policies.c 108 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516517518519520521522523524525526527528529530531532533534535536537538539540541542543544545546547548549550551552553554555556557558559560561562563564565566567568569570571572573574575576577578579580581582583584585586587588589590591592593594595596597598599600601602603604605606607608609610611612613614615616617618619620621622623624625626627628629630631632633634635636637638639640641642643644645646647648649650651652653654655656657658659660661662663664665666667668669670671672673674675676677678679680681682683684685686687688689690691692693694695696697698699700701702703704705706707708709710711712713714715716717718719720721722723724725726727728729730731732733734735736737738739740741742743744745746747748749750751752753754755756757758759760761762763764765766767768769770771772773774775776777778779780781782783784785786787788789790791792793794795796797798799800801802803804805806807808809810811812813814815816817818819820821822823824825826827828829830831832833834835836837838839840841842843844845846847848849850851852853854855856857858859860861862863864865866867868869870871872873874875876877878879880881882883884885886887888889890891892893894895896897898899900901902903904905906907908909910911912913914915916917918919920921922923924925926927928929930931932933934935936937938939940941942943944945946947948949950951952953954955956957958959960961962963964965966967968969970971972973974975976977978979980981982983984985986987988989990991992993994995996997998999100010011002100310041005100610071008100910101011101210131014101510161017101810191020102110221023102410251026102710281029103010311032103310341035103610371038103910401041104210431044104510461047104810491050105110521053105410551056105710581059106010611062106310641065106610671068106910701071107210731074107510761077107810791080108110821083108410851086108710881089109010911092109310941095109610971098109911001101110211031104110511061107110811091110111111121113111411151116111711181119112011211122112311241125112611271128112911301131113211331134113511361137113811391140114111421143114411451146114711481149115011511152115311541155115611571158115911601161116211631164116511661167116811691170117111721173117411751176117711781179118011811182118311841185118611871188118911901191119211931194119511961197119811991200120112021203120412051206120712081209121012111212121312141215121612171218121912201221122212231224122512261227122812291230123112321233123412351236123712381239124012411242124312441245124612471248124912501251125212531254125512561257125812591260126112621263126412651266126712681269127012711272127312741275127612771278127912801281128212831284128512861287128812891290129112921293129412951296129712981299130013011302130313041305130613071308130913101311131213131314131513161317131813191320132113221323132413251326132713281329133013311332133313341335133613371338133913401341134213431344134513461347134813491350135113521353135413551356135713581359136013611362136313641365136613671368136913701371137213731374137513761377137813791380138113821383138413851386138713881389139013911392139313941395139613971398139914001401140214031404140514061407140814091410141114121413141414151416141714181419142014211422142314241425142614271428142914301431143214331434143514361437143814391440144114421443144414451446144714481449145014511452145314541455145614571458145914601461146214631464146514661467146814691470147114721473147414751476147714781479148014811482148314841485148614871488148914901491149214931494149514961497149814991500150115021503150415051506150715081509151015111512151315141515151615171518151915201521152215231524152515261527152815291530153115321533153415351536153715381539154015411542154315441545154615471548154915501551155215531554155515561557155815591560156115621563156415651566156715681569157015711572157315741575157615771578157915801581158215831584158515861587158815891590159115921593159415951596159715981599160016011602160316041605160616071608160916101611161216131614161516161617161816191620162116221623162416251626162716281629163016311632163316341635163616371638163916401641164216431644164516461647164816491650165116521653165416551656165716581659166016611662166316641665166616671668166916701671167216731674167516761677167816791680168116821683168416851686168716881689169016911692169316941695169616971698169917001701170217031704170517061707170817091710171117121713171417151716171717181719172017211722172317241725172617271728172917301731173217331734173517361737173817391740174117421743174417451746174717481749175017511752175317541755175617571758175917601761176217631764176517661767176817691770177117721773177417751776177717781779178017811782178317841785178617871788178917901791179217931794179517961797179817991800180118021803180418051806180718081809181018111812181318141815181618171818181918201821182218231824182518261827182818291830183118321833183418351836183718381839184018411842184318441845184618471848184918501851185218531854185518561857185818591860186118621863186418651866186718681869187018711872187318741875187618771878187918801881188218831884188518861887188818891890189118921893189418951896189718981899190019011902190319041905190619071908190919101911191219131914191519161917191819191920192119221923192419251926192719281929193019311932193319341935193619371938193919401941194219431944194519461947194819491950195119521953195419551956195719581959196019611962196319641965196619671968196919701971197219731974197519761977197819791980198119821983198419851986198719881989199019911992199319941995199619971998199920002001200220032004200520062007200820092010201120122013201420152016201720182019202020212022202320242025202620272028202920302031203220332034203520362037203820392040204120422043204420452046204720482049205020512052205320542055205620572058205920602061206220632064206520662067206820692070207120722073207420752076207720782079208020812082208320842085208620872088208920902091209220932094209520962097209820992100210121022103210421052106210721082109211021112112211321142115211621172118211921202121212221232124212521262127212821292130213121322133213421352136213721382139214021412142214321442145214621472148214921502151215221532154215521562157215821592160216121622163216421652166216721682169217021712172217321742175217621772178217921802181218221832184218521862187218821892190219121922193219421952196219721982199220022012202220322042205220622072208220922102211221222132214221522162217221822192220222122222223222422252226222722282229223022312232223322342235223622372238223922402241224222432244224522462247224822492250225122522253225422552256225722582259226022612262226322642265226622672268226922702271227222732274227522762277227822792280228122822283228422852286228722882289229022912292229322942295229622972298229923002301230223032304230523062307230823092310231123122313231423152316231723182319232023212322232323242325232623272328232923302331233223332334233523362337233823392340234123422343234423452346234723482349235023512352235323542355235623572358235923602361236223632364236523662367236823692370237123722373237423752376237723782379238023812382238323842385238623872388238923902391239223932394239523962397239823992400240124022403240424052406240724082409241024112412241324142415241624172418241924202421242224232424242524262427242824292430243124322433243424352436243724382439244024412442244324442445244624472448244924502451245224532454245524562457245824592460246124622463246424652466246724682469247024712472247324742475247624772478247924802481248224832484248524862487248824892490249124922493249424952496249724982499250025012502250325042505250625072508250925102511251225132514251525162517251825192520252125222523252425252526252725282529253025312532253325342535253625372538253925402541254225432544254525462547254825492550255125522553255425552556255725582559256025612562256325642565256625672568256925702571257225732574257525762577257825792580258125822583258425852586258725882589259025912592259325942595259625972598259926002601260226032604260526062607260826092610261126122613261426152616261726182619262026212622262326242625262626272628262926302631263226332634263526362637263826392640264126422643264426452646264726482649265026512652265326542655265626572658265926602661266226632664266526662667266826692670267126722673267426752676267726782679268026812682268326842685268626872688268926902691269226932694269526962697269826992700270127022703270427052706270727082709271027112712271327142715271627172718271927202721272227232724272527262727272827292730273127322733273427352736273727382739274027412742274327442745274627472748274927502751275227532754275527562757275827592760276127622763276427652766276727682769277027712772277327742775277627772778277927802781278227832784278527862787278827892790279127922793279427952796279727982799280028012802280328042805280628072808280928102811281228132814281528162817281828192820282128222823282428252826282728282829283028312832283328342835283628372838283928402841284228432844284528462847284828492850285128522853285428552856285728582859286028612862286328642865286628672868286928702871287228732874287528762877287828792880288128822883288428852886288728882889289028912892289328942895289628972898289929002901290229032904290529062907290829092910291129122913291429152916291729182919292029212922292329242925292629272928292929302931293229332934293529362937293829392940294129422943294429452946294729482949295029512952295329542955295629572958295929602961296229632964296529662967296829692970297129722973297429752976297729782979298029812982298329842985298629872988298929902991299229932994299529962997299829993000300130023003300430053006300730083009301030113012301330143015301630173018301930203021302230233024302530263027302830293030303130323033303430353036303730383039304030413042304330443045304630473048304930503051305230533054305530563057305830593060306130623063306430653066306730683069307030713072307330743075307630773078307930803081308230833084308530863087308830893090309130923093309430953096309730983099310031013102310331043105310631073108310931103111311231133114
  1. /* Copyright (c) 2001-2004, Roger Dingledine.
  2. * Copyright (c) 2004-2006, Roger Dingledine, Nick Mathewson.
  3. * Copyright (c) 2007-2017, The Tor Project, Inc. */
  4. /* See LICENSE for licensing information */
  5. /**
  6. * \file policies.c
  7. * \brief Code to parse and use address policies and exit policies.
  8. *
  9. * We have two key kinds of address policy: full and compressed. A full
  10. * policy is an array of accept/reject patterns, to be applied in order.
  11. * A short policy is simply a list of ports. This module handles both
  12. * kinds, including generic functions to apply them to addresses, and
  13. * also including code to manage the global policies that we apply to
  14. * incoming and outgoing connections.
  15. **/
  16. #define POLICIES_PRIVATE
  17. #include "or.h"
  18. #include "config.h"
  19. #include "dirserv.h"
  20. #include "microdesc.h"
  21. #include "networkstatus.h"
  22. #include "nodelist.h"
  23. #include "policies.h"
  24. #include "router.h"
  25. #include "routerparse.h"
  26. #include "geoip.h"
  27. #include "ht.h"
  28. /** Policy that addresses for incoming SOCKS connections must match. */
  29. static smartlist_t *socks_policy = NULL;
  30. /** Policy that addresses for incoming directory connections must match. */
  31. static smartlist_t *dir_policy = NULL;
  32. /** Policy that addresses for incoming router descriptors must match in order
  33. * to be published by us. */
  34. static smartlist_t *authdir_reject_policy = NULL;
  35. /** Policy that addresses for incoming router descriptors must match in order
  36. * to be marked as valid in our networkstatus. */
  37. static smartlist_t *authdir_invalid_policy = NULL;
  38. /** Policy that addresses for incoming router descriptors must <b>not</b>
  39. * match in order to not be marked as BadExit. */
  40. static smartlist_t *authdir_badexit_policy = NULL;
  41. /** Parsed addr_policy_t describing which addresses we believe we can start
  42. * circuits at. */
  43. static smartlist_t *reachable_or_addr_policy = NULL;
  44. /** Parsed addr_policy_t describing which addresses we believe we can connect
  45. * to directories at. */
  46. static smartlist_t *reachable_dir_addr_policy = NULL;
  47. /** Element of an exit policy summary */
  48. typedef struct policy_summary_item_t {
  49. uint16_t prt_min; /**< Lowest port number to accept/reject. */
  50. uint16_t prt_max; /**< Highest port number to accept/reject. */
  51. uint64_t reject_count; /**< Number of IP-Addresses that are rejected to
  52. this port range. */
  53. unsigned int accepted:1; /** Has this port already been accepted */
  54. } policy_summary_item_t;
  55. /** Private networks. This list is used in two places, once to expand the
  56. * "private" keyword when parsing our own exit policy, secondly to ignore
  57. * just such networks when building exit policy summaries. It is important
  58. * that all authorities agree on that list when creating summaries, so don't
  59. * just change this without a proper migration plan and a proposal and stuff.
  60. */
  61. static const char *private_nets[] = {
  62. "0.0.0.0/8", "169.254.0.0/16",
  63. "127.0.0.0/8", "192.168.0.0/16", "10.0.0.0/8", "172.16.0.0/12",
  64. "[::]/8",
  65. "[fc00::]/7", "[fe80::]/10", "[fec0::]/10", "[ff00::]/8", "[::]/127",
  66. NULL
  67. };
  68. static int policies_parse_exit_policy_internal(
  69. config_line_t *cfg,
  70. smartlist_t **dest,
  71. int ipv6_exit,
  72. int rejectprivate,
  73. const smartlist_t *configured_addresses,
  74. int reject_interface_addresses,
  75. int reject_configured_port_addresses,
  76. int add_default_policy,
  77. int add_reduced_policy);
  78. /** Replace all "private" entries in *<b>policy</b> with their expanded
  79. * equivalents. */
  80. void
  81. policy_expand_private(smartlist_t **policy)
  82. {
  83. uint16_t port_min, port_max;
  84. int i;
  85. smartlist_t *tmp;
  86. if (!*policy) /*XXXX disallow NULL policies? */
  87. return;
  88. tmp = smartlist_new();
  89. SMARTLIST_FOREACH_BEGIN(*policy, addr_policy_t *, p) {
  90. if (! p->is_private) {
  91. smartlist_add(tmp, p);
  92. continue;
  93. }
  94. for (i = 0; private_nets[i]; ++i) {
  95. addr_policy_t newpolicy;
  96. memcpy(&newpolicy, p, sizeof(addr_policy_t));
  97. newpolicy.is_private = 0;
  98. newpolicy.is_canonical = 0;
  99. if (tor_addr_parse_mask_ports(private_nets[i], 0,
  100. &newpolicy.addr,
  101. &newpolicy.maskbits, &port_min, &port_max)<0) {
  102. tor_assert_unreached();
  103. }
  104. smartlist_add(tmp, addr_policy_get_canonical_entry(&newpolicy));
  105. }
  106. addr_policy_free(p);
  107. } SMARTLIST_FOREACH_END(p);
  108. smartlist_free(*policy);
  109. *policy = tmp;
  110. }
  111. /** Expand each of the AF_UNSPEC elements in *<b>policy</b> (which indicate
  112. * protocol-neutral wildcards) into a pair of wildcard elements: one IPv4-
  113. * specific and one IPv6-specific. */
  114. void
  115. policy_expand_unspec(smartlist_t **policy)
  116. {
  117. smartlist_t *tmp;
  118. if (!*policy)
  119. return;
  120. tmp = smartlist_new();
  121. SMARTLIST_FOREACH_BEGIN(*policy, addr_policy_t *, p) {
  122. sa_family_t family = tor_addr_family(&p->addr);
  123. if (family == AF_INET6 || family == AF_INET || p->is_private) {
  124. smartlist_add(tmp, p);
  125. } else if (family == AF_UNSPEC) {
  126. addr_policy_t newpolicy_ipv4;
  127. addr_policy_t newpolicy_ipv6;
  128. memcpy(&newpolicy_ipv4, p, sizeof(addr_policy_t));
  129. memcpy(&newpolicy_ipv6, p, sizeof(addr_policy_t));
  130. newpolicy_ipv4.is_canonical = 0;
  131. newpolicy_ipv6.is_canonical = 0;
  132. if (p->maskbits != 0) {
  133. log_warn(LD_BUG, "AF_UNSPEC policy with maskbits==%d", p->maskbits);
  134. newpolicy_ipv4.maskbits = 0;
  135. newpolicy_ipv6.maskbits = 0;
  136. }
  137. tor_addr_from_ipv4h(&newpolicy_ipv4.addr, 0);
  138. tor_addr_from_ipv6_bytes(&newpolicy_ipv6.addr,
  139. "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0");
  140. smartlist_add(tmp, addr_policy_get_canonical_entry(&newpolicy_ipv4));
  141. smartlist_add(tmp, addr_policy_get_canonical_entry(&newpolicy_ipv6));
  142. addr_policy_free(p);
  143. } else {
  144. log_warn(LD_BUG, "Funny-looking address policy with family %d", family);
  145. smartlist_add(tmp, p);
  146. }
  147. } SMARTLIST_FOREACH_END(p);
  148. smartlist_free(*policy);
  149. *policy = tmp;
  150. }
  151. /**
  152. * Given a linked list of config lines containing "accept[6]" and "reject[6]"
  153. * tokens, parse them and append the result to <b>dest</b>. Return -1
  154. * if any tokens are malformed (and don't append any), else return 0.
  155. *
  156. * If <b>assume_action</b> is nonnegative, then insert its action
  157. * (ADDR_POLICY_ACCEPT or ADDR_POLICY_REJECT) for items that specify no
  158. * action.
  159. */
  160. static int
  161. parse_addr_policy(config_line_t *cfg, smartlist_t **dest,
  162. int assume_action)
  163. {
  164. smartlist_t *result;
  165. smartlist_t *entries;
  166. addr_policy_t *item;
  167. int malformed_list;
  168. int r = 0;
  169. if (!cfg)
  170. return 0;
  171. result = smartlist_new();
  172. entries = smartlist_new();
  173. for (; cfg; cfg = cfg->next) {
  174. smartlist_split_string(entries, cfg->value, ",",
  175. SPLIT_SKIP_SPACE|SPLIT_IGNORE_BLANK, 0);
  176. SMARTLIST_FOREACH_BEGIN(entries, const char *, ent) {
  177. log_debug(LD_CONFIG,"Adding new entry '%s'",ent);
  178. malformed_list = 0;
  179. item = router_parse_addr_policy_item_from_string(ent, assume_action,
  180. &malformed_list);
  181. if (item) {
  182. smartlist_add(result, item);
  183. } else if (malformed_list) {
  184. /* the error is so severe the entire list should be discarded */
  185. log_warn(LD_CONFIG, "Malformed policy '%s'. Discarding entire policy "
  186. "list.", ent);
  187. r = -1;
  188. } else {
  189. /* the error is minor: don't add the item, but keep processing the
  190. * rest of the policies in the list */
  191. log_debug(LD_CONFIG, "Ignored policy '%s' due to non-fatal error. "
  192. "The remainder of the policy list will be used.",
  193. ent);
  194. }
  195. } SMARTLIST_FOREACH_END(ent);
  196. SMARTLIST_FOREACH(entries, char *, ent, tor_free(ent));
  197. smartlist_clear(entries);
  198. }
  199. smartlist_free(entries);
  200. if (r == -1) {
  201. addr_policy_list_free(result);
  202. } else {
  203. policy_expand_private(&result);
  204. policy_expand_unspec(&result);
  205. if (*dest) {
  206. smartlist_add_all(*dest, result);
  207. smartlist_free(result);
  208. } else {
  209. *dest = result;
  210. }
  211. }
  212. return r;
  213. }
  214. /** Helper: parse the Reachable(Dir|OR)?Addresses fields into
  215. * reachable_(or|dir)_addr_policy. The options should already have
  216. * been validated by validate_addr_policies.
