| blob | 6947222b2ef98d95b5ef274386cb66365a164be7 |
1 /* Copyright (c) 2001-2004, Roger Dingledine.
2 * Copyright (c) 2004-2006, Roger Dingledine, Nick Mathewson.
3 * Copyright (c) 2007-2011, The Tor Project, Inc. */
4 /* See LICENSE for licensing information */
6 /**
7 * \file policies.c
8 * \brief Code to parse and use address policies and exit policies.
9 **/
18 /** Policy that addresses for incoming SOCKS connections must match. */
20 /** Policy that addresses for incoming directory connections must match. */
22 /** Policy that addresses for incoming router descriptors must match in order
23 * to be published by us. */
25 /** Policy that addresses for incoming router descriptors must match in order
26 * to be marked as valid in our networkstatus. */
28 /** Policy that addresses for incoming router descriptors must <b>not</b>
29 * match in order to not be marked as BadDirectory. */
31 /** Policy that addresses for incoming router descriptors must <b>not</b>
32 * match in order to not be marked as BadExit. */
35 /** Parsed addr_policy_t describing which addresses we believe we can start
36 * circuits at. */
38 /** Parsed addr_policy_t describing which addresses we believe we can connect
39 * to directories at. */
42 /** Element of an exit policy summary */
47 this port range. */
51 /** Private networks. This list is used in two places, once to expand the
52 * "private" keyword when parsing our own exit policy, secondly to ignore
53 * just such networks when building exit policy summaries. It is important
54 * that all authorities agree on that list when creating summaries, so don't
55 * just change this without a proper migration plan and a proposal and stuff.
56 */
60 // "fc00::/7", "fe80::/10", "fec0::/10", "::/127",
61 NULL };
63 /** Replace all "private" entries in *<b>policy</b> with their expanded
64 * equivalents. */
65 void
67 {
79 {
83 }
85 addr_policy_t policy;
92 }
94 }
96 });
100 }
102 /**
103 * Given a linked list of config lines containing "allow" and "deny"
104 * tokens, parse them and append the result to <b>dest</b>. Return -1
105 * if any tokens are malformed (and don't append any), else return 0.
106 *
107 * If <b>assume_action</b> is nonnegative, then insert its action
108 * (ADDR_POLICY_ACCEPT or ADDR_POLICY_REJECT) for items that specify no
109 * action.
110 */
111 static int
114 {
129 {
137 }
138 });
141 }
153 }
154 }
157 }
159 /** Helper: parse the Reachable(Dir|OR)?Addresses fields into
160 * reachable_(or|dir)_addr_policy. The options should already have
161 * been validated by validate_addr_policies.
162 */
163 static int
165 {
173 "Both ReachableDirAddresses and ReachableORAddresses are set. "
175 }
189 }
204 }
206 }
208 /** Return true iff the firewall options might block any address:port
209 * combination.
210 */
211 int
213 {
215 }
217 /** Return true iff <b>policy</b> (possibly NULL) will allow a
218 * connection to <b>addr</b>:<b>port</b>.
219 */
220 static int
223 {
224 addr_policy_result_t p;
236 }
237 }
239 /** Return true iff <b> policy</b> (possibly NULL) will allow a connection to
240 * <b>addr</b>:<b>port</b>. <b>addr</b> is an IPv4 address given in host
241 * order. */
242 /* XXXX deprecate when possible. */
243 static int
246 {
247 tor_addr_t a;
250 }
252 /** Return true iff we think our firewall will let us make an OR connection to
253 * addr:port. */
254 int
256 {
258 reachable_or_addr_policy);
259 }
261 /** Return true iff we think our firewall will let us make an OR connection to
262 * <b>ri</b>. */
263 int
265 {
266 /* XXXX proposal 118 */
267 tor_addr_t addr;
270 }
272 /** Return true iff we think our firewall will let us make a directory
273 * connection to addr:port. */
274 int
276 {
278 reachable_dir_addr_policy);
279 }
281 /** Return 1 if <b>addr</b> is permitted to connect to our dir port,
282 * based on <b>dir_policy</b>. Else return 0.
283 */
284 int
286 {
288 }
290 /** Return 1 if <b>addr</b> is permitted to connect to our socks port,
291 * based on <b>socks_policy</b>. Else return 0.
292 */
293 int
295 {
297 }
299 /** Return 1 if <b>addr</b>:<b>port</b> is permitted to publish to our
300 * directory, based on <b>authdir_reject_policy</b>. Else return 0.
