| blob | 506edec394f95a8d6a99bc8e8762a08f37c1eff9 |
1 /* Copyright (c) 2001-2004, Roger Dingledine.
2 * Copyright (c) 2004-2006, Roger Dingledine, Nick Mathewson.
3 * Copyright (c) 2007-2015, The Tor Project, Inc. */
4 /* See LICENSE for licensing information */
6 /**
7 * \file policies.c
8 * \brief Code to parse and use address policies and exit policies.
9 **/
11 #define POLICIES_PRIVATE
24 /** Policy that addresses for incoming SOCKS connections must match. */
26 /** Policy that addresses for incoming directory connections must match. */
28 /** Policy that addresses for incoming router descriptors must match in order
29 * to be published by us. */
31 /** Policy that addresses for incoming router descriptors must match in order
32 * to be marked as valid in our networkstatus. */
34 /** Policy that addresses for incoming router descriptors must <b>not</b>
35 * match in order to not be marked as BadExit. */
38 /** Parsed addr_policy_t describing which addresses we believe we can start
39 * circuits at. */
41 /** Parsed addr_policy_t describing which addresses we believe we can connect
42 * to directories at. */
45 /** Element of an exit policy summary */
50 this port range. */
54 /** Private networks. This list is used in two places, once to expand the
55 * "private" keyword when parsing our own exit policy, secondly to ignore
56 * just such networks when building exit policy summaries. It is important
57 * that all authorities agree on that list when creating summaries, so don't
58 * just change this without a proper migration plan and a proposal and stuff.
59 */
65 NULL
66 };
78 /** Replace all "private" entries in *<b>policy</b> with their expanded
79 * equivalents. */
80 void
82 {
97 }
99 addr_policy_t newpolicy;
107 }
109 }
115 }
117 /** Expand each of the AF_UNSPEC elements in *<b>policy</b> (which indicate
118 * protocol-neutral wildcards) into a pair of wildcard elements: one IPv4-
119 * specific and one IPv6-specific. */
120 void
122 {
133 addr_policy_t newpolicy_ipv4;
134 addr_policy_t newpolicy_ipv6;
143 }
153 }
158 }
160 /**
161 * Given a linked list of config lines containing "accept[6]" and "reject[6]"
162 * tokens, parse them and append the result to <b>dest</b>. Return -1
163 * if any tokens are malformed (and don't append any), else return 0.
164 *
165 * If <b>assume_action</b> is nonnegative, then insert its action
166 * (ADDR_POLICY_ACCEPT or ADDR_POLICY_REJECT) for items that specify no
167 * action.
168 */
169 static int
172 {
195 /* the error is so severe the entire list should be discarded */
200 /* the error is minor: don't add the item, but keep processing the
201 * rest of the policies in the list */
204 ent);
205 }
209 }
222 }
223 }
226 }
228 /** Helper: parse the Reachable(Dir|OR)?Addresses fields into
229 * reachable_(or|dir)_addr_policy. The options should already have
230 * been validated by validate_addr_policies.
231 */
232 static int
234 {
242 "Both ReachableDirAddresses and ReachableORAddresses are set. "
244 }
258 }
273 }
275 /* We ignore ReachableAddresses for relays */
279 || (reachable_dir_addr_policy
282 "ReachableAddresses, ReachableORAddresses, or "
283 "ReachableDirAddresses reject all addresses. Please accept "
286 && ((reachable_or_addr_policy
288 || (reachable_dir_addr_policy
291 "ReachableAddresses, ReachableORAddresses, or "
292 "ReachableDirAddresses reject all IPv4 addresses. "
295 && ((reachable_or_addr_policy
297 || (reachable_dir_addr_policy
300 "(ClientUseIPv6 1 or UseBridges 1), but "
301 "ReachableAddresses, ReachableORAddresses, or "
302 "ReachableDirAddresses reject all IPv6 addresses. "
304 }
305 }
308 }
310 /* Return true iff ClientUseIPv4 0 or ClientUseIPv6 0 might block any OR or Dir
311 * address:port combination. */
312 static int
314 {
316 /* Assume every non-bridge relay has an IPv4 address.
317 * Clients which use bridges may only know the IPv6 address of their
318 * bridge. */
322 }
324 /** Return true iff the firewall options, including ClientUseIPv4 0 and
325 * ClientUseIPv6 0, might block any OR address:port combination.
326 */
327 int
329 {
331 }
333 /** Return true iff the firewall options, including ClientUseIPv4 0 and
334 * ClientUseIPv6 0, might block any Dir address:port combination.
335 */
336 int
338 {
340 }
342 /** Return true iff <b>policy</b> (possibly NULL) will allow a
343 * connection to <b>addr</b>:<b>port</b>.
344 */
345 static int
348 {
349 addr_policy_result_t p;
361 }
362 }
364 /** Return true iff <b> policy</b> (possibly NULL) will allow a connection to
365 * <b>addr</b>:<b>port</b>. <b>addr</b> is an IPv4 address given in host
366 * order. */
367 /* XXXX deprecate when possible. */
368 static int
371 {
372 tor_addr_t a;
375 }
377 /** Return true iff we think our firewall will let us make a connection to
378 * addr:port.
379 *
380 * If we are configured as a server, ignore any address family preference and
381 * just use IPv4.
382 * Otherwise:
383 * - return false for all IPv4 addresses:
384 * - if ClientUseIPv4 is 0, or
385 * if pref_only and pref_ipv6 are both true;
386 * - return false for all IPv6 addresses:
387 * - if fascist_firewall_use_ipv6() is 0, or
388 * - if pref_only is true and pref_ipv6 is false.
