1 /* Copyright (c) 2001-2004, Roger Dingledine.
2 * Copyright (c) 2004-2006, Roger Dingledine, Nick Mathewson.
3 * Copyright (c) 2007-2008, The Tor Project, Inc. */
4 /* See LICENSE for licensing information */
8 * \brief Code to parse and use address policies and exit policies.
14 /** Policy that addresses for incoming SOCKS connections must match. */
15 static smartlist_t
*socks_policy
= NULL
;
16 /** Policy that addresses for incoming directory connections must match. */
17 static smartlist_t
*dir_policy
= NULL
;
18 /** Policy that addresses for incoming router descriptors must match in order
19 * to be published by us. */
20 static smartlist_t
*authdir_reject_policy
= NULL
;
21 /** Policy that addresses for incoming router descriptors must match in order
22 * to be marked as valid in our networkstatus. */
23 static smartlist_t
*authdir_invalid_policy
= NULL
;
24 /** Policy that addresses for incoming router descriptors must <b>not</b>
25 * match in order to not be marked as BadDirectory. */
26 static smartlist_t
*authdir_baddir_policy
= NULL
;
27 /** Policy that addresses for incoming router descriptors must <b>not</b>
28 * match in order to not be marked as BadExit. */
29 static smartlist_t
*authdir_badexit_policy
= NULL
;
31 /** Parsed addr_policy_t describing which addresses we believe we can start
33 static smartlist_t
*reachable_or_addr_policy
= NULL
;
34 /** Parsed addr_policy_t describing which addresses we believe we can connect
35 * to directories at. */
36 static smartlist_t
*reachable_dir_addr_policy
= NULL
;
38 /** Element of an exit policy summary */
39 typedef struct policy_summary_item_t
{
40 uint16_t prt_min
; /**< Lowest port number to accept/reject. */
41 uint16_t prt_max
; /**< Highest port number to accept/reject. */
42 uint64_t reject_count
; /**< Number of IP-Addresses that are rejected to
44 int accepted
:1; /** Has this port already been accepted */
45 } policy_summary_item_t
;
47 /** Private networks. This list is used in two places, once to expand the
48 * "private" keyword when parsing our own exit policy, secondly to ignore
49 * just such networks when building exit policy summaries. It is important
50 * that all authorities agree on that list when creating summaries, so don't
51 * just change this without a proper migration plan and a proposal and stuff.
53 static const char *private_nets
[] = {
54 "0.0.0.0/8", "169.254.0.0/16",
55 "127.0.0.0/8", "192.168.0.0/16", "10.0.0.0/8", "172.16.0.0/12",
56 // "fc00::/7", "fe80::/10", "fec0::/10", "::/127",
59 /** Replace all "private" entries in *<b>policy</b> with their expanded
62 policy_expand_private(smartlist_t
**policy
)
64 uint16_t port_min
, port_max
;
69 if (!*policy
) /*XXXX disallow NULL policies? */
72 tmp
= smartlist_create();
74 SMARTLIST_FOREACH(*policy
, addr_policy_t
*, p
,
76 if (! p
->is_private
) {
77 smartlist_add(tmp
, p
);
80 for (i
= 0; private_nets
[i
]; ++i
) {
82 memcpy(&policy
, p
, sizeof(addr_policy_t
));
83 policy
.is_private
= 0;
84 policy
.is_canonical
= 0;
85 if (tor_addr_parse_mask_ports(private_nets
[i
], &policy
.addr
,
86 &policy
.maskbits
, &port_min
, &port_max
)<0) {
89 smartlist_add(tmp
, addr_policy_get_canonical_entry(&policy
));
94 smartlist_free(*policy
);
99 * Given a linked list of config lines containing "allow" and "deny"
100 * tokens, parse them and append the result to <b>dest</b>. Return -1
101 * if any tokens are malformed (and don't append any), else return 0.
103 * If <b>assume_action</b> is nonnegative, then insert its action
104 * (ADDR_POLICY_ACCEPT or ADDR_POLICY_REJECT) for items that specify no
108 parse_addr_policy(config_line_t
*cfg
, smartlist_t
**dest
,
112 smartlist_t
*entries
;
119 result
= smartlist_create();
120 entries
= smartlist_create();
121 for (; cfg
; cfg
= cfg
->next
) {
122 smartlist_split_string(entries
, cfg
->value
, ",",
123 SPLIT_SKIP_SPACE
|SPLIT_IGNORE_BLANK
, 0);
124 SMARTLIST_FOREACH(entries
, const char *, ent
,
126 log_debug(LD_CONFIG
,"Adding new entry '%s'",ent
);
127 item
= router_parse_addr_policy_item_from_string(ent
, assume_action
);
129 smartlist_add(result
, item
);
131 log_warn(LD_CONFIG
,"Malformed policy '%s'.", ent
);
135 SMARTLIST_FOREACH(entries
, char *, ent
, tor_free(ent
));
136 smartlist_clear(entries
);
138 smartlist_free(entries
);
140 addr_policy_list_free(result
);
142 policy_expand_private(&result
);
145 smartlist_add_all(*dest
, result
);
146 smartlist_free(result
);
155 /** Helper: parse the Reachable(Dir|OR)?Addresses fields into
156 * reachable_(or|dir)_addr_policy. The options should already have
157 * been validated by validate_addr_policies.
160 parse_reachable_addresses(void)
162 or_options_t
*options
= get_options();
165 if (options
->ReachableDirAddresses
&&
166 options
->ReachableORAddresses
&&
167 options
->ReachableAddresses
) {
169 "Both ReachableDirAddresses and ReachableORAddresses are set. "
170 "ReachableAddresses setting will be ignored.");
172 addr_policy_list_free(reachable_or_addr_policy
);
173 reachable_or_addr_policy
= NULL
;
174 if (!options
->ReachableORAddresses
&& options
->ReachableAddresses
)
176 "Using ReachableAddresses as ReachableORAddresses.");
177 if (parse_addr_policy(options
->ReachableORAddresses
?
