policies.c 109 KB

1234567891011121314151617181920212223242526272829303132333435363738394041424344454647484950515253545556575859606162636465666768697071727374757677787980818283848586878889909192939495969798991001011021031041051061071081091101111121131141151161171181191201211221231241251261271281291301311321331341351361371381391401411421431441451461471481491501511521531541551561571581591601611621631641651661671681691701711721731741751761771781791801811821831841851861871881891901911921931941951961971981992002012022032042052062072082092102112122132142152162172182192202212222232242252262272282292302312322332342352362372382392402412422432442452462472482492502512522532542552562572582592602612622632642652662672682692702712722732742752762772782792802812822832842852862872882892902912922932942952962972982993003013023033043053063073083093103113123133143153163173183193203213223233243253263273283293303313323333343353363373383393403413423433443453463473483493503513523533543553563573583593603613623633643653663673683693703713723733743753763773783793803813823833843853863873883893903913923933943953963973983994004014024034044054064074084094104114124134144154164174184194204214224234244254264274284294304314324334344354364374384394404414424434444454464474484494504514524534544554564574584594604614624634644654664674684694704714724734744754764774784794804814824834844854864874884894904914924934944954964974984995005015025035045055065075085095105115125135145155165175185195205215225235245255265275285295305315325335345355365375385395405415425435445455465475485495505515525535545555565575585595605615625635645655665675685695705715725735745755765775785795805815825835845855865875885895905915925935945955965975985996006016026036046056066076086096106116126136146156166176186196206216226236246256266276286296306316326336346356366376386396406416426436446456466476486496506516526536546556566576586596606616626636646656666676686696706716726736746756766776786796806816826836846856866876886896906916926936946956966976986997007017027037047057067077087097107117127137147157167177187197207217227237247257267277287297307317327337347357367377387397407417427437447457467477487497507517527537547557567577587597607617627637647657667677687697707717727737747757767777787797807817827837847857867877887897907917927937947957967977987998008018028038048058068078088098108118128138148158168178188198208218228238248258268278288298308318328338348358368378388398408418428438448458468478488498508518528538548558568578588598608618628638648658668678688698708718728738748758768778788798808818828838848858868878888898908918928938948958968978988999009019029039049059069079089099109119129139149159169179189199209219229239249259269279289299309319329339349359369379389399409419429439449459469479489499509519529539549559569579589599609619629639649659669679689699709719729739749759769779789799809819829839849859869879889899909919929939949959969979989991000100110021003100410051006100710081009101010111012101310141015101610171018101910201021102210231024102510261027102810291030103110321033103410351036103710381039104010411042104310441045104610471048104910501051105210531054105510561057105810591060106110621063106410651066106710681069107010711072107310741075107610771078107910801081108210831084108510861087108810891090109110921093109410951096109710981099110011011102110311041105110611071108110911101111111211131114111511161117111811191120112111221123112411251126112711281129113011311132113311341135113611371138113911401141114211431144114511461147114811491150115111521153115411551156115711581159116011611162116311641165116611671168116911701171117211731174117511761177117811791180118111821183118411851186118711881189119011911192119311941195119611971198119912001201120212031204120512061207120812091210121112121213121412151216121712181219122012211222122312241225122612271228122912301231123212331234123512361237123812391240124112421243124412451246124712481249125012511252125312541255125612571258125912601261126212631264126512661267126812691270127112721273127412751276127712781279128012811282128312841285128612871288128912901291129212931294129512961297129812991300130113021303130413051306130713081309131013111312131313141315131613171318131913201321132213231324132513261327132813291330133113321333133413351336133713381339134013411342134313441345134613471348134913501351135213531354135513561357135813591360136113621363136413651366136713681369137013711372137313741375137613771378137913801381138213831384138513861387138813891390139113921393139413951396139713981399140014011402140314041405140614071408140914101411141214131414141514161417141814191420142114221423142414251426142714281429143014311432143314341435143614371438143914401441144214431444144514461447144814491450145114521453145414551456145714581459146014611462146314641465146614671468146914701471147214731474147514761477147814791480148114821483148414851486148714881489149014911492149314941495149614971498149915001501150215031504150515061507150815091510151115121513151415151516151715181519152015211522152315241525152615271528152915301531153215331534153515361537153815391540154115421543154415451546154715481549155015511552155315541555155615571558155915601561156215631564156515661567156815691570157115721573157415751576157715781579158015811582158315841585158615871588158915901591159215931594159515961597159815991600160116021603160416051606160716081609161016111612161316141615161616171618161916201621162216231624162516261627162816291630163116321633163416351636163716381639164016411642164316441645164616471648164916501651165216531654165516561657165816591660166116621663166416651666166716681669167016711672167316741675167616771678167916801681168216831684168516861687168816891690169116921693169416951696169716981699170017011702170317041705170617071708170917101711171217131714171517161717171817