389 *
390 * Return false if addr is NULL or tor_addr_is_null(), or if port is 0. */
391 STATIC int
396 {
401 }
408 /* Bridges can always use IPv6 */
412 }
415 firewall_policy);
416 }
418 /** Is this client configured to use IPv6?
419 * Clients use IPv6 if ClientUseIPv6 is 1, or UseBridges is 1.
420 */
422 {
424 }
426 /** Do we prefer to connect to IPv6, ignoring ClientPreferIPv6ORPort and
427 * ClientPreferIPv6DirPort?
428 * If we're unsure, return -1, otherwise, return 1 for IPv6 and 0 for IPv4.
429 */
430 static int
432 {
433 /*
434 Cheap implementation of config options ClientUseIPv4 & ClientUseIPv6 --
435 If we're a server or IPv6 is disabled, use IPv4.
436 If IPv4 is disabled, use IPv6.
437 */
441 }
445 }
448 }
450 /** Do we prefer to connect to IPv6 ORPorts?
451 */
452 int
454 {
459 }
461 /* We can use both IPv4 and IPv6 - which do we prefer? */
464 }
466 /* For bridge clients, ClientPreferIPv6ORPort auto means "prefer IPv6". */
469 }
472 }
474 /** Do we prefer to connect to IPv6 DirPorts?
475 */
476 int
478 {
483 }
485 /* We can use both IPv4 and IPv6 - which do we prefer? */
488 }
490 /* For bridge clients, ClientPreferIPv6ORPort auto means "prefer IPv6".
491 * XX/teor - do bridge clients ever use a DirPort? */
494 }
497 }
499 /** Return true iff we think our firewall will let us make a connection to
500 * addr:port. Uses ReachableORAddresses or ReachableDirAddresses based on
501 * fw_connection.
502 * If pref_only, return false if addr is not in the client's preferred address
503 * family.
504 */
505 int
507 firewall_connection_t fw_connection,
509 {
514 reachable_or_addr_policy,
515 pref_only,
519 reachable_dir_addr_policy,
520 pref_only,
524 fw_connection);
526 }
527 }
529 /** Return true iff we think our firewall will let us make a connection to
530 * addr:port (ap). Uses ReachableORAddresses or ReachableDirAddresses based on
531 * fw_connection.
532 * If pref_only, return false if addr is not in the client's preferred address
533 * family.
534 */
535 int
537 firewall_connection_t fw_connection,
539 {
543 }
545 /* Return true iff we think our firewall will let us make a connection to
546 * ipv4h_or_addr:ipv4_or_port. ipv4h_or_addr is interpreted in host order.
547 * Uses ReachableORAddresses or ReachableDirAddresses based on
548 * fw_connection.
549 * If pref_only, return false if addr is not in the client's preferred address
550 * family. */
551 int
554 firewall_connection_t fw_connection,
556 {
557 tor_addr_t ipv4_or_addr;
561 }
563 /** Return true iff we think our firewall will let us make a connection to
564 * ipv4h_addr/ipv6_addr. Uses ipv4_orport/ipv6_orport/ReachableORAddresses or
565 * ipv4_dirport/ipv6_dirport/ReachableDirAddresses based on IPv4/IPv6 and
566 * <b>fw_connection</b>.
567 * If pref_only, return false if addr is not in the client's preferred address
568 * family. */
569 static int
574 firewall_connection_t fw_connection,
576 {
579 ? ipv4_orport
581 fw_connection,
582 pref_only)) {
584 }
588 ? ipv6_orport
590 fw_connection,
591 pref_only)) {
593 }
596 }
598 /** Like fascist_firewall_allows_ri, but doesn't consult the node. */
599 static int
601 firewall_connection_t fw_connection,
603 {
606 }
608 /* Assume IPv4 and IPv6 DirPorts are the same */
612 }
614 /** Like fascist_firewall_allows_rs, but doesn't consult the node. */
615 static int
617 firewall_connection_t fw_connection,
619 {
622 }
624 /* Assume IPv4 and IPv6 DirPorts are the same */
628 }
630 /** Return true iff we think our firewall will let us make a connection to
631 * <b>rs</b> on either its IPv4 or IPv6 address. Uses
632 * or_port/ipv6_orport/ReachableORAddresses or dir_port/ReachableDirAddresses
633 * based on IPv4/IPv6 and <b>fw_connection</b>.
634 * If pref_only, return false if addr is not in the client's preferred address
635 * family.
636 * Consults the corresponding node if the addresses in rs are not permitted. */
637 int
640 {
643 }
645 /* Assume IPv4 and IPv6 DirPorts are the same */
651 }
652 }
654 /** Like fascist_firewall_allows_md, but doesn't consult the node. */
655 static int
657 firewall_connection_t fw_connection,
659 {
662 }
664 /* Can't check dirport, it doesn't have one */
667 }
669 /* Also can't check IPv4, doesn't have that either */
672 }
674 /** Return true iff we think our firewall will let us make a connection to
675 * <b>node</b>:
676 * - if <b>preferred</b> is true, on its preferred address,
677 * - if not, on either its IPv4 or IPv6 address.
678 * Uses or_port/ipv6_orport/ReachableORAddresses or
679 * dir_port/ReachableDirAddresses based on IPv4/IPv6 and <b>fw_connection</b>.
680 * If pref_only, return false if addr is not in the client's preferred address
681 * family. */
682 int
684 firewall_connection_t fw_connection,
686 {
689 }
693 /* Sometimes, the rs is missing the IPv6 address info, and we need to go
694 * all the way to the md */
696 pref_only)) {
699 fw_connection,
700 pref_only)) {
703 fw_connection,
704 pref_only)) {
707 /* If we know nothing, assume it's unreachable, we'll never get an address
708 * to connect to. */
710 }
711 }
713 /** Return true iff we think our firewall will let us make a connection to
714 * <b>ds</b> on either its IPv4 or IPv6 address. Uses ReachableORAddresses or
715 * ReachableDirAddresses based on <b>fw_connection</b> (some directory
716 * connections are tunneled over ORPorts).
