| blob | 734558d836b78742681859c5d87129f952003dbe |
1 /* Copyright (c) 2001-2004, Roger Dingledine.
2 * Copyright (c) 2004-2006, Roger Dingledine, Nick Mathewson.
3 * Copyright (c) 2007-2015, The Tor Project, Inc. */
4 /* See LICENSE for licensing information */
6 /**
7 * \file policies.c
8 * \brief Code to parse and use address policies and exit policies.
9 **/
11 #define POLICIES_PRIVATE
24 /** Policy that addresses for incoming SOCKS connections must match. */
26 /** Policy that addresses for incoming directory connections must match. */
28 /** Policy that addresses for incoming router descriptors must match in order
29 * to be published by us. */
31 /** Policy that addresses for incoming router descriptors must match in order
32 * to be marked as valid in our networkstatus. */
34 /** Policy that addresses for incoming router descriptors must <b>not</b>
35 * match in order to not be marked as BadExit. */
38 /** Parsed addr_policy_t describing which addresses we believe we can start
39 * circuits at. */
41 /** Parsed addr_policy_t describing which addresses we believe we can connect
42 * to directories at. */
45 /** Element of an exit policy summary */
50 this port range. */
54 /** Private networks. This list is used in two places, once to expand the
55 * "private" keyword when parsing our own exit policy, secondly to ignore
56 * just such networks when building exit policy summaries. It is important
57 * that all authorities agree on that list when creating summaries, so don't
58 * just change this without a proper migration plan and a proposal and stuff.
59 */
65 NULL
66 };
78 /** Replace all "private" entries in *<b>policy</b> with their expanded
79 * equivalents. */
80 void
82 {
97 }
99 addr_policy_t newpolicy;
107 }
109 }
115 }
117 /** Expand each of the AF_UNSPEC elements in *<b>policy</b> (which indicate
118 * protocol-neutral wildcards) into a pair of wildcard elements: one IPv4-
119 * specific and one IPv6-specific. */
120 void
122 {
133 addr_policy_t newpolicy_ipv4;
134 addr_policy_t newpolicy_ipv6;
143 }
153 }
158 }
160 /**
161 * Given a linked list of config lines containing "accept[6]" and "reject[6]"
162 * tokens, parse them and append the result to <b>dest</b>. Return -1
163 * if any tokens are malformed (and don't append any), else return 0.
164 *
165 * If <b>assume_action</b> is nonnegative, then insert its action
166 * (ADDR_POLICY_ACCEPT or ADDR_POLICY_REJECT) for items that specify no
167 * action.
168 */
169 static int
172 {
195 /* the error is so severe the entire list should be discarded */
200 /* the error is minor: don't add the item, but keep processing the
201 * rest of the policies in the list */
204 ent);
205 }
209 }
222 }
223 }
226 }
228 /** Helper: parse the Reachable(Dir|OR)?Addresses fields into
229 * reachable_(or|dir)_addr_policy. The options should already have
230 * been validated by validate_addr_policies.
231 */
232 static int
234 {
242 "Both ReachableDirAddresses and ReachableORAddresses are set. "
244 }
258 }
273 }
275 /* We ignore ReachableAddresses for relays */
279 || (reachable_dir_addr_policy
282 "ReachableAddresses, ReachableORAddresses, or "
283 "ReachableDirAddresses reject all addresses. Please accept "
286 && ((reachable_or_addr_policy
288 || (reachable_dir_addr_policy
291 "ReachableAddresses, ReachableORAddresses, or "
292 "ReachableDirAddresses reject all IPv4 addresses. "
295 && ((reachable_or_addr_policy
297 || (reachable_dir_addr_policy
300 "(ClientUseIPv6 1 or UseBridges 1), but "
301 "ReachableAddresses, ReachableORAddresses, or "
302 "ReachableDirAddresses reject all IPv6 addresses. "
304 }
305 }
308 }
310 /* Return true iff ClientUseIPv4 0 or ClientUseIPv6 0 might block any OR or Dir
311 * address:port combination. */
312 static int
314 {
316 /* Assume every non-bridge relay has an IPv4 address.
317 * Clients which use bridges may only know the IPv6 address of their
318 * bridge. */
322 }
324 /** Return true iff the firewall options, including ClientUseIPv4 0 and
325 * ClientUseIPv6 0, might block any OR address:port combination.
326 * Address preferences may still change which address is selected even if
327 * this function returns false.
328 */
329 int
331 {
333 }
335 /** Return true iff the firewall options, including ClientUseIPv4 0 and
336 * ClientUseIPv6 0, might block any Dir address:port combination.
337 * Address preferences may still change which address is selected even if
338 * this function returns false.
339 */
340 int
342 {
344 }
346 /** Return true iff <b>policy</b> (possibly NULL) will allow a
347 * connection to <b>addr</b>:<b>port</b>.
348 */
349 static int
352 {
353 addr_policy_result_t p;
365 }
366 }
368 /** Return true iff <b> policy</b> (possibly NULL) will allow a connection to
369 * <b>addr</b>:<b>port</b>. <b>addr</b> is an IPv4 address given in host
370 * order. */
371 /* XXXX deprecate when possible. */
372 static int
375 {
376 tor_addr_t a;
379 }
381 /** Return true iff we think our firewall will let us make a connection to
382 * addr:port.
383 *
384 * If we are configured as a server, ignore any address family preference and
385 * just use IPv4.
386 * Otherwise:
387 * - return false for all IPv4 addresses:
388 * - if ClientUseIPv4 is 0, or
389 * if pref_only and pref_ipv6 are both true;
390 * - return false for all IPv6 addresses:
391 * - if fascist_firewall_use_ipv6() is 0, or
392 * - if pref_only is true and pref_ipv6 is false.