178 options
->ReachableORAddresses
:
179 options
->ReachableAddresses
,
180 &reachable_or_addr_policy
, ADDR_POLICY_ACCEPT
)) {
182 "Error parsing Reachable%sAddresses entry; ignoring.",
183 options
->ReachableORAddresses
? "OR" : "");
187 addr_policy_list_free(reachable_dir_addr_policy
);
188 reachable_dir_addr_policy
= NULL
;
189 if (!options
->ReachableDirAddresses
&& options
->ReachableAddresses
)
191 "Using ReachableAddresses as ReachableDirAddresses");
192 if (parse_addr_policy(options
->ReachableDirAddresses
?
193 options
->ReachableDirAddresses
:
194 options
->ReachableAddresses
,
195 &reachable_dir_addr_policy
, ADDR_POLICY_ACCEPT
)) {
196 if (options
->ReachableDirAddresses
)
198 "Error parsing ReachableDirAddresses entry; ignoring.");
204 /** Return true iff the firewall options might block any address:port
208 firewall_is_fascist_or(void)
210 return reachable_or_addr_policy
!= NULL
;
213 /** Return true iff <b>policy</b> (possibly NULL) will allow a
214 * connection to <b>addr</b>:<b>port</b>.
217 addr_policy_permits_tor_addr(const tor_addr_t
*addr
, uint16_t port
,
220 addr_policy_result_t p
;
221 p
= compare_tor_addr_to_addr_policy(addr
, port
, policy
);
223 case ADDR_POLICY_PROBABLY_ACCEPTED
:
224 case ADDR_POLICY_ACCEPTED
:
226 case ADDR_POLICY_PROBABLY_REJECTED
:
227 case ADDR_POLICY_REJECTED
:
230 log_warn(LD_BUG
, "Unexpected result: %d", (int)p
);
235 /** Return true iff <b> policy</b> (possibly NULL) will allow a connection to
236 * <b>addr</b>:<b>port</b>. <b>addr</b> is an IPv4 address given in host
238 /* XXXX deprecate when possible. */
240 addr_policy_permits_address(uint32_t addr
, uint16_t port
,
244 tor_addr_from_ipv4h(&a
, addr
);
245 return addr_policy_permits_tor_addr(&a
, port
, policy
);
248 /** Return true iff we think our firewall will let us make an OR connection to
251 fascist_firewall_allows_address_or(const tor_addr_t
*addr
, uint16_t port
)
253 return addr_policy_permits_tor_addr(addr
, port
,
254 reachable_or_addr_policy
);
257 /** Return true iff we think our firewall will let us make an OR connection to
260 fascist_firewall_allows_or(routerinfo_t
*ri
)
262 /* XXXX proposal 118 */
264 tor_addr_from_ipv4h(&addr
, ri
->addr
);
265 return fascist_firewall_allows_address_or(&addr
, ri
->or_port
);
268 /** Return true iff we think our firewall will let us make a directory
269 * connection to addr:port. */
271 fascist_firewall_allows_address_dir(const tor_addr_t
*addr
, uint16_t port
)
273 return addr_policy_permits_tor_addr(addr
, port
,
274 reachable_dir_addr_policy
);
277 /** Return 1 if <b>addr</b> is permitted to connect to our dir port,
278 * based on <b>dir_policy</b>. Else return 0.
281 dir_policy_permits_address(const tor_addr_t
*addr
)
283 return addr_policy_permits_tor_addr(addr
, 1, dir_policy
);
286 /** Return 1 if <b>addr</b> is permitted to connect to our socks port,
287 * based on <b>socks_policy</b>. Else return 0.
290 socks_policy_permits_address(const tor_addr_t
*addr
)
292 return addr_policy_permits_tor_addr(addr
, 1, socks_policy
);
295 /** Return 1 if <b>addr</b>:<b>port</b> is permitted to publish to our
296 * directory, based on <b>authdir_reject_policy</b>. Else return 0.
299 authdir_policy_permits_address(uint32_t addr
, uint16_t port
)
301 return addr_policy_permits_address(addr
, port
, authdir_reject_policy
);
304 /** Return 1 if <b>addr</b>:<b>port</b> is considered valid in our
305 * directory, based on <b>authdir_invalid_policy</b>. Else return 0.
308 authdir_policy_valid_address(uint32_t addr
, uint16_t port
)
310 return addr_policy_permits_address(addr
, port
, authdir_invalid_policy
);
313 /** Return 1 if <b>addr</b>:<b>port</b> should be marked as a bad dir,
314 * based on <b>authdir_baddir_policy</b>. Else return 0.
317 authdir_policy_baddir_address(uint32_t addr
, uint16_t port
)
319 return ! addr_policy_permits_address(addr
, port
, authdir_baddir_policy
);
322 /** Return 1 if <b>addr</b>:<b>port</b> should be marked as a bad exit,
323 * based on <b>authdir_badexit_policy</b>. Else return 0.
