| blob | 2aa6373f3e9b9d5ed39aca3c93fdf31c10f92fb5 |
1 /* Copyright (c) 2001-2004, Roger Dingledine.
2 * Copyright (c) 2004-2006, Roger Dingledine, Nick Mathewson.
3 * Copyright (c) 2007-2016, The Tor Project, Inc. */
4 /* See LICENSE for licensing information */
6 /**
7 * \file policies.c
8 * \brief Code to parse and use address policies and exit policies.
9 *
10 * We have two key kinds of address policy: full and compressed. A full
11 * policy is an array of accept/reject patterns, to be applied in order.
12 * A short policy is simply a list of ports. This module handles both
13 * kinds, including generic functions to apply them to addresses, and
14 * also including code to manage the global policies that we apply to
15 * incoming and outgoing connections.
16 **/
18 #define POLICIES_PRIVATE
32 /** Policy that addresses for incoming SOCKS connections must match. */
34 /** Policy that addresses for incoming directory connections must match. */
36 /** Policy that addresses for incoming router descriptors must match in order
37 * to be published by us. */
39 /** Policy that addresses for incoming router descriptors must match in order
40 * to be marked as valid in our networkstatus. */
42 /** Policy that addresses for incoming router descriptors must <b>not</b>
43 * match in order to not be marked as BadExit. */
46 /** Parsed addr_policy_t describing which addresses we believe we can start
47 * circuits at. */
49 /** Parsed addr_policy_t describing which addresses we believe we can connect
50 * to directories at. */
53 /** Element of an exit policy summary */
58 this port range. */
62 /** Private networks. This list is used in two places, once to expand the
63 * "private" keyword when parsing our own exit policy, secondly to ignore
64 * just such networks when building exit policy summaries. It is important
65 * that all authorities agree on that list when creating summaries, so don't
66 * just change this without a proper migration plan and a proposal and stuff.
67 */
73 NULL
74 };
86 /** Replace all "private" entries in *<b>policy</b> with their expanded
87 * equivalents. */
88 void
90 {
105 }
107 addr_policy_t newpolicy;
115 }
117 }
123 }
125 /** Expand each of the AF_UNSPEC elements in *<b>policy</b> (which indicate
126 * protocol-neutral wildcards) into a pair of wildcard elements: one IPv4-
127 * specific and one IPv6-specific. */
128 void
130 {
141 addr_policy_t newpolicy_ipv4;
142 addr_policy_t newpolicy_ipv6;
151 }
161 }
166 }
168 /**
169 * Given a linked list of config lines containing "accept[6]" and "reject[6]"
170 * tokens, parse them and append the result to <b>dest</b>. Return -1
171 * if any tokens are malformed (and don't append any), else return 0.
172 *
173 * If <b>assume_action</b> is nonnegative, then insert its action
174 * (ADDR_POLICY_ACCEPT or ADDR_POLICY_REJECT) for items that specify no
175 * action.
176 */
177 static int
180 {
203 /* the error is so severe the entire list should be discarded */
208 /* the error is minor: don't add the item, but keep processing the
209 * rest of the policies in the list */
212 ent);
213 }
217 }
230 }
231 }
234 }
236 /** Helper: parse the Reachable(Dir|OR)?Addresses fields into
237 * reachable_(or|dir)_addr_policy. The options should already have
238 * been validated by validate_addr_policies.
239 */
240 static int
242 {
250 "Both ReachableDirAddresses and ReachableORAddresses are set. "
252 }
266 }
281 }
283 /* We ignore ReachableAddresses for relays */
288 "ReachableAddresses, ReachableORAddresses, or "
289 "ReachableDirAddresses reject all addresses. Please accept "
295 "ReachableAddresses, ReachableORAddresses, or "
296 "ReachableDirAddresses reject all IPv4 addresses. "
302 "(or UseBridges 1), but "
303 "ReachableAddresses, ReachableORAddresses, or "
304 "ReachableDirAddresses reject all IPv6 addresses. "
306 }
307 }
310 }
312 /* Return true iff ClientUseIPv4 0 or ClientUseIPv6 0 might block any OR or Dir
313 * address:port combination. */
314 static int
316 {
318 /* Assume every non-bridge relay has an IPv4 address.
319 * Clients which use bridges may only know the IPv6 address of their
320 * bridge, but they will connect regardless of the ClientUseIPv6 setting. */
322 }
324 /** Return true iff the firewall options, including ClientUseIPv4 0 and
325 * ClientUseIPv6 0, might block any OR address:port combination.
326 * Address preferences may still change which address is selected even if
327 * this function returns false.
328 */
329 int
331 {
333 }
335 /** Return true iff the firewall options, including ClientUseIPv4 0 and
336 * ClientUseIPv6 0, might block any Dir address:port combination.
337 * Address preferences may still change which address is selected even if
338 * this function returns false.
339 */
340 int
342 {
344 }
346 /** Return true iff <b>policy</b> (possibly NULL) will allow a
347 * connection to <b>addr</b>:<b>port</b>.
348 */
349 static int
352 {
353 addr_policy_result_t p;
365 }
366 }
368 /** Return true iff <b> policy</b> (possibly NULL) will allow a connection to
369 * <b>addr</b>:<b>port</b>. <b>addr</b> is an IPv4 address given in host
370 * order. */
371 /* XXXX deprecate when possible. */
372 static int
375 {
376 tor_addr_t a;
379 }
381 /** Return true iff we think our firewall will let us make a connection to
382 * addr:port.
383 *
384 * If we are configured as a server, ignore any address family preference and
385 * just use IPv4.
386 * Otherwise:
387 * - return false for all IPv4 addresses:
388 * - if ClientUseIPv4 is 0, or
389 * if pref_only and pref_ipv6 are both true;
390 * - return false for all IPv6 addresses:
391 * - if fascist_firewall_use_ipv6() is 0, or
392 * - if pref_only is true and pref_ipv6 is false.
393 *
394 * Return false if addr is NULL or tor_addr_is_null(), or if port is 0. */
395 STATIC int
400 {
406 }
408 /* Clients stop using IPv4 if it's disabled. In most cases, clients also
409 * stop using IPv4 if it's not preferred.