393 *
394 * Return false if addr is NULL or tor_addr_is_null(), or if port is 0. */
395 STATIC int
400 {
405 }
412 /* Bridges can always use IPv6 */
416 }
419 firewall_policy);
420 }
422 /** Is this client configured to use IPv6?
423 */
425 {
426 /* Clients use IPv6 if it's set, or they use bridges, or they don't use
427 * IPv4 */
430 }
432 /** Do we prefer to connect to IPv6, ignoring ClientPreferIPv6ORPort and
433 * ClientPreferIPv6DirPort?
434 * If we're unsure, return -1, otherwise, return 1 for IPv6 and 0 for IPv4.
435 */
436 static int
438 {
439 /*
440 Cheap implementation of config options ClientUseIPv4 & ClientUseIPv6 --
441 If we're a server or IPv6 is disabled, use IPv4.
442 If IPv4 is disabled, use IPv6.
443 */
447 }
451 }
454 }
456 /** Do we prefer to connect to IPv6 ORPorts?
457 */
458 int
460 {
465 }
467 /* We can use both IPv4 and IPv6 - which do we prefer? */
470 }
472 /* For bridge clients, ClientPreferIPv6ORPort auto means "prefer IPv6". */
475 }
478 }
480 /** Do we prefer to connect to IPv6 DirPorts?
481 */
482 int
484 {
489 }
491 /* We can use both IPv4 and IPv6 - which do we prefer? */
494 }
496 /* For bridge clients, ClientPreferIPv6ORPort auto means "prefer IPv6".
497 * XX/teor - do bridge clients ever use a DirPort? */
500 }
503 }
505 /** Return true iff we think our firewall will let us make a connection to
506 * addr:port. Uses ReachableORAddresses or ReachableDirAddresses based on
507 * fw_connection.
508 * If pref_only, return false if addr is not in the client's preferred address
509 * family.
510 */
511 int
513 firewall_connection_t fw_connection,
515 {
520 reachable_or_addr_policy,
521 pref_only,
525 reachable_dir_addr_policy,
526 pref_only,
530 fw_connection);
532 }
533 }
535 /** Return true iff we think our firewall will let us make a connection to
536 * addr:port (ap). Uses ReachableORAddresses or ReachableDirAddresses based on
537 * fw_connection.
538 * If pref_only, return false if addr is not in the client's preferred address
539 * family.
540 */
541 int
543 firewall_connection_t fw_connection,
545 {
549 }
551 /* Return true iff we think our firewall will let us make a connection to
552 * ipv4h_or_addr:ipv4_or_port. ipv4h_or_addr is interpreted in host order.
553 * Uses ReachableORAddresses or ReachableDirAddresses based on
554 * fw_connection.
555 * If pref_only, return false if addr is not in the client's preferred address
556 * family. */
557 int
560 firewall_connection_t fw_connection,
562 {
563 tor_addr_t ipv4_or_addr;
567 }
569 /** Return true iff we think our firewall will let us make a connection to
570 * ipv4h_addr/ipv6_addr. Uses ipv4_orport/ipv6_orport/ReachableORAddresses or
571 * ipv4_dirport/ipv6_dirport/ReachableDirAddresses based on IPv4/IPv6 and
572 * <b>fw_connection</b>.
573 * If pref_only, return false if addr is not in the client's preferred address
574 * family. */
575 static int
580 firewall_connection_t fw_connection,
582 {
585 ? ipv4_orport
587 fw_connection,
588 pref_only)) {
590 }
594 ? ipv6_orport
596 fw_connection,
597 pref_only)) {
599 }
602 }
604 /** Like fascist_firewall_allows_ri, but doesn't consult the node. */
605 static int
607 firewall_connection_t fw_connection,
609 {
612 }
614 /* Assume IPv4 and IPv6 DirPorts are the same */
618 }
620 /** Like fascist_firewall_allows_rs, but doesn't consult the node. */
621 static int
623 firewall_connection_t fw_connection,
625 {
628 }
630 /* Assume IPv4 and IPv6 DirPorts are the same */
634 }
636 /** Return true iff we think our firewall will let us make a connection to
637 * <b>rs</b> on either its IPv4 or IPv6 address. Uses
638 * or_port/ipv6_orport/ReachableORAddresses or dir_port/ReachableDirAddresses
639 * based on IPv4/IPv6 and <b>fw_connection</b>.
640 * If pref_only, return false if addr is not in the client's preferred address
641 * family.
642 * Consults the corresponding node if the addresses in rs are not permitted. */
643 int
646 {
649 }
651 /* Assume IPv4 and IPv6 DirPorts are the same */
657 }
658 }
660 /** Like fascist_firewall_allows_md, but doesn't consult the node. */
661 static int
663 firewall_connection_t fw_connection,
665 {
668 }
670 /* Can't check dirport, it doesn't have one */
673 }
675 /* Also can't check IPv4, doesn't have that either */
678 }
680 /** Return true iff we think our firewall will let us make a connection to
681 * <b>node</b>:
682 * - if <b>preferred</b> is true, on its preferred address,
683 * - if not, on either its IPv4 or IPv6 address.
684 * Uses or_port/ipv6_orport/ReachableORAddresses or
685 * dir_port/ReachableDirAddresses based on IPv4/IPv6 and <b>fw_connection</b>.
