1 /* Copyright (c) 2001-2004, Roger Dingledine.
2 * Copyright (c) 2004-2006, Roger Dingledine, Nick Mathewson.
3 * Copyright (c) 2007-2009, The Tor Project, Inc. */
4 /* See LICENSE for licensing information */
8 * \brief Code to parse and use address policies and exit policies.
14 /** Policy that addresses for incoming SOCKS connections must match. */
15 static smartlist_t
*socks_policy
= NULL
;
16 /** Policy that addresses for incoming directory connections must match. */
17 static smartlist_t
*dir_policy
= NULL
;
18 /** Policy that addresses for incoming router descriptors must match in order
19 * to be published by us. */
20 static smartlist_t
*authdir_reject_policy
= NULL
;
21 /** Policy that addresses for incoming router descriptors must match in order
22 * to be marked as valid in our networkstatus. */
23 static smartlist_t
*authdir_invalid_policy
= NULL
;
24 /** Policy that addresses for incoming router descriptors must <b>not</b>
25 * match in order to not be marked as BadDirectory. */
26 static smartlist_t
*authdir_baddir_policy
= NULL
;
27 /** Policy that addresses for incoming router descriptors must <b>not</b>
28 * match in order to not be marked as BadExit. */
29 static smartlist_t
*authdir_badexit_policy
= NULL
;
31 /** Parsed addr_policy_t describing which addresses we believe we can start
33 static smartlist_t
*reachable_or_addr_policy
= NULL
;
34 /** Parsed addr_policy_t describing which addresses we believe we can connect
35 * to directories at. */
36 static smartlist_t
*reachable_dir_addr_policy
= NULL
;
38 /** Element of an exit policy summary */
39 typedef struct policy_summary_item_t
{
40 uint16_t prt_min
; /**< Lowest port number to accept/reject. */
41 uint16_t prt_max
; /**< Highest port number to accept/reject. */
42 uint64_t reject_count
; /**< Number of IP-Addresses that are rejected to
44 int accepted
:1; /** Has this port already been accepted */
45 } policy_summary_item_t
;
47 /** Private networks. This list is used in two places, once to expand the
48 * "private" keyword when parsing our own exit policy, secondly to ignore
49 * just such networks when building exit policy summaries. It is important
50 * that all authorities agree on that list when creating summaries, so don't
51 * just change this without a proper migration plan and a proposal and stuff.
53 static const char *private_nets
[] = {
54 "0.0.0.0/8", "169.254.0.0/16",
55 "127.0.0.0/8", "192.168.0.0/16", "10.0.0.0/8", "172.16.0.0/12",
56 // "fc00::/7", "fe80::/10", "fec0::/10", "::/127",
59 /** Replace all "private" entries in *<b>policy</b> with their expanded
62 policy_expand_private(smartlist_t
**policy
)
64 uint16_t port_min
, port_max
;
69 if (!*policy
) /*XXXX disallow NULL policies? */
72 tmp
= smartlist_create();
74 SMARTLIST_FOREACH(*policy
, addr_policy_t
*, p
,
76 if (! p
->is_private
) {
77 smartlist_add(tmp
, p
);
80 for (i
= 0; private_nets
[i
]; ++i
) {
82 memcpy(&policy
, p
, sizeof(addr_policy_t
));
83 policy
.is_private
= 0;
84 policy
.is_canonical
= 0;
85 if (tor_addr_parse_mask_ports(private_nets
[i
], &policy
.addr
,
86 &policy
.maskbits
, &port_min
, &port_max
)<0) {
89 smartlist_add(tmp
, addr_policy_get_canonical_entry(&policy
));
94 smartlist_free(*policy
);
99 * Given a linked list of config lines containing "allow" and "deny"
100 * tokens, parse them and append the result to <b>dest</b>. Return -1
101 * if any tokens are malformed (and don't append any), else return 0.
103 * If <b>assume_action</b> is nonnegative, then insert its action
104 * (ADDR_POLICY_ACCEPT or ADDR_POLICY_REJECT) for items that specify no
108 parse_addr_policy(config_line_t
*cfg
, smartlist_t
**dest
,
112 smartlist_t
*entries
;
119 result
= smartlist_create();
120 entries
= smartlist_create();
121 for (; cfg
; cfg
= cfg
->next
) {
122 smartlist_split_string(entries
, cfg
->value
, ",",
123 SPLIT_SKIP_SPACE
|SPLIT_IGNORE_BLANK
, 0);
124 SMARTLIST_FOREACH(entries
, const char *, ent
,
126 log_debug(LD_CONFIG
,"Adding new entry '%s'",ent
);
127 item
= router_parse_addr_policy_item_from_string(ent
, assume_action
);
129 smartlist_add(result
, item
);
131 log_warn(LD_CONFIG
,"Malformed policy '%s'.", ent
);
135 SMARTLIST_FOREACH(entries
, char *, ent
, tor_free(ent
));
136 smartlist_clear(entries
);
138 smartlist_free(entries
);
140 addr_policy_list_free(result
);
142 policy_expand_private(&result
);
145 smartlist_add_all(*dest
, result
);
146 smartlist_free(result
);
155 /** Helper: parse the Reachable(Dir|OR)?Addresses fields into
156 * reachable_(or|dir)_addr_policy. The options should already have
157 * been validated by validate_addr_policies.
160 parse_reachable_addresses(void)
162 or_options_t
*options
= get_options();
165 if (options
->ReachableDirAddresses
&&
166 options
->ReachableORAddresses
&&
167 options
->ReachableAddresses
) {
169 "Both ReachableDirAddresses and ReachableORAddresses are set. "
170 "ReachableAddresses setting will be ignored.");
172 addr_policy_list_free(reachable_or_addr_policy
);
173 reachable_or_addr_policy
= NULL
;
174 if (!options
->ReachableORAddresses
&& options
->ReachableAddresses
)
176 "Using ReachableAddresses as ReachableORAddresses.");
177 if (parse_addr_policy(options
->ReachableORAddresses
?