410 * Servers must have IPv4 enabled and preferred. */
414 }
416 /* Clients and Servers won't use IPv6 unless it's enabled (and in most
417 * cases, IPv6 must also be preferred before it will be used). */
421 }
424 firewall_policy);
425 }
427 /** Is this client configured to use IPv6?
428 * Returns true if the client might use IPv6 for some of its connections
429 * (including dual-stack and IPv6-only clients), and false if it will never
430 * use IPv6 for any connections.
431 * Use node_ipv6_or/dir_preferred() when checking a specific node and OR/Dir
432 * port: it supports bridge client per-node IPv6 preferences.
433 */
434 int
436 {
437 /* Clients use IPv6 if it's set, or they use bridges, or they don't use
438 * IPv4, or they prefer it.
439 * ClientPreferIPv6DirPort is deprecated, but check it anyway. */
443 }
445 /** Do we prefer to connect to IPv6, ignoring ClientPreferIPv6ORPort and
446 * ClientPreferIPv6DirPort?
447 * If we're unsure, return -1, otherwise, return 1 for IPv6 and 0 for IPv4.
448 */
449 static int
451 {
452 /*
453 Cheap implementation of config options ClientUseIPv4 & ClientUseIPv6 --
454 If we're a server or IPv6 is disabled, use IPv4.
455 If IPv4 is disabled, use IPv6.
456 */
460 }
464 }
467 }
469 /** Do we prefer to connect to IPv6 ORPorts?
470 * Use node_ipv6_or_preferred() whenever possible: it supports bridge client
471 * per-node IPv6 preferences.
472 */
473 int
475 {
480 }
482 /* We can use both IPv4 and IPv6 - which do we prefer? */
485 }
488 }
490 /** Do we prefer to connect to IPv6 DirPorts?
491 *
492 * (node_ipv6_dir_preferred() doesn't support bridge client per-node IPv6
493 * preferences. There's no reason to use it instead of this function.)
494 */
495 int
497 {
502 }
504 /* We can use both IPv4 and IPv6 - which do we prefer? */
507 }
510 }
512 /** Return true iff we think our firewall will let us make a connection to
513 * addr:port. Uses ReachableORAddresses or ReachableDirAddresses based on
514 * fw_connection.
515 * If pref_only is true, return true if addr is in the client's preferred
516 * address family, which is IPv6 if pref_ipv6 is true, and IPv4 otherwise.
517 * If pref_only is false, ignore pref_ipv6, and return true if addr is allowed.
518 */
519 int
521 firewall_connection_t fw_connection,
523 {
526 reachable_or_addr_policy,
530 reachable_dir_addr_policy,
534 fw_connection);
536 }
537 }
539 /** Return true iff we think our firewall will let us make a connection to
540 * addr:port (ap). Uses ReachableORAddresses or ReachableDirAddresses based on
541 * fw_connection.
542 * pref_only and pref_ipv6 work as in fascist_firewall_allows_address_addr().
543 */
544 static int
546 firewall_connection_t fw_connection,
548 {
552 pref_ipv6);
553 }
555 /* Return true iff we think our firewall will let us make a connection to
556 * ipv4h_or_addr:ipv4_or_port. ipv4h_or_addr is interpreted in host order.
557 * Uses ReachableORAddresses or ReachableDirAddresses based on
558 * fw_connection.
559 * pref_only and pref_ipv6 work as in fascist_firewall_allows_address_addr().
560 */
561 static int
564 firewall_connection_t fw_connection,
566 {
567 tor_addr_t ipv4_or_addr;
571 pref_ipv6);
572 }
574 /** Return true iff we think our firewall will let us make a connection to
575 * ipv4h_addr/ipv6_addr. Uses ipv4_orport/ipv6_orport/ReachableORAddresses or
576 * ipv4_dirport/ipv6_dirport/ReachableDirAddresses based on IPv4/IPv6 and
577 * <b>fw_connection</b>.
578 * pref_only and pref_ipv6 work as in fascist_firewall_allows_address_addr().
579 */
580 static int
585 firewall_connection_t fw_connection,
587 {
590 ? ipv4_orport
592 fw_connection,
595 }
599 ? ipv6_orport
601 fw_connection,
604 }
607 }
609 /** Like fascist_firewall_allows_base(), but takes ri. */
610 static int
612 firewall_connection_t fw_connection,
614 {
617 }
619 /* Assume IPv4 and IPv6 DirPorts are the same */
623 pref_ipv6);
624 }
626 /** Like fascist_firewall_allows_rs, but takes pref_ipv6. */
627 static int
629 firewall_connection_t fw_connection,
631 {
634 }
636 /* Assume IPv4 and IPv6 DirPorts are the same */
640 pref_ipv6);
641 }
643 /** Like fascist_firewall_allows_base(), but takes rs.
644 * When rs is a fake_status from a dir_server_t, it can have a reachable
645 * address, even when the corresponding node does not.
646 * nodes can be missing addresses when there's no consensus (IPv4 and IPv6),
647 * or when there is a microdescriptor consensus, but no microdescriptors
648 * (microdescriptors have IPv6, the microdesc consensus does not). */
649 int
652 {
655 }
657 /* We don't have access to the node-specific IPv6 preference, so use the
658 * generic IPv6 preference instead. */
665 pref_ipv6);
666 }
668 /** Return true iff we think our firewall will let us make a connection to
669 * ipv6_addr:ipv6_orport based on ReachableORAddresses.
670 * If <b>fw_connection</b> is FIREWALL_DIR_CONNECTION, returns 0.
671 * pref_only and pref_ipv6 work as in fascist_firewall_allows_address_addr().
