,104,106,108,110,112,114,116,118,120,122,124,126,128,"
1067 "130,132,134,136,138,140,142,144,146,148,150,152,154,156,158,160,162,164,"
1068 "166,168,170,172,174,176,178,180,182,184,186,188,190,192,194,196,198,200,"
1069 "202,204,206,208,210,212,214,216,218,220,222,224,226,228,230,232,234,236,"
1070 "238,240,242,244,246,248,250,252,254,256,258,260,262,264,266,268,270,272,"
1071 "274,276,278,280,282,284,286,288,290,292,294,296,298,300,302,304,306,308,"
1072 "310,312,314,316,318,320,322,324,326,328,330,332,334,336,338,340,342,344,"
1073 "346,348,350,352,354,356,358,360,362,364,366,368,370,372,374,376,378,380,"
1074 "382,384,386,388,390,392,394,396,398,400,402,404,406,408,410,412,414,416,"
1075 "418,420,422,424,426,428,430,432,434,436,438,440,442,444,446,448,450,452,"
1076 "454,456,458,460,462,464,466,468,470,472,474,476,478,480,482,484,486,488,"
1077 "490,492,494,496,498,500,502,504,506,508,510,512,514,516,518,520,522");
1080 addr_policy_list_free(policy
);
1081 addr_policy_list_free(policy2
);
1082 addr_policy_list_free(policy3
);
1083 addr_policy_list_free(policy4
);
1084 addr_policy_list_free(policy5
);
1085 addr_policy_list_free(policy6
);
1086 addr_policy_list_free(policy7
);
1087 addr_policy_list_free(policy8
);
1088 addr_policy_list_free(policy9
);
1089 addr_policy_list_free(policy10
);
1090 addr_policy_list_free(policy11
);
1091 addr_policy_list_free(policy12
);
1092 tor_free(policy_str
);
1094 SMARTLIST_FOREACH(sm
, char *, s
, tor_free(s
));
1097 short_policy_free(short_parsed
);
1100 /** Helper: Check that policy_list contains address */
1102 test_policy_has_address_helper(const smartlist_t
*policy_list
,
1103 const tor_addr_t
*addr
)
1107 tt_assert(policy_list
);
1110 SMARTLIST_FOREACH_BEGIN(policy_list
, addr_policy_t
*, p
) {
1111 if (tor_addr_eq(&p
->addr
, addr
)) {
1114 } SMARTLIST_FOREACH_END(p
);
1122 #define TEST_IPV4_ADDR (0x01020304)
1123 #define TEST_IPV6_ADDR ("2002::abcd")
1125 /** Run unit tests for rejecting the configured addresses on this exit relay
1126 * using policies_parse_exit_policy_reject_private */
1128 test_policies_reject_exit_address(void *arg
)
1130 smartlist_t
*policy
= NULL
;
1131 tor_addr_t ipv4_addr
, ipv6_addr
;
1132 smartlist_t
*ipv4_list
, *ipv6_list
, *both_list
, *dupl_list
;
1135 tor_addr_from_ipv4h(&ipv4_addr
, TEST_IPV4_ADDR
);
1136 tor_addr_parse(&ipv6_addr
, TEST_IPV6_ADDR
);
1138 ipv4_list
= smartlist_new();
1139 ipv6_list
= smartlist_new();
1140 both_list
= smartlist_new();
1141 dupl_list
= smartlist_new();
1143 smartlist_add(ipv4_list
, &ipv4_addr
);
1144 smartlist_add(both_list
, &ipv4_addr
);
1145 smartlist_add(dupl_list
, &ipv4_addr
);
1146 smartlist_add(dupl_list
, &ipv4_addr
);
1147 smartlist_add(dupl_list
, &ipv4_addr
);
1149 smartlist_add(ipv6_list
, &ipv6_addr
);
1150 smartlist_add(both_list
, &ipv6_addr
);
1151 smartlist_add(dupl_list
, &ipv6_addr
);
1152 smartlist_add(dupl_list
, &ipv6_addr
);
1154 /* IPv4-Only Exits */
1156 /* test that IPv4 addresses are rejected on an IPv4-only exit */
1157 policies_parse_exit_policy_reject_private(&policy
, 0, ipv4_list
, 0, 0);
1159 tt_int_op(smartlist_len(policy
), OP_EQ
, 1);
1160 tt_assert(test_policy_has_address_helper(policy
, &ipv4_addr
));
1161 addr_policy_list_free(policy
);
1164 /* test that IPv6 addresses are NOT rejected on an IPv4-only exit
1165 * (all IPv6 addresses are rejected by policies_parse_exit_policy_internal
1166 * on IPv4-only exits, so policies_parse_exit_policy_reject_private doesn't
1167 * need to do anything) */
1168 policies_parse_exit_policy_reject_private(&policy
, 0, ipv6_list
, 0, 0);
1169 tt_ptr_op(policy
, OP_EQ
, NULL
);
1171 /* test that only IPv4 addresses are rejected on an IPv4-only exit */
1172 policies_parse_exit_policy_reject_private(&policy
, 0, both_list
, 0, 0);
1174 tt_int_op(smartlist_len(policy
), OP_EQ
, 1);
1175 tt_assert(test_policy_has_address_helper(policy
, &ipv4_addr
));
1176 addr_policy_list_free(policy
);
1179 /* Test that lists with duplicate entries produce the same results */
1180 policies_parse_exit_policy_reject_private(&policy
, 0, dupl_list
, 0, 0);
1182 tt_int_op(smartlist_len(policy
), OP_EQ
, 1);
1183 tt_assert(test_policy_has_address_helper(policy
, &ipv4_addr
));
1184 addr_policy_list_free(policy
);
1187 /* IPv4/IPv6 Exits */
1189 /* test that IPv4 addresses are rejected on an IPv4/IPv6 exit */
1190 policies_parse_exit_policy_reject_private(&policy
, 1, ipv4_list
, 0, 0);
1192 tt_int_op(smartlist_len(policy
), OP_EQ
, 1);
1193 tt_assert(test_policy_has_address_helper(policy
, &ipv4_addr
));
1194 addr_policy_list_free(policy
);
1197 /* test that IPv6 addresses are rejected on an IPv4/IPv6 exit */
1198 policies_parse_exit_policy_reject_private(&policy
, 1, ipv6_list
, 0, 0);
1200 tt_int_op(smartlist_len(policy
), OP_EQ
, 1);
1201 tt_assert(test_policy_has_address_helper(policy
, &ipv6_addr
));
1202 addr_policy_list_free(policy
);
1205 /* test that IPv4 and IPv6 addresses are rejected on an IPv4/IPv6 exit */
1206 policies_parse_exit_policy_reject_private(&policy
, 1, both_list
, 0, 0);
1208 tt_int_op(smartlist_len(policy
), OP_EQ
, 2);
1209 tt_assert(test_policy_has_address_helper(policy
, &ipv4_addr
));
1210 tt_assert(test_policy_has_address_helper(policy
, &ipv6_addr
));
1211 addr_policy_list_free(policy
);
1214 /* Test that lists with duplicate entries produce the same results */
1215 policies_parse_exit_policy_reject_private(&policy
, 1, dupl_list
, 0, 0);
1217 tt_int_op(smartlist_len(policy
), OP_EQ
, 2);
1218 tt_assert(test_policy_has_address_helper(policy
, &ipv4_addr
));
1219 tt_assert(test_policy_has_address_helper(policy
, &ipv6_addr
));
1220 addr_policy_list_free(policy
);
1224 addr_policy_list_free(policy
);
1225 smartlist_free(ipv4_list
);
1226 smartlist_free(ipv6_list
);
1227 smartlist_free(both_list
);
1228 smartlist_free(dupl_list
);
1231 static smartlist_t
*test_configured_ports
= NULL
;
1233 /** Returns test_configured_ports */