  217. */
  218. static int
  219. parse_reachable_addresses(void)
  220. {
  221. const or_options_t *options = get_options();
  222. int ret = 0;
  223. if (options->ReachableDirAddresses &&
  224. options->ReachableORAddresses &&
  225. options->ReachableAddresses) {
  226. log_warn(LD_CONFIG,
  227. "Both ReachableDirAddresses and ReachableORAddresses are set. "
  228. "ReachableAddresses setting will be ignored.");
  229. }
  230. addr_policy_list_free(reachable_or_addr_policy);
  231. reachable_or_addr_policy = NULL;
  232. if (!options->ReachableORAddresses && options->ReachableAddresses)
  233. log_info(LD_CONFIG,
  234. "Using ReachableAddresses as ReachableORAddresses.");
  235. if (parse_addr_policy(options->ReachableORAddresses ?
  236. options->ReachableORAddresses :
  237. options->ReachableAddresses,
  238. &reachable_or_addr_policy, ADDR_POLICY_ACCEPT)) {
  239. log_warn(LD_CONFIG,
  240. "Error parsing Reachable%sAddresses entry; ignoring.",
  241. options->ReachableORAddresses ? "OR" : "");
  242. ret = -1;
  243. }
  244. addr_policy_list_free(reachable_dir_addr_policy);
  245. reachable_dir_addr_policy = NULL;
  246. if (!options->ReachableDirAddresses && options->ReachableAddresses)
  247. log_info(LD_CONFIG,
  248. "Using ReachableAddresses as ReachableDirAddresses");
  249. if (parse_addr_policy(options->ReachableDirAddresses ?
  250. options->ReachableDirAddresses :
  251. options->ReachableAddresses,
  252. &reachable_dir_addr_policy, ADDR_POLICY_ACCEPT)) {
  253. if (options->ReachableDirAddresses)
  254. log_warn(LD_CONFIG,
  255. "Error parsing ReachableDirAddresses entry; ignoring.");
  256. ret = -1;
  257. }
  258. /* We ignore ReachableAddresses for relays */
  259. if (!server_mode(options)) {
  260. if (policy_is_reject_star(reachable_or_addr_policy, AF_UNSPEC, 0)
  261. || policy_is_reject_star(reachable_dir_addr_policy, AF_UNSPEC,0)) {
  262. log_warn(LD_CONFIG, "Tor cannot connect to the Internet if "
  263. "ReachableAddresses, ReachableORAddresses, or "
  264. "ReachableDirAddresses reject all addresses. Please accept "
  265. "some addresses in these options.");
  266. } else if (options->ClientUseIPv4 == 1
  267. && (policy_is_reject_star(reachable_or_addr_policy, AF_INET, 0)
  268. || policy_is_reject_star(reachable_dir_addr_policy, AF_INET, 0))) {
  269. log_warn(LD_CONFIG, "You have set ClientUseIPv4 1, but "
  270. "ReachableAddresses, ReachableORAddresses, or "
  271. "ReachableDirAddresses reject all IPv4 addresses. "
  272. "Tor will not connect using IPv4.");
  273. } else if (fascist_firewall_use_ipv6(options)
  274. && (policy_is_reject_star(reachable_or_addr_policy, AF_INET6, 0)
  275. || policy_is_reject_star(reachable_dir_addr_policy, AF_INET6, 0))) {
  276. log_warn(LD_CONFIG, "You have configured tor to use or prefer IPv6 "
  277. "(or UseBridges 1), but "
  278. "ReachableAddresses, ReachableORAddresses, or "
  279. "ReachableDirAddresses reject all IPv6 addresses. "
  280. "Tor will not connect using IPv6.");
  281. }
  282. }
  283. return ret;
  284. }
  285. /* Return true iff ClientUseIPv4 0 or ClientUseIPv6 0 might block any OR or Dir
  286. * address:port combination. */
  287. static int
  288. firewall_is_fascist_impl(void)
  289. {
  290. const or_options_t *options = get_options();
  291. /* Assume every non-bridge relay has an IPv4 address.
  292. * Clients which use bridges may only know the IPv6 address of their
  293. * bridge, but they will connect regardless of the ClientUseIPv6 setting. */
  294. return options->ClientUseIPv4 == 0;
  295. }
  296. /** Return true iff the firewall options, including ClientUseIPv4 0 and
  297. * ClientUseIPv6 0, might block any OR address:port combination.
  298. * Address preferences may still change which address is selected even if
  299. * this function returns false.
  300. */
  301. int
  302. firewall_is_fascist_or(void)
  303. {
  304. return (reachable_or_addr_policy != NULL || firewall_is_fascist_impl());
  305. }
  306. /** Return true iff the firewall options, including ClientUseIPv4 0 and
  307. * ClientUseIPv6 0, might block any Dir address:port combination.
  308. * Address preferences may still change which address is selected even if
  309. * this function returns false.
  310. */
  311. int
  312. firewall_is_fascist_dir(void)
  313. {
  314. return (reachable_dir_addr_policy != NULL || firewall_is_fascist_impl());
  315. }
  316. /** Return true iff <b>policy</b> (possibly NULL) will allow a
  317. * connection to <b>addr</b>:<b>port</b>.
  318. */
  319. static int
  320. addr_policy_permits_tor_addr(const tor_addr_t *addr, uint16_t port,
  321. smartlist_t *policy)
  322. {
  323. addr_policy_result_t p;
  324. p = compare_tor_addr_to_addr_policy(addr, port, policy);
  325. switch (p) {
  326. case ADDR_POLICY_PROBABLY_ACCEPTED:
  327. case ADDR_POLICY_ACCEPTED:
  328. return 1;
  329. case ADDR_POLICY_PROBABLY_REJECTED:
  330. case ADDR_POLICY_REJECTED:
  331. return 0;
  332. default:
  333. log_warn(LD_BUG, "Unexpected result: %d", (int)p);
  334. return 0;
  335. }
  336. }
  337. /** Return true iff <b> policy</b> (possibly NULL) will allow a connection to
  338. * <b>addr</b>:<b>port</b>. <b>addr</b> is an IPv4 address given in host
  339. * order. */
  340. /* XXXX deprecate when possible. */
  341. static int
  342. addr_policy_permits_address(uint32_t addr, uint16_t port,
  343. smartlist_t *policy)
  344. {
  345. tor_addr_t a;
  346. tor_addr_from_ipv4h(&a, addr);
  347. return addr_policy_permits_tor_addr(&a, port, policy);
  348. }
  349. /** Return true iff we think our firewall will let us make a connection to
  350. * addr:port.
  351. *
  352. * If we are configured as a server, ignore any address family preference and
  353. * just use IPv4.
  354. * Otherwise:
  355. * - return false for all IPv4 addresses:
  356. * - if ClientUseIPv4 is 0, or
  357. * if pref_only and pref_ipv6 are both true;
  358. * - return false for all IPv6 addresses:
  359. * - if fascist_firewall_use_ipv6() is 0, or
  360. * - if pref_only is true and pref_ipv6 is false.
  361. *
  362. * Return false if addr is NULL or tor_addr_is_null(), or if port is 0. */
  363. STATIC int
  364. fascist_firewall_allows_address(const tor_addr_t *addr,
  365. uint16_t port,
  366. smartlist_t *firewall_policy,
  367. int pref_only, int pref_ipv6)
  368. {
  369. const or_options_t *options = get_options();
  370. const int client_mode = !server_mode(options);
  371. if (!addr || tor_addr_is_null(addr) || !port) {
  372. return 0;
  373. }
  374. /* Clients stop using IPv4 if it's disabled. In most cases, clients also
  375. * stop using IPv4 if it's not preferred.
  376. * Servers must have IPv4 enabled and preferred. */
  377. if (tor_addr_family(addr) == AF_INET && client_mode &&
  378. (!options->ClientUseIPv4 || (pref_only && pref_ipv6))) {
  379. return 0;
  380. }
  381. /* Clients and Servers won't use IPv6 unless it's enabled (and in most
  382. * cases, IPv6 must also be preferred before it will be used). */
  383. if (tor_addr_family(addr) == AF_INET6 &&
  384. (!fascist_firewall_use_ipv6(options) || (pref_only && !pref_ipv6))) {
  385. return 0;
  386. }
  387. return addr_policy_permits_tor_addr(addr, port,
  388. firewall_policy);
  389. }
  390. /** Is this client configured to use IPv6?
  391. * Returns true if the client might use IPv6 for some of its connections
  392. * (including dual-stack and IPv6-only clients), and false if it will never
  393. * use IPv6 for any connections.
  394. * Use node_ipv6_or/dir_preferred() when checking a specific node and OR/Dir
  395. * port: it supports bridge client per-node IPv6 preferences.
  396. */
  397. int
  398. fascist_firewall_use_ipv6(const or_options_t *options)
  399. {
  400. /* Clients use IPv6 if it's set, or they use bridges, or they don't use
  401. * IPv4, or they prefer it.
  402. * ClientPreferIPv6DirPort is deprecated, but check it anyway. */
  403. return (options->ClientUseIPv6 == 1 || options->ClientUseIPv4 == 0 ||
  404. options->ClientPreferIPv6ORPort == 1 ||
  405. options->ClientPreferIPv6DirPort == 1 || options->UseBridges == 1);
  406. }
  407. /** Do we prefer to connect to IPv6, ignoring ClientPreferIPv6ORPort and
  408. * ClientPreferIPv6DirPort?
  409. * If we're unsure, return -1, otherwise, return 1 for IPv6 and 0 for IPv4.
  410. */
  411. static int
  412. fascist_firewall_prefer_ipv6_impl(const or_options_t *options)
  413. {
  414. /*
  415. Cheap implementation of config options ClientUseIPv4 & ClientUseIPv6 --
  416. If we're a server or IPv6 is disabled, use IPv4.
  417. If IPv4 is disabled, use IPv6.
  418. */
  419. if (server_mode(options) || !fascist_firewall_use_ipv6(options)) {
  420. return 0;
  421. }
  422. if (!options->ClientUseIPv4) {
  423. return 1;
  424. }
  425. return -1;
  426. }
  427. /** Do we prefer to connect to IPv6 ORPorts?
  428. * Use node_ipv6_or_preferred() whenever possible: it supports bridge client
  429. * per-node IPv6 preferences.
  430. */
  431. int
  432. fascist_firewall_prefer_ipv6_orport(const or_options_t *options)
  433. {
  434. int pref_ipv6 = fascist_firewall_prefer_ipv6_impl(options);
  435. if (pref_ipv6 >= 0) {
  436. return pref_ipv6;
  437. }
  438. /* We can use both IPv4 and IPv6 - which do we prefer? */
  439. if (options->ClientPreferIPv6ORPort == 1) {
  440. return 1;
  441. }
  442. return 0;
  443. }
  444. /** Do we prefer to connect to IPv6 DirPorts?
  445. *
  446. * (node_ipv6_dir_preferred() doesn't support bridge client per-node IPv6
  447. * preferences. There's no reason to use it instead of this function.)
  448. */
  449. int
  450. fascist_firewall_prefer_ipv6_dirport(const or_options_t *options)
  451. {
  452. int pref_ipv6 = fascist_firewall_prefer_ipv6_impl(options);
  453. if (pref_ipv6 >= 0) {
  454. return pref_ipv6;
  455. }
  456. /* We can use both IPv4 and IPv6 - which do we prefer? */
  457. if (options->ClientPreferIPv6DirPort == 1) {
  458. return 1;
  459. }
  460. return 0;
  461. }
  462. /** Return true iff we think our firewall will let us make a connection to
  463. * addr:port. Uses ReachableORAddresses or ReachableDirAddresses based on
  464. * fw_connection.
  465. * If pref_only is true, return true if addr is in the client's preferred
  466. * address family, which is IPv6 if pref_ipv6 is true, and IPv4 otherwise.
  467. * If pref_only is false, ignore pref_ipv6, and return true if addr is allowed.
  468. */
  469. int
  470. fascist_firewall_allows_address_addr(const tor_addr_t *addr, uint16_t port,
  471. firewall_connection_t fw_connection,
  472. int pref_only, int pref_ipv6)
  473. {
  474. if (fw_connection == FIREWALL_OR_CONNECTION) {
  475. return fascist_firewall_allows_address(addr, port,
  476. reachable_or_addr_policy,
  477. pref_only, pref_ipv6);
  478. } else if (fw_connection == FIREWALL_DIR_CONNECTION) {
  479. return fascist_firewall_allows_address(addr, port,
  480. reachable_dir_addr_policy,
  481. pref_only, pref_ipv6);
  482. } else {
  483. log_warn(LD_BUG, "Bad firewall_connection_t value %d.",
  484. fw_connection);
  485. return 0;
  486. }
  487. }
  488. /** Return true iff we think our firewall will let us make a connection to
  489. * addr:port (ap). Uses ReachableORAddresses or ReachableDirAddresses based on
  490. * fw_connection.
  491. * pref_only and pref_ipv6 work as in fascist_firewall_allows_address_addr().
  492. */
  493. static int
  494. fascist_firewall_allows_address_ap(const tor_addr_port_t *ap,
  495. firewall_connection_t fw_connection,
  496. int pref_only, int pref_ipv6)
  497. {
  498. tor_assert(ap);
  499. return fascist_firewall_allows_address_addr(&ap->addr, ap->port,
  500. fw_connection, pref_only,
  501. pref_ipv6);
  502. }
  503. /* Return true iff we think our firewall will let us make a connection to
  504. * ipv4h_or_addr:ipv4_or_port. ipv4h_or_addr is interpreted in host order.
  505. * Uses ReachableORAddresses or ReachableDirAddresses based on
  506. * fw_connection.
  507. * pref_only and pref_ipv6 work as in fascist_firewall_allows_address_addr().
  508. */
  509. static int
  510. fascist_firewall_allows_address_ipv4h(uint32_t ipv4h_or_addr,
  511. uint16_t ipv4_or_port,
  512. firewall_connection_t fw_connection,
  513. int pref_only, int pref_ipv6)
  514. {
  515. tor_addr_t ipv4_or_addr;
  516. tor_addr_from_ipv4h(&ipv4_or_addr, ipv4h_or_addr);
  517. return fascist_firewall_allows_address_addr(&ipv4_or_addr, ipv4_or_port,
  518. fw_connection, pref_only,
  519. pref_ipv6);
  520. }
  521. /** Return true iff we think our firewall will let us make a connection to
  522. * ipv4h_addr/ipv6_addr. Uses ipv4_orport/ipv6_orport/ReachableORAddresses or
  523. * ipv4_dirport/ipv6_dirport/ReachableDirAddresses based on IPv4/IPv6 and
  524. * <b>fw_connection</b>.
  525. * pref_only and pref_ipv6 work as in fascist_firewall_allows_address_addr().
  526. */
  527. static int
  528. fascist_firewall_allows_base(uint32_t ipv4h_addr, uint16_t ipv4_orport,
  529. uint16_t ipv4_dirport,
  530. const tor_addr_t *ipv6_addr, uint16_t ipv6_orport,
  531. uint16_t ipv6_dirport,
  532. firewall_connection_t fw_connection,
  533. int pref_only, int pref_ipv6)
  534. {
  535. if (fascist_firewall_allows_address_ipv4h(ipv4h_addr,
  536. (fw_connection == FIREWALL_OR_CONNECTION
  537. ? ipv4_orport
  538. : ipv4_dirport),
  539. fw_connection,
  540. pref_only, pref_ipv6)) {
  541. return 1;
  542. }
  543. if (fascist_firewall_allows_address_addr(ipv6_addr,
  544. (fw_connection == FIREWALL_OR_CONNECTION
  545. ? ipv6_orport
  546. : ipv6_dirport),
  547. fw_connection,
  548. pref_only, pref_ipv6)) {
  549. return 1;
  550. }
  551. return 0;
  552. }
  553. /** Like fascist_firewall_allows_base(), but takes ri. */
  554. static int
  555. fascist_firewall_allows_ri_impl(const routerinfo_t *ri,
  556. firewall_connection_t fw_connection,
  557. int pref_only, int pref_ipv6)
  558. {
  559. if (!ri) {
  560. return 0;
  561. }
  562. /* Assume IPv4 and IPv6 DirPorts are the same */
  563. return fascist_firewall_allows_base(ri->addr, ri->or_port, ri->dir_port,
  564. &ri->ipv6_addr, ri->ipv6_orport,
  565. ri->dir_port, fw_connection, pref_only,
  566. pref_ipv6);
  567. }
  568. /** Like fascist_firewall_allows_rs, but takes pref_ipv6. */
  569. static int
  570. fascist_firewall_allows_rs_impl(const routerstatus_t *rs,
  571. firewall_connection_t fw_connection,
  572. int pref_only, int pref_ipv6)
  573. {
  574. if (!rs) {
  575. return 0;
  576. }
  577. /* Assume IPv4 and IPv6 DirPorts are the same */
  578. return fascist_firewall_allows_base(rs->addr, rs->or_port, rs->dir_port,
  579. &rs->ipv6_addr, rs->ipv6_orport,
  580. rs->dir_port, fw_connection, pref_only,
  581. pref_ipv6);
  582. }
  583. /** Like fascist_firewall_allows_base(), but takes rs.
  584. * When rs is a fake_status from a dir_server_t, it can have a reachable
  585. * address, even when the corresponding node does not.
