| blob | f8c36c784ba0734cbcb6dfb9e526c249cf864c8b |
1 /* Copyright (c) 2001-2004, Roger Dingledine.
2 * Copyright (c) 2004-2006, Roger Dingledine, Nick Mathewson.
3 * Copyright (c) 2007-2011, The Tor Project, Inc. */
4 /* See LICENSE for licensing information */
6 /**
7 * \file policies.c
8 * \brief Code to parse and use address policies and exit policies.
9 **/
14 /** Policy that addresses for incoming SOCKS connections must match. */
16 /** Policy that addresses for incoming directory connections must match. */
18 /** Policy that addresses for incoming router descriptors must match in order
19 * to be published by us. */
21 /** Policy that addresses for incoming router descriptors must match in order
22 * to be marked as valid in our networkstatus. */
24 /** Policy that addresses for incoming router descriptors must <b>not</b>
25 * match in order to not be marked as BadDirectory. */
27 /** Policy that addresses for incoming router descriptors must <b>not</b>
28 * match in order to not be marked as BadExit. */
31 /** Parsed addr_policy_t describing which addresses we believe we can start
32 * circuits at. */
34 /** Parsed addr_policy_t describing which addresses we believe we can connect
35 * to directories at. */
38 /** Element of an exit policy summary */
43 this port range. */
47 /** Private networks. This list is used in two places, once to expand the
48 * "private" keyword when parsing our own exit policy, secondly to ignore
49 * just such networks when building exit policy summaries. It is important
50 * that all authorities agree on that list when creating summaries, so don't
51 * just change this without a proper migration plan and a proposal and stuff.
52 */
56 // "fc00::/7", "fe80::/10", "fec0::/10", "::/127",
57 NULL };
59 /** Replace all "private" entries in *<b>policy</b> with their expanded
60 * equivalents. */
61 void
63 {
75 {
79 }
81 addr_policy_t policy;
88 }
90 }
92 });
96 }
98 /**
99 * Given a linked list of config lines containing "allow" and "deny"
100 * tokens, parse them and append the result to <b>dest</b>. Return -1
101 * if any tokens are malformed (and don't append any), else return 0.
102 *
103 * If <b>assume_action</b> is nonnegative, then insert its action
104 * (ADDR_POLICY_ACCEPT or ADDR_POLICY_REJECT) for items that specify no
105 * action.
106 */
107 static int
110 {
125 {
133 }
134 });
137 }
149 }
150 }
153 }
155 /** Helper: parse the Reachable(Dir|OR)?Addresses fields into
156 * reachable_(or|dir)_addr_policy. The options should already have
157 * been validated by validate_addr_policies.
158 */
159 static int
161 {
169 "Both ReachableDirAddresses and ReachableORAddresses are set. "
171 }
185 }
200 }
202 }
204 /** Return true iff the firewall options might block any address:port
205 * combination.
206 */
207 int
209 {
211 }
213 /** Return true iff <b>policy</b> (possibly NULL) will allow a
214 * connection to <b>addr</b>:<b>port</b>.
215 */
216 static int
219 {
220 addr_policy_result_t p;
232 }
233 }
235 /** Return true iff <b> policy</b> (possibly NULL) will allow a connection to
236 * <b>addr</b>:<b>port</b>. <b>addr</b> is an IPv4 address given in host
237 * order. */
238 /* XXXX deprecate when possible. */
239 static int
242 {
243 tor_addr_t a;
246 }
248 /** Return true iff we think our firewall will let us make an OR connection to
249 * addr:port. */
250 int
252 {
254 reachable_or_addr_policy);
255 }
257 /** Return true iff we think our firewall will let us make an OR connection to
258 * <b>ri</b>. */
259 int
261 {
262 /* XXXX proposal 118 */
263 tor_addr_t addr;
266 }
268 /** Return true iff we think our firewall will let us make a directory
269 * connection to addr:port. */
270 int
272 {
274 reachable_dir_addr_policy);
275 }
277 /** Return 1 if <b>addr</b> is permitted to connect to our dir port,
278 * based on <b>dir_policy</b>. Else return 0.
279 */
280 int
282 {
284 }
286 /** Return 1 if <b>addr</b> is permitted to connect to our socks port,
287 * based on <b>socks_policy</b>. Else return 0.