1234 static const smartlist_t
*
1235 mock_get_configured_ports(void)
1237 return test_configured_ports
;
1240 /** Run unit tests for rejecting publicly routable configured port addresses
1241 * on this exit relay using policies_parse_exit_policy_reject_private */
1243 test_policies_reject_port_address(void *arg
)
1245 smartlist_t
*policy
= NULL
;
1246 port_cfg_t
*ipv4_port
= NULL
;
1247 port_cfg_t
*ipv6_port
= NULL
;
1250 test_configured_ports
= smartlist_new();
1252 ipv4_port
= port_cfg_new(0);
1253 tor_addr_from_ipv4h(&ipv4_port
->addr
, TEST_IPV4_ADDR
);
1254 smartlist_add(test_configured_ports
, ipv4_port
);
1256 ipv6_port
= port_cfg_new(0);
1257 tor_addr_parse(&ipv6_port
->addr
, TEST_IPV6_ADDR
);
1258 smartlist_add(test_configured_ports
, ipv6_port
);
1260 MOCK(get_configured_ports
, mock_get_configured_ports
);
1262 /* test that an IPv4 port is rejected on an IPv4-only exit, but an IPv6 port
1263 * is NOT rejected (all IPv6 addresses are rejected by
1264 * policies_parse_exit_policy_internal on IPv4-only exits, so
1265 * policies_parse_exit_policy_reject_private doesn't need to do anything
1266 * with IPv6 addresses on IPv4-only exits) */
1267 policies_parse_exit_policy_reject_private(&policy
, 0, NULL
, 0, 1);
1269 tt_int_op(smartlist_len(policy
), OP_EQ
, 1);
1270 tt_assert(test_policy_has_address_helper(policy
, &ipv4_port
->addr
));
1271 addr_policy_list_free(policy
);
1274 /* test that IPv4 and IPv6 ports are rejected on an IPv4/IPv6 exit */
1275 policies_parse_exit_policy_reject_private(&policy
, 1, NULL
, 0, 1);
1277 tt_int_op(smartlist_len(policy
), OP_EQ
, 2);
1278 tt_assert(test_policy_has_address_helper(policy
, &ipv4_port
->addr
));
1279 tt_assert(test_policy_has_address_helper(policy
, &ipv6_port
->addr
));
1280 addr_policy_list_free(policy
);
1284 addr_policy_list_free(policy
);
1285 if (test_configured_ports
) {
1286 SMARTLIST_FOREACH(test_configured_ports
,
1287 port_cfg_t
*, p
, port_cfg_free(p
));
1288 smartlist_free(test_configured_ports
);
1289 test_configured_ports
= NULL
;
1291 UNMOCK(get_configured_ports
);
1294 static smartlist_t
*mock_ipv4_addrs
= NULL
;
1295 static smartlist_t
*mock_ipv6_addrs
= NULL
;
1297 /* mock get_interface_address6_list, returning a deep copy of the template
1298 * address list ipv4_interface_address_list or ipv6_interface_address_list */
1299 static smartlist_t
*
1300 mock_get_interface_address6_list(int severity
,
1302 int include_internal
)
1305 (void)include_internal
;
1306 smartlist_t
*clone_list
= smartlist_new();
1307 smartlist_t
*template_list
= NULL
;
1309 if (family
== AF_INET
) {
1310 template_list
= mock_ipv4_addrs
;
1311 } else if (family
== AF_INET6
) {
1312 template_list
= mock_ipv6_addrs
;
1317 tt_assert(template_list
);
1319 SMARTLIST_FOREACH_BEGIN(template_list
, tor_addr_t
*, src_addr
) {
1320 tor_addr_t
*dest_addr
= tor_malloc(sizeof(tor_addr_t
));
1321 memset(dest_addr
, 0, sizeof(*dest_addr
));
1322 tor_addr_copy_tight(dest_addr
, src_addr
);
1323 smartlist_add(clone_list
, dest_addr
);
1324 } SMARTLIST_FOREACH_END(src_addr
);
1329 interface_address6_list_free(clone_list
);
1333 /** Run unit tests for rejecting publicly routable interface addresses on this
1334 * exit relay using policies_parse_exit_policy_reject_private */
1336 test_policies_reject_interface_address(void *arg
)
1338 smartlist_t
*policy
= NULL
;
1339 smartlist_t
*public_ipv4_addrs
=
1340 get_interface_address6_list(LOG_INFO
, AF_INET
, 0);
1341 smartlist_t
*public_ipv6_addrs
=
1342 get_interface_address6_list(LOG_INFO
, AF_INET6
, 0);
1343 tor_addr_t ipv4_addr
, ipv6_addr
;
1346 /* test that no addresses are rejected when none are supplied/requested */
1347 policies_parse_exit_policy_reject_private(&policy
, 0, NULL
, 0, 0);
1348 tt_ptr_op(policy
, OP_EQ
, NULL
);
1350 /* test that only IPv4 interface addresses are rejected on an IPv4-only exit
1351 * (and allow for duplicates)
1353 policies_parse_exit_policy_reject_private(&policy
, 0, NULL
, 1, 0);
1355 tt_assert(smartlist_len(policy
) <= smartlist_len(public_ipv4_addrs
));
1356 addr_policy_list_free(policy
);
1360 /* test that IPv4 and IPv6 interface addresses are rejected on an IPv4/IPv6
1361 * exit (and allow for duplicates) */
1362 policies_parse_exit_policy_reject_private(&policy
, 1, NULL
, 1, 0);
1364 tt_assert(smartlist_len(policy
) <= (smartlist_len(public_ipv4_addrs
)
1365 + smartlist_len(public_ipv6_addrs
)));
1366 addr_policy_list_free(policy
);
1370 /* Now do it all again, but mocked */
1371 tor_addr_from_ipv4h(&ipv4_addr
, TEST_IPV4_ADDR
);
1372 mock_ipv4_addrs
= smartlist_new();
1373 smartlist_add(mock_ipv4_addrs
, (void *)&ipv4_addr
);
1375 tor_addr_parse(&ipv6_addr
, TEST_IPV6_ADDR
);
1376 mock_ipv6_addrs
= smartlist_new();
1377 smartlist_add(mock_ipv6_addrs
, (void *)&ipv6_addr
);
1379 MOCK(get_interface_address6_list
, mock_get_interface_address6_list
);
1381 /* test that no addresses are rejected when none are supplied/requested */
1382 policies_parse_exit_policy_reject_private(&policy
, 0, NULL
, 0, 0);
1383 tt_ptr_op(policy
, OP_EQ
, NULL
);
1385 /* test that only IPv4 interface addresses are rejected on an IPv4-only exit
1387 policies_parse_exit_policy_reject_private(&policy
, 0, NULL
, 1, 0);
1389 tt_assert(smartlist_len(policy
) == smartlist_len(mock_ipv4_addrs
));
1390 addr_policy_list_free(policy
);
1393 /* test that IPv4 and IPv6 interface addresses are rejected on an IPv4/IPv6
1395 policies_parse_exit_policy_reject_private(&policy
, 1, NULL
, 1, 0);
1397 tt_assert(smartlist_len(policy
) == (smartlist_len(mock_ipv4_addrs
)
1398 + smartlist_len(mock_ipv6_addrs
)));
1399 addr_policy_list_free(policy
);
1403 addr_policy_list_free(policy
);
1404 interface_address6_list_free(public_ipv4_addrs
);
1405 interface_address6_list_free(public_ipv6_addrs
);
1407 UNMOCK(get_interface_address6_list
);
1408 /* we don't use interface_address6_list_free on these lists because their
