1 /* Copyright (c) 2001-2004, Roger Dingledine.
2 * Copyright (c) 2004-2006, Roger Dingledine, Nick Mathewson.
3 * Copyright (c) 2007-2008, The Tor Project, Inc. */
4 /* See LICENSE for licensing information */
6 const char policies_c_id
[] = \
11 * \brief Code to parse and use address policies and exit policies.
17 /** Policy that addresses for incoming SOCKS connections must match. */
18 static smartlist_t
*socks_policy
= NULL
;
19 /** Policy that addresses for incoming directory connections must match. */
20 static smartlist_t
*dir_policy
= NULL
;
21 /** Policy that addresses for incoming router descriptors must match in order
22 * to be published by us. */
23 static smartlist_t
*authdir_reject_policy
= NULL
;
24 /** Policy that addresses for incoming router descriptors must match in order
25 * to be marked as valid in our networkstatus. */
26 static smartlist_t
*authdir_invalid_policy
= NULL
;
27 /** Policy that addresses for incoming router descriptors must <b>not</b>
28 * match in order to not be marked as BadDirectory. */
29 static smartlist_t
*authdir_baddir_policy
= NULL
;
30 /** Policy that addresses for incoming router descriptors must <b>not</b>
31 * match in order to not be marked as BadExit. */
32 static smartlist_t
*authdir_badexit_policy
= NULL
;
34 /** Parsed addr_policy_t describing which addresses we believe we can start
36 static smartlist_t
*reachable_or_addr_policy
= NULL
;
37 /** Parsed addr_policy_t describing which addresses we believe we can connect
38 * to directories at. */
39 static smartlist_t
*reachable_dir_addr_policy
= NULL
;
41 /** Element of an exit policy summary */
42 typedef struct policy_summary_item_t
{
43 uint16_t prt_min
; /**< Lowest port number to accept/reject. */
44 uint16_t prt_max
; /**< Highest port number to accept/reject. */
45 uint64_t reject_count
; /**< Number of IP-Addresses that are rejected to
47 int accepted
:1; /** Has this port already been accepted */
48 } policy_summary_item_t
;
50 /** Private networks. This list is used in two places, once to expand the
51 * "private" keyword when parsing our own exit policy, secondly to ignore
52 * just such networks when building exit policy summaries. It is important
53 * that all authorities agree on that list when creating summaries, so don't
54 * just change this without a proper migration plan and a proposal and stuff.
56 static const char *private_nets
[] = {
57 "0.0.0.0/8", "169.254.0.0/16",
58 "127.0.0.0/8", "192.168.0.0/16", "10.0.0.0/8", "172.16.0.0/12",
59 // "fc00::/7", "fe80::/10", "fec0::/10", "::/127",
62 /** Replace all "private" entries in *<b>policy</b> with their expanded
65 policy_expand_private(smartlist_t
**policy
)
67 uint16_t port_min
, port_max
;
72 if (!*policy
) /*XXXX disallow NULL policies? */
75 tmp
= smartlist_create();
77 SMARTLIST_FOREACH(*policy
, addr_policy_t
*, p
,
79 if (! p
->is_private
) {
80 smartlist_add(tmp
, p
);
83 for (i
= 0; private_nets
[i
]; ++i
) {
85 memcpy(&policy
, p
, sizeof(addr_policy_t
));
86 policy
.is_private
= 0;
87 policy
.is_canonical
= 0;
88 if (tor_addr_parse_mask_ports(private_nets
[i
], &policy
.addr
,
89 &policy
.maskbits
, &port_min
, &port_max
)<0) {
92 smartlist_add(tmp
, addr_policy_get_canonical_entry(&policy
));
97 smartlist_free(*policy
);
102 * Given a linked list of config lines containing "allow" and "deny"
103 * tokens, parse them and append the result to <b>dest</b>. Return -1
104 * if any tokens are malformed (and don't append any), else return 0.
106 * If <b>assume_action</b> is nonnegative, then insert its action
107 * (ADDR_POLICY_ACCEPT or ADDR_POLICY_REJECT) for items that specify no
111 parse_addr_policy(config_line_t
*cfg
, smartlist_t
**dest
,
115 smartlist_t
*entries
;
122 result
= smartlist_create();
123 entries
= smartlist_create();
124 for (; cfg
; cfg
= cfg
->next
) {
125 smartlist_split_string(entries
, cfg
->value
, ",",
126 SPLIT_SKIP_SPACE
|SPLIT_IGNORE_BLANK
, 0);
127 SMARTLIST_FOREACH(entries
, const char *, ent
,
129 log_debug(LD_CONFIG
,"Adding new entry '%s'",ent
);
130 item
= router_parse_addr_policy_item_from_string(ent
, assume_action
);
132 smartlist_add(result
, item
);
134 log_warn(LD_CONFIG
,"Malformed policy '%s'.", ent
);
138 SMARTLIST_FOREACH(entries
, char *, ent
, tor_free(ent
));
139 smartlist_clear(entries
);
141 smartlist_free(entries
);
143 addr_policy_list_free(result
);
145 policy_expand_private(&result
);
148 smartlist_add_all(*dest
, result
);
149 smartlist_free(result
);
158 /** Helper: parse the Reachable(Dir|OR)?Addresses fields into
159 * reachable_(or|dir)_addr_policy. The options should already have
160 * been validated by validate_addr_policies.