717 * If pref_only, return false if addr is not in the client's preferred address
718 * family. */
719 int
721 firewall_connection_t fw_connection,
723 {
726 }
728 /* A dir_server_t always has a fake_status. As long as it has the same
729 * addresses/ports in both fake_status and dir_server_t, this works fine.
730 * (See #17867.)
731 * This function relies on fascist_firewall_allows_rs looking up the node on
732 * failure, because it will get the latest info for the relay. */
734 pref_only);
735 }
737 /** If a and b are both valid and allowed by fw_connection,
738 * choose one based on want_a and return it.
739 * Otherwise, return whichever is allowed.
740 * Otherwise, return NULL.
741 * If pref_only, only return an address if it's in the client's preferred
742 * address family. */
747 firewall_connection_t fw_connection,
749 {
755 }
759 }
761 /* If both are allowed */
763 /* Choose a if we want it */
766 /* Choose a if we have it */
768 }
769 }
771 /** If a and b are both valid and preferred by fw_connection,
772 * choose one based on want_a and return it.
773 * Otherwise, return whichever is preferred.
774 * If neither are preferred, and pref_only is false:
775 * - If a and b are both allowed by fw_connection,
776 * choose one based on want_a and return it.
777 * - Otherwise, return whichever is preferred.
778 * Otherwise, return NULL. */
783 firewall_connection_t fw_connection,
785 {
788 fw_connection,
791 /* If there is a preferred address, use it. If we can only use preferred
792 * addresses, and neither address is preferred, pref will be NULL, and we
793 * want to return NULL, so return it. */
796 /* If there's no preferred address, and we can return addresses that are
797 * not preferred, use an address that's allowed */
800 }
801 }
803 /** Copy an address and port into <b>ap</b> that we think our firewall will
804 * let us connect to. Uses ipv4_addr/ipv6_addr and
805 * ipv4_orport/ipv6_orport/ReachableORAddresses or
806 * ipv4_dirport/ipv6_dirport/ReachableDirAddresses based on IPv4/IPv6 and
807 * <b>fw_connection</b>.
808 * If pref_only, only choose preferred addresses. In either case, choose
809 * a preferred address before an address that's not preferred.
810 * If neither address is chosen, return 0, else return 1. */
811 static int
818 firewall_connection_t fw_connection,
821 {
823 /* This argument is ignored as long as the address pair is IPv4/IPv6,
824 * because we always have a preference in a client.
825 * For bridge clients, this selects the preferred address, which was
826 * previously IPv6 (if a bridge has both), so we keep that behaviour. */
832 tor_addr_port_t ipv4_ap;
835 ? ipv4_orport
838 tor_addr_port_t ipv6_ap;
841 ? ipv6_orport
845 bridge_client_prefer_ipv4,
854 }
855 }
857 /** Like fascist_firewall_choose_address_base, but takes a host-order IPv4
858 * address as the first parameter. */
859 static int
866 firewall_connection_t fw_connection,
869 {
870 tor_addr_t ipv4_addr;
876 }
878 #define IPV6_OR_LOOKUP(r, identity_digest, ipv6_or_ap) \
879 STMT_BEGIN \
880 if (!(r)->ipv6_orport || tor_addr_is_null(&(r)->ipv6_addr)) { \
881 const node_t *node = node_get_by_id((identity_digest)); \
882 if (node) { \
883 node_get_pref_ipv6_orport(node, &(ipv6_or_ap)); \
884 } else { \
885 tor_addr_make_null(&(ipv6_or_ap).addr, AF_INET6); \
886 (ipv6_or_ap).port = 0; \
887 } \
888 } else { \
889 tor_addr_copy(&(ipv6_or_ap).addr, &(r)->ipv6_addr); \
890 (ipv6_or_ap).port = (r)->ipv6_orport; \
891 } \
892 STMT_END
894 /** Copy an address and port from <b>rs</b> into <b>ap</b> that we think our
895 * firewall will let us connect to. Uses ipv4h_addr/ipv6_addr and
896 * ipv4_orport/ipv6_orport/ReachableORAddresses or
897 * ipv4_dirport/ipv6_dirport/ReachableDirAddresses based on IPv4/IPv6 and
898 * <b>fw_connection</b>.
899 * If pref_only, only choose preferred addresses. In either case, choose
900 * a preferred address before an address that's not preferred.
901 * If neither address is chosen, return 0, else return 1.
902 * Consults the corresponding node if the addresses in rs are not valid. */
903 int
905 firewall_connection_t fw_connection,
907 {
910 }
914 /* Don't do the lookup if the IPv6 address/port in rs is OK.
915 * If it's OK, assume the dir_port is also OK. */
916 tor_addr_port_t ipv6_or_ap;
919 /* Assume IPv4 and IPv6 DirPorts are the same.
920 * Assume the IPv6 OR and Dir addresses are the same. */
927 fw_connection,
928 pref_only,
929 ap);
930 }
932 /** Copy an address and port from <b>node</b> into <b>ap</b> that we think our
933 * firewall will let us connect to. Uses ipv4h_addr/ipv6_addr and
934 * ipv4_orport/ipv6_orport/ReachableORAddresses or
935 * ipv4_dirport/ipv6_dirport/ReachableDirAddresses based on IPv4/IPv6 and
936 * <b>fw_connection</b>.
937 * If pref_only, only choose preferred addresses. In either case, choose
938 * a preferred address before an address that's not preferred.