  586. * nodes can be missing addresses when there's no consensus (IPv4 and IPv6),
  587. * or when there is a microdescriptor consensus, but no microdescriptors
  588. * (microdescriptors have IPv6, the microdesc consensus does not). */
  589. int
  590. fascist_firewall_allows_rs(const routerstatus_t *rs,
  591. firewall_connection_t fw_connection, int pref_only)
  592. {
  593. if (!rs) {
  594. return 0;
  595. }
  596. /* We don't have access to the node-specific IPv6 preference, so use the
  597. * generic IPv6 preference instead. */
  598. const or_options_t *options = get_options();
  599. int pref_ipv6 = (fw_connection == FIREWALL_OR_CONNECTION
  600. ? fascist_firewall_prefer_ipv6_orport(options)
  601. : fascist_firewall_prefer_ipv6_dirport(options));
  602. return fascist_firewall_allows_rs_impl(rs, fw_connection, pref_only,
  603. pref_ipv6);
  604. }
  605. /** Return true iff we think our firewall will let us make a connection to
  606. * ipv6_addr:ipv6_orport based on ReachableORAddresses.
  607. * If <b>fw_connection</b> is FIREWALL_DIR_CONNECTION, returns 0.
  608. * pref_only and pref_ipv6 work as in fascist_firewall_allows_address_addr().
  609. */
  610. static int
  611. fascist_firewall_allows_md_impl(const microdesc_t *md,
  612. firewall_connection_t fw_connection,
  613. int pref_only, int pref_ipv6)
  614. {
  615. if (!md) {
  616. return 0;
  617. }
  618. /* Can't check dirport, it doesn't have one */
  619. if (fw_connection == FIREWALL_DIR_CONNECTION) {
  620. return 0;
  621. }
  622. /* Also can't check IPv4, doesn't have that either */
  623. return fascist_firewall_allows_address_addr(&md->ipv6_addr, md->ipv6_orport,
  624. fw_connection, pref_only,
  625. pref_ipv6);
  626. }
  627. /** Like fascist_firewall_allows_base(), but takes node, and looks up pref_ipv6
  628. * from node_ipv6_or/dir_preferred(). */
  629. int
  630. fascist_firewall_allows_node(const node_t *node,
  631. firewall_connection_t fw_connection,
  632. int pref_only)
  633. {
  634. if (!node) {
  635. return 0;
  636. }
  637. node_assert_ok(node);
  638. const int pref_ipv6 = (fw_connection == FIREWALL_OR_CONNECTION
  639. ? node_ipv6_or_preferred(node)
  640. : node_ipv6_dir_preferred(node));
  641. /* Sometimes, the rs is missing the IPv6 address info, and we need to go
  642. * all the way to the md */
  643. if (node->ri && fascist_firewall_allows_ri_impl(node->ri, fw_connection,
  644. pref_only, pref_ipv6)) {
  645. return 1;
  646. } else if (node->rs && fascist_firewall_allows_rs_impl(node->rs,
  647. fw_connection,
  648. pref_only,
  649. pref_ipv6)) {
  650. return 1;
  651. } else if (node->md && fascist_firewall_allows_md_impl(node->md,
  652. fw_connection,
  653. pref_only,
  654. pref_ipv6)) {
  655. return 1;
  656. } else {
  657. /* If we know nothing, assume it's unreachable, we'll never get an address
  658. * to connect to. */
  659. return 0;
  660. }
  661. }
  662. /** Like fascist_firewall_allows_rs(), but takes ds. */
  663. int
  664. fascist_firewall_allows_dir_server(const dir_server_t *ds,
  665. firewall_connection_t fw_connection,
  666. int pref_only)
  667. {
  668. if (!ds) {
  669. return 0;
  670. }
  671. /* A dir_server_t always has a fake_status. As long as it has the same
  672. * addresses/ports in both fake_status and dir_server_t, this works fine.
  673. * (See #17867.)
  674. * fascist_firewall_allows_rs only checks the addresses in fake_status. */
  675. return fascist_firewall_allows_rs(&ds->fake_status, fw_connection,
  676. pref_only);
  677. }
  678. /** If a and b are both valid and allowed by fw_connection,
  679. * choose one based on want_a and return it.
  680. * Otherwise, return whichever is allowed.
  681. * Otherwise, return NULL.
  682. * pref_only and pref_ipv6 work as in fascist_firewall_allows_address_addr().
  683. */
  684. static const tor_addr_port_t *
  685. fascist_firewall_choose_address_impl(const tor_addr_port_t *a,
  686. const tor_addr_port_t *b,
  687. int want_a,
  688. firewall_connection_t fw_connection,
  689. int pref_only, int pref_ipv6)
  690. {
  691. const tor_addr_port_t *use_a = NULL;
  692. const tor_addr_port_t *use_b = NULL;
  693. if (fascist_firewall_allows_address_ap(a, fw_connection, pref_only,
  694. pref_ipv6)) {
  695. use_a = a;
  696. }
  697. if (fascist_firewall_allows_address_ap(b, fw_connection, pref_only,
  698. pref_ipv6)) {
  699. use_b = b;
  700. }
  701. /* If both are allowed */
  702. if (use_a && use_b) {
  703. /* Choose a if we want it */
  704. return (want_a ? use_a : use_b);
  705. } else {
  706. /* Choose a if we have it */
  707. return (use_a ? use_a : use_b);
  708. }
  709. }
  710. /** If a and b are both valid and preferred by fw_connection,
  711. * choose one based on want_a and return it.
  712. * Otherwise, return whichever is preferred.
  713. * If neither are preferred, and pref_only is false:
  714. * - If a and b are both allowed by fw_connection,
  715. * choose one based on want_a and return it.
  716. * - Otherwise, return whichever is preferred.
  717. * Otherwise, return NULL. */
  718. STATIC const tor_addr_port_t *
  719. fascist_firewall_choose_address(const tor_addr_port_t *a,
  720. const tor_addr_port_t *b,
  721. int want_a,
  722. firewall_connection_t fw_connection,
  723. int pref_only, int pref_ipv6)
  724. {
  725. const tor_addr_port_t *pref = fascist_firewall_choose_address_impl(
  726. a, b, want_a,
  727. fw_connection,
  728. 1, pref_ipv6);
  729. if (pref_only || pref) {
  730. /* If there is a preferred address, use it. If we can only use preferred
  731. * addresses, and neither address is preferred, pref will be NULL, and we
  732. * want to return NULL, so return it. */
  733. return pref;
  734. } else {
  735. /* If there's no preferred address, and we can return addresses that are
  736. * not preferred, use an address that's allowed */
  737. return fascist_firewall_choose_address_impl(a, b, want_a, fw_connection,
  738. 0, pref_ipv6);
  739. }
  740. }
  741. /** Copy an address and port into <b>ap</b> that we think our firewall will
  742. * let us connect to. Uses ipv4_addr/ipv6_addr and
  743. * ipv4_orport/ipv6_orport/ReachableORAddresses or
  744. * ipv4_dirport/ipv6_dirport/ReachableDirAddresses based on IPv4/IPv6 and
  745. * <b>fw_connection</b>.
  746. * If pref_only, only choose preferred addresses. In either case, choose
  747. * a preferred address before an address that's not preferred.
  748. * If both addresses could be chosen (they are both preferred or both allowed)
  749. * choose IPv6 if pref_ipv6 is true, otherwise choose IPv4.
  750. * If neither address is chosen, return 0, else return 1. */
  751. static int
  752. fascist_firewall_choose_address_base(const tor_addr_t *ipv4_addr,
  753. uint16_t ipv4_orport,
  754. uint16_t ipv4_dirport,
  755. const tor_addr_t *ipv6_addr,
  756. uint16_t ipv6_orport,
  757. uint16_t ipv6_dirport,
  758. firewall_connection_t fw_connection,
  759. int pref_only,
  760. int pref_ipv6,
  761. tor_addr_port_t* ap)
  762. {
  763. const tor_addr_port_t *result = NULL;
  764. const int want_ipv4 = !pref_ipv6;
  765. tor_assert(ipv6_addr);
  766. tor_assert(ap);
  767. tor_addr_port_t ipv4_ap;
  768. tor_addr_copy(&ipv4_ap.addr, ipv4_addr);
  769. ipv4_ap.port = (fw_connection == FIREWALL_OR_CONNECTION
  770. ? ipv4_orport
  771. : ipv4_dirport);
  772. tor_addr_port_t ipv6_ap;
  773. tor_addr_copy(&ipv6_ap.addr, ipv6_addr);
  774. ipv6_ap.port = (fw_connection == FIREWALL_OR_CONNECTION
  775. ? ipv6_orport
  776. : ipv6_dirport);
  777. result = fascist_firewall_choose_address(&ipv4_ap, &ipv6_ap,
  778. want_ipv4,
  779. fw_connection, pref_only,
  780. pref_ipv6);
  781. if (result) {
  782. tor_addr_copy(&ap->addr, &result->addr);
  783. ap->port = result->port;
  784. return 1;
  785. } else {
  786. return 0;
  787. }
  788. }
  789. /** Like fascist_firewall_choose_address_base(), but takes a host-order IPv4
  790. * address as the first parameter. */
  791. static int
  792. fascist_firewall_choose_address_ipv4h(uint32_t ipv4h_addr,
  793. uint16_t ipv4_orport,
  794. uint16_t ipv4_dirport,
  795. const tor_addr_t *ipv6_addr,
  796. uint16_t ipv6_orport,
  797. uint16_t ipv6_dirport,
  798. firewall_connection_t fw_connection,
  799. int pref_only,
  800. int pref_ipv6,
  801. tor_addr_port_t* ap)
  802. {
  803. tor_addr_t ipv4_addr;
  804. tor_addr_from_ipv4h(&ipv4_addr, ipv4h_addr);
  805. return fascist_firewall_choose_address_base(&ipv4_addr, ipv4_orport,
  806. ipv4_dirport, ipv6_addr,
  807. ipv6_orport, ipv6_dirport,
  808. fw_connection, pref_only,
  809. pref_ipv6, ap);
  810. }
  811. /* The microdescriptor consensus has no IPv6 addresses in rs: they are in
  812. * the microdescriptors. This means we can't rely on the node's IPv6 address
  813. * until its microdescriptor is available (when using microdescs).
  814. * But for bridges, rewrite_node_address_for_bridge() updates node->ri with
  815. * the configured address, so we can trust bridge addresses.
  816. * (Bridges could gain an IPv6 address if their microdescriptor arrives, but
  817. * this will never be their preferred address: that is in the config.)
  818. * Returns true if the node needs a microdescriptor for its IPv6 address, and
  819. * false if the addresses in the node are already up-to-date.
  820. */
  821. static int
  822. node_awaiting_ipv6(const or_options_t* options, const node_t *node)
  823. {
  824. tor_assert(node);
  825. /* There's no point waiting for an IPv6 address if we'd never use it */
  826. if (!fascist_firewall_use_ipv6(options)) {
  827. return 0;
  828. }
  829. /* We are waiting if we_use_microdescriptors_for_circuits() and we have no
  830. * md. Bridges have a ri based on their config. They would never use the
  831. * address from their md, so there's no need to wait for it. */
  832. return (!node->md && we_use_microdescriptors_for_circuits(options) &&
  833. !node->ri);
  834. }
  835. /** Like fascist_firewall_choose_address_base(), but takes <b>rs</b>.
  836. * Consults the corresponding node, then falls back to rs if node is NULL.
  837. * This should only happen when there's no valid consensus, and rs doesn't
  838. * correspond to a bridge client's bridge.
  839. */
  840. int
  841. fascist_firewall_choose_address_rs(const routerstatus_t *rs,
  842. firewall_connection_t fw_connection,
  843. int pref_only, tor_addr_port_t* ap)
  844. {
  845. if (!rs) {
  846. return 0;
  847. }
  848. tor_assert(ap);
  849. const or_options_t *options = get_options();
  850. const node_t *node = node_get_by_id(rs->identity_digest);
  851. if (node && !node_awaiting_ipv6(options, node)) {
  852. return fascist_firewall_choose_address_node(node, fw_connection, pref_only,
  853. ap);
  854. } else {
  855. /* There's no node-specific IPv6 preference, so use the generic IPv6
  856. * preference instead. */
  857. int pref_ipv6 = (fw_connection == FIREWALL_OR_CONNECTION
  858. ? fascist_firewall_prefer_ipv6_orport(options)
  859. : fascist_firewall_prefer_ipv6_dirport(options));
  860. /* Assume IPv4 and IPv6 DirPorts are the same.
  861. * Assume the IPv6 OR and Dir addresses are the same. */
  862. return fascist_firewall_choose_address_ipv4h(rs->addr,
  863. rs->or_port,
  864. rs->dir_port,
  865. &rs->ipv6_addr,
  866. rs->ipv6_orport,
  867. rs->dir_port,
  868. fw_connection,
  869. pref_only,
  870. pref_ipv6,
  871. ap);
  872. }
  873. }
  874. /** Like fascist_firewall_choose_address_base(), but takes <b>node</b>, and
  875. * looks up the node's IPv6 preference rather than taking an argument
  876. * for pref_ipv6. */
  877. int
  878. fascist_firewall_choose_address_node(const node_t *node,
  879. firewall_connection_t fw_connection,
  880. int pref_only, tor_addr_port_t *ap)
  881. {
  882. if (!node) {
  883. return 0;
  884. }
  885. node_assert_ok(node);
  886. /* Calling fascist_firewall_choose_address_node() when the node is missing
  887. * IPv6 information breaks IPv6-only clients.
  888. * If the node is a hard-coded fallback directory or authority, call
  889. * fascist_firewall_choose_address_rs() on the fake (hard-coded) routerstatus
  890. * for the node.
  891. * If it is not hard-coded, check that the node has a microdescriptor, full
  892. * descriptor (routerinfo), or is one of our configured bridges before
  893. * calling this function. */
  894. if (BUG(node_awaiting_ipv6(get_options(), node))) {
  895. return 0;
  896. }
  897. const int pref_ipv6_node = (fw_connection == FIREWALL_OR_CONNECTION
  898. ? node_ipv6_or_preferred(node)
  899. : node_ipv6_dir_preferred(node));
  900. tor_addr_port_t ipv4_or_ap;
  901. node_get_prim_orport(node, &ipv4_or_ap);
  902. tor_addr_port_t ipv4_dir_ap;
  903. node_get_prim_dirport(node, &ipv4_dir_ap);
  904. tor_addr_port_t ipv6_or_ap;
  905. node_get_pref_ipv6_orport(node, &ipv6_or_ap);
  906. tor_addr_port_t ipv6_dir_ap;
  907. node_get_pref_ipv6_dirport(node, &ipv6_dir_ap);
  908. /* Assume the IPv6 OR and Dir addresses are the same. */
  909. return fascist_firewall_choose_address_base(&ipv4_or_ap.addr,
  910. ipv4_or_ap.port,
  911. ipv4_dir_ap.port,
  912. &ipv6_or_ap.addr,
  913. ipv6_or_ap.port,
  914. ipv6_dir_ap.port,
  915. fw_connection,
  916. pref_only,
  917. pref_ipv6_node,
  918. ap);
  919. }
  920. /** Like fascist_firewall_choose_address_rs(), but takes <b>ds</b>. */
  921. int
  922. fascist_firewall_choose_address_dir_server(const dir_server_t *ds,
  923. firewall_connection_t fw_connection,
  924. int pref_only,
  925. tor_addr_port_t *ap)
  926. {
  927. if (!ds) {
  928. return 0;
  929. }
  930. /* A dir_server_t always has a fake_status. As long as it has the same
  931. * addresses/ports in both fake_status and dir_server_t, this works fine.
  932. * (See #17867.)
  933. * This function relies on fascist_firewall_choose_address_rs looking up the
  934. * node if it can, because that will get the latest info for the relay. */
  935. return fascist_firewall_choose_address_rs(&ds->fake_status, fw_connection,
  936. pref_only, ap);
  937. }
  938. /** Return 1 if <b>addr</b> is permitted to connect to our dir port,
  939. * based on <b>dir_policy</b>. Else return 0.
  940. */
  941. int
  942. dir_policy_permits_address(const tor_addr_t *addr)
  943. {
  944. return addr_policy_permits_tor_addr(addr, 1, dir_policy);
  945. }
  946. /** Return 1 if <b>addr</b> is permitted to connect to our socks port,
  947. * based on <b>socks_policy</b>. Else return 0.
  948. */
  949. int
  950. socks_policy_permits_address(const tor_addr_t *addr)
  951. {
  952. return addr_policy_permits_tor_addr(addr, 1, socks_policy);
  953. }
  954. /** Return true iff the address <b>addr</b> is in a country listed in the
  955. * case-insensitive list of country codes <b>cc_list</b>. */
  956. static int
  957. addr_is_in_cc_list(uint32_t addr, const smartlist_t *cc_list)
  958. {
  959. country_t country;
  960. const char *name;
  961. tor_addr_t tar;
  962. if (!cc_list)
  963. return 0;
  964. /* XXXXipv6 */
  965. tor_addr_from_ipv4h(&tar, addr);
  966. country = geoip_get_country_by_addr(&tar);
  967. name = geoip_get_country_name(country);
  968. return smartlist_contains_string_case(cc_list, name);
  969. }
  970. /** Return 1 if <b>addr</b>:<b>port</b> is permitted to publish to our
  971. * directory, based on <b>authdir_reject_policy</b>. Else return 0.
  972. */
  973. int
  974. authdir_policy_permits_address(uint32_t addr, uint16_t port)
  975. {
  976. if (! addr_policy_permits_address(addr, port, authdir_reject_policy))
  977. return 0;
  978. return !addr_is_in_cc_list(addr, get_options()->AuthDirRejectCCs);
  979. }
  980. /** Return 1 if <b>addr</b>:<b>port</b> is considered valid in our
  981. * directory, based on <b>authdir_invalid_policy</b>. Else return 0.