178 options
->ReachableORAddresses
:
179 options
->ReachableAddresses
,
180 &reachable_or_addr_policy
, ADDR_POLICY_ACCEPT
)) {
182 "Error parsing Reachable%sAddresses entry; ignoring.",
183 options
->ReachableORAddresses
? "OR" : "");
187 addr_policy_list_free(reachable_dir_addr_policy
);
188 reachable_dir_addr_policy
= NULL
;
189 if (!options
->ReachableDirAddresses
&& options
->ReachableAddresses
)
191 "Using ReachableAddresses as ReachableDirAddresses");
192 if (parse_addr_policy(options
->ReachableDirAddresses
?
193 options
->ReachableDirAddresses
:
194 options
->ReachableAddresses
,
195 &reachable_dir_addr_policy
, ADDR_POLICY_ACCEPT
)) {
196 if (options
->ReachableDirAddresses
)
198 "Error parsing ReachableDirAddresses entry; ignoring.");
204 /** Return true iff the firewall options might block any address:port
208 firewall_is_fascist_or(void)
210 return reachable_or_addr_policy
!= NULL
;
213 /** Return true iff <b>policy</b> (possibly NULL) will allow a
214 * connection to <b>addr</b>:<b>port</b>.
217 addr_policy_permits_tor_addr(const tor_addr_t
*addr
, uint16_t port
,
220 addr_policy_result_t p
;
221 p
= compare_tor_addr_to_addr_policy(addr
, port
, policy
);
223 case ADDR_POLICY_PROBABLY_ACCEPTED
:
224 case ADDR_POLICY_ACCEPTED
:
226 case ADDR_POLICY_PROBABLY_REJECTED
:
227 case ADDR_POLICY_REJECTED
:
230 log_warn(LD_BUG
, "Unexpected result: %d", (int)p
);
235 /** Return true iff <b> policy</b> (possibly NULL) will allow a connection to
236 * <b>addr</b>:<b>port</b>. <b>addr</b> is an IPv4 address given in host
238 /* XXXX deprecate when possible. */
240 addr_policy_permits_address(uint32_t addr
, uint16_t port
,
244 tor_addr_from_ipv4h(&a
, addr
);
245 return addr_policy_permits_tor_addr(&a
, port
, policy
);
248 /** Return true iff we think our firewall will let us make an OR connection to
251 fascist_firewall_allows_address_or(const tor_addr_t
*addr
, uint16_t port
)
253 return addr_policy_permits_tor_addr(addr
, port
,
254 reachable_or_addr_policy
);
257 /** Return true iff we think our firewall will let us make an OR connection to
260 fascist_firewall_allows_or(routerinfo_t
*ri
)
262 /* XXXX proposal 118 */
264 tor_addr_from_ipv4h(&addr
, ri
->addr
);
265 return fascist_firewall_allows_address_or(&addr
, ri
->or_port
);
268 /** Return true iff we think our firewall will let us make a directory
269 * connection to addr:port. */
271 fascist_firewall_allows_address_dir(const tor_addr_t
*addr
, uint16_t port
)
273 return addr_policy_permits_tor_addr(addr
, port
,
274 reachable_dir_addr_policy
);
277 /** Return 1 if <b>addr</b> is permitted to connect to our dir port,
278 * based on <b>dir_policy</b>. Else return 0.
281 dir_policy_permits_address(const tor_addr_t
*addr
)
283 return addr_policy_permits_tor_addr(addr
, 1, dir_policy
);
286 /** Return 1 if <b>addr</b> is permitted to connect to our socks port,
287 * based on <b>socks_policy</b>. Else return 0.
290 socks_policy_permits_address(const tor_addr_t
*addr
)
292 return addr_policy_permits_tor_addr(addr
, 1, socks_policy
);
295 /** Return 1 if <b>addr</b>:<b>port</b> is permitted to publish to our
296 * directory, based on <b>authdir_reject_policy</b>. Else return 0.
299 authdir_policy_permits_address(uint32_t addr
, uint16_t port
)
301 return addr_policy_permits_address(addr
, port
, authdir_reject_policy
);
304 /** Return 1 if <b>addr</b>:<b>port</b> is considered valid in our
305 * directory, based on <b>authdir_invalid_policy</b>. Else return 0.
308 authdir_policy_valid_address(uint32_t addr
, uint16_t port
)
310 return addr_policy_permits_address(addr
, port
, authdir_invalid_policy
);
313 /** Return 1 if <b>addr</b>:<b>port</b> should be marked as a bad dir,
314 * based on <b>authdir_baddir_policy</b>. Else return 0.
317 authdir_policy_baddir_address(uint32_t addr
, uint16_t port
)
319 return ! addr_policy_permits_address(addr
, port
, authdir_baddir_policy
);
322 /** Return 1 if <b>addr</b>:<b>port</b> should be marked as a bad exit,
323 * based on <b>authdir_badexit_policy</b>. Else return 0.
