| blob | ece48b16e35bafcaf071cff367cd308c8e575b3a |
1 /* Copyright (c) 2001-2004, Roger Dingledine.
2 * Copyright (c) 2004-2006, Roger Dingledine, Nick Mathewson.
3 * Copyright (c) 2007-2008, The Tor Project, Inc. */
4 /* See LICENSE for licensing information */
5 /* $Id$ */
9 /**
10 * \file policies.c
11 * \brief Code to parse and use address policies and exit policies.
12 **/
17 /** Policy that addresses for incoming SOCKS connections must match. */
19 /** Policy that addresses for incoming directory connections must match. */
21 /** Policy that addresses for incoming router descriptors must match in order
22 * to be published by us. */
24 /** Policy that addresses for incoming router descriptors must match in order
25 * to be marked as valid in our networkstatus. */
27 /** Policy that addresses for incoming router descriptors must <b>not</b>
28 * match in order to not be marked as BadDirectory. */
30 /** Policy that addresses for incoming router descriptors must <b>not</b>
31 * match in order to not be marked as BadExit. */
34 /** Parsed addr_policy_t describing which addresses we believe we can start
35 * circuits at. */
37 /** Parsed addr_policy_t describing which addresses we believe we can connect
38 * to directories at. */
41 /** Element of an exit policy summary */
46 this portrange. */
50 /** Private networks. This list is used in two places, once to expand the
51 * "private" keyword when parsing our own exit policy, secondly to ignore
52 * just such networks when building exit policy summaries. It is important
53 * that all authorities agree on that list when creating summaries, so don't
54 * just change this without a proper migration plan and a proposal and stuff.
55 */
59 // "fc00::/7", "fe80::/10", "fec0::/10", "::/127",
60 NULL };
62 /** Replace all "private" entries in *<b>policy</b> with their expanded
63 * equivalents. */
64 void
66 {
78 {
82 }
84 addr_policy_t policy;
91 }
93 }
95 });
99 }
101 /**
102 * Given a linked list of config lines containing "allow" and "deny"
103 * tokens, parse them and append the result to <b>dest</b>. Return -1
104 * if any tokens are malformed (and don't append any), else return 0.
105 *
106 * If <b>assume_action</b> is nonnegative, then insert its action
107 * (ADDR_POLICY_ACCEPT or ADDR_POLICY_REJECT) for items that specify no
108 * action.
109 */
110 static int
113 {
128 {
136 }
137 });
140 }
152 }
153 }
156 }
158 /** Helper: parse the Reachable(Dir|OR)?Addresses fields into
159 * reachable_(or|dir)_addr_policy. The options should already have
160 * been validated by validate_addr_policies.
161 */
162 static int
164 {
172 "Both ReachableDirAddresses and ReachableORAddresses are set. "
174 }
188 }
203 }
205 }
207 /** Return true iff the firewall options might block any address:port
208 * combination.
209 */
210 int
212 {
214 }
216 /** Return true iff <b>policy</b> (possibly NULL) will allow a
217 * connection to <b>addr</b>:<b>port</b>.
218 */
219 static int
222 {
223 addr_policy_result_t p;
235 }
236 }
238 /** Return true iff <b> policy</b> (possibly NULL) will allow a connection to
239 * <b>addr</b>:<b>port</b>. <b>addr</b> is an IPv4 address given in host
240 * order. */
241 /* XXXX deprecate when possible. */
242 static int
245 {
246 tor_addr_t a;
249 }
251 /** Return true iff we think our firewall will let us make an OR connection to
252 * addr:port. */
253 int
255 {
257 reachable_or_addr_policy);
258 }
260 /** Return true iff we think our firewall will let us make an OR connection to
261 * <b>ri</b>. */
262 int
264 {
265 /* XXXX proposal 118 */
266 tor_addr_t addr;
269 }
271 /** Return true iff we think our firewall will let us make a directory
272 * connection to addr:port. */
273 int
275 {
277 reachable_dir_addr_policy);
278 }
280 /** Return 1 if <b>addr</b> is permitted to connect to our dir port,
281 * based on <b>dir_policy</b>. Else return 0.
