src/or/policies.h

   1 /* Copyright (c) 2001 Matej Pfajfar.
   2  * Copyright (c) 2001-2004, Roger Dingledine.
   3  * Copyright (c) 2004-2006, Roger Dingledine, Nick Mathewson.
   4  * Copyright (c) 2007-2017, The Tor Project, Inc. */
   5 /* See LICENSE for licensing information */
   6
   7 /**
   8  * \file policies.h
   9  * \brief Header file for policies.c.
  10  **/
  11
  12 #ifndef TOR_POLICIES_H
  13 #define TOR_POLICIES_H
  14
  15 /* (length of
  16  * "accept6 [ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff]/128:65535-65535\n"
  17  * plus a terminating NUL, rounded up to a nice number.)
  18  */
  19 #define POLICY_BUF_LEN 72
  20
  21 #define EXIT_POLICY_IPV6_ENABLED             (1 << 0)
  22 #define EXIT_POLICY_REJECT_PRIVATE           (1 << 1)
  23 #define EXIT_POLICY_ADD_DEFAULT              (1 << 2)
  24 #define EXIT_POLICY_REJECT_LOCAL_INTERFACES  (1 << 3)
  25 #define EXIT_POLICY_OPTION_MAX             EXIT_POLICY_REJECT_LOCAL_INTERFACES
  26 /* All options set: used for unit testing */
  27 #define EXIT_POLICY_OPTION_ALL             ((EXIT_POLICY_OPTION_MAX << 1) - 1)
  28
  29 typedef enum firewall_connection_t {
  30   FIREWALL_OR_CONNECTION      = 0,
  31   FIREWALL_DIR_CONNECTION     = 1
  32 } firewall_connection_t;
  33
  34 typedef int exit_policy_parser_cfg_t;
  35
  36 int firewall_is_fascist_or(void);
  37 int firewall_is_fascist_dir(void);
  38 int fascist_firewall_use_ipv6(const or_options_t *options);
  39 int fascist_firewall_prefer_ipv6_orport(const or_options_t *options);
  40 int fascist_firewall_prefer_ipv6_dirport(const or_options_t *options);
  41
  42 int fascist_firewall_allows_address_addr(const tor_addr_t *addr,
  43                                          uint16_t port,
  44                                          firewall_connection_t fw_connection,
  45                                          int pref_only, int pref_ipv6);
  46
  47 int fascist_firewall_allows_rs(const routerstatus_t *rs,
  48                                firewall_connection_t fw_connection,
  49                                int pref_only);
  50 int fascist_firewall_allows_node(const node_t *node,
  51                                  firewall_connection_t fw_connection,
  52                                  int pref_only);
  53 int fascist_firewall_allows_dir_server(const dir_server_t *ds,
  54                                        firewall_connection_t fw_connection,
  55                                        int pref_only);
  56
  57 int fascist_firewall_choose_address_rs(const routerstatus_t *rs,
  58                                        firewall_connection_t fw_connection,
  59                                        int pref_only, tor_addr_port_t* ap);
  60 int fascist_firewall_choose_address_node(const node_t *node,
  61                                          firewall_connection_t fw_connection,
  62                                          int pref_only, tor_addr_port_t* ap);
  63 int fascist_firewall_choose_address_dir_server(const dir_server_t *ds,
  64                                           firewall_connection_t fw_connection,
  65                                           int pref_only, tor_addr_port_t* ap);
  66
  67 int dir_policy_permits_address(const tor_addr_t *addr);
  68 int socks_policy_permits_address(const tor_addr_t *addr);
  69 int authdir_policy_permits_address(uint32_t addr, uint16_t port);
  70 int authdir_policy_valid_address(uint32_t addr, uint16_t port);
  71 int authdir_policy_badexit_address(uint32_t addr, uint16_t port);
  72
  73 int validate_addr_policies(const or_options_t *options, char **msg);
  74 void policy_expand_private(smartlist_t **policy);
  75 void policy_expand_unspec(smartlist_t **policy);
  76 int policies_parse_from_options(const or_options_t *options);
  77
  78 addr_policy_t *addr_policy_get_canonical_entry(addr_policy_t *ent);
  79 int addr_policies_eq(const smartlist_t *a, const smartlist_t *b);