163 parse_reachable_addresses(void)
165 or_options_t
*options
= get_options();
168 if (options
->ReachableDirAddresses
&&
169 options
->ReachableORAddresses
&&
170 options
->ReachableAddresses
) {
172 "Both ReachableDirAddresses and ReachableORAddresses are set. "
173 "ReachableAddresses setting will be ignored.");
175 addr_policy_list_free(reachable_or_addr_policy
);
176 reachable_or_addr_policy
= NULL
;
177 if (!options
->ReachableORAddresses
&& options
->ReachableAddresses
)
179 "Using ReachableAddresses as ReachableORAddresses.");
180 if (parse_addr_policy(options
->ReachableORAddresses
?
181 options
->ReachableORAddresses
:
182 options
->ReachableAddresses
,
183 &reachable_or_addr_policy
, ADDR_POLICY_ACCEPT
)) {
185 "Error parsing Reachable%sAddresses entry; ignoring.",
186 options
->ReachableORAddresses
? "OR" : "");
190 addr_policy_list_free(reachable_dir_addr_policy
);
191 reachable_dir_addr_policy
= NULL
;
192 if (!options
->ReachableDirAddresses
&& options
->ReachableAddresses
)
194 "Using ReachableAddresses as ReachableDirAddresses");
195 if (parse_addr_policy(options
->ReachableDirAddresses
?
196 options
->ReachableDirAddresses
:
197 options
->ReachableAddresses
,
198 &reachable_dir_addr_policy
, ADDR_POLICY_ACCEPT
)) {
199 if (options
->ReachableDirAddresses
)
201 "Error parsing ReachableDirAddresses entry; ignoring.");
207 /** Return true iff the firewall options might block any address:port
211 firewall_is_fascist_or(void)
213 return reachable_or_addr_policy
!= NULL
;
216 /** Return true iff <b>policy</b> (possibly NULL) will allow a
217 * connection to <b>addr</b>:<b>port</b>.
220 addr_policy_permits_tor_addr(const tor_addr_t
*addr
, uint16_t port
,
223 addr_policy_result_t p
;
224 p
= compare_tor_addr_to_addr_policy(addr
, port
, policy
);
226 case ADDR_POLICY_PROBABLY_ACCEPTED
:
227 case ADDR_POLICY_ACCEPTED
:
229 case ADDR_POLICY_PROBABLY_REJECTED
:
230 case ADDR_POLICY_REJECTED
:
233 log_warn(LD_BUG
, "Unexpected result: %d", (int)p
);
238 /** Return true iff <b> policy</b> (possibly NULL) will allow a connection to
239 * <b>addr</b>:<b>port</b>. <b>addr</b> is an IPv4 address given in host
241 /* XXXX deprecate when possible. */
243 addr_policy_permits_address(uint32_t addr
, uint16_t port
,
247 tor_addr_from_ipv4h(&a
, addr
);
248 return addr_policy_permits_tor_addr(&a
, port
, policy
);
251 /** Return true iff we think our firewall will let us make an OR connection to
254 fascist_firewall_allows_address_or(const tor_addr_t
*addr
, uint16_t port
)
256 return addr_policy_permits_tor_addr(addr
, port
,
257 reachable_or_addr_policy
);
260 /** Return true iff we think our firewall will let us make an OR connection to
263 fascist_firewall_allows_or(routerinfo_t
*ri
)
265 /* XXXX proposal 118 */
267 tor_addr_from_ipv4h(&addr
, ri
->addr
);
268 return fascist_firewall_allows_address_or(&addr
, ri
->or_port
);
271 /** Return true iff we think our firewall will let us make a directory
272 * connection to addr:port. */
274 fascist_firewall_allows_address_dir(const tor_addr_t
*addr
, uint16_t port
)
276 return addr_policy_permits_tor_addr(addr
, port
,
277 reachable_dir_addr_policy
);
280 /** Return 1 if <b>addr</b> is permitted to connect to our dir port,
281 * based on <b>dir_policy</b>. Else return 0.
284 dir_policy_permits_address(const tor_addr_t
*addr
)
286 return addr_policy_permits_tor_addr(addr
, 1, dir_policy
);
289 /** Return 1 if <b>addr</b> is permitted to connect to our socks port,
290 * based on <b>socks_policy</b>. Else return 0.
293 socks_policy_permits_address(const tor_addr_t
*addr
)
295 return addr_policy_permits_tor_addr(addr
, 1, socks_policy
);
298 /** Return 1 if <b>addr</b>:<b>port</b> is permitted to publish to our
299 * directory, based on <b>authdir_reject_policy</b>. Else return 0.
302 authdir_policy_permits_address(uint32_t addr
, uint16_t port
)
304 return addr_policy_permits_address(addr
, port
, authdir_reject_policy
);
307 /** Return 1 if <b>addr</b>:<b>port</b> is considered valid in our
308 * directory, based on <b>authdir_invalid_policy</b>. Else return 0.
311 authdir_policy_valid_address(uint32_t addr
, uint16_t port
)
313 return addr_policy_permits_address(addr
, port
, authdir_invalid_policy
);
316 /** Return 1 if <b>addr</b>:<b>port</b> should be marked as a bad dir,
317 * based on <b>authdir_baddir_policy</b>. Else return 0.
320 authdir_policy_baddir_address(uint32_t addr
, uint16_t port
)
322 return ! addr_policy_permits_address(addr
, port
, authdir_baddir_policy
);
325 /** Return 1 if <b>addr</b>:<b>port</b> should be marked as a bad exit,
326 * based on <b>authdir_badexit_policy</b>. Else return 0.