1409 * address pointers are stack-based */
1410 smartlist_free(mock_ipv4_addrs
);
1411 smartlist_free(mock_ipv6_addrs
);
1414 #undef TEST_IPV4_ADDR
1415 #undef TEST_IPV6_ADDR
1418 test_dump_exit_policy_to_string(void *arg
)
1421 addr_policy_t
*policy_entry
;
1422 int malformed_list
= -1;
1424 routerinfo_t
*ri
= tor_malloc_zero(sizeof(routerinfo_t
));
1428 ri
->policy_is_reject_star
= 1;
1429 ri
->exit_policy
= NULL
; // expecting "reject *:*"
1430 ep
= router_dump_exit_policy_to_string(ri
,1,1);
1432 tt_str_op("reject *:*",OP_EQ
, ep
);
1436 ri
->exit_policy
= smartlist_new();
1437 ri
->policy_is_reject_star
= 0;
1439 policy_entry
= router_parse_addr_policy_item_from_string("accept *:*", -1,
1442 smartlist_add(ri
->exit_policy
,policy_entry
);
1444 ep
= router_dump_exit_policy_to_string(ri
,1,1);
1446 tt_str_op("accept *:*",OP_EQ
, ep
);
1450 policy_entry
= router_parse_addr_policy_item_from_string("reject *:25", -1,
1453 smartlist_add(ri
->exit_policy
,policy_entry
);
1455 ep
= router_dump_exit_policy_to_string(ri
,1,1);
1457 tt_str_op("accept *:*\nreject *:25",OP_EQ
, ep
);
1462 router_parse_addr_policy_item_from_string("reject 8.8.8.8:*", -1,
1465 smartlist_add(ri
->exit_policy
,policy_entry
);
1467 ep
= router_dump_exit_policy_to_string(ri
,1,1);
1469 tt_str_op("accept *:*\nreject *:25\nreject 8.8.8.8:*",OP_EQ
, ep
);
1473 router_parse_addr_policy_item_from_string("reject6 [FC00::]/7:*", -1,
1476 smartlist_add(ri
->exit_policy
,policy_entry
);
1478 ep
= router_dump_exit_policy_to_string(ri
,1,1);
1480 tt_str_op("accept *:*\nreject *:25\nreject 8.8.8.8:*\n"
1481 "reject6 [fc00::]/7:*",OP_EQ
, ep
);
1485 router_parse_addr_policy_item_from_string("accept6 [c000::]/3:*", -1,
1488 smartlist_add(ri
->exit_policy
,policy_entry
);
1490 ep
= router_dump_exit_policy_to_string(ri
,1,1);
1492 tt_str_op("accept *:*\nreject *:25\nreject 8.8.8.8:*\n"
1493 "reject6 [fc00::]/7:*\naccept6 [c000::]/3:*",OP_EQ
, ep
);
1497 if (ri
->exit_policy
) {
1498 SMARTLIST_FOREACH(ri
->exit_policy
, addr_policy_t
*,
1499 entry
, addr_policy_free(entry
));
1500 smartlist_free(ri
->exit_policy
);
1506 static routerinfo_t
*mock_desc_routerinfo
= NULL
;
1507 static int routerinfo_err
;
1509 static const routerinfo_t
*
1510 mock_router_get_my_routerinfo_with_err(int *err
)
1512 if (routerinfo_err
) {
1514 *err
= routerinfo_err
;
1522 return mock_desc_routerinfo
;
1525 #define DEFAULT_POLICY_STRING "reject *:*"
1526 #define TEST_IPV4_ADDR (0x02040608)
1527 #define TEST_IPV6_ADDR ("2003::ef01")
1529 static or_options_t mock_options
;
1531 static const or_options_t
*
1532 mock_get_options(void)
1534 return &mock_options
;
1537 /** Run unit tests for generating summary lines of exit policies */
1539 test_policies_getinfo_helper_policies(void *arg
)
1543 size_t ipv4_len
= 0, ipv6_len
= 0;
1544 char *answer
= NULL
;
1545 const char *errmsg
= NULL
;
1546 routerinfo_t mock_my_routerinfo
;
1548 memset(&mock_my_routerinfo
, 0, sizeof(mock_my_routerinfo
));
1550 rv
= getinfo_helper_policies(NULL
, "exit-policy/default", &answer
, &errmsg
);
1551 tt_int_op(rv
, OP_EQ
, 0);
1552 tt_ptr_op(answer
, OP_NE
, NULL
);
1553 tt_assert(strlen(answer
) > 0);
1556 rv
= getinfo_helper_policies(NULL
, "exit-policy/reject-private/default",
1558 tt_int_op(rv
, OP_EQ
, 0);
1559 tt_ptr_op(answer
, OP_NE
, NULL
);
1560 tt_assert(strlen(answer
) > 0);
1563 memset(&mock_my_routerinfo
, 0, sizeof(routerinfo_t
));
1564 MOCK(router_get_my_routerinfo_with_err
,
1565 mock_router_get_my_routerinfo_with_err
);
1566 mock_my_routerinfo
.exit_policy
= smartlist_new();
1567 mock_desc_routerinfo
= &mock_my_routerinfo
;
1569 memset(&mock_options
, 0, sizeof(or_options_t
));
1570 MOCK(get_options
, mock_get_options
);
1572 rv
= getinfo_helper_policies(NULL
, "exit-policy/reject-private/relay",
1574 tt_int_op(rv
, OP_EQ
, 0);
1575 tt_ptr_op(answer
, OP_NE
, NULL
);
1576 tt_assert(strlen(answer
) == 0);
1579 rv
= getinfo_helper_policies(NULL
, "exit-policy/ipv4", &answer
,
1581 tt_int_op(rv
, OP_EQ
, 0);
1582 tt_ptr_op(answer
, OP_NE
, NULL
);
1583 ipv4_len
= strlen(answer
);
1584 tt_assert(ipv4_len
== 0 || ipv4_len
== strlen(DEFAULT_POLICY_STRING
));
1585 tt_assert(ipv4_len
== 0 || !strcasecmp(answer
, DEFAULT_POLICY_STRING
));
1588 rv
= getinfo_helper_policies(NULL
, "exit-policy/ipv6", &answer
,
1590 tt_int_op(rv
, OP_EQ
, 0);
1591 tt_ptr_op(answer
, OP_NE
, NULL
);
1592 ipv6_len
= strlen(answer
);
1593 tt_assert(ipv6_len
== 0 || ipv6_len
== strlen(DEFAULT_POLICY_STRING
));
1594 tt_assert(ipv6_len
== 0 || !strcasecmp(answer
, DEFAULT_POLICY_STRING
));
1597 rv
= getinfo_helper_policies(NULL
, "exit-policy/full", &answer
,
1599 tt_int_op(rv
, OP_EQ
, 0);
1600 tt_ptr_op(answer
, OP_NE
, NULL
);
1601 /* It's either empty or it's the default */
1602 tt_assert(strlen(answer
) == 0 || !strcasecmp(answer
, DEFAULT_POLICY_STRING
));
1605 mock_my_routerinfo
.addr
= TEST_IPV4_ADDR
;
1606 tor_addr_parse(&mock_my_routerinfo
.ipv6_addr
, TEST_IPV6_ADDR
);
1607 append_exit_policy_string(&mock_my_routerinfo
.exit_policy
, "accept *4:*");
1608 append_exit_policy_string(&mock_my_routerinfo
.exit_policy
, "reject *6:*");
1610 mock_options
.IPv6Exit
= 1;
1611 tor_addr_from_ipv4h(
1612 &mock_options
.OutboundBindAddresses
[OUTBOUND_ADDR_EXIT
][0],
1615 &mock_options
.OutboundBindAddresses
[OUTBOUND_ADDR_EXIT
][1],
1618 mock_options
.ExitPolicyRejectPrivate
= 1;
1619 mock_options
.ExitPolicyRejectLocalInterfaces
= 1;
1621 rv
= getinfo_helper_policies(NULL
, "exit-policy/reject-private/relay",
1623 tt_int_op(rv
, OP_EQ
, 0);
1624 tt_ptr_op(answer
, OP_NE
, NULL
);
1625 tt_assert(strlen(answer
) > 0);
1628 mock_options
.ExitPolicyRejectPrivate
= 1;
1629 mock_options
.ExitPolicyRejectLocalInterfaces
= 0;
1631 rv
= getinfo_helper_policies(NULL
, "exit-policy/reject-private/relay",
1633 tt_int_op(rv
, OP_EQ
, 0);
1634 tt_ptr_op(answer
, OP_NE
, NULL
);
1635 tt_assert(strlen(answer
) > 0);
1638 mock_options
.ExitPolicyRejectPrivate