326 authdir_policy_badexit_address(uint32_t addr
, uint16_t port
)
328 return ! addr_policy_permits_address(addr
, port
, authdir_badexit_policy
);
331 #define REJECT(arg) \
332 STMT_BEGIN *msg = tor_strdup(arg); goto err; STMT_END
334 /** Config helper: If there's any problem with the policy configuration
335 * options in <b>options</b>, return -1 and set <b>msg</b> to a newly
336 * allocated description of the error. Else return 0. */
338 validate_addr_policies(or_options_t
*options
, char **msg
)
340 /* XXXX Maybe merge this into parse_policies_from_options, to make sure
341 * that the two can't go out of sync. */
343 smartlist_t
*addr_policy
=NULL
;
346 if (policies_parse_exit_policy(options
->ExitPolicy
, &addr_policy
,
347 options
->ExitPolicyRejectPrivate
, NULL
))
348 REJECT("Error in ExitPolicy entry.");
350 /* The rest of these calls *append* to addr_policy. So don't actually
351 * use the results for anything other than checking if they parse! */
352 if (parse_addr_policy(options
->DirPolicy
, &addr_policy
, -1))
353 REJECT("Error in DirPolicy entry.");
354 if (parse_addr_policy(options
->SocksPolicy
, &addr_policy
, -1))
355 REJECT("Error in SocksPolicy entry.");
356 if (parse_addr_policy(options
->AuthDirReject
, &addr_policy
,
358 REJECT("Error in AuthDirReject entry.");
359 if (parse_addr_policy(options
->AuthDirInvalid
, &addr_policy
,
361 REJECT("Error in AuthDirInvalid entry.");
362 if (parse_addr_policy(options
->AuthDirBadDir
, &addr_policy
,
364 REJECT("Error in AuthDirBadDir entry.");
365 if (parse_addr_policy(options
->AuthDirBadExit
, &addr_policy
,
367 REJECT("Error in AuthDirBadExit entry.");
369 if (parse_addr_policy(options
->ReachableAddresses
, &addr_policy
,
371 REJECT("Error in ReachableAddresses entry.");
372 if (parse_addr_policy(options
->ReachableORAddresses
, &addr_policy
,
374 REJECT("Error in ReachableORAddresses entry.");
375 if (parse_addr_policy(options
->ReachableDirAddresses
, &addr_policy
,
377 REJECT("Error in ReachableDirAddresses entry.");
378 if (parse_addr_policy(options
->AuthDirReject
, &addr_policy
,
380 REJECT("Error in AuthDirReject entry.");
381 if (parse_addr_policy(options
->AuthDirInvalid
, &addr_policy
,
383 REJECT("Error in AuthDirInvalid entry.");
386 addr_policy_list_free(addr_policy
);
387 return *msg
? -1 : 0;
391 /** Parse <b>string</b> in the same way that the exit policy
392 * is parsed, and put the processed version in *<b>policy</b>.
393 * Ignore port specifiers.
396 load_policy_from_option(config_line_t
*config
, smartlist_t
**policy
,
400 addr_policy_list_free(*policy
);
402 r
= parse_addr_policy(config
, policy
, assume_action
);
407 SMARTLIST_FOREACH_BEGIN(*policy
, addr_policy_t
*, n
) {
408 /* ports aren't used in these. */
409 if (n
->prt_min
> 1 || n
->prt_max
!= 65535) {
410 addr_policy_t newp
, *c
;
411 memcpy(&newp
, n
, sizeof(newp
));
413 newp
.prt_max
= 65535;
414 c
= addr_policy_get_canonical_entry(&newp
);
415 SMARTLIST_REPLACE_CURRENT(*policy
, n
, c
);
418 } SMARTLIST_FOREACH_END(n
);
423 /** Set all policies based on <b>options</b>, which should have been validated
424 * first by validate_addr_policies. */
426 policies_parse_from_options(or_options_t
*options
)
429 if (load_policy_from_option(options
->SocksPolicy
, &socks_policy
, -1) < 0)
431 if (load_policy_from_option(options
->DirPolicy
, &dir_policy
, -1) < 0)
433 if (load_policy_from_option(options
->AuthDirReject
,
434 &authdir_reject_policy
, ADDR_POLICY_REJECT
) < 0)
436 if (load_policy_from_option(options
->AuthDirInvalid
,
437 &authdir_invalid_policy
, ADDR_POLICY_REJECT
) < 0)
439 if (load_policy_from_option(options
->AuthDirBadDir
,
440 &authdir_baddir_policy
, ADDR_POLICY_REJECT
) < 0)
442 if (load_policy_from_option(options
->AuthDirBadExit
,
443 &authdir_badexit_policy
, ADDR_POLICY_REJECT
) < 0)
445 if (parse_reachable_addresses() < 0)
450 /** Compare two provided address policy items, and return -1, 0, or 1
451 * if the first is less than, equal to, or greater than the second. */
453 cmp_single_addr_policy(addr_policy_t
*a
, addr_policy_t
*b
)
456 if ((r
=((int)a
->policy_type
- (int)b
->policy_type
)))
458 if ((r
=((int)a
->is_private
- (int)b
->is_private
)))
460 if ((r
=tor_addr_compare(&a
->addr
, &b
->addr
, CMP_EXACT
)))
462 if ((r
=((int)a
->maskbits
- (int)b
->maskbits
)))
464 if ((r
=((int)a
->prt_min
- (int)b
->prt_min
)))
466 if ((r
=((int)a
->prt_max
- (int)b
->prt_max
)))
471 /** Like cmp_single_addr_policy() above, but looks at the
472 * whole set of policies in each case. */
474 cmp_addr_policies(smartlist_t
*a
, smartlist_t
*b
)
477 int len_a
= a
? smartlist_len(a
) : 0;
478 int len_b
= b
? smartlist_len(b
) : 0;
480 for (i
= 0; i
< len_a
&& i
< len_b
; ++i
) {
481 if ((r
= cmp_single_addr_policy(smartlist_get(a
, i
), smartlist_get(b
, i
))))
484 if (i
== len_a
&& i
== len_b
)
492 /** Node in hashtable used to store address policy entries. */
493 typedef struct policy_map_ent_t
{
494 HT_ENTRY(policy_map_ent_t
) node
;
495 addr_policy_t
*policy
;
498 static HT_HEAD(policy_map
, policy_map_ent_t
) policy_root
= HT_INITIALIZER();
500 /** Return true iff a and b are equal. */
502 policy_eq(policy_map_ent_t
*a
, policy_map_ent_t
*b
)
504 return cmp_single_addr_policy(a
->policy
, b
->policy
) == 0;
507 /** Return a hashcode for <b>ent</b> */