  982. */
  983. int
  984. authdir_policy_valid_address(uint32_t addr, uint16_t port)
  985. {
  986. if (! addr_policy_permits_address(addr, port, authdir_invalid_policy))
  987. return 0;
  988. return !addr_is_in_cc_list(addr, get_options()->AuthDirInvalidCCs);
  989. }
  990. /** Return 1 if <b>addr</b>:<b>port</b> should be marked as a bad exit,
  991. * based on <b>authdir_badexit_policy</b>. Else return 0.
  992. */
  993. int
  994. authdir_policy_badexit_address(uint32_t addr, uint16_t port)
  995. {
  996. if (! addr_policy_permits_address(addr, port, authdir_badexit_policy))
  997. return 1;
  998. return addr_is_in_cc_list(addr, get_options()->AuthDirBadExitCCs);
  999. }
  1000. #define REJECT(arg) \
  1001. STMT_BEGIN *msg = tor_strdup(arg); goto err; STMT_END
  1002. /** Config helper: If there's any problem with the policy configuration
  1003. * options in <b>options</b>, return -1 and set <b>msg</b> to a newly
  1004. * allocated description of the error. Else return 0. */
  1005. int
  1006. validate_addr_policies(const or_options_t *options, char **msg)
  1007. {
  1008. /* XXXX Maybe merge this into parse_policies_from_options, to make sure
  1009. * that the two can't go out of sync. */
  1010. smartlist_t *addr_policy=NULL;
  1011. *msg = NULL;
  1012. if (policies_parse_exit_policy_from_options(options,0,NULL,&addr_policy)) {
  1013. REJECT("Error in ExitPolicy entry.");
  1014. }
  1015. static int warned_about_exitrelay = 0;
  1016. const int exitrelay_setting_is_auto = options->ExitRelay == -1;
  1017. const int policy_accepts_something =
  1018. ! (policy_is_reject_star(addr_policy, AF_INET, 1) &&
  1019. policy_is_reject_star(addr_policy, AF_INET6, 1));
  1020. if (server_mode(options) &&
  1021. ! warned_about_exitrelay &&
  1022. exitrelay_setting_is_auto &&
  1023. policy_accepts_something) {
  1024. /* Policy accepts something */
  1025. warned_about_exitrelay = 1;
  1026. log_warn(LD_CONFIG,
  1027. "Tor is running as an exit relay%s. If you did not want this "
  1028. "behavior, please set the ExitRelay option to 0. If you do "
  1029. "want to run an exit Relay, please set the ExitRelay option "
  1030. "to 1 to disable this warning, and for forward compatibility.",
  1031. options->ExitPolicy == NULL ?
  1032. " with the default exit policy" : "");
  1033. if (options->ExitPolicy == NULL && options->ReducedExitPolicy == 0) {
  1034. log_warn(LD_CONFIG,
  1035. "In a future version of Tor, ExitRelay 0 may become the "
  1036. "default when no ExitPolicy is given.");
  1037. }
  1038. }
  1039. /* The rest of these calls *append* to addr_policy. So don't actually
  1040. * use the results for anything other than checking if they parse! */
  1041. if (parse_addr_policy(options->DirPolicy, &addr_policy, -1))
  1042. REJECT("Error in DirPolicy entry.");
  1043. if (parse_addr_policy(options->SocksPolicy, &addr_policy, -1))
  1044. REJECT("Error in SocksPolicy entry.");
  1045. if (parse_addr_policy(options->AuthDirReject, &addr_policy,
  1046. ADDR_POLICY_REJECT))
  1047. REJECT("Error in AuthDirReject entry.");
  1048. if (parse_addr_policy(options->AuthDirInvalid, &addr_policy,
  1049. ADDR_POLICY_REJECT))
  1050. REJECT("Error in AuthDirInvalid entry.");
  1051. if (parse_addr_policy(options->AuthDirBadExit, &addr_policy,
  1052. ADDR_POLICY_REJECT))
  1053. REJECT("Error in AuthDirBadExit entry.");
  1054. if (parse_addr_policy(options->ReachableAddresses, &addr_policy,
  1055. ADDR_POLICY_ACCEPT))
  1056. REJECT("Error in ReachableAddresses entry.");
  1057. if (parse_addr_policy(options->ReachableORAddresses, &addr_policy,
  1058. ADDR_POLICY_ACCEPT))
  1059. REJECT("Error in ReachableORAddresses entry.");
  1060. if (parse_addr_policy(options->ReachableDirAddresses, &addr_policy,
  1061. ADDR_POLICY_ACCEPT))
  1062. REJECT("Error in ReachableDirAddresses entry.");
  1063. err:
  1064. addr_policy_list_free(addr_policy);
  1065. return *msg ? -1 : 0;
  1066. #undef REJECT
  1067. }
  1068. /** Parse <b>string</b> in the same way that the exit policy
  1069. * is parsed, and put the processed version in *<b>policy</b>.
  1070. * Ignore port specifiers.
  1071. */
  1072. static int
  1073. load_policy_from_option(config_line_t *config, const char *option_name,
  1074. smartlist_t **policy,
  1075. int assume_action)
  1076. {
  1077. int r;
  1078. int killed_any_ports = 0;
  1079. addr_policy_list_free(*policy);
  1080. *policy = NULL;
  1081. r = parse_addr_policy(config, policy, assume_action);
  1082. if (r < 0) {
  1083. return -1;
  1084. }
  1085. if (*policy) {
  1086. SMARTLIST_FOREACH_BEGIN(*policy, addr_policy_t *, n) {
  1087. /* ports aren't used in these. */
  1088. if (n->prt_min > 1 || n->prt_max != 65535) {
  1089. addr_policy_t newp, *c;
  1090. memcpy(&newp, n, sizeof(newp));
  1091. newp.prt_min = 1;
  1092. newp.prt_max = 65535;
  1093. newp.is_canonical = 0;
  1094. c = addr_policy_get_canonical_entry(&newp);
  1095. SMARTLIST_REPLACE_CURRENT(*policy, n, c);
  1096. addr_policy_free(n);
  1097. killed_any_ports = 1;
  1098. }
  1099. } SMARTLIST_FOREACH_END(n);
  1100. }
  1101. if (killed_any_ports) {
  1102. log_warn(LD_CONFIG, "Ignoring ports in %s option.", option_name);
  1103. }
  1104. return 0;
  1105. }
  1106. /** Set all policies based on <b>options</b>, which should have been validated
  1107. * first by validate_addr_policies. */
  1108. int
  1109. policies_parse_from_options(const or_options_t *options)
  1110. {
  1111. int ret = 0;
  1112. if (load_policy_from_option(options->SocksPolicy, "SocksPolicy",
  1113. &socks_policy, -1) < 0)
  1114. ret = -1;
  1115. if (load_policy_from_option(options->DirPolicy, "DirPolicy",
  1116. &dir_policy, -1) < 0)
  1117. ret = -1;
  1118. if (load_policy_from_option(options->AuthDirReject, "AuthDirReject",
  1119. &authdir_reject_policy, ADDR_POLICY_REJECT) < 0)
  1120. ret = -1;
  1121. if (load_policy_from_option(options->AuthDirInvalid, "AuthDirInvalid",
  1122. &authdir_invalid_policy, ADDR_POLICY_REJECT) < 0)
  1123. ret = -1;
  1124. if (load_policy_from_option(options->AuthDirBadExit, "AuthDirBadExit",
  1125. &authdir_badexit_policy, ADDR_POLICY_REJECT) < 0)
  1126. ret = -1;
  1127. if (parse_reachable_addresses() < 0)
  1128. ret = -1;
  1129. return ret;
  1130. }
  1131. /** Compare two provided address policy items, and renturn -1, 0, or 1
  1132. * if the first is less than, equal to, or greater than the second. */
  1133. static int
  1134. single_addr_policy_eq(const addr_policy_t *a, const addr_policy_t *b)
  1135. {
  1136. int r;
  1137. #define CMP_FIELD(field) do { \
  1138. if (a->field != b->field) { \
  1139. return 0; \
  1140. } \
  1141. } while (0)
  1142. CMP_FIELD(policy_type);
  1143. CMP_FIELD(is_private);
  1144. /* refcnt and is_canonical are irrelevant to equality,
  1145. * they are hash table implementation details */
  1146. if ((r=tor_addr_compare(&a->addr, &b->addr, CMP_EXACT)))
  1147. return 0;
  1148. CMP_FIELD(maskbits);
  1149. CMP_FIELD(prt_min);
  1150. CMP_FIELD(prt_max);
  1151. #undef CMP_FIELD
  1152. return 1;
  1153. }
  1154. /** As single_addr_policy_eq, but compare every element of two policies.
  1155. */
  1156. int
  1157. addr_policies_eq(const smartlist_t *a, const smartlist_t *b)
  1158. {
  1159. int i;
  1160. int len_a = a ? smartlist_len(a) : 0;
  1161. int len_b = b ? smartlist_len(b) : 0;
  1162. if (len_a != len_b)
  1163. return 0;
  1164. for (i = 0; i < len_a; ++i) {
  1165. if (! single_addr_policy_eq(smartlist_get(a, i), smartlist_get(b, i)))
  1166. return 0;
  1167. }
  1168. return 1;
  1169. }
  1170. /** Node in hashtable used to store address policy entries. */
  1171. typedef struct policy_map_ent_t {
  1172. HT_ENTRY(policy_map_ent_t) node;
  1173. addr_policy_t *policy;
  1174. } policy_map_ent_t;
  1175. /* DOCDOC policy_root */
  1176. static HT_HEAD(policy_map, policy_map_ent_t) policy_root = HT_INITIALIZER();
  1177. /** Return true iff a and b are equal. */
  1178. static inline int
  1179. policy_eq(policy_map_ent_t *a, policy_map_ent_t *b)
  1180. {
  1181. return single_addr_policy_eq(a->policy, b->policy);
  1182. }
  1183. /** Return a hashcode for <b>ent</b> */
  1184. static unsigned int
  1185. policy_hash(const policy_map_ent_t *ent)
  1186. {
  1187. const addr_policy_t *a = ent->policy;
  1188. addr_policy_t aa;
  1189. memset(&aa, 0, sizeof(aa));
  1190. aa.prt_min = a->prt_min;
  1191. aa.prt_max = a->prt_max;
  1192. aa.maskbits = a->maskbits;
  1193. aa.policy_type = a->policy_type;
  1194. aa.is_private = a->is_private;
  1195. if (a->is_private) {
  1196. aa.is_private = 1;
  1197. } else {
  1198. tor_addr_copy_tight(&aa.addr, &a->addr);
  1199. }
  1200. return (unsigned) siphash24g(&aa, sizeof(aa));
  1201. }
  1202. HT_PROTOTYPE(policy_map, policy_map_ent_t, node, policy_hash,
  1203. policy_eq)
  1204. HT_GENERATE2(policy_map, policy_map_ent_t, node, policy_hash,
  1205. policy_eq, 0.6, tor_reallocarray_, tor_free_)
  1206. /** Given a pointer to an addr_policy_t, return a copy of the pointer to the
  1207. * "canonical" copy of that addr_policy_t; the canonical copy is a single
  1208. * reference-counted object. */
  1209. addr_policy_t *
  1210. addr_policy_get_canonical_entry(addr_policy_t *e)
  1211. {
  1212. policy_map_ent_t search, *found;
  1213. if (e->is_canonical)
  1214. return e;
  1215. search.policy = e;
  1216. found = HT_FIND(policy_map, &policy_root, &search);
  1217. if (!found) {
  1218. found = tor_malloc_zero(sizeof(policy_map_ent_t));
  1219. found->policy = tor_memdup(e, sizeof(addr_policy_t));
  1220. found->policy->is_canonical = 1;
  1221. found->policy->refcnt = 0;
  1222. HT_INSERT(policy_map, &policy_root, found);
  1223. }
  1224. tor_assert(single_addr_policy_eq(found->policy, e));
  1225. ++found->policy->refcnt;
  1226. return found->policy;
  1227. }
  1228. /** Helper for compare_tor_addr_to_addr_policy. Implements the case where
  1229. * addr and port are both known. */
  1230. static addr_policy_result_t
  1231. compare_known_tor_addr_to_addr_policy(const tor_addr_t *addr, uint16_t port,
  1232. const smartlist_t *policy)
  1233. {
  1234. /* We know the address and port, and we know the policy, so we can just
  1235. * compute an exact match. */
  1236. SMARTLIST_FOREACH_BEGIN(policy, addr_policy_t *, tmpe) {
  1237. if (tmpe->addr.family == AF_UNSPEC) {
  1238. log_warn(LD_BUG, "Policy contains an AF_UNSPEC address, which only "
  1239. "matches other AF_UNSPEC addresses.");
  1240. }
  1241. /* Address is known */
  1242. if (!tor_addr_compare_masked(addr, &tmpe->addr, tmpe->maskbits,
  1243. CMP_EXACT)) {
  1244. if (port >= tmpe->prt_min && port <= tmpe->prt_max) {
  1245. /* Exact match for the policy */
  1246. return tmpe->policy_type == ADDR_POLICY_ACCEPT ?
  1247. ADDR_POLICY_ACCEPTED : ADDR_POLICY_REJECTED;
  1248. }
  1249. }
  1250. } SMARTLIST_FOREACH_END(tmpe);
  1251. /* accept all by default. */
  1252. return ADDR_POLICY_ACCEPTED;
  1253. }
  1254. /** Helper for compare_tor_addr_to_addr_policy. Implements the case where
  1255. * addr is known but port is not. */
  1256. static addr_policy_result_t
  1257. compare_known_tor_addr_to_addr_policy_noport(const tor_addr_t *addr,
  1258. const smartlist_t *policy)
  1259. {
  1260. /* We look to see if there's a definite match. If so, we return that
  1261. match's value, unless there's an intervening possible match that says
  1262. something different. */
  1263. int maybe_accept = 0, maybe_reject = 0;
  1264. SMARTLIST_FOREACH_BEGIN(policy, addr_policy_t *, tmpe) {
  1265. if (tmpe->addr.family == AF_UNSPEC) {
  1266. log_warn(LD_BUG, "Policy contains an AF_UNSPEC address, which only "
  1267. "matches other AF_UNSPEC addresses.");
  1268. }
  1269. if (!tor_addr_compare_masked(addr, &tmpe->addr, tmpe->maskbits,
  1270. CMP_EXACT)) {
  1271. if (tmpe->prt_min <= 1 && tmpe->prt_max >= 65535) {
  1272. /* Definitely matches, since it covers all ports. */
  1273. if (tmpe->policy_type == ADDR_POLICY_ACCEPT) {
  1274. /* If we already hit a clause that might trigger a 'reject', than we
  1275. * can't be sure of this certain 'accept'.*/
  1276. return maybe_reject ? ADDR_POLICY_PROBABLY_ACCEPTED :
  1277. ADDR_POLICY_ACCEPTED;
  1278. } else {
  1279. return maybe_accept ? ADDR_POLICY_PROBABLY_REJECTED :
  1280. ADDR_POLICY_REJECTED;
  1281. }
  1282. } else {
  1283. /* Might match. */
  1284. if (tmpe->policy_type == ADDR_POLICY_REJECT)
  1285. maybe_reject = 1;
  1286. else
  1287. maybe_accept = 1;
  1288. }
  1289. }
  1290. } SMARTLIST_FOREACH_END(tmpe);
  1291. /* accept all by default. */
  1292. return maybe_reject ? ADDR_POLICY_PROBABLY_ACCEPTED : ADDR_POLICY_ACCEPTED;
  1293. }
  1294. /** Helper for compare_tor_addr_to_addr_policy. Implements the case where
  1295. * port is known but address is not. */
  1296. static addr_policy_result_t
  1297. compare_unknown_tor_addr_to_addr_policy(uint16_t port,
  1298. const smartlist_t *policy)
  1299. {
  1300. /* We look to see if there's a definite match. If so, we return that
  1301. match's value, unless there's an intervening possible match that says
  1302. something different. */
  1303. int maybe_accept = 0, maybe_reject = 0;
  1304. SMARTLIST_FOREACH_BEGIN(policy, addr_policy_t *, tmpe) {
  1305. if (tmpe->addr.family == AF_UNSPEC) {
  1306. log_warn(LD_BUG, "Policy contains an AF_UNSPEC address, which only "
  1307. "matches other AF_UNSPEC addresses.");
  1308. }
  1309. if (tmpe->prt_min <= port && port <= tmpe->prt_max) {
  1310. if (tmpe->maskbits == 0) {
  1311. /* Definitely matches, since it covers all addresses. */
  1312. if (tmpe->policy_type == ADDR_POLICY_ACCEPT) {
  1313. /* If we already hit a clause that might trigger a 'reject', than we
  1314. * can't be sure of this certain 'accept'.*/
  1315. return maybe_reject ? ADDR_POLICY_PROBABLY_ACCEPTED :
  1316. ADDR_POLICY_ACCEPTED;
  1317. } else {
  1318. return maybe_accept ? ADDR_POLICY_PROBABLY_REJECTED :
  1319. ADDR_POLICY_REJECTED;
  1320. }
  1321. } else {
  1322. /* Might match. */
  1323. if (tmpe->policy_type == ADDR_POLICY_REJECT)
  1324. maybe_reject = 1;
  1325. else
  1326. maybe_accept = 1;
  1327. }
  1328. }
  1329. } SMARTLIST_FOREACH_END(tmpe);
  1330. /* accept all by default. */
  1331. return maybe_reject ? ADDR_POLICY_PROBABLY_ACCEPTED : ADDR_POLICY_ACCEPTED;
  1332. }
  1333. /** Decide whether a given addr:port is definitely accepted,
  1334. * definitely rejected, probably accepted, or probably rejected by a
  1335. * given policy. If <b>addr</b> is 0, we don't know the IP of the
  1336. * target address. If <b>port</b> is 0, we don't know the port of the
  1337. * target address. (At least one of <b>addr</b> and <b>port</b> must be
  1338. * provided. If you want to know whether a policy would definitely reject
  1339. * an unknown address:port, use policy_is_reject_star().)