672 */
673 static int
675 firewall_connection_t fw_connection,
677 {
680 }
682 /* Can't check dirport, it doesn't have one */
685 }
687 /* Also can't check IPv4, doesn't have that either */
690 pref_ipv6);
691 }
693 /** Like fascist_firewall_allows_base(), but takes node, and looks up pref_ipv6
694 * from node_ipv6_or/dir_preferred(). */
695 int
697 firewall_connection_t fw_connection,
699 {
702 }
710 /* Sometimes, the rs is missing the IPv6 address info, and we need to go
711 * all the way to the md */
716 fw_connection,
717 pref_only,
718 pref_ipv6)) {
721 fw_connection,
722 pref_only,
723 pref_ipv6)) {
726 /* If we know nothing, assume it's unreachable, we'll never get an address
727 * to connect to. */
729 }
730 }
732 /** Like fascist_firewall_allows_rs(), but takes ds. */
733 int
735 firewall_connection_t fw_connection,
737 {
740 }
742 /* A dir_server_t always has a fake_status. As long as it has the same
743 * addresses/ports in both fake_status and dir_server_t, this works fine.
744 * (See #17867.)
745 * fascist_firewall_allows_rs only checks the addresses in fake_status. */
747 pref_only);
748 }
750 /** If a and b are both valid and allowed by fw_connection,
751 * choose one based on want_a and return it.
752 * Otherwise, return whichever is allowed.
753 * Otherwise, return NULL.
754 * pref_only and pref_ipv6 work as in fascist_firewall_allows_address_addr().
755 */
760 firewall_connection_t fw_connection,
762 {
767 pref_ipv6)) {
769 }
772 pref_ipv6)) {
774 }
776 /* If both are allowed */
778 /* Choose a if we want it */
781 /* Choose a if we have it */
783 }
784 }
786 /** If a and b are both valid and preferred by fw_connection,
787 * choose one based on want_a and return it.
788 * Otherwise, return whichever is preferred.
789 * If neither are preferred, and pref_only is false:
790 * - If a and b are both allowed by fw_connection,
791 * choose one based on want_a and return it.
792 * - Otherwise, return whichever is preferred.
793 * Otherwise, return NULL. */
798 firewall_connection_t fw_connection,
800 {
803 fw_connection,
806 /* If there is a preferred address, use it. If we can only use preferred
807 * addresses, and neither address is preferred, pref will be NULL, and we
808 * want to return NULL, so return it. */
811 /* If there's no preferred address, and we can return addresses that are
812 * not preferred, use an address that's allowed */
815 }
816 }
818 /** Copy an address and port into <b>ap</b> that we think our firewall will
819 * let us connect to. Uses ipv4_addr/ipv6_addr and
820 * ipv4_orport/ipv6_orport/ReachableORAddresses or
821 * ipv4_dirport/ipv6_dirport/ReachableDirAddresses based on IPv4/IPv6 and
822 * <b>fw_connection</b>.
823 * If pref_only, only choose preferred addresses. In either case, choose
824 * a preferred address before an address that's not preferred.
825 * If both addresses could be chosen (they are both preferred or both allowed)
826 * choose IPv6 if pref_ipv6 is true, otherwise choose IPv4.
827 * If neither address is chosen, return 0, else return 1. */
828 static int
835 firewall_connection_t fw_connection,
839 {
846 tor_addr_port_t ipv4_ap;
849 ? ipv4_orport
852 tor_addr_port_t ipv6_ap;
855 ? ipv6_orport
859 want_ipv4,
861 pref_ipv6);
869 }
870 }
872 /** Like fascist_firewall_choose_address_base(), but takes a host-order IPv4
873 * address as the first parameter. */
874 static int
881 firewall_connection_t fw_connection,
885 {
886 tor_addr_t ipv4_addr;
893 }
895 /* The microdescriptor consensus has no IPv6 addresses in rs: they are in
896 * the microdescriptors. This means we can't rely on the node's IPv6 address
897 * until its microdescriptor is available (when using microdescs).
898 * But for bridges, rewrite_node_address_for_bridge() updates node->ri with
899 * the configured address, so we can trust bridge addresses.
900 * (Bridges could gain an IPv6 address if their microdescriptor arrives, but
901 * this will never be their preferred address: that is in the config.)
902 * Returns true if the node needs a microdescriptor for its IPv6 address, and
903 * false if the addresses in the node are already up-to-date.
904 */
905 static int
907 {
910 /* There's no point waiting for an IPv6 address if we'd never use it */
913 }
915 /* We are waiting if we_use_microdescriptors_for_circuits() and we have no
916 * md. Bridges have a ri based on their config. They would never use the
917 * address from their md, so there's no need to wait for it. */
920 }
922 /** Like fascist_firewall_choose_address_base(), but takes <b>rs</b>.
923 * Consults the corresponding node, then falls back to rs if node is NULL.
924 * This should only happen when there's no valid consensus, and rs doesn't
925 * correspond to a bridge client's bridge.
926 */
927 int
929 firewall_connection_t fw_connection,
931 {
934 }
943 ap);
945 /* There's no node-specific IPv6 preference, so use the generic IPv6
946 * preference instead. */
951 /* Assume IPv4 and IPv6 DirPorts are the same.
952 * Assume the IPv6 OR and Dir addresses are the same. */
959 fw_connection,
960 pref_only,
961 pref_ipv6,
962 ap);
963 }
964 }
966 /** Like fascist_firewall_choose_address_base(), but takes <b>node</b>, and
967 * looks up the node's IPv6 preference rather than taking an argument
968 * for pref_ipv6. */
969 int
971 firewall_connection_t fw_connection,
973 {
976 }
980 /* Calling fascist_firewall_choose_address_node() when the node is missing
981 * IPv6 information breaks IPv6-only clients.
982 * If the node is a hard-coded fallback directory or authority, call
983 * fascist_firewall_choose_address_rs() on the fake (hard-coded) routerstatus
984 * for the node.
985 * If it is not hard-coded, check that the node has a microdescriptor, full
986 * descriptor (routerinfo), or is one of our configured bridges before
987 * calling this function. */
990 }
996 tor_addr_port_t ipv4_or_ap;
998 tor_addr_port_t ipv4_dir_ap;
1001 tor_addr_port_t ipv6_or_ap;
1003 tor_addr_port_t ipv6_dir_ap;
1006 /* Assume the IPv6 OR and Dir addresses are the same. */
1013 fw_connection,
1014 pref_only,
1015 pref_ipv6_node,
1016 ap);
1017 }
1019 /** Like fascist_firewall_choose_address_rs(), but takes <b>ds</b>. */
1020 int
1022 firewall_connection_t fw_connection,
1025 {
1028 }
1030 /* A dir_server_t always has a fake_status. As long as it has the same
1031 * addresses/ports in both fake_status and dir_server_t, this works fine.