509 policy_hash(policy_map_ent_t
*ent
)
511 addr_policy_t
*a
= ent
->policy
;
516 r
= tor_addr_hash(&a
->addr
);
517 r
+= a
->prt_min
<< 8;
518 r
+= a
->prt_max
<< 16;
520 if (a
->policy_type
== ADDR_POLICY_REJECT
)
526 HT_PROTOTYPE(policy_map
, policy_map_ent_t
, node
, policy_hash
,
528 HT_GENERATE(policy_map
, policy_map_ent_t
, node
, policy_hash
,
529 policy_eq
, 0.6, malloc
, realloc
, free
)
531 /** Given a pointer to an addr_policy_t, return a copy of the pointer to the
532 * "canonical" copy of that addr_policy_t; the canonical copy is a single
533 * reference-counted object. */
535 addr_policy_get_canonical_entry(addr_policy_t
*e
)
537 policy_map_ent_t search
, *found
;
542 found
= HT_FIND(policy_map
, &policy_root
, &search
);
544 found
= tor_malloc_zero(sizeof(policy_map_ent_t
));
545 found
->policy
= tor_memdup(e
, sizeof(addr_policy_t
));
546 found
->policy
->is_canonical
= 1;
547 found
->policy
->refcnt
= 0;
548 HT_INSERT(policy_map
, &policy_root
, found
);
551 tor_assert(!cmp_single_addr_policy(found
->policy
, e
));
552 ++found
->policy
->refcnt
;
553 return found
->policy
;
556 /** As compare_tor_addr_to_addr_policy, but instead of a tor_addr_t, takes
559 compare_addr_to_addr_policy(uint32_t addr
, uint16_t port
,
560 const smartlist_t
*policy
)
562 /*XXXX deprecate this function when possible. */
564 tor_addr_from_ipv4h(&a
, addr
);
565 return compare_tor_addr_to_addr_policy(&a
, port
, policy
);
568 /** Helper for compare_tor_addr_to_addr_policy. Implements the case where
569 * addr and port are both known. */
570 static addr_policy_result_t
571 compare_known_tor_addr_to_addr_policy(const tor_addr_t
*addr
, uint16_t port
,
572 const smartlist_t
*policy
)
574 /* We know the address and port, and we know the policy, so we can just
575 * compute an exact match. */
576 SMARTLIST_FOREACH_BEGIN(policy
, addr_policy_t
*, tmpe
) {
577 /* Address is known */
578 if (!tor_addr_compare_masked(addr
, &tmpe
->addr
, tmpe
->maskbits
,
580 if (port
>= tmpe
->prt_min
&& port
<= tmpe
->prt_max
) {
581 /* Exact match for the policy */
582 return tmpe
->policy_type
== ADDR_POLICY_ACCEPT
?
583 ADDR_POLICY_ACCEPTED
: ADDR_POLICY_REJECTED
;
586 } SMARTLIST_FOREACH_END(tmpe
);
588 /* accept all by default. */
589 return ADDR_POLICY_ACCEPTED
;
592 /** Helper for compare_tor_addr_to_addr_policy. Implements the case where
593 * addr is known but port is not. */
594 static addr_policy_result_t
595 compare_known_tor_addr_to_addr_policy_noport(const tor_addr_t
*addr
,
596 const smartlist_t
*policy
)
598 /* We look to see if there's a definite match. If so, we return that
599 match's value, unless there's an intervening possible match that says
600 something different. */
601 int maybe_accept
= 0, maybe_reject
= 0;
603 SMARTLIST_FOREACH_BEGIN(policy
, addr_policy_t
*, tmpe
) {
604 if (!tor_addr_compare_masked(addr
, &tmpe
->addr
, tmpe
->maskbits
,
606 if (tmpe
->prt_min
<= 1 && tmpe
->prt_max
>= 65535) {
607 /* Definitely matches, since it covers all ports. */
608 if (tmpe
->policy_type
== ADDR_POLICY_ACCEPT
) {
609 /* If we already hit a clause that might trigger a 'reject', than we
610 * can't be sure of this certain 'accept'.*/
611 return maybe_reject
? ADDR_POLICY_PROBABLY_ACCEPTED
:
612 ADDR_POLICY_ACCEPTED
;
614 return maybe_accept
? ADDR_POLICY_PROBABLY_REJECTED
:
615 ADDR_POLICY_REJECTED
;
619 if (tmpe
->policy_type
== ADDR_POLICY_REJECT
)
625 } SMARTLIST_FOREACH_END(tmpe
);
627 /* accept all by default. */
628 return maybe_reject
? ADDR_POLICY_PROBABLY_ACCEPTED
: ADDR_POLICY_ACCEPTED
;
631 /** Helper for compare_tor_addr_to_addr_policy. Implements the case where
632 * port is known but address is not. */
633 static addr_policy_result_t
634 compare_unknown_tor_addr_to_addr_policy(uint16_t port
,
635 const smartlist_t
*policy
)
637 /* We look to see if there's a definite match. If so, we return that
638 match's value, unless there's an intervening possible match that says
639 something different. */
640 int maybe_accept
= 0, maybe_reject
= 0;
642 SMARTLIST_FOREACH_BEGIN(policy
, addr_policy_t
*, tmpe
) {
643 if (tmpe
->prt_min
<= port
&& port
<= tmpe
->prt_max
) {
644 if (tmpe
->maskbits
== 0) {
645 /* Definitely matches, since it covers all addresses. */
646 if (tmpe
->policy_type
== ADDR_POLICY_ACCEPT
) {
647 /* If we already hit a clause that might trigger a 'reject', than we
648 * can't be sure of this certain 'accept'.*/
649 return maybe_reject
? ADDR_POLICY_PROBABLY_ACCEPTED
:
650 ADDR_POLICY_ACCEPTED
;
652 return maybe_accept
? ADDR_POLICY_PROBABLY_REJECTED
:
653 ADDR_POLICY_REJECTED
;
657 if (tmpe
->policy_type
== ADDR_POLICY_REJECT
)
663 } SMARTLIST_FOREACH_END(tmpe
);
665 /* accept all by default. */
666 return maybe_reject
? ADDR_POLICY_PROBABLY_ACCEPTED
: ADDR_POLICY_ACCEPTED
;
669 /** Decide whether a given addr:port is definitely accepted,
670 * definitely rejected, probably accepted, or probably rejected by a
671 * given policy. If <b>addr</b> is 0, we don't know the IP of the
672 * target address. If <b>port</b> is 0, we don't know the port of the
673 * target address. (At least one of <b>addr</b> and <b>port</b> must be
674 * provided. If you want to know whether a policy would definitely reject
675 * an unknown address:port, use policy_is_reject_star().)