288 */
289 int
291 {
293 }
295 /** Return 1 if <b>addr</b>:<b>port</b> is permitted to publish to our
296 * directory, based on <b>authdir_reject_policy</b>. Else return 0.
297 */
298 int
300 {
302 }
304 /** Return 1 if <b>addr</b>:<b>port</b> is considered valid in our
305 * directory, based on <b>authdir_invalid_policy</b>. Else return 0.
306 */
307 int
309 {
311 }
313 /** Return 1 if <b>addr</b>:<b>port</b> should be marked as a bad dir,
314 * based on <b>authdir_baddir_policy</b>. Else return 0.
315 */
316 int
318 {
320 }
322 /** Return 1 if <b>addr</b>:<b>port</b> should be marked as a bad exit,
323 * based on <b>authdir_badexit_policy</b>. Else return 0.
324 */
325 int
327 {
329 }
331 #define REJECT(arg) \
332 STMT_BEGIN *msg = tor_strdup(arg); goto err; STMT_END
334 /** Config helper: If there's any problem with the policy configuration
335 * options in <b>options</b>, return -1 and set <b>msg</b> to a newly
336 * allocated description of the error. Else return 0. */
337 int
339 {
340 /* XXXX Maybe merge this into parse_policies_from_options, to make sure
341 * that the two can't go out of sync. */
350 /* The rest of these calls *append* to addr_policy. So don't actually
351 * use the results for anything other than checking if they parse! */
357 ADDR_POLICY_REJECT))
360 ADDR_POLICY_REJECT))
363 ADDR_POLICY_REJECT))
366 ADDR_POLICY_REJECT))
370 ADDR_POLICY_ACCEPT))
373 ADDR_POLICY_ACCEPT))
376 ADDR_POLICY_ACCEPT))
379 ADDR_POLICY_REJECT))
382 ADDR_POLICY_REJECT))
385 err:
388 #undef REJECT
389 }
391 /** Parse <b>string</b> in the same way that the exit policy
392 * is parsed, and put the processed version in *<b>policy</b>.
393 * Ignore port specifiers.
394 */
395 static int
398 {
405 }
408 /* ports aren't used in these. */
418 }
420 }
422 }
424 /** Set all policies based on <b>options</b>, which should have been validated
425 * first by validate_addr_policies. */
426 int
428 {
449 }
451 /** Compare two provided address policy items, and return -1, 0, or 1
452 * if the first is less than, equal to, or greater than the second. */
453 static int
455 {
470 }
472 /** Like cmp_single_addr_policy() above, but looks at the
473 * whole set of policies in each case. */
474 int
476 {
484 }
489 else
491 }
493 /** Node in hashtable used to store address policy entries. */
501 /** Return true iff a and b are equal. */
504 {
506 }
508 /** Return a hashcode for <b>ent</b> */
509 static unsigned int
511 {
516 else
525 }
528 policy_eq)
532 /** Given a pointer to an addr_policy_t, return a copy of the pointer to the
533 * "canonical" copy of that addr_policy_t; the canonical copy is a single
534 * reference-counted object. */
535 addr_policy_t *
537 {
550 }
555 }
557 /** As compare_tor_addr_to_addr_policy, but instead of a tor_addr_t, takes
558 * in host order. */
559 addr_policy_result_t
562 {
563 /*XXXX deprecate this function when possible. */
564 tor_addr_t a;
567 }
569 /** Helper for compare_tor_addr_to_addr_policy. Implements the case where
570 * addr and port are both known. */
571 static addr_policy_result_t
574 {
575 /* We know the address and port, and we know the policy, so we can just
576 * compute an exact match. */
578 /* Address is known */
580 CMP_EXACT)) {
582 /* Exact match for the policy */
585 }
586 }
589 /* accept all by default. */
591 }
593 /** Helper for compare_tor_addr_to_addr_policy. Implements the case where
594 * addr is known but port is not. */
595 static addr_policy_result_t
598 {
599 /* We look to see if there's a definite match. If so, we return that
600 match's value, unless there's an intervening possible match that says
601 something different. */
606 CMP_EXACT)) {
608 /* Definitely matches, since it covers all ports. */
610 /* If we already hit a clause that might trigger a 'reject', than we
611 * can't be sure of this certain 'accept'.*/
613 ADDR_POLICY_ACCEPTED;
616 ADDR_POLICY_REJECTED;
617 }
619 /* Might match. */
622 else
624 }
625 }
628 /* accept all by default. */
630 }
632 /** Helper for compare_tor_addr_to_addr_policy. Implements the case where
633 * port is known but address is not. */
634 static addr_policy_result_t
637 {
638 /* We look to see if there's a definite match. If so, we return that
639 match's value, unless there's an intervening possible match that says
640 something different. */
646 /* Definitely matches, since it covers all addresses. */
648 /* If we already hit a clause that might trigger a 'reject', than we
649 * can't be sure of this certain 'accept'.*/
651 ADDR_POLICY_ACCEPTED;
654 ADDR_POLICY_REJECTED;
655 }
657 /* Might match. */
660 else
662 }
663 }
666 /* accept all by default. */
668 }
670 /** Decide whether a given addr:port is definitely accepted,
671 * definitely rejected, probably accepted, or probably rejected by a
672 * given policy. If <b>addr</b> is 0, we don't know the IP of the
673 * target address. If <b>port</b> is 0, we don't know the port of the
674 * target address. (At least one of <b>addr</b> and <b>port</b> must be
675 * provided. If you want to know whether a policy would definitely reject
676 * an unknown address:port, use policy_is_reject_star().)