1032 * (See #17867.)
1033 * This function relies on fascist_firewall_choose_address_rs looking up the
1034 * node if it can, because that will get the latest info for the relay. */
1037 }
1039 /** Return 1 if <b>addr</b> is permitted to connect to our dir port,
1040 * based on <b>dir_policy</b>. Else return 0.
1041 */
1042 int
1044 {
1046 }
1048 /** Return 1 if <b>addr</b> is permitted to connect to our socks port,
1049 * based on <b>socks_policy</b>. Else return 0.
1050 */
1051 int
1053 {
1055 }
1057 /** Return true iff the address <b>addr</b> is in a country listed in the
1058 * case-insensitive list of country codes <b>cc_list</b>. */
1059 static int
1061 {
1062 country_t country;
1064 tor_addr_t tar;
1068 /* XXXXipv6 */
1073 }
1075 /** Return 1 if <b>addr</b>:<b>port</b> is permitted to publish to our
1076 * directory, based on <b>authdir_reject_policy</b>. Else return 0.
1077 */
1078 int
1080 {
1084 }
1086 /** Return 1 if <b>addr</b>:<b>port</b> is considered valid in our
1087 * directory, based on <b>authdir_invalid_policy</b>. Else return 0.
1088 */
1089 int
1091 {
1095 }
1097 /** Return 1 if <b>addr</b>:<b>port</b> should be marked as a bad exit,
1098 * based on <b>authdir_badexit_policy</b>. Else return 0.
1099 */
1100 int
1102 {
1106 }
1108 #define REJECT(arg) \
1109 STMT_BEGIN *msg = tor_strdup(arg); goto err; STMT_END
1111 /** Config helper: If there's any problem with the policy configuration
1112 * options in <b>options</b>, return -1 and set <b>msg</b> to a newly
1113 * allocated description of the error. Else return 0. */
1114 int
1116 {
1117 /* XXXX Maybe merge this into parse_policies_from_options, to make sure
1118 * that the two can't go out of sync. */
1125 }
1136 exitrelay_setting_is_auto &&
1137 policy_accepts_something) {
1138 /* Policy accepts something */
1141 "Tor is running as an exit relay%s. If you did not want this "
1142 "behavior, please set the ExitRelay option to 0. If you do "
1143 "want to run an exit Relay, please set the ExitRelay option "
1149 "In a future version of Tor, ExitRelay 0 may become the "
1151 }
1152 }
1154 /* The rest of these calls *append* to addr_policy. So don't actually
1155 * use the results for anything other than checking if they parse! */
1161 ADDR_POLICY_REJECT))
1164 ADDR_POLICY_REJECT))
1167 ADDR_POLICY_REJECT))
1171 ADDR_POLICY_ACCEPT))
1174 ADDR_POLICY_ACCEPT))
1177 ADDR_POLICY_ACCEPT))
1180 err:
1183 #undef REJECT
1184 }
1186 /** Parse <b>string</b> in the same way that the exit policy
1187 * is parsed, and put the processed version in *<b>policy</b>.
1188 * Ignore port specifiers.
1189 */
1190 static int
1194 {
1202 }
1205 /* ports aren't used in these. */
1216 }
1218 }
1221 }
1223 }
1225 /** Set all policies based on <b>options</b>, which should have been validated
1226 * first by validate_addr_policies. */
1227 int
1229 {
1249 }
1251 /** Compare two provided address policy items, and renturn -1, 0, or 1
1252 * if the first is less than, equal to, or greater than the second. */
1253 static int
1255 {
1257 #define CMP_FIELD(field) do { \
1258 if (a->field != b->field) { \
1259 return 0; \
1260 } \
1261 } while (0)
1264 /* refcnt and is_canonical are irrelevant to equality,
1265 * they are hash table implementation details */
1271 #undef CMP_FIELD
1273 }
1275 /** As single_addr_policy_eq, but compare every element of two policies.
1276 */
1277 int
1279 {
1290 }
1293 }
1295 /** Node in hashtable used to store address policy entries. */
1301 /* DOCDOC policy_root */
1304 /** Return true iff a and b are equal. */
1307 {
1309 }
1311 /** Return a hashcode for <b>ent</b> */
1312 static unsigned int
1314 {
1316 addr_policy_t aa;
1329 }
1332 }
1335 policy_eq)
1339 /** Given a pointer to an addr_policy_t, return a copy of the pointer to the
1340 * "canonical" copy of that addr_policy_t; the canonical copy is a single
1341 * reference-counted object. */
1342 addr_policy_t *
1344 {
1357 }
1362 }
1364 /** Helper for compare_tor_addr_to_addr_policy. Implements the case where
1365 * addr and port are both known. */
1366 static addr_policy_result_t
1369 {
1370 /* We know the address and port, and we know the policy, so we can just
1371 * compute an exact match. */
1376 }
1377 /* Address is known */
1379 CMP_EXACT)) {
1381 /* Exact match for the policy */
1384 }
1385 }
1388 /* accept all by default. */
1390 }
1392 /** Helper for compare_tor_addr_to_addr_policy. Implements the case where
1393 * addr is known but port is not. */
1394 static addr_policy_result_t
1397 {
1398 /* We look to see if there's a definite match. If so, we return that
1399 match's value, unless there's an intervening possible match that says
1400 something different. */
1407 }
1409 CMP_EXACT)) {
1411 /* Definitely matches, since it covers all ports. */
1413 /* If we already hit a clause that might trigger a 'reject', than we
1414 * can't be sure of this certain 'accept'.*/
1416 ADDR_POLICY_ACCEPTED;
1419 ADDR_POLICY_REJECTED;
1420 }
1422 /* Might match. */
1425 else
1427 }
1428 }
1431 /* accept all by default. */
1433 }
1435 /** Helper for compare_tor_addr_to_addr_policy. Implements the case where
1436 * port is known but address is not. */
1437 static addr_policy_result_t
1440 {
1441 /* We look to see if there's a definite match. If so, we return that
1442 match's value, unless there's an intervening possible match that says
1443 something different. */
1450 }
1453 /* Definitely matches, since it covers all addresses. */
1455 /* If we already hit a clause that might trigger a 'reject', than we
1456 * can't be sure of this certain 'accept'.*/
1458 ADDR_POLICY_ACCEPTED;
1461 ADDR_POLICY_REJECTED;
1462 }
1464 /* Might match. */
1467 else
1469 }
1470 }
1473 /* accept all by default. */
1475 }
1477 /** Decide whether a given addr:port is definitely accepted,
1478 * definitely rejected, probably accepted, or probably rejected by a
1479 * given policy. If <b>addr</b> is 0, we don't know the IP of the
1480 * target address. If <b>port</b> is 0, we don't know the port of the
1481 * target address. (At least one of <b>addr</b> and <b>port</b> must be
1482 * provided. If you want to know whether a policy would definitely reject
1483 * an unknown address:port, use policy_is_reject_star().)
