
  1. /* Copyright (c) 2001 Matej Pfajfar.
  2. * Copyright (c) 2001-2004, Roger Dingledine.
  3. * Copyright (c) 2004-2006, Roger Dingledine, Nick Mathewson.
  4. * Copyright (c) 2007-2018, The Tor Project, Inc. */
  5. /* See LICENSE for licensing information */
  6. /**
  7. * \file policies.h
  8. * \brief Header file for policies.c.
  9. **/
  10. #ifndef TOR_POLICIES_H
  11. #define TOR_POLICIES_H
/* (length of
 * "accept6 [ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff]/128:65535-65535\n"
 * plus a terminating NUL, rounded up to a nice number.)
 *
 * That worst-case line is 66 characters (8 + 41 + 4 + 12 + 1), i.e. 67 bytes
 * with the NUL; 72 leaves a little slack.  Presumably the intended size for
 * buffers handed to policy_write_item() below -- confirm in policies.c.
 */
#define POLICY_BUF_LEN 72

/* Option bits for exit-policy parsing (see exit_policy_parser_cfg_t and
 * policies_parse_exit_policy()).  Each is a distinct bit so they can be
 * combined with bitwise OR. */
#define EXIT_POLICY_IPV6_ENABLED (1 << 0)
#define EXIT_POLICY_REJECT_PRIVATE (1 << 1)
#define EXIT_POLICY_ADD_DEFAULT (1 << 2)
#define EXIT_POLICY_REJECT_LOCAL_INTERFACES (1 << 3)
#define EXIT_POLICY_ADD_REDUCED (1 << 4)
/* Highest-valued option bit.  When a new EXIT_POLICY_* bit is added it must
 * become the new OPTION_MAX, otherwise EXIT_POLICY_OPTION_ALL below will not
 * include it. */
#define EXIT_POLICY_OPTION_MAX EXIT_POLICY_ADD_REDUCED
/* All options set: used for unit testing.
 * Expands to (1 << 5) - 1 == 0x1f, i.e. every bit from bit 0 up to and
 * including OPTION_MAX. */
#define EXIT_POLICY_OPTION_ALL ((EXIT_POLICY_OPTION_MAX << 1) - 1)
/** Which kind of connection a firewall check is being made for: an OR
 * (relay) connection or a directory connection.  Passed as
 * <b>fw_connection</b> to the fascist_firewall_* functions below so they
 * can consult the matching policy. */
typedef enum firewall_connection_t {
  /** Check the policy that applies to OR connections. */
  FIREWALL_OR_CONNECTION = 0,
  /** Check the policy that applies to directory connections. */
  FIREWALL_DIR_CONNECTION = 1
} firewall_connection_t;
/** Option word for policies_parse_exit_policy(); presumably a bitwise OR of
 * the EXIT_POLICY_* flags above (EXIT_POLICY_OPTION_ALL sets every one) --
 * confirm against policies.c. */
typedef int exit_policy_parser_cfg_t;
/** Outcome of applying an address policy to an address.
 *
 * Note the values: only ADDR_POLICY_ACCEPTED is zero, and ADDR_POLICY_REJECTED
 * is -1.  The type is therefore not a boolean -- a rejection is "true" in a
 * bare truth test, and "accepted" is the false case -- so callers must
 * compare the result against the enumerators explicitly.  The two
 * PROBABLY_* values report a partial match on an incompletely known address;
 * code that needs a definite answer has to decide how to treat them rather
 * than folding them into ACCEPTED or REJECTED. */
typedef enum {
  /** The address was accepted */
  ADDR_POLICY_ACCEPTED=0,
  /** The address was rejected */
  ADDR_POLICY_REJECTED=-1,
  /** Part of the address was unknown, but as far as we can tell, it was
   * accepted. */
  ADDR_POLICY_PROBABLY_ACCEPTED=1,
  /** Part of the address was unknown, but as far as we can tell, it was
   * rejected. */
  ADDR_POLICY_PROBABLY_REJECTED=2,
} addr_policy_result_t;
/** A single entry in a parsed policy summary, describing a range of ports.