  1340. *
  1341. * We could do better by assuming that some ranges never match typical
  1342. * addresses (127.0.0.1, and so on). But we'll try this for now.
  1343. */
  1344. MOCK_IMPL(addr_policy_result_t,
  1345. compare_tor_addr_to_addr_policy,(const tor_addr_t *addr, uint16_t port,
  1346. const smartlist_t *policy))
  1347. {
  1348. if (!policy) {
  1349. /* no policy? accept all. */
  1350. return ADDR_POLICY_ACCEPTED;
  1351. } else if (addr == NULL || tor_addr_is_null(addr)) {
  1352. if (port == 0) {
  1353. log_info(LD_BUG, "Rejecting null address with 0 port (family %d)",
  1354. addr ? tor_addr_family(addr) : -1);
  1355. return ADDR_POLICY_REJECTED;
  1356. }
  1357. return compare_unknown_tor_addr_to_addr_policy(port, policy);
  1358. } else if (port == 0) {
  1359. return compare_known_tor_addr_to_addr_policy_noport(addr, policy);
  1360. } else {
  1361. return compare_known_tor_addr_to_addr_policy(addr, port, policy);
  1362. }
  1363. }
  1364. /** Return true iff the address policy <b>a</b> covers every case that
  1365. * would be covered by <b>b</b>, so that a,b is redundant. */
  1366. static int
  1367. addr_policy_covers(addr_policy_t *a, addr_policy_t *b)
  1368. {
  1369. if (tor_addr_family(&a->addr) != tor_addr_family(&b->addr)) {
  1370. /* You can't cover a different family. */
  1371. return 0;
  1372. }
  1373. /* We can ignore accept/reject, since "accept *:80, reject *:80" reduces
  1374. * to "accept *:80". */
  1375. if (a->maskbits > b->maskbits) {
  1376. /* a has more fixed bits than b; it can't possibly cover b. */
  1377. return 0;
  1378. }
  1379. if (tor_addr_compare_masked(&a->addr, &b->addr, a->maskbits, CMP_EXACT)) {
  1380. /* There's a fixed bit in a that's set differently in b. */
  1381. return 0;
  1382. }
  1383. return (a->prt_min <= b->prt_min && a->prt_max >= b->prt_max);
  1384. }
  1385. /** Return true iff the address policies <b>a</b> and <b>b</b> intersect,
  1386. * that is, there exists an address/port that is covered by <b>a</b> that
  1387. * is also covered by <b>b</b>.
  1388. */
  1389. static int
  1390. addr_policy_intersects(addr_policy_t *a, addr_policy_t *b)
  1391. {
  1392. maskbits_t minbits;
  1393. /* All the bits we care about are those that are set in both
  1394. * netmasks. If they are equal in a and b's networkaddresses
  1395. * then the networks intersect. If there is a difference,
  1396. * then they do not. */
  1397. if (a->maskbits < b->maskbits)
  1398. minbits = a->maskbits;
  1399. else
  1400. minbits = b->maskbits;
  1401. if (tor_addr_compare_masked(&a->addr, &b->addr, minbits, CMP_EXACT))
  1402. return 0;
  1403. if (a->prt_max < b->prt_min || b->prt_max < a->prt_min)
  1404. return 0;
  1405. return 1;
  1406. }
  1407. /** Add the exit policy described by <b>more</b> to <b>policy</b>.
  1408. */
  1409. STATIC void
  1410. append_exit_policy_string(smartlist_t **policy, const char *more)
  1411. {
  1412. config_line_t tmp;
  1413. tmp.key = NULL;
  1414. tmp.value = (char*) more;
  1415. tmp.next = NULL;
  1416. if (parse_addr_policy(&tmp, policy, -1)<0) {
  1417. log_warn(LD_BUG, "Unable to parse internally generated policy %s",more);
  1418. }
  1419. }
  1420. /** Add "reject <b>addr</b>:*" to <b>dest</b>, creating the list as needed. */
  1421. void
  1422. addr_policy_append_reject_addr(smartlist_t **dest, const tor_addr_t *addr)
  1423. {
  1424. tor_assert(dest);
  1425. tor_assert(addr);
  1426. addr_policy_t p, *add;
  1427. memset(&p, 0, sizeof(p));
  1428. p.policy_type = ADDR_POLICY_REJECT;
  1429. p.maskbits = tor_addr_family(addr) == AF_INET6 ? 128 : 32;
  1430. tor_addr_copy(&p.addr, addr);
  1431. p.prt_min = 1;
  1432. p.prt_max = 65535;
  1433. add = addr_policy_get_canonical_entry(&p);
  1434. if (!*dest)
  1435. *dest = smartlist_new();
  1436. smartlist_add(*dest, add);
  1437. log_debug(LD_CONFIG, "Adding a reject ExitPolicy 'reject %s:*'",
  1438. fmt_addr(addr));
  1439. }
  1440. /* Is addr public for the purposes of rejection? */
  1441. static int
  1442. tor_addr_is_public_for_reject(const tor_addr_t *addr)
  1443. {
  1444. return (!tor_addr_is_null(addr) && !tor_addr_is_internal(addr, 0)
  1445. && !tor_addr_is_multicast(addr));
  1446. }
  1447. /* Add "reject <b>addr</b>:*" to <b>dest</b>, creating the list as needed.
  1448. * Filter the address, only adding an IPv4 reject rule if ipv4_rules
  1449. * is true, and similarly for ipv6_rules. Check each address returns true for
  1450. * tor_addr_is_public_for_reject before adding it.
  1451. */
  1452. static void
  1453. addr_policy_append_reject_addr_filter(smartlist_t **dest,
  1454. const tor_addr_t *addr,
  1455. int ipv4_rules,
  1456. int ipv6_rules)
  1457. {
  1458. tor_assert(dest);
  1459. tor_assert(addr);
  1460. /* Only reject IP addresses which are public */
  1461. if (tor_addr_is_public_for_reject(addr)) {
  1462. /* Reject IPv4 addresses and IPv6 addresses based on the filters */
  1463. int is_ipv4 = tor_addr_is_v4(addr);
  1464. if ((is_ipv4 && ipv4_rules) || (!is_ipv4 && ipv6_rules)) {
  1465. addr_policy_append_reject_addr(dest, addr);
  1466. }
  1467. }
  1468. }
  1469. /** Add "reject addr:*" to <b>dest</b>, for each addr in addrs, creating the
  1470. * list as needed. */
  1471. void
  1472. addr_policy_append_reject_addr_list(smartlist_t **dest,
  1473. const smartlist_t *addrs)
  1474. {
  1475. tor_assert(dest);
  1476. tor_assert(addrs);
  1477. SMARTLIST_FOREACH_BEGIN(addrs, tor_addr_t *, addr) {
  1478. addr_policy_append_reject_addr(dest, addr);
  1479. } SMARTLIST_FOREACH_END(addr);
  1480. }
  1481. /** Add "reject addr:*" to <b>dest</b>, for each addr in addrs, creating the
  1482. * list as needed. Filter using */
  1483. static void
  1484. addr_policy_append_reject_addr_list_filter(smartlist_t **dest,
  1485. const smartlist_t *addrs,
  1486. int ipv4_rules,
  1487. int ipv6_rules)
  1488. {
  1489. tor_assert(dest);
  1490. tor_assert(addrs);
  1491. SMARTLIST_FOREACH_BEGIN(addrs, tor_addr_t *, addr) {
  1492. addr_policy_append_reject_addr_filter(dest, addr, ipv4_rules, ipv6_rules);
  1493. } SMARTLIST_FOREACH_END(addr);
  1494. }
  1495. /** Detect and excise "dead code" from the policy *<b>dest</b>. */
  1496. static void
  1497. exit_policy_remove_redundancies(smartlist_t *dest)
  1498. {
  1499. addr_policy_t *ap, *tmp;
  1500. int i, j;
  1501. /* Step one: kill every ipv4 thing after *4:*, every IPv6 thing after *6:*
  1502. */
  1503. {
  1504. int kill_v4=0, kill_v6=0;
  1505. for (i = 0; i < smartlist_len(dest); ++i) {
  1506. sa_family_t family;
  1507. ap = smartlist_get(dest, i);
  1508. family = tor_addr_family(&ap->addr);
  1509. if ((family == AF_INET && kill_v4) ||
  1510. (family == AF_INET6 && kill_v6)) {
  1511. smartlist_del_keeporder(dest, i--);
  1512. addr_policy_free(ap);
  1513. continue;
  1514. }
  1515. if (ap->maskbits == 0 && ap->prt_min <= 1 && ap->prt_max >= 65535) {
  1516. /* This is a catch-all line -- later lines are unreachable. */
  1517. if (family == AF_INET) {
  1518. kill_v4 = 1;
  1519. } else if (family == AF_INET6) {
  1520. kill_v6 = 1;
  1521. }
  1522. }
  1523. }
  1524. }
  1525. /* Step two: for every entry, see if there's a redundant entry
  1526. * later on, and remove it. */
  1527. for (i = 0; i < smartlist_len(dest)-1; ++i) {
  1528. ap = smartlist_get(dest, i);
  1529. for (j = i+1; j < smartlist_len(dest); ++j) {
  1530. tmp = smartlist_get(dest, j);
  1531. tor_assert(j > i);
  1532. if (addr_policy_covers(ap, tmp)) {
  1533. char p1[POLICY_BUF_LEN], p2[POLICY_BUF_LEN];
  1534. policy_write_item(p1, sizeof(p1), tmp, 0);
  1535. policy_write_item(p2, sizeof(p2), ap, 0);
  1536. log_debug(LD_CONFIG, "Removing exit policy %s (%d). It is made "
  1537. "redundant by %s (%d).", p1, j, p2, i);
  1538. smartlist_del_keeporder(dest, j--);
  1539. addr_policy_free(tmp);
  1540. }
  1541. }
  1542. }
  1543. /* Step three: for every entry A, see if there's an entry B making this one
  1544. * redundant later on. This is the case if A and B are of the same type
  1545. * (accept/reject), A is a subset of B, and there is no other entry of
  1546. * different type in between those two that intersects with A.
  1547. *
  1548. * Anybody want to double-check the logic here? XXX
  1549. */
  1550. for (i = 0; i < smartlist_len(dest)-1; ++i) {
  1551. ap = smartlist_get(dest, i);
  1552. for (j = i+1; j < smartlist_len(dest); ++j) {
  1553. // tor_assert(j > i); // j starts out at i+1; j only increases; i only
  1554. // // decreases.
  1555. tmp = smartlist_get(dest, j);
  1556. if (ap->policy_type != tmp->policy_type) {
  1557. if (addr_policy_intersects(ap, tmp))
  1558. break;
  1559. } else { /* policy_types are equal. */
  1560. if (addr_policy_covers(tmp, ap)) {
  1561. char p1[POLICY_BUF_LEN], p2[POLICY_BUF_LEN];
  1562. policy_write_item(p1, sizeof(p1), ap, 0);
  1563. policy_write_item(p2, sizeof(p2), tmp, 0);
  1564. log_debug(LD_CONFIG, "Removing exit policy %s. It is already "
  1565. "covered by %s.", p1, p2);
  1566. smartlist_del_keeporder(dest, i--);
  1567. addr_policy_free(ap);
  1568. break;
  1569. }
  1570. }
  1571. }
  1572. }
  1573. }
  1574. /** Reject private helper for policies_parse_exit_policy_internal: rejects
  1575. * publicly routable addresses on this exit relay.
  1576. *
  1577. * Add reject entries to the linked list *<b>dest</b>:
  1578. * <ul>
  1579. * <li>if configured_addresses is non-NULL, add entries that reject each
  1580. * tor_addr_t in the list as a destination.
  1581. * <li>if reject_interface_addresses is true, add entries that reject each
  1582. * public IPv4 and IPv6 address of each interface on this machine.
  1583. * <li>if reject_configured_port_addresses is true, add entries that reject
  1584. * each IPv4 and IPv6 address configured for a port.
  1585. * </ul>
  1586. *
  1587. * IPv6 entries are only added if ipv6_exit is true. (All IPv6 addresses are
  1588. * already blocked by policies_parse_exit_policy_internal if ipv6_exit is
  1589. * false.)
  1590. *
  1591. * The list in <b>dest</b> is created as needed.
  1592. */
  1593. void
  1594. policies_parse_exit_policy_reject_private(
  1595. smartlist_t **dest,
  1596. int ipv6_exit,
  1597. const smartlist_t *configured_addresses,
  1598. int reject_interface_addresses,
  1599. int reject_configured_port_addresses)
  1600. {
  1601. tor_assert(dest);
  1602. /* Reject configured addresses, if they are from public netblocks. */
  1603. if (configured_addresses) {
  1604. addr_policy_append_reject_addr_list_filter(dest, configured_addresses,
  1605. 1, ipv6_exit);
  1606. }
  1607. /* Reject configured port addresses, if they are from public netblocks. */
  1608. if (reject_configured_port_addresses) {
  1609. const smartlist_t *port_addrs = get_configured_ports();
  1610. SMARTLIST_FOREACH_BEGIN(port_addrs, port_cfg_t *, port) {
  1611. /* Only reject port IP addresses, not port unix sockets */
  1612. if (!port->is_unix_addr) {
  1613. addr_policy_append_reject_addr_filter(dest, &port->addr, 1, ipv6_exit);
  1614. }
  1615. } SMARTLIST_FOREACH_END(port);
  1616. }
  1617. /* Reject local addresses from public netblocks on any interface. */
  1618. if (reject_interface_addresses) {
  1619. smartlist_t *public_addresses = NULL;
  1620. /* Reject public IPv4 addresses on any interface */
  1621. public_addresses = get_interface_address6_list(LOG_INFO, AF_INET, 0);
  1622. addr_policy_append_reject_addr_list_filter(dest, public_addresses, 1, 0);
  1623. free_interface_address6_list(public_addresses);
  1624. /* Don't look for IPv6 addresses if we're configured as IPv4-only */
  1625. if (ipv6_exit) {
  1626. /* Reject public IPv6 addresses on any interface */
  1627. public_addresses = get_interface_address6_list(LOG_INFO, AF_INET6, 0);
  1628. addr_policy_append_reject_addr_list_filter(dest, public_addresses, 0, 1);
  1629. free_interface_address6_list(public_addresses);
  1630. }
  1631. }
  1632. /* If addresses were added multiple times, remove all but one of them. */
  1633. if (*dest) {
  1634. exit_policy_remove_redundancies(*dest);
  1635. }
  1636. }
  1637. /**
  1638. * Iterate through <b>policy</b> looking for redundant entries. Log a
  1639. * warning message with the first redundant entry, if any is found.
  1640. */
  1641. static void
  1642. policies_log_first_redundant_entry(const smartlist_t *policy)
  1643. {
  1644. int found_final_effective_entry = 0;
  1645. int first_redundant_entry = 0;
  1646. tor_assert(policy);
  1647. SMARTLIST_FOREACH_BEGIN(policy, const addr_policy_t *, p) {
  1648. sa_family_t family;
  1649. int found_ipv4_wildcard = 0, found_ipv6_wildcard = 0;
  1650. const int i = p_sl_idx;
  1651. /* Look for accept/reject *[4|6|]:* entires */
  1652. if (p->prt_min <= 1 && p->prt_max == 65535 && p->maskbits == 0) {
  1653. family = tor_addr_family(&p->addr);
  1654. /* accept/reject *:* may have already been expanded into
  1655. * accept/reject *4:*,accept/reject *6:*
  1656. * But handle both forms.
  1657. */
  1658. if (family == AF_INET || family == AF_UNSPEC) {
  1659. found_ipv4_wildcard = 1;
  1660. }
  1661. if (family == AF_INET6 || family == AF_UNSPEC) {
  1662. found_ipv6_wildcard = 1;
  1663. }
  1664. }
  1665. /* We also find accept *4:*,reject *6:* ; and
  1666. * accept *4:*,<other policies>,accept *6:* ; and similar.
  1667. * That's ok, because they make any subsequent entries redundant. */
  1668. if (found_ipv4_wildcard && found_ipv6_wildcard) {
  1669. found_final_effective_entry = 1;
  1670. /* if we're not on the final entry in the list */
  1671. if (i < smartlist_len(policy) - 1) {
  1672. first_redundant_entry = i + 1;
  1673. }
  1674. break;
  1675. }
  1676. } SMARTLIST_FOREACH_END(p);
  1677. /* Work out if there are redundant trailing entries in the policy list */
  1678. if (found_final_effective_entry && first_redundant_entry > 0) {
  1679. const addr_policy_t *p;
  1680. /* Longest possible policy is
  1681. * "accept6 ffff:ffff:..255/128:10000-65535",
  1682. * which contains a max-length IPv6 address, plus 24 characters. */
  1683. char line[TOR_ADDR_BUF_LEN + 32];
  1684. tor_assert(first_redundant_entry < smartlist_len(policy));
  1685. p = smartlist_get(policy, first_redundant_entry);
  1686. /* since we've already parsed the policy into an addr_policy_t struct,
  1687. * we might not log exactly what the user typed in */
  1688. policy_write_item(line, TOR_ADDR_BUF_LEN + 32, p, 0);
  1689. log_warn(LD_DIR, "Exit policy '%s' and all following policies are "
  1690. "redundant, as it follows accept/reject *:* rules for both "
  1691. "IPv4 and IPv6. They will be removed from the exit policy. (Use "
  1692. "accept/reject *:* as the last entry in any exit policy.)",
  1693. line);
  1694. }
  1695. }
  1696. #define DEFAULT_EXIT_POLICY \
  1697. "reject *:25,reject *:119,reject *:135-139,reject *:445," \
  1698. "reject *:563,reject *:1214,reject *:4661-4666," \
  1699. "reject *:6346-6429,reject *:6699,reject *:6881-6999,accept *:*"
  1700. #define REDUCED_EXIT_POLICY \
  1701. "accept *:20-23,accept *:43,accept *:53,accept *:79-81,accept *:88," \
  1702. "accept *:110,accept *:143,accept *:194,accept *:220,accept *:389," \
  1703. "accept *:443,accept *:464,accept *:465,accept *:531,accept *:543-544," \
  1704. "accept *:554,accept *:563,accept *:587,accept *:636,accept *:706," \
  1705. "accept *:749,accept *:873,accept *:902-904,accept *:981,accept *:989-995," \
  1706. "accept *:1194,accept *:1220,accept *:1293,accept *:1500,accept *:1533," \
  1707. "accept *:1677,accept *:1723,accept *:1755,accept *:1863," \
  1708. "accept *:2082-2083,accept *:2086-2087,accept *:2095-2096," \
  1709. "accept *:2102-2104,accept *:3128,accept *:3389,accept *:3690," \
  1710. "accept *:4321,accept *:4643,accept *:5050,accept *:5190," \
  1711. "accept *:5222-5223,accept *:5228,accept *:5900,accept *:6660-6669," \
  1712. "accept *:6679,accept *:6697,accept *:8000,accept *:8008,accept *:8074," \
  1713. "accept *:8080,accept *:8082,accept *:8087-8088,accept *:8232-8233," \
  1714. "accept *:8332-8333,accept *:8443,accept *:8888,accept *:9418," \
  1715. "accept *:9999,accept *:10000,accept *:11371,accept *:19294," \
  1716. "accept *:19638,accept *:50002,accept *:64738,reject *:*"
  1717. /** Parse the exit policy <b>cfg</b> into the linked list *<b>dest</b>.
