| blob | a852ce192b5c854d6a00576994852348056ec87a |
1 /* Copyright (c) 2001-2004, Roger Dingledine.
2 * Copyright (c) 2004-2006, Roger Dingledine, Nick Mathewson.
3 * Copyright (c) 2007-2009, The Tor Project, Inc. */
4 /* See LICENSE for licensing information */
6 /**
7 * \file policies.c
8 * \brief Code to parse and use address policies and exit policies.
9 **/
14 /** Policy that addresses for incoming SOCKS connections must match. */
16 /** Policy that addresses for incoming directory connections must match. */
18 /** Policy that addresses for incoming router descriptors must match in order
19 * to be published by us. */
21 /** Policy that addresses for incoming router descriptors must match in order
22 * to be marked as valid in our networkstatus. */
24 /** Policy that addresses for incoming router descriptors must <b>not</b>
25 * match in order to not be marked as BadDirectory. */
27 /** Policy that addresses for incoming router descriptors must <b>not</b>
28 * match in order to not be marked as BadExit. */
31 /** Parsed addr_policy_t describing which addresses we believe we can start
32 * circuits at. */
34 /** Parsed addr_policy_t describing which addresses we believe we can connect
35 * to directories at. */
38 /** Element of an exit policy summary */
43 this port range. */
47 /** Private networks. This list is used in two places, once to expand the
48 * "private" keyword when parsing our own exit policy, secondly to ignore
49 * just such networks when building exit policy summaries. It is important
50 * that all authorities agree on that list when creating summaries, so don't
51 * just change this without a proper migration plan and a proposal and stuff.
52 */
56 // "fc00::/7", "fe80::/10", "fec0::/10", "::/127",
57 NULL };
59 /** Replace all "private" entries in *<b>policy</b> with their expanded
60 * equivalents. */
61 void
63 {
75 {
79 }
81 addr_policy_t policy;
88 }
90 }
92 });
96 }
98 /**
99 * Given a linked list of config lines containing "allow" and "deny"
100 * tokens, parse them and append the result to <b>dest</b>. Return -1
101 * if any tokens are malformed (and don't append any), else return 0.
102 *
103 * If <b>assume_action</b> is nonnegative, then insert its action
104 * (ADDR_POLICY_ACCEPT or ADDR_POLICY_REJECT) for items that specify no
105 * action.
106 */
107 static int
110 {
125 {
133 }
134 });
137 }
149 }
150 }
153 }
155 /** Helper: parse the Reachable(Dir|OR)?Addresses fields into
156 * reachable_(or|dir)_addr_policy. The options should already have
157 * been validated by validate_addr_policies.
158 */
159 static int
161 {
169 "Both ReachableDirAddresses and ReachableORAddresses are set. "
171 }
185 }
200 }
202 }
204 /** Return true iff the firewall options might block any address:port
205 * combination.
206 */
207 int
209 {
211 }
213 /** Return true iff <b>policy</b> (possibly NULL) will allow a
214 * connection to <b>addr</b>:<b>port</b>.
215 */
216 static int
219 {
220 addr_policy_result_t p;
232 }
233 }
235 /** Return true iff <b> policy</b> (possibly NULL) will allow a connection to
236 * <b>addr</b>:<b>port</b>. <b>addr</b> is an IPv4 address given in host
237 * order. */
238 /* XXXX deprecate when possible. */
239 static int
242 {
243 tor_addr_t a;
246 }
248 /** Return true iff we think our firewall will let us make an OR connection to
249 * addr:port. */
250 int
252 {
254 reachable_or_addr_policy);
255 }
257 /** Return true iff we think our firewall will let us make an OR connection to
258 * <b>ri</b>. */
259 int
261 {
262 /* XXXX proposal 118 */
263 tor_addr_t addr;
266 }
268 /** Return true iff we think our firewall will let us make a directory
269 * connection to addr:port. */
270 int
272 {
274 reachable_dir_addr_policy);
275 }
277 /** Return 1 if <b>addr</b> is permitted to connect to our dir port,
278 * based on <b>dir_policy</b>. Else return 0.
279 */
280 int
282 {
284 }
286 /** Return 1 if <b>addr</b> is permitted to connect to our socks port,
287 * based on <b>socks_policy</b>. Else return 0.