= 0;
1639 mock_options
.ExitPolicyRejectLocalInterfaces
= 1;
1641 rv
= getinfo_helper_policies(NULL
, "exit-policy/reject-private/relay",
1643 tt_int_op(rv
, OP_EQ
, 0);
1644 tt_ptr_op(answer
, OP_NE
, NULL
);
1645 tt_assert(strlen(answer
) > 0);
1648 mock_options
.ExitPolicyRejectPrivate
= 0;
1649 mock_options
.ExitPolicyRejectLocalInterfaces
= 0;
1651 rv
= getinfo_helper_policies(NULL
, "exit-policy/reject-private/relay",
1653 tt_int_op(rv
, OP_EQ
, 0);
1654 tt_ptr_op(answer
, OP_NE
, NULL
);
1655 tt_assert(strlen(answer
) == 0);
1658 rv
= getinfo_helper_policies(NULL
, "exit-policy/ipv4", &answer
,
1660 tt_int_op(rv
, OP_EQ
, 0);
1661 tt_ptr_op(answer
, OP_NE
, NULL
);
1662 ipv4_len
= strlen(answer
);
1663 tt_assert(ipv4_len
> 0);
1666 rv
= getinfo_helper_policies(NULL
, "exit-policy/ipv6", &answer
,
1668 tt_int_op(rv
, OP_EQ
, 0);
1669 tt_ptr_op(answer
, OP_NE
, NULL
);
1670 ipv6_len
= strlen(answer
);
1671 tt_assert(ipv6_len
> 0);
1674 rv
= getinfo_helper_policies(NULL
, "exit-policy/full", &answer
,
1676 tt_int_op(rv
, OP_EQ
, 0);
1677 tt_ptr_op(answer
, OP_NE
, NULL
);
1678 tt_assert(strlen(answer
) > 0);
1679 tt_assert(strlen(answer
) == ipv4_len
+ ipv6_len
+ 1);
1682 routerinfo_err
= TOR_ROUTERINFO_ERROR_NO_EXT_ADDR
;
1683 rv
= getinfo_helper_policies(NULL
, "exit-policy/full", &answer
,
1685 tt_int_op(rv
, OP_EQ
, -1);
1686 tt_ptr_op(answer
, OP_EQ
, NULL
);
1687 tt_ptr_op(errmsg
, OP_NE
, NULL
);
1688 tt_str_op(errmsg
, OP_EQ
, "No known exit address yet");
1690 routerinfo_err
= TOR_ROUTERINFO_ERROR_CANNOT_PARSE
;
1691 rv
= getinfo_helper_policies(NULL
, "exit-policy/full", &answer
,
1693 tt_int_op(rv
, OP_EQ
, -1);
1694 tt_ptr_op(answer
, OP_EQ
, NULL
);
1695 tt_ptr_op(errmsg
, OP_NE
, NULL
);
1696 tt_str_op(errmsg
, OP_EQ
, "Cannot parse descriptor");
1698 routerinfo_err
= TOR_ROUTERINFO_ERROR_NOT_A_SERVER
;
1699 rv
= getinfo_helper_policies(NULL
, "exit-policy/full", &answer
,
1701 tt_int_op(rv
, OP_EQ
, 0);
1702 tt_ptr_op(answer
, OP_EQ
, NULL
);
1703 tt_ptr_op(errmsg
, OP_NE
, NULL
);
1704 tt_str_op(errmsg
, OP_EQ
, "Not running in server mode");
1706 routerinfo_err
= TOR_ROUTERINFO_ERROR_DIGEST_FAILED
;
1707 rv
= getinfo_helper_policies(NULL
, "exit-policy/full", &answer
,
1710 tt_int_op(rv
, OP_EQ
, -1);
1711 tt_ptr_op(answer
, OP_EQ
, NULL
);
1712 tt_ptr_op(errmsg
, OP_NE
, NULL
);
1713 tt_str_op(errmsg
, OP_EQ
, "Key digest failed");
1715 routerinfo_err
= TOR_ROUTERINFO_ERROR_CANNOT_GENERATE
;
1716 rv
= getinfo_helper_policies(NULL
, "exit-policy/full", &answer
,
1718 tt_int_op(rv
, OP_EQ
, -1);
1719 tt_ptr_op(answer
, OP_EQ
, NULL
);
1720 tt_ptr_op(errmsg
, OP_NE
, NULL
);
1721 tt_str_op(errmsg
, OP_EQ
, "Cannot generate descriptor");
1723 routerinfo_err
= TOR_ROUTERINFO_ERROR_DESC_REBUILDING
;
1724 rv
= getinfo_helper_policies(NULL
, "exit-policy/full", &answer
,
1726 tt_int_op(rv
, OP_EQ
, -1);
1727 tt_ptr_op(answer
, OP_EQ
, NULL
);
1728 tt_ptr_op(errmsg
, OP_NE
, NULL
);
1729 tt_str_op(errmsg
, OP_EQ
, "Descriptor still rebuilding - not ready yet");
1733 UNMOCK(get_options
);
1734 UNMOCK(router_get_my_routerinfo
);
1735 addr_policy_list_free(mock_my_routerinfo
.exit_policy
);
1738 #undef DEFAULT_POLICY_STRING
1739 #undef TEST_IPV4_ADDR
1740 #undef TEST_IPV6_ADDR
1742 #define TEST_IPV4_ADDR_STR "1.2.3.4"
1743 #define TEST_IPV6_ADDR_STR "[1002::4567]"
1744 #define REJECT_IPv4_FINAL_STR "reject 0.0.0.0/0:*"
1745 #define REJECT_IPv6_FINAL_STR "reject [::]/0:*"
1747 #define OTHER_IPV4_ADDR_STR "6.7.8.9"
1748 #define OTHER_IPV6_ADDR_STR "[afff::]"
1750 /** Run unit tests for fascist_firewall_allows_address */
1752 test_policies_fascist_firewall_allows_address(void *arg
)
1755 tor_addr_t ipv4_addr
, ipv6_addr
, r_ipv4_addr
, r_ipv6_addr
;
1756 tor_addr_t n_ipv4_addr
, n_ipv6_addr
;
1757 const uint16_t port
= 1234;
1758 smartlist_t
*policy
= NULL
;
1759 smartlist_t
*e_policy
= NULL
;
1760 addr_policy_t
*item
= NULL
;
1761 int malformed_list
= 0;
1763 /* Setup the options and the items in the policies */
1764 memset(&mock_options
, 0, sizeof(or_options_t
));
1765 MOCK(get_options
, mock_get_options
);
1767 policy
= smartlist_new();
1768 item
= router_parse_addr_policy_item_from_string("accept "
1769 TEST_IPV4_ADDR_STR
":*",
1773 tt_assert(!malformed_list
);
1774 smartlist_add(policy
, item
);
1775 item
= router_parse_addr_policy_item_from_string("accept "
1780 tt_assert(!malformed_list
);
1781 smartlist_add(policy
, item
);
1782 /* Normally, policy_expand_unspec would do this for us */
1783 item
= router_parse_addr_policy_item_from_string(REJECT_IPv4_FINAL_STR
,
1787 tt_assert(!malformed_list
);
1788 smartlist_add(policy
, item
);
1789 item
= router_parse_addr_policy_item_from_string(REJECT_IPv6_FINAL_STR
,
1793 tt_assert(!malformed_list
);
1794 smartlist_add(policy
, item
);
1797 e_policy
= smartlist_new();
1800 char *polstr = policy_dump_to_string(policy, 1, 1);
1801 printf("%s\n", polstr);
1805 /* Parse the addresses */
1806 tor_addr_parse(&ipv4_addr
, TEST_IPV4_ADDR_STR
);
1807 tor_addr_parse(&ipv6_addr
, TEST_IPV6_ADDR_STR
);
1808 tor_addr_parse(&r_ipv4_addr
, OTHER_IPV4_ADDR_STR
);
1809 tor_addr_parse(&r_ipv6_addr
, OTHER_IPV6_ADDR_STR
);
1810 tor_addr_make_null(&n_ipv4_addr
, AF_INET
);
1811 tor_addr_make_null(&n_ipv6_addr
, AF_INET6
);
1813 /* Test the function's address matching with IPv4 and IPv6 on */
1814 memset(&mock_options
, 0, sizeof(or_options_t
));
1815 mock_options
.ClientUseIPv4
= 1;
1816 mock_options
.ClientUseIPv6
= 1;
1817 mock_options
.UseBridges
= 0;
1819 tt_int_op(fascist_firewall_allows_address(&ipv4_addr
, port
, policy
, 0, 0),
1821 tt_int_op(fascist_firewall_allows_address(&ipv6_addr
, port
, policy
, 0, 0),
1823 tt_int_op(fascist_firewall_allows_address(&r_ipv4_addr
, port
, policy
, 0, 0),
1825 tt_int_op(fascist_firewall_allows_address(&r_ipv6_addr
, port
, policy
, 0, 0),
1828 /* Preferring IPv4 */
1829 tt_int_op(fascist_firewall_allows_address(&ipv4_addr