329 authdir_policy_badexit_address(uint32_t addr
, uint16_t port
)
331 return ! addr_policy_permits_address(addr
, port
, authdir_badexit_policy
);
334 #define REJECT(arg) \
335 STMT_BEGIN *msg = tor_strdup(arg); goto err; STMT_END
337 /** Config helper: If there's any problem with the policy configuration
338 * options in <b>options</b>, return -1 and set <b>msg</b> to a newly
339 * allocated description of the error. Else return 0. */
341 validate_addr_policies(or_options_t
*options
, char **msg
)
343 /* XXXX Maybe merge this into parse_policies_from_options, to make sure
344 * that the two can't go out of sync. */
346 smartlist_t
*addr_policy
=NULL
;
349 if (policies_parse_exit_policy(options
->ExitPolicy
, &addr_policy
,
350 options
->ExitPolicyRejectPrivate
, NULL
))
351 REJECT("Error in ExitPolicy entry.");
353 /* The rest of these calls *append* to addr_policy. So don't actually
354 * use the results for anything other than checking if they parse! */
355 if (parse_addr_policy(options
->DirPolicy
, &addr_policy
, -1))
356 REJECT("Error in DirPolicy entry.");
357 if (parse_addr_policy(options
->SocksPolicy
, &addr_policy
, -1))
358 REJECT("Error in SocksPolicy entry.");
359 if (parse_addr_policy(options
->AuthDirReject
, &addr_policy
,
361 REJECT("Error in AuthDirReject entry.");
362 if (parse_addr_policy(options
->AuthDirInvalid
, &addr_policy
,
364 REJECT("Error in AuthDirInvalid entry.");
365 if (parse_addr_policy(options
->AuthDirBadDir
, &addr_policy
,
367 REJECT("Error in AuthDirBadDir entry.");
368 if (parse_addr_policy(options
->AuthDirBadExit
, &addr_policy
,
370 REJECT("Error in AuthDirBadExit entry.");
372 if (parse_addr_policy(options
->ReachableAddresses
, &addr_policy
,
374 REJECT("Error in ReachableAddresses entry.");
375 if (parse_addr_policy(options
->ReachableORAddresses
, &addr_policy
,
377 REJECT("Error in ReachableORAddresses entry.");
378 if (parse_addr_policy(options
->ReachableDirAddresses
, &addr_policy
,
380 REJECT("Error in ReachableDirAddresses entry.");
381 if (parse_addr_policy(options
->AuthDirReject
, &addr_policy
,
383 REJECT("Error in AuthDirReject entry.");
384 if (parse_addr_policy(options
->AuthDirInvalid
, &addr_policy
,
386 REJECT("Error in AuthDirInvalid entry.");
389 addr_policy_list_free(addr_policy
);
390 return *msg
? -1 : 0;
394 /** Parse <b>string</b> in the same way that the exit policy
395 * is parsed, and put the processed version in *<b>policy</b>.
396 * Ignore port specifiers.
399 load_policy_from_option(config_line_t
*config
, smartlist_t
**policy
,
403 addr_policy_list_free(*policy
);
405 r
= parse_addr_policy(config
, policy
, assume_action
);
410 SMARTLIST_FOREACH_BEGIN(*policy
, addr_policy_t
*, n
) {
411 /* ports aren't used in these. */
412 if (n
->prt_min
> 1 || n
->prt_max
!= 65535) {
413 addr_policy_t newp
, *c
;
414 memcpy(&newp
, n
, sizeof(newp
));
416 newp
.prt_max
= 65535;
417 c
= addr_policy_get_canonical_entry(&newp
);
418 SMARTLIST_REPLACE_CURRENT(*policy
, n
, c
);
421 } SMARTLIST_FOREACH_END(n
);
426 /** Set all policies based on <b>options</b>, which should have been validated
427 * first by validate_addr_policies. */
429 policies_parse_from_options(or_options_t
*options
)
432 if (load_policy_from_option(options
->SocksPolicy
, &socks_policy
, -1) < 0)
434 if (load_policy_from_option(options
->DirPolicy
, &dir_policy
, -1) < 0)
436 if (load_policy_from_option(options
->AuthDirReject
,
437 &authdir_reject_policy
, ADDR_POLICY_REJECT
) < 0)
439 if (load_policy_from_option(options
->AuthDirInvalid
,
440 &authdir_invalid_policy
, ADDR_POLICY_REJECT
) < 0)
442 if (load_policy_from_option(options
->AuthDirBadDir
,
443 &authdir_baddir_policy
, ADDR_POLICY_REJECT
) < 0)
445 if (load_policy_from_option(options
->AuthDirBadExit
,
446 &authdir_badexit_policy
, ADDR_POLICY_REJECT
) < 0)
448 if (parse_reachable_addresses() < 0)
453 /** Compare two provided address policy items, and return -1, 0, or 1
454 * if the first is less than, equal to, or greater than the second. */
456 cmp_single_addr_policy(addr_policy_t
*a
, addr_policy_t
*b
)
459 if ((r
=((int)a
->policy_type
- (int)b
->policy_type
)))
461 if ((r
=((int)a
->is_private
- (int)b
->is_private
)))
463 if ((r
=tor_addr_compare(&a
->addr
, &b
->addr
, CMP_EXACT
)))
465 if ((r
=((int)a
->maskbits
- (int)b
->maskbits
)))
467 if ((r
=((int)a
->prt_min
- (int)b
->prt_min
)))
469 if ((r
=((int)a
->prt_max
- (int)b
->prt_max
)))
474 /** Like cmp_single_addr_policy() above, but looks at the
475 * whole set of policies in each case. */
477 cmp_addr_policies(smartlist_t
*a
, smartlist_t
*b
)
480 int len_a
= a
? smartlist_len(a
) : 0;
481 int len_b
= b
? smartlist_len(b
) : 0;
483 for (i
= 0; i
< len_a
&& i
< len_b
; ++i
) {
484 if ((r
= cmp_single_addr_policy(smartlist_get(a
, i
), smartlist_get(b
, i
))))
487 if (i
== len_a
&& i
== len_b
)
