| blob | f0f96e659badd3df7cad84c6924966a35aa2fe71 |
1 /* Copyright (c) 2001-2004, Roger Dingledine.
2 * Copyright (c) 2004-2006, Roger Dingledine, Nick Mathewson.
3 * Copyright (c) 2007-2008, The Tor Project, Inc. */
4 /* See LICENSE for licensing information */
5 /* $Id$ */
9 /**
10 * \file policies.c
11 * \brief Code to parse and use address policies and exit policies.
12 **/
17 /** Policy that addresses for incoming SOCKS connections must match. */
19 /** Policy that addresses for incoming directory connections must match. */
21 /** Policy that addresses for incoming router descriptors must match in order
22 * to be published by us. */
24 /** Policy that addresses for incoming router descriptors must match in order
25 * to be marked as valid in our networkstatus. */
27 /** Policy that addresses for incoming router descriptors must <b>not</b>
28 * match in order to not be marked as BadDirectory. */
30 /** Policy that addresses for incoming router descriptors must <b>not</b>
31 * match in order to not be marked as BadExit. */
34 /** Parsed addr_policy_t describing which addresses we believe we can start
35 * circuits at. */
37 /** Parsed addr_policy_t describing which addresses we believe we can connect
38 * to directories at. */
41 /** Element of an exit policy summary */
46 this portrange. */
52 void policy_summary_reject(smartlist_t *summary, maskbits_t maskbits, uint16_t prt_min, uint16_t prt_max);
55 policy_summary_item_t* policy_summary_item_split(policy_summary_item_t* old, uint16_t new_starts);
57 /** Private networks. This list is used in two places, once to expand the
58 * "private" keyword when parsing our own exit policy, secondly to ignore
59 * just such networks when building exit policy summaries. It is important
60 * that all authorities agree on that list when creating summaries, so don't
61 * just change this without a proper migration plan and a proposal and stuff.
62 */
66 // "fc00::/7", "fe80::/10", "fec0::/10", "::/127",
67 NULL };
69 /** Replace all "private" entries in *<b>policy</b> with their expanded
70 * equivalents. */
71 void
73 {
85 {
89 }
91 addr_policy_t policy;
98 }
100 }
102 });
106 }
108 /**
109 * Given a linked list of config lines containing "allow" and "deny"
110 * tokens, parse them and append the result to <b>dest</b>. Return -1
111 * if any tokens are malformed (and don't append any), else return 0.
112 */
113 static int
116 {
131 {
139 }
140 });
143 }
155 }
156 }
159 }
161 /** Helper: parse the Reachable(Dir|OR)?Addresses fields into
162 * reachable_(or|dir)_addr_policy. The options should already have
163 * been validated by validate_addr_policies.
164 */
165 static int
167 {
175 "Both ReachableDirAddresses and ReachableORAddresses are set. "
177 }
191 }
206 }
208 }
210 /** Return true iff the firewall options might block any address:port
211 * combination.
212 */
213 int
215 {
217 }
219 /** Return true iff <b>policy</b> (possibly NULL) will allow a
220 * connection to <b>addr</b>:<b>port</b>.
221 */
222 static int
225 {
226 addr_policy_result_t p;
238 }
239 }
241 /* DOCDOC XXXX021 deprecate? */
242 static int
245 {
246 tor_addr_t a;
249 }
251 /** Return true iff we think our firewall will let us make an OR connection to
252 * addr:port. */
253 int
255 {
257 reachable_or_addr_policy);
258 }
260 /** DOCDOC */
261 int
263 {
264 /* XXXX021 proposal 118 */
265 tor_addr_t addr;
268 }
270 /** Return true iff we think our firewall will let us make a directory
271 * connection to addr:port. */
272 int
274 {
276 reachable_dir_addr_policy);
277 }
279 /** Return 1 if <b>addr</b> is permitted to connect to our dir port,
280 * based on <b>dir_policy</b>. Else return 0.