326 authdir_policy_badexit_address(uint32_t addr
, uint16_t port
)
328 return ! addr_policy_permits_address(addr
, port
, authdir_badexit_policy
);
331 #define REJECT(arg) \
332 STMT_BEGIN *msg = tor_strdup(arg); goto err; STMT_END
334 /** Config helper: If there's any problem with the policy configuration
335 * options in <b>options</b>, return -1 and set <b>msg</b> to a newly
336 * allocated description of the error. Else return 0. */
338 validate_addr_policies(or_options_t
*options
, char **msg
)
340 /* XXXX Maybe merge this into parse_policies_from_options, to make sure
341 * that the two can't go out of sync. */
343 smartlist_t
*addr_policy
=NULL
;
346 if (policies_parse_exit_policy(options
->ExitPolicy
, &addr_policy
,
347 options
->ExitPolicyRejectPrivate
, NULL
,
348 !options
->BridgeRelay
))
349 REJECT("Error in ExitPolicy entry.");
351 /* The rest of these calls *append* to addr_policy. So don't actually
352 * use the results for anything other than checking if they parse! */
353 if (parse_addr_policy(options
->DirPolicy
, &addr_policy
, -1))
354 REJECT("Error in DirPolicy entry.");
355 if (parse_addr_policy(options
->SocksPolicy
, &addr_policy
, -1))
356 REJECT("Error in SocksPolicy entry.");
357 if (parse_addr_policy(options
->AuthDirReject
, &addr_policy
,
359 REJECT("Error in AuthDirReject entry.");
360 if (parse_addr_policy(options
->AuthDirInvalid
, &addr_policy
,
362 REJECT("Error in AuthDirInvalid entry.");
363 if (parse_addr_policy(options
->AuthDirBadDir
, &addr_policy
,
365 REJECT("Error in AuthDirBadDir entry.");
366 if (parse_addr_policy(options
->AuthDirBadExit
, &addr_policy
,
368 REJECT("Error in AuthDirBadExit entry.");
370 if (parse_addr_policy(options
->ReachableAddresses
, &addr_policy
,
372 REJECT("Error in ReachableAddresses entry.");
373 if (parse_addr_policy(options
->ReachableORAddresses
, &addr_policy
,
375 REJECT("Error in ReachableORAddresses entry.");
376 if (parse_addr_policy(options
->ReachableDirAddresses
, &addr_policy
,
378 REJECT("Error in ReachableDirAddresses entry.");
379 if (parse_addr_policy(options
->AuthDirReject
, &addr_policy
,
381 REJECT("Error in AuthDirReject entry.");
382 if (parse_addr_policy(options
->AuthDirInvalid
, &addr_policy
,
384 REJECT("Error in AuthDirInvalid entry.");
387 addr_policy_list_free(addr_policy
);
388 return *msg
? -1 : 0;
392 /** Parse <b>string</b> in the same way that the exit policy
393 * is parsed, and put the processed version in *<b>policy</b>.
394 * Ignore port specifiers.
397 load_policy_from_option(config_line_t
*config
, smartlist_t
**policy
,
401 addr_policy_list_free(*policy
);
403 r
= parse_addr_policy(config
, policy
, assume_action
);
408 SMARTLIST_FOREACH_BEGIN(*policy
, addr_policy_t
*, n
) {
409 /* ports aren't used in these. */
410 if (n
->prt_min
> 1 || n
->prt_max
!= 65535) {
411 addr_policy_t newp
, *c
;
412 memcpy(&newp
, n
, sizeof(newp
));
414 newp
.prt_max
= 65535;
415 newp
.is_canonical
= 0;
416 c
= addr_policy_get_canonical_entry(&newp
);
417 SMARTLIST_REPLACE_CURRENT(*policy
, n
, c
);
420 } SMARTLIST_FOREACH_END(n
);
425 /** Set all policies based on <b>options</b>, which should have been validated
426 * first by validate_addr_policies. */
428 policies_parse_from_options(or_options_t
*options
)
431 if (load_policy_from_option(options
->SocksPolicy
, &socks_policy
, -1) < 0)
433 if (load_policy_from_option(options
->DirPolicy
, &dir_policy
, -1) < 0)
435 if (load_policy_from_option(options
->AuthDirReject
,
436 &authdir_reject_policy
, ADDR_POLICY_REJECT
) < 0)
438 if (load_policy_from_option(options
->AuthDirInvalid
,
439 &authdir_invalid_policy
, ADDR_POLICY_REJECT
) < 0)
441 if (load_policy_from_option(options
->AuthDirBadDir
,
442 &authdir_baddir_policy
, ADDR_POLICY_REJECT
) < 0)
444 if (load_policy_from_option(options
->AuthDirBadExit
,
445 &authdir_badexit_policy
, ADDR_POLICY_REJECT
) < 0)
447 if (parse_reachable_addresses() < 0)
452 /** Compare two provided address policy items, and return -1, 0, or 1
453 * if the first is less than, equal to, or greater than the second. */
455 cmp_single_addr_policy(addr_policy_t
*a
, addr_policy_t
*b
)
458 if ((r
=((int)a
->policy_type
- (int)b
->policy_type
)))
460 if ((r
=((int)a
->is_private
- (int)b
->is_private
)))
462 if ((r
=tor_addr_compare(&a
->addr
, &b
->addr
, CMP_EXACT
)))
464 if ((r
=((int)a
->maskbits
- (int)b
->maskbits
)))
466 if ((r
=((int)a
->prt_min
- (int)b
->prt_min
)))
468 if ((r
=((int)a
->prt_max
- (int)b
->prt_max
)))
473 /** Like cmp_single_addr_policy() above, but looks at the
474 * whole set of policies in each case. */
476 cmp_addr_policies(smartlist_t
*a
, smartlist_t
*b
)
479 int len_a
= a
? smartlist_len(a
) : 0;
480 int len_b
= b
? smartlist_len(b
) : 0;
482 for (i
= 0; i
< len_a
&& i
< len_b
; ++i
) {
483 if ((r
= cmp_single_addr_policy(smartlist_get(a
, i
), smartlist_get(b
, i
))))
486 if (i
== len_a
&& i
== len_b
)
494 /** Node in hashtable used to store address policy entries. */
495 typedef struct policy_map_ent_t
{
496 HT_ENTRY(policy_map_ent_t
) node
;
497 addr_policy_t
*policy
;
500 static HT_HEAD(policy_map
, policy_map_ent_t
) policy_root
= HT_INITIALIZER();
502 /** Return true iff a and b are equal. */
504 policy_eq(policy_map_ent_t
*a
, policy_map_ent_t
*b
)
506 return cmp_single_addr_policy(a
->policy
, b
->policy