939 * If neither address is chosen, return 0, else return 1. */
940 int
942 firewall_connection_t fw_connection,
944 {
947 }
951 tor_addr_port_t ipv4_or_ap;
953 tor_addr_port_t ipv4_dir_ap;
956 tor_addr_port_t ipv6_or_ap;
958 tor_addr_port_t ipv6_dir_ap;
961 /* Assume the IPv6 OR and Dir addresses are the same. */
968 fw_connection,
969 pref_only,
970 ap);
971 }
973 /** Copy an address and port from <b>ds</b> into <b>ap</b> that we think our
974 * firewall will let us connect to. Uses ipv4h_addr/ipv6_addr and
975 * ipv4_orport/ipv6_orport/ReachableORAddresses or
976 * ipv4_dirport/ipv6_dirport/ReachableDirAddresses based on IPv4/IPv6 and
977 * <b>fw_connection</b>.
978 * If pref_only, only choose preferred addresses. In either case, choose
979 * a preferred address before an address that's not preferred.
980 * If neither address is chosen, return 0, else return 1. */
981 int
983 firewall_connection_t fw_connection,
985 {
988 }
990 /* A dir_server_t always has a fake_status. As long as it has the same
991 * addresses/ports in both fake_status and dir_server_t, this works fine.
992 * (See #17867.)
993 * This function relies on fascist_firewall_choose_address_rs looking up the
994 * addresses from the node if it can, because that will get the latest info
995 * for the relay. */
998 }
1000 /** Return 1 if <b>addr</b> is permitted to connect to our dir port,
1001 * based on <b>dir_policy</b>. Else return 0.
1002 */
1003 int
1005 {
1007 }
1009 /** Return 1 if <b>addr</b> is permitted to connect to our socks port,
1010 * based on <b>socks_policy</b>. Else return 0.
1011 */
1012 int
1014 {
1016 }
1018 /** Return true iff the address <b>addr</b> is in a country listed in the
1019 * case-insensitive list of country codes <b>cc_list</b>. */
1020 static int
1022 {
1023 country_t country;
1025 tor_addr_t tar;
1029 /* XXXXipv6 */
1034 }
1036 /** Return 1 if <b>addr</b>:<b>port</b> is permitted to publish to our
1037 * directory, based on <b>authdir_reject_policy</b>. Else return 0.
1038 */
1039 int
1041 {
1045 }
1047 /** Return 1 if <b>addr</b>:<b>port</b> is considered valid in our
1048 * directory, based on <b>authdir_invalid_policy</b>. Else return 0.
1049 */
1050 int
1052 {
1056 }
1058 /** Return 1 if <b>addr</b>:<b>port</b> should be marked as a bad exit,
1059 * based on <b>authdir_badexit_policy</b>. Else return 0.
1060 */
1061 int
1063 {
1067 }
1069 #define REJECT(arg) \
1070 STMT_BEGIN *msg = tor_strdup(arg); goto err; STMT_END
1072 /** Config helper: If there's any problem with the policy configuration
1073 * options in <b>options</b>, return -1 and set <b>msg</b> to a newly
1074 * allocated description of the error. Else return 0. */
1075 int
1077 {
1078 /* XXXX Maybe merge this into parse_policies_from_options, to make sure
1079 * that the two can't go out of sync. */
1086 }
1097 exitrelay_setting_is_auto &&
1098 policy_accepts_something) {
1099 /* Policy accepts something */
1102 "Tor is running as an exit relay%s. If you did not want this "
1103 "behavior, please set the ExitRelay option to 0. If you do "
1104 "want to run an exit Relay, please set the ExitRelay option "
1110 "In a future version of Tor, ExitRelay 0 may become the "
1112 }
1113 }
1115 /* The rest of these calls *append* to addr_policy. So don't actually
1116 * use the results for anything other than checking if they parse! */
1122 ADDR_POLICY_REJECT))
1125 ADDR_POLICY_REJECT))
1128 ADDR_POLICY_REJECT))
1132 ADDR_POLICY_ACCEPT))
1135 ADDR_POLICY_ACCEPT))
1138 ADDR_POLICY_ACCEPT))
1141 err:
1144 #undef REJECT
1145 }
1147 /** Parse <b>string</b> in the same way that the exit policy
1148 * is parsed, and put the processed version in *<b>policy</b>.
1149 * Ignore port specifiers.