  1718. *
  1719. * If <b>ipv6_exit</b> is false, prepend "reject *6:*" to the policy.
  1720. *
  1721. * If <b>configured_addresses</b> contains addresses:
  1722. * - prepend entries that reject the addresses in this list. These may be the
  1723. * advertised relay addresses and/or the outbound bind addresses,
  1724. * depending on the ExitPolicyRejectPrivate and
  1725. * ExitPolicyRejectLocalInterfaces settings.
  1726. * If <b>rejectprivate</b> is true:
  1727. * - prepend "reject private:*" to the policy.
  1728. * If <b>reject_interface_addresses</b> is true:
  1729. * - prepend entries that reject publicly routable interface addresses on
  1730. * this exit relay by calling policies_parse_exit_policy_reject_private
  1731. * If <b>reject_configured_port_addresses</b> is true:
  1732. * - prepend entries that reject all configured port addresses
  1733. *
  1734. * If cfg doesn't end in an absolute accept or reject and if
  1735. * <b>add_default_policy</b> is true, add the default exit
  1736. * policy afterwards.
  1737. *
  1738. * Return -1 if we can't parse cfg, else return 0.
  1739. *
  1740. * This function is used to parse the exit policy from our torrc. For
  1741. * the functions used to parse the exit policy from a router descriptor,
  1742. * see router_add_exit_policy.
  1743. */
  1744. static int
  1745. policies_parse_exit_policy_internal(config_line_t *cfg,
  1746. smartlist_t **dest,
  1747. int ipv6_exit,
  1748. int rejectprivate,
  1749. const smartlist_t *configured_addresses,
  1750. int reject_interface_addresses,
  1751. int reject_configured_port_addresses,
  1752. int add_default_policy,
  1753. int add_reduced_policy)
  1754. {
  1755. if (!ipv6_exit) {
  1756. append_exit_policy_string(dest, "reject *6:*");
  1757. }
  1758. if (rejectprivate) {
  1759. /* Reject IPv4 and IPv6 reserved private netblocks */
  1760. append_exit_policy_string(dest, "reject private:*");
  1761. }
  1762. /* Consider rejecting IPv4 and IPv6 advertised relay addresses, outbound bind
  1763. * addresses, publicly routable addresses, and configured port addresses
  1764. * on this exit relay */
  1765. policies_parse_exit_policy_reject_private(dest, ipv6_exit,
  1766. configured_addresses,
  1767. reject_interface_addresses,
  1768. reject_configured_port_addresses);
  1769. if (parse_addr_policy(cfg, dest, -1))
  1770. return -1;
  1771. /* Before we add the default policy and final rejects, check to see if
  1772. * there are any lines after accept *:* or reject *:*. These lines have no
  1773. * effect, and are most likely an error. */
  1774. policies_log_first_redundant_entry(*dest);
  1775. if (add_reduced_policy) {
  1776. append_exit_policy_string(dest, REDUCED_EXIT_POLICY);
  1777. } else if (add_default_policy) {
  1778. append_exit_policy_string(dest, DEFAULT_EXIT_POLICY);
  1779. } else {
  1780. append_exit_policy_string(dest, "reject *4:*");
  1781. append_exit_policy_string(dest, "reject *6:*");
  1782. }
  1783. exit_policy_remove_redundancies(*dest);
  1784. return 0;
  1785. }
  1786. /** Parse exit policy in <b>cfg</b> into <b>dest</b> smartlist.
  1787. *
  1788. * Prepend an entry that rejects all IPv6 destinations unless
  1789. * <b>EXIT_POLICY_IPV6_ENABLED</b> bit is set in <b>options</b> bitmask.
  1790. *
  1791. * If <b>EXIT_POLICY_REJECT_PRIVATE</b> bit is set in <b>options</b>:
  1792. * - prepend an entry that rejects all destinations in all netblocks
  1793. * reserved for private use.
  1794. * - prepend entries that reject the advertised relay addresses in
  1795. * configured_addresses
  1796. * If <b>EXIT_POLICY_REJECT_LOCAL_INTERFACES</b> bit is set in <b>options</b>:
  1797. * - prepend entries that reject publicly routable addresses on this exit
  1798. * relay by calling policies_parse_exit_policy_internal
  1799. * - prepend entries that reject the outbound bind addresses in
  1800. * configured_addresses
  1801. * - prepend entries that reject all configured port addresses
  1802. *
  1803. * If <b>EXIT_POLICY_ADD_DEFAULT</b> bit is set in <b>options</b>, append
  1804. * default exit policy entries to <b>result</b> smartlist.
  1805. */
  1806. int
  1807. policies_parse_exit_policy(config_line_t *cfg, smartlist_t **dest,
  1808. exit_policy_parser_cfg_t options,
  1809. const smartlist_t *configured_addresses)
  1810. {
  1811. int ipv6_enabled = (options & EXIT_POLICY_IPV6_ENABLED) ? 1 : 0;
  1812. int reject_private = (options & EXIT_POLICY_REJECT_PRIVATE) ? 1 : 0;
  1813. int add_default = (options & EXIT_POLICY_ADD_DEFAULT) ? 1 : 0;
  1814. int reject_local_interfaces = (options &
  1815. EXIT_POLICY_REJECT_LOCAL_INTERFACES) ? 1 : 0;
  1816. int add_reduced = (options & EXIT_POLICY_ADD_REDUCED) ? 1 : 0;
  1817. return policies_parse_exit_policy_internal(cfg,dest,ipv6_enabled,
  1818. reject_private,
  1819. configured_addresses,
  1820. reject_local_interfaces,
  1821. reject_local_interfaces,
  1822. add_default,
  1823. add_reduced);
  1824. }
  1825. /** Helper function that adds a copy of addr to a smartlist as long as it is
  1826. * non-NULL and not tor_addr_is_null().
  1827. *
  1828. * The caller is responsible for freeing all the tor_addr_t* in the smartlist.
  1829. */
  1830. static void
  1831. policies_copy_addr_to_smartlist(smartlist_t *addr_list, const tor_addr_t *addr)
  1832. {
  1833. if (addr && !tor_addr_is_null(addr)) {
  1834. tor_addr_t *addr_copy = tor_malloc(sizeof(tor_addr_t));
  1835. tor_addr_copy(addr_copy, addr);
  1836. smartlist_add(addr_list, addr_copy);
  1837. }
  1838. }
  1839. /** Helper function that adds ipv4h_addr to a smartlist as a tor_addr_t *,
  1840. * as long as it is not tor_addr_is_null(), by converting it to a tor_addr_t
  1841. * and passing it to policies_add_addr_to_smartlist.
  1842. *
  1843. * The caller is responsible for freeing all the tor_addr_t* in the smartlist.
  1844. */
  1845. static void
  1846. policies_copy_ipv4h_to_smartlist(smartlist_t *addr_list, uint32_t ipv4h_addr)
  1847. {
  1848. if (ipv4h_addr) {
  1849. tor_addr_t ipv4_tor_addr;
  1850. tor_addr_from_ipv4h(&ipv4_tor_addr, ipv4h_addr);
  1851. policies_copy_addr_to_smartlist(addr_list, &ipv4_tor_addr);
  1852. }
  1853. }
  1854. /** Helper function that adds copies of or_options->OutboundBindAddresses
  1855. * to a smartlist as tor_addr_t *, as long as or_options is non-NULL, and
  1856. * the addresses are not tor_addr_is_null(), by passing them to
  1857. * policies_add_addr_to_smartlist.
  1858. *
  1859. * The caller is responsible for freeing all the tor_addr_t* in the smartlist.
  1860. */
  1861. static void
  1862. policies_copy_outbound_addresses_to_smartlist(smartlist_t *addr_list,
  1863. const or_options_t *or_options)
  1864. {
  1865. if (or_options) {
  1866. for (int i=0;i<OUTBOUND_ADDR_MAX;i++) {
  1867. for (int j=0;j<2;j++) {
  1868. if (!tor_addr_is_null(&or_options->OutboundBindAddresses[i][j])) {
  1869. policies_copy_addr_to_smartlist(addr_list,
  1870. &or_options->OutboundBindAddresses[i][j]);
  1871. }
  1872. }
  1873. }
  1874. }
  1875. }
  1876. /** Parse <b>ExitPolicy</b> member of <b>or_options</b> into <b>result</b>
  1877. * smartlist.
  1878. * If <b>or_options->IPv6Exit</b> is false, prepend an entry that
  1879. * rejects all IPv6 destinations.
  1880. *
  1881. * If <b>or_options->ExitPolicyRejectPrivate</b> is true:
  1882. * - prepend an entry that rejects all destinations in all netblocks reserved
  1883. * for private use.
  1884. * - if local_address is non-zero, treat it as a host-order IPv4 address, and
  1885. * add it to the list of configured addresses.
  1886. * - if ipv6_local_address is non-NULL, and not the null tor_addr_t, add it
  1887. * to the list of configured addresses.
  1888. * If <b>or_options->ExitPolicyRejectLocalInterfaces</b> is true:
  1889. * - if or_options->OutboundBindAddresses[][0] (=IPv4) is not the null
  1890. * tor_addr_t, add it to the list of configured addresses.
  1891. * - if or_options->OutboundBindAddresses[][1] (=IPv6) is not the null
  1892. * tor_addr_t, add it to the list of configured addresses.
  1893. *
  1894. * If <b>or_options->BridgeRelay</b> is false, append entries of default
  1895. * Tor exit policy into <b>result</b> smartlist.
  1896. *
  1897. * If or_options->ExitRelay is false, then make our exit policy into
  1898. * "reject *:*" regardless.
  1899. */
  1900. int
  1901. policies_parse_exit_policy_from_options(const or_options_t *or_options,
  1902. uint32_t local_address,
  1903. const tor_addr_t *ipv6_local_address,
  1904. smartlist_t **result)
  1905. {
  1906. exit_policy_parser_cfg_t parser_cfg = 0;
  1907. smartlist_t *configured_addresses = NULL;
  1908. int rv = 0;
  1909. /* Short-circuit for non-exit relays */
  1910. if (or_options->ExitRelay == 0) {
  1911. append_exit_policy_string(result, "reject *4:*");
  1912. append_exit_policy_string(result, "reject *6:*");
  1913. return 0;
  1914. }
  1915. configured_addresses = smartlist_new();
  1916. /* Configure the parser */
  1917. if (or_options->IPv6Exit) {
  1918. parser_cfg |= EXIT_POLICY_IPV6_ENABLED;
  1919. }
  1920. if (or_options->ExitPolicyRejectPrivate) {
  1921. parser_cfg |= EXIT_POLICY_REJECT_PRIVATE;
  1922. }
  1923. if (!or_options->BridgeRelay) {
  1924. if (or_options->ReducedExitPolicy)
  1925. parser_cfg |= EXIT_POLICY_ADD_REDUCED;
  1926. else
  1927. parser_cfg |= EXIT_POLICY_ADD_DEFAULT;
  1928. }
  1929. if (or_options->ExitPolicyRejectLocalInterfaces) {
  1930. parser_cfg |= EXIT_POLICY_REJECT_LOCAL_INTERFACES;
  1931. }
  1932. /* Copy the configured addresses into the tor_addr_t* list */
  1933. if (or_options->ExitPolicyRejectPrivate) {
  1934. policies_copy_ipv4h_to_smartlist(configured_addresses, local_address);
  1935. policies_copy_addr_to_smartlist(configured_addresses, ipv6_local_address);
  1936. }
  1937. if (or_options->ExitPolicyRejectLocalInterfaces) {
  1938. policies_copy_outbound_addresses_to_smartlist(configured_addresses,
  1939. or_options);
  1940. }
  1941. rv = policies_parse_exit_policy(or_options->ExitPolicy, result, parser_cfg,
  1942. configured_addresses);
  1943. SMARTLIST_FOREACH(configured_addresses, tor_addr_t *, a, tor_free(a));
  1944. smartlist_free(configured_addresses);
  1945. return rv;
  1946. }
  1947. /** Add "reject *:*" to the end of the policy in *<b>dest</b>, allocating
  1948. * *<b>dest</b> as needed. */
  1949. void
  1950. policies_exit_policy_append_reject_star(smartlist_t **dest)
  1951. {
  1952. append_exit_policy_string(dest, "reject *4:*");
  1953. append_exit_policy_string(dest, "reject *6:*");
  1954. }
  1955. /** Replace the exit policy of <b>node</b> with reject *:* */
  1956. void
  1957. policies_set_node_exitpolicy_to_reject_all(node_t *node)
  1958. {
  1959. node->rejects_all = 1;
  1960. }
  1961. /** Return 1 if there is at least one /8 subnet in <b>policy</b> that
  1962. * allows exiting to <b>port</b>. Otherwise, return 0. */
  1963. static int
  1964. exit_policy_is_general_exit_helper(smartlist_t *policy, int port)
  1965. {
  1966. uint32_t mask, ip, i;
  1967. /* Is this /8 rejected (1), or undecided (0)? */
  1968. char subnet_status[256];
  1969. memset(subnet_status, 0, sizeof(subnet_status));
  1970. SMARTLIST_FOREACH_BEGIN(policy, addr_policy_t *, p) {
  1971. if (tor_addr_family(&p->addr) != AF_INET)
  1972. continue; /* IPv4 only for now */
  1973. if (p->prt_min > port || p->prt_max < port)
  1974. continue; /* Doesn't cover our port. */
  1975. mask = 0;
  1976. tor_assert(p->maskbits <= 32);
  1977. if (p->maskbits)
  1978. mask = UINT32_MAX<<(32-p->maskbits);
  1979. ip = tor_addr_to_ipv4h(&p->addr);
  1980. /* Calculate the first and last subnet that this exit policy touches
  1981. * and set it as loop boundaries. */
  1982. for (i = ((mask & ip)>>24); i <= (~((mask & ip) ^ mask)>>24); ++i) {
  1983. tor_addr_t addr;
  1984. if (subnet_status[i] != 0)
  1985. continue; /* We already reject some part of this /8 */
  1986. tor_addr_from_ipv4h(&addr, i<<24);
  1987. if (tor_addr_is_internal(&addr, 0) &&
  1988. !get_options()->DirAllowPrivateAddresses) {
  1989. continue; /* Local or non-routable addresses */
  1990. }
  1991. if (p->policy_type == ADDR_POLICY_ACCEPT) {
  1992. if (p->maskbits > 8)
  1993. continue; /* Narrower than a /8. */
  1994. /* We found an allowed subnet of at least size /8. Done
  1995. * for this port! */
  1996. return 1;
  1997. } else if (p->policy_type == ADDR_POLICY_REJECT) {
  1998. subnet_status[i] = 1;
  1999. }
  2000. }
  2001. } SMARTLIST_FOREACH_END(p);
  2002. return 0;
  2003. }
  2004. /** Return true iff <b>ri</b> is "useful as an exit node", meaning
  2005. * it allows exit to at least one /8 address space for each of ports 80
  2006. * and 443. */
  2007. int
  2008. exit_policy_is_general_exit(smartlist_t *policy)
  2009. {
  2010. if (!policy) /*XXXX disallow NULL policies? */
  2011. return 0;
  2012. return (exit_policy_is_general_exit_helper(policy, 80) &&
  2013. exit_policy_is_general_exit_helper(policy, 443));
  2014. }
  2015. /** Return false if <b>policy</b> might permit access to some addr:port;
  2016. * otherwise if we are certain it rejects everything, return true. If no
  2017. * part of <b>policy</b> matches, return <b>default_reject</b>.