) == 0;
509 /** Return a hashcode for <b>ent</b> */
511 policy_hash(policy_map_ent_t
*ent
)
513 addr_policy_t
*a
= ent
->policy
;
518 r
= tor_addr_hash(&a
->addr
);
519 r
+= a
->prt_min
<< 8;
520 r
+= a
->prt_max
<< 16;
522 if (a
->policy_type
== ADDR_POLICY_REJECT
)
528 HT_PROTOTYPE(policy_map
, policy_map_ent_t
, node
, policy_hash
,
530 HT_GENERATE(policy_map
, policy_map_ent_t
, node
, policy_hash
,
531 policy_eq
, 0.6, malloc
, realloc
, free
)
533 /** Given a pointer to an addr_policy_t, return a copy of the pointer to the
534 * "canonical" copy of that addr_policy_t; the canonical copy is a single
535 * reference-counted object. */
537 addr_policy_get_canonical_entry(addr_policy_t
*e
)
539 policy_map_ent_t search
, *found
;
544 found
= HT_FIND(policy_map
, &policy_root
, &search
);
546 found
= tor_malloc_zero(sizeof(policy_map_ent_t
));
547 found
->policy
= tor_memdup(e
, sizeof(addr_policy_t
));
548 found
->policy
->is_canonical
= 1;
549 found
->policy
->refcnt
= 0;
550 HT_INSERT(policy_map
, &policy_root
, found
);
553 tor_assert(!cmp_single_addr_policy(found
->policy
, e
));
554 ++found
->policy
->refcnt
;
555 return found
->policy
;
558 /** As compare_tor_addr_to_addr_policy, but instead of a tor_addr_t, takes
561 compare_addr_to_addr_policy(uint32_t addr
, uint16_t port
,
562 const smartlist_t
*policy
)
564 /*XXXX deprecate this function when possible. */
566 tor_addr_from_ipv4h(&a
, addr
);
567 return compare_tor_addr_to_addr_policy(&a
, port
, policy
);
570 /** Helper for compare_tor_addr_to_addr_policy. Implements the case where
571 * addr and port are both known. */
572 static addr_policy_result_t
573 compare_known_tor_addr_to_addr_policy(const tor_addr_t
*addr
, uint16_t port
,
574 const smartlist_t
*policy
)
576 /* We know the address and port, and we know the policy, so we can just
577 * compute an exact match. */
578 SMARTLIST_FOREACH_BEGIN(policy
, addr_policy_t
*, tmpe
) {
579 /* Address is known */
580 if (!tor_addr_compare_masked(addr
, &tmpe
->addr
, tmpe
->maskbits
,
582 if (port
>= tmpe
->prt_min
&& port
<= tmpe
->prt_max
) {
583 /* Exact match for the policy */
584 return tmpe
->policy_type
== ADDR_POLICY_ACCEPT
?
585 ADDR_POLICY_ACCEPTED
: ADDR_POLICY_REJECTED
;
588 } SMARTLIST_FOREACH_END(tmpe
);
590 /* accept all by default. */
591 return ADDR_POLICY_ACCEPTED
;
594 /** Helper for compare_tor_addr_to_addr_policy. Implements the case where
595 * addr is known but port is not. */
596 static addr_policy_result_t
597 compare_known_tor_addr_to_addr_policy_noport(const tor_addr_t
*addr
,
598 const smartlist_t
*policy
)
600 /* We look to see if there's a definite match. If so, we return that
601 match's value, unless there's an intervening possible match that says
602 something different. */
603 int maybe_accept
= 0, maybe_reject
= 0;
605 SMARTLIST_FOREACH_BEGIN(policy
, addr_policy_t
*, tmpe
) {
606 if (!tor_addr_compare_masked(addr
, &tmpe
->addr
, tmpe
->maskbits
,
608 if (tmpe
->prt_min
<= 1 && tmpe
->prt_max
>= 65535) {
609 /* Definitely matches, since it covers all ports. */
610 if (tmpe
->policy_type
== ADDR_POLICY_ACCEPT
) {
611 /* If we already hit a clause that might trigger a 'reject', than we
612 * can't be sure of this certain 'accept'.*/
613 return maybe_reject
? ADDR_POLICY_PROBABLY_ACCEPTED
:
614 ADDR_POLICY_ACCEPTED
;
616 return maybe_accept
? ADDR_POLICY_PROBABLY_REJECTED
:
617 ADDR_POLICY_REJECTED
;
621 if (tmpe
->policy_type
== ADDR_POLICY_REJECT
)
627 } SMARTLIST_FOREACH_END(tmpe
);
629 /* accept all by default. */
630 return maybe_reject
? ADDR_POLICY_PROBABLY_ACCEPTED
: ADDR_POLICY_ACCEPTED
;
633 /** Helper for compare_tor_addr_to_addr_policy. Implements the case where
634 * port is known but address is not. */
635 static addr_policy_result_t
636 compare_unknown_tor_addr_to_addr_policy(uint16_t port
,
637 const smartlist_t
*policy
)
639 /* We look to see if there's a definite match. If so, we return that
640 match's value, unless there's an intervening possible match that says
641 something different. */
642 int maybe_accept
= 0, maybe_reject
= 0;
644 SMARTLIST_FOREACH_BEGIN(policy
, addr_policy_t
*, tmpe
) {
645 if (tmpe
->prt_min
<= port
&& port
<= tmpe
->prt_max
) {
646 if (tmpe
->maskbits
== 0) {
647 /* Definitely matches, since it covers all addresses. */
648 if (tmpe
->policy_type
== ADDR_POLICY_ACCEPT
) {
649 /* If we already hit a clause that might trigger a 'reject', than we
650 * can't be sure of this certain 'accept'.*/
651 return maybe_reject
? ADDR_POLICY_PROBABLY_ACCEPTED
:
652 ADDR_POLICY_ACCEPTED
;
654 return maybe_accept
? ADDR_POLICY_PROBABLY_REJECTED
:
655 ADDR_POLICY_REJECTED
;
659 if (tmpe
->policy_type
== ADDR_POLICY_REJECT
)
665 } SMARTLIST_FOREACH_END(tmpe
);
667 /* accept all by default. */
668 return maybe_reject
? ADDR_POLICY_PROBABLY_ACCEPTED
: ADDR_POLICY_ACCEPTED
;
671 /** Decide whether a given addr:port is definitely accepted,
672 * definitely rejected, probably accepted, or probably rejected by a
673 * given policy. If <b>addr</b> is 0, we don't know the IP of the
674 * target address. If <b>port</b> is 0, we don't know the port of the
675 * target address. (At least one of <b>addr</b> and <b>port</b> must be
676 * provided. If you want to know whether a policy would definitely reject
677 * an unknown address:port, use policy_is_reject_star().)