1484 *
1485 * We could do better by assuming that some ranges never match typical
1486 * addresses (127.0.0.1, and so on). But we'll try this for now.
1487 */
1491 {
1493 /* no policy? accept all. */
1500 }
1506 }
1507 }
1509 /** Return true iff the address policy <b>a</b> covers every case that
1510 * would be covered by <b>b</b>, so that a,b is redundant. */
1511 static int
1513 {
1515 /* You can't cover a different family. */
1517 }
1518 /* We can ignore accept/reject, since "accept *:80, reject *:80" reduces
1519 * to "accept *:80". */
1521 /* a has more fixed bits than b; it can't possibly cover b. */
1523 }
1525 /* There's a fixed bit in a that's set differently in b. */
1527 }
1529 }
1531 /** Return true iff the address policies <b>a</b> and <b>b</b> intersect,
1532 * that is, there exists an address/port that is covered by <b>a</b> that
1533 * is also covered by <b>b</b>.
1534 */
1535 static int
1537 {
1538 maskbits_t minbits;
1539 /* All the bits we care about are those that are set in both
1540 * netmasks. If they are equal in a and b's networkaddresses
1541 * then the networks intersect. If there is a difference,
1542 * then they do not. */
1545 else
1552 }
1554 /** Add the exit policy described by <b>more</b> to <b>policy</b>.
1555 */
1556 STATIC void
1558 {
1559 config_line_t tmp;
1566 }
1567 }
1569 /** Add "reject <b>addr</b>:*" to <b>dest</b>, creating the list as needed. */
1570 void
1572 {
1590 }
1592 /* Is addr public for the purposes of rejection? */
1593 static int
1595 {
1598 }
1600 /* Add "reject <b>addr</b>:*" to <b>dest</b>, creating the list as needed.
1601 * Filter the address, only adding an IPv4 reject rule if ipv4_rules
1602 * is true, and similarly for ipv6_rules. Check each address returns true for
1603 * tor_addr_is_public_for_reject before adding it.
1604 */
1605 static void
1610 {
1614 /* Only reject IP addresses which are public */
1617 /* Reject IPv4 addresses and IPv6 addresses based on the filters */
1621 }
1622 }
1623 }
1625 /** Add "reject addr:*" to <b>dest</b>, for each addr in addrs, creating the
1626 * list as needed. */
1627 void
1630 {
1637 }
1639 /** Add "reject addr:*" to <b>dest</b>, for each addr in addrs, creating the
1640 * list as needed. Filter using */
1641 static void
1646 {
1653 }
1655 /** Detect and excise "dead code" from the policy *<b>dest</b>. */
1656 static void
1658 {
1662 /* Step one: kill every ipv4 thing after *4:*, every IPv6 thing after *6:*
1663 */
1664 {
1667 sa_family_t family;
1675 }
1678 /* This is a catch-all line -- later lines are unreachable. */
1683 }
1684 }
1685 }
1686 }
1688 /* Step two: for every entry, see if there's a redundant entry
1689 * later on, and remove it. */
1703 }
1704 }
1705 }
1707 /* Step three: for every entry A, see if there's an entry B making this one
1708 * redundant later on. This is the case if A and B are of the same type
1709 * (accept/reject), A is a subset of B, and there is no other entry of
1710 * different type in between those two that intersects with A.
1711 *
1712 * Anybody want to double-check the logic here? XXX
1713 */
1717 // tor_assert(j > i); // j starts out at i+1; j only increases; i only
1718 // // decreases.
1733 }
1734 }
1735 }
1736 }
1737 }
1739 /** Reject private helper for policies_parse_exit_policy_internal: rejects
1740 * publicly routable addresses on this exit relay.
1741 *
1742 * Add reject entries to the linked list *<b>dest</b>:
1743 * <ul>
1744 * <li>if configured_addresses is non-NULL, add entries that reject each
1745 * tor_addr_t in the list as a destination.
1746 * <li>if reject_interface_addresses is true, add entries that reject each
1747 * public IPv4 and IPv6 address of each interface on this machine.
1748 * <li>if reject_configured_port_addresses is true, add entries that reject
1749 * each IPv4 and IPv6 address configured for a port.
1750 * </ul>
1751 *
1752 * IPv6 entries are only added if ipv6_exit is true. (All IPv6 addresses are
1753 * already blocked by policies_parse_exit_policy_internal if ipv6_exit is
1754 * false.)
1755 *
1756 * The list in <b>dest</b> is created as needed.
1757 */
1758 void
1765 {
1768 /* Reject configured addresses, if they are from public netblocks. */
1772 }
1774 /* Reject configured port addresses, if they are from public netblocks. */
1780 /* Only reject port IP addresses, not port unix sockets */
1783 }
1785 }
1787 /* Reject local addresses from public netblocks on any interface. */
1791 /* Reject public IPv4 addresses on any interface */
1796 /* Don't look for IPv6 addresses if we're configured as IPv4-only */
1798 /* Reject public IPv6 addresses on any interface */
1802 }
1803 }
1805 /* If addresses were added multiple times, remove all but one of them. */
1808 }
1809 }
1811 /**
1812 * Iterate through <b>policy</b> looking for redundant entries. Log a
1813 * warning message with the first redundant entry, if any is found.