191720172117221723172417251726172717281729173017311732173317341735173617371738173917401741174217431744174517461747174817491750175117521753175417551756175717581759176017611762176317641765176617671768176917701771177217731774177517761777177817791780178117821783178417851786178717881789179017911792179317941795179617971798179918001801180218031804180518061807180818091810181118121813181418151816181718181819182018211822182318241825182618271828182918301831183218331834183518361837183818391840184118421843184418451846184718481849185018511852185318541855185618571858185918601861186218631864186518661867186818691870187118721873187418751876187718781879188018811882188318841885188618871888188918901891189218931894189518961897189818991900190119021903190419051906190719081909191019111912191319141915191619171918191919201921192219231924192519261927192819291930193119321933193419351936193719381939194019411942194319441945194619471948194919501951195219531954195519561957195819591960196119621963196419651966196719681969197019711972197319741975197619771978197919801981198219831984198519861987198819891990199119921993199419951996199719981999200020012002200320042005200620072008200920102011201220132014201520162017201820192020202120222023202420252026202720282029203020312032203320342035203620372038203920402041204220432044204520462047204820492050205120522053205420552056205720582059206020612062206320642065206620672068206920702071207220732074207520762077207820792080208120822083208420852086208720882089209020912092209320942095209620972098209921002101210221032104210521062107210821092110211121122113211421152116211721182119212021212122212321242125212621272128212921302131213221332134213521362137213821392140214121422143214421452146214721482149215021512152215321542155215621572158215921602161216221632164216521662167216821692170217121722173217421752176217721782179218021812182218321842185218621872188218921902191219221932194219521962197219821992200220122022203220422052206220722082209221022112212221322142215221622172218221922202221222222232224222522262227222822292230223122322233223422352236223722382239224022412242224322442245224622472248224922502251225222532254225522562257225822592260226122622263226422652266226722682269227022712272227322742275227622772278227922802281228222832284228522862287228822892290229122922293229422952296229722982299230023012302230323042305230623072308230923102311231223132314231523162317231823192320232123222323232423252326232723282329233023312332233323342335233623372338233923402341234223432344234523462347234823492350235123522353235423552356235723582359236023612362236323642365236623672368236923702371237223732374237523762377237823792380238123822383238423852386238723882389239023912392239323942395239623972398239924002401240224032404240524062407240824092410241124122413241424152416241724182419242024212422242324242425242624272428242924302431243224332434243524362437243824392440244124422443244424452446244724482449245024512452245324542455245624572458245924602461246224632464246524662467246824692470247124722473247424752476247724782479248024812482248324842485248624872488248924902491249224932494249524962497249824992500250125022503250425052506250725082509251025112512251325142515251625172518251925202521252225232524252525262527252825292530253125322533253425352536253725382539254025412542254325442545254625472548254925502551255225532554255525562557255825592560256125622563256425652566256725682569257025712572257325742575257625772578257925802581258225832584258525862587258825892590259125922593259425952596259725982599260026012602260326042605260626072608260926102611261226132614261526162617261826192620262126222623262426252626262726282629263026312632263326342635263626372638263926402641264226432644264526462647264826492650265126522653265426552656265726582659266026612662266326642665266626672668266926702671267226732674267526762677267826792680268126822683268426852686268726882689269026912692269326942695269626972698269927002701270227032704270527062707270827092710271127122713271427152716271727182719272027212722272327242725272627272728272927302731273227332734273527362737273827392740274127422743274427452746274727482749275027512752275327542755275627572758275927602761276227632764276527662767276827692770277127722773277427752776277727782779278027812782278327842785278627872788278927902791279227932794279527962797279827992800280128022803280428052806280728082809281028112812281328142815281628172818281928202821282228232824282528262827282828292830283128322833283428352836283728382839284028412842284328442845284628472848284928502851285228532854285528562857285828592860286128622863286428652866286728682869287028712872287328742875287628772878287928802881288228832884288528862887288828892890289128922893289428952896289728982899290029012902290329042905290629072908290929102911291229132914291529162917291829192920292129222923292429252926292729282929293029312932293329342935293629372938293929402941294229432944294529462947294829492950295129522953295429552956295729582959296029612962296329642965296629672968296929702971297229732974297529762977297829792980298129822983298429852986298729882989299029912992299329942995299629972998299930003001300230033004300530063007300830093010301130123013301430153016301730183019302030213022302330243025302630273028302930303031303230333034303530363037303830393040304130423043304430453046304730483049305030513052305330543055305630573058305930603061306230633064306530663067306830693070307130723073307430753076307730783079308030813082308330843085308630873088308930903091309230933094309530963097309830993100310131023103310431053106310731083109311031113112311331143115311631173118311931203121312231233124312531263127312831293130313131323133313431353136313731383139314031413142314331443145314631473148314931503151
  1. /* Copyright (c) 2001-2004, Roger Dingledine.