679 * We could do better by assuming that some ranges never match typical
680 * addresses (127.0.0.1, and so on). But we'll try this for now.
683 compare_tor_addr_to_addr_policy(const tor_addr_t
*addr
, uint16_t port
,
684 const smartlist_t
*policy
)
687 /* no policy? accept all. */
688 return ADDR_POLICY_ACCEPTED
;
689 } else if (tor_addr_is_null(addr
)) {
690 tor_assert(port
!= 0);
691 return compare_unknown_tor_addr_to_addr_policy(port
, policy
);
692 } else if (port
== 0) {
693 return compare_known_tor_addr_to_addr_policy_noport(addr
, policy
);
695 return compare_known_tor_addr_to_addr_policy(addr
, port
, policy
);
699 /** Return true iff the address policy <b>a</b> covers every case that
700 * would be covered by <b>b</b>, so that a,b is redundant. */
702 addr_policy_covers(addr_policy_t
*a
, addr_policy_t
*b
)
704 /* We can ignore accept/reject, since "accept *:80, reject *:80" reduces
705 * to "accept *:80". */
706 if (a
->maskbits
> b
->maskbits
) {
707 /* a has more fixed bits than b; it can't possibly cover b. */
710 if (tor_addr_compare_masked(&a
->addr
, &b
->addr
, a
->maskbits
, CMP_EXACT
)) {
711 /* There's a fixed bit in a that's set differently in b. */
714 return (a
->prt_min
<= b
->prt_min
&& a
->prt_max
>= b
->prt_max
);
717 /** Return true iff the address policies <b>a</b> and <b>b</b> intersect,
718 * that is, there exists an address/port that is covered by <b>a</b> that
719 * is also covered by <b>b</b>.
722 addr_policy_intersects(addr_policy_t
*a
, addr_policy_t
*b
)
725 /* All the bits we care about are those that are set in both
726 * netmasks. If they are equal in a and b's networkaddresses
727 * then the networks intersect. If there is a difference,
728 * then they do not. */
729 if (a
->maskbits
< b
->maskbits
)
730 minbits
= a
->maskbits
;
732 minbits
= b
->maskbits
;
733 if (tor_addr_compare_masked(&a
->addr
, &b
->addr
, minbits
, CMP_EXACT
))
735 if (a
->prt_max
< b
->prt_min
|| b
->prt_max
< a
->prt_min
)
740 /** Add the exit policy described by <b>more</b> to <b>policy</b>.
743 append_exit_policy_string(smartlist_t
**policy
, const char *more
)
748 tmp
.value
= (char*) more
;
750 if (parse_addr_policy(&tmp
, policy
, -1)<0) {
751 log_warn(LD_BUG
, "Unable to parse internally generated policy %s",more
);
755 /** Detect and excise "dead code" from the policy *<b>dest</b>. */
757 exit_policy_remove_redundancies(smartlist_t
*dest
)
759 addr_policy_t
*ap
, *tmp
, *victim
;
762 /* Step one: find a *:* entry and cut off everything after it. */
763 for (i
= 0; i
< smartlist_len(dest
); ++i
) {
764 ap
= smartlist_get(dest
, i
);
765 if (ap
->maskbits
== 0 && ap
->prt_min
<= 1 && ap
->prt_max
>= 65535) {
766 /* This is a catch-all line -- later lines are unreachable. */
767 while (i
+1 < smartlist_len(dest
)) {
768 victim
= smartlist_get(dest
, i
+1);
769 smartlist_del(dest
, i
+1);
770 addr_policy_free(victim
);
776 /* Step two: for every entry, see if there's a redundant entry
777 * later on, and remove it. */
778 for (i
= 0; i
< smartlist_len(dest
)-1; ++i
) {
779 ap
= smartlist_get(dest
, i
);
780 for (j
= i
+1; j
< smartlist_len(dest
); ++j
) {
781 tmp
= smartlist_get(dest
, j
);
783 if (addr_policy_covers(ap
, tmp
)) {
784 char p1
[POLICY_BUF_LEN
], p2
[POLICY_BUF_LEN
];
785 policy_write_item(p1
, sizeof(p1
), tmp
, 0);
786 policy_write_item(p2
, sizeof(p2
), ap
, 0);
787 log(LOG_DEBUG
, LD_CONFIG
, "Removing exit policy %s (%d). It is made "
788 "redundant by %s (%d).", p1
, j
, p2
, i
);
789 smartlist_del_keeporder(dest
, j
--);
790 addr_policy_free(tmp
);
795 /* Step three: for every entry A, see if there's an entry B making this one
796 * redundant later on. This is the case if A and B are of the same type
797 * (accept/reject), A is a subset of B, and there is no other entry of
798 * different type in between those two that intersects with A.
