| blob | a2ab13a90a6ede26c8bc674fee454ec91f964017 |
1 /* Copyright (c) 2001-2004, Roger Dingledine.
2 * Copyright (c) 2004-2006, Roger Dingledine, Nick Mathewson.
3 * Copyright (c) 2007-2008, The Tor Project, Inc. */
4 /* See LICENSE for licensing information */
6 /**
7 * \file policies.c
8 * \brief Code to parse and use address policies and exit policies.
9 **/
14 /** Policy that addresses for incoming SOCKS connections must match. */
16 /** Policy that addresses for incoming directory connections must match. */
18 /** Policy that addresses for incoming router descriptors must match in order
19 * to be published by us. */
21 /** Policy that addresses for incoming router descriptors must match in order
22 * to be marked as valid in our networkstatus. */
24 /** Policy that addresses for incoming router descriptors must <b>not</b>
25 * match in order to not be marked as BadDirectory. */
27 /** Policy that addresses for incoming router descriptors must <b>not</b>
28 * match in order to not be marked as BadExit. */
31 /** Parsed addr_policy_t describing which addresses we believe we can start
32 * circuits at. */
34 /** Parsed addr_policy_t describing which addresses we believe we can connect
35 * to directories at. */
38 /** Element of an exit policy summary */
43 this portrange. */
47 /** Private networks. This list is used in two places, once to expand the
48 * "private" keyword when parsing our own exit policy, secondly to ignore
49 * just such networks when building exit policy summaries. It is important
50 * that all authorities agree on that list when creating summaries, so don't
51 * just change this without a proper migration plan and a proposal and stuff.
52 */
56 // "fc00::/7", "fe80::/10", "fec0::/10", "::/127",
57 NULL };
59 /** Replace all "private" entries in *<b>policy</b> with their expanded
60 * equivalents. */
61 void
63 {
75 {
79 }
81 addr_policy_t policy;
88 }
90 }
92 });
96 }
98 /**
99 * Given a linked list of config lines containing "allow" and "deny"
100 * tokens, parse them and append the result to <b>dest</b>. Return -1
101 * if any tokens are malformed (and don't append any), else return 0.
102 *
103 * If <b>assume_action</b> is nonnegative, then insert its action
104 * (ADDR_POLICY_ACCEPT or ADDR_POLICY_REJECT) for items that specify no
105 * action.
106 */
107 static int
110 {
125 {
133 }
134 });
137 }
149 }
150 }
153 }
155 /** Helper: parse the Reachable(Dir|OR)?Addresses fields into
156 * reachable_(or|dir)_addr_policy. The options should already have
157 * been validated by validate_addr_policies.
158 */
159 static int
161 {
169 "Both ReachableDirAddresses and ReachableORAddresses are set. "
171 }
185 }
200 }
202 }
204 /** Return true iff the firewall options might block any address:port
205 * combination.
206 */
207 int
209 {
211 }
213 /** Return true iff <b>policy</b> (possibly NULL) will allow a
214 * connection to <b>addr</b>:<b>port</b>.
215 */
216 static int
219 {
220 addr_policy_result_t p;
232 }
233 }
235 /** Return true iff <b> policy</b> (possibly NULL) will allow a connection to
236 * <b>addr</b>:<b>port</b>. <b>addr</b> is an IPv4 address given in host
237 * order. */
238 /* XXXX deprecate when possible. */
239 static int
242 {
243 tor_addr_t a;
246 }
248 /** Return true iff we think our firewall will let us make an OR connection to
249 * addr:port. */
250 int
252 {
254 reachable_or_addr_policy);
255 }
257 /** Return true iff we think our firewall will let us make an OR connection to
258 * <b>ri</b>. */
259 int
261 {
262 /* XXXX proposal 118 */
263 tor_addr_t addr;
266 }
268 /** Return true iff we think our firewall will let us make a directory
269 * connection to addr:port. */
270 int
272 {
274 reachable_dir_addr_policy);
275 }
277 /** Return 1 if <b>addr</b> is permitted to connect to our dir port,
278 * based on <b>dir_policy</b>. Else return 0.
279 */
280 int
282 {
284 }
286 /** Return 1 if <b>addr</b> is permitted to connect to our socks port,
287 * based on <b>socks_policy</b>. Else return 0.