495 /** Node in hashtable used to store address policy entries. */
496 typedef struct policy_map_ent_t
{
497 HT_ENTRY(policy_map_ent_t
) node
;
498 addr_policy_t
*policy
;
501 static HT_HEAD(policy_map
, policy_map_ent_t
) policy_root
= HT_INITIALIZER();
503 /** Return true iff a and b are equal. */
505 policy_eq(policy_map_ent_t
*a
, policy_map_ent_t
*b
)
507 return cmp_single_addr_policy(a
->policy
, b
->policy
) == 0;
510 /** Return a hashcode for <b>ent</b> */
512 policy_hash(policy_map_ent_t
*ent
)
514 addr_policy_t
*a
= ent
->policy
;
519 r
= tor_addr_hash(&a
->addr
);
520 r
+= a
->prt_min
<< 8;
521 r
+= a
->prt_max
<< 16;
523 if (a
->policy_type
== ADDR_POLICY_REJECT
)
529 HT_PROTOTYPE(policy_map
, policy_map_ent_t
, node
, policy_hash
,
531 HT_GENERATE(policy_map
, policy_map_ent_t
, node
, policy_hash
,
532 policy_eq
, 0.6, malloc
, realloc
, free
)
534 /** Given a pointer to an addr_policy_t, return a copy of the pointer to the
535 * "canonical" copy of that addr_policy_t; the canonical copy is a single
536 * reference-counted object. */
538 addr_policy_get_canonical_entry(addr_policy_t
*e
)
540 policy_map_ent_t search
, *found
;
545 found
= HT_FIND(policy_map
, &policy_root
, &search
);
547 found
= tor_malloc_zero(sizeof(policy_map_ent_t
));
548 found
->policy
= tor_memdup(e
, sizeof(addr_policy_t
));
549 found
->policy
->is_canonical
= 1;
550 found
->policy
->refcnt
= 0;
551 HT_INSERT(policy_map
, &policy_root
, found
);
554 tor_assert(!cmp_single_addr_policy(found
->policy
, e
));
555 ++found
->policy
->refcnt
;
556 return found
->policy
;
559 /** As compare_to_addr_to_addr_policy, but instead of a tor_addr_t, takes
562 compare_addr_to_addr_policy(uint32_t addr
, uint16_t port
, smartlist_t
*policy
)
564 /*XXXX deprecate this function when possible. */
566 tor_addr_from_ipv4h(&a
, addr
);
567 return compare_tor_addr_to_addr_policy(&a
, port
, policy
);
570 /** Decide whether a given addr:port is definitely accepted,
571 * definitely rejected, probably accepted, or probably rejected by a
572 * given policy. If <b>addr</b> is 0, we don't know the IP of the
573 * target address. If <b>port</b> is 0, we don't know the port of the
576 * For now, the algorithm is pretty simple: we look for definite and
577 * uncertain matches. The first definite match is what we guess; if
578 * it was preceded by no uncertain matches of the opposite policy,
579 * then the guess is definite; otherwise it is probable. (If we
580 * have a known addr and port, all matches are definite; if we have an
581 * unknown addr/port, any address/port ranges other than "all" are
584 * We could do better by assuming that some ranges never match typical
585 * addresses (127.0.0.1, and so on). But we'll try this for now.
588 compare_tor_addr_to_addr_policy(const tor_addr_t
*addr
, uint16_t port
,
591 int maybe_reject
= 0;
592 int maybe_accept
= 0;
597 addr_is_unknown
= tor_addr_is_null(addr
);
599 len
= policy
? smartlist_len(policy
) : 0;
601 for (i
= 0; i
< len
; ++i
) {
602 addr_policy_t
*tmpe
= smartlist_get(policy
, i
);
604 if (addr_is_unknown
) {
605 /* Address is unknown. */
606 if ((port
>= tmpe
->prt_min
&& port
<= tmpe
->prt_max
) ||
607 (!port
&& tmpe
->prt_min
<=1 && tmpe
->prt_max
>=65535)) {
608 /* The port definitely matches. */
609 if (tmpe
->maskbits
== 0) {
615 /* The port maybe matches. */
619 /* Address is known */
620 if (!tor_addr_compare_masked(addr
, &tmpe
->addr
, tmpe
->maskbits
,
622 if (port
>= tmpe
->prt_min
&& port
<= tmpe
->prt_max
) {
623 /* Exact match for the policy */
631 if (tmpe
->policy_type
== ADDR_POLICY_REJECT
)
637 if (tmpe
->policy_type
== ADDR_POLICY_ACCEPT
) {
638 /* If we already hit a clause that might trigger a 'reject', than we
639 * can't be sure of this certain 'accept'.*/
640 return maybe_reject
? ADDR_POLICY_PROBABLY_ACCEPTED
:
641 ADDR_POLICY_ACCEPTED
;
643 return maybe_accept
? ADDR_POLICY_PROBABLY_REJECTED
:
644 ADDR_POLICY_REJECTED
;
649 /* accept all by default. */
650 return maybe_reject
? ADDR_POLICY_PROBABLY_ACCEPTED
: ADDR_POLICY_ACCEPTED
;
653 /** Return true iff the address policy <b>a</b> covers every case that
654 * would be covered by <b>b</b>, so that a,b is redundant. */
656 addr_policy_covers(addr_policy_t
*a
, addr_policy_t
*b
)
658 /* We can ignore accept/reject, since "accept *:80, reject *:80" reduces
659 * to "accept *:80". */
660 if (a
->maskbits
> b
->maskbits
) {
661 /* a has more fixed bits than b; it can't possibly cover b. */
664 if (tor_addr_compare_masked(&a
->addr
, &b
->addr
, a
->maskbits
, CMP_SEMANTIC
)) {
665 /* There's a fixed bit in a that's set differently in b. */
668 return (a
->prt_min
<= b
->prt_min
&& a
->prt_max
>= b
->prt_max
);
671 /** Return true iff the address policies <b>a</b> and <b>b</b> intersect,
672 * that is, there exists an address/port that is covered by <b>a</b> that
673 * is also covered by <b>b</b>.