1814 */
1815 static void
1817 {
1822 sa_family_t family;
1826 /* Look for accept/reject *[4|6|]:* entires */
1829 /* accept/reject *:* may have already been expanded into
1830 * accept/reject *4:*,accept/reject *6:*
1831 * But handle both forms.
1832 */
1835 }
1838 }
1839 }
1841 /* We also find accept *4:*,reject *6:* ; and
1842 * accept *4:*,<other policies>,accept *6:* ; and similar.
1843 * That's ok, because they make any subsequent entries redundant. */
1846 /* if we're not on the final entry in the list */
1849 }
1851 }
1854 /* Work out if there are redundant trailing entries in the policy list */
1857 /* Longest possible policy is
1858 * "accept6 ffff:ffff:..255/128:10000-65535",
1859 * which contains a max-length IPv6 address, plus 24 characters. */
1864 /* since we've already parsed the policy into an addr_policy_t struct,
1865 * we might not log exactly what the user typed in */
1868 "redundant, as it follows accept/reject *:* rules for both "
1869 "IPv4 and IPv6. They will be removed from the exit policy. (Use "
1871 line);
1872 }
1873 }
1875 #define DEFAULT_EXIT_POLICY \
1878 "reject *:6346-6429,reject *:6699,reject *:6881-6999,accept *:*"
1880 /** Parse the exit policy <b>cfg</b> into the linked list *<b>dest</b>.
1881 *
1882 * If <b>ipv6_exit</b> is false, prepend "reject *6:*" to the policy.
1883 *
1884 * If <b>configured_addresses</b> contains addresses:
1885 * - prepend entries that reject the addresses in this list. These may be the
1886 * advertised relay addresses and/or the outbound bind addresses,
1887 * depending on the ExitPolicyRejectPrivate and
1888 * ExitPolicyRejectLocalInterfaces settings.
1889 * If <b>rejectprivate</b> is true:
1890 * - prepend "reject private:*" to the policy.
1891 * If <b>reject_interface_addresses</b> is true:
1892 * - prepend entries that reject publicly routable interface addresses on
1893 * this exit relay by calling policies_parse_exit_policy_reject_private
1894 * If <b>reject_configured_port_addresses</b> is true:
1895 * - prepend entries that reject all configured port addresses
1896 *
1897 * If cfg doesn't end in an absolute accept or reject and if
1898 * <b>add_default_policy</b> is true, add the default exit
1899 * policy afterwards.
1900 *
1901 * Return -1 if we can't parse cfg, else return 0.
1902 *
1903 * This function is used to parse the exit policy from our torrc. For
1904 * the functions used to parse the exit policy from a router descriptor,
1905 * see router_add_exit_policy.
1906 */
1907 static int
1916 {
1919 }
1921 /* Reject IPv4 and IPv6 reserved private netblocks */
1923 }
1925 /* Consider rejecting IPv4 and IPv6 advertised relay addresses, outbound bind
1926 * addresses, publicly routable addresses, and configured port addresses
1927 * on this exit relay */
1929 configured_addresses,
1930 reject_interface_addresses,
1931 reject_configured_port_addresses);
1936 /* Before we add the default policy and final rejects, check to see if
1937 * there are any lines after accept *:* or reject *:*. These lines have no
1938 * effect, and are most likely an error. */
1946 }
1950 }
1952 /** Parse exit policy in <b>cfg</b> into <b>dest</b> smartlist.
1953 *
1954 * Prepend an entry that rejects all IPv6 destinations unless
1955 * <b>EXIT_POLICY_IPV6_ENABLED</b> bit is set in <b>options</b> bitmask.
1956 *
1957 * If <b>EXIT_POLICY_REJECT_PRIVATE</b> bit is set in <b>options</b>:
1958 * - prepend an entry that rejects all destinations in all netblocks
1959 * reserved for private use.
1960 * - prepend entries that reject the advertised relay addresses in
1961 * configured_addresses
1962 * If <b>EXIT_POLICY_REJECT_LOCAL_INTERFACES</b> bit is set in <b>options</b>:
1963 * - prepend entries that reject publicly routable addresses on this exit
1964 * relay by calling policies_parse_exit_policy_internal
1965 * - prepend entries that reject the outbound bind addresses in
1966 * configured_addresses
1967 * - prepend entries that reject all configured port addresses
1968 *
1969 * If <b>EXIT_POLICY_ADD_DEFAULT</b> bit is set in <b>options</b>, append
1970 * default exit policy entries to <b>result</b> smartlist.
1971 */
1972 int
1974 exit_policy_parser_cfg_t options,
1976 {
1984 reject_private,
1985 configured_addresses,
1986 reject_local_interfaces,
1987 reject_local_interfaces,
1988 add_default);
1989 }
1991 /** Helper function that adds a copy of addr to a smartlist as long as it is
1992 * non-NULL and not tor_addr_is_null().
1993 *
1994 * The caller is responsible for freeing all the tor_addr_t* in the smartlist.
1995 */
1996 static void
1998 {
2003 }
2004 }
2006 /** Helper function that adds ipv4h_addr to a smartlist as a tor_addr_t *,
2007 * as long as it is not tor_addr_is_null(), by converting it to a tor_addr_t
2008 * and passing it to policies_add_addr_to_smartlist.
2009 *
2010 * The caller is responsible for freeing all the tor_addr_t* in the smartlist.
2011 */
2012 static void
2014 {
2016 tor_addr_t ipv4_tor_addr;
2019 }
2020 }
2022 /** Helper function that adds copies of or_options->OutboundBindAddresses
2023 * to a smartlist as tor_addr_t *, as long as or_options is non-NULL, and
2024 * the addresses are not tor_addr_is_null(), by passing them to
2025 * policies_add_addr_to_smartlist.
2026 *
2027 * The caller is responsible for freeing all the tor_addr_t* in the smartlist.
2028 */
2029 static void
2032 {
2039 }
2040 }
2041 }
2042 }
2043 }
2045 /** Parse <b>ExitPolicy</b> member of <b>or_options</b> into <b>result</b>
2046 * smartlist.
2047 * If <b>or_options->IPv6Exit</b> is false, prepend an entry that
2048 * rejects all IPv6 destinations.