  2. * Copyright (c) 2004-2006, Roger Dingledine, Nick Mathewson.
  3. * Copyright (c) 2007-2017, The Tor Project, Inc. */
  4. /* See LICENSE for licensing information */
  5. /**
  6. * \file policies.c
  7. * \brief Code to parse and use address policies and exit policies.
  8. *
  9. * We have two key kinds of address policy: full and compressed. A full
  10. * policy is an array of accept/reject patterns, to be applied in order.
  11. * A short policy is simply a list of ports. This module handles both
  12. * kinds, including generic functions to apply them to addresses, and
  13. * also including code to manage the global policies that we apply to
  14. * incoming and outgoing connections.
  15. **/
  16. #define POLICIES_PRIVATE
  17. #include "or.h"
  18. #include "bridges.h"
  19. #include "config.h"
  20. #include "dirserv.h"
  21. #include "microdesc.h"
  22. #include "networkstatus.h"
  23. #include "nodelist.h"
  24. #include "policies.h"
  25. #include "router.h"
  26. #include "routerparse.h"
  27. #include "geoip.h"
  28. #include "ht.h"
  29. /** Policy that addresses for incoming SOCKS connections must match. */
  30. static smartlist_t *socks_policy = NULL;
  31. /** Policy that addresses for incoming directory connections must match. */
  32. static smartlist_t *dir_policy = NULL;
  33. /** Policy that addresses for incoming router descriptors must match in order
  34. * to be published by us. */
  35. static smartlist_t *authdir_reject_policy = NULL;
  36. /** Policy that addresses for incoming router descriptors must match in order
  37. * to be marked as valid in our networkstatus. */
  38. static smartlist_t *authdir_invalid_policy = NULL;
  39. /** Policy that addresses for incoming router descriptors must <b>not</b>
  40. * match in order to not be marked as BadExit. */
  41. static smartlist_t *authdir_badexit_policy = NULL;
  42. /** Parsed addr_policy_t describing which addresses we believe we can start
  43. * circuits at. */
  44. static smartlist_t *reachable_or_addr_policy = NULL;
  45. /** Parsed addr_policy_t describing which addresses we believe we can connect
  46. * to directories at. */
  47. static smartlist_t *reachable_dir_addr_policy = NULL;
  48. /** Element of an exit policy summary */
  49. typedef struct policy_summary_item_t {
  50. uint16_t prt_min; /**< Lowest port number to accept/reject. */
  51. uint16_t prt_max; /**< Highest port number to accept/reject. */
  52. uint64_t reject_count; /**< Number of IP-Addresses that are rejected to
  53. this port range. */
  54. unsigned int accepted:1; /** Has this port already been accepted */
  55. } policy_summary_item_t;
  56. /** Private networks. This list is used in two places, once to expand the
  57. * "private" keyword when parsing our own exit policy, secondly to ignore
  58. * just such networks when building exit policy summaries. It is important
  59. * that all authorities agree on that list when creating summaries, so don't
  60. * just change this without a proper migration plan and a proposal and stuff.