676 addr_policy_intersects(addr_policy_t
*a
, addr_policy_t
*b
)
679 /* All the bits we care about are those that are set in both
680 * netmasks. If they are equal in a and b's networkaddresses
681 * then the networks intersect. If there is a difference,
682 * then they do not. */
683 if (a
->maskbits
< b
->maskbits
)
684 minbits
= a
->maskbits
;
686 minbits
= b
->maskbits
;
687 if (tor_addr_compare_masked(&a
->addr
, &b
->addr
, minbits
, CMP_SEMANTIC
))
689 if (a
->prt_max
< b
->prt_min
|| b
->prt_max
< a
->prt_min
)
694 /** Add the exit policy described by <b>more</b> to <b>policy</b>.
697 append_exit_policy_string(smartlist_t
**policy
, const char *more
)
702 tmp
.value
= (char*) more
;
704 if (parse_addr_policy(&tmp
, policy
, -1)<0) {
705 log_warn(LD_BUG
, "Unable to parse internally generated policy %s",more
);
709 /** Detect and excise "dead code" from the policy *<b>dest</b>. */
711 exit_policy_remove_redundancies(smartlist_t
*dest
)
713 addr_policy_t
*ap
, *tmp
, *victim
;
716 /* Step one: find a *:* entry and cut off everything after it. */
717 for (i
= 0; i
< smartlist_len(dest
); ++i
) {
718 ap
= smartlist_get(dest
, i
);
719 if (ap
->maskbits
== 0 && ap
->prt_min
<= 1 && ap
->prt_max
>= 65535) {
720 /* This is a catch-all line -- later lines are unreachable. */
721 while (i
+1 < smartlist_len(dest
)) {
722 victim
= smartlist_get(dest
, i
+1);
723 smartlist_del(dest
, i
+1);
724 addr_policy_free(victim
);
730 /* Step two: for every entry, see if there's a redundant entry
731 * later on, and remove it. */
732 for (i
= 0; i
< smartlist_len(dest
)-1; ++i
) {
733 ap
= smartlist_get(dest
, i
);
734 for (j
= i
+1; j
< smartlist_len(dest
); ++j
) {
735 tmp
= smartlist_get(dest
, j
);
737 if (addr_policy_covers(ap
, tmp
)) {
738 char p1
[POLICY_BUF_LEN
], p2
[POLICY_BUF_LEN
];
739 policy_write_item(p1
, sizeof(p1
), tmp
, 0);
740 policy_write_item(p2
, sizeof(p2
), ap
, 0);
741 log(LOG_DEBUG
, LD_CONFIG
, "Removing exit policy %s (%d). It is made "
742 "redundant by %s (%d).", p1
, j
, p2
, i
);
743 smartlist_del_keeporder(dest
, j
--);
744 addr_policy_free(tmp
);
749 /* Step three: for every entry A, see if there's an entry B making this one
750 * redundant later on. This is the case if A and B are of the same type
751 * (accept/reject), A is a subset of B, and there is no other entry of
752 * different type in between those two that intersects with A.