2049 *
2050 * If <b>or_options->ExitPolicyRejectPrivate</b> is true:
2051 * - prepend an entry that rejects all destinations in all netblocks reserved
2052 * for private use.
2053 * - if local_address is non-zero, treat it as a host-order IPv4 address, and
2054 * add it to the list of configured addresses.
2055 * - if ipv6_local_address is non-NULL, and not the null tor_addr_t, add it
2056 * to the list of configured addresses.
2057 * If <b>or_options->ExitPolicyRejectLocalInterfaces</b> is true:
2058 * - if or_options->OutboundBindAddresses[][0] (=IPv4) is not the null
2059 * tor_addr_t, add it to the list of configured addresses.
2060 * - if or_options->OutboundBindAddresses[][1] (=IPv6) is not the null
2061 * tor_addr_t, add it to the list of configured addresses.
2062 *
2063 * If <b>or_options->BridgeRelay</b> is false, append entries of default
2064 * Tor exit policy into <b>result</b> smartlist.
2065 *
2066 * If or_options->ExitRelay is false, then make our exit policy into
2067 * "reject *:*" regardless.
2068 */
2069 int
2074 {
2079 /* Short-circuit for non-exit relays */
2084 }
2088 /* Configure the parser */
2091 }
2095 }
2099 }
2103 }
2105 /* Copy the configured addresses into the tor_addr_t* list */
2109 }
2113 or_options);
2114 }
2117 configured_addresses);
2123 }
2125 /** Add "reject *:*" to the end of the policy in *<b>dest</b>, allocating
2126 * *<b>dest</b> as needed. */
2127 void
2129 {
2132 }
2134 /** Replace the exit policy of <b>node</b> with reject *:* */
2135 void
2137 {
2139 }
2141 /** Return 1 if there is at least one /8 subnet in <b>policy</b> that
2142 * allows exiting to <b>port</b>. Otherwise, return 0. */
2143 static int
2145 {
2147 /* Is this /8 rejected (1), or undecided (0)? */
2163 /* Calculate the first and last subnet that this exit policy touches
2164 * and set it as loop boundaries. */
2166 tor_addr_t addr;
2173 }
2177 /* We found an allowed subnet of at least size /8. Done
2178 * for this port! */
2182 }
2183 }
2186 }
2188 /** Return true iff <b>ri</b> is "useful as an exit node", meaning
2189 * it allows exit to at least one /8 address space for at least
2190 * two of ports 80, 443, and 6667. */
2191 int
2193 {
2202 }
2204 }
2206 /** Return false if <b>policy</b> might permit access to some addr:port;
2207 * otherwise if we are certain it rejects everything, return true. If no
2208 * part of <b>policy</b> matches, return <b>default_reject</b>.
2209 * NULL policies are allowed, and treated as empty. */
2210 int
2213 {
2227 }
2230 }
2232 /** Write a single address policy to the buf_len byte buffer at buf. Return
2233 * the number of characters written, or -1 on failure. */
2234 int
2237 {
2248 /* write accept/reject 1.2.3.4 */
2258 else
2262 }
2267 addrpart);
2271 /* If the maskbits is 32 (IPv4) or 128 (IPv6) we don't need to give it. If
2272 the mask is 0, we already wrote "*". */
2277 }
2279 /* There is no port set; write ":*" */
2285 /* There is only one port; write ":80". */
2291 /* There is a range of ports; write ":79-80". */
2297 }
2300 else
2304 }
2306 /** Create a new exit policy summary, initially only with a single
2307 * port 1-64k item */
2308 /* XXXX This entire thing will do most stuff in O(N^2), or worse. Use an
2309 * RB-tree if that turns out to matter. */
2312 {
2326 }
2328 /** Split the summary item in <b>item</b> at the port <b>new_starts</b>.
2329 * The current item is changed to end at new-starts - 1, the new item
2330 * copies reject_count and accepted from the old item,
2331 * starts at new_starts and ends at the port where the original item
2332 * previously ended.
2333 */
2336 {
2350 }
2352 /* XXXX Nick says I'm going to hell for this. If he feels charitably towards
2353 * my immortal soul, he can clean it up himself. */
2354 #define AT(x) ((policy_summary_item_t*)smartlist_get(summary, x))
2356 #define IPV4_BITS (32)
2357 /* Every IPv4 address is counted as one rejection */
2358 #define REJECT_CUTOFF_SCALE_IPV4 (0)
2359 /* Ports are rejected in an IPv4 summary if they are rejected in more than two
2360 * IPv4 /8 address blocks */
2361 #define REJECT_CUTOFF_COUNT_IPV4 (U64_LITERAL(1) << \
2362 (IPV4_BITS - REJECT_CUTOFF_SCALE_IPV4 - 7))
2364 #define IPV6_BITS (128)
2365 /* IPv6 /64s are counted as one rejection, anything smaller is ignored */
2366 #define REJECT_CUTOFF_SCALE_IPV6 (64)
2367 /* Ports are rejected in an IPv6 summary if they are rejected in more than one
2368 * IPv6 /16 address block.
2369 * This is rougly equivalent to the IPv4 cutoff, as only five IPv6 /12s (and
2370 * some scattered smaller blocks) have been allocated to the RIRs.
2371 * Network providers are typically allocated one or more IPv6 /32s.
2372 */
2373 #define REJECT_CUTOFF_COUNT_IPV6 (U64_LITERAL(1) << \
2374 (IPV6_BITS - REJECT_CUTOFF_SCALE_IPV6 - 16))
2376 /** Split an exit policy summary so that prt_min and prt_max
2377 * fall at exactly the start and end of an item respectively.