  61. */
  62. static const char *private_nets[] = {
  63. "0.0.0.0/8", "169.254.0.0/16",
  64. "127.0.0.0/8", "192.168.0.0/16", "10.0.0.0/8", "172.16.0.0/12",
  65. "[::]/8",
  66. "[fc00::]/7", "[fe80::]/10", "[fec0::]/10", "[ff00::]/8", "[::]/127",
  67. NULL
  68. };
  69. static int policies_parse_exit_policy_internal(
  70. config_line_t *cfg,
  71. smartlist_t **dest,
  72. int ipv6_exit,
  73. int rejectprivate,
  74. const smartlist_t *configured_addresses,
  75. int reject_interface_addresses,
  76. int reject_configured_port_addresses,
  77. int add_default_policy,
  78. int add_reduced_policy);
  79. /** Replace all "private" entries in *<b>policy</b> with their expanded
  80. * equivalents. */
  81. void
  82. policy_expand_private(smartlist_t **policy)
  83. {
  84. uint16_t port_min, port_max;
  85. int i;
  86. smartlist_t *tmp;
  87. if (!*policy) /*XXXX disallow NULL policies? */
  88. return;
  89. tmp = smartlist_new();
  90. SMARTLIST_FOREACH_BEGIN(*policy, addr_policy_t *, p) {
  91. if (! p->is_private) {
  92. smartlist_add(tmp, p);
  93. continue;
  94. }
  95. for (i = 0; private_nets[i]; ++i) {
  96. addr_policy_t newpolicy;
  97. memcpy(&newpolicy, p, sizeof(addr_policy_t));
  98. newpolicy.is_private = 0;
  99. newpolicy.is_canonical = 0;
  100. if (tor_addr_parse_mask_ports(private_nets[i], 0,
  101. &newpolicy.addr,
  102. &newpolicy.maskbits, &port_min, &port_max)<0) {
  103. tor_assert_unreached();
  104. }
  105. smartlist_add(tmp, addr_policy_get_canonical_entry(&newpolicy));
  106. }
  107. addr_policy_free(p);
  108. } SMARTLIST_FOREACH_END(p);
  109. smartlist_free(*policy);
  110. *policy = tmp;
  111. }
  112. /** Expand each of the AF_UNSPEC elements in *<b>policy</b> (which indicate
  113. * protocol-neutral wildcards) into a pair of wildcard elements: one IPv4-
  114. * specific and one IPv6-specific. */
  115. void
  116. policy_expand_unspec(smartlist_t **policy)
  117. {
  118. smartlist_t *tmp;
  119. if (!*policy)
  120. return;
  121. tmp = smartlist_new();
  122. SMARTLIST_FOREACH_BEGIN(*policy, addr_policy_t *, p) {
  123. sa_family_t family = tor_addr_family(&p->addr);
  124. if (family == AF_INET6 || family == AF_INET || p->is_private) {
  125. smartlist_add(tmp, p);
  126. } else if (family == AF_UNSPEC) {
  127. addr_policy_t newpolicy_ipv4;
  128. addr_policy_t newpolicy_ipv6;
  129. memcpy(&newpolicy_ipv4, p, sizeof(addr_policy_t));
  130. memcpy(&newpolicy_ipv6, p, sizeof(addr_policy_t));
  131. newpolicy_ipv4.is_canonical = 0;
  132. newpolicy_ipv6.is_canonical = 0;
  133. if (p->maskbits != 0) {
  134. log_warn(LD_BUG, "AF_UNSPEC policy with maskbits==%d", p->maskbits);
  135. newpolicy_ipv4.maskbits = 0;
  136. newpolicy_ipv6.maskbits = 0;
  137. }
  138. tor_addr_from_ipv4h(&newpolicy_ipv4.addr, 0);
  139. tor_addr_from_ipv6_bytes(&newpolicy_ipv6.addr,
  140. "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0");
  141. smartlist_add(tmp, addr_policy_get_canonical_entry(&newpolicy_ipv4));
  142. smartlist_add(tmp, addr_policy_get_canonical_entry(&newpolicy_ipv6));
  143. addr_policy_free(p);
  144. } else {
  145. log_warn(LD_BUG, "Funny-looking address policy with family %d", family);
  146. smartlist_add(tmp, p);
  147. }
  148. } SMARTLIST_FOREACH_END(p);
  149. smartlist_free(*policy);
  150. *policy = tmp;
  151. }
  152. /**
  153. * Given a linked list of config lines containing "accept[6]" and "reject[6]"
  154. * tokens, parse them and append the result to <b>dest</b>. Return -1
  155. * if any tokens are malformed (and don't append any), else return 0.