301 */
302 int
304 {
306 }
308 /** Return 1 if <b>addr</b>:<b>port</b> is considered valid in our
309 * directory, based on <b>authdir_invalid_policy</b>. Else return 0.
310 */
311 int
313 {
315 }
317 /** Return 1 if <b>addr</b>:<b>port</b> should be marked as a bad dir,
318 * based on <b>authdir_baddir_policy</b>. Else return 0.
319 */
320 int
322 {
324 }
326 /** Return 1 if <b>addr</b>:<b>port</b> should be marked as a bad exit,
327 * based on <b>authdir_badexit_policy</b>. Else return 0.
328 */
329 int
331 {
333 }
335 #define REJECT(arg) \
336 STMT_BEGIN *msg = tor_strdup(arg); goto err; STMT_END
338 /** Config helper: If there's any problem with the policy configuration
339 * options in <b>options</b>, return -1 and set <b>msg</b> to a newly
340 * allocated description of the error. Else return 0. */
341 int
343 {
344 /* XXXX Maybe merge this into parse_policies_from_options, to make sure
345 * that the two can't go out of sync. */
355 /* The rest of these calls *append* to addr_policy. So don't actually
356 * use the results for anything other than checking if they parse! */
362 ADDR_POLICY_REJECT))
365 ADDR_POLICY_REJECT))
368 ADDR_POLICY_REJECT))
371 ADDR_POLICY_REJECT))
375 ADDR_POLICY_ACCEPT))
378 ADDR_POLICY_ACCEPT))
381 ADDR_POLICY_ACCEPT))
384 err:
387 #undef REJECT
388 }
390 /** Parse <b>string</b> in the same way that the exit policy
391 * is parsed, and put the processed version in *<b>policy</b>.
392 * Ignore port specifiers.
393 */
394 static int
397 {
404 }
407 /* ports aren't used in these. */
417 }
419 }
421 }
423 /** Set all policies based on <b>options</b>, which should have been validated
424 * first by validate_addr_policies. */
425 int
427 {
448 }
450 /** Compare two provided address policy items, and return -1, 0, or 1
451 * if the first is less than, equal to, or greater than the second. */
452 static int
454 {
469 }
471 /** Like cmp_single_addr_policy() above, but looks at the
472 * whole set of policies in each case. */
473 int
475 {
483 }
488 else
490 }
492 /** Node in hashtable used to store address policy entries. */
500 /** Return true iff a and b are equal. */
503 {
505 }
507 /** Return a hashcode for <b>ent</b> */
508 static unsigned int
510 {
515 else
524 }
527 policy_eq)
531 /** Given a pointer to an addr_policy_t, return a copy of the pointer to the
532 * "canonical" copy of that addr_policy_t; the canonical copy is a single
533 * reference-counted object. */
534 addr_policy_t *
536 {
549 }
554 }
556 /** As compare_tor_addr_to_addr_policy, but instead of a tor_addr_t, takes
557 * in host order. */
558 addr_policy_result_t
561 {
562 /*XXXX deprecate this function when possible. */
563 tor_addr_t a;
566 }
568 /** Helper for compare_tor_addr_to_addr_policy. Implements the case where
569 * addr and port are both known. */
570 static addr_policy_result_t
573 {
574 /* We know the address and port, and we know the policy, so we can just
575 * compute an exact match. */
577 /* Address is known */
579 CMP_EXACT)) {
581 /* Exact match for the policy */
584 }
585 }
588 /* accept all by default. */
590 }
592 /** Helper for compare_tor_addr_to_addr_policy. Implements the case where
593 * addr is known but port is not. */
594 static addr_policy_result_t
597 {
598 /* We look to see if there's a definite match. If so, we return that
599 match's value, unless there's an intervening possible match that says
600 something different. */
605 CMP_EXACT)) {
607 /* Definitely matches, since it covers all ports. */
609 /* If we already hit a clause that might trigger a 'reject', than we
610 * can't be sure of this certain 'accept'.*/
612 ADDR_POLICY_ACCEPTED;
615 ADDR_POLICY_REJECTED;
616 }
618 /* Might match. */
621 else
623 }
624 }
627 /* accept all by default. */
629 }
631 /** Helper for compare_tor_addr_to_addr_policy. Implements the case where
632 * port is known but address is not. */
633 static addr_policy_result_t
636 {
637 /* We look to see if there's a definite match. If so, we return that
638 match's value, unless there's an intervening possible match that says
639 something different. */
645 /* Definitely matches, since it covers all addresses. */
647 /* If we already hit a clause that might trigger a 'reject', than we
648 * can't be sure of this certain 'accept'.*/
650 ADDR_POLICY_ACCEPTED;
653 ADDR_POLICY_REJECTED;
654 }
656 /* Might match. */
659 else
661 }
662 }
665 /* accept all by default. */
667 }
669 /** Decide whether a given addr:port is definitely accepted,
670 * definitely rejected, probably accepted, or probably rejected by a
671 * given policy. If <b>addr</b> is 0, we don't know the IP of the
672 * target address. If <b>port</b> is 0, we don't know the port of the
673 * target address. (At least one of <b>addr</b> and <b>port</b> must be
674 * provided. If you want to know whether a policy would definitely reject
675 * an unknown address:port, use policy_is_reject_star().)