754 * Anybody want to doublecheck the logic here? XXX
756 for (i
= 0; i
< smartlist_len(dest
)-1; ++i
) {
757 ap
= smartlist_get(dest
, i
);
758 for (j
= i
+1; j
< smartlist_len(dest
); ++j
) {
759 // tor_assert(j > i); // j starts out at i+1; j only increases; i only
761 tmp
= smartlist_get(dest
, j
);
762 if (ap
->policy_type
!= tmp
->policy_type
) {
763 if (addr_policy_intersects(ap
, tmp
))
765 } else { /* policy_types are equal. */
766 if (addr_policy_covers(tmp
, ap
)) {
767 char p1
[POLICY_BUF_LEN
], p2
[POLICY_BUF_LEN
];
768 policy_write_item(p1
, sizeof(p1
), ap
, 0);
769 policy_write_item(p2
, sizeof(p2
), tmp
, 0);
770 log(LOG_DEBUG
, LD_CONFIG
, "Removing exit policy %s. It is already "
771 "covered by %s.", p1
, p2
);
772 smartlist_del_keeporder(dest
, i
--);
773 addr_policy_free(ap
);
781 #define DEFAULT_EXIT_POLICY \
782 "reject *:25,reject *:119,reject *:135-139,reject *:445," \
783 "reject *:563,reject *:1214,reject *:4661-4666," \
784 "reject *:6346-6429,reject *:6699,reject *:6881-6999,accept *:*"
786 /** Parse the exit policy <b>cfg</b> into the linked list *<b>dest</b>. If
787 * cfg doesn't end in an absolute accept or reject, add the default exit
788 * policy afterwards. If <b>rejectprivate</b> is true, prepend
789 * "reject private:*" to the policy. Return -1 if we can't parse cfg,
793 policies_parse_exit_policy(config_line_t
*cfg
, smartlist_t
**dest
,
794 int rejectprivate
, const char *local_address
)
797 append_exit_policy_string(dest
, "reject private:*");
799 char buf
[POLICY_BUF_LEN
];
800 tor_snprintf(buf
, sizeof(buf
), "reject %s:*", local_address
);
801 append_exit_policy_string(dest
, buf
);
804 if (parse_addr_policy(cfg
, dest
, -1))
806 append_exit_policy_string(dest
, DEFAULT_EXIT_POLICY
);
808 exit_policy_remove_redundancies(*dest
);
813 /** Replace the exit policy of <b>r</b> with reject *:*. */
815 policies_set_router_exitpolicy_to_reject_all(routerinfo_t
*r
)
818 addr_policy_list_free(r
->exit_policy
);
819 r
->exit_policy
= smartlist_create();
820 item
= router_parse_addr_policy_item_from_string("reject *:*", -1);
821 smartlist_add(r
->exit_policy
, item
);
824 /** Return true iff <b>ri</b> is "useful as an exit node", meaning
825 * it allows exit to at least one /8 address space for at least
826 * two of ports 80, 443, and 6667. */
828 exit_policy_is_general_exit(smartlist_t
*policy
)
830 static const int ports
[] = { 80, 443, 6667 };
833 if (!policy
) /*XXXX disallow NULL policies? */
836 for (i
= 0; i
< 3; ++i
) {
837 SMARTLIST_FOREACH(policy
, addr_policy_t
*, p
, {
838 if (p
->prt_min
> ports
[i
] || p
->prt_max
< ports
[i
])
839 continue; /* Doesn't cover our port. */
841 continue; /* Narrower than a /8. */
842 if (tor_addr_is_loopback(&p
->addr
))
843 continue; /* 127.x or ::1. */
844 /* We have a match that is at least a /8. */
845 if (p
->policy_type
== ADDR_POLICY_ACCEPT
) {
847 break; /* stop considering this port */
851 return n_allowed
>= 2;
854 /** Return false if <b>policy</b> might permit access to some addr:port;
855 * otherwise if we are certain it rejects everything, return true. */
857 policy_is_reject_star(smartlist_t
*policy
)
859 if (!policy
) /*XXXX disallow NULL policies? */
861 SMARTLIST_FOREACH(policy
, addr_policy_t
*, p
, {
862 if (p
->policy_type
== ADDR_POLICY_ACCEPT
)
864 else if (p
->policy_type
== ADDR_POLICY_REJECT
&&
865 p
->prt_min
<= 1 && p
->prt_max
== 65535 &&
872 /** Write a single address policy to the buf_len byte buffer at buf. Return
873 * the number of characters written, or -1 on failure. */
875 policy_write_item(char *buf
, size_t buflen
, addr_policy_t
*policy
,
879 char addrbuf
[TOR_ADDR_BUF_LEN
];
880 const char *addrpart
;
882 const int is_accept
= policy
->policy_type
== ADDR_POLICY_ACCEPT
;
883 const int is_ip6
= tor_addr_family(&policy
->addr
) == AF_INET6
;
885 tor_addr_to_str(addrbuf
, &policy
->addr
, sizeof(addrbuf
), 1);
887 /* write accept/reject 1.2.3.4 */
888 if (policy
->is_private
)
889 addrpart
= "private";
890 else if (policy
->maskbits
== 0)
895 result
= tor_snprintf(buf
, buflen
, "%s%s%s %s",
896 (is_ip6
&&format_for_desc
)?"opt ":"",
897 is_accept
? "accept" : "reject",
898 (is_ip6
&&format_for_desc
)?"6":"",
902 written
+= strlen(buf
);
903 /* If the maskbits is 32 we don't need to give it. If the mask is 0,
904 * we already wrote "*". */
905 if (policy
->maskbits
< 32 && policy
->maskbits
> 0) {
906 if (tor_snprintf(buf
+written
, buflen
-written
, "/%d", policy
->maskbits
)<0)
908 written
+= strlen(buf
+written
);
910 if (policy
->prt_min
<= 1 && policy
->prt_max
== 65535) {
911 /* There is no port set; write ":*" */
912 if (written
+4 > buflen
)
914 strlcat(buf
+written
, ":*", buflen
-written
);
916 } else if (policy
->prt_min
== policy
->prt_max
) {
917 /* There is only one port; write ":80". */
918 result
= tor_snprintf(buf
+written
, buflen
-written
, ":%d", policy
->prt_min
);
923 /* There is a range of ports; write ":79-80". */
924 result
= tor_snprintf(buf
+written
, buflen
-written
, ":%d-%d",
925 policy
->prt_min
, policy
->prt_max
);
930 if (written
< buflen
)
938 /** Create a new exit policy summary, initially only with a single
940 /* XXXX This entire thing will do most stuff in O(N^2), or worse. Use an
941 * RB-tree if that turns out to matter. */
943 policy_summary_create(void)
945 smartlist_t
*summary
;
946 policy_summary_item_t
* item
;
948 item
= tor_malloc_zero(sizeof(policy_summary_item_t
));
950 item
->prt_max
= 65535;
951 item
->reject_count
= 0;
954 summary
= smartlist_create();
955 smartlist_add(summary
, item
);
960 /** Split the summary item in <b>item</b> at the port <b>new_starts</b>.