686 * If pref_only, return false if addr is not in the client's preferred address
687 * family. */
688 int
690 firewall_connection_t fw_connection,
692 {
695 }
699 /* Sometimes, the rs is missing the IPv6 address info, and we need to go
700 * all the way to the md */
702 pref_only)) {
705 fw_connection,
706 pref_only)) {
709 fw_connection,
710 pref_only)) {
713 /* If we know nothing, assume it's unreachable, we'll never get an address
714 * to connect to. */
716 }
717 }
719 /** Return true iff we think our firewall will let us make a connection to
720 * <b>ds</b> on either its IPv4 or IPv6 address. Uses ReachableORAddresses or
721 * ReachableDirAddresses based on <b>fw_connection</b> (some directory
722 * connections are tunneled over ORPorts).
723 * If pref_only, return false if addr is not in the client's preferred address
724 * family. */
725 int
727 firewall_connection_t fw_connection,
729 {
732 }
734 /* A dir_server_t always has a fake_status. As long as it has the same
735 * addresses/ports in both fake_status and dir_server_t, this works fine.
736 * (See #17867.)
737 * This function relies on fascist_firewall_allows_rs looking up the node on
738 * failure, because it will get the latest info for the relay. */
740 pref_only);
741 }
743 /** If a and b are both valid and allowed by fw_connection,
744 * choose one based on want_a and return it.
745 * Otherwise, return whichever is allowed.
746 * Otherwise, return NULL.
747 * If pref_only, only return an address if it's in the client's preferred
748 * address family. */
753 firewall_connection_t fw_connection,
755 {
761 }
765 }
767 /* If both are allowed */
769 /* Choose a if we want it */
772 /* Choose a if we have it */
774 }
775 }
777 /** If a and b are both valid and preferred by fw_connection,
778 * choose one based on want_a and return it.
779 * Otherwise, return whichever is preferred.
780 * If neither are preferred, and pref_only is false:
781 * - If a and b are both allowed by fw_connection,
782 * choose one based on want_a and return it.
783 * - Otherwise, return whichever is preferred.
784 * Otherwise, return NULL. */
789 firewall_connection_t fw_connection,
791 {
794 fw_connection,
797 /* If there is a preferred address, use it. If we can only use preferred
798 * addresses, and neither address is preferred, pref will be NULL, and we
799 * want to return NULL, so return it. */
802 /* If there's no preferred address, and we can return addresses that are
803 * not preferred, use an address that's allowed */
806 }
807 }
809 /** Copy an address and port into <b>ap</b> that we think our firewall will
810 * let us connect to. Uses ipv4_addr/ipv6_addr and
811 * ipv4_orport/ipv6_orport/ReachableORAddresses or
812 * ipv4_dirport/ipv6_dirport/ReachableDirAddresses based on IPv4/IPv6 and
813 * <b>fw_connection</b>.
814 * If pref_only, only choose preferred addresses. In either case, choose
815 * a preferred address before an address that's not preferred.
816 * If neither address is chosen, return 0, else return 1. */
817 static int
824 firewall_connection_t fw_connection,
827 {
829 /* This argument is ignored as long as the address pair is IPv4/IPv6,
830 * because we always have a preference in a client.
831 * For bridge clients, this selects the preferred address, which was
832 * previously IPv6 (if a bridge has both), so we keep that behaviour. */
838 tor_addr_port_t ipv4_ap;
841 ? ipv4_orport
844 tor_addr_port_t ipv6_ap;
847 ? ipv6_orport
851 bridge_client_prefer_ipv4,
860 }
861 }
863 /** Like fascist_firewall_choose_address_base, but takes a host-order IPv4
864 * address as the first parameter. */
865 static int
872 firewall_connection_t fw_connection,
875 {
876 tor_addr_t ipv4_addr;
882 }
884 #define IPV6_OR_LOOKUP(r, identity_digest, ipv6_or_ap) \
885 STMT_BEGIN \
886 if (!(r)->ipv6_orport || tor_addr_is_null(&(r)->ipv6_addr)) { \
887 const node_t *node = node_get_by_id((identity_digest)); \
888 if (node) { \
889 node_get_pref_ipv6_orport(node, &(ipv6_or_ap)); \
890 } else { \
891 tor_addr_make_null(&(ipv6_or_ap).addr, AF_INET6); \
892 (ipv6_or_ap).port = 0; \
893 } \
894 } else { \
895 tor_addr_copy(&(ipv6_or_ap).addr, &(r)->ipv6_addr); \
896 (ipv6_or_ap).port = (r)->ipv6_orport; \
897 } \
898 STMT_END
900 /** Copy an address and port from <b>rs</b> into <b>ap</b> that we think our
901 * firewall will let us connect to. Uses ipv4h_addr/ipv6_addr and
902 * ipv4_orport/ipv6_orport/ReachableORAddresses or
903 * ipv4_dirport/ipv6_dirport/ReachableDirAddresses based on IPv4/IPv6 and
904 * <b>fw_connection</b>.
905 * If pref_only, only choose preferred addresses. In either case, choose
906 * a preferred address before an address that's not preferred.
907 * If neither address is chosen, return 0, else return 1.
908 * Consults the corresponding node if the addresses in rs are not valid. */
909 int
911 firewall_connection_t fw_connection,
913 {
916 }
920 /* Don't do the lookup if the IPv6 address/port in rs is OK.
921 * If it's OK, assume the dir_port is also OK. */
922 tor_addr_port_t ipv6_or_ap;
925 /* Assume IPv4 and IPv6 DirPorts are the same.
926 * Assume the IPv6 OR and Dir addresses are the same. */
933 fw_connection,
934 pref_only,
935 ap);
936 }
938 /** Copy an address and port from <b>node</b> into <b>ap</b> that we think our
939 * firewall will let us connect to. Uses ipv4h_addr/ipv6_addr and
940 * ipv4_orport/ipv6_orport/ReachableORAddresses or
941 * ipv4_dirport/ipv6_dirport/ReachableDirAddresses based on IPv4/IPv6 and
942 * <b>fw_connection</b>.