282 */
283 int
285 {
287 }
289 /** Return 1 if <b>addr</b> is permitted to connect to our socks port,
290 * based on <b>socks_policy</b>. Else return 0.
291 */
292 int
294 {
296 }
298 /** Return 1 if <b>addr</b>:<b>port</b> is permitted to publish to our
299 * directory, based on <b>authdir_reject_policy</b>. Else return 0.
300 */
301 int
303 {
305 }
307 /** Return 1 if <b>addr</b>:<b>port</b> is considered valid in our
308 * directory, based on <b>authdir_invalid_policy</b>. Else return 0.
309 */
310 int
312 {
314 }
316 /** Return 1 if <b>addr</b>:<b>port</b> should be marked as a bad dir,
317 * based on <b>authdir_baddir_policy</b>. Else return 0.
318 */
319 int
321 {
323 }
325 /** Return 1 if <b>addr</b>:<b>port</b> should be marked as a bad exit,
326 * based on <b>authdir_badexit_policy</b>. Else return 0.
327 */
328 int
330 {
332 }
334 #define REJECT(arg) \
335 STMT_BEGIN *msg = tor_strdup(arg); goto err; STMT_END
337 /** Config helper: If there's any problem with the policy configuration
338 * options in <b>options</b>, return -1 and set <b>msg</b> to a newly
339 * allocated description of the error. Else return 0. */
340 int
342 {
343 /* XXXX Maybe merge this into parse_policies_from_options, to make sure
344 * that the two can't go out of sync. */
353 /* The rest of these calls *append* to addr_policy. So don't actually
354 * use the results for anything other than checking if they parse! */
360 ADDR_POLICY_REJECT))
363 ADDR_POLICY_REJECT))
366 ADDR_POLICY_REJECT))
369 ADDR_POLICY_REJECT))
373 ADDR_POLICY_ACCEPT))
376 ADDR_POLICY_ACCEPT))
379 ADDR_POLICY_ACCEPT))
382 ADDR_POLICY_REJECT))
385 ADDR_POLICY_REJECT))
388 err:
391 #undef REJECT
392 }
394 /** Parse <b>string</b> in the same way that the exit policy
395 * is parsed, and put the processed version in *<b>policy</b>.
396 * Ignore port specifiers.
397 */
398 static int
401 {
408 }
411 /* ports aren't used in these. */
420 }
422 }
424 }
426 /** Set all policies based on <b>options</b>, which should have been validated
427 * first by validate_addr_policies. */
428 int
430 {
451 }
453 /** Compare two provided address policy items, and return -1, 0, or 1
454 * if the first is less than, equal to, or greater than the second. */
455 static int
457 {
472 }
474 /** Like cmp_single_addr_policy() above, but looks at the
475 * whole set of policies in each case. */
476 int
478 {
486 }
491 else
493 }
495 /** Node in hashtable used to store address policy entries. */
503 /** Return true iff a and b are equal. */
506 {
508 }
510 /** Return a hashcode for <b>ent</b> */
511 static unsigned int
513 {
518 else
527 }
530 policy_eq)
534 /** Given a pointer to an addr_policy_t, return a copy of the pointer to the
535 * "canonical" copy of that addr_policy_t; the canonical copy is a single
536 * reference-counted object. */
537 addr_policy_t *
539 {
552 }
557 }
559 /** As compare_to_addr_to_addr_policy, but instead of a tor_addr_t, takes
560 * in host order. */
561 addr_policy_result_t
563 {
564 /*XXXX deprecate this function when possible. */
565 tor_addr_t a;
568 }
570 /** Decide whether a given addr:port is definitely accepted,
571 * definitely rejected, probably accepted, or probably rejected by a
572 * given policy. If <b>addr</b> is 0, we don't know the IP of the
573 * target address. If <b>port</b> is 0, we don't know the port of the
574 * target address.