800 * Anybody want to double-check the logic here? XXX
802 for (i
= 0; i
< smartlist_len(dest
)-1; ++i
) {
803 ap
= smartlist_get(dest
, i
);
804 for (j
= i
+1; j
< smartlist_len(dest
); ++j
) {
805 // tor_assert(j > i); // j starts out at i+1; j only increases; i only
807 tmp
= smartlist_get(dest
, j
);
808 if (ap
->policy_type
!= tmp
->policy_type
) {
809 if (addr_policy_intersects(ap
, tmp
))
811 } else { /* policy_types are equal. */
812 if (addr_policy_covers(tmp
, ap
)) {
813 char p1
[POLICY_BUF_LEN
], p2
[POLICY_BUF_LEN
];
814 policy_write_item(p1
, sizeof(p1
), ap
, 0);
815 policy_write_item(p2
, sizeof(p2
), tmp
, 0);
816 log(LOG_DEBUG
, LD_CONFIG
, "Removing exit policy %s. It is already "
817 "covered by %s.", p1
, p2
);
818 smartlist_del_keeporder(dest
, i
--);
819 addr_policy_free(ap
);
827 #define DEFAULT_EXIT_POLICY \
828 "reject *:25,reject *:119,reject *:135-139,reject *:445," \
829 "reject *:563,reject *:1214,reject *:4661-4666," \
830 "reject *:6346-6429,reject *:6699,reject *:6881-6999,accept *:*"
832 /** Parse the exit policy <b>cfg</b> into the linked list *<b>dest</b>. If
833 * cfg doesn't end in an absolute accept or reject and if
834 * <b>add_default_policy</b> is true, add the default exit
835 * policy afterwards. If <b>rejectprivate</b> is true, prepend
836 * "reject private:*" to the policy. Return -1 if we can't parse cfg,
840 policies_parse_exit_policy(config_line_t
*cfg
, smartlist_t
**dest
,
841 int rejectprivate
, const char *local_address
,
842 int add_default_policy
)
845 append_exit_policy_string(dest
, "reject private:*");
847 char buf
[POLICY_BUF_LEN
];
848 tor_snprintf(buf
, sizeof(buf
), "reject %s:*", local_address
);
849 append_exit_policy_string(dest
, buf
);
852 if (parse_addr_policy(cfg
, dest
, -1))
854 if (add_default_policy
)
855 append_exit_policy_string(dest
, DEFAULT_EXIT_POLICY
);
857 append_exit_policy_string(dest
, "reject *:*");
858 exit_policy_remove_redundancies(*dest
);
863 /** Replace the exit policy of <b>r</b> with reject *:*. */
865 policies_set_router_exitpolicy_to_reject_all(routerinfo_t
*r
)
868 addr_policy_list_free(r
->exit_policy
);
869 r
->exit_policy
= smartlist_create();
870 item
= router_parse_addr_policy_item_from_string("reject *:*", -1);
871 smartlist_add(r
->exit_policy
, item
);
874 /** Return true iff <b>ri</b> is "useful as an exit node", meaning
875 * it allows exit to at least one /8 address space for at least
876 * two of ports 80, 443, and 6667. */
878 exit_policy_is_general_exit(smartlist_t
*policy
)
880 static const int ports
[] = { 80, 443, 6667 };
883 if (!policy
) /*XXXX disallow NULL policies? */
886 for (i
= 0; i
< 3; ++i
) {
887 SMARTLIST_FOREACH(policy
, addr_policy_t
*, p
, {
888 if (p
->prt_min
> ports
[i
] || p
->prt_max
< ports
[i
])
889 continue; /* Doesn't cover our port. */
891 continue; /* Narrower than a /8. */
892 if (tor_addr_is_loopback(&p
->addr
))
893 continue; /* 127.x or ::1. */
894 /* We have a match that is at least a /8. */
895 if (p
->policy_type
== ADDR_POLICY_ACCEPT
) {
897 break; /* stop considering this port */
901 return n_allowed
>= 2;
904 /** Return false if <b>policy</b> might permit access to some addr:port;
905 * otherwise if we are certain it rejects everything, return true. */
907 policy_is_reject_star(const smartlist_t
*policy
)
909 if (!policy
) /*XXXX disallow NULL policies? */
911 SMARTLIST_FOREACH(policy
, addr_policy_t
*, p
, {
912 if (p
->policy_type
== ADDR_POLICY_ACCEPT
)
914 else if (p
->policy_type
== ADDR_POLICY_REJECT
&&
915 p
->prt_min
<= 1 && p
->prt_max
== 65535 &&
922 /** Write a single address policy to the buf_len byte buffer at buf. Return
923 * the number of characters written, or -1 on failure. */
925 policy_write_item(char *buf
, size_t buflen
, addr_policy_t
*policy
,
929 char addrbuf
[TOR_ADDR_BUF_LEN
];
930 const char *addrpart
;
932 const int is_accept
= policy
->policy_type
== ADDR_POLICY_ACCEPT
;
933 const int is_ip6
= tor_addr_family(&policy
->addr
) == AF_INET6
;
935 tor_addr_to_str(addrbuf
, &policy
->addr
, sizeof(addrbuf
), 1);
937 /* write accept/reject 1.2.3.4 */
938 if (policy
->is_private
)
939 addrpart
= "private";
940 else if (policy
->maskbits
== 0)
945 result
= tor_snprintf(buf
, buflen
, "%s%s%s %s",
946 (is_ip6
&&format_for_desc
)?"opt ":"",
947 is_accept
? "accept" : "reject",
948 (is_ip6
&&format_for_desc
)?"6":"",
952 written
+= strlen(buf
);
953 /* If the maskbits is 32 we don't need to give it. If the mask is 0,
954 * we already wrote "*". */
955 if (policy
->maskbits
< 32 && policy
->maskbits
> 0) {
956 if (tor_snprintf(buf
+written
, buflen
-written
, "/%d", policy
->maskbits
)<0)
958 written
+= strlen(buf
+written
);
960 if (policy
->prt_min
<= 1 && policy
->prt_max
== 65535) {
961 /* There is no port set; write ":*" */
962 if (written
+4 > buflen
)
964 strlcat(buf
+written
, ":*", buflen
-written
);
966 } else if (policy
->prt_min
== policy
->prt_max
) {
967 /* There is only one port; write ":80". */
968 result
= tor_snprintf(buf
+written
, buflen
-written
, ":%d", policy
->prt_min
);
973 /* There is a range of ports; write ":79-80". */
974 result
= tor_snprintf(buf
+written
, buflen
-written
, ":%d-%d",
975 policy
->prt_min
, policy
->prt_max
);
980 if (written
< buflen
)
988 /** Create a new exit policy summary, initially only with a single
990 /* XXXX This entire thing will do most stuff in O(N^2), or worse. Use an
991 * RB-tree if that turns out to matter. */
993 policy_summary_create(void)
995 smartlist_t
*summary
;
996 policy_summary_item_t
* item
;
998 item
= tor_malloc_zero(sizeof(policy_summary_item_t
));
1000 item
->prt_max
= 65535;
1001 item
->reject_count
= 0;
1004 summary
= smartlist_create();
1005 smartlist_add(summary
, item
);
1010 /** Split the summary item in <b>item</b> at the port <b>new_starts</b>.