677 *
678 * We could do better by assuming that some ranges never match typical
679 * addresses (127.0.0.1, and so on). But we'll try this for now.
680 */
681 addr_policy_result_t
684 {
686 /* no policy? accept all. */
695 }
696 }
698 /** Return true iff the address policy <b>a</b> covers every case that
699 * would be covered by <b>b</b>, so that a,b is redundant. */
700 static int
702 {
703 /* We can ignore accept/reject, since "accept *:80, reject *:80" reduces
704 * to "accept *:80". */
706 /* a has more fixed bits than b; it can't possibly cover b. */
708 }
710 /* There's a fixed bit in a that's set differently in b. */
712 }
714 }
716 /** Return true iff the address policies <b>a</b> and <b>b</b> intersect,
717 * that is, there exists an address/port that is covered by <b>a</b> that
718 * is also covered by <b>b</b>.
719 */
720 static int
722 {
723 maskbits_t minbits;
724 /* All the bits we care about are those that are set in both
725 * netmasks. If they are equal in a and b's networkaddresses
726 * then the networks intersect. If there is a difference,
727 * then they do not. */
730 else
737 }
739 /** Add the exit policy described by <b>more</b> to <b>policy</b>.
740 */
741 static void
743 {
744 config_line_t tmp;
751 }
752 }
754 /** Detect and excise "dead code" from the policy *<b>dest</b>. */
755 static void
757 {
761 /* Step one: find a *:* entry and cut off everything after it. */
765 /* This is a catch-all line -- later lines are unreachable. */
770 }
772 }
773 }
775 /* Step two: for every entry, see if there's a redundant entry
776 * later on, and remove it. */
790 }
791 }
792 }
794 /* Step three: for every entry A, see if there's an entry B making this one
795 * redundant later on. This is the case if A and B are of the same type
796 * (accept/reject), A is a subset of B, and there is no other entry of
797 * different type in between those two that intersects with A.
798 *
799 * Anybody want to double-check the logic here? XXX
800 */
804 // tor_assert(j > i); // j starts out at i+1; j only increases; i only
805 // // decreases.
820 }
821 }
822 }
823 }
824 }
826 #define DEFAULT_EXIT_POLICY \
829 "reject *:6346-6429,reject *:6699,reject *:6881-6999,accept *:*"
831 /** Parse the exit policy <b>cfg</b> into the linked list *<b>dest</b>. If
832 * cfg doesn't end in an absolute accept or reject, add the default exit
833 * policy afterwards. If <b>rejectprivate</b> is true, prepend
834 * "reject private:*" to the policy. Return -1 if we can't parse cfg,
835 * else return 0.