677 * We could do better by assuming that some ranges never match typical
678 * addresses (127.0.0.1, and so on). But we'll try this for now.
681 compare_tor_addr_to_addr_policy(const tor_addr_t
*addr
, uint16_t port
,
682 const smartlist_t
*policy
)
685 /* no policy? accept all. */
686 return ADDR_POLICY_ACCEPTED
;
687 } else if (tor_addr_is_null(addr
)) {
688 tor_assert(port
!= 0);
689 return compare_unknown_tor_addr_to_addr_policy(port
, policy
);
690 } else if (port
== 0) {
691 return compare_known_tor_addr_to_addr_policy_noport(addr
, policy
);
693 return compare_known_tor_addr_to_addr_policy(addr
, port
, policy
);
697 /** Return true iff the address policy <b>a</b> covers every case that
698 * would be covered by <b>b</b>, so that a,b is redundant. */
700 addr_policy_covers(addr_policy_t
*a
, addr_policy_t
*b
)
702 /* We can ignore accept/reject, since "accept *:80, reject *:80" reduces
703 * to "accept *:80". */
704 if (a
->maskbits
> b
->maskbits
) {
705 /* a has more fixed bits than b; it can't possibly cover b. */
708 if (tor_addr_compare_masked(&a
->addr
, &b
->addr
, a
->maskbits
, CMP_EXACT
)) {
709 /* There's a fixed bit in a that's set differently in b. */
712 return (a
->prt_min
<= b
->prt_min
&& a
->prt_max
>= b
->prt_max
);
715 /** Return true iff the address policies <b>a</b> and <b>b</b> intersect,
716 * that is, there exists an address/port that is covered by <b>a</b> that
717 * is also covered by <b>b</b>.
720 addr_policy_intersects(addr_policy_t
*a
, addr_policy_t
*b
)
723 /* All the bits we care about are those that are set in both
724 * netmasks. If they are equal in a and b's networkaddresses
725 * then the networks intersect. If there is a difference,
726 * then they do not. */
727 if (a
->maskbits
< b
->maskbits
)
728 minbits
= a
->maskbits
;
730 minbits
= b
->maskbits
;
731 if (tor_addr_compare_masked(&a
->addr
, &b
->addr
, minbits
, CMP_EXACT
))
733 if (a
->prt_max
< b
->prt_min
|| b
->prt_max
< a
->prt_min
)
738 /** Add the exit policy described by <b>more</b> to <b>policy</b>.
741 append_exit_policy_string(smartlist_t
**policy
, const char *more
)
746 tmp
.value
= (char*) more
;
748 if (parse_addr_policy(&tmp
, policy
, -1)<0) {
749 log_warn(LD_BUG
, "Unable to parse internally generated policy %s",more
);
753 /** Detect and excise "dead code" from the policy *<b>dest</b>. */
755 exit_policy_remove_redundancies(smartlist_t
*dest
)
757 addr_policy_t
*ap
, *tmp
, *victim
;
760 /* Step one: find a *:* entry and cut off everything after it. */
761 for (i
= 0; i
< smartlist_len(dest
); ++i
) {
762 ap
= smartlist_get(dest
, i
);
763 if (ap
->maskbits
== 0 && ap
->prt_min
<= 1 && ap
->prt_max
>= 65535) {
764 /* This is a catch-all line -- later lines are unreachable. */
765 while (i
+1 < smartlist_len(dest
)) {
766 victim
= smartlist_get(dest
, i
+1);
767 smartlist_del(dest
, i
+1);
768 addr_policy_free(victim
);
774 /* Step two: for every entry, see if there's a redundant entry
775 * later on, and remove it. */
776 for (i
= 0; i
< smartlist_len(dest
)-1; ++i
) {
777 ap
= smartlist_get(dest
, i
);
778 for (j
= i
+1; j
< smartlist_len(dest
); ++j
) {
779 tmp
= smartlist_get(dest
, j
);
781 if (addr_policy_covers(ap
, tmp
)) {
782 char p1
[POLICY_BUF_LEN
], p2
[POLICY_BUF_LEN
];
783 policy_write_item(p1
, sizeof(p1
), tmp
, 0);
784 policy_write_item(p2
, sizeof(p2
), ap
, 0);
785 log(LOG_DEBUG
, LD_CONFIG
, "Removing exit policy %s (%d). It is made "
786 "redundant by %s (%d).", p1
, j
, p2
, i
);
787 smartlist_del_keeporder(dest
, j
--);
788 addr_policy_free(tmp
);
793 /* Step three: for every entry A, see if there's an entry B making this one
794 * redundant later on. This is the case if A and B are of the same type
795 * (accept/reject), A is a subset of B, and there is no other entry of
796 * different type in between those two that intersects with A.