, port
, policy
, 1, 0),
1831 tt_int_op(fascist_firewall_allows_address(&ipv6_addr
, port
, policy
, 1, 0),
1833 tt_int_op(fascist_firewall_allows_address(&r_ipv4_addr
, port
, policy
, 1, 0),
1835 tt_int_op(fascist_firewall_allows_address(&r_ipv6_addr
, port
, policy
, 1, 0),
1838 /* Preferring IPv6 */
1839 tt_int_op(fascist_firewall_allows_address(&ipv4_addr
, port
, policy
, 1, 1),
1841 tt_int_op(fascist_firewall_allows_address(&ipv6_addr
, port
, policy
, 1, 1),
1843 tt_int_op(fascist_firewall_allows_address(&r_ipv4_addr
, port
, policy
, 1, 1),
1845 tt_int_op(fascist_firewall_allows_address(&r_ipv6_addr
, port
, policy
, 1, 1),
1848 /* Test the function's address matching with UseBridges on */
1849 memset(&mock_options
, 0, sizeof(or_options_t
));
1850 mock_options
.ClientUseIPv4
= 1;
1851 mock_options
.ClientUseIPv6
= 1;
1852 mock_options
.UseBridges
= 1;
1854 tt_int_op(fascist_firewall_allows_address(&ipv4_addr
, port
, policy
, 0, 0),
1856 tt_int_op(fascist_firewall_allows_address(&ipv6_addr
, port
, policy
, 0, 0),
1858 tt_int_op(fascist_firewall_allows_address(&r_ipv4_addr
, port
, policy
, 0, 0),
1860 tt_int_op(fascist_firewall_allows_address(&r_ipv6_addr
, port
, policy
, 0, 0),
1863 /* Preferring IPv4 */
1864 tt_int_op(fascist_firewall_allows_address(&ipv4_addr
, port
, policy
, 1, 0),
1866 tt_int_op(fascist_firewall_allows_address(&ipv6_addr
, port
, policy
, 1, 0),
1868 tt_int_op(fascist_firewall_allows_address(&r_ipv4_addr
, port
, policy
, 1, 0),
1870 tt_int_op(fascist_firewall_allows_address(&r_ipv6_addr
, port
, policy
, 1, 0),
1873 /* Preferring IPv6 */
1874 tt_int_op(fascist_firewall_allows_address(&ipv4_addr
, port
, policy
, 1, 1),
1876 tt_int_op(fascist_firewall_allows_address(&ipv6_addr
, port
, policy
, 1, 1),
1878 tt_int_op(fascist_firewall_allows_address(&r_ipv4_addr
, port
, policy
, 1, 1),
1880 tt_int_op(fascist_firewall_allows_address(&r_ipv6_addr
, port
, policy
, 1, 1),
1883 /* bridge clients always use IPv6, regardless of ClientUseIPv6 */
1884 mock_options
.ClientUseIPv4
= 1;
1885 mock_options
.ClientUseIPv6
= 0;
1886 tt_int_op(fascist_firewall_allows_address(&ipv4_addr
, port
, policy
, 0, 0),
1888 tt_int_op(fascist_firewall_allows_address(&ipv6_addr
, port
, policy
, 0, 0),
1890 tt_int_op(fascist_firewall_allows_address(&r_ipv4_addr
, port
, policy
, 0, 0),
1892 tt_int_op(fascist_firewall_allows_address(&r_ipv6_addr
, port
, policy
, 0, 0),
1895 /* Test the function's address matching with IPv4 on */
1896 memset(&mock_options
, 0, sizeof(or_options_t
));
1897 mock_options
.ClientUseIPv4
= 1;
1898 mock_options
.ClientUseIPv6
= 0;
1899 mock_options
.UseBridges
= 0;
1901 tt_int_op(fascist_firewall_allows_address(&ipv4_addr
, port
, policy
, 0, 0),
1903 tt_int_op(fascist_firewall_allows_address(&ipv6_addr
, port
, policy
, 0, 0),
1905 tt_int_op(fascist_firewall_allows_address(&r_ipv4_addr
, port
, policy
, 0, 0),
1907 tt_int_op(fascist_firewall_allows_address(&r_ipv6_addr
, port
, policy
, 0, 0),
1910 /* Test the function's address matching with IPv6 on */
1911 memset(&mock_options
, 0, sizeof(or_options_t
));
1912 mock_options
.ClientUseIPv4
= 0;
1913 mock_options
.ClientUseIPv6
= 1;
1914 mock_options
.UseBridges
= 0;
1916 tt_int_op(fascist_firewall_allows_address(&ipv4_addr
, port
, policy
, 0, 0),
1918 tt_int_op(fascist_firewall_allows_address(&ipv6_addr
, port
, policy
, 0, 0),
1920 tt_int_op(fascist_firewall_allows_address(&r_ipv4_addr
, port
, policy
, 0, 0),
1922 tt_int_op(fascist_firewall_allows_address(&r_ipv6_addr
, port
, policy
, 0, 0),
1925 /* Test the function's address matching with ClientUseIPv4 0.
1926 * This means "use IPv6" regardless of the other settings. */
1927 memset(&mock_options
, 0, sizeof(or_options_t
));
1928 mock_options
.ClientUseIPv4
= 0;
1929 mock_options
.ClientUseIPv6
= 0;
1930 mock_options
.UseBridges
= 0;
1932 tt_int_op(fascist_firewall_allows_address(&ipv4_addr
, port
, policy
, 0, 0),
1934 tt_int_op(fascist_firewall_allows_address(&ipv6_addr
, port
, policy
, 0, 0),
1936 tt_int_op(fascist_firewall_allows_address(&r_ipv4_addr
, port
, policy
, 0, 0),
1938 tt_int_op(fascist_firewall_allows_address(&r_ipv6_addr
, port
, policy
, 0, 0),
1941 /* Test the function's address matching for unusual inputs */
1942 memset(&mock_options
, 0, sizeof(or_options_t
));
1943 mock_options
.ClientUseIPv4
= 1;
1944 mock_options
.ClientUseIPv6
= 1;
1945 mock_options
.UseBridges
= 1;
1947 /* NULL and tor_addr_is_null addresses are rejected */
1948 tt_int_op(fascist_firewall_allows_address(NULL
, port
, policy
, 0, 0), OP_EQ
,
1950 tt_int_op(fascist_firewall_allows_address(&n_ipv4_addr
, port
, policy
, 0, 0),
1952 tt_int_op(fascist_firewall_allows_address(&n_ipv6_addr
, port
, policy
, 0, 0),
1955 /* zero ports are rejected */
1956 tt_int_op(fascist_firewall_allows_address(&ipv4_addr
, 0, policy
, 0, 0),
1958 tt_int_op(fascist_firewall_allows_address(&ipv6_addr
, 0, policy
, 0, 0),
1961 /* NULL and empty policies accept everything */
1962 tt_int_op(fascist_firewall_allows_address(&ipv4_addr
, port
, NULL
, 0, 0),
1964 tt_int_op(fascist_firewall_allows_address(&ipv6_addr
, port
, NULL
, 0, 0),
1966 tt_int_op(fascist_firewall_allows_address(&ipv4_addr
, port
, e_policy
, 0, 0),
1968 tt_int_op(fascist_firewall_allows_address(&ipv6_addr
, port
, e_policy
, 0, 0),
1972 addr_policy_free(item
);
1973 addr_policy_list_free(policy
);
1974 addr_policy_list_free(e_policy
);
1975 UNMOCK(get_options
);
1978 #undef REJECT_IPv4_FINAL_STR
1979 #undef REJECT_IPv6_FINAL_STR
1980 #undef OTHER_IPV4_ADDR_STR
1981 #undef OTHER_IPV6_ADDR_STR
1983 #define TEST_IPV4_OR_PORT 1234
1984 #define TEST_IPV4_DIR_PORT 2345
1985 #define TEST_IPV6_OR_PORT 61234
1986 #define TEST_IPV6_DIR_PORT 62345
1988 /* Check that fascist_firewall_choose_address_rs() returns the expected
1990 #define CHECK_CHOSEN_ADDR_RS(fake_rs, fw_connection, pref_only, expect_rv, \
1993 tor_addr_port_t chosen_rs_ap; \