836 */
837 int
840 {
847 }
848 }
856 }
858 /** Replace the exit policy of <b>r</b> with reject *:*. */
859 void
861 {
867 }
869 /** Return true iff <b>ri</b> is "useful as an exit node", meaning
870 * it allows exit to at least one /8 address space for at least
871 * two of ports 80, 443, and 6667. */
872 int
874 {
891 /* We have a match that is at least a /8. */
895 }
896 });
897 }
899 }
901 /** Return false if <b>policy</b> might permit access to some addr:port;
902 * otherwise if we are certain it rejects everything, return true. */
903 int
905 {
915 });
917 }
919 /** Write a single address policy to the buf_len byte buffer at buf. Return
920 * the number of characters written, or -1 on failure. */
921 int
924 {
934 /* write accept/reject 1.2.3.4 */
939 else
946 addrpart);
950 /* If the maskbits is 32 we don't need to give it. If the mask is 0,
951 * we already wrote "*". */
956 }
958 /* There is no port set; write ":*" */
964 /* There is only one port; write ":80". */
970 /* There is a range of ports; write ":79-80". */
976 }
979 else
983 }
985 /** Create a new exit policy summary, initially only with a single
986 * port 1-64k item */
987 /* XXXX This entire thing will do most stuff in O(N^2), or worse. Use an
988 * RB-tree if that turns out to matter. */
991 {
1005 }
1007 /** Split the summary item in <b>item</b> at the port <b>new_starts</b>.
1008 * The current item is changed to end at new-starts - 1, the new item
1009 * copies reject_count and accepted from the old item,
1010 * starts at new_starts and ends at the port where the original item
1011 * previously ended.
1012 */
1015 {
1029 }
1031 /* XXXX Nick says I'm going to hell for this. If he feels charitably towards
1032 * my immortal soul, he can clean it up himself. */
1033 #define AT(x) ((policy_summary_item_t*)smartlist_get(summary, x))
1035 #define REJECT_CUTOFF_COUNT (1<<25)
1036 /** Split an exit policy summary so that prt_min and prt_max
1037 * fall at exactly the start and end of an item respectively.
1038 */
1039 static int
1042 {
1046 /* XXXX Do a binary search if run time matters */
1048 i++;
1053 i++;
1054 }
1058 i++;
1063 }
1066 }
1068 /** Mark port ranges as accepted if they are below the reject_count */
1069 static void
1072 {
1079 i++;
1080 }
1082 }
1084 /** Count the number of addresses in a network with prefixlen maskbits
1085 * against the given portrange. */
1086 static void
1088 maskbits_t maskbits,
1090 {
1092 /* XXX: ipv4 specific */
1097 i++;
1098 }
1100 }
1102 /** Add a single exit policy item to our summary:
1103 * If it is an accept ignore it unless it is for all IP addresses
1104 * ("*"), i.e. it's prefixlen/maskbits is 0, else call
1105 * policy_summary_accept().
1106 * If it's a reject ignore it if it is about one of the private
1107 * networks, else call policy_summary_reject().
1108 */
1109 static void
1111 {
1115 }
1121 tor_addr_t addr;
1122 maskbits_t maskbits;
1126 }
1131 }
1132 }
1136 }
1139 }
1141 /** Create a string representing a summary for an exit policy.
1142 * The summary will either be an "accept" plus a comma-separated list of port
1143 * ranges or a "reject" plus port-ranges, depending on which is shorter.
1144 *
1145 * If no exits are allowed at all then NULL is returned, if no ports
1146 * are blocked instead of "reject " we return "accept 1-65535" (this
1147 * is an exception to the shorter-representation-wins rule).
1148 */
1151 {
1161 /* Create the summary list */
1164 });
1166 /* Now create two lists of strings, one for accepted and one
1167 * for rejected ports. We take care to merge ranges so that
1168 * we avoid getting stuff like "1-4,5-9,10", instead we want
1169 * "1-10"
1170 */
1183 else
1188 else
1195 };
1196 i++;
1197 };
1199 /* Figure out which of the two stringlists will be shorter and use
1200 * that to build the result
1201 */
1205 }
1209 }
1222 c--;
1236 }
1243 cleanup:
1244 /* cleanup */
1257 }
1259 /** Implementation for GETINFO control command: knows the answer for questions
1260 * about "exit-policy/..." */
1261 int
1264 {
1268 }
1270 }
1272 /** Release all storage held by <b>p</b>. */
1273 void
1275 {
1279 }
1281 /** Release all storage held by <b>p</b>. */
1282 void
1284 {
1294 }
1295 }
1297 }
1298 }
1299 }
1301 /** Release all storage held by policy variables. */
1302 void
1304 {
1330 /* Note the first 10 cached policies to try to figure out where they
1331 * might be coming from. */
1337 }
1338 }
1340 }