943 * If pref_only, only choose preferred addresses. In either case, choose
944 * a preferred address before an address that's not preferred.
945 * If neither address is chosen, return 0, else return 1. */
946 int
948 firewall_connection_t fw_connection,
950 {
953 }
957 tor_addr_port_t ipv4_or_ap;
959 tor_addr_port_t ipv4_dir_ap;
962 tor_addr_port_t ipv6_or_ap;
964 tor_addr_port_t ipv6_dir_ap;
967 /* Assume the IPv6 OR and Dir addresses are the same. */
974 fw_connection,
975 pref_only,
976 ap);
977 }
979 /** Copy an address and port from <b>ds</b> into <b>ap</b> that we think our
980 * firewall will let us connect to. Uses ipv4h_addr/ipv6_addr and
981 * ipv4_orport/ipv6_orport/ReachableORAddresses or
982 * ipv4_dirport/ipv6_dirport/ReachableDirAddresses based on IPv4/IPv6 and
983 * <b>fw_connection</b>.
984 * If pref_only, only choose preferred addresses. In either case, choose
985 * a preferred address before an address that's not preferred.
986 * If neither address is chosen, return 0, else return 1. */
987 int
989 firewall_connection_t fw_connection,
991 {
994 }
996 /* A dir_server_t always has a fake_status. As long as it has the same
997 * addresses/ports in both fake_status and dir_server_t, this works fine.
998 * (See #17867.)
999 * This function relies on fascist_firewall_choose_address_rs looking up the
1000 * addresses from the node if it can, because that will get the latest info
1001 * for the relay. */
1004 }
1006 /** Return 1 if <b>addr</b> is permitted to connect to our dir port,
1007 * based on <b>dir_policy</b>. Else return 0.
1008 */
1009 int
1011 {
1013 }
1015 /** Return 1 if <b>addr</b> is permitted to connect to our socks port,
1016 * based on <b>socks_policy</b>. Else return 0.
1017 */
1018 int
1020 {
1022 }
1024 /** Return true iff the address <b>addr</b> is in a country listed in the
1025 * case-insensitive list of country codes <b>cc_list</b>. */
1026 static int
1028 {
1029 country_t country;
1031 tor_addr_t tar;
1035 /* XXXXipv6 */
1040 }
1042 /** Return 1 if <b>addr</b>:<b>port</b> is permitted to publish to our
1043 * directory, based on <b>authdir_reject_policy</b>. Else return 0.
1044 */
1045 int
1047 {
1051 }
1053 /** Return 1 if <b>addr</b>:<b>port</b> is considered valid in our
1054 * directory, based on <b>authdir_invalid_policy</b>. Else return 0.
1055 */
1056 int
1058 {
1062 }
1064 /** Return 1 if <b>addr</b>:<b>port</b> should be marked as a bad exit,
1065 * based on <b>authdir_badexit_policy</b>. Else return 0.
1066 */
1067 int
1069 {
1073 }
1075 #define REJECT(arg) \
1076 STMT_BEGIN *msg = tor_strdup(arg); goto err; STMT_END
1078 /** Config helper: If there's any problem with the policy configuration
1079 * options in <b>options</b>, return -1 and set <b>msg</b> to a newly
1080 * allocated description of the error. Else return 0. */
1081 int
1083 {
1084 /* XXXX Maybe merge this into parse_policies_from_options, to make sure
1085 * that the two can't go out of sync. */
1092 }
1103 exitrelay_setting_is_auto &&
1104 policy_accepts_something) {
1105 /* Policy accepts something */
1108 "Tor is running as an exit relay%s. If you did not want this "
1109 "behavior, please set the ExitRelay option to 0. If you do "
1110 "want to run an exit Relay, please set the ExitRelay option "
1116 "In a future version of Tor, ExitRelay 0 may become the "
1118 }
1119 }
1121 /* The rest of these calls *append* to addr_policy. So don't actually
1122 * use the results for anything other than checking if they parse! */
1128 ADDR_POLICY_REJECT))
1131 ADDR_POLICY_REJECT))
1134 ADDR_POLICY_REJECT))
1138 ADDR_POLICY_ACCEPT))
1141 ADDR_POLICY_ACCEPT))
1144 ADDR_POLICY_ACCEPT))
1147 err:
1150 #undef REJECT
1151 }
1153 /** Parse <b>string</b> in the same way that the exit policy
1154 * is parsed, and put the processed version in *<b>policy</b>.
1155 * Ignore port specifiers.