  156. *
  157. * If <b>assume_action</b> is nonnegative, then insert its action
  158. * (ADDR_POLICY_ACCEPT or ADDR_POLICY_REJECT) for items that specify no
  159. * action.
  160. */
  161. static int
  162. parse_addr_policy(config_line_t *cfg, smartlist_t **dest,
  163. int assume_action)
  164. {
  165. smartlist_t *result;
  166. smartlist_t *entries;
  167. addr_policy_t *item;
  168. int malformed_list;
  169. int r = 0;
  170. if (!cfg)
  171. return 0;
  172. result = smartlist_new();
  173. entries = smartlist_new();
  174. for (; cfg; cfg = cfg->next) {
  175. smartlist_split_string(entries, cfg->value, ",",
  176. SPLIT_SKIP_SPACE|SPLIT_IGNORE_BLANK, 0);
  177. SMARTLIST_FOREACH_BEGIN(entries, const char *, ent) {
  178. log_debug(LD_CONFIG,"Adding new entry '%s'",ent);
  179. malformed_list = 0;
  180. item = router_parse_addr_policy_item_from_string(ent, assume_action,
  181. &malformed_list);
  182. if (item) {
  183. smartlist_add(result, item);
  184. } else if (malformed_list) {
  185. /* the error is so severe the entire list should be discarded */
  186. log_warn(LD_CONFIG, "Malformed policy '%s'. Discarding entire policy "
  187. "list.", ent);
  188. r = -1;
  189. } else {
  190. /* the error is minor: don't add the item, but keep processing the
  191. * rest of the policies in the list */
  192. log_debug(LD_CONFIG, "Ignored policy '%s' due to non-fatal error. "
  193. "The remainder of the policy list will be used.",
  194. ent);
  195. }
  196. } SMARTLIST_FOREACH_END(ent);
  197. SMARTLIST_FOREACH(entries, char *, ent, tor_free(ent));
  198. smartlist_clear(entries);
  199. }
  200. smartlist_free(entries);
  201. if (r == -1) {
  202. addr_policy_list_free(result);
  203. } else {
  204. policy_expand_private(&result);
  205. policy_expand_unspec(&result);
  206. if (*dest) {
  207. smartlist_add_all(*dest, result);
  208. smartlist_free(result);
  209. } else {
  210. *dest = result;
  211. }
  212. }
  213. return r;
  214. }
  215. /** Helper: parse the Reachable(Dir|OR)?Addresses fields into
  216. * reachable_(or|dir)_addr_policy. The options should already have
  217. * been validated by validate_addr_policies.
  218. */
  219. static int
  220. parse_reachable_addresses(void)
  221. {
  222. const or_options_t *options = get_options();
  223. int ret = 0;
  224. if (options->ReachableDirAddresses &&
  225. options->ReachableORAddresses &&
  226. options->ReachableAddresses) {
  227. log_warn(LD_CONFIG,
  228. "Both ReachableDirAddresses and ReachableORAddresses are set. "
  229. "ReachableAddresses setting will be ignored.");
  230. }
  231. addr_policy_list_free(reachable_or_addr_policy);
  232. reachable_or_addr_policy = NULL;
  233. if (!options->ReachableORAddresses && options->ReachableAddresses)
  234. log_info(LD_CONFIG,
  235. "Using ReachableAddresses as ReachableORAddresses.");
  236. if (parse_addr_policy(options->ReachableORAddresses ?
  237. options->ReachableORAddresses :
  238. options->ReachableAddresses,
  239. &reachable_or_addr_policy, ADDR_POLICY_ACCEPT)) {
  240. log_warn(LD_CONFIG,
  241. "Error parsing Reachable%sAddresses entry; ignoring.",
  242. options->ReachableORAddresses ? "OR" : "");
  243. ret = -1;
  244. }
  245. addr_policy_list_free(reachable_dir_addr_policy);
  246. reachable_dir_addr_policy = NULL;
  247. if (!options->ReachableDirAddresses && options->ReachableAddresses)
  248. log_info(LD_CONFIG,
  249. "Using ReachableAddresses as ReachableDirAddresses");
  250. if (parse_addr_policy(options->ReachableDirAddresses ?