288 */
289 int
291 {
293 }
295 /** Return 1 if <b>addr</b>:<b>port</b> is permitted to publish to our
296 * directory, based on <b>authdir_reject_policy</b>. Else return 0.
297 */
298 int
300 {
302 }
304 /** Return 1 if <b>addr</b>:<b>port</b> is considered valid in our
305 * directory, based on <b>authdir_invalid_policy</b>. Else return 0.
306 */
307 int
309 {
311 }
313 /** Return 1 if <b>addr</b>:<b>port</b> should be marked as a bad dir,
314 * based on <b>authdir_baddir_policy</b>. Else return 0.
315 */
316 int
318 {
320 }
322 /** Return 1 if <b>addr</b>:<b>port</b> should be marked as a bad exit,
323 * based on <b>authdir_badexit_policy</b>. Else return 0.
324 */
325 int
327 {
329 }
331 #define REJECT(arg) \
332 STMT_BEGIN *msg = tor_strdup(arg); goto err; STMT_END
334 /** Config helper: If there's any problem with the policy configuration
335 * options in <b>options</b>, return -1 and set <b>msg</b> to a newly
336 * allocated description of the error. Else return 0. */
337 int
339 {
340 /* XXXX Maybe merge this into parse_policies_from_options, to make sure
341 * that the two can't go out of sync. */
351 /* The rest of these calls *append* to addr_policy. So don't actually
352 * use the results for anything other than checking if they parse! */
358 ADDR_POLICY_REJECT))
361 ADDR_POLICY_REJECT))
364 ADDR_POLICY_REJECT))
367 ADDR_POLICY_REJECT))
371 ADDR_POLICY_ACCEPT))
374 ADDR_POLICY_ACCEPT))
377 ADDR_POLICY_ACCEPT))
380 ADDR_POLICY_REJECT))
383 ADDR_POLICY_REJECT))
386 err:
389 #undef REJECT
390 }
392 /** Parse <b>string</b> in the same way that the exit policy
393 * is parsed, and put the processed version in *<b>policy</b>.
394 * Ignore port specifiers.
395 */
396 static int
399 {
406 }
409 /* ports aren't used in these. */
419 }
421 }
423 }
425 /** Set all policies based on <b>options</b>, which should have been validated
426 * first by validate_addr_policies. */
427 int
429 {
450 }
452 /** Compare two provided address policy items, and return -1, 0, or 1
453 * if the first is less than, equal to, or greater than the second. */
454 static int
456 {
471 }
473 /** Like cmp_single_addr_policy() above, but looks at the
474 * whole set of policies in each case. */
475 int
477 {
485 }
490 else
492 }
494 /** Node in hashtable used to store address policy entries. */
502 /** Return true iff a and b are equal. */
505 {
507 }
509 /** Return a hashcode for <b>ent</b> */
510 static unsigned int
512 {
517 else
526 }
529 policy_eq)
533 /** Given a pointer to an addr_policy_t, return a copy of the pointer to the
534 * "canonical" copy of that addr_policy_t; the canonical copy is a single
535 * reference-counted object. */
536 addr_policy_t *
538 {
551 }
556 }
558 /** As compare_tor_addr_to_addr_policy, but instead of a tor_addr_t, takes
559 * in host order. */
560 addr_policy_result_t
563 {
564 /*XXXX deprecate this function when possible. */
565 tor_addr_t a;
568 }
570 /** Helper for compare_tor_addr_to_addr_policy. Implements the case where
571 * addr and port are both known. */
572 static addr_policy_result_t
575 {
576 /* We know the address and port, and we know the policy, so we can just
577 * compute an exact match. */
579 /* Address is known */
581 CMP_EXACT)) {
583 /* Exact match for the policy */
586 }
587 }
590 /* accept all by default. */
592 }
594 /** Helper for compare_tor_addr_to_addr_policy. Implements the case where
595 * addr is known but port is not. */
596 static addr_policy_result_t
599 {
600 /* We look to see if there's a definite match. If so, we return that
601 match's value, unless there's an intervening possible match that says
602 something different. */
607 CMP_EXACT)) {
609 /* Definitely matches, since it covers all ports. */
611 /* If we already hit a clause that might trigger a 'reject', than we
612 * can't be sure of this certain 'accept'.*/
614 ADDR_POLICY_ACCEPTED;
617 ADDR_POLICY_REJECTED;
618 }
620 /* Might match. */
623 else
625 }
626 }
629 /* accept all by default. */
631 }
633 /** Helper for compare_tor_addr_to_addr_policy. Implements the case where
634 * port is known but address is not. */
635 static addr_policy_result_t
638 {
639 /* We look to see if there's a definite match. If so, we return that
640 match's value, unless there's an intervening possible match that says
641 something different. */
647 /* Definitely matches, since it covers all addresses. */
649 /* If we already hit a clause that might trigger a 'reject', than we
650 * can't be sure of this certain 'accept'.*/
652 ADDR_POLICY_ACCEPTED;
655 ADDR_POLICY_REJECTED;
656 }
658 /* Might match. */
661 else
663 }
664 }
667 /* accept all by default. */
669 }
671 /** Decide whether a given addr:port is definitely accepted,
672 * definitely rejected, probably accepted, or probably rejected by a
673 * given policy. If <b>addr</b> is 0, we don't know the IP of the
674 * target address. If <b>port</b> is 0, we don't know the port of the
675 * target address. (At least one of <b>addr</b> and <b>port</b> must be
676 * provided. If you want to know whether a policy would definitely reject
677 * an unknown address:port, use policy_is_reject_star().)