1156 */
1157 static int
1161 {
1169 }
1172 /* ports aren't used in these. */
1183 }
1185 }
1188 }
1190 }
1192 /** Set all policies based on <b>options</b>, which should have been validated
1193 * first by validate_addr_policies. */
1194 int
1196 {
1216 }
1218 /** Compare two provided address policy items, and return -1, 0, or 1
1219 * if the first is less than, equal to, or greater than the second. */
1220 static int
1222 {
1228 /* refcnt and is_canonical are irrelevant to equality,
1229 * they are hash table implementation details */
1239 }
1241 /** Like cmp_single_addr_policy() above, but looks at the
1242 * whole set of policies in each case. */
1243 int
1245 {
1253 }
1258 else
1260 }
1262 /** Node in hashtable used to store address policy entries. */
1268 /* DOCDOC policy_root */
1271 /** Return true iff a and b are equal. */
1274 {
1276 }
1278 /** Return a hashcode for <b>ent</b> */
1279 static unsigned int
1281 {
1283 addr_policy_t aa;
1296 }
1299 }
1302 policy_eq)
1306 /** Given a pointer to an addr_policy_t, return a copy of the pointer to the
1307 * "canonical" copy of that addr_policy_t; the canonical copy is a single
1308 * reference-counted object. */
1309 addr_policy_t *
1311 {
1324 }
1329 }
1331 /** Helper for compare_tor_addr_to_addr_policy. Implements the case where
1332 * addr and port are both known. */
1333 static addr_policy_result_t
1336 {
1337 /* We know the address and port, and we know the policy, so we can just
1338 * compute an exact match. */
1343 }
1344 /* Address is known */
1346 CMP_EXACT)) {
1348 /* Exact match for the policy */
1351 }
1352 }
1355 /* accept all by default. */
1357 }
1359 /** Helper for compare_tor_addr_to_addr_policy. Implements the case where
1360 * addr is known but port is not. */
1361 static addr_policy_result_t
1364 {
1365 /* We look to see if there's a definite match. If so, we return that
1366 match's value, unless there's an intervening possible match that says
1367 something different. */
1374 }
1376 CMP_EXACT)) {
1378 /* Definitely matches, since it covers all ports. */
1380 /* If we already hit a clause that might trigger a 'reject', than we
1381 * can't be sure of this certain 'accept'.*/
1383 ADDR_POLICY_ACCEPTED;
1386 ADDR_POLICY_REJECTED;
1387 }
1389 /* Might match. */
1392 else
1394 }
1395 }
1398 /* accept all by default. */
1400 }
1402 /** Helper for compare_tor_addr_to_addr_policy. Implements the case where
1403 * port is known but address is not. */
1404 static addr_policy_result_t
1407 {
1408 /* We look to see if there's a definite match. If so, we return that
1409 match's value, unless there's an intervening possible match that says
1410 something different. */
1417 }
1420 /* Definitely matches, since it covers all addresses. */
1422 /* If we already hit a clause that might trigger a 'reject', than we
1423 * can't be sure of this certain 'accept'.*/
1425 ADDR_POLICY_ACCEPTED;
1428 ADDR_POLICY_REJECTED;
1429 }
1431 /* Might match. */
1434 else
1436 }
1437 }
1440 /* accept all by default. */
1442 }
1444 /** Decide whether a given addr:port is definitely accepted,
1445 * definitely rejected, probably accepted, or probably rejected by a
1446 * given policy. If <b>addr</b> is 0, we don't know the IP of the
1447 * target address. If <b>port</b> is 0, we don't know the port of the
1448 * target address. (At least one of <b>addr</b> and <b>port</b> must be
1449 * provided. If you want to know whether a policy would definitely reject
1450 * an unknown address:port, use policy_is_reject_star().)
1451 *
1452 * We could do better by assuming that some ranges never match typical
1453 * addresses (127.0.0.1, and so on). But we'll try this for now.
1454 */
1458 {
1460 /* no policy? accept all. */
1467 }
1473 }
1474 }
1476 /** Return true iff the address policy <b>a</b> covers every case that
1477 * would be covered by <b>b</b>, so that a,b is redundant. */
1478 static int
1480 {
1482 /* You can't cover a different family. */
1484 }
1485 /* We can ignore accept/reject, since "accept *:80, reject *:80" reduces
1486 * to "accept *:80". */
1488 /* a has more fixed bits than b; it can't possibly cover b. */
1490 }
1492 /* There's a fixed bit in a that's set differently in b. */
1494 }
1496 }
1498 /** Return true iff the address policies <b>a</b> and <b>b</b> intersect,
1499 * that is, there exists an address/port that is covered by <b>a</b> that
1500 * is also covered by <b>b</b>.
1501 */
1502 static int
1504 {
1505 maskbits_t minbits;
1506 /* All the bits we care about are those that are set in both
1507 * netmasks. If they are equal in a and b's networkaddresses
1508 * then the networks intersect. If there is a difference,
1509 * then they do not. */
1512 else
1519 }
1521 /** Add the exit policy described by <b>more</b> to <b>policy</b>.
1522 */
1523 STATIC void
1525 {
1526 config_line_t tmp;
1533 }
1534 }
1536 /** Add "reject <b>addr</b>:*" to <b>dest</b>, creating the list as needed. */
1537 void
1539 {
1557 }
1559 /* Is addr public for the purposes of rejection? */
1560 static int
1562 {
1565 }
1567 /* Add "reject <b>addr</b>:*" to <b>dest</b>, creating the list as needed.
1568 * Filter the address, only adding an IPv4 reject rule if ipv4_rules
1569 * is true, and similarly for ipv6_rules. Check each address returns true for
1570 * tor_addr_is_public_for_reject before adding it.
1571 */
1572 static void
1577 {
1581 /* Only reject IP addresses which are public */
1584 /* Reject IPv4 addresses and IPv6 addresses based on the filters */
1588 }
1589 }
1590 }
1592 /** Add "reject addr:*" to <b>dest</b>, for each addr in addrs, creating the
1593 * list as needed. */
1594 void
1597 {
1604 }
1606 /** Add "reject addr:*" to <b>dest</b>, for each addr in addrs, creating the
1607 * list as needed. Filter using */
1608 static void
1613 {
1620 }
1622 /** Detect and excise "dead code" from the policy *<b>dest</b>. */
1623 static void
1625 {
1629 /* Step one: kill every ipv4 thing after *4:*, every IPv6 thing after *6:*
1630 */
1631 {
1634 sa_family_t family;
1642 }
1645 /* This is a catch-all line -- later lines are unreachable. */
1650 }
1651 }
1652 }
1653 }
1655 /* Step two: for every entry, see if there's a redundant entry
1656 * later on, and remove it. */
1670 }
1671 }
1672 }
1674 /* Step three: for every entry A, see if there's an entry B making this one
1675 * redundant later on. This is the case if A and B are of the same type
1676 * (accept/reject), A is a subset of B, and there is no other entry of
1677 * different type in between those two that intersects with A.