1150 */
1151 static int
1155 {
1163 }
1166 /* ports aren't used in these. */
1177 }
1179 }
1182 }
1184 }
1186 /** Set all policies based on <b>options</b>, which should have been validated
1187 * first by validate_addr_policies. */
1188 int
1190 {
1210 }
1212 /** Compare two provided address policy items, and return -1, 0, or 1
1213 * if the first is less than, equal to, or greater than the second. */
1214 static int
1216 {
1222 /* refcnt and is_canonical are irrelevant to equality,
1223 * they are hash table implementation details */
1233 }
1235 /** Like cmp_single_addr_policy() above, but looks at the
1236 * whole set of policies in each case. */
1237 int
1239 {
1247 }
1252 else
1254 }
1256 /** Node in hashtable used to store address policy entries. */
1262 /* DOCDOC policy_root */
1265 /** Return true iff a and b are equal. */
1268 {
1270 }
1272 /** Return a hashcode for <b>ent</b> */
1273 static unsigned int
1275 {
1277 addr_policy_t aa;
1290 }
1293 }
1296 policy_eq)
1300 /** Given a pointer to an addr_policy_t, return a copy of the pointer to the
1301 * "canonical" copy of that addr_policy_t; the canonical copy is a single
1302 * reference-counted object. */
1303 addr_policy_t *
1305 {
1318 }
1323 }
1325 /** Helper for compare_tor_addr_to_addr_policy. Implements the case where
1326 * addr and port are both known. */
1327 static addr_policy_result_t
1330 {
1331 /* We know the address and port, and we know the policy, so we can just
1332 * compute an exact match. */
1337 }
1338 /* Address is known */
1340 CMP_EXACT)) {
1342 /* Exact match for the policy */
1345 }
1346 }
1349 /* accept all by default. */
1351 }
1353 /** Helper for compare_tor_addr_to_addr_policy. Implements the case where
1354 * addr is known but port is not. */
1355 static addr_policy_result_t
1358 {
1359 /* We look to see if there's a definite match. If so, we return that
1360 match's value, unless there's an intervening possible match that says
1361 something different. */
1368 }
1370 CMP_EXACT)) {
1372 /* Definitely matches, since it covers all ports. */
1374 /* If we already hit a clause that might trigger a 'reject', than we
1375 * can't be sure of this certain 'accept'.*/
1377 ADDR_POLICY_ACCEPTED;
1380 ADDR_POLICY_REJECTED;
1381 }
1383 /* Might match. */
1386 else
1388 }
1389 }
1392 /* accept all by default. */
1394 }
1396 /** Helper for compare_tor_addr_to_addr_policy. Implements the case where
1397 * port is known but address is not. */
1398 static addr_policy_result_t
1401 {
1402 /* We look to see if there's a definite match. If so, we return that
1403 match's value, unless there's an intervening possible match that says
1404 something different. */
1411 }
1414 /* Definitely matches, since it covers all addresses. */
1416 /* If we already hit a clause that might trigger a 'reject', than we
1417 * can't be sure of this certain 'accept'.*/
1419 ADDR_POLICY_ACCEPTED;
1422 ADDR_POLICY_REJECTED;
1423 }
1425 /* Might match. */
1428 else
1430 }
1431 }
1434 /* accept all by default. */
1436 }
1438 /** Decide whether a given addr:port is definitely accepted,
1439 * definitely rejected, probably accepted, or probably rejected by a
1440 * given policy. If <b>addr</b> is 0, we don't know the IP of the
1441 * target address. If <b>port</b> is 0, we don't know the port of the
1442 * target address. (At least one of <b>addr</b> and <b>port</b> must be
1443 * provided. If you want to know whether a policy would definitely reject
1444 * an unknown address:port, use policy_is_reject_star().)
1445 *
1446 * We could do better by assuming that some ranges never match typical
1447 * addresses (127.0.0.1, and so on). But we'll try this for now.
1448 */
1452 {
1454 /* no policy? accept all. */
1461 }
1467 }
1468 }
1470 /** Return true iff the address policy <b>a</b> covers every case that
1471 * would be covered by <b>b</b>, so that a,b is redundant. */
1472 static int
1474 {
1476 /* You can't cover a different family. */
1478 }
1479 /* We can ignore accept/reject, since "accept *:80, reject *:80" reduces
1480 * to "accept *:80". */
1482 /* a has more fixed bits than b; it can't possibly cover b. */
1484 }
1486 /* There's a fixed bit in a that's set differently in b. */
1488 }
1490 }
1492 /** Return true iff the address policies <b>a</b> and <b>b</b> intersect,
1493 * that is, there exists an address/port that is covered by <b>a</b> that
1494 * is also covered by <b>b</b>.
1495 */
1496 static int
1498 {
1499 maskbits_t minbits;
1500 /* All the bits we care about are those that are set in both
1501 * netmasks. If they are equal in a and b's networkaddresses
1502 * then the networks intersect. If there is a difference,
1503 * then they do not. */
1506 else
1513 }
1515 /** Add the exit policy described by <b>more</b> to <b>policy</b>.
1516 */
1517 STATIC void
1519 {
1520 config_line_t tmp;
1527 }
1528 }
1530 /** Add "reject <b>addr</b>:*" to <b>dest</b>, creating the list as needed. */
1531 void
1533 {
1551 }
1553 /* Is addr public for the purposes of rejection? */
1554 static int
1556 {
1559 }
1561 /* Add "reject <b>addr</b>:*" to <b>dest</b>, creating the list as needed.
1562 * Filter the address, only adding an IPv4 reject rule if ipv4_rules
1563 * is true, and similarly for ipv6_rules. Check each address returns true for
1564 * tor_addr_is_public_for_reject before adding it.
1565 */
1566 static void
1571 {
1575 /* Only reject IP addresses which are public */
1578 /* Reject IPv4 addresses and IPv6 addresses based on the filters */
1582 }
1583 }
1584 }
1586 /** Add "reject addr:*" to <b>dest</b>, for each addr in addrs, creating the
1587 * list as needed. */
1588 void
1591 {
1598 }
1600 /** Add "reject addr:*" to <b>dest</b>, for each addr in addrs, creating the
1601 * list as needed. Filter using */
1602 static void
1607 {
1614 }
1616 /** Detect and excise "dead code" from the policy *<b>dest</b>. */
1617 static void
1619 {
1623 /* Step one: kill every ipv4 thing after *4:*, every IPv6 thing after *6:*
1624 */
1625 {
1628 sa_family_t family;
1636 }
1639 /* This is a catch-all line -- later lines are unreachable. */
1644 }
1645 }
1646 }
1647 }
1649 /* Step two: for every entry, see if there's a redundant entry
1650 * later on, and remove it. */
1664 }
1665 }
1666 }
1668 /* Step three: for every entry A, see if there's an entry B making this one
1669 * redundant later on. This is the case if A and B are of the same type
1670 * (accept/reject), A is a subset of B, and there is no other entry of
1671 * different type in between those two that intersects with A.