288 */
289 int
291 {
293 }
295 /** Return 1 if <b>addr</b>:<b>port</b> is permitted to publish to our
296 * directory, based on <b>authdir_reject_policy</b>. Else return 0.
297 */
298 int
300 {
302 }
304 /** Return 1 if <b>addr</b>:<b>port</b> is considered valid in our
305 * directory, based on <b>authdir_invalid_policy</b>. Else return 0.
306 */
307 int
309 {
311 }
313 /** Return 1 if <b>addr</b>:<b>port</b> should be marked as a bad dir,
314 * based on <b>authdir_baddir_policy</b>. Else return 0.
315 */
316 int
318 {
320 }
322 /** Return 1 if <b>addr</b>:<b>port</b> should be marked as a bad exit,
323 * based on <b>authdir_badexit_policy</b>. Else return 0.
324 */
325 int
327 {
329 }
331 #define REJECT(arg) \
332 STMT_BEGIN *msg = tor_strdup(arg); goto err; STMT_END
334 /** Config helper: If there's any problem with the policy configuration
335 * options in <b>options</b>, return -1 and set <b>msg</b> to a newly
336 * allocated description of the error. Else return 0. */
337 int
339 {
340 /* XXXX Maybe merge this into parse_policies_from_options, to make sure
341 * that the two can't go out of sync. */
350 /* The rest of these calls *append* to addr_policy. So don't actually
351 * use the results for anything other than checking if they parse! */
357 ADDR_POLICY_REJECT))
360 ADDR_POLICY_REJECT))
363 ADDR_POLICY_REJECT))
366 ADDR_POLICY_REJECT))
370 ADDR_POLICY_ACCEPT))
373 ADDR_POLICY_ACCEPT))
376 ADDR_POLICY_ACCEPT))
379 ADDR_POLICY_REJECT))
382 ADDR_POLICY_REJECT))
385 err:
388 #undef REJECT
389 }
391 /** Parse <b>string</b> in the same way that the exit policy
392 * is parsed, and put the processed version in *<b>policy</b>.
393 * Ignore port specifiers.
394 */
395 static int
398 {
405 }
408 /* ports aren't used in these. */
417 }
419 }
421 }
423 /** Set all policies based on <b>options</b>, which should have been validated
424 * first by validate_addr_policies. */
425 int
427 {
448 }
450 /** Compare two provided address policy items, and return -1, 0, or 1
451 * if the first is less than, equal to, or greater than the second. */
452 static int
454 {
469 }
471 /** Like cmp_single_addr_policy() above, but looks at the
472 * whole set of policies in each case. */
473 int
475 {
483 }
488 else
490 }
492 /** Node in hashtable used to store address policy entries. */
500 /** Return true iff a and b are equal. */
503 {
505 }
507 /** Return a hashcode for <b>ent</b> */
508 static unsigned int
510 {
515 else
524 }
527 policy_eq)
531 /** Given a pointer to an addr_policy_t, return a copy of the pointer to the
532 * "canonical" copy of that addr_policy_t; the canonical copy is a single
533 * reference-counted object. */
534 addr_policy_t *
536 {
549 }
554 }
556 /** As compare_tor_addr_to_addr_policy, but instead of a tor_addr_t, takes
557 * in host order. */
558 addr_policy_result_t
561 {
562 /*XXXX deprecate this function when possible. */
563 tor_addr_t a;
566 }
568 /** Helper for compare_tor_addr_to_addr_policy. Implements the case where
569 * addr and port are both known. */
570 static addr_policy_result_t
573 {
574 /* We know the address and port, and we know the policy, so we can just
575 * compute an exact match. */
577 /* Address is known */
579 CMP_EXACT)) {
581 /* Exact match for the policy */
584 }
585 }
588 /* accept all by default. */
590 }
592 /** Helper for compare_tor_addr_to_addr_policy. Implements the case where
593 * addr is known but port is not. */
594 static addr_policy_result_t
597 {
598 /* We look to see if there's a definite match. If so, we return that
599 match's value, unless there's an intervening possible match that says
600 something different. */
605 CMP_EXACT)) {
607 /* Definitely matches, since it covers all ports. */
609 /* If we already hit a clause that might trigger a 'reject', than we
610 * can't be sure of this certain 'accept'.*/
612 ADDR_POLICY_ACCEPTED;
615 ADDR_POLICY_REJECTED;
616 }
618 /* Might match. */
621 else
623 }
624 }
627 /* accept all by default. */
629 }
631 /** Helper for compare_tor_addr_to_addr_policy. Implements the case where
632 * port is known but address is not. */
633 static addr_policy_result_t
636 {
637 /* We look to see if there's a definite match. If so, we return that
638 match's value, unless there's an intervening possible match that says
639 something different. */
645 /* Definitely matches, since it covers all addresses. */
647 /* If we already hit a clause that might trigger a 'reject', than we
648 * can't be sure of this certain 'accept'.*/
650 ADDR_POLICY_ACCEPTED;
653 ADDR_POLICY_REJECTED;
654 }
656 /* Might match. */
659 else
661 }
662 }
665 /* accept all by default. */
667 }
669 /** Decide whether a given addr:port is definitely accepted,
670 * definitely rejected, probably accepted, or probably rejected by a
671 * given policy. If <b>addr</b> is 0, we don't know the IP of the
672 * target address. If <b>port</b> is 0, we don't know the port of the
673 * target address. (At least one of <b>addr</b> and <b>port</b> must be
674 * provided. If you want to know whether a policy would definitely reject
675 * an unknown address:port, use policy_is_reject_star().)