678 *
679 * We could do better by assuming that some ranges never match typical
680 * addresses (127.0.0.1, and so on). But we'll try this for now.
681 */
682 addr_policy_result_t
685 {
687 /* no policy? accept all. */
696 }
697 }
699 /** Return true iff the address policy <b>a</b> covers every case that
700 * would be covered by <b>b</b>, so that a,b is redundant. */
701 static int
703 {
704 /* We can ignore accept/reject, since "accept *:80, reject *:80" reduces
705 * to "accept *:80". */
707 /* a has more fixed bits than b; it can't possibly cover b. */
709 }
711 /* There's a fixed bit in a that's set differently in b. */
713 }
715 }
717 /** Return true iff the address policies <b>a</b> and <b>b</b> intersect,
718 * that is, there exists an address/port that is covered by <b>a</b> that
719 * is also covered by <b>b</b>.
720 */
721 static int
723 {
724 maskbits_t minbits;
725 /* All the bits we care about are those that are set in both
726 * netmasks. If they are equal in a and b's networkaddresses
727 * then the networks intersect. If there is a difference,
728 * then they do not. */
731 else
738 }
740 /** Add the exit policy described by <b>more</b> to <b>policy</b>.
741 */
742 static void
744 {
745 config_line_t tmp;
752 }
753 }
755 /** Detect and excise "dead code" from the policy *<b>dest</b>. */
756 static void
758 {
762 /* Step one: find a *:* entry and cut off everything after it. */
766 /* This is a catch-all line -- later lines are unreachable. */
771 }
773 }
774 }
776 /* Step two: for every entry, see if there's a redundant entry
777 * later on, and remove it. */
791 }
792 }
793 }
795 /* Step three: for every entry A, see if there's an entry B making this one
796 * redundant later on. This is the case if A and B are of the same type
797 * (accept/reject), A is a subset of B, and there is no other entry of
798 * different type in between those two that intersects with A.
799 *
800 * Anybody want to double-check the logic here? XXX
801 */
805 // tor_assert(j > i); // j starts out at i+1; j only increases; i only
806 // // decreases.
821 }
822 }
823 }
824 }
825 }
827 #define DEFAULT_EXIT_POLICY \
830 "reject *:6346-6429,reject *:6699,reject *:6881-6999,accept *:*"
832 /** Parse the exit policy <b>cfg</b> into the linked list *<b>dest</b>. If
833 * cfg doesn't end in an absolute accept or reject and if
834 * <b>add_default_policy</b> is true, add the default exit
835 * policy afterwards. If <b>rejectprivate</b> is true, prepend
836 * "reject private:*" to the policy. Return -1 if we can't parse cfg,
837 * else return 0.