575 *
576 * For now, the algorithm is pretty simple: we look for definite and
577 * uncertain matches. The first definite match is what we guess; if
578 * it was preceded by no uncertain matches of the opposite policy,
579 * then the guess is definite; otherwise it is probable. (If we
580 * have a known addr and port, all matches are definite; if we have an
581 * unknown addr/port, any address/port ranges other than "all" are
582 * uncertain.)
583 *
584 * We could do better by assuming that some ranges never match typical
585 * addresses (127.0.0.1, and so on). But we'll try this for now.
586 */
587 addr_policy_result_t
590 {
605 /* Address is unknown. */
608 /* The port definitely matches. */
613 }
615 /* The port maybe matches. */
617 }
619 /* Address is known */
621 CMP_SEMANTIC)) {
623 /* Exact match for the policy */
627 }
628 }
629 }
633 else
635 }
638 /* If we already hit a clause that might trigger a 'reject', than we
639 * can't be sure of this certain 'accept'.*/
641 ADDR_POLICY_ACCEPTED;
644 ADDR_POLICY_REJECTED;
645 }
646 }
647 }
649 /* accept all by default. */
651 }
653 /** Return true iff the address policy <b>a</b> covers every case that
654 * would be covered by <b>b</b>, so that a,b is redundant. */
655 static int
657 {
658 /* We can ignore accept/reject, since "accept *:80, reject *:80" reduces
659 * to "accept *:80". */
661 /* a has more fixed bits than b; it can't possibly cover b. */
663 }
665 /* There's a fixed bit in a that's set differently in b. */
667 }
669 }
671 /** Return true iff the address policies <b>a</b> and <b>b</b> intersect,
672 * that is, there exists an address/port that is covered by <b>a</b> that
673 * is also covered by <b>b</b>.
674 */
675 static int
677 {
678 maskbits_t minbits;
679 /* All the bits we care about are those that are set in both
680 * netmasks. If they are equal in a and b's networkaddresses
681 * then the networks intersect. If there is a difference,
682 * then they do not. */
685 else
692 }
694 /** Add the exit policy described by <b>more</b> to <b>policy</b>.
695 */
696 static void
698 {
699 config_line_t tmp;
706 }
707 }
709 /** Detect and excise "dead code" from the policy *<b>dest</b>. */
710 static void
712 {
716 /* Step one: find a *:* entry and cut off everything after it. */
720 /* This is a catch-all line -- later lines are unreachable. */
725 }
727 }
728 }
730 /* Step two: for every entry, see if there's a redundant entry
731 * later on, and remove it. */
745 }
746 }
747 }
749 /* Step three: for every entry A, see if there's an entry B making this one
750 * redundant later on. This is the case if A and B are of the same type
751 * (accept/reject), A is a subset of B, and there is no other entry of
752 * different type in between those two that intersects with A.
753 *
754 * Anybody want to doublecheck the logic here? XXX
755 */
759 // tor_assert(j > i); // j starts out at i+1; j only increases; i only
760 // // decreases.
775 }
776 }
777 }
778 }
779 }
781 #define DEFAULT_EXIT_POLICY \
784 "reject *:6346-6429,reject *:6699,reject *:6881-6999,accept *:*"
786 /** Parse the exit policy <b>cfg</b> into the linked list *<b>dest</b>. If
787 * cfg doesn't end in an absolute accept or reject, add the default exit
788 * policy afterwards. If <b>rejectprivate</b> is true, prepend
789 * "reject private:*" to the policy. Return -1 if we can't parse cfg,
790 * else return 0.