676 *
677 * We could do better by assuming that some ranges never match typical
678 * addresses (127.0.0.1, and so on). But we'll try this for now.
679 */
680 addr_policy_result_t
683 {
685 /* no policy? accept all. */
694 }
695 }
697 /** Return true iff the address policy <b>a</b> covers every case that
698 * would be covered by <b>b</b>, so that a,b is redundant. */
699 static int
701 {
702 /* We can ignore accept/reject, since "accept *:80, reject *:80" reduces
703 * to "accept *:80". */
705 /* a has more fixed bits than b; it can't possibly cover b. */
707 }
709 /* There's a fixed bit in a that's set differently in b. */
711 }
713 }
715 /** Return true iff the address policies <b>a</b> and <b>b</b> intersect,
716 * that is, there exists an address/port that is covered by <b>a</b> that
717 * is also covered by <b>b</b>.
718 */
719 static int
721 {
722 maskbits_t minbits;
723 /* All the bits we care about are those that are set in both
724 * netmasks. If they are equal in a and b's networkaddresses
725 * then the networks intersect. If there is a difference,
726 * then they do not. */
729 else
736 }
738 /** Add the exit policy described by <b>more</b> to <b>policy</b>.
739 */
740 static void
742 {
743 config_line_t tmp;
750 }
751 }
753 /** Detect and excise "dead code" from the policy *<b>dest</b>. */
754 static void
756 {
760 /* Step one: find a *:* entry and cut off everything after it. */
764 /* This is a catch-all line -- later lines are unreachable. */
769 }
771 }
772 }
774 /* Step two: for every entry, see if there's a redundant entry
775 * later on, and remove it. */
789 }
790 }
791 }
793 /* Step three: for every entry A, see if there's an entry B making this one
794 * redundant later on. This is the case if A and B are of the same type
795 * (accept/reject), A is a subset of B, and there is no other entry of
796 * different type in between those two that intersects with A.
797 *
798 * Anybody want to double-check the logic here? XXX
799 */
803 // tor_assert(j > i); // j starts out at i+1; j only increases; i only
804 // // decreases.
819 }
820 }
821 }
822 }
823 }
825 #define DEFAULT_EXIT_POLICY \
828 "reject *:6346-6429,reject *:6699,reject *:6881-6999,accept *:*"
830 /** Parse the exit policy <b>cfg</b> into the linked list *<b>dest</b>. If
831 * cfg doesn't end in an absolute accept or reject and if
832 * <b>add_default_policy</b> is true, add the default exit
833 * policy afterwards. If <b>rejectprivate</b> is true, prepend
834 * "reject private:*" to the policy. Return -1 if we can't parse cfg,
835 * else return 0.