838 */
839 int
843 {
850 }
851 }
856 else
861 }
863 /** Replace the exit policy of <b>r</b> with reject *:*. */
864 void
866 {
872 }
874 /** Return true iff <b>ri</b> is "useful as an exit node", meaning
875 * it allows exit to at least one /8 address space for at least
876 * two of ports 80, 443, and 6667. */
877 int
879 {
894 /* We have a match that is at least a /8. */
898 }
899 });
900 }
902 }
904 /** Return false if <b>policy</b> might permit access to some addr:port;
905 * otherwise if we are certain it rejects everything, return true. */
906 int
908 {
918 });
920 }
922 /** Write a single address policy to the buf_len byte buffer at buf. Return
923 * the number of characters written, or -1 on failure. */
924 int
927 {
937 /* write accept/reject 1.2.3.4 */
942 else
949 addrpart);
953 /* If the maskbits is 32 we don't need to give it. If the mask is 0,
954 * we already wrote "*". */
959 }
961 /* There is no port set; write ":*" */
967 /* There is only one port; write ":80". */
973 /* There is a range of ports; write ":79-80". */
979 }
982 else
986 }
988 /** Create a new exit policy summary, initially only with a single
989 * port 1-64k item */
990 /* XXXX This entire thing will do most stuff in O(N^2), or worse. Use an
991 * RB-tree if that turns out to matter. */
994 {
1008 }
1010 /** Split the summary item in <b>item</b> at the port <b>new_starts</b>.
1011 * The current item is changed to end at new-starts - 1, the new item
1012 * copies reject_count and accepted from the old item,
1013 * starts at new_starts and ends at the port where the original item
1014 * previously ended.
1015 */
1018 {
1032 }
1034 /* XXXX Nick says I'm going to hell for this. If he feels charitably towards
1035 * my immortal soul, he can clean it up himself. */
1036 #define AT(x) ((policy_summary_item_t*)smartlist_get(summary, x))
1038 #define REJECT_CUTOFF_COUNT (1<<25)
1039 /** Split an exit policy summary so that prt_min and prt_max
1040 * fall at exactly the start and end of an item respectively.
1041 */
1042 static int
1045 {
1049 /* XXXX Do a binary search if run time matters */
1051 i++;
1056 i++;
1057 }
1061 i++;
1066 }
1069 }
1071 /** Mark port ranges as accepted if they are below the reject_count */
1072 static void
1075 {
1082 i++;
1083 }
1085 }
1087 /** Count the number of addresses in a network with prefixlen maskbits
1088 * against the given portrange. */
1089 static void
1091 maskbits_t maskbits,
1093 {
1095 /* XXX: ipv4 specific */
1100 i++;
1101 }
1103 }
1105 /** Add a single exit policy item to our summary:
1106 * If it is an accept ignore it unless it is for all IP addresses
1107 * ("*"), i.e. it's prefixlen/maskbits is 0, else call
1108 * policy_summary_accept().
1109 * If it's a reject ignore it if it is about one of the private
1110 * networks, else call policy_summary_reject().
1111 */
1112 static void
1114 {
1118 }
1124 tor_addr_t addr;
1125 maskbits_t maskbits;
1129 }
1134 }
1135 }
1139 }
1142 }
1144 /** Create a string representing a summary for an exit policy.
1145 * The summary will either be an "accept" plus a comma-separated list of port
1146 * ranges or a "reject" plus port-ranges, depending on which is shorter.
1147 *
1148 * If no exits are allowed at all then NULL is returned, if no ports
1149 * are blocked instead of "reject " we return "accept 1-65535" (this
1150 * is an exception to the shorter-representation-wins rule).
1151 */
1154 {
1164 /* Create the summary list */
1167 });
1169 /* Now create two lists of strings, one for accepted and one
1170 * for rejected ports. We take care to merge ranges so that
1171 * we avoid getting stuff like "1-4,5-9,10", instead we want
1172 * "1-10"
1173 */
1186 else
1191 else
1198 };
1199 i++;
1200 };
1202 /* Figure out which of the two stringlists will be shorter and use
1203 * that to build the result
1204 */
1208 }
1212 }
1225 c--;
1239 }
1246 cleanup:
1247 /* cleanup */
1260 }
1262 /** Implementation for GETINFO control command: knows the answer for questions
1263 * about "exit-policy/..." */
1264 int
1267 {
1271 }
1273 }
1275 /** Release all storage held by <b>p</b>. */
1276 void
1278 {
1283 }
1285 /** Release all storage held by <b>p</b>. */
1286 void
1288 {
1300 }
1301 }
1303 }
1304 }
1306 /** Release all storage held by policy variables. */
1307 void
1309 {
1335 /* Note the first 10 cached policies to try to figure out where they
1336 * might be coming from. */
1342 }
1343 }
1345 }