798 * Anybody want to doublecheck the logic here? XXX
800 for (i
= 0; i
< smartlist_len(dest
)-1; ++i
) {
801 ap
= smartlist_get(dest
, i
);
802 for (j
= i
+1; j
< smartlist_len(dest
); ++j
) {
803 // tor_assert(j > i); // j starts out at i+1; j only increases; i only
805 tmp
= smartlist_get(dest
, j
);
806 if (ap
->policy_type
!= tmp
->policy_type
) {
807 if (addr_policy_intersects(ap
, tmp
))
809 } else { /* policy_types are equal. */
810 if (addr_policy_covers(tmp
, ap
)) {
811 char p1
[POLICY_BUF_LEN
], p2
[POLICY_BUF_LEN
];
812 policy_write_item(p1
, sizeof(p1
), ap
, 0);
813 policy_write_item(p2
, sizeof(p2
), tmp
, 0);
814 log(LOG_DEBUG
, LD_CONFIG
, "Removing exit policy %s. It is already "
815 "covered by %s.", p1
, p2
);
816 smartlist_del_keeporder(dest
, i
--);
817 addr_policy_free(ap
);
825 #define DEFAULT_EXIT_POLICY \
826 "reject *:25,reject *:119,reject *:135-139,reject *:445," \
827 "reject *:563,reject *:1214,reject *:4661-4666," \
828 "reject *:6346-6429,reject *:6699,reject *:6881-6999,accept *:*"
830 /** Parse the exit policy <b>cfg</b> into the linked list *<b>dest</b>. If
831 * cfg doesn't end in an absolute accept or reject, add the default exit
832 * policy afterwards. If <b>rejectprivate</b> is true, prepend
833 * "reject private:*" to the policy. Return -1 if we can't parse cfg,
837 policies_parse_exit_policy(config_line_t
*cfg
, smartlist_t
**dest
,
838 int rejectprivate
, const char *local_address
)
841 append_exit_policy_string(dest
, "reject private:*");
843 char buf
[POLICY_BUF_LEN
];
844 tor_snprintf(buf
, sizeof(buf
), "reject %s:*", local_address
);
845 append_exit_policy_string(dest
, buf
);
848 if (parse_addr_policy(cfg
, dest
, -1))
850 append_exit_policy_string(dest
, DEFAULT_EXIT_POLICY
);
852 exit_policy_remove_redundancies(*dest
);
857 /** Replace the exit policy of <b>r</b> with reject *:*. */
859 policies_set_router_exitpolicy_to_reject_all(routerinfo_t
*r
)
862 addr_policy_list_free(r
->exit_policy
);
863 r
->exit_policy
= smartlist_create();
864 item
= router_parse_addr_policy_item_from_string("reject *:*", -1);
865 smartlist_add(r
->exit_policy
, item
);
868 /** Return true iff <b>ri</b> is "useful as an exit node", meaning
869 * it allows exit to at least one /8 address space for at least
870 * two of ports 80, 443, and 6667. */
872 exit_policy_is_general_exit(smartlist_t
*policy
)
874 static const int ports
[] = { 80, 443, 6667 };
877 if (!policy
) /*XXXX disallow NULL policies? */
880 for (i
= 0; i
< 3; ++i
) {
881 SMARTLIST_FOREACH(policy
, addr_policy_t
*, p
, {
882 if (p
->prt_min
> ports
[i
] || p
->prt_max
< ports
[i
])
883 continue; /* Doesn't cover our port. */
885 continue; /* Narrower than a /8. */
886 if (tor_addr_is_loopback(&p
->addr
))
887 continue; /* 127.x or ::1. */
888 /* We have a match that is at least a /8. */
889 if (p
->policy_type
== ADDR_POLICY_ACCEPT
) {
891 break; /* stop considering this port */
895 return n_allowed
>= 2;
898 /** Return false if <b>policy</b> might permit access to some addr:port;
899 * otherwise if we are certain it rejects everything, return true. */
901 policy_is_reject_star(const smartlist_t
*policy
)
903 if (!policy
) /*XXXX disallow NULL policies? */
905 SMARTLIST_FOREACH(policy
, addr_policy_t
*, p
, {
906 if (p
->policy_type
== ADDR_POLICY_ACCEPT
)
908 else if (p
->policy_type
== ADDR_POLICY_REJECT
&&
909 p
->prt_min
<= 1 && p
->prt_max
== 65535 &&
916 /** Write a single address policy to the buf_len byte buffer at buf. Return
917 * the number of characters written, or -1 on failure. */
919 policy_write_item(char *buf
, size_t buflen
, addr_policy_t
*policy
,
923 char addrbuf
[TOR_ADDR_BUF_LEN
];
924 const char *addrpart
;
926 const int is_accept
= policy
->policy_type
== ADDR_POLICY_ACCEPT
;
927 const int is_ip6
= tor_addr_family(&policy
->addr
) == AF_INET6
;
929 tor_addr_to_str(addrbuf
, &policy
->addr
, sizeof(addrbuf
), 1);
931 /* write accept/reject 1.2.3.4 */
932 if (policy
->is_private
)
933 addrpart
= "private";
934 else if (policy
->maskbits
== 0)
939 result
= tor_snprintf(buf
, buflen
, "%s%s%s %s",
940 (is_ip6
&&format_for_desc
)?"opt ":"",
941 is_accept
? "accept" : "reject",
942 (is_ip6
&&format_for_desc
)?"6":"",
946 written
+= strlen(buf
);
947 /* If the maskbits is 32 we don't need to give it. If the mask is 0,
948 * we already wrote "*". */
949 if (policy
->maskbits
< 32 && policy
->maskbits
> 0) {
950 if (tor_snprintf(buf
+written
, buflen
-written
, "/%d", policy
->maskbits
)<0)
952 written
+= strlen(buf
+written
);
954 if (policy
->prt_min
<= 1 && policy
->prt_max
== 65535) {
955 /* There is no port set; write ":*" */
956 if (written
+4 > buflen
)
958 strlcat(buf
+written
, ":*", buflen
-written
);
960 } else if (policy
->prt_min
== policy
->prt_max
) {
961 /* There is only one port; write ":80". */
962 result
= tor_snprintf(buf
+written
, buflen
-written
, ":%d", policy
->prt_min
);
967 /* There is a range of ports; write ":79-80". */
968 result
= tor_snprintf(buf
+written
, buflen
-written
, ":%d-%d",
969 policy
->prt_min
, policy
->prt_max
);
974 if (written
< buflen
)
982 /** Create a new exit policy summary, initially only with a single
984 /* XXXX This entire thing will do most stuff in O(N^2), or worse. Use an
985 * RB-tree if that turns out to matter. */
987 policy_summary_create(void)
989 smartlist_t
*summary
;
990 policy_summary_item_t
* item
;
992 item
= tor_malloc_zero(sizeof(policy_summary_item_t
));
994 item
->prt_max
= 65535;
995 item
->reject_count
= 0;
998 summary
= smartlist_create();
999 smartlist_add(summary
, item
);
1004 /** Split the summary item in <b>item</b> at the port <b>new_starts</b>.