  80 MOCK_DECL(addr_policy_result_t, compare_tor_addr_to_addr_policy,
  81     (const tor_addr_t *addr, uint16_t port, const smartlist_t *policy));
  82 addr_policy_result_t compare_tor_addr_to_node_policy(const tor_addr_t *addr,
  83                               uint16_t port, const node_t *node);
  84
  85 int policies_parse_exit_policy_from_options(
  86                                           const or_options_t *or_options,
  87                                           uint32_t local_address,
  88                                           const tor_addr_t *ipv6_local_address,
  89                                           smartlist_t **result);
  90 int policies_parse_exit_policy(config_line_t *cfg, smartlist_t **dest,
  91                                exit_policy_parser_cfg_t options,
  92                                const smartlist_t *configured_addresses);
  93 void policies_parse_exit_policy_reject_private(
  94                                       smartlist_t **dest,
  95                                       int ipv6_exit,
  96                                       const smartlist_t *configured_addresses,
  97                                       int reject_interface_addresses,
  98                                       int reject_configured_port_addresses);
  99 void policies_exit_policy_append_reject_star(smartlist_t **dest);
 100 void addr_policy_append_reject_addr(smartlist_t **dest,
 101                                     const tor_addr_t *addr);
 102 void addr_policy_append_reject_addr_list(smartlist_t **dest,
 103                                          const smartlist_t *addrs);
 104 void policies_set_node_exitpolicy_to_reject_all(node_t *exitrouter);
 105 int exit_policy_is_general_exit(smartlist_t *policy);
 106 int policy_is_reject_star(const smartlist_t *policy, sa_family_t family,
 107                           int reject_by_default);
 108 char * policy_dump_to_string(const smartlist_t *policy_list,
 109                              int include_ipv4,
 110                              int include_ipv6);
 111 int getinfo_helper_policies(control_connection_t *conn,
 112                             const char *question, char **answer,
 113                             const char **errmsg);
 114 int policy_write_item(char *buf, size_t buflen, const addr_policy_t *item,
 115                       int format_for_desc);
 116
 117 void addr_policy_list_free(smartlist_t *p);
 118 void addr_policy_free(addr_policy_t *p);
 119 void policies_free_all(void);
 120
 121 char *policy_summarize(smartlist_t *policy, sa_family_t family);
 122
 123 short_policy_t *parse_short_policy(const char *summary);
 124 char *write_short_policy(const short_policy_t *policy);
 125 void short_policy_free(short_policy_t *policy);
 126 int short_policy_is_reject_star(const short_policy_t *policy);
 127 addr_policy_result_t compare_tor_addr_to_short_policy(
 128                           const tor_addr_t *addr, uint16_t port,
 129                           const short_policy_t *policy);
 130
 131 #ifdef POLICIES_PRIVATE
 132 STATIC void append_exit_policy_string(smartlist_t **policy, const char *more);
 133 STATIC int fascist_firewall_allows_address(const tor_addr_t *addr,
 134                                            uint16_t port,
 135                                            smartlist_t *firewall_policy,
 136                                            int pref_only, int pref_ipv6);
 137 STATIC const tor_addr_port_t * fascist_firewall_choose_address(
 138                                           const tor_addr_port_t *a,
 139                                           const tor_addr_port_t *b,
 140                                           int want_a,
 141                                           firewall_connection_t fw_connection,
 142                                           int pref_only, int pref_ipv6);
 143
 144 #endif /* defined(POLICIES_PRIVATE) */
 145
 146 #endif /* !defined(TOR_POLICIES_H) */
 147