281 */
282 int
284 {
286 }
288 /** Return 1 if <b>addr</b> is permitted to connect to our socks port,
289 * based on <b>socks_policy</b>. Else return 0.
290 */
291 int
293 {
295 }
297 /** Return 1 if <b>addr</b>:<b>port</b> is permitted to publish to our
298 * directory, based on <b>authdir_reject_policy</b>. Else return 0.
299 */
300 int
302 {
304 }
306 /** Return 1 if <b>addr</b>:<b>port</b> is considered valid in our
307 * directory, based on <b>authdir_invalid_policy</b>. Else return 0.
308 */
309 int
311 {
313 }
315 /** Return 1 if <b>addr</b>:<b>port</b> should be marked as a bad dir,
316 * based on <b>authdir_baddir_policy</b>. Else return 0.
317 */
318 int
320 {
322 }
324 /** Return 1 if <b>addr</b>:<b>port</b> should be marked as a bad exit,
325 * based on <b>authdir_badexit_policy</b>. Else return 0.
326 */
327 int
329 {
331 }
333 #define REJECT(arg) \
334 STMT_BEGIN *msg = tor_strdup(arg); goto err; STMT_END
336 /** Config helper: If there's any problem with the policy configuration
337 * options in <b>options</b>, return -1 and set <b>msg</b> to a newly
338 * allocated description of the error. Else return 0. */
339 int
341 {
342 /* XXXX Maybe merge this into parse_policies_from_options, to make sure
343 * that the two can't go out of sync. */
352 /* The rest of these calls *append* to addr_policy. So don't actually
353 * use the results for anything other than checking if they parse! */
359 ADDR_POLICY_REJECT))
362 ADDR_POLICY_REJECT))
365 ADDR_POLICY_REJECT))
368 ADDR_POLICY_REJECT))
372 ADDR_POLICY_ACCEPT))
375 ADDR_POLICY_ACCEPT))
378 ADDR_POLICY_ACCEPT))
381 ADDR_POLICY_REJECT))
384 ADDR_POLICY_REJECT))
387 err:
390 #undef REJECT
391 }
393 /** Parse <b>string</b> in the same way that the exit policy
394 * is parsed, and put the processed version in *<b>policy</b>.
395 * Ignore port specifiers.
396 */
397 static int
400 {
407 }
410 /* ports aren't used. */
413 });
414 }
416 }
418 /** Set all policies based on <b>options</b>, which should have been validated
419 * first by validate_addr_policies. */
420 int
422 {
443 }
445 /** Compare two provided address policy items, and return -1, 0, or 1
446 * if the first is less than, equal to, or greater than the second. */
447 static int
449 {
464 }
466 /** Like cmp_single_addr_policy() above, but looks at the
467 * whole set of policies in each case. */
468 int
470 {
478 }
483 else
485 }
487 /** Node in hashtable used to store address policy entries. */
495 /** Return true iff a and b are equal. */
498 {
500 }
502 /** Return a hashcode for <b>ent</b> */
503 static unsigned int
505 {
510 else
519 }
522 policy_eq)
526 /** Given a pointer to an addr_policy_t, return a copy of the pointer to the
527 * "canonical" copy of that addr_policy_t; the canonical copy is a single
528 * reference-counted object. */
529 addr_policy_t *
531 {
544 }
549 }
551 /** DOCDOC */
552 addr_policy_result_t
554 {
555 /*XXXX021 deprecate this function? */
556 tor_addr_t a;
559 }
561 /** Decide whether a given addr:port is definitely accepted,
562 * definitely rejected, probably accepted, or probably rejected by a
563 * given policy. If <b>addr</b> is 0, we don't know the IP of the
564 * target address. If <b>port</b> is 0, we don't know the port of the
565 * target address.