1011 * The current item is changed to end at new-starts - 1, the new item
1012 * copies reject_count and accepted from the old item,
1013 * starts at new_starts and ends at the port where the original item
1016 static policy_summary_item_t
*
1017 policy_summary_item_split(policy_summary_item_t
* old
, uint16_t new_starts
)
1019 policy_summary_item_t
* new;
1021 new = tor_malloc_zero(sizeof(policy_summary_item_t
));
1022 new->prt_min
= new_starts
;
1023 new->prt_max
= old
->prt_max
;
1024 new->reject_count
= old
->reject_count
;
1025 new->accepted
= old
->accepted
;
1027 old
->prt_max
= new_starts
-1;
1029 tor_assert(old
->prt_min
<= old
->prt_max
);
1030 tor_assert(new->prt_min
<= new->prt_max
);
1034 /* XXXX Nick says I'm going to hell for this. If he feels charitably towards
1035 * my immortal soul, he can clean it up himself. */
1036 #define AT(x) ((policy_summary_item_t*)smartlist_get(summary, x))
1038 #define REJECT_CUTOFF_COUNT (1<<25)
1039 /** Split an exit policy summary so that prt_min and prt_max
1040 * fall at exactly the start and end of an item respectively.
1043 policy_summary_split(smartlist_t
*summary
,
1044 uint16_t prt_min
, uint16_t prt_max
)
1049 /* XXXX Do a binary search if run time matters */
1050 while (AT(i
)->prt_max
< prt_min
)
1052 if (AT(i
)->prt_min
!= prt_min
) {
1053 policy_summary_item_t
* new_item
;
1054 new_item
= policy_summary_item_split(AT(i
), prt_min
);
1055 smartlist_insert(summary
, i
+1, new_item
);
1060 while (AT(i
)->prt_max
< prt_max
)
1062 if (AT(i
)->prt_max
!= prt_max
) {
1063 policy_summary_item_t
* new_item
;
1064 new_item
= policy_summary_item_split(AT(i
), prt_max
+1);
1065 smartlist_insert(summary
, i
+1, new_item
);
1068 return start_at_index
;
1071 /** Mark port ranges as accepted if they are below the reject_count */
1073 policy_summary_accept(smartlist_t
*summary
,
1074 uint16_t prt_min
, uint16_t prt_max
)
1076 int i
= policy_summary_split(summary
, prt_min
, prt_max
);
1077 while (i
< smartlist_len(summary
) &&
1078 AT(i
)->prt_max
<= prt_max
) {
1079 if (!AT(i
)->accepted
&&
1080 AT(i
)->reject_count
<= REJECT_CUTOFF_COUNT
)
1081 AT(i
)->accepted
= 1;
1084 tor_assert(i
< smartlist_len(summary
) || prt_max
==65535);
1087 /** Count the number of addresses in a network with prefixlen maskbits
1088 * against the given portrange. */
1090 policy_summary_reject(smartlist_t
*summary
,
1091 maskbits_t maskbits
,
1092 uint16_t prt_min
, uint16_t prt_max
)
1094 int i
= policy_summary_split(summary
, prt_min
, prt_max
);
1095 /* XXX: ipv4 specific */
1096 uint64_t count
= (U64_LITERAL(1) << (32-maskbits
));
1097 while (i
< smartlist_len(summary
) &&
1098 AT(i
)->prt_max
<= prt_max
) {
1099 AT(i
)->reject_count
+= count
;
1102 tor_assert(i
< smartlist_len(summary
) || prt_max
==65535);
1105 /** Add a single exit policy item to our summary:
1106 * If it is an accept ignore it unless it is for all IP addresses
1107 * ("*"), i.e. it's prefixlen/maskbits is 0, else call
1108 * policy_summary_accept().
1109 * If it's a reject ignore it if it is about one of the private
1110 * networks, else call policy_summary_reject().
1113 policy_summary_add_item(smartlist_t
*summary
, addr_policy_t
*p
)
1115 if (p
->policy_type
== ADDR_POLICY_ACCEPT
) {
1116 if (p
->maskbits
== 0) {
1117 policy_summary_accept(summary
, p
->prt_min
, p
->prt_max
);
1119 } else if (p
->policy_type
== ADDR_POLICY_REJECT
) {
1123 for (i
= 0; private_nets
[i
]; ++i
) {
1125 maskbits_t maskbits
;
1126 if (tor_addr_parse_mask_ports(private_nets
[i
], &addr
,
1127 &maskbits
, NULL
, NULL
)<0) {
1130 if (tor_addr_compare(&p
->addr
, &addr
, CMP_EXACT
) == 0 &&
1131 p
->maskbits
== maskbits
) {
1138 policy_summary_reject(summary
, p
->maskbits
, p
->prt_min
, p
->prt_max
);
1144 /** Create a string representing a summary for an exit policy.
1145 * The summary will either be an "accept" plus a comma-separated list of port
1146 * ranges or a "reject" plus port-ranges, depending on which is shorter.
1148 * If no exits are allowed at all then NULL is returned, if no ports
1149 * are blocked instead of "reject " we return "accept 1-65535" (this
1150 * is an exception to the shorter-representation-wins rule).