961 * The current item is changed to end at new-starts - 1, the new item
962 * copies reject_count and accepted from the old item,
963 * starts at new_starts and ends at the port where the original item
966 static policy_summary_item_t
*
967 policy_summary_item_split(policy_summary_item_t
* old
, uint16_t new_starts
)
969 policy_summary_item_t
* new;
971 new = tor_malloc_zero(sizeof(policy_summary_item_t
));
972 new->prt_min
= new_starts
;
973 new->prt_max
= old
->prt_max
;
974 new->reject_count
= old
->reject_count
;
975 new->accepted
= old
->accepted
;
977 old
->prt_max
= new_starts
-1;
979 tor_assert(old
->prt_min
<= old
->prt_max
);
980 tor_assert(new->prt_min
<= new->prt_max
);
984 /* XXXX Nick says I'm going to hell for this. If he feels charitably towards
985 * my immortal soul, he can clean it up himself. */
986 #define AT(x) ((policy_summary_item_t*)smartlist_get(summary, x))
988 #define REJECT_CUTOFF_COUNT (1<<25)
989 /** Split an exit policy summary so that prt_min and prt_max
990 * fall at exactly the start and end of an item respectively.
993 policy_summary_split(smartlist_t
*summary
,
994 uint16_t prt_min
, uint16_t prt_max
)
999 /* XXXX Do a binary search if run time matters */
1000 while (AT(i
)->prt_max
< prt_min
)
1002 if (AT(i
)->prt_min
!= prt_min
) {
1003 policy_summary_item_t
* new_item
;
1004 new_item
= policy_summary_item_split(AT(i
), prt_min
);
1005 smartlist_insert(summary
, i
+1, new_item
);
1010 while (AT(i
)->prt_max
< prt_max
)
1012 if (AT(i
)->prt_max
!= prt_max
) {
1013 policy_summary_item_t
* new_item
;
1014 new_item
= policy_summary_item_split(AT(i
), prt_max
+1);
1015 smartlist_insert(summary
, i
+1, new_item
);
1018 return start_at_index
;
1021 /** Mark port ranges as accepted if they are below the reject_count */
1023 policy_summary_accept(smartlist_t
*summary
,
1024 uint16_t prt_min
, uint16_t prt_max
)
1026 int i
= policy_summary_split(summary
, prt_min
, prt_max
);
1027 while (i
< smartlist_len(summary
) &&
1028 AT(i
)->prt_max
<= prt_max
) {
1029 if (!AT(i
)->accepted
&&
1030 AT(i
)->reject_count
<= REJECT_CUTOFF_COUNT
)
1031 AT(i
)->accepted
= 1;
1034 tor_assert(i
< smartlist_len(summary
) || prt_max
==65535);
1037 /** Count the number of addresses in a network with prefixlen maskbits
1038 * against the given portrange. */
1040 policy_summary_reject(smartlist_t
*summary
,
1041 maskbits_t maskbits
,
1042 uint16_t prt_min
, uint16_t prt_max
)
1044 int i
= policy_summary_split(summary
, prt_min
, prt_max
);
1045 /* XXX: ipv4 specific */
1046 uint64_t count
= (U64_LITERAL(1) << (32-maskbits
));
1047 while (i
< smartlist_len(summary
) &&
1048 AT(i
)->prt_max
<= prt_max
) {
1049 AT(i
)->reject_count
+= count
;
1052 tor_assert(i
< smartlist_len(summary
) || prt_max
==65535);
1055 /** Add a single exit policy item to our summary:
1056 * If it is an accept ignore it unless it is for all IP addresses
1057 * ("*"), i.e. it's prefixlen/maskbits is 0, else call
1058 * policy_summary_accept().
1059 * If it's a reject ignore it if it is about one of the private
1060 * networks, else call policy_summary_reject().
1063 policy_summary_add_item(smartlist_t
*summary
, addr_policy_t
*p
)
1065 if (p
->policy_type
== ADDR_POLICY_ACCEPT
) {
1066 if (p
->maskbits
== 0) {
1067 policy_summary_accept(summary
, p
->prt_min
, p
->prt_max
);
1069 } else if (p
->policy_type
== ADDR_POLICY_REJECT
) {
1073 for (i
= 0; private_nets
[i
]; ++i
) {
1075 maskbits_t maskbits
;
1076 if (tor_addr_parse_mask_ports(private_nets
[i
], &addr
,
1077 &maskbits
, NULL
, NULL
)<0) {
1080 if (tor_addr_compare(&p
->addr
, &addr
, CMP_EXACT
) == 0 &&
1081 p
->maskbits
== maskbits
) {
1088 policy_summary_reject(summary
, p
->maskbits
, p
->prt_min
, p
->prt_max
);
1094 /** Create a string representing a summary for an exit policy.
1095 * The summary will either be an "accept" plus a comma-seperated list of port
1096 * ranges or a "reject" plus portranges, depending on which is shorter.
1098 * If no exits are allowed at all then NULL is returned, if no ports
1099 * are blocked instead of "reject " we return "accept 1-65535" (this
1100 * is an exception to the shorter-representation-wins rule).