566 *
567 * For now, the algorithm is pretty simple: we look for definite and
568 * uncertain matches. The first definite match is what we guess; if
569 * it was preceded by no uncertain matches of the opposite policy,
570 * then the guess is definite; otherwise it is probable. (If we
571 * have a known addr and port, all matches are definite; if we have an
572 * unknown addr/port, any address/port ranges other than "all" are
573 * uncertain.)
574 *
575 * We could do better by assuming that some ranges never match typical
576 * addresses (127.0.0.1, and so on). But we'll try this for now.
577 */
578 addr_policy_result_t
581 {
596 /* Address is unknown. */
599 /* The port definitely matches. */
604 }
606 /* The port maybe matches. */
608 }
610 /* Address is known */
612 CMP_SEMANTIC)) {
614 /* Exact match for the policy */
618 }
619 }
620 }
624 else
626 }
629 /* If we already hit a clause that might trigger a 'reject', than we
630 * can't be sure of this certain 'accept'.*/
632 ADDR_POLICY_ACCEPTED;
635 ADDR_POLICY_REJECTED;
636 }
637 }
638 }
640 /* accept all by default. */
642 }
644 /** Return true iff the address policy <b>a</b> covers every case that
645 * would be covered by <b>b</b>, so that a,b is redundant. */
646 static int
648 {
649 /* We can ignore accept/reject, since "accept *:80, reject *:80" reduces
650 * to "accept *:80". */
652 /* a has more fixed bits than b; it can't possibly cover b. */
654 }
656 /* There's a fixed bit in a that's set differently in b. */
658 }
660 }
662 /** Return true iff the address policies <b>a</b> and <b>b</b> intersect,
663 * that is, there exists an address/port that is covered by <b>a</b> that
664 * is also covered by <b>b</b>.
665 */
666 static int
668 {
669 maskbits_t minbits;
670 /* All the bits we care about are those that are set in both
671 * netmasks. If they are equal in a and b's networkaddresses
672 * then the networks intersect. If there is a difference,
673 * then they do not. */
676 else
683 }
685 /** Add the exit policy described by <b>more</b> to <b>policy</b>.
686 */
687 static void
689 {
690 config_line_t tmp;
697 }
698 }
700 /** Detect and excise "dead code" from the policy *<b>dest</b>. */
701 static void
703 {
707 /* Step one: find a *:* entry and cut off everything after it. */
711 /* This is a catch-all line -- later lines are unreachable. */
716 }
718 }
719 }
721 /* Step two: for every entry, see if there's a redundant entry
722 * later on, and remove it. */
736 }
737 }
738 }
740 /* Step three: for every entry A, see if there's an entry B making this one
741 * redundant later on. This is the case if A and B are of the same type
742 * (accept/reject), A is a subset of B, and there is no other entry of
743 * different type in between those two that intersects with A.
744 *
745 * Anybody want to doublecheck the logic here? XXX
746 */
750 // tor_assert(j > i); // j starts out at i+1; j only increases; i only
751 // // decreases.
766 }
767 }
768 }
769 }
770 }
772 #define DEFAULT_EXIT_POLICY \
776 "reject *:6346-6429,reject *:6699,reject *:6881-6999,accept *:*"
778 /** Parse the exit policy <b>cfg</b> into the linked list *<b>dest</b>. If
779 * cfg doesn't end in an absolute accept or reject, add the default exit
780 * policy afterwards. If <b>rejectprivate</b> is true, prepend
781 * "reject private:*" to the policy. Return -1 if we can't parse cfg,
782 * else return 0.