1678 *
1679 * Anybody want to double-check the logic here? XXX
1680 */
1684 // tor_assert(j > i); // j starts out at i+1; j only increases; i only
1685 // // decreases.
1700 }
1701 }
1702 }
1703 }
1704 }
1706 /** Reject private helper for policies_parse_exit_policy_internal: rejects
1707 * publicly routable addresses on this exit relay.
1708 *
1709 * Add reject entries to the linked list *dest:
1710 * - if configured_addresses is non-NULL, add entries that reject each
1711 * tor_addr_t* in the list as a destination.
1712 * - if reject_interface_addresses is true, add entries that reject each
1713 * public IPv4 and IPv6 address of each interface on this machine.
1714 * - if reject_configured_port_addresses is true, add entries that reject
1715 * each IPv4 and IPv6 address configured for a port.
1716 *
1717 * IPv6 entries are only added if ipv6_exit is true. (All IPv6 addresses are
1718 * already blocked by policies_parse_exit_policy_internal if ipv6_exit is
1719 * false.)
1720 *
1721 * The list *dest is created as needed.
1722 */
1723 void
1730 {
1733 /* Reject configured addresses, if they are from public netblocks. */
1737 }
1739 /* Reject configured port addresses, if they are from public netblocks. */
1745 /* Only reject port IP addresses, not port unix sockets */
1748 }
1750 }
1752 /* Reject local addresses from public netblocks on any interface. */
1756 /* Reject public IPv4 addresses on any interface */
1761 /* Don't look for IPv6 addresses if we're configured as IPv4-only */
1763 /* Reject public IPv6 addresses on any interface */
1767 }
1768 }
1770 /* If addresses were added multiple times, remove all but one of them. */
1773 }
1774 }
1776 /**
1777 * Iterate through <b>policy</b> looking for redundant entries. Log a
1778 * warning message with the first redundant entry, if any is found.
1779 */
1780 static void
1782 {
1787 sa_family_t family;
1791 /* Look for accept/reject *[4|6|]:* entires */
1794 /* accept/reject *:* may have already been expanded into
1795 * accept/reject *4:*,accept/reject *6:*
1796 * But handle both forms.
1797 */
1800 }
1803 }
1804 }
1806 /* We also find accept *4:*,reject *6:* ; and
1807 * accept *4:*,<other policies>,accept *6:* ; and similar.
1808 * That's ok, because they make any subsequent entries redundant. */
1811 /* if we're not on the final entry in the list */
1814 }
1816 }
1819 /* Work out if there are redundant trailing entries in the policy list */
1822 /* Longest possible policy is
1823 * "accept6 ffff:ffff:..255/128:10000-65535",
1824 * which contains a max-length IPv6 address, plus 24 characters. */
1829 /* since we've already parsed the policy into an addr_policy_t struct,
1830 * we might not log exactly what the user typed in */
1833 "redundant, as it follows accept/reject *:* rules for both "
1834 "IPv4 and IPv6. They will be removed from the exit policy. (Use "
1836 line);
1837 }
1838 }
1840 #define DEFAULT_EXIT_POLICY \
1843 "reject *:6346-6429,reject *:6699,reject *:6881-6999,accept *:*"
1845 /** Parse the exit policy <b>cfg</b> into the linked list *<b>dest</b>.
1846 *
1847 * If <b>ipv6_exit</b> is false, prepend "reject *6:*" to the policy.
1848 *
1849 * If <b>rejectprivate</b> is true:
1850 * - prepend "reject private:*" to the policy.
1851 * - prepend entries that reject publicly routable addresses on this exit
1852 * relay by calling policies_parse_exit_policy_reject_private
1853 *
1854 * If cfg doesn't end in an absolute accept or reject and if
1855 * <b>add_default_policy</b> is true, add the default exit
1856 * policy afterwards.
1857 *
1858 * Return -1 if we can't parse cfg, else return 0.
1859 *
1860 * This function is used to parse the exit policy from our torrc. For
1861 * the functions used to parse the exit policy from a router descriptor,
1862 * see router_add_exit_policy.
1863 */
1864 static int
1873 {
1876 }
1878 /* Reject IPv4 and IPv6 reserved private netblocks */
1880 /* Reject IPv4 and IPv6 publicly routable addresses on this exit relay */
1883 configured_addresses,
1884 reject_interface_addresses,
1885 reject_configured_port_addresses);
1886 }
1890 /* Before we add the default policy and final rejects, check to see if
1891 * there are any lines after accept *:* or reject *:*. These lines have no
1892 * effect, and are most likely an error. */
1900 }
1904 }
1906 /** Parse exit policy in <b>cfg</b> into <b>dest</b> smartlist.
1907 *
1908 * Prepend an entry that rejects all IPv6 destinations unless
1909 * <b>EXIT_POLICY_IPV6_ENABLED</b> bit is set in <b>options</b> bitmask.
1910 *
1911 * If <b>EXIT_POLICY_REJECT_PRIVATE</b> bit is set in <b>options</b>:
1912 * - prepend an entry that rejects all destinations in all netblocks
1913 * reserved for private use.
1914 * - prepend entries that reject publicly routable addresses on this exit
1915 * relay by calling policies_parse_exit_policy_internal
1916 *
1917 * If <b>EXIT_POLICY_ADD_DEFAULT</b> bit is set in <b>options</b>, append
1918 * default exit policy entries to <b>result</b> smartlist.
1919 */
1920 int
1922 exit_policy_parser_cfg_t options,
1924 {
1930 reject_private,
1931 configured_addresses,
1932 reject_private,
1933 reject_private,
1934 add_default);
1935 }
1937 /** Helper function that adds a copy of addr to a smartlist as long as it is
1938 * non-NULL and not tor_addr_is_null().