1103 policy_summarize(smartlist_t
*policy
)
1105 smartlist_t
*summary
= policy_summary_create();
1106 smartlist_t
*accepts
, *rejects
;
1107 int i
, last
, start_prt
;
1108 size_t accepts_len
, rejects_len
, shorter_len
, final_size
;
1109 char *accepts_str
= NULL
, *rejects_str
= NULL
, *shorter_str
, *result
;
1114 /* Create the summary list */
1115 SMARTLIST_FOREACH(policy
, addr_policy_t
*, p
, {
1116 policy_summary_add_item(summary
, p
);
1119 /* Now create two lists of strings, one for accepted and one
1120 * for rejected ports. We take care to merge ranges so that
1121 * we avoid getting stuff like "1-4,5-9,10", instead we want
1126 accepts
= smartlist_create();
1127 rejects
= smartlist_create();
1129 last
= i
== smartlist_len(summary
)-1;
1131 AT(i
)->accepted
!= AT(i
+1)->accepted
) {
1132 char buf
[POLICY_BUF_LEN
];
1134 if (start_prt
== AT(i
)->prt_max
)
1135 tor_snprintf(buf
, sizeof(buf
), "%d", start_prt
);
1137 tor_snprintf(buf
, sizeof(buf
), "%d-%d", start_prt
, AT(i
)->prt_max
);
1139 if (AT(i
)->accepted
)
1140 smartlist_add(accepts
, tor_strdup(buf
));
1142 smartlist_add(rejects
, tor_strdup(buf
));
1147 start_prt
= AT(i
+1)->prt_min
;
1152 /* Figure out which of the two stringlists will be shorter and use
1153 * that to build the result
1155 if (smartlist_len(accepts
) == 0) { /* no exits at all */
1156 result
= tor_strdup("reject 1-65535");
1159 if (smartlist_len(rejects
) == 0) { /* no rejects at all */
1160 result
= tor_strdup("accept 1-65535");
1164 accepts_str
= smartlist_join_strings(accepts
, ",", 0, &accepts_len
);
1165 rejects_str
= smartlist_join_strings(rejects
, ",", 0, &rejects_len
);
1167 if (rejects_len
> MAX_EXITPOLICY_SUMMARY_LEN
&&
1168 accepts_len
> MAX_EXITPOLICY_SUMMARY_LEN
) {
1170 shorter_str
= accepts_str
;
1173 c
= shorter_str
+ (MAX_EXITPOLICY_SUMMARY_LEN
-strlen(prefix
)-1);
1174 while (*c
!= ',' && c
>= shorter_str
)
1176 tor_assert(c
>= shorter_str
);
1177 tor_assert(*c
== ',');
1180 shorter_len
= strlen(shorter_str
);
1181 } else if (rejects_len
< accepts_len
) {
1182 shorter_str
= rejects_str
;
1183 shorter_len
= rejects_len
;
1186 shorter_str
= accepts_str
;
1187 shorter_len
= accepts_len
;
1191 final_size
= strlen(prefix
)+1+shorter_len
+1;
1192 tor_assert(final_size
<= MAX_EXITPOLICY_SUMMARY_LEN
+1);
1193 result
= tor_malloc(final_size
);
1194 tor_snprintf(result
, final_size
, "%s %s", prefix
, shorter_str
);
1198 SMARTLIST_FOREACH(summary
, policy_summary_item_t
*, s
, tor_free(s
));
1199 smartlist_free(summary
);
1201 tor_free(accepts_str
);
1202 SMARTLIST_FOREACH(accepts
, char *, s
, tor_free(s
));
1203 smartlist_free(accepts
);
1205 tor_free(rejects_str
);
1206 SMARTLIST_FOREACH(rejects
, char *, s
, tor_free(s
));
1207 smartlist_free(rejects
);
1212 /** Implementation for GETINFO control command: knows the answer for questions
1213 * about "exit-policy/..." */
1215 getinfo_helper_policies(control_connection_t
*conn
,
1216 const char *question
, char **answer
)
1219 if (!strcmp(question
, "exit-policy/default")) {
1220 *answer
= tor_strdup(DEFAULT_EXIT_POLICY
);
1225 /** Release all storage held by <b>p</b>. */
1227 addr_policy_list_free(smartlist_t
*lst
)
1230 SMARTLIST_FOREACH(lst
, addr_policy_t
*, policy
, addr_policy_free(policy
));
1231 smartlist_free(lst
);
1234 /** Release all storage held by <b>p</b>. */
1236 addr_policy_free(addr_policy_t
*p
)
1239 if (--p
->refcnt
<= 0) {
1240 if (p
->is_canonical
) {
1241 policy_map_ent_t search
, *found
;
1243 found
= HT_REMOVE(policy_map
, &policy_root
, &search
);
1245 tor_assert(p
== found
->policy
);
1254 /** Release all storage held by policy variables. */
1256 policies_free_all(void)
1258 addr_policy_list_free(reachable_or_addr_policy
);
1259 reachable_or_addr_policy
= NULL
;
1260 addr_policy_list_free(reachable_dir_addr_policy
);
1261 reachable_dir_addr_policy
= NULL
;
1262 addr_policy_list_free(socks_policy
);
1263 socks_policy
= NULL
;
1264 addr_policy_list_free(dir_policy
);
1266 addr_policy_list_free(authdir_reject_policy
);
1267 authdir_reject_policy
= NULL
;
1268 addr_policy_list_free(authdir_invalid_policy
);
1269 authdir_invalid_policy
= NULL
;
1270 addr_policy_list_free(authdir_baddir_policy
);
1271 authdir_baddir_policy
= NULL
;
1272 addr_policy_list_free(authdir_badexit_policy
);
1273 authdir_badexit_policy
= NULL
;
1275 if (!HT_EMPTY(&policy_root
))
1276 log_warn(LD_MM
, "Still had some address policies cached at shutdown.");
1277 HT_CLEAR(policy_map
, &policy_root
);