2378 */
2379 static int
2382 {
2388 i++;
2393 i++;
2394 }
2398 i++;
2403 }
2406 }
2408 /** Mark port ranges as accepted if they are below the reject_count for family
2409 */
2410 static void
2413 sa_family_t family)
2414 {
2417 REJECT_CUTOFF_COUNT_IPV4 :
2418 REJECT_CUTOFF_COUNT_IPV6);
2426 i++;
2427 }
2429 }
2431 /** Count the number of addresses in a network in family with prefixlen
2432 * maskbits against the given portrange. */
2433 static void
2435 maskbits_t maskbits,
2437 sa_family_t family)
2438 {
2443 /* The length of a single address mask */
2447 /* We divide IPv6 address counts by (1 << scale) to keep them in a uint64_t
2448 */
2450 REJECT_CUTOFF_SCALE_IPV4 :
2451 REJECT_CUTOFF_SCALE_IPV6);
2456 /* The address range is so small, we'd need billions of them to reach the
2457 * rejection limit. So we ignore this range in the reject count. */
2459 }
2464 /* The address range is so large, it's an automatic rejection for all ports
2465 * in the range. */
2469 }
2476 /* IPv4 would require a 4-billion address redundant policy to get here,
2477 * but IPv6 just needs to have ::/0 */
2480 }
2481 /* If we do get here, use saturating arithmetic */
2483 }
2484 i++;
2485 }
2487 }
2489 /** Add a single exit policy item to our summary:
2490 *
2491 * If it is an accept, ignore it unless it is for all IP addresses
2492 * ("*", i.e. its prefixlen/maskbits is 0). Otherwise call
2493 * policy_summary_accept().
2494 *
2495 * If it is a reject, ignore it if it is about one of the private
2496 * networks. Otherwise call policy_summary_reject().
2497 */
2498 static void
2500 {
2504 }
2510 tor_addr_t addr;
2511 maskbits_t maskbits;
2515 }
2520 }
2521 }
2526 }
2529 }
2531 /** Create a string representing a summary for an exit policy.
2532 * The summary will either be an "accept" plus a comma-separated list of port
2533 * ranges or a "reject" plus port-ranges, depending on which is shorter.
2534 *
2535 * If no exits are allowed at all then "reject 1-65535" is returned. If no
2536 * ports are blocked instead of "reject " we return "accept 1-65535". (These
2537 * are an exception to the shorter-representation-wins rule).
2538 */
2541 {
2551 /* Create the summary list */
2556 }
2562 /* Now create two lists of strings, one for accepted and one
2563 * for rejected ports. We take care to merge ranges so that
2564 * we avoid getting stuff like "1-4,5-9,10", instead we want
2565 * "1-10"
2566 */
2579 else
2584 else
2591 };
2592 i++;
2593 };
2595 /* Figure out which of the two stringlists will be shorter and use
2596 * that to build the result
2597 */
2601 }
2605 }
2618 c--;
2629 }
2633 cleanup:
2634 /* cleanup */
2647 }
2649 /** Convert a summarized policy string into a short_policy_t. Return NULL
2650 * if the string is not well-formed. */
2651 short_policy_t *
2653 {
2670 }
2687 }
2690 /* unrecognized entry format. skip it. */
2692 }
2694 /* empty; skip it. */
2695 /* XXX This happens to be unreachable, since if len==0, then *summary is
2696 * ',' or '\0', and the TOR_ISDIGIT test above would have failed. */
2698 }
2708 }
2714 }
2720 }
2724 n_entries++;
2725 }
2731 }
2733 {
2739 }
2745 }
2747 /** Write <b>policy</b> back out into a string. */
2750 {
2763 }
2766 }
2771 }
2773 /** Release all storage held in <b>policy</b>. */
2774 void
2776 {
2778 }
2780 /** See whether the <b>addr</b>:<b>port</b> address is likely to be accepted
2781 * or rejected by the summarized policy <b>policy</b>. Return values are as
2782 * for compare_tor_addr_to_addr_policy. Unlike the regular addr_policy
2783 * functions, requires the <b>port</b> be specified. */
2784 addr_policy_result_t
2787 {
2806 }
2807 }
2811 else
2814 /* ???? are these right? -NM */
2815 /* We should be sure not to return ADDR_POLICY_ACCEPTED in the accept
2816 * case here, because it would cause clients to believe that the node
2817 * allows exit enclaving. Trying it anyway would open up a cool attack
2818 * where the node refuses due to exitpolicy, the client reacts in
2819 * surprise by rewriting the node's exitpolicy to reject *:*, and then
2820 * an adversary targets users by causing them to attempt such connections
2821 * to 98% of the exits.
2822 *
2823 * Once microdescriptors can handle addresses in special cases (e.g. if
2824 * we ever solve ticket 1774), we can provide certainty here. -RD */
2827 else
2829 }
2831 /** Return true iff <b>policy</b> seems reject all ports */
2832 int
2834 {
2835 /* This doesn't need to be as much on the lookout as policy_is_reject_star,
2836 * since policy summaries are from the consensus or from consensus
2837 * microdescs.
2838 */
2840 /* Check for an exact match of "reject 1-65535". */
2844 }
2846 /** Decide whether addr:port is probably or definitely accepted or rejected by
2847 * <b>node</b>. See compare_tor_addr_to_addr_policy for details on addr/port
2848 * interpretation. */
2849 addr_policy_result_t
2852 {
2864 else
2866 }
2873 else
2878 }
2879 }
2881 /**
2882 * Given <b>policy_list</b>, a list of addr_policy_t, produce a string
2883 * representation of the list.
2884 * If <b>include_ipv4</b> is true, include IPv4 entries.
2885 * If <b>include_ipv6</b> is true, include IPv6 entries.
2886 */
2891 {
2902 }
2905 }
2914 }
2921 done:
2926 }
2928 /** Implementation for GETINFO control command: knows the answer for questions
2929 * about "exit-policy/..." */
2930 int
2934 {
2946 /* IPv6 addresses are in "[]" and contain ":",
2947 * IPv4 addresses are not in "[]" and contain "." */
2949 priv++;
2950 }
2964 }
2970 }
2975 /* Copy the configured addresses into the tor_addr_t* list */
2979 }
2983 options);
2984 }
2989 configured_addresses,
3011 }
3016 }
3019 }
3021 }
3023 /** Release all storage held by <b>p</b>. */
3024 void
3026 {
3031 }
3033 /** Release all storage held by <b>p</b>. */
3034 void
3036 {
3048 }
3049 }
3051 }
3052 }
3054 /** Release all storage held by policy variables. */
3055 void
3057 {
3081 /* Note the first 10 cached policies to try to figure out where they
3082 * might be coming from. */
3088 }
3089 }
3091 }