  2018. * NULL policies are allowed, and treated as empty. */
  2019. int
  2020. policy_is_reject_star(const smartlist_t *policy, sa_family_t family,
  2021. int default_reject)
  2022. {
  2023. if (!policy)
  2024. return default_reject;
  2025. SMARTLIST_FOREACH_BEGIN(policy, const addr_policy_t *, p) {
  2026. if (p->policy_type == ADDR_POLICY_ACCEPT &&
  2027. (tor_addr_family(&p->addr) == family ||
  2028. tor_addr_family(&p->addr) == AF_UNSPEC)) {
  2029. return 0;
  2030. } else if (p->policy_type == ADDR_POLICY_REJECT &&
  2031. p->prt_min <= 1 && p->prt_max == 65535 &&
  2032. p->maskbits == 0 &&
  2033. (tor_addr_family(&p->addr) == family ||
  2034. tor_addr_family(&p->addr) == AF_UNSPEC)) {
  2035. return 1;
  2036. }
  2037. } SMARTLIST_FOREACH_END(p);
  2038. return default_reject;
  2039. }
  2040. /** Write a single address policy to the buf_len byte buffer at buf. Return
  2041. * the number of characters written, or -1 on failure. */
  2042. int
  2043. policy_write_item(char *buf, size_t buflen, const addr_policy_t *policy,
  2044. int format_for_desc)
  2045. {
  2046. size_t written = 0;
  2047. char addrbuf[TOR_ADDR_BUF_LEN];
  2048. const char *addrpart;
  2049. int result;
  2050. const int is_accept = policy->policy_type == ADDR_POLICY_ACCEPT;
  2051. const sa_family_t family = tor_addr_family(&policy->addr);
  2052. const int is_ip6 = (family == AF_INET6);
  2053. tor_addr_to_str(addrbuf, &policy->addr, sizeof(addrbuf), 1);
  2054. /* write accept/reject 1.2.3.4 */
  2055. if (policy->is_private) {
  2056. addrpart = "private";
  2057. } else if (policy->maskbits == 0) {
  2058. if (format_for_desc)
  2059. addrpart = "*";
  2060. else if (family == AF_INET6)
  2061. addrpart = "*6";
  2062. else if (family == AF_INET)
  2063. addrpart = "*4";
  2064. else
  2065. addrpart = "*";
  2066. } else {
  2067. addrpart = addrbuf;
  2068. }
  2069. result = tor_snprintf(buf, buflen, "%s%s %s",
  2070. is_accept ? "accept" : "reject",
  2071. (is_ip6&&format_for_desc)?"6":"",
  2072. addrpart);
  2073. if (result < 0)
  2074. return -1;
  2075. written += strlen(buf);
  2076. /* If the maskbits is 32 (IPv4) or 128 (IPv6) we don't need to give it. If
  2077. the mask is 0, we already wrote "*". */
  2078. if (policy->maskbits < (is_ip6?128:32) && policy->maskbits > 0) {
  2079. if (tor_snprintf(buf+written, buflen-written, "/%d", policy->maskbits)<0)
  2080. return -1;
  2081. written += strlen(buf+written);
  2082. }
  2083. if (policy->prt_min <= 1 && policy->prt_max == 65535) {
  2084. /* There is no port set; write ":*" */
  2085. if (written+4 > buflen)
  2086. return -1;
  2087. strlcat(buf+written, ":*", buflen-written);
  2088. written += 2;
  2089. } else if (policy->prt_min == policy->prt_max) {
  2090. /* There is only one port; write ":80". */
  2091. result = tor_snprintf(buf+written, buflen-written, ":%d", policy->prt_min);
  2092. if (result<0)
  2093. return -1;
  2094. written += result;
  2095. } else {
  2096. /* There is a range of ports; write ":79-80". */
  2097. result = tor_snprintf(buf+written, buflen-written, ":%d-%d",
  2098. policy->prt_min, policy->prt_max);
  2099. if (result<0)
  2100. return -1;
  2101. written += result;
  2102. }
  2103. if (written < buflen)
  2104. buf[written] = '\0';
  2105. else
  2106. return -1;
  2107. return (int)written;
  2108. }
  2109. /** Create a new exit policy summary, initially only with a single
  2110. * port 1-64k item */
  2111. /* XXXX This entire thing will do most stuff in O(N^2), or worse. Use an
  2112. * RB-tree if that turns out to matter. */
  2113. static smartlist_t *
  2114. policy_summary_create(void)
  2115. {
  2116. smartlist_t *summary;
  2117. policy_summary_item_t* item;
  2118. item = tor_malloc_zero(sizeof(policy_summary_item_t));
  2119. item->prt_min = 1;
  2120. item->prt_max = 65535;
  2121. item->reject_count = 0;
  2122. item->accepted = 0;
  2123. summary = smartlist_new();
  2124. smartlist_add(summary, item);
  2125. return summary;
  2126. }
  2127. /** Split the summary item in <b>item</b> at the port <b>new_starts</b>.
  2128. * The current item is changed to end at new-starts - 1, the new item
  2129. * copies reject_count and accepted from the old item,
  2130. * starts at new_starts and ends at the port where the original item
  2131. * previously ended.
  2132. */
  2133. static policy_summary_item_t*
  2134. policy_summary_item_split(policy_summary_item_t* old, uint16_t new_starts)
  2135. {
  2136. policy_summary_item_t* new;
  2137. new = tor_malloc_zero(sizeof(policy_summary_item_t));
  2138. new->prt_min = new_starts;
  2139. new->prt_max = old->prt_max;
  2140. new->reject_count = old->reject_count;
  2141. new->accepted = old->accepted;
  2142. old->prt_max = new_starts-1;
  2143. tor_assert(old->prt_min <= old->prt_max);
  2144. tor_assert(new->prt_min <= new->prt_max);
  2145. return new;
  2146. }
  2147. /* XXXX Nick says I'm going to hell for this. If he feels charitably towards
  2148. * my immortal soul, he can clean it up himself. */
  2149. #define AT(x) ((policy_summary_item_t*)smartlist_get(summary, x))
  2150. #define IPV4_BITS (32)
  2151. /* Every IPv4 address is counted as one rejection */
  2152. #define REJECT_CUTOFF_SCALE_IPV4 (0)
  2153. /* Ports are rejected in an IPv4 summary if they are rejected in more than two
  2154. * IPv4 /8 address blocks */
  2155. #define REJECT_CUTOFF_COUNT_IPV4 (U64_LITERAL(1) << \
  2156. (IPV4_BITS - REJECT_CUTOFF_SCALE_IPV4 - 7))
  2157. #define IPV6_BITS (128)
  2158. /* IPv6 /64s are counted as one rejection, anything smaller is ignored */
  2159. #define REJECT_CUTOFF_SCALE_IPV6 (64)
  2160. /* Ports are rejected in an IPv6 summary if they are rejected in more than one
  2161. * IPv6 /16 address block.
  2162. * This is rougly equivalent to the IPv4 cutoff, as only five IPv6 /12s (and
  2163. * some scattered smaller blocks) have been allocated to the RIRs.
  2164. * Network providers are typically allocated one or more IPv6 /32s.
  2165. */
  2166. #define REJECT_CUTOFF_COUNT_IPV6 (U64_LITERAL(1) << \
  2167. (IPV6_BITS - REJECT_CUTOFF_SCALE_IPV6 - 16))
  2168. /** Split an exit policy summary so that prt_min and prt_max
  2169. * fall at exactly the start and end of an item respectively.
  2170. */
  2171. static int
  2172. policy_summary_split(smartlist_t *summary,
  2173. uint16_t prt_min, uint16_t prt_max)
  2174. {
  2175. int start_at_index;
  2176. int i = 0;
  2177. while (AT(i)->prt_max < prt_min)
  2178. i++;
  2179. if (AT(i)->prt_min != prt_min) {
  2180. policy_summary_item_t* new_item;
  2181. new_item = policy_summary_item_split(AT(i), prt_min);
  2182. smartlist_insert(summary, i+1, new_item);
  2183. i++;
  2184. }
  2185. start_at_index = i;
  2186. while (AT(i)->prt_max < prt_max)
  2187. i++;
  2188. if (AT(i)->prt_max != prt_max) {
  2189. policy_summary_item_t* new_item;
  2190. new_item = policy_summary_item_split(AT(i), prt_max+1);
  2191. smartlist_insert(summary, i+1, new_item);
  2192. }
  2193. return start_at_index;
  2194. }
  2195. /** Mark port ranges as accepted if they are below the reject_count for family
  2196. */
  2197. static void
  2198. policy_summary_accept(smartlist_t *summary,
  2199. uint16_t prt_min, uint16_t prt_max,
  2200. sa_family_t family)
  2201. {
  2202. tor_assert_nonfatal_once(family == AF_INET || family == AF_INET6);
  2203. uint64_t family_reject_count = ((family == AF_INET) ?
  2204. REJECT_CUTOFF_COUNT_IPV4 :
  2205. REJECT_CUTOFF_COUNT_IPV6);
  2206. int i = policy_summary_split(summary, prt_min, prt_max);
  2207. while (i < smartlist_len(summary) &&
  2208. AT(i)->prt_max <= prt_max) {
  2209. if (!AT(i)->accepted &&
  2210. AT(i)->reject_count <= family_reject_count)
  2211. AT(i)->accepted = 1;
  2212. i++;
  2213. }
  2214. tor_assert(i < smartlist_len(summary) || prt_max==65535);
  2215. }
  2216. /** Count the number of addresses in a network in family with prefixlen
  2217. * maskbits against the given portrange. */
  2218. static void
  2219. policy_summary_reject(smartlist_t *summary,
  2220. maskbits_t maskbits,
  2221. uint16_t prt_min, uint16_t prt_max,
  2222. sa_family_t family)
  2223. {
  2224. tor_assert_nonfatal_once(family == AF_INET || family == AF_INET6);
  2225. int i = policy_summary_split(summary, prt_min, prt_max);
  2226. /* The length of a single address mask */
  2227. int addrbits = (family == AF_INET) ? IPV4_BITS : IPV6_BITS;
  2228. tor_assert_nonfatal_once(addrbits >= maskbits);
  2229. /* We divide IPv6 address counts by (1 << scale) to keep them in a uint64_t
  2230. */
  2231. int scale = ((family == AF_INET) ?
  2232. REJECT_CUTOFF_SCALE_IPV4 :
  2233. REJECT_CUTOFF_SCALE_IPV6);
  2234. tor_assert_nonfatal_once(addrbits >= scale);
  2235. if (maskbits > (addrbits - scale)) {
  2236. tor_assert_nonfatal_once(family == AF_INET6);
  2237. /* The address range is so small, we'd need billions of them to reach the
  2238. * rejection limit. So we ignore this range in the reject count. */
  2239. return;
  2240. }
  2241. uint64_t count = 0;
  2242. if (addrbits - scale - maskbits >= 64) {
  2243. tor_assert_nonfatal_once(family == AF_INET6);
  2244. /* The address range is so large, it's an automatic rejection for all ports
  2245. * in the range. */
  2246. count = UINT64_MAX;
  2247. } else {
  2248. count = (U64_LITERAL(1) << (addrbits - scale - maskbits));
  2249. }
  2250. tor_assert_nonfatal_once(count > 0);
  2251. while (i < smartlist_len(summary) &&
  2252. AT(i)->prt_max <= prt_max) {
  2253. if (AT(i)->reject_count <= UINT64_MAX - count) {
  2254. AT(i)->reject_count += count;
  2255. } else {
  2256. /* IPv4 would require a 4-billion address redundant policy to get here,
  2257. * but IPv6 just needs to have ::/0 */
  2258. if (family == AF_INET) {
  2259. tor_assert_nonfatal_unreached_once();
  2260. }
  2261. /* If we do get here, use saturating arithmetic */
  2262. AT(i)->reject_count = UINT64_MAX;
  2263. }
  2264. i++;
  2265. }
  2266. tor_assert(i < smartlist_len(summary) || prt_max==65535);
  2267. }
  2268. /** Add a single exit policy item to our summary:
  2269. *
  2270. * If it is an accept, ignore it unless it is for all IP addresses
  2271. * ("*", i.e. its prefixlen/maskbits is 0). Otherwise call
  2272. * policy_summary_accept().
  2273. *
  2274. * If it is a reject, ignore it if it is about one of the private
  2275. * networks. Otherwise call policy_summary_reject().
  2276. */
  2277. static void
  2278. policy_summary_add_item(smartlist_t *summary, addr_policy_t *p)
  2279. {
  2280. if (p->policy_type == ADDR_POLICY_ACCEPT) {
  2281. if (p->maskbits == 0) {
  2282. policy_summary_accept(summary, p->prt_min, p->prt_max, p->addr.family);
  2283. }
  2284. } else if (p->policy_type == ADDR_POLICY_REJECT) {
  2285. int is_private = 0;
  2286. int i;
  2287. for (i = 0; private_nets[i]; ++i) {
  2288. tor_addr_t addr;
  2289. maskbits_t maskbits;
  2290. if (tor_addr_parse_mask_ports(private_nets[i], 0, &addr,
  2291. &maskbits, NULL, NULL)<0) {
  2292. tor_assert(0);
  2293. }
  2294. if (tor_addr_compare(&p->addr, &addr, CMP_EXACT) == 0 &&
  2295. p->maskbits == maskbits) {
  2296. is_private = 1;
  2297. break;
  2298. }
  2299. }
  2300. if (!is_private) {
  2301. policy_summary_reject(summary, p->maskbits, p->prt_min, p->prt_max,
  2302. p->addr.family);
  2303. }
  2304. } else
  2305. tor_assert(0);
  2306. }
  2307. /** Create a string representing a summary for an exit policy.
  2308. * The summary will either be an "accept" plus a comma-separated list of port
  2309. * ranges or a "reject" plus port-ranges, depending on which is shorter.
  2310. *
  2311. * If no exits are allowed at all then "reject 1-65535" is returned. If no
  2312. * ports are blocked instead of "reject " we return "accept 1-65535". (These
  2313. * are an exception to the shorter-representation-wins rule).