 * NOTE(review): whether max_port is included in the range is not stated in
 * this header -- confirm in parse_short_policy() before relying on it. */
typedef struct short_policy_entry_t {
  /** Low and high end of the port range. */
  uint16_t min_port, max_port;
} short_policy_entry_t;
/** A short_policy_t is the parsed version of a policy summary. */
typedef struct short_policy_t {
  /** True if the members of 'entries' are port ranges to accept; false if
   * they are port ranges to reject */
  unsigned int is_accept : 1;
  /** The actual number of values in 'entries'.  (The two bit-fields together
   * occupy exactly 32 bits, so n_entries is bounded by 2^31 - 1.) */
  unsigned int n_entries : 31;
  /** An array of 0 or more short_policy_entry_t values, each describing a
   * range of ports that this policy accepts or rejects (depending on the
   * value of is_accept).
   *
   * Flexible array member: the struct is presumably allocated (by
   * parse_short_policy()) with room for n_entries entries following it, so
   * entries[i] is only valid for i < n_entries.
   */
  short_policy_entry_t entries[FLEXIBLE_ARRAY_MEMBER];
} short_policy_t;
/* ---- Client-side ("fascist firewall") reachability checks ----
 *
 * <b>fw_connection</b> selects whether the OR or the directory policy is
 * consulted; <b>pref_only</b> and <b>pref_ipv6</b> are int flags whose
 * exact meaning is not defined in this header (see policies.c).  The int
 * results are presumably nonzero for "allowed"/"yes" -- confirm before
 * truth-testing them in new code. */
int firewall_is_fascist_or(void);
int firewall_is_fascist_dir(void);
/* IPv6 usage/preference derived from <b>options</b>. */
int fascist_firewall_use_ipv6(const or_options_t *options);
int fascist_firewall_prefer_ipv6_orport(const or_options_t *options);
int fascist_firewall_prefer_ipv6_dirport(const or_options_t *options);
/* Is a single address:port, or the address(es) carried by a routerstatus,
 * a node, or a directory server, reachable under the firewall policy? */
int fascist_firewall_allows_address_addr(const tor_addr_t *addr,
                                         uint16_t port,
                                         firewall_connection_t fw_connection,
                                         int pref_only, int pref_ipv6);
int fascist_firewall_allows_rs(const routerstatus_t *rs,
                               firewall_connection_t fw_connection,
                               int pref_only);
int fascist_firewall_allows_node(const node_t *node,
                                 firewall_connection_t fw_connection,
                                 int pref_only);
int fascist_firewall_allows_dir_server(const dir_server_t *ds,
                                       firewall_connection_t fw_connection,
                                       int pref_only);
/* Pick the address:port to use for the given object, writing it through
 * <b>ap</b>.  These return void, so the caller must inspect *ap to find out
 * whether a usable address was found -- TODO confirm in policies.c how "no
 * address" is signalled. */
void fascist_firewall_choose_address_rs(const routerstatus_t *rs,
                                        firewall_connection_t fw_connection,
                                        int pref_only, tor_addr_port_t* ap);
void fascist_firewall_choose_address_node(const node_t *node,
                                          firewall_connection_t fw_connection,
                                          int pref_only, tor_addr_port_t* ap);
void fascist_firewall_choose_address_dir_server(const dir_server_t *ds,
                                                firewall_connection_t fw_connection,
                                                int pref_only, tor_addr_port_t* ap);
/* ---- Server-side address policies ----
 *
 * May <b>addr</b> (and <b>port</b>, where given) use the service in question?