  251. options->ReachableDirAddresses :
  252. options->ReachableAddresses,
  253. &reachable_dir_addr_policy, ADDR_POLICY_ACCEPT)) {
  254. if (options->ReachableDirAddresses)
  255. log_warn(LD_CONFIG,
  256. "Error parsing ReachableDirAddresses entry; ignoring.");
  257. ret = -1;
  258. }
  259. /* We ignore ReachableAddresses for relays */
  260. if (!server_mode(options)) {
  261. if (policy_is_reject_star(reachable_or_addr_policy, AF_UNSPEC, 0)
  262. || policy_is_reject_star(reachable_dir_addr_policy, AF_UNSPEC,0)) {
  263. log_warn(LD_CONFIG, "Tor cannot connect to the Internet if "
  264. "ReachableAddresses, ReachableORAddresses, or "
  265. "ReachableDirAddresses reject all addresses. Please accept "
  266. "some addresses in these options.");
  267. } else if (options->ClientUseIPv4 == 1
  268. && (policy_is_reject_star(reachable_or_addr_policy, AF_INET, 0)
  269. || policy_is_reject_star(reachable_dir_addr_policy, AF_INET, 0))) {
  270. log_warn(LD_CONFIG, "You have set ClientUseIPv4 1, but "
  271. "ReachableAddresses, ReachableORAddresses, or "
  272. "ReachableDirAddresses reject all IPv4 addresses. "
  273. "Tor will not connect using IPv4.");
  274. } else if (fascist_firewall_use_ipv6(options)
  275. && (policy_is_reject_star(reachable_or_addr_policy, AF_INET6, 0)
  276. || policy_is_reject_star(reachable_dir_addr_policy, AF_INET6, 0))) {
  277. log_warn(LD_CONFIG, "You have configured tor to use or prefer IPv6 "
  278. "(or UseBridges 1), but "
  279. "ReachableAddresses, ReachableORAddresses, or "
  280. "ReachableDirAddresses reject all IPv6 addresses. "
  281. "Tor will not connect using IPv6.");
  282. }
  283. }
  284. return ret;
  285. }
  286. /* Return true iff ClientUseIPv4 0 or ClientUseIPv6 0 might block any OR or Dir
  287. * address:port combination. */
  288. static int
  289. firewall_is_fascist_impl(void)
  290. {
  291. const or_options_t *options = get_options();
  292. /* Assume every non-bridge relay has an IPv4 address.
  293. * Clients which use bridges may only know the IPv6 address of their
  294. * bridge, but they will connect regardless of the ClientUseIPv6 setting. */
  295. return options->ClientUseIPv4 == 0;
  296. }
  297. /** Return true iff the firewall options, including ClientUseIPv4 0 and
  298. * ClientUseIPv6 0, might block any OR address:port combination.
  299. * Address preferences may still change which address is selected even if
  300. * this function returns false.
  301. */
  302. int
  303. firewall_is_fascist_or(void)
  304. {
  305. return (reachable_or_addr_policy != NULL || firewall_is_fascist_impl());
  306. }
  307. /** Return true iff the firewall options, including ClientUseIPv4 0 and
  308. * ClientUseIPv6 0, might block any Dir address:port combination.
  309. * Address preferences may still change which address is selected even if
  310. * this function returns false.
  311. */
  312. int
  313. firewall_is_fascist_dir(void)
  314. {
  315. return (reachable_dir_addr_policy != NULL || firewall_is_fascist_impl());
  316. }
  317. /** Return true iff <b>policy</b> (possibly NULL) will allow a
  318. * connection to <b>addr</b>:<b>port</b>.
  319. */
  320. static int
  321. addr_policy_permits_tor_addr(const tor_addr_t *addr, uint16_t port,
  322. smartlist_t *policy)
  323. {
  324. addr_policy_result_t p;
  325. p = compare_tor_addr_to_addr_policy(addr, port, policy);
  326. switch (p) {
  327. case ADDR_POLICY_PROBABLY_ACCEPTED:
  328. case ADDR_POLICY_ACCEPTED:
  329. return 1;
  330. case ADDR_POLICY_PROBABLY_REJECTED:
  331. case ADDR_POLICY_REJECTED:
  332. return 0;
  333. default:
  334. log_warn(LD_BUG, "Unexpected result: %d", (int)p);
  335. return 0;
  336. }
  337. }
  338. /** Return true iff <b> policy</b> (possibly NULL) will allow a connection to
  339. * <b>addr</b>:<b>port</b>. <b>addr</b> is an IPv4 address given in host
  340. * order. */
  341. /* XXXX deprecate when possible. */
  342. static int
  343. addr_policy_permits_address(uint32_t addr, uint16_t port,
  344. smartlist_t *policy)
  345. {
  346. tor_addr_t a;
  347. tor_addr_from_ipv4h(&a, addr);
  348. return addr_policy_permits_tor_addr(&a, port, policy);
  349. }
  350. /** Return true iff we think our firewall will let us make a connection to
  351. * addr:port.