836 */
837 int
841 {
848 }
849 }
854 else
859 }
861 /** Replace the exit policy of <b>r</b> with reject *:*. */
862 void
864 {
870 }
872 /** Return 1 if there is at least one /8 subnet in <b>policy</b> that
873 * allows exiting to <b>port</b>. Otherwise, return 0. */
874 static int
876 {
878 /* Is this /8 rejected (1), or undecided (0)? */
892 /* Calculate the first and last subnet that this exit policy touches
893 * and set it as loop boundaries. */
895 tor_addr_t addr;
904 /* We found an allowed subnet of at least size /8. Done
905 * for this port! */
909 }
910 }
911 });
913 }
915 /** Return true iff <b>ri</b> is "useful as an exit node", meaning
916 * it allows exit to at least one /8 address space for at least
917 * two of ports 80, 443, and 6667. */
918 int
920 {
929 }
931 }
933 /** Return false if <b>policy</b> might permit access to some addr:port;
934 * otherwise if we are certain it rejects everything, return true. */
935 int
937 {
947 });
949 }
951 /** Write a single address policy to the buf_len byte buffer at buf. Return
952 * the number of characters written, or -1 on failure. */
953 int
956 {
966 /* write accept/reject 1.2.3.4 */
971 else
978 addrpart);
982 /* If the maskbits is 32 we don't need to give it. If the mask is 0,
983 * we already wrote "*". */
988 }
990 /* There is no port set; write ":*" */
996 /* There is only one port; write ":80". */
1002 /* There is a range of ports; write ":79-80". */
1008 }
1011 else
1015 }
1017 /** Create a new exit policy summary, initially only with a single
1018 * port 1-64k item */
1019 /* XXXX This entire thing will do most stuff in O(N^2), or worse. Use an
1020 * RB-tree if that turns out to matter. */
1023 {
1037 }
1039 /** Split the summary item in <b>item</b> at the port <b>new_starts</b>.
1040 * The current item is changed to end at new-starts - 1, the new item
1041 * copies reject_count and accepted from the old item,
1042 * starts at new_starts and ends at the port where the original item
1043 * previously ended.
1044 */
1047 {
1061 }
1063 /* XXXX Nick says I'm going to hell for this. If he feels charitably towards
1064 * my immortal soul, he can clean it up himself. */
1065 #define AT(x) ((policy_summary_item_t*)smartlist_get(summary, x))
1067 #define REJECT_CUTOFF_COUNT (1<<25)
1068 /** Split an exit policy summary so that prt_min and prt_max
1069 * fall at exactly the start and end of an item respectively.
1070 */
1071 static int
1074 {
1078 /* XXXX Do a binary search if run time matters */
1080 i++;
1085 i++;
1086 }
1090 i++;
1095 }
1098 }
1100 /** Mark port ranges as accepted if they are below the reject_count */
1101 static void
1104 {
1111 i++;
1112 }
1114 }
1116 /** Count the number of addresses in a network with prefixlen maskbits
1117 * against the given portrange. */
1118 static void
1120 maskbits_t maskbits,
1122 {
1124 /* XXX: ipv4 specific */
1129 i++;
1130 }
1132 }
1134 /** Add a single exit policy item to our summary:
1135 * If it is an accept ignore it unless it is for all IP addresses
1136 * ("*"), i.e. it's prefixlen/maskbits is 0, else call
1137 * policy_summary_accept().
1138 * If it's a reject ignore it if it is about one of the private
1139 * networks, else call policy_summary_reject().
1140 */
1141 static void
1143 {
1147 }
1153 tor_addr_t addr;
1154 maskbits_t maskbits;
1158 }
1163 }
1164 }
1168 }
1171 }
1173 /** Create a string representing a summary for an exit policy.
1174 * The summary will either be an "accept" plus a comma-separated list of port
1175 * ranges or a "reject" plus port-ranges, depending on which is shorter.
1176 *
1177 * If no exits are allowed at all then NULL is returned, if no ports
1178 * are blocked instead of "reject " we return "accept 1-65535" (this
1179 * is an exception to the shorter-representation-wins rule).
1180 */
1183 {
1193 /* Create the summary list */
1196 });
1198 /* Now create two lists of strings, one for accepted and one
1199 * for rejected ports. We take care to merge ranges so that
1200 * we avoid getting stuff like "1-4,5-9,10", instead we want
1201 * "1-10"
1202 */
1215 else
1220 else
1227 };
1228 i++;
1229 };
1231 /* Figure out which of the two stringlists will be shorter and use
1232 * that to build the result
1233 */
1237 }
1241 }
1254 c--;
1268 }
1275 cleanup:
1276 /* cleanup */
1289 }
1291 /** Implementation for GETINFO control command: knows the answer for questions
1292 * about "exit-policy/..." */
1293 int
1297 {
1302 }
1304 }
1306 /** Release all storage held by <b>p</b>. */
1307 void
1309 {
1314 }
1316 /** Release all storage held by <b>p</b>. */
1317 void
1319 {
1331 }
1332 }
1334 }
1335 }
1337 /** Release all storage held by policy variables. */
1338 void
1340 {
1366 /* Note the first 10 cached policies to try to figure out where they
1367 * might be coming from. */
1373 }
1374 }
1376 }