1939 *
1940 * The caller is responsible for freeing all the tor_addr_t* in the smartlist.
1941 */
1942 static void
1944 {
1949 }
1950 }
1952 /** Helper function that adds ipv4h_addr to a smartlist as a tor_addr_t *,
1953 * as long as it is not tor_addr_is_null(), by converting it to a tor_addr_t
1954 * and passing it to policies_add_addr_to_smartlist.
1955 *
1956 * The caller is responsible for freeing all the tor_addr_t* in the smartlist.
1957 */
1958 static void
1960 {
1962 tor_addr_t ipv4_tor_addr;
1965 }
1966 }
1968 /** Helper function that adds copies of
1969 * or_options->OutboundBindAddressIPv[4|6]_ to a smartlist as tor_addr_t *, as
1970 * long as or_options is non-NULL, and the addresses are not
1971 * tor_addr_is_null(), by passing them to policies_add_addr_to_smartlist.
1972 *
1973 * The caller is responsible for freeing all the tor_addr_t* in the smartlist.
1974 */
1975 static void
1978 {
1984 }
1985 }
1987 /** Parse <b>ExitPolicy</b> member of <b>or_options</b> into <b>result</b>
1988 * smartlist.
1989 * If <b>or_options->IPv6Exit</b> is false, prepend an entry that
1990 * rejects all IPv6 destinations.
1991 *
1992 * If <b>or_options->ExitPolicyRejectPrivate</b> is true:
1993 * - prepend an entry that rejects all destinations in all netblocks reserved
1994 * for private use.
1995 * - if local_address is non-zero, treat it as a host-order IPv4 address, and
1996 * add it to the list of configured addresses.
1997 * - if ipv6_local_address is non-NULL, and not the null tor_addr_t, add it
1998 * to the list of configured addresses.
1999 * - if or_options->OutboundBindAddressIPv4_ is not the null tor_addr_t, add
2000 * it to the list of configured addresses.
2001 * - if or_options->OutboundBindAddressIPv6_ is not the null tor_addr_t, add
2002 * it to the list of configured addresses.
2003 *
2004 * If <b>or_options->BridgeRelay</b> is false, append entries of default
2005 * Tor exit policy into <b>result</b> smartlist.
2006 *
2007 * If or_options->ExitRelay is false, then make our exit policy into
2008 * "reject *:*" regardless.
2009 */
2010 int
2015 {
2020 /* Short-circuit for non-exit relays */
2025 }
2029 /* Configure the parser */
2032 }
2036 }
2040 }
2042 /* Copy the configured addresses into the tor_addr_t* list */
2046 or_options);
2049 configured_addresses);
2055 }
2057 /** Add "reject *:*" to the end of the policy in *<b>dest</b>, allocating
2058 * *<b>dest</b> as needed. */
2059 void
2061 {
2064 }
2066 /** Replace the exit policy of <b>node</b> with reject *:* */
2067 void
2069 {
2071 }
2073 /** Return 1 if there is at least one /8 subnet in <b>policy</b> that
2074 * allows exiting to <b>port</b>. Otherwise, return 0. */
2075 static int
2077 {
2079 /* Is this /8 rejected (1), or undecided (0)? */
2095 /* Calculate the first and last subnet that this exit policy touches
2096 * and set it as loop boundaries. */
2098 tor_addr_t addr;
2107 /* We found an allowed subnet of at least size /8. Done
2108 * for this port! */
2112 }
2113 }
2116 }
2118 /** Return true iff <b>ri</b> is "useful as an exit node", meaning
2119 * it allows exit to at least one /8 address space for at least
2120 * two of ports 80, 443, and 6667. */
2121 int
2123 {
2132 }
2134 }
2136 /** Return false if <b>policy</b> might permit access to some addr:port;
2137 * otherwise if we are certain it rejects everything, return true. */
2138 int
2140 {
2154 }
2157 }
2159 /** Write a single address policy to the buf_len byte buffer at buf. Return
2160 * the number of characters written, or -1 on failure. */
2161 int
2164 {
2175 /* write accept/reject 1.2.3.4 */
2185 else
2189 }
2194 addrpart);
2198 /* If the maskbits is 32 (IPv4) or 128 (IPv6) we don't need to give it. If
2199 the mask is 0, we already wrote "*". */
2204 }
2206 /* There is no port set; write ":*" */
2212 /* There is only one port; write ":80". */
2218 /* There is a range of ports; write ":79-80". */
2224 }
2227 else
2231 }
2233 /** Create a new exit policy summary, initially only with a single
2234 * port 1-64k item */
2235 /* XXXX This entire thing will do most stuff in O(N^2), or worse. Use an
2236 * RB-tree if that turns out to matter. */
2239 {
2253 }
2255 /** Split the summary item in <b>item</b> at the port <b>new_starts</b>.
2256 * The current item is changed to end at new-starts - 1, the new item
2257 * copies reject_count and accepted from the old item,
2258 * starts at new_starts and ends at the port where the original item
2259 * previously ended.
2260 */
2263 {
2277 }
2279 /* XXXX Nick says I'm going to hell for this. If he feels charitably towards
2280 * my immortal soul, he can clean it up himself. */
2281 #define AT(x) ((policy_summary_item_t*)smartlist_get(summary, x))
2283 #define REJECT_CUTOFF_COUNT (1<<25)
2284 /** Split an exit policy summary so that prt_min and prt_max
2285 * fall at exactly the start and end of an item respectively.