  2314. */
  2315. char *
  2316. policy_summarize(smartlist_t *policy, sa_family_t family)
  2317. {
  2318. smartlist_t *summary = policy_summary_create();
  2319. smartlist_t *accepts, *rejects;
  2320. int i, last, start_prt;
  2321. size_t accepts_len, rejects_len;
  2322. char *accepts_str = NULL, *rejects_str = NULL, *shorter_str, *result;
  2323. const char *prefix;
  2324. tor_assert(policy);
  2325. /* Create the summary list */
  2326. SMARTLIST_FOREACH_BEGIN(policy, addr_policy_t *, p) {
  2327. sa_family_t f = tor_addr_family(&p->addr);
  2328. if (f != AF_INET && f != AF_INET6) {
  2329. log_warn(LD_BUG, "Weird family when summarizing address policy");
  2330. }
  2331. if (f != family)
  2332. continue;
  2333. policy_summary_add_item(summary, p);
  2334. } SMARTLIST_FOREACH_END(p);
  2335. /* Now create two lists of strings, one for accepted and one
  2336. * for rejected ports. We take care to merge ranges so that
  2337. * we avoid getting stuff like "1-4,5-9,10", instead we want
  2338. * "1-10"
  2339. */
  2340. i = 0;
  2341. start_prt = 1;
  2342. accepts = smartlist_new();
  2343. rejects = smartlist_new();
  2344. while (1) {
  2345. last = i == smartlist_len(summary)-1;
  2346. if (last ||
  2347. AT(i)->accepted != AT(i+1)->accepted) {
  2348. char buf[POLICY_BUF_LEN];
  2349. if (start_prt == AT(i)->prt_max)
  2350. tor_snprintf(buf, sizeof(buf), "%d", start_prt);
  2351. else
  2352. tor_snprintf(buf, sizeof(buf), "%d-%d", start_prt, AT(i)->prt_max);
  2353. if (AT(i)->accepted)
  2354. smartlist_add_strdup(accepts, buf);
  2355. else
  2356. smartlist_add_strdup(rejects, buf);
  2357. if (last)
  2358. break;
  2359. start_prt = AT(i+1)->prt_min;
  2360. };
  2361. i++;
  2362. };
  2363. /* Figure out which of the two stringlists will be shorter and use
  2364. * that to build the result
  2365. */
  2366. if (smartlist_len(accepts) == 0) { /* no exits at all */
  2367. result = tor_strdup("reject 1-65535");
  2368. goto cleanup;
  2369. }
  2370. if (smartlist_len(rejects) == 0) { /* no rejects at all */
  2371. result = tor_strdup("accept 1-65535");
  2372. goto cleanup;
  2373. }
  2374. accepts_str = smartlist_join_strings(accepts, ",", 0, &accepts_len);
  2375. rejects_str = smartlist_join_strings(rejects, ",", 0, &rejects_len);
  2376. if (rejects_len > MAX_EXITPOLICY_SUMMARY_LEN-strlen("reject")-1 &&
  2377. accepts_len > MAX_EXITPOLICY_SUMMARY_LEN-strlen("accept")-1) {
  2378. char *c;
  2379. shorter_str = accepts_str;
  2380. prefix = "accept";
  2381. c = shorter_str + (MAX_EXITPOLICY_SUMMARY_LEN-strlen(prefix)-1);
  2382. while (*c != ',' && c >= shorter_str)
  2383. c--;
  2384. tor_assert(c >= shorter_str);
  2385. tor_assert(*c == ',');
  2386. *c = '\0';
  2387. } else if (rejects_len < accepts_len) {
  2388. shorter_str = rejects_str;
  2389. prefix = "reject";
  2390. } else {
  2391. shorter_str = accepts_str;
  2392. prefix = "accept";
  2393. }
  2394. tor_asprintf(&result, "%s %s", prefix, shorter_str);
  2395. cleanup:
  2396. /* cleanup */
  2397. SMARTLIST_FOREACH(summary, policy_summary_item_t *, s, tor_free(s));
  2398. smartlist_free(summary);
  2399. tor_free(accepts_str);
  2400. SMARTLIST_FOREACH(accepts, char *, s, tor_free(s));
  2401. smartlist_free(accepts);
  2402. tor_free(rejects_str);
  2403. SMARTLIST_FOREACH(rejects, char *, s, tor_free(s));
  2404. smartlist_free(rejects);
  2405. return result;
  2406. }
  2407. /** Convert a summarized policy string into a short_policy_t. Return NULL
  2408. * if the string is not well-formed. */
  2409. short_policy_t *
  2410. parse_short_policy(const char *summary)
  2411. {
  2412. const char *orig_summary = summary;
  2413. short_policy_t *result;
  2414. int is_accept;
  2415. int n_entries;
  2416. short_policy_entry_t entries[MAX_EXITPOLICY_SUMMARY_LEN]; /* overkill */
  2417. const char *next;
  2418. if (!strcmpstart(summary, "accept ")) {
  2419. is_accept = 1;
  2420. summary += strlen("accept ");
  2421. } else if (!strcmpstart(summary, "reject ")) {
  2422. is_accept = 0;
  2423. summary += strlen("reject ");
  2424. } else {
  2425. log_fn(LOG_PROTOCOL_WARN, LD_DIR, "Unrecognized policy summary keyword");
  2426. return NULL;
  2427. }
  2428. n_entries = 0;
  2429. for ( ; *summary; summary = next) {
  2430. const char *comma = strchr(summary, ',');
  2431. unsigned low, high;
  2432. char dummy;
  2433. char ent_buf[32];
  2434. size_t len;
  2435. next = comma ? comma+1 : strchr(summary, '\0');
  2436. len = comma ? (size_t)(comma - summary) : strlen(summary);
  2437. if (n_entries == MAX_EXITPOLICY_SUMMARY_LEN) {
  2438. log_fn(LOG_PROTOCOL_WARN, LD_DIR, "Impossibly long policy summary %s",
  2439. escaped(orig_summary));
  2440. return NULL;
  2441. }
  2442. if (! TOR_ISDIGIT(*summary) || len > (sizeof(ent_buf)-1)) {
  2443. /* unrecognized entry format. skip it. */
  2444. continue;
  2445. }
  2446. if (len < 1) {
  2447. /* empty; skip it. */
  2448. /* XXX This happens to be unreachable, since if len==0, then *summary is
  2449. * ',' or '\0', and the TOR_ISDIGIT test above would have failed. */
  2450. continue;
  2451. }
  2452. memcpy(ent_buf, summary, len);
  2453. ent_buf[len] = '\0';
  2454. if (tor_sscanf(ent_buf, "%u-%u%c", &low, &high, &dummy) == 2) {
  2455. if (low<1 || low>65535 || high<1 || high>65535 || low>high) {
  2456. log_fn(LOG_PROTOCOL_WARN, LD_DIR,
  2457. "Found bad entry in policy summary %s", escaped(orig_summary));
  2458. return NULL;
  2459. }
  2460. } else if (tor_sscanf(ent_buf, "%u%c", &low, &dummy) == 1) {
  2461. if (low<1 || low>65535) {
  2462. log_fn(LOG_PROTOCOL_WARN, LD_DIR,
  2463. "Found bad entry in policy summary %s", escaped(orig_summary));
  2464. return NULL;
  2465. }
  2466. high = low;
  2467. } else {
  2468. log_fn(LOG_PROTOCOL_WARN, LD_DIR,"Found bad entry in policy summary %s",
  2469. escaped(orig_summary));
  2470. return NULL;
  2471. }
  2472. entries[n_entries].min_port = low;
  2473. entries[n_entries].max_port = high;
  2474. n_entries++;
  2475. }
  2476. if (n_entries == 0) {
  2477. log_fn(LOG_PROTOCOL_WARN, LD_DIR,
  2478. "Found no port-range entries in summary %s", escaped(orig_summary));
  2479. return NULL;
  2480. }
  2481. {
  2482. size_t size = offsetof(short_policy_t, entries) +
  2483. sizeof(short_policy_entry_t)*(n_entries);
  2484. result = tor_malloc_zero(size);
  2485. tor_assert( (char*)&result->entries[n_entries-1] < ((char*)result)+size);
  2486. }
  2487. result->is_accept = is_accept;
  2488. result->n_entries = n_entries;
  2489. memcpy(result->entries, entries, sizeof(short_policy_entry_t)*n_entries);
  2490. return result;
  2491. }
  2492. /** Write <b>policy</b> back out into a string. */
  2493. char *
  2494. write_short_policy(const short_policy_t *policy)
  2495. {
  2496. int i;
  2497. char *answer;
  2498. smartlist_t *sl = smartlist_new();
  2499. smartlist_add_asprintf(sl, "%s", policy->is_accept ? "accept " : "reject ");
  2500. for (i=0; i < policy->n_entries; i++) {
  2501. const short_policy_entry_t *e = &policy->entries[i];
  2502. if (e->min_port == e->max_port) {
  2503. smartlist_add_asprintf(sl, "%d", e->min_port);
  2504. } else {
  2505. smartlist_add_asprintf(sl, "%d-%d", e->min_port, e->max_port);
  2506. }
  2507. if (i < policy->n_entries-1)
  2508. smartlist_add_strdup(sl, ",");
  2509. }
  2510. answer = smartlist_join_strings(sl, "", 0, NULL);
  2511. SMARTLIST_FOREACH(sl, char *, a, tor_free(a));
  2512. smartlist_free(sl);
  2513. return answer;
  2514. }
  2515. /** Release all storage held in <b>policy</b>. */
  2516. void
  2517. short_policy_free(short_policy_t *policy)
  2518. {
  2519. tor_free(policy);
  2520. }
  2521. /** See whether the <b>addr</b>:<b>port</b> address is likely to be accepted
  2522. * or rejected by the summarized policy <b>policy</b>. Return values are as
  2523. * for compare_tor_addr_to_addr_policy. Unlike the regular addr_policy
  2524. * functions, requires the <b>port</b> be specified. */
  2525. addr_policy_result_t
  2526. compare_tor_addr_to_short_policy(const tor_addr_t *addr, uint16_t port,
  2527. const short_policy_t *policy)
  2528. {
  2529. int i;
  2530. int found_match = 0;
  2531. int accept_;
  2532. tor_assert(port != 0);
  2533. if (addr && tor_addr_is_null(addr))
  2534. addr = NULL; /* Unspec means 'no address at all,' in this context. */
  2535. if (addr && get_options()->ClientRejectInternalAddresses &&
  2536. (tor_addr_is_internal(addr, 0) || tor_addr_is_loopback(addr)))
  2537. return ADDR_POLICY_REJECTED;
  2538. for (i=0; i < policy->n_entries; ++i) {
  2539. const short_policy_entry_t *e = &policy->entries[i];
  2540. if (e->min_port <= port && port <= e->max_port) {
  2541. found_match = 1;
  2542. break;
  2543. }
  2544. }
  2545. if (found_match)
  2546. accept_ = policy->is_accept;
  2547. else
  2548. accept_ = ! policy->is_accept;
  2549. /* ???? are these right? -NM */
  2550. /* We should be sure not to return ADDR_POLICY_ACCEPTED in the accept
  2551. * case here, because it would cause clients to believe that the node
  2552. * allows exit enclaving. Trying it anyway would open up a cool attack
  2553. * where the node refuses due to exitpolicy, the client reacts in
  2554. * surprise by rewriting the node's exitpolicy to reject *:*, and then
  2555. * an adversary targets users by causing them to attempt such connections
  2556. * to 98% of the exits.
  2557. *
  2558. * Once microdescriptors can handle addresses in special cases (e.g. if
  2559. * we ever solve ticket 1774), we can provide certainty here. -RD */
  2560. if (accept_)
  2561. return ADDR_POLICY_PROBABLY_ACCEPTED;
  2562. else
  2563. return ADDR_POLICY_REJECTED;
  2564. }
  2565. /** Return true iff <b>policy</b> seems reject all ports */
  2566. int
  2567. short_policy_is_reject_star(const short_policy_t *policy)
  2568. {
  2569. /* This doesn't need to be as much on the lookout as policy_is_reject_star,
  2570. * since policy summaries are from the consensus or from consensus
  2571. * microdescs.
  2572. */
  2573. tor_assert(policy);
  2574. /* Check for an exact match of "reject 1-65535". */
  2575. return (policy->is_accept == 0 && policy->n_entries == 1 &&
  2576. policy->entries[0].min_port == 1 &&
  2577. policy->entries[0].max_port == 65535);
  2578. }
  2579. /** Decide whether addr:port is probably or definitely accepted or rejected by
  2580. * <b>node</b>. See compare_tor_addr_to_addr_policy for details on addr/port
  2581. * interpretation. */
  2582. addr_policy_result_t
  2583. compare_tor_addr_to_node_policy(const tor_addr_t *addr, uint16_t port,
  2584. const node_t *node)
  2585. {
  2586. if (node->rejects_all)
  2587. return ADDR_POLICY_REJECTED;
  2588. if (addr && tor_addr_family(addr) == AF_INET6) {
  2589. const short_policy_t *p = NULL;
  2590. if (node->ri)
  2591. p = node->ri->ipv6_exit_policy;
  2592. else if (node->md)
  2593. p = node->md->ipv6_exit_policy;
  2594. if (p)
  2595. return compare_tor_addr_to_short_policy(addr, port, p);
  2596. else
  2597. return ADDR_POLICY_REJECTED;
  2598. }
  2599. if (node->ri) {
  2600. return compare_tor_addr_to_addr_policy(addr, port, node->ri->exit_policy);
  2601. } else if (node->md) {
  2602. if (node->md->exit_policy == NULL)
  2603. return ADDR_POLICY_REJECTED;
  2604. else
  2605. return compare_tor_addr_to_short_policy(addr, port,
  2606. node->md->exit_policy);
  2607. } else {
  2608. return ADDR_POLICY_PROBABLY_REJECTED;
  2609. }
  2610. }
  2611. /**
  2612. * Given <b>policy_list</b>, a list of addr_policy_t, produce a string
  2613. * representation of the list.
  2614. * If <b>include_ipv4</b> is true, include IPv4 entries.
  2615. * If <b>include_ipv6</b> is true, include IPv6 entries.
  2616. */
  2617. char *
  2618. policy_dump_to_string(const smartlist_t *policy_list,
  2619. int include_ipv4,
  2620. int include_ipv6)
  2621. {
  2622. smartlist_t *policy_string_list;
  2623. char *policy_string = NULL;
  2624. policy_string_list = smartlist_new();
  2625. SMARTLIST_FOREACH_BEGIN(policy_list, addr_policy_t *, tmpe) {
  2626. char *pbuf;
  2627. int bytes_written_to_pbuf;
  2628. if ((tor_addr_family(&tmpe->addr) == AF_INET6) && (!include_ipv6)) {
  2629. continue; /* Don't include IPv6 parts of address policy */
  2630. }
  2631. if ((tor_addr_family(&tmpe->addr) == AF_INET) && (!include_ipv4)) {
  2632. continue; /* Don't include IPv4 parts of address policy */
  2633. }
  2634. pbuf = tor_malloc(POLICY_BUF_LEN);
  2635. bytes_written_to_pbuf = policy_write_item(pbuf,POLICY_BUF_LEN, tmpe, 1);
  2636. if (bytes_written_to_pbuf < 0) {
  2637. log_warn(LD_BUG, "policy_dump_to_string ran out of room!");
  2638. tor_free(pbuf);
  2639. goto done;
  2640. }
  2641. smartlist_add(policy_string_list,pbuf);
  2642. } SMARTLIST_FOREACH_END(tmpe);
  2643. policy_string = smartlist_join_strings(policy_string_list, "\n", 0, NULL);
  2644. done:
  2645. SMARTLIST_FOREACH(policy_string_list, char *, str, tor_free(str));
  2646. smartlist_free(policy_string_list);
  2647. return policy_string;
  2648. }
  2649. /** Implementation for GETINFO control command: knows the answer for questions
  2650. * about "exit-policy/..." */
  2651. int
  2652. getinfo_helper_policies(control_connection_t *conn,
  2653. const char *question, char **answer,
  2654. const char **errmsg)
  2655. {
  2656. (void) conn;
  2657. (void) errmsg;
  2658. if (!strcmp(question, "exit-policy/default")) {
  2659. *answer = tor_strdup(DEFAULT_EXIT_POLICY);
  2660. } else if (!strcmp(question, "exit-policy/reject-private/default")) {
  2661. smartlist_t *private_policy_strings;
  2662. const char **priv = private_nets;
  2663. private_policy_strings = smartlist_new();
  2664. while (*priv != NULL) {
  2665. /* IPv6 addresses are in "[]" and contain ":",
  2666. * IPv4 addresses are not in "[]" and contain "." */
  2667. smartlist_add_asprintf(private_policy_strings, "reject %s:*", *priv);
  2668. priv++;
  2669. }
  2670. *answer = smartlist_join_strings(private_policy_strings,
  2671. ",", 0, NULL);
  2672. SMARTLIST_FOREACH(private_policy_strings, char *, str, tor_free(str));
  2673. smartlist_free(private_policy_strings);
  2674. } else if (!strcmp(question, "exit-policy/reject-private/relay")) {
  2675. const or_options_t *options = get_options();
  2676. const routerinfo_t *me = router_get_my_routerinfo();
  2677. if (!me) {
  2678. *errmsg = "router_get_my_routerinfo returned NULL";
  2679. return -1;
  2680. }
  2681. if (!options->ExitPolicyRejectPrivate &&
  2682. !options->ExitPolicyRejectLocalInterfaces) {
  2683. *answer = tor_strdup("");
  2684. return 0;
  2685. }
  2686. smartlist_t *private_policy_list = smartlist_new();
  2687. smartlist_t *configured_addresses = smartlist_new();
  2688. /* Copy the configured addresses into the tor_addr_t* list */
  2689. if (options->ExitPolicyRejectPrivate) {
  2690. policies_copy_ipv4h_to_smartlist(configured_addresses, me->addr);
  2691. policies_copy_addr_to_smartlist(configured_addresses, &me->ipv6_addr);
  2692. }
  2693. if (options->ExitPolicyRejectLocalInterfaces) {
  2694. policies_copy_outbound_addresses_to_smartlist(configured_addresses,
  2695. options);
  2696. }
  2697. policies_parse_exit_policy_reject_private(
  2698. &private_policy_list,
  2699. options->IPv6Exit,
  2700. configured_addresses,
  2701. options->ExitPolicyRejectLocalInterfaces,
  2702. options->ExitPolicyRejectLocalInterfaces);
  2703. *answer = policy_dump_to_string(private_policy_list, 1, 1);
  2704. addr_policy_list_free(private_policy_list);
  2705. SMARTLIST_FOREACH(configured_addresses, tor_addr_t *, a, tor_free(a));
  2706. smartlist_free(configured_addresses);
  2707. } else if (!strcmpstart(question, "exit-policy/")) {
  2708. const routerinfo_t *me = router_get_my_routerinfo();
  2709. int include_ipv4 = 0;
  2710. int include_ipv6 = 0;
  2711. if (!strcmp(question, "exit-policy/ipv4")) {
  2712. include_ipv4 = 1;
  2713. } else if (!strcmp(question, "exit-policy/ipv6")) {
  2714. include_ipv6 = 1;
  2715. } else if (!strcmp(question, "exit-policy/full")) {
  2716. include_ipv4 = include_ipv6 = 1;
  2717. } else {
  2718. return 0; /* No such key. */
  2719. }
  2720. if (!me) {
  2721. *errmsg = "router_get_my_routerinfo returned NULL";
  2722. return -1;
  2723. }
  2724. *answer = router_dump_exit_policy_to_string(me,include_ipv4,include_ipv6);
  2725. }
  2726. return 0;
  2727. }
  2728. /** Release all storage held by <b>p</b>. */
  2729. void
  2730. addr_policy_list_free(smartlist_t *lst)
  2731. {
  2732. if (!lst)
  2733. return;
  2734. SMARTLIST_FOREACH(lst, addr_policy_t *, policy, addr_policy_free(policy));
  2735. smartlist_free(lst);
  2736. }
  2737. /** Release all storage held by <b>p</b>. */
  2738. void
  2739. addr_policy_free(addr_policy_t *p)
  2740. {
  2741. if (!p)
  2742. return;
  2743. if (--p->refcnt <= 0) {
  2744. if (p->is_canonical) {
  2745. policy_map_ent_t search, *found;
  2746. search.policy = p;
  2747. found = HT_REMOVE(policy_map, &policy_root, &search);
  2748. if (found) {
  2749. tor_assert(p == found->policy);
  2750. tor_free(found);
  2751. }
  2752. }
  2753. tor_free(p);
  2754. }
  2755. }
  2756. /** Release all storage held by policy variables. */
  2757. void
  2758. policies_free_all(void)
  2759. {
  2760. addr_policy_list_free(reachable_or_addr_policy);
  2761. reachable_or_addr_policy = NULL;
  2762. addr_policy_list_free(reachable_dir_addr_policy);
  2763. reachable_dir_addr_policy = NULL;
  2764. addr_policy_list_free(socks_policy);
  2765. socks_policy = NULL;
  2766. addr_policy_list_free(dir_policy);
  2767. dir_policy = NULL;
  2768. addr_policy_list_free(authdir_reject_policy);
  2769. authdir_reject_policy = NULL;
  2770. addr_policy_list_free(authdir_invalid_policy);
  2771. authdir_invalid_policy = NULL;
  2772. addr_policy_list_free(authdir_badexit_policy);
  2773. authdir_badexit_policy = NULL;
  2774. if (!HT_EMPTY(&policy_root)) {
  2775. policy_map_ent_t **ent;
  2776. int n = 0;
  2777. char buf[POLICY_BUF_LEN];
  2778. log_warn(LD_MM, "Still had %d address policies cached at shutdown.",
  2779. (int)HT_SIZE(&policy_root));
  2780. /* Note the first 10 cached policies to try to figure out where they
  2781. * might be coming from. */
  2782. HT_FOREACH(ent, policy_map, &policy_root) {
  2783. if (++n > 10)
  2784. break;
  2785. if (policy_write_item(buf, sizeof(buf), (*ent)->policy, 0) >= 0)
  2786. log_warn(LD_MM," %d [%d]: %s", n, (*ent)->policy->refcnt, buf);
  2787. }
  2788. }
  2789. HT_CLEAR(policy_map, &policy_root);
  2790. }