 * The authdir_* variants take the address as a uint32_t, so as declared here
 * they apply to IPv4 only (byte order is not stated in this header). */
int dir_policy_permits_address(const tor_addr_t *addr);
int socks_policy_permits_address(const tor_addr_t *addr);
int authdir_policy_permits_address(uint32_t addr, uint16_t port);
int authdir_policy_valid_address(uint32_t addr, uint16_t port);
int authdir_policy_badexit_address(uint32_t addr, uint16_t port);
/* Validate the policy-related settings in <b>options</b>.  Presumably an
 * error description is returned through *<b>msg</b> on failure -- confirm
 * who owns/frees that string. */
int validate_addr_policies(const or_options_t *options, char **msg);
/* Rewrite a policy list in place (hence smartlist_t **), expanding the
 * "private" / unspecified-address shorthands into explicit entries. */
void policy_expand_private(smartlist_t **policy);
void policy_expand_unspec(smartlist_t **policy);
/* Load the module's policies from <b>options</b>. */
int policies_parse_from_options(const or_options_t *options);
/* Return a canonical (shared) addr_policy_t equivalent to <b>ent</b>;
 * ownership of the result is not stated here -- confirm before freeing. */
addr_policy_t *addr_policy_get_canonical_entry(addr_policy_t *ent);
/* Compare two policy lists for equality. */
int addr_policies_eq(const smartlist_t *a, const smartlist_t *b);
/* Evaluate <b>policy</b> (presumably a smartlist of addr_policy_t) for
 * <b>addr</b>:<b>port</b>.  Declared through MOCK_DECL so unit tests can
 * substitute an implementation.  Because ADDR_POLICY_REJECTED is -1, never
 * truth-test the result; compare it against the enumerators. */
MOCK_DECL(addr_policy_result_t, compare_tor_addr_to_addr_policy,
          (const tor_addr_t *addr, uint16_t port, const smartlist_t *policy));
/* Same evaluation, but against the policy associated with <b>node</b>. */
addr_policy_result_t compare_tor_addr_to_node_policy(const tor_addr_t *addr,
                                                     uint16_t port, const node_t *node);
/* ---- Exit-policy construction, inspection and output ----
 *
 * Build the exit policy described by <b>or_options</b>, given the relay's
 * own IPv4 and IPv6 addresses, storing the new list in *<b>result</b>. */
int policies_parse_exit_policy_from_options(
                                            const or_options_t *or_options,
                                            uint32_t local_address,
                                            const tor_addr_t *ipv6_local_address,
                                            smartlist_t **result);
struct config_line_t;
/* Parse the policy lines <b>cfg</b> into *<b>dest</b> under the EXIT_POLICY_*
 * bits in <b>options</b>; <b>configured_addresses</b> supplies this relay's
 * own addresses.  config_line_t is only forward-declared here. */
int policies_parse_exit_policy(struct config_line_t *cfg, smartlist_t **dest,
                               exit_policy_parser_cfg_t options,
                               const smartlist_t *configured_addresses);
/* Append "reject" entries for private/local addresses to *<b>dest</b>.  The
 * trailing int flags select which further address sets (configured
 * addresses, interface addresses, configured-port addresses) are also
 * rejected; their precise semantics are defined in policies.c. */
void policies_parse_exit_policy_reject_private(
                                               smartlist_t **dest,
                                               int ipv6_exit,
                                               const smartlist_t *configured_addresses,
                                               int reject_interface_addresses,
                                               int reject_configured_port_addresses);
/* Append a catch-all ("reject *") entry to *<b>dest</b>. */
void policies_exit_policy_append_reject_star(smartlist_t **dest);
/* Append reject entries for one address, or for every address in
 * <b>addrs</b>, to *<b>dest</b>. */
void addr_policy_append_reject_addr(smartlist_t **dest,
                                    const tor_addr_t *addr);
void addr_policy_append_reject_addr_list(smartlist_t **dest,
                                         const smartlist_t *addrs);
/* Replace <b>exitrouter</b>'s exit policy with one that rejects everything. */
void policies_set_node_exitpolicy_to_reject_all(node_t *exitrouter);
int exit_policy_is_general_exit(smartlist_t *policy);
/* Does <b>policy</b> reject every address in <b>family</b>?