1672 *
1673 * Anybody want to double-check the logic here? XXX
1674 */
1678 // tor_assert(j > i); // j starts out at i+1; j only increases; i only
1679 // // decreases.
1694 }
1695 }
1696 }
1697 }
1698 }
1700 /** Reject private helper for policies_parse_exit_policy_internal: rejects
1701 * publicly routable addresses on this exit relay.
1702 *
1703 * Add reject entries to the linked list *dest:
1704 * - if configured_addresses is non-NULL, add entries that reject each
1705 * tor_addr_t* in the list as a destination.
1706 * - if reject_interface_addresses is true, add entries that reject each
1707 * public IPv4 and IPv6 address of each interface on this machine.
1708 * - if reject_configured_port_addresses is true, add entries that reject
1709 * each IPv4 and IPv6 address configured for a port.
1710 *
1711 * IPv6 entries are only added if ipv6_exit is true. (All IPv6 addresses are
1712 * already blocked by policies_parse_exit_policy_internal if ipv6_exit is
1713 * false.)
1714 *
1715 * The list *dest is created as needed.
1716 */
1717 void
1724 {
1727 /* Reject configured addresses, if they are from public netblocks. */
1731 }
1733 /* Reject configured port addresses, if they are from public netblocks. */
1739 /* Only reject port IP addresses, not port unix sockets */
1742 }
1744 }
1746 /* Reject local addresses from public netblocks on any interface. */
1750 /* Reject public IPv4 addresses on any interface */
1755 /* Don't look for IPv6 addresses if we're configured as IPv4-only */
1757 /* Reject public IPv6 addresses on any interface */
1761 }
1762 }
1764 /* If addresses were added multiple times, remove all but one of them. */
1767 }
1768 }
1770 /**
1771 * Iterate through <b>policy</b> looking for redundant entries. Log a
1772 * warning message with the first redundant entry, if any is found.
1773 */
1774 static void
1776 {
1781 sa_family_t family;
1785 /* Look for accept/reject *[4|6|]:* entires */
1788 /* accept/reject *:* may have already been expanded into
1789 * accept/reject *4:*,accept/reject *6:*
1790 * But handle both forms.
1791 */
1794 }
1797 }
1798 }
1800 /* We also find accept *4:*,reject *6:* ; and
1801 * accept *4:*,<other policies>,accept *6:* ; and similar.
1802 * That's ok, because they make any subsequent entries redundant. */
1805 /* if we're not on the final entry in the list */
1808 }
1810 }
1813 /* Work out if there are redundant trailing entries in the policy list */
1816 /* Longest possible policy is
1817 * "accept6 ffff:ffff:..255/128:10000-65535",
1818 * which contains a max-length IPv6 address, plus 24 characters. */
1823 /* since we've already parsed the policy into an addr_policy_t struct,
1824 * we might not log exactly what the user typed in */
1827 "redundant, as it follows accept/reject *:* rules for both "
1828 "IPv4 and IPv6. They will be removed from the exit policy. (Use "
1830 line);
1831 }
1832 }
1834 #define DEFAULT_EXIT_POLICY \
1837 "reject *:6346-6429,reject *:6699,reject *:6881-6999,accept *:*"
1839 /** Parse the exit policy <b>cfg</b> into the linked list *<b>dest</b>.
1840 *
1841 * If <b>ipv6_exit</b> is false, prepend "reject *6:*" to the policy.
1842 *
1843 * If <b>rejectprivate</b> is true:
1844 * - prepend "reject private:*" to the policy.
1845 * - prepend entries that reject publicly routable addresses on this exit
1846 * relay by calling policies_parse_exit_policy_reject_private
1847 *
1848 * If cfg doesn't end in an absolute accept or reject and if
1849 * <b>add_default_policy</b> is true, add the default exit
1850 * policy afterwards.
1851 *
1852 * Return -1 if we can't parse cfg, else return 0.
1853 *
1854 * This function is used to parse the exit policy from our torrc. For
1855 * the functions used to parse the exit policy from a router descriptor,
1856 * see router_add_exit_policy.
1857 */
1858 static int
1867 {
1870 }
1872 /* Reject IPv4 and IPv6 reserved private netblocks */
1874 /* Reject IPv4 and IPv6 publicly routable addresses on this exit relay */
1877 configured_addresses,
1878 reject_interface_addresses,
1879 reject_configured_port_addresses);
1880 }
1884 /* Before we add the default policy and final rejects, check to see if
1885 * there are any lines after accept *:* or reject *:*. These lines have no
1886 * effect, and are most likely an error. */
1894 }
1898 }
1900 /** Parse exit policy in <b>cfg</b> into <b>dest</b> smartlist.
1901 *
1902 * Prepend an entry that rejects all IPv6 destinations unless
1903 * <b>EXIT_POLICY_IPV6_ENABLED</b> bit is set in <b>options</b> bitmask.
1904 *
1905 * If <b>EXIT_POLICY_REJECT_PRIVATE</b> bit is set in <b>options</b>:
1906 * - prepend an entry that rejects all destinations in all netblocks
1907 * reserved for private use.
1908 * - prepend entries that reject publicly routable addresses on this exit
1909 * relay by calling policies_parse_exit_policy_internal
1910 *
1911 * If <b>EXIT_POLICY_ADD_DEFAULT</b> bit is set in <b>options</b>, append
1912 * default exit policy entries to <b>result</b> smartlist.
1913 */
1914 int
1916 exit_policy_parser_cfg_t options,
1918 {
1924 reject_private,
1925 configured_addresses,
1926 reject_private,
1927 reject_private,
1928 add_default);
1929 }
1931 /** Helper function that adds a copy of addr to a smartlist as long as it is
1932 * non-NULL and not tor_addr_is_null().