1005 * The current item is changed to end at new-starts - 1, the new item
1006 * copies reject_count and accepted from the old item,
1007 * starts at new_starts and ends at the port where the original item
1010 static policy_summary_item_t
*
1011 policy_summary_item_split(policy_summary_item_t
* old
, uint16_t new_starts
)
1013 policy_summary_item_t
* new;
1015 new = tor_malloc_zero(sizeof(policy_summary_item_t
));
1016 new->prt_min
= new_starts
;
1017 new->prt_max
= old
->prt_max
;
1018 new->reject_count
= old
->reject_count
;
1019 new->accepted
= old
->accepted
;
1021 old
->prt_max
= new_starts
-1;
1023 tor_assert(old
->prt_min
<= old
->prt_max
);
1024 tor_assert(new->prt_min
<= new->prt_max
);
1028 /* XXXX Nick says I'm going to hell for this. If he feels charitably towards
1029 * my immortal soul, he can clean it up himself. */
1030 #define AT(x) ((policy_summary_item_t*)smartlist_get(summary, x))
1032 #define REJECT_CUTOFF_COUNT (1<<25)
1033 /** Split an exit policy summary so that prt_min and prt_max
1034 * fall at exactly the start and end of an item respectively.
1037 policy_summary_split(smartlist_t
*summary
,
1038 uint16_t prt_min
, uint16_t prt_max
)
1043 /* XXXX Do a binary search if run time matters */
1044 while (AT(i
)->prt_max
< prt_min
)
1046 if (AT(i
)->prt_min
!= prt_min
) {
1047 policy_summary_item_t
* new_item
;
1048 new_item
= policy_summary_item_split(AT(i
), prt_min
);
1049 smartlist_insert(summary
, i
+1, new_item
);
1054 while (AT(i
)->prt_max
< prt_max
)
1056 if (AT(i
)->prt_max
!= prt_max
) {
1057 policy_summary_item_t
* new_item
;
1058 new_item
= policy_summary_item_split(AT(i
), prt_max
+1);
1059 smartlist_insert(summary
, i
+1, new_item
);
1062 return start_at_index
;
1065 /** Mark port ranges as accepted if they are below the reject_count */
1067 policy_summary_accept(smartlist_t
*summary
,
1068 uint16_t prt_min
, uint16_t prt_max
)
1070 int i
= policy_summary_split(summary
, prt_min
, prt_max
);
1071 while (i
< smartlist_len(summary
) &&
1072 AT(i
)->prt_max
<= prt_max
) {
1073 if (!AT(i
)->accepted
&&
1074 AT(i
)->reject_count
<= REJECT_CUTOFF_COUNT
)
1075 AT(i
)->accepted
= 1;
1078 tor_assert(i
< smartlist_len(summary
) || prt_max
==65535);
1081 /** Count the number of addresses in a network with prefixlen maskbits
1082 * against the given portrange. */
1084 policy_summary_reject(smartlist_t
*summary
,
1085 maskbits_t maskbits
,
1086 uint16_t prt_min
, uint16_t prt_max
)
1088 int i
= policy_summary_split(summary
, prt_min
, prt_max
);
1089 /* XXX: ipv4 specific */
1090 uint64_t count
= (U64_LITERAL(1) << (32-maskbits
));
1091 while (i
< smartlist_len(summary
) &&
1092 AT(i
)->prt_max
<= prt_max
) {
1093 AT(i
)->reject_count
+= count
;
1096 tor_assert(i
< smartlist_len(summary
) || prt_max
==65535);
1099 /** Add a single exit policy item to our summary:
1100 * If it is an accept ignore it unless it is for all IP addresses
1101 * ("*"), i.e. it's prefixlen/maskbits is 0, else call
1102 * policy_summary_accept().
1103 * If it's a reject ignore it if it is about one of the private
1104 * networks, else call policy_summary_reject().
1107 policy_summary_add_item(smartlist_t
*summary
, addr_policy_t
*p
)
1109 if (p
->policy_type
== ADDR_POLICY_ACCEPT
) {
1110 if (p
->maskbits
== 0) {
1111 policy_summary_accept(summary
, p
->prt_min
, p
->prt_max
);
1113 } else if (p
->policy_type
== ADDR_POLICY_REJECT
) {
1117 for (i
= 0; private_nets
[i
]; ++i
) {
1119 maskbits_t maskbits
;
1120 if (tor_addr_parse_mask_ports(private_nets
[i
], &addr
,
1121 &maskbits
, NULL
, NULL
)<0) {
1124 if (tor_addr_compare(&p
->addr
, &addr
, CMP_EXACT
) == 0 &&
1125 p
->maskbits
== maskbits
) {
1132 policy_summary_reject(summary
, p
->maskbits
, p
->prt_min
, p
->prt_max
);
1138 /** Create a string representing a summary for an exit policy.
1139 * The summary will either be an "accept" plus a comma-seperated list of port
1140 * ranges or a "reject" plus portranges, depending on which is shorter.
1142 * If no exits are allowed at all then NULL is returned, if no ports
1143 * are blocked instead of "reject " we return "accept 1-65535" (this
1144 * is an exception to the shorter-representation-wins rule).