1994 tor_addr_make_null(&chosen_rs_ap.addr, AF_INET); \
1995 chosen_rs_ap.port = 0; \
1996 fascist_firewall_choose_address_rs(&(fake_rs), (fw_connection), \
1997 (pref_only), &chosen_rs_ap); \
1998 tt_assert(tor_addr_eq(&(expect_ap).addr, &chosen_rs_ap.addr)); \
1999 tt_int_op((expect_ap).port, OP_EQ, chosen_rs_ap.port); \
2002 /* Check that fascist_firewall_choose_address_node() returns the expected
2004 #define CHECK_CHOSEN_ADDR_NODE(fake_node, fw_connection, pref_only, \
2005 expect_rv, expect_ap) \
2007 tor_addr_port_t chosen_node_ap; \
2008 tor_addr_make_null(&chosen_node_ap.addr, AF_INET); \
2009 chosen_node_ap.port = 0; \
2010 fascist_firewall_choose_address_node(&(fake_node),(fw_connection), \
2011 (pref_only), &chosen_node_ap); \
2012 tt_assert(tor_addr_eq(&(expect_ap).addr, &chosen_node_ap.addr)); \
2013 tt_int_op((expect_ap).port, OP_EQ, chosen_node_ap.port); \
2016 /* Check that fascist_firewall_choose_address_rs and
2017 * fascist_firewall_choose_address_node() both return the expected results. */
2018 #define CHECK_CHOSEN_ADDR_RN(fake_rs, fake_node, fw_connection, pref_only, \
2019 expect_rv, expect_ap) \
2021 CHECK_CHOSEN_ADDR_RS(fake_rs, fw_connection, pref_only, expect_rv, \
2023 CHECK_CHOSEN_ADDR_NODE(fake_node, fw_connection, pref_only, expect_rv, \
2027 /** Run unit tests for fascist_firewall_choose_address */
2029 test_policies_fascist_firewall_choose_address(void *arg
)
2032 tor_addr_port_t ipv4_or_ap
, ipv4_dir_ap
, ipv6_or_ap
, ipv6_dir_ap
;
2033 tor_addr_port_t n_ipv4_ap
, n_ipv6_ap
;
2035 /* Setup the options */
2036 memset(&mock_options
, 0, sizeof(or_options_t
));
2037 MOCK(get_options
, mock_get_options
);
2039 /* Parse the addresses */
2040 tor_addr_parse(&ipv4_or_ap
.addr
, TEST_IPV4_ADDR_STR
);
2041 ipv4_or_ap
.port
= TEST_IPV4_OR_PORT
;
2042 tor_addr_parse(&ipv4_dir_ap
.addr
, TEST_IPV4_ADDR_STR
);
2043 ipv4_dir_ap
.port
= TEST_IPV4_DIR_PORT
;
2045 tor_addr_parse(&ipv6_or_ap
.addr
, TEST_IPV6_ADDR_STR
);
2046 ipv6_or_ap
.port
= TEST_IPV6_OR_PORT
;
2047 tor_addr_parse(&ipv6_dir_ap
.addr
, TEST_IPV6_ADDR_STR
);
2048 ipv6_dir_ap
.port
= TEST_IPV6_DIR_PORT
;
2050 tor_addr_make_null(&n_ipv4_ap
.addr
, AF_INET
);
2052 tor_addr_make_null(&n_ipv6_ap
.addr
, AF_INET6
);
2055 /* Sanity check fascist_firewall_choose_address with IPv4 and IPv6 on */
2056 memset(&mock_options
, 0, sizeof(or_options_t
));
2057 mock_options
.ClientUseIPv4
= 1;
2058 mock_options
.ClientUseIPv6
= 1;
2059 mock_options
.UseBridges
= 0;
2062 tt_assert(fascist_firewall_choose_address(&ipv4_or_ap
, &ipv6_or_ap
, 1,
2063 FIREWALL_OR_CONNECTION
, 0, 0)
2065 tt_assert(fascist_firewall_choose_address(&ipv4_or_ap
, &ipv6_or_ap
, 1,
2066 FIREWALL_OR_CONNECTION
, 1, 0)
2068 tt_assert(fascist_firewall_choose_address(&ipv4_dir_ap
, &ipv6_dir_ap
, 1,
2069 FIREWALL_DIR_CONNECTION
, 0, 0)
2071 tt_assert(fascist_firewall_choose_address(&ipv4_dir_ap
, &ipv6_dir_ap
, 1,
2072 FIREWALL_DIR_CONNECTION
, 1, 0)
2076 tt_assert(fascist_firewall_choose_address(&ipv4_or_ap
, &ipv6_or_ap
, 0,
2077 FIREWALL_OR_CONNECTION
, 0, 1)
2079 tt_assert(fascist_firewall_choose_address(&ipv4_or_ap
, &ipv6_or_ap
, 0,
2080 FIREWALL_OR_CONNECTION
, 1, 1)
2082 tt_assert(fascist_firewall_choose_address(&ipv4_dir_ap
, &ipv6_dir_ap
, 0,
2083 FIREWALL_DIR_CONNECTION
, 0, 1)
2085 tt_assert(fascist_firewall_choose_address(&ipv4_dir_ap
, &ipv6_dir_ap
, 0,
2086 FIREWALL_DIR_CONNECTION
, 1, 1)
2089 /* Unusual inputs */
2091 /* null preferred OR addresses */
2092 tt_assert(fascist_firewall_choose_address(&ipv4_or_ap
, &n_ipv6_ap
, 0,
2093 FIREWALL_OR_CONNECTION
, 0, 1)
2095 tt_assert(fascist_firewall_choose_address(&n_ipv4_ap
, &ipv6_or_ap
, 1,
2096 FIREWALL_OR_CONNECTION
, 0, 0)
2099 /* null both OR addresses */
2100 tt_ptr_op(fascist_firewall_choose_address(&n_ipv4_ap
, &n_ipv6_ap
, 0,
2101 FIREWALL_OR_CONNECTION
, 0, 1),
2103 tt_ptr_op(fascist_firewall_choose_address(&n_ipv4_ap
, &n_ipv6_ap
, 1,
2104 FIREWALL_OR_CONNECTION
, 0, 0),
2107 /* null preferred Dir addresses */
2108 tt_assert(fascist_firewall_choose_address(&ipv4_dir_ap
, &n_ipv6_ap
, 0,
2109 FIREWALL_DIR_CONNECTION
, 0, 1)
2111 tt_assert(fascist_firewall_choose_address(&n_ipv4_ap
, &ipv6_dir_ap
, 1,
2112 FIREWALL_DIR_CONNECTION
, 0, 0)
2115 /* null both Dir addresses */
2116 tt_ptr_op(fascist_firewall_choose_address(&n_ipv4_ap
, &n_ipv6_ap
, 0,
2117 FIREWALL_DIR_CONNECTION
, 0, 1),
2119 tt_ptr_op(fascist_firewall_choose_address(&n_ipv4_ap
, &n_ipv6_ap
, 1,
2120 FIREWALL_DIR_CONNECTION
, 0, 0),
2123 /* Prefer IPv4 but want IPv6 (contradictory) */
2124 tt_assert(fascist_firewall_choose_address(&ipv4_or_ap
, &ipv6_or_ap
, 0,
2125 FIREWALL_OR_CONNECTION
, 0, 0)
2127 tt_assert(fascist_firewall_choose_address(&ipv4_or_ap
, &ipv6_or_ap
, 0,
2128 FIREWALL_OR_CONNECTION
, 1, 0)
2131 /* Prefer IPv6 but want IPv4 (contradictory) */
2132 tt_assert(fascist_firewall_choose_address(&ipv4_or_ap
, &ipv6_or_ap
, 1,
2133 FIREWALL_OR_CONNECTION
, 0, 1)
2135 tt_assert(fascist_firewall_choose_address(&ipv4_or_ap
, &ipv6_or_ap
, 1,
2136 FIREWALL_OR_CONNECTION
, 1, 1)
2139 /* Make a fake rs. There will be no corresponding node.
2140 * This is what happens when there's no consensus and we're bootstrapping
2141 * from authorities / fallbacks. */
2142 routerstatus_t fake_rs
;
2143 memset(&fake_rs
, 0, sizeof(routerstatus_t
));
2144 /* In a routerstatus, the OR and Dir addresses are the same */
2145 fake_rs
.addr
= tor_addr_to_ipv4h(&ipv4_or_ap
.addr
);
2146 fake_rs
.or_port
= ipv4_or_ap
.port
;
2147 fake_rs
.dir_port
= ipv4_dir_ap
.port
;
2149 tor_addr_copy(&fake_rs
.ipv6_addr
, &ipv6_or_ap
.addr
);
2150 fake_rs
.ipv6_orport
= ipv6_or_ap
.port
;
2151 /* In a routerstatus, the IPv4 and IPv6 DirPorts are the same.*/
2152 ipv6_dir_ap
.port
= TEST_IPV4_DIR_PORT
;
2154 /* Make a fake node. Even though it contains the fake_rs, a lookup won't
2155 * find the node from the rs, because they're not in the hash table. */