 * <b>reject_by_default</b> presumably supplies the answer when the policy
 * does not decide -- confirm in policies.c. */
int policy_is_reject_star(const smartlist_t *policy, sa_family_t family,
                          int reject_by_default);
/* Render <b>policy_list</b> as a newly allocated string (caller presumably
 * frees), optionally restricted to one address family. */
char * policy_dump_to_string(const smartlist_t *policy_list,
                             int include_ipv4,
                             int include_ipv6);
/* GETINFO handler for policy-related questions on the control port. */
int getinfo_helper_policies(control_connection_t *conn,
                            const char *question, char **answer,
                            const char **errmsg);
/* Write one policy entry into the caller's buffer of <b>buflen</b> bytes
 * (POLICY_BUF_LEN is sized for the longest entry).  Always check the int
 * result: this declaration gives no truncation guarantee. */
int policy_write_item(char *buf, size_t buflen, const addr_policy_t *item,
                      int format_for_desc);
/* Deallocators.  The `_free_()' functions do the work; the macros wrap them
 * in FREE_AND_NULL so that the caller's pointer variable is reset to NULL
 * after the call, which defends against double-free and use-after-free
 * through that variable.  Prefer the macros over calling `_free_()'
 * directly. */
void addr_policy_list_free_(smartlist_t *p);
#define addr_policy_list_free(lst) \
  FREE_AND_NULL(smartlist_t, addr_policy_list_free_, (lst))
void addr_policy_free_(addr_policy_t *p);
#define addr_policy_free(p) \
  FREE_AND_NULL(addr_policy_t, addr_policy_free_, (p))
/* Release every policy this module holds (presumably called at shutdown). */
void policies_free_all(void);
/* ---- Policy summaries ("short policies") ----
 *
 * Produce the compact accept/reject port-range summary of <b>policy</b>
 * for one address family, as a newly allocated string. */
char *policy_summarize(smartlist_t *policy, sa_family_t family);
/* Parse <b>summary</b> into a newly allocated short_policy_t; presumably
 * returns NULL on malformed input, so callers must check.  Release with
 * short_policy_free(). */
short_policy_t *parse_short_policy(const char *summary);
/* Inverse of parse_short_policy(): render <b>policy</b> as a new string. */
char *write_short_policy(const short_policy_t *policy);
void short_policy_free_(short_policy_t *policy);
#define short_policy_free(p) \
  FREE_AND_NULL(short_policy_t, short_policy_free_, (p))
/* Does <b>policy</b> reject every port? */
int short_policy_is_reject_star(const short_policy_t *policy);
/* Evaluate a short policy for <b>addr</b>:<b>port</b>.  See the note on
 * addr_policy_result_t: compare the result against the enumerators, never
 * truth-test it. */
addr_policy_result_t compare_tor_addr_to_short_policy(
                                                      const tor_addr_t *addr, uint16_t port,
                                                      const short_policy_t *policy);
  151. #ifdef POLICIES_PRIVATE
/* Internal helpers exposed only when POLICIES_PRIVATE is defined (i.e. to
 * the unit tests); STATIC presumably expands to `static' in normal builds.
 * Nothing outside policies.c and its tests should call these. */
STATIC void append_exit_policy_string(smartlist_t **policy, const char *more);
/* Core of the public fascist_firewall_allows_* checks, taking the policy
 * list explicitly instead of looking it up from the options. */
STATIC int fascist_firewall_allows_address(const tor_addr_t *addr,
                                           uint16_t port,
                                           smartlist_t *firewall_policy,
                                           int pref_only, int pref_ipv6);
/* Choose between candidate addresses <b>a</b> and <b>b</b> (<b>want_a</b>
 * expresses the caller's preference); returns one of the two inputs or,
 * presumably, NULL when neither is usable -- confirm in policies.c. */
STATIC const tor_addr_port_t * fascist_firewall_choose_address(
                                                               const tor_addr_port_t *a,
                                                               const tor_addr_port_t *b,
                                                               int want_a,
                                                               firewall_connection_t fw_connection,
                                                               int pref_only, int pref_ipv6);
  163. #endif /* defined(POLICIES_PRIVATE) */
  164. #endif /* !defined(TOR_POLICIES_H) */