  352. *
  353. * If we are configured as a server, ignore any address family preference and
  354. * just use IPv4.
  355. * Otherwise:
  356. * - return false for all IPv4 addresses:
  357. * - if ClientUseIPv4 is 0, or
  358. * if pref_only and pref_ipv6 are both true;
  359. * - return false for all IPv6 addresses:
  360. * - if fascist_firewall_use_ipv6() is 0, or
  361. * - if pref_only is true and pref_ipv6 is false.
  362. *
  363. * Return false if addr is NULL or tor_addr_is_null(), or if port is 0. */
  364. STATIC int
  365. fascist_firewall_allows_address(const tor_addr_t *addr,
  366. uint16_t port,
  367. smartlist_t *firewall_policy,
  368. int pref_only, int pref_ipv6)
  369. {
  370. const or_options_t *options = get_options();
  371. const int client_mode = !server_mode(options);
  372. if (!addr || tor_addr_is_null(addr) || !port) {
  373. return 0;
  374. }
  375. /* Clients stop using IPv4 if it's disabled. In most cases, clients also
  376. * stop using IPv4 if it's not preferred.
  377. * Servers must have IPv4 enabled and preferred. */
  378. if (tor_addr_family(addr) == AF_INET && client_mode &&
  379. (!options->ClientUseIPv4 || (pref_only && pref_ipv6))) {
  380. return 0;
  381. }
  382. /* Clients and Servers won't use IPv6 unless it's enabled (and in most
  383. * cases, IPv6 must also be preferred before it will be used). */
  384. if (tor_addr_family(addr) == AF_INET6 &&
  385. (!fascist_firewall_use_ipv6(options) || (pref_only && !pref_ipv6))) {
  386. return 0;
  387. }
  388. return addr_policy_permits_tor_addr(addr, port,
  389. firewall_policy);
  390. }
  391. /** Is this client configured to use IPv6?
  392. * Returns true if the client might use IPv6 for some of its connections
  393. * (including dual-stack and IPv6-only clients), and false if it will never
  394. * use IPv6 for any connections.
  395. * Use node_ipv6_or/dir_preferred() when checking a specific node and OR/Dir
  396. * port: it supports bridge client per-node IPv6 preferences.
  397. */
  398. int
  399. fascist_firewall_use_ipv6(const or_options_t *options)
  400. {
  401. /* Clients use IPv6 if it's set, or they use bridges, or they don't use
  402. * IPv4, or they prefer it.
  403. * ClientPreferIPv6DirPort is deprecated, but check it anyway. */
  404. return (options->ClientUseIPv6 == 1 || options->ClientUseIPv4 == 0 ||
  405. options->ClientPreferIPv6ORPort == 1 ||
  406. options->ClientPreferIPv6DirPort == 1 || options->UseBridges == 1);
  407. }
  408. /** Do we prefer to connect to IPv6, ignoring ClientPreferIPv6ORPort and
  409. * ClientPreferIPv6DirPort?
  410. * If we're unsure, return -1, otherwise, return 1 for IPv6 and 0 for IPv4.
  411. */
  412. static int
  413. fascist_firewall_prefer_ipv6_impl(const or_options_t *options)
  414. {
  415. /*
  416. Cheap implementation of config options ClientUseIPv4 & ClientUseIPv6 --
  417. If we're a server or IPv6 is disabled, use IPv4.
  418. If IPv4 is disabled, use IPv6.
  419. */
  420. if (server_mode(options) || !fascist_firewall_use_ipv6(options)) {
  421. return 0;
  422. }
  423. if (!options->ClientUseIPv4) {
  424. return 1;
  425. }
  426. return -1;
  427. }
  428. /** Do we prefer to connect to IPv6 ORPorts?