2157 memset(&fake_node
, 0, sizeof(node_t
));
2158 fake_node
.rs
= &fake_rs
;
2160 /* Choose an address with IPv4 and IPv6 on */
2161 memset(&mock_options
, 0, sizeof(or_options_t
));
2162 mock_options
.ClientUseIPv4
= 1;
2163 mock_options
.ClientUseIPv6
= 1;
2164 mock_options
.UseBridges
= 0;
2166 /* Preferring IPv4 */
2167 mock_options
.ClientPreferIPv6ORPort
= 0;
2168 mock_options
.ClientPreferIPv6DirPort
= 0;
2169 /* Simulate the initialisation of fake_node.ipv6_preferred */
2170 fake_node
.ipv6_preferred
= fascist_firewall_prefer_ipv6_orport(
2173 CHECK_CHOSEN_ADDR_RN(fake_rs
, fake_node
, FIREWALL_OR_CONNECTION
, 0, 1,
2175 CHECK_CHOSEN_ADDR_RN(fake_rs
, fake_node
, FIREWALL_OR_CONNECTION
, 1, 1,
2177 CHECK_CHOSEN_ADDR_RN(fake_rs
, fake_node
, FIREWALL_DIR_CONNECTION
, 0, 1,
2179 CHECK_CHOSEN_ADDR_RN(fake_rs
, fake_node
, FIREWALL_DIR_CONNECTION
, 1, 1,
2182 /* Auto (Preferring IPv4) */
2183 mock_options
.ClientPreferIPv6ORPort
= -1;
2184 mock_options
.ClientPreferIPv6DirPort
= -1;
2185 /* Simulate the initialisation of fake_node.ipv6_preferred */
2186 fake_node
.ipv6_preferred
= fascist_firewall_prefer_ipv6_orport(
2189 CHECK_CHOSEN_ADDR_RN(fake_rs
, fake_node
, FIREWALL_OR_CONNECTION
, 0, 1,
2191 CHECK_CHOSEN_ADDR_RN(fake_rs
, fake_node
, FIREWALL_OR_CONNECTION
, 1, 1,
2193 CHECK_CHOSEN_ADDR_RN(fake_rs
, fake_node
, FIREWALL_DIR_CONNECTION
, 0, 1,
2195 CHECK_CHOSEN_ADDR_RN(fake_rs
, fake_node
, FIREWALL_DIR_CONNECTION
, 1, 1,
2198 /* Preferring IPv6 */
2199 mock_options
.ClientPreferIPv6ORPort
= 1;
2200 mock_options
.ClientPreferIPv6DirPort
= 1;
2201 /* Simulate the initialisation of fake_node.ipv6_preferred */
2202 fake_node
.ipv6_preferred
= fascist_firewall_prefer_ipv6_orport(
2205 CHECK_CHOSEN_ADDR_RN(fake_rs
, fake_node
, FIREWALL_OR_CONNECTION
, 0, 1,
2207 CHECK_CHOSEN_ADDR_RN(fake_rs
, fake_node
, FIREWALL_OR_CONNECTION
, 1, 1,
2209 CHECK_CHOSEN_ADDR_RN(fake_rs
, fake_node
, FIREWALL_DIR_CONNECTION
, 0, 1,
2211 CHECK_CHOSEN_ADDR_RN(fake_rs
, fake_node
, FIREWALL_DIR_CONNECTION
, 1, 1,
2214 /* Preferring IPv4 OR / IPv6 Dir */
2215 mock_options
.ClientPreferIPv6ORPort
= 0;
2216 mock_options
.ClientPreferIPv6DirPort
= 1;
2217 /* Simulate the initialisation of fake_node.ipv6_preferred */
2218 fake_node
.ipv6_preferred
= fascist_firewall_prefer_ipv6_orport(
2221 CHECK_CHOSEN_ADDR_RN(fake_rs
, fake_node
, FIREWALL_OR_CONNECTION
, 0, 1,
2223 CHECK_CHOSEN_ADDR_RN(fake_rs
, fake_node
, FIREWALL_OR_CONNECTION
, 1, 1,
2225 CHECK_CHOSEN_ADDR_RN(fake_rs
, fake_node
, FIREWALL_DIR_CONNECTION
, 0, 1,
2227 CHECK_CHOSEN_ADDR_RN(fake_rs
, fake_node
, FIREWALL_DIR_CONNECTION
, 1, 1,
2230 /* Preferring IPv6 OR / IPv4 Dir */
2231 mock_options
.ClientPreferIPv6ORPort
= 1;
2232 mock_options
.ClientPreferIPv6DirPort
= 0;
2233 /* Simulate the initialisation of fake_node.ipv6_preferred */
2234 fake_node
.ipv6_preferred
= fascist_firewall_prefer_ipv6_orport(
2237 CHECK_CHOSEN_ADDR_RN(fake_rs
, fake_node
, FIREWALL_OR_CONNECTION
, 0, 1,
2239 CHECK_CHOSEN_ADDR_RN(fake_rs
, fake_node
, FIREWALL_OR_CONNECTION
, 1, 1,
2241 CHECK_CHOSEN_ADDR_RN(fake_rs
, fake_node
, FIREWALL_DIR_CONNECTION
, 0, 1,
2243 CHECK_CHOSEN_ADDR_RN(fake_rs
, fake_node
, FIREWALL_DIR_CONNECTION
, 1, 1,
2246 /* Choose an address with UseBridges on */
2247 memset(&mock_options
, 0, sizeof(or_options_t
));
2248 mock_options
.UseBridges
= 1;
2249 mock_options
.ClientUseIPv4
= 1;
2250 mock_options
.ClientUseIPv6
= 1;
2252 /* Preferring IPv4 */
2253 mock_options
.ClientPreferIPv6ORPort
= 0;
2254 mock_options
.ClientPreferIPv6DirPort
= 0;
2255 /* Simulate the initialisation of fake_node.ipv6_preferred */
2256 fake_node
.ipv6_preferred
= fascist_firewall_prefer_ipv6_orport(
2259 CHECK_CHOSEN_ADDR_RN(fake_rs
, fake_node
, FIREWALL_OR_CONNECTION
, 0, 1,
2261 CHECK_CHOSEN_ADDR_RN(fake_rs
, fake_node
, FIREWALL_OR_CONNECTION
, 1, 1,
2263 CHECK_CHOSEN_ADDR_RN(fake_rs
, fake_node
, FIREWALL_DIR_CONNECTION
, 0, 1,
2265 CHECK_CHOSEN_ADDR_RN(fake_rs
, fake_node
, FIREWALL_DIR_CONNECTION
, 1, 1,
2269 * - bridge clients prefer the configured bridge OR address from the node,
2270 * (the configured address family sets node.ipv6_preferred)
2271 * - other clients prefer IPv4 OR by default (see above),
2272 * - all clients, including bridge clients, prefer IPv4 Dir by default.
2274 mock_options
.ClientPreferIPv6ORPort
= -1;
2275 mock_options
.ClientPreferIPv6DirPort
= -1;
2277 /* Simulate the initialisation of fake_node.ipv6_preferred with a bridge
2278 * configured with an IPv4 address */
2279 fake_node
.ipv6_preferred
= 0;
2280 CHECK_CHOSEN_ADDR_NODE(fake_node
, FIREWALL_OR_CONNECTION
, 0, 1, ipv4_or_ap
);
2281 CHECK_CHOSEN_ADDR_NODE(fake_node
, FIREWALL_OR_CONNECTION
, 1, 1, ipv4_or_ap
);
2282 CHECK_CHOSEN_ADDR_NODE(fake_node
, FIREWALL_DIR_CONNECTION
, 0, 1,
2284 CHECK_CHOSEN_ADDR_NODE(fake_node
, FIREWALL_DIR_CONNECTION
, 1, 1,
2287 /* Simulate the initialisation of fake_node.ipv6_preferred with a bridge
2288 * configured with an IPv6 address */
2289 fake_node
.ipv6_preferred
= 1;
2290 CHECK_CHOSEN_ADDR_NODE(fake_node
, FIREWALL_OR_CONNECTION
, 0, 1, ipv6_or_ap
);
2291 CHECK_CHOSEN_ADDR_NODE(fake_node
, FIREWALL_OR_CONNECTION
, 1, 1, ipv6_or_ap
);
2292 CHECK_CHOSEN_ADDR_NODE(fake_node
, FIREWALL_DIR_CONNECTION
, 0, 1,
2294 CHECK_CHOSEN_ADDR_NODE(fake_node
, FIREWALL_DIR_CONNECTION
, 1, 1,
2297 /* When a rs has no node, it defaults to IPv4 under auto. */
2298 CHECK_CHOSEN_ADDR_RS(fake_rs
, FIREWALL_OR_CONNECTION
, 0, 1, ipv4_or_ap
);
2299 CHECK_CHOSEN_ADDR_RS(fake_rs
, FIREWALL_OR_CONNECTION
, 1, 1, ipv4_or_ap
);
2300 CHECK_CHOSEN_ADDR_RS(fake_rs
, FIREWALL_DIR_CONNECTION
, 0, 1, ipv4_dir_ap
);
2301 CHECK_CHOSEN_ADDR_RS(fake_rs
, FIREWALL_DIR_CONNECTION
, 1, 1, ipv4_dir_ap
);
2303 /* Preferring IPv6 */
2304 mock_options
.ClientPreferIPv6ORPort
= 1;
2305 mock_options
.ClientPreferIPv6DirPort
= 1;
2306 /* Simulate the initialisation of fake_node.ipv6_preferred */
2307 fake_node