1153 policy_summarize(smartlist_t
*policy
)
1155 smartlist_t
*summary
= policy_summary_create();
1156 smartlist_t
*accepts
, *rejects
;
1157 int i
, last
, start_prt
;
1158 size_t accepts_len
, rejects_len
, shorter_len
, final_size
;
1159 char *accepts_str
= NULL
, *rejects_str
= NULL
, *shorter_str
, *result
;
1164 /* Create the summary list */
1165 SMARTLIST_FOREACH(policy
, addr_policy_t
*, p
, {
1166 policy_summary_add_item(summary
, p
);
1169 /* Now create two lists of strings, one for accepted and one
1170 * for rejected ports. We take care to merge ranges so that
1171 * we avoid getting stuff like "1-4,5-9,10", instead we want
1176 accepts
= smartlist_create();
1177 rejects
= smartlist_create();
1179 last
= i
== smartlist_len(summary
)-1;
1181 AT(i
)->accepted
!= AT(i
+1)->accepted
) {
1182 char buf
[POLICY_BUF_LEN
];
1184 if (start_prt
== AT(i
)->prt_max
)
1185 tor_snprintf(buf
, sizeof(buf
), "%d", start_prt
);
1187 tor_snprintf(buf
, sizeof(buf
), "%d-%d", start_prt
, AT(i
)->prt_max
);
1189 if (AT(i
)->accepted
)
1190 smartlist_add(accepts
, tor_strdup(buf
));
1192 smartlist_add(rejects
, tor_strdup(buf
));
1197 start_prt
= AT(i
+1)->prt_min
;
1202 /* Figure out which of the two stringlists will be shorter and use
1203 * that to build the result
1205 if (smartlist_len(accepts
) == 0) { /* no exits at all */
1206 result
= tor_strdup("reject 1-65535");
1209 if (smartlist_len(rejects
) == 0) { /* no rejects at all */
1210 result
= tor_strdup("accept 1-65535");
1214 accepts_str
= smartlist_join_strings(accepts
, ",", 0, &accepts_len
);
1215 rejects_str
= smartlist_join_strings(rejects
, ",", 0, &rejects_len
);
1217 if (rejects_len
> MAX_EXITPOLICY_SUMMARY_LEN
&&
1218 accepts_len
> MAX_EXITPOLICY_SUMMARY_LEN
) {
1220 shorter_str
= accepts_str
;
1223 c
= shorter_str
+ (MAX_EXITPOLICY_SUMMARY_LEN
-strlen(prefix
)-1);
1224 while (*c
!= ',' && c
>= shorter_str
)
1226 tor_assert(c
>= shorter_str
);
1227 tor_assert(*c
== ',');
1230 shorter_len
= strlen(shorter_str
);
1231 } else if (rejects_len
< accepts_len
) {
1232 shorter_str
= rejects_str
;
1233 shorter_len
= rejects_len
;
1236 shorter_str
= accepts_str
;
1237 shorter_len
= accepts_len
;
1241 final_size
= strlen(prefix
)+1+shorter_len
+1;
1242 tor_assert(final_size
<= MAX_EXITPOLICY_SUMMARY_LEN
+1);
1243 result
= tor_malloc(final_size
);
1244 tor_snprintf(result
, final_size
, "%s %s", prefix
, shorter_str
);
1248 SMARTLIST_FOREACH(summary
, policy_summary_item_t
*, s
, tor_free(s
));
1249 smartlist_free(summary
);
1251 tor_free(accepts_str
);
1252 SMARTLIST_FOREACH(accepts
, char *, s
, tor_free(s
));
1253 smartlist_free(accepts
);
1255 tor_free(rejects_str
);
1256 SMARTLIST_FOREACH(rejects
, char *, s
, tor_free(s
));
1257 smartlist_free(rejects
);
1262 /** Implementation for GETINFO control command: knows the answer for questions
1263 * about "exit-policy/..." */
1265 getinfo_helper_policies(control_connection_t
*conn
,
1266 const char *question
, char **answer
)
1269 if (!strcmp(question
, "exit-policy/default")) {
1270 *answer
= tor_strdup(DEFAULT_EXIT_POLICY
);
1275 /** Release all storage held by <b>p</b>. */
1277 addr_policy_list_free(smartlist_t
*lst
)
1281 SMARTLIST_FOREACH(lst
, addr_policy_t
*, policy
, addr_policy_free(policy
));
1282 smartlist_free(lst
);
1285 /** Release all storage held by <b>p</b>. */
1287 addr_policy_free(addr_policy_t
*p
)
1292 if (--p
->refcnt
<= 0) {
1293 if (p
->is_canonical
) {
1294 policy_map_ent_t search
, *found
;
1296 found
= HT_REMOVE(policy_map
, &policy_root
, &search
);
1298 tor_assert(p
== found
->policy
);
1306 /** Release all storage held by policy variables. */
1308 policies_free_all(void)
1310 addr_policy_list_free(reachable_or_addr_policy
);
1311 reachable_or_addr_policy
= NULL
;
1312 addr_policy_list_free(reachable_dir_addr_policy
);
1313 reachable_dir_addr_policy
= NULL
;
1314 addr_policy_list_free(socks_policy
);
1315 socks_policy
= NULL
;
1316 addr_policy_list_free(dir_policy
);
1318 addr_policy_list_free(authdir_reject_policy
);
1319 authdir_reject_policy
= NULL
;
1320 addr_policy_list_free(authdir_invalid_policy
);
1321 authdir_invalid_policy
= NULL
;
1322 addr_policy_list_free(authdir_baddir_policy
);
1323 authdir_baddir_policy
= NULL
;
1324 addr_policy_list_free(authdir_badexit_policy
);
1325 authdir_badexit_policy
= NULL
;
1327 if (!HT_EMPTY(&policy_root
)) {
1328 policy_map_ent_t
**ent
;
1330 char buf
[POLICY_BUF_LEN
];
1332 log_warn(LD_MM
, "Still had %d address policies cached at shutdown.",
1333 (int)HT_SIZE(&policy_root
));
1335 /* Note the first 10 cached policies to try to figure out where they
1336 * might be coming from. */
1337 HT_FOREACH(ent
, policy_map
, &policy_root
) {
1340 if (policy_write_item(buf
, sizeof(buf
), (*ent
)->policy
, 0) >= 0)
1341 log_warn(LD_MM
," %d [%d]: %s", n
, (*ent
)->policy
->refcnt
, buf
);
1344 HT_CLEAR(policy_map
, &policy_root
);