1147 policy_summarize(smartlist_t
*policy
)
1149 smartlist_t
*summary
= policy_summary_create();
1150 smartlist_t
*accepts
, *rejects
;
1151 int i
, last
, start_prt
;
1152 size_t accepts_len
, rejects_len
, shorter_len
, final_size
;
1153 char *accepts_str
= NULL
, *rejects_str
= NULL
, *shorter_str
, *result
;
1158 /* Create the summary list */
1159 SMARTLIST_FOREACH(policy
, addr_policy_t
*, p
, {
1160 policy_summary_add_item(summary
, p
);
1163 /* Now create two lists of strings, one for accepted and one
1164 * for rejected ports. We take care to merge ranges so that
1165 * we avoid getting stuff like "1-4,5-9,10", instead we want
1170 accepts
= smartlist_create();
1171 rejects
= smartlist_create();
1173 last
= i
== smartlist_len(summary
)-1;
1175 AT(i
)->accepted
!= AT(i
+1)->accepted
) {
1176 char buf
[POLICY_BUF_LEN
];
1178 if (start_prt
== AT(i
)->prt_max
)
1179 tor_snprintf(buf
, sizeof(buf
), "%d", start_prt
);
1181 tor_snprintf(buf
, sizeof(buf
), "%d-%d", start_prt
, AT(i
)->prt_max
);
1183 if (AT(i
)->accepted
)
1184 smartlist_add(accepts
, tor_strdup(buf
));
1186 smartlist_add(rejects
, tor_strdup(buf
));
1191 start_prt
= AT(i
+1)->prt_min
;
1196 /* Figure out which of the two stringlists will be shorter and use
1197 * that to build the result
1199 if (smartlist_len(accepts
) == 0) { /* no exits at all */
1200 result
= tor_strdup("reject 1-65535");
1203 if (smartlist_len(rejects
) == 0) { /* no rejects at all */
1204 result
= tor_strdup("accept 1-65535");
1208 accepts_str
= smartlist_join_strings(accepts
, ",", 0, &accepts_len
);
1209 rejects_str
= smartlist_join_strings(rejects
, ",", 0, &rejects_len
);
1211 if (rejects_len
> MAX_EXITPOLICY_SUMMARY_LEN
&&
1212 accepts_len
> MAX_EXITPOLICY_SUMMARY_LEN
) {
1214 shorter_str
= accepts_str
;
1217 c
= shorter_str
+ (MAX_EXITPOLICY_SUMMARY_LEN
-strlen(prefix
)-1);
1218 while (*c
!= ',' && c
>= shorter_str
)
1220 tor_assert(c
>= shorter_str
);
1221 tor_assert(*c
== ',');
1224 shorter_len
= strlen(shorter_str
);
1225 } else if (rejects_len
< accepts_len
) {
1226 shorter_str
= rejects_str
;
1227 shorter_len
= rejects_len
;
1230 shorter_str
= accepts_str
;
1231 shorter_len
= accepts_len
;
1235 final_size
= strlen(prefix
)+1+shorter_len
+1;
1236 tor_assert(final_size
<= MAX_EXITPOLICY_SUMMARY_LEN
+1);
1237 result
= tor_malloc(final_size
);
1238 tor_snprintf(result
, final_size
, "%s %s", prefix
, shorter_str
);
1242 SMARTLIST_FOREACH(summary
, policy_summary_item_t
*, s
, tor_free(s
));
1243 smartlist_free(summary
);
1245 tor_free(accepts_str
);
1246 SMARTLIST_FOREACH(accepts
, char *, s
, tor_free(s
));
1247 smartlist_free(accepts
);
1249 tor_free(rejects_str
);
1250 SMARTLIST_FOREACH(rejects
, char *, s
, tor_free(s
));
1251 smartlist_free(rejects
);
1256 /** Implementation for GETINFO control command: knows the answer for questions
1257 * about "exit-policy/..." */
1259 getinfo_helper_policies(control_connection_t
*conn
,
1260 const char *question
, char **answer
)
1263 if (!strcmp(question
, "exit-policy/default")) {
1264 *answer
= tor_strdup(DEFAULT_EXIT_POLICY
);
1269 /** Release all storage held by <b>p</b>. */
1271 addr_policy_list_free(smartlist_t
*lst
)
1274 SMARTLIST_FOREACH(lst
, addr_policy_t
*, policy
, addr_policy_free(policy
));
1275 smartlist_free(lst
);
1278 /** Release all storage held by <b>p</b>. */
1280 addr_policy_free(addr_policy_t
*p
)
1283 if (--p
->refcnt
<= 0) {
1284 if (p
->is_canonical
) {
1285 policy_map_ent_t search
, *found
;
1287 found
= HT_REMOVE(policy_map
, &policy_root
, &search
);
1289 tor_assert(p
== found
->policy
);
1298 /** Release all storage held by policy variables. */
1300 policies_free_all(void)
1302 addr_policy_list_free(reachable_or_addr_policy
);
1303 reachable_or_addr_policy
= NULL
;
1304 addr_policy_list_free(reachable_dir_addr_policy
);
1305 reachable_dir_addr_policy
= NULL
;
1306 addr_policy_list_free(socks_policy
);
1307 socks_policy
= NULL
;
1308 addr_policy_list_free(dir_policy
);
1310 addr_policy_list_free(authdir_reject_policy
);
1311 authdir_reject_policy
= NULL
;
1312 addr_policy_list_free(authdir_invalid_policy
);
1313 authdir_invalid_policy
= NULL
;
1314 addr_policy_list_free(authdir_baddir_policy
);
1315 authdir_baddir_policy
= NULL
;
1316 addr_policy_list_free(authdir_badexit_policy
);
1317 authdir_badexit_policy
= NULL
;
1319 if (!HT_EMPTY(&policy_root
)) {
1320 policy_map_ent_t
**ent
;
1322 char buf
[POLICY_BUF_LEN
];
1324 log_warn(LD_MM
, "Still had %d address policies cached at shutdown.",
1325 (int)HT_SIZE(&policy_root
));
1327 /* Note the first 10 cached policies to try to figure out where they
1328 * might be coming from. */
1329 HT_FOREACH(ent
, policy_map
, &policy_root
) {
1332 if (policy_write_item(buf
, sizeof(buf
), (*ent
)->policy
, 0) >= 0)
1333 log_warn(LD_MM
," %d [%d]: %s", n
, (*ent
)->policy
->refcnt
, buf
);
1336 HT_CLEAR(policy_map
, &policy_root
);