2286 */
2287 static int
2290 {
2296 i++;
2301 i++;
2302 }
2306 i++;
2311 }
2314 }
2316 /** Mark port ranges as accepted if they are below the reject_count */
2317 static void
2320 {
2327 i++;
2328 }
2330 }
2332 /** Count the number of addresses in a network with prefixlen maskbits
2333 * against the given portrange. */
2334 static void
2336 maskbits_t maskbits,
2338 {
2340 /* XXX: ipv4 specific */
2345 i++;
2346 }
2348 }
2350 /** Add a single exit policy item to our summary:
2351 * If it is an accept ignore it unless it is for all IP addresses
2352 * ("*"), i.e. it's prefixlen/maskbits is 0, else call
2353 * policy_summary_accept().
2354 * If it's a reject ignore it if it is about one of the private
2355 * networks, else call policy_summary_reject().
2356 */
2357 static void
2359 {
2363 }
2369 tor_addr_t addr;
2370 maskbits_t maskbits;
2374 }
2379 }
2380 }
2384 }
2387 }
2389 /** Create a string representing a summary for an exit policy.
2390 * The summary will either be an "accept" plus a comma-separated list of port
2391 * ranges or a "reject" plus port-ranges, depending on which is shorter.
2392 *
2393 * If no exits are allowed at all then "reject 1-65535" is returned. If no
2394 * ports are blocked instead of "reject " we return "accept 1-65535". (These
2395 * are an exception to the shorter-representation-wins rule).
2396 */
2399 {
2409 /* Create the summary list */
2414 }
2417 /* XXXX-ipv6 More family work is needed */
2421 /* Now create two lists of strings, one for accepted and one
2422 * for rejected ports. We take care to merge ranges so that
2423 * we avoid getting stuff like "1-4,5-9,10", instead we want
2424 * "1-10"
2425 */
2438 else
2443 else
2450 };
2451 i++;
2452 };
2454 /* Figure out which of the two stringlists will be shorter and use
2455 * that to build the result
2456 */
2460 }
2464 }
2477 c--;
2488 }
2492 cleanup:
2493 /* cleanup */
2506 }
2508 /** Convert a summarized policy string into a short_policy_t. Return NULL
2509 * if the string is not well-formed. */
2510 short_policy_t *
2512 {
2529 }
2546 }
2549 /* unrecognized entry format. skip it. */
2551 }
2553 /* empty; skip it. */
2554 /* XXX This happens to be unreachable, since if len==0, then *summary is
2555 * ',' or '\0', and the TOR_ISDIGIT test above would have failed. */
2557 }
2567 }
2573 }
2579 }
2583 n_entries++;
2584 }
2590 }
2592 {
2598 }
2604 }
2606 /** Write <b>policy</b> back out into a string. Used only for unit tests
2607 * currently. */
2610 {
2623 }
2626 }
2631 }
2633 /** Release all storage held in <b>policy</b>. */
2634 void
2636 {
2638 }
2640 /** See whether the <b>addr</b>:<b>port</b> address is likely to be accepted
2641 * or rejected by the summarized policy <b>policy</b>. Return values are as
2642 * for compare_tor_addr_to_addr_policy. Unlike the regular addr_policy
2643 * functions, requires the <b>port</b> be specified. */
2644 addr_policy_result_t
2647 {
2666 }
2667 }
2671 else
2674 /* ???? are these right? -NM */
2675 /* We should be sure not to return ADDR_POLICY_ACCEPTED in the accept
2676 * case here, because it would cause clients to believe that the node
2677 * allows exit enclaving. Trying it anyway would open up a cool attack
2678 * where the node refuses due to exitpolicy, the client reacts in
2679 * surprise by rewriting the node's exitpolicy to reject *:*, and then
2680 * a bad guy targets users by causing them to attempt such connections
2681 * to 98% of the exits.
2682 *
2683 * Once microdescriptors can handle addresses in special cases (e.g. if
2684 * we ever solve ticket 1774), we can provide certainty here. -RD */
2687 else
2689 }
2691 /** Return true iff <b>policy</b> seems reject all ports */
2692 int
2694 {
2695 /* This doesn't need to be as much on the lookout as policy_is_reject_star,
2696 * since policy summaries are from the consensus or from consensus
2697 * microdescs.
2698 */
2700 /* Check for an exact match of "reject 1-65535". */
2704 }
2706 /** Decide whether addr:port is probably or definitely accepted or rejected by
2707 * <b>node</b>. See compare_tor_addr_to_addr_policy for details on addr/port
2708 * interpretation. */
2709 addr_policy_result_t
2712 {
2724 else
2726 }
2733 else
2738 }
2739 }
2741 /**
2742 * Given <b>policy_list</b>, a list of addr_policy_t, produce a string
2743 * representation of the list.
2744 * If <b>include_ipv4</b> is true, include IPv4 entries.
2745 * If <b>include_ipv6</b> is true, include IPv6 entries.
2746 */
2751 {
2762 }
2765 }
2774 }
2781 done:
2786 }
2788 /** Implementation for GETINFO control command: knows the answer for questions
2789 * about "exit-policy/..." */
2790 int
2794 {
2806 /* IPv6 addresses are in "[]" and contain ":",
2807 * IPv4 addresses are not in "[]" and contain "." */
2809 priv++;
2810 }
2824 }
2829 }
2834 /* Copy the configured addresses into the tor_addr_t* list */
2838 options);
2843 configured_addresses,
2864 }
2869 }
2872 }
2874 }
2876 /** Release all storage held by <b>p</b>. */
2877 void
2879 {
2884 }
2886 /** Release all storage held by <b>p</b>. */
2887 void
2889 {
2901 }
2902 }
2904 }
2905 }
2907 /** Release all storage held by policy variables. */
2908 void
2910 {
2934 /* Note the first 10 cached policies to try to figure out where they
2935 * might be coming from. */
2941 }
2942 }
2944 }