676 *
677 * We could do better by assuming that some ranges never match typical
678 * addresses (127.0.0.1, and so on). But we'll try this for now.
679 */
680 addr_policy_result_t
683 {
685 /* no policy? accept all. */
694 }
695 }
697 /** Return true iff the address policy <b>a</b> covers every case that
698 * would be covered by <b>b</b>, so that a,b is redundant. */
699 static int
701 {
702 /* We can ignore accept/reject, since "accept *:80, reject *:80" reduces
703 * to "accept *:80". */
705 /* a has more fixed bits than b; it can't possibly cover b. */
707 }
709 /* There's a fixed bit in a that's set differently in b. */
711 }
713 }
715 /** Return true iff the address policies <b>a</b> and <b>b</b> intersect,
716 * that is, there exists an address/port that is covered by <b>a</b> that
717 * is also covered by <b>b</b>.
718 */
719 static int
721 {
722 maskbits_t minbits;
723 /* All the bits we care about are those that are set in both
724 * netmasks. If they are equal in a and b's networkaddresses
725 * then the networks intersect. If there is a difference,
726 * then they do not. */
729 else
736 }
738 /** Add the exit policy described by <b>more</b> to <b>policy</b>.
739 */
740 static void
742 {
743 config_line_t tmp;
750 }
751 }
753 /** Detect and excise "dead code" from the policy *<b>dest</b>. */
754 static void
756 {
760 /* Step one: find a *:* entry and cut off everything after it. */
764 /* This is a catch-all line -- later lines are unreachable. */
769 }
771 }
772 }
774 /* Step two: for every entry, see if there's a redundant entry
775 * later on, and remove it. */
789 }
790 }
791 }
793 /* Step three: for every entry A, see if there's an entry B making this one
794 * redundant later on. This is the case if A and B are of the same type
795 * (accept/reject), A is a subset of B, and there is no other entry of
796 * different type in between those two that intersects with A.
797 *
798 * Anybody want to doublecheck the logic here? XXX
799 */
803 // tor_assert(j > i); // j starts out at i+1; j only increases; i only
804 // // decreases.
819 }
820 }
821 }
822 }
823 }
825 #define DEFAULT_EXIT_POLICY \
828 "reject *:6346-6429,reject *:6699,reject *:6881-6999,accept *:*"
830 /** Parse the exit policy <b>cfg</b> into the linked list *<b>dest</b>. If
831 * cfg doesn't end in an absolute accept or reject, add the default exit
832 * policy afterwards. If <b>rejectprivate</b> is true, prepend
833 * "reject private:*" to the policy. Return -1 if we can't parse cfg,
834 * else return 0.