1933 *
1934 * The caller is responsible for freeing all the tor_addr_t* in the smartlist.
1935 */
1936 static void
1938 {
1943 }
1944 }
1946 /** Helper function that adds ipv4h_addr to a smartlist as a tor_addr_t *,
1947 * as long as it is not tor_addr_is_null(), by converting it to a tor_addr_t
1948 * and passing it to policies_add_addr_to_smartlist.
1949 *
1950 * The caller is responsible for freeing all the tor_addr_t* in the smartlist.
1951 */
1952 static void
1954 {
1956 tor_addr_t ipv4_tor_addr;
1959 }
1960 }
1962 /** Helper function that adds copies of
1963 * or_options->OutboundBindAddressIPv[4|6]_ to a smartlist as tor_addr_t *, as
1964 * long as or_options is non-NULL, and the addresses are not
1965 * tor_addr_is_null(), by passing them to policies_add_addr_to_smartlist.
1966 *
1967 * The caller is responsible for freeing all the tor_addr_t* in the smartlist.
1968 */
1969 static void
1972 {
1978 }
1979 }
1981 /** Parse <b>ExitPolicy</b> member of <b>or_options</b> into <b>result</b>
1982 * smartlist.
1983 * If <b>or_options->IPv6Exit</b> is false, prepend an entry that
1984 * rejects all IPv6 destinations.
1985 *
1986 * If <b>or_options->ExitPolicyRejectPrivate</b> is true:
1987 * - prepend an entry that rejects all destinations in all netblocks reserved
1988 * for private use.
1989 * - if local_address is non-zero, treat it as a host-order IPv4 address, and
1990 * add it to the list of configured addresses.
1991 * - if ipv6_local_address is non-NULL, and not the null tor_addr_t, add it
1992 * to the list of configured addresses.
1993 * - if or_options->OutboundBindAddressIPv4_ is not the null tor_addr_t, add
1994 * it to the list of configured addresses.
1995 * - if or_options->OutboundBindAddressIPv6_ is not the null tor_addr_t, add
1996 * it to the list of configured addresses.
1997 *
1998 * If <b>or_options->BridgeRelay</b> is false, append entries of default
1999 * Tor exit policy into <b>result</b> smartlist.
2000 *
2001 * If or_options->ExitRelay is false, then make our exit policy into
2002 * "reject *:*" regardless.
2003 */
2004 int
2009 {
2014 /* Short-circuit for non-exit relays */
2019 }
2023 /* Configure the parser */
2026 }
2030 }
2034 }
2036 /* Copy the configured addresses into the tor_addr_t* list */
2040 or_options);
2043 configured_addresses);
2049 }
2051 /** Add "reject *:*" to the end of the policy in *<b>dest</b>, allocating
2052 * *<b>dest</b> as needed. */
2053 void
2055 {
2058 }
2060 /** Replace the exit policy of <b>node</b> with reject *:* */
2061 void
2063 {
2065 }
2067 /** Return 1 if there is at least one /8 subnet in <b>policy</b> that
2068 * allows exiting to <b>port</b>. Otherwise, return 0. */
2069 static int
2071 {
2073 /* Is this /8 rejected (1), or undecided (0)? */
2089 /* Calculate the first and last subnet that this exit policy touches
2090 * and set it as loop boundaries. */
2092 tor_addr_t addr;
2101 /* We found an allowed subnet of at least size /8. Done
2102 * for this port! */
2106 }
2107 }
2110 }
2112 /** Return true iff <b>ri</b> is "useful as an exit node", meaning
2113 * it allows exit to at least one /8 address space for at least
2114 * two of ports 80, 443, and 6667. */
2115 int
2117 {
2126 }
2128 }
2130 /** Return false if <b>policy</b> might permit access to some addr:port;
2131 * otherwise if we are certain it rejects everything, return true. */
2132 int
2134 {
2148 }
2151 }
2153 /** Write a single address policy to the buf_len byte buffer at buf. Return
2154 * the number of characters written, or -1 on failure. */
2155 int
2158 {
2169 /* write accept/reject 1.2.3.4 */
2179 else
2183 }
2188 addrpart);
2192 /* If the maskbits is 32 (IPv4) or 128 (IPv6) we don't need to give it. If
2193 the mask is 0, we already wrote "*". */
2198 }
2200 /* There is no port set; write ":*" */
2206 /* There is only one port; write ":80". */
2212 /* There is a range of ports; write ":79-80". */
2218 }
2221 else
2225 }
2227 /** Create a new exit policy summary, initially only with a single
2228 * port 1-64k item */
2229 /* XXXX This entire thing will do most stuff in O(N^2), or worse. Use an
2230 * RB-tree if that turns out to matter. */
2233 {
2247 }
2249 /** Split the summary item in <b>item</b> at the port <b>new_starts</b>.
2250 * The current item is changed to end at new-starts - 1, the new item
2251 * copies reject_count and accepted from the old item,
2252 * starts at new_starts and ends at the port where the original item
2253 * previously ended.
2254 */
2257 {
2271 }
2273 /* XXXX Nick says I'm going to hell for this. If he feels charitably towards
2274 * my immortal soul, he can clean it up himself. */
2275 #define AT(x) ((policy_summary_item_t*)smartlist_get(summary, x))
2277 #define REJECT_CUTOFF_COUNT (1<<25)
2278 /** Split an exit policy summary so that prt_min and prt_max
2279 * fall at exactly the start and end of an item respectively.