.ipv6_preferred
= fascist_firewall_prefer_ipv6_orport(
2310 CHECK_CHOSEN_ADDR_RN(fake_rs
, fake_node
, FIREWALL_OR_CONNECTION
, 0, 1,
2312 CHECK_CHOSEN_ADDR_RN(fake_rs
, fake_node
, FIREWALL_OR_CONNECTION
, 1, 1,
2314 CHECK_CHOSEN_ADDR_RN(fake_rs
, fake_node
, FIREWALL_DIR_CONNECTION
, 0, 1,
2316 CHECK_CHOSEN_ADDR_RN(fake_rs
, fake_node
, FIREWALL_DIR_CONNECTION
, 1, 1,
2319 /* In the default configuration (Auto / IPv6 off), bridge clients should
2320 * use both IPv4 and IPv6, but only prefer IPv6 for bridges configured with
2321 * an IPv6 address, regardless of ClientUseIPv6. (See above.) */
2322 mock_options
.ClientUseIPv6
= 0;
2323 mock_options
.ClientPreferIPv6ORPort
= -1;
2324 mock_options
.ClientPreferIPv6DirPort
= -1;
2325 /* Simulate the initialisation of fake_node.ipv6_preferred with a bridge
2326 * configured with an IPv4 address */
2327 fake_node
.ipv6_preferred
= 0;
2328 CHECK_CHOSEN_ADDR_NODE(fake_node
, FIREWALL_OR_CONNECTION
, 0, 1, ipv4_or_ap
);
2329 CHECK_CHOSEN_ADDR_NODE(fake_node
, FIREWALL_OR_CONNECTION
, 1, 1, ipv4_or_ap
);
2330 CHECK_CHOSEN_ADDR_NODE(fake_node
, FIREWALL_DIR_CONNECTION
, 0, 1,
2332 CHECK_CHOSEN_ADDR_NODE(fake_node
, FIREWALL_DIR_CONNECTION
, 1, 1,
2335 /* Simulate the initialisation of fake_node.ipv6_preferred with a bridge
2336 * configured with an IPv6 address */
2337 fake_node
.ipv6_preferred
= 1;
2338 CHECK_CHOSEN_ADDR_NODE(fake_node
, FIREWALL_OR_CONNECTION
, 0, 1, ipv6_or_ap
);
2339 CHECK_CHOSEN_ADDR_NODE(fake_node
, FIREWALL_OR_CONNECTION
, 1, 1, ipv6_or_ap
);
2340 CHECK_CHOSEN_ADDR_NODE(fake_node
, FIREWALL_DIR_CONNECTION
, 0, 1,
2342 CHECK_CHOSEN_ADDR_NODE(fake_node
, FIREWALL_DIR_CONNECTION
, 1, 1,
2345 /* When a rs has no node, it defaults to IPv4 under auto. */
2346 CHECK_CHOSEN_ADDR_RS(fake_rs
, FIREWALL_OR_CONNECTION
, 0, 1, ipv4_or_ap
);
2347 CHECK_CHOSEN_ADDR_RS(fake_rs
, FIREWALL_OR_CONNECTION
, 1, 1, ipv4_or_ap
);
2348 CHECK_CHOSEN_ADDR_RS(fake_rs
, FIREWALL_DIR_CONNECTION
, 0, 1, ipv4_dir_ap
);
2349 CHECK_CHOSEN_ADDR_RS(fake_rs
, FIREWALL_DIR_CONNECTION
, 1, 1, ipv4_dir_ap
);
2351 /* Choose an address with IPv4 on */
2352 memset(&mock_options
, 0, sizeof(or_options_t
));
2353 mock_options
.ClientUseIPv4
= 1;
2354 mock_options
.ClientUseIPv6
= 0;
2355 /* Simulate the initialisation of fake_node.ipv6_preferred */
2356 fake_node
.ipv6_preferred
= fascist_firewall_prefer_ipv6_orport(
2359 CHECK_CHOSEN_ADDR_RN(fake_rs
, fake_node
, FIREWALL_OR_CONNECTION
, 0, 1,
2361 CHECK_CHOSEN_ADDR_RN(fake_rs
, fake_node
, FIREWALL_OR_CONNECTION
, 1, 1,
2363 CHECK_CHOSEN_ADDR_RN(fake_rs
, fake_node
, FIREWALL_DIR_CONNECTION
, 0, 1,
2365 CHECK_CHOSEN_ADDR_RN(fake_rs
, fake_node
, FIREWALL_DIR_CONNECTION
, 1, 1,
2368 /* Choose an address with IPv6 on */
2369 memset(&mock_options
, 0, sizeof(or_options_t
));
2370 mock_options
.ClientUseIPv4
= 0;
2371 mock_options
.ClientUseIPv6
= 1;
2372 /* Simulate the initialisation of fake_node.ipv6_preferred */
2373 fake_node
.ipv6_preferred
= fascist_firewall_prefer_ipv6_orport(
2376 CHECK_CHOSEN_ADDR_RN(fake_rs
, fake_node
, FIREWALL_OR_CONNECTION
, 0, 1,
2378 CHECK_CHOSEN_ADDR_RN(fake_rs
, fake_node
, FIREWALL_OR_CONNECTION
, 1, 1,
2380 CHECK_CHOSEN_ADDR_RN(fake_rs
, fake_node
, FIREWALL_DIR_CONNECTION
, 0, 1,
2382 CHECK_CHOSEN_ADDR_RN(fake_rs
, fake_node
, FIREWALL_DIR_CONNECTION
, 1, 1,
2385 /* Choose an address with ClientUseIPv4 0.
2386 * This means "use IPv6" regardless of the other settings. */
2387 memset(&mock_options
, 0, sizeof(or_options_t
));
2388 mock_options
.ClientUseIPv4
= 0;
2389 mock_options
.ClientUseIPv6
= 0;
2390 /* Simulate the initialisation of fake_node.ipv6_preferred */
2391 fake_node
.ipv6_preferred
= fascist_firewall_prefer_ipv6_orport(
2394 CHECK_CHOSEN_ADDR_RN(fake_rs
, fake_node
, FIREWALL_OR_CONNECTION
, 0, 1,
2396 CHECK_CHOSEN_ADDR_RN(fake_rs
, fake_node
, FIREWALL_OR_CONNECTION
, 1, 1,
2398 CHECK_CHOSEN_ADDR_RN(fake_rs
, fake_node
, FIREWALL_DIR_CONNECTION
, 0, 1,
2400 CHECK_CHOSEN_ADDR_RN(fake_rs
, fake_node
, FIREWALL_DIR_CONNECTION
, 1, 1,
2403 /* Choose an address with ORPort_set 1 (server mode).
2404 * This means "use IPv4" regardless of the other settings. */
2405 memset(&mock_options
, 0, sizeof(or_options_t
));
2406 mock_options
.ORPort_set
= 1;
2407 mock_options
.ClientUseIPv4
= 0;
2408 mock_options
.ClientUseIPv6
= 1;
2409 mock_options
.ClientPreferIPv6ORPort
= 1;
2410 mock_options
.ClientPreferIPv6DirPort
= 1;
2412 /* Simulate the initialisation of fake_node.ipv6_preferred */
2413 fake_node
.ipv6_preferred
= fascist_firewall_prefer_ipv6_orport(
2416 CHECK_CHOSEN_ADDR_RN(fake_rs
, fake_node
, FIREWALL_OR_CONNECTION
, 0, 1,
2418 CHECK_CHOSEN_ADDR_RN(fake_rs
, fake_node
, FIREWALL_OR_CONNECTION
, 1, 1,
2420 CHECK_CHOSEN_ADDR_RN(fake_rs
, fake_node
, FIREWALL_DIR_CONNECTION
, 0, 1,
2422 CHECK_CHOSEN_ADDR_RN(fake_rs
, fake_node
, FIREWALL_DIR_CONNECTION
, 1, 1,
2426 UNMOCK(get_options
);
2429 #undef TEST_IPV4_ADDR_STR
2430 #undef TEST_IPV6_ADDR_STR
2431 #undef TEST_IPV4_OR_PORT
2432 #undef TEST_IPV4_DIR_PORT
2433 #undef TEST_IPV6_OR_PORT
2434 #undef TEST_IPV6_DIR_PORT
2436 #undef CHECK_CHOSEN_ADDR_RS
2437 #undef CHECK_CHOSEN_ADDR_NODE
2438 #undef CHECK_CHOSEN_ADDR_RN
2440 struct testcase_t policy_tests
[] = {
2441 { "router_dump_exit_policy_to_string", test_dump_exit_policy_to_string
, 0,
2443 { "general", test_policies_general
, 0, NULL
, NULL
},
2444 { "getinfo_helper_policies", test_policies_getinfo_helper_policies
, 0, NULL
,
2446 { "reject_exit_address", test_policies_reject_exit_address
, 0, NULL
, NULL
},
2447 { "reject_interface_address", test_policies_reject_interface_address
, 0,
2449 { "reject_port_address", test_policies_reject_port_address
, 0, NULL
, NULL
},
2450 { "fascist_firewall_allows_address",
2451 test_policies_fascist_firewall_allows_address
, 0, NULL
, NULL
},
2452 { "fascist_firewall_choose_address",
2453 test_policies_fascist_firewall_choose_address
, 0, NULL
, NULL
},