835 */
836 int
839 {
846 }
847 }
855 }
857 /** Replace the exit policy of <b>r</b> with reject *:*. */
858 void
860 {
866 }
868 /** Return true iff <b>ri</b> is "useful as an exit node", meaning
869 * it allows exit to at least one /8 address space for at least
870 * two of ports 80, 443, and 6667. */
871 int
873 {
888 /* We have a match that is at least a /8. */
892 }
893 });
894 }
896 }
898 /** Return false if <b>policy</b> might permit access to some addr:port;
899 * otherwise if we are certain it rejects everything, return true. */
900 int
902 {
912 });
914 }
916 /** Write a single address policy to the buf_len byte buffer at buf. Return
917 * the number of characters written, or -1 on failure. */
918 int
921 {
931 /* write accept/reject 1.2.3.4 */
936 else
943 addrpart);
947 /* If the maskbits is 32 we don't need to give it. If the mask is 0,
948 * we already wrote "*". */
953 }
955 /* There is no port set; write ":*" */
961 /* There is only one port; write ":80". */
967 /* There is a range of ports; write ":79-80". */
973 }
976 else
980 }
982 /** Create a new exit policy summary, initially only with a single
983 * port 1-64k item */
984 /* XXXX This entire thing will do most stuff in O(N^2), or worse. Use an
985 * RB-tree if that turns out to matter. */
988 {
1002 }
1004 /** Split the summary item in <b>item</b> at the port <b>new_starts</b>.
1005 * The current item is changed to end at new-starts - 1, the new item
1006 * copies reject_count and accepted from the old item,
1007 * starts at new_starts and ends at the port where the original item
1008 * previously ended.
1009 */
1012 {
1026 }
1028 /* XXXX Nick says I'm going to hell for this. If he feels charitably towards
1029 * my immortal soul, he can clean it up himself. */
1030 #define AT(x) ((policy_summary_item_t*)smartlist_get(summary, x))
1032 #define REJECT_CUTOFF_COUNT (1<<25)
1033 /** Split an exit policy summary so that prt_min and prt_max
1034 * fall at exactly the start and end of an item respectively.
1035 */
1036 static int
1039 {
1043 /* XXXX Do a binary search if run time matters */
1045 i++;
1050 i++;
1051 }
1055 i++;
1060 }
1063 }
1065 /** Mark port ranges as accepted if they are below the reject_count */
1066 static void
1069 {
1076 i++;
1077 }
1079 }
1081 /** Count the number of addresses in a network with prefixlen maskbits
1082 * against the given portrange. */
1083 static void
1085 maskbits_t maskbits,
1087 {
1089 /* XXX: ipv4 specific */
1094 i++;
1095 }
1097 }
1099 /** Add a single exit policy item to our summary:
1100 * If it is an accept ignore it unless it is for all IP addresses
1101 * ("*"), i.e. it's prefixlen/maskbits is 0, else call
1102 * policy_summary_accept().
1103 * If it's a reject ignore it if it is about one of the private
1104 * networks, else call policy_summary_reject().
1105 */
1106 static void
1108 {
1112 }
1118 tor_addr_t addr;
1119 maskbits_t maskbits;
1123 }
1128 }
1129 }
1133 }
1136 }
1138 /** Create a string representing a summary for an exit policy.
1139 * The summary will either be an "accept" plus a comma-seperated list of port
1140 * ranges or a "reject" plus portranges, depending on which is shorter.
1141 *
1142 * If no exits are allowed at all then NULL is returned, if no ports
1143 * are blocked instead of "reject " we return "accept 1-65535" (this
1144 * is an exception to the shorter-representation-wins rule).
1145 */
1148 {
1158 /* Create the summary list */
1161 });
1163 /* Now create two lists of strings, one for accepted and one
1164 * for rejected ports. We take care to merge ranges so that
1165 * we avoid getting stuff like "1-4,5-9,10", instead we want
1166 * "1-10"
1167 */
1180 else
1185 else
1192 };
1193 i++;
1194 };
1196 /* Figure out which of the two stringlists will be shorter and use
1197 * that to build the result
1198 */
1202 }
1206 }
1219 c--;
1233 }
1240 cleanup:
1241 /* cleanup */
1254 }
1256 /** Implementation for GETINFO control command: knows the answer for questions
1257 * about "exit-policy/..." */
1258 int
1261 {
1265 }
1267 }
1269 /** Release all storage held by <b>p</b>. */
1270 void
1272 {
1276 }
1278 /** Release all storage held by <b>p</b>. */
1279 void
1281 {
1291 }
1292 }
1294 }
1295 }
1296 }
1298 /** Release all storage held by policy variables. */
1299 void
1301 {
1327 /* Note the first 10 cached policies to try to figure out where they
1328 * might be coming from. */
1334 }
1335 }
1337 }