2280 */
2281 static int
2284 {
2290 i++;
2295 i++;
2296 }
2300 i++;
2305 }
2308 }
2310 /** Mark port ranges as accepted if they are below the reject_count */
2311 static void
2314 {
2321 i++;
2322 }
2324 }
2326 /** Count the number of addresses in a network with prefixlen maskbits
2327 * against the given portrange. */
2328 static void
2330 maskbits_t maskbits,
2332 {
2334 /* XXX: ipv4 specific */
2339 i++;
2340 }
2342 }
2344 /** Add a single exit policy item to our summary:
2345 * If it is an accept ignore it unless it is for all IP addresses
2346 * ("*"), i.e. it's prefixlen/maskbits is 0, else call
2347 * policy_summary_accept().
2348 * If it's a reject ignore it if it is about one of the private
2349 * networks, else call policy_summary_reject().
2350 */
2351 static void
2353 {
2357 }
2363 tor_addr_t addr;
2364 maskbits_t maskbits;
2368 }
2373 }
2374 }
2378 }
2381 }
2383 /** Create a string representing a summary for an exit policy.
2384 * The summary will either be an "accept" plus a comma-separated list of port
2385 * ranges or a "reject" plus port-ranges, depending on which is shorter.
2386 *
2387 * If no exits are allowed at all then "reject 1-65535" is returned. If no
2388 * ports are blocked instead of "reject " we return "accept 1-65535". (These
2389 * are an exception to the shorter-representation-wins rule).
2390 */
2393 {
2403 /* Create the summary list */
2408 }
2411 /* XXXX-ipv6 More family work is needed */
2415 /* Now create two lists of strings, one for accepted and one
2416 * for rejected ports. We take care to merge ranges so that
2417 * we avoid getting stuff like "1-4,5-9,10", instead we want
2418 * "1-10"
2419 */
2432 else
2437 else
2444 };
2445 i++;
2446 };
2448 /* Figure out which of the two stringlists will be shorter and use
2449 * that to build the result
2450 */
2454 }
2458 }
2471 c--;
2482 }
2486 cleanup:
2487 /* cleanup */
2500 }
2502 /** Convert a summarized policy string into a short_policy_t. Return NULL
2503 * if the string is not well-formed. */
2504 short_policy_t *
2506 {
2523 }
2540 }
2543 /* unrecognized entry format. skip it. */
2545 }
2547 /* empty; skip it. */
2548 /* XXX This happens to be unreachable, since if len==0, then *summary is
2549 * ',' or '\0', and the TOR_ISDIGIT test above would have failed. */
2551 }
2561 }
2567 }
2573 }
2577 n_entries++;
2578 }
2584 }
2586 {
2592 }
2598 }
2600 /** Write <b>policy</b> back out into a string. Used only for unit tests
2601 * currently. */
2604 {
2617 }
2620 }
2625 }
2627 /** Release all storage held in <b>policy</b>. */
2628 void
2630 {
2632 }
2634 /** See whether the <b>addr</b>:<b>port</b> address is likely to be accepted
2635 * or rejected by the summarized policy <b>policy</b>. Return values are as
2636 * for compare_tor_addr_to_addr_policy. Unlike the regular addr_policy
2637 * functions, requires the <b>port</b> be specified. */
2638 addr_policy_result_t
2641 {
2660 }
2661 }
2665 else
2668 /* ???? are these right? -NM */
2669 /* We should be sure not to return ADDR_POLICY_ACCEPTED in the accept
2670 * case here, because it would cause clients to believe that the node
2671 * allows exit enclaving. Trying it anyway would open up a cool attack
2672 * where the node refuses due to exitpolicy, the client reacts in
2673 * surprise by rewriting the node's exitpolicy to reject *:*, and then
2674 * a bad guy targets users by causing them to attempt such connections
2675 * to 98% of the exits.
2676 *
2677 * Once microdescriptors can handle addresses in special cases (e.g. if
2678 * we ever solve ticket 1774), we can provide certainty here. -RD */
2681 else
2683 }
2685 /** Return true iff <b>policy</b> seems reject all ports */
2686 int
2688 {
2689 /* This doesn't need to be as much on the lookout as policy_is_reject_star,
2690 * since policy summaries are from the consensus or from consensus
2691 * microdescs.
2692 */
2694 /* Check for an exact match of "reject 1-65535". */
2698 }
2700 /** Decide whether addr:port is probably or definitely accepted or rejected by
2701 * <b>node</b>. See compare_tor_addr_to_addr_policy for details on addr/port
2702 * interpretation. */
2703 addr_policy_result_t
2706 {
2718 else
2720 }
2727 else
2732 }
2733 }
2735 /**
2736 * Given <b>policy_list</b>, a list of addr_policy_t, produce a string
2737 * representation of the list.
2738 * If <b>include_ipv4</b> is true, include IPv4 entries.
2739 * If <b>include_ipv6</b> is true, include IPv6 entries.
2740 */
2745 {
2756 }
2759 }
2768 }
2775 done:
2780 }
2782 /** Implementation for GETINFO control command: knows the answer for questions
2783 * about "exit-policy/..." */
2784 int
2788 {
2800 /* IPv6 addresses are in "[]" and contain ":",
2801 * IPv4 addresses are not in "[]" and contain "." */
2803 priv++;
2804 }
2818 }
2823 }
2828 /* Copy the configured addresses into the tor_addr_t* list */
2832 options);
2837 configured_addresses,
2858 }
2863 }
2866 }
2868 }
2870 /** Release all storage held by <b>p</b>. */
2871 void
2873 {
2878 }
2880 /** Release all storage held by <b>p</b>. */
2881 void
2883 {
2895 }
2896 }
2898 }
2899 }
2901 /** Release all storage held by policy variables. */
2902 void
2904 {
2928 /* Note the first 10 cached policies to try to figure out where they
2929 * might be coming from. */
2935 }
2936 }
2938 }