791 */
792 int
795 {
802 }
803 }
811 }
813 /** Replace the exit policy of <b>r</b> with reject *:*. */
814 void
816 {
822 }
824 /** Return true iff <b>ri</b> is "useful as an exit node", meaning
825 * it allows exit to at least one /8 address space for at least
826 * two of ports 80, 443, and 6667. */
827 int
829 {
844 /* We have a match that is at least a /8. */
848 }
849 });
850 }
852 }
854 /** Return false if <b>policy</b> might permit access to some addr:port;
855 * otherwise if we are certain it rejects everything, return true. */
856 int
858 {
868 });
870 }
872 /** Write a single address policy to the buf_len byte buffer at buf. Return
873 * the number of characters written, or -1 on failure. */
874 int
877 {
887 /* write accept/reject 1.2.3.4 */
892 else
899 addrpart);
903 /* If the maskbits is 32 we don't need to give it. If the mask is 0,
904 * we already wrote "*". */
909 }
911 /* There is no port set; write ":*" */
917 /* There is only one port; write ":80". */
923 /* There is a range of ports; write ":79-80". */
929 }
932 else
936 }
938 /** Create a new exit policy summary, initially only with a single
939 * port 1-64k item */
940 /* XXXX This entire thing will do most stuff in O(N^2), or worse. Use an
941 * RB-tree if that turns out to matter. */
944 {
958 }
960 /** Split the summary item in <b>item</b> at the port <b>new_starts</b>.
961 * The current item is changed to end at new-starts - 1, the new item
962 * copies reject_count and accepted from the old item,
963 * starts at new_starts and ends at the port where the original item
964 * previously ended.
965 */
968 {
982 }
984 /* XXXX Nick says I'm going to hell for this. If he feels charitably towards
985 * my immortal soul, he can clean it up himself. */
986 #define AT(x) ((policy_summary_item_t*)smartlist_get(summary, x))
988 #define REJECT_CUTOFF_COUNT (1<<25)
989 /** Split an exit policy summary so that prt_min and prt_max
990 * fall at exactly the start and end of an item respectively.
991 */
992 static int
995 {
999 /* XXXX Do a binary search if run time matters */
1001 i++;
1006 i++;
1007 }
1011 i++;
1016 }
1019 }
1021 /** Mark port ranges as accepted if they are below the reject_count */
1022 static void
1025 {
1032 i++;
1033 }
1035 }
1037 /** Count the number of addresses in a network with prefixlen maskbits
1038 * against the given portrange. */
1039 static void
1041 maskbits_t maskbits,
1043 {
1045 /* XXX: ipv4 specific */
1050 i++;
1051 }
1053 }
1055 /** Add a single exit policy item to our summary:
1056 * If it is an accept ignore it unless it is for all IP addresses
1057 * ("*"), i.e. it's prefixlen/maskbits is 0, else call
1058 * policy_summary_accept().
1059 * If it's a reject ignore it if it is about one of the private
1060 * networks, else call policy_summary_reject().
1061 */
1062 static void
1064 {
1068 }
1074 tor_addr_t addr;
1075 maskbits_t maskbits;
1079 }
1084 }
1085 }
1089 }
1092 }
1094 /** Create a string representing a summary for an exit policy.
1095 * The summary will either be an "accept" plus a comma-seperated list of port
1096 * ranges or a "reject" plus portranges, depending on which is shorter.
1097 *
1098 * If no exits are allowed at all then NULL is returned, if no ports
1099 * are blocked instead of "reject " we return "accept 1-65535" (this
1100 * is an exception to the shorter-representation-wins rule).
1101 */
1104 {
1114 /* Create the summary list */
1117 });
1119 /* Now create two lists of strings, one for accepted and one
1120 * for rejected ports. We take care to merge ranges so that
1121 * we avoid getting stuff like "1-4,5-9,10", instead we want
1122 * "1-10"
1123 */
1136 else
1141 else
1148 };
1149 i++;
1150 };
1152 /* Figure out which of the two stringlists will be shorter and use
1153 * that to build the result
1154 */
1158 }
1162 }
1175 c--;
1189 }
1196 cleanup:
1197 /* cleanup */
1210 }
1212 /** Implementation for GETINFO control command: knows the answer for questions
1213 * about "exit-policy/..." */
1214 int
1217 {
1221 }
1223 }
1225 /** Release all storage held by <b>p</b>. */
1226 void
1228 {
1232 }
1234 /** Release all storage held by <b>p</b>. */
1235 void
1237 {
1247 }
1248 }
1250 }
1251 }
1252 }
1254 /** Release all storage held by policy variables. */
1255 void
1257 {
1278 }