783 */
784 int
787 {
794 }
795 }
803 }
805 /** Replace the exit policy of <b>r</b> with reject *:*. */
806 void
808 {
814 }
816 /** Return true iff <b>ri</b> is "useful as an exit node", meaning
817 * it allows exit to at least one /8 address space for at least
818 * two of ports 80, 443, and 6667. */
819 int
821 {
836 /* We have a match that is at least a /8. */
840 }
841 });
842 }
844 }
846 /** Return false if <b>policy</b> might permit access to some addr:port;
847 * otherwise if we are certain it rejects everything, return true. */
848 int
850 {
860 });
862 }
864 /** Write a single address policy to the buf_len byte buffer at buf. Return
865 * the number of characters written, or -1 on failure. */
866 int
869 {
879 /* write accept/reject 1.2.3.4 */
884 else
891 addrpart);
895 /* If the maskbits is 32 we don't need to give it. If the mask is 0,
896 * we already wrote "*". */
901 }
903 /* There is no port set; write ":*" */
909 /* There is only one port; write ":80". */
915 /* There is a range of ports; write ":79-80". */
921 }
924 else
928 }
930 /** Create a new exit policy summary, initially only with a single
931 * port 1-64k item */
932 /* XXXX This entire thing will do most stuff in O(N^2), or worse. Use an
933 * RB-tree if that turns out to matter. */
934 smartlist_t *
936 {
950 }
952 /** Split the summary item in <b>item</b> at the port <b>new_starts</b>.
953 * The current item is changed to end at new-starts - 1, the new item
954 * copies reject_count and accepted from the old item,
955 * starts at new_starts and ends at the port where the original item
956 * previously ended.
957 */
958 policy_summary_item_t*
973 }
975 /* XXXX Nick says I'm going to hell for this. If he feels charitably towards
976 * my immortal soul, he can clean it up himself. */
977 #define AT(x) ((policy_summary_item_t*)smartlist_get(summary, x))
979 #define REJECT_CUTOFF_COUNT (1<<25)
980 /* Split an exit policy summary so that prt_min and prt_max
981 * fall at exactly the start and end of an item respectively.
982 */
983 int
986 {
990 /* XXXX Do a binary search if run time matters */
992 i++;
997 i++;
998 }
1002 i++;
1007 }
1010 }
1012 /** Mark port ranges as accepted if they are below the reject_count */
1013 void
1016 {
1023 i++;
1024 }
1026 }
1028 /** Count the number of addresses in a network with prefixlen maskbits
1029 * against the given portrange. */
1030 void
1032 maskbits_t maskbits,
1034 {
1036 /* XXX: ipv4 specific */
1041 i++;
1042 }
1044 }
1046 /** Add a single exit policy item to our summary:
1047 * If it is an accept ignore it unless it is for all IP addresses
1048 * ("*"), i.e. it's prefixlen/maskbits is 0, else call
1049 * policy_summary_accept().
1050 * If it's a reject ignore it if it is about one of the private
1051 * networks, else call policy_summary_reject().
1052 */
1053 void
1055 {
1059 }
1065 tor_addr_t addr;
1066 maskbits_t maskbits;
1070 }
1075 }
1076 }
1080 }
1083 }
1085 /** Create a string representing a summary for an exit policy.
1086 * The summary will either be an "accept" plus a comma-seperated list of port
1087 * ranges or a "reject" plus portranges, depending on which is shorter.
1088 */
1091 {
1101 /* Create the summary list */
1104 });
1106 /* Now create two lists of strings, one for accepted and one
1107 * for rejected ports. We take care to merge ranges so that
1108 * we avoid getting stuff like "1-4,5-9,10", instead we want
1109 * "1-10"
1110 */
1123 else
1128 else
1135 };
1136 i++;
1137 };
1139 /* Figure out which of the two stringlists will be shorter and use
1140 * that to build the result
1141 */
1153 }
1159 /* cleanup */
1172 }
1174 /** Implementation for GETINFO control command: knows the answer for questions
1175 * about "exit-policy/..." */
1176 int
1179 {
1183 }
1185 }
1187 /** Release all storage held by <b>p</b>. */
1188 void
1190 {
1194 }
1196 /** Release all storage held by <b>p</b>. */
1197 void
1199 {
1209 }
1210 }
1212 }
1213 }
1214 }
1216 /** Release all storage held by policy variables. */
1217 void
1219 {
1240 }
1242 /* vim:set et ts=2 shiftwidth=2: */