  429. * Use node_ipv6_or_preferred() whenever possible: it supports bridge client
  430. * per-node IPv6 preferences.
  431. */
  432. int
  433. fascist_firewall_prefer_ipv6_orport(const or_options_t *options)
  434. {
  435. int pref_ipv6 = fascist_firewall_prefer_ipv6_impl(options);
  436. if (pref_ipv6 >= 0) {
  437. return pref_ipv6;
  438. }
  439. /* We can use both IPv4 and IPv6 - which do we prefer? */
  440. if (options->ClientPreferIPv6ORPort == 1) {
  441. return 1;
  442. }
  443. return 0;
  444. }
  445. /** Do we prefer to connect to IPv6 DirPorts?
  446. *
  447. * (node_ipv6_dir_preferred() doesn't support bridge client per-node IPv6
  448. * preferences. There's no reason to use it instead of this function.)
  449. */
  450. int
  451. fascist_firewall_prefer_ipv6_dirport(const or_options_t *options)
  452. {
  453. int pref_ipv6 = fascist_firewall_prefer_ipv6_impl(options);
  454. if (pref_ipv6 >= 0) {
  455. return pref_ipv6;
  456. }
  457. /* We can use both IPv4 and IPv6 - which do we prefer? */
  458. if (options->ClientPreferIPv6DirPort == 1) {
  459. return 1;
  460. }
  461. return 0;
  462. }
  463. /** Return true iff we think our firewall will let us make a connection to
  464. * addr:port. Uses ReachableORAddresses or ReachableDirAddresses based on
  465. * fw_connection.
  466. * If pref_only is true, return true if addr is in the client's preferred
  467. * address family, which is IPv6 if pref_ipv6 is true, and IPv4 otherwise.
  468. * If pref_only is false, ignore pref_ipv6, and return true if addr is allowed.
  469. */
  470. int
  471. fascist_firewall_allows_address_addr(const tor_addr_t *addr, uint16_t port,
  472. firewall_connection_t fw_connection,
  473. int pref_only, int pref_ipv6)
  474. {
  475. if (fw_connection == FIREWALL_OR_CONNECTION) {
  476. return fascist_firewall_allows_address(addr, port,
  477. reachable_or_addr_policy,
  478. pref_only, pref_ipv6);
  479. } else if (fw_connection == FIREWALL_DIR_CONNECTION) {
  480. return fascist_firewall_allows_address(addr, port,
  481. reachable_dir_addr_policy,
  482. pref_only, pref_ipv6);
  483. } else {
  484. log_warn(LD_BUG, "Bad firewall_connection_t value %d.",
  485. fw_connection);
  486. return 0;
  487. }
  488. }
  489. /** Return true iff we think our firewall will let us make a connection to
  490. * addr:port (ap). Uses ReachableORAddresses or ReachableDirAddresses based on
  491. * fw_connection.
  492. * pref_only and pref_ipv6 work as in fascist_firewall_allows_address_addr().
  493. */
  494. static int
  495. fascist_firewall_allows_address_ap(const tor_addr_port_t *ap,
  496. firewall_connection_t fw_connection,
  497. int pref_only, int pref_ipv6)
  498. {
  499. tor_assert(ap);
  500. return fascist_firewall_allows_address_addr(&ap->addr, ap->port,
  501. fw_connection, pref_only,
  502. pref_ipv6);
  503. }
  504. /* Return true iff we think our firewall will let us make a connection to
  505. * ipv4h_or_addr:ipv4_or_port. ipv4h_or_addr is interpreted in host order.
  506. * Uses ReachableORAddresses or ReachableDirAddresses based on
  507. * fw_connection.
  508. * pref_only and pref_ipv6 work as in fascist_firewall_allows_address_addr().
  509. */
  510. static int
  511. fascist_firewall_allows_address_ipv4h(uint32_t ipv4h_or_addr,
  512. uint16_t ipv4_or_port,
  513. firewall_connection_t fw_connection,
  514. int pref_only, int pref_ipv6)
  515. {
  516. tor_addr_t ipv4_or_addr;
  517. tor_addr_from_ipv4h(&ipv4_or_addr, ipv4h_or_addr);
  518. return fascist_firewall_allows_address_addr(&ipv4_or_addr, ipv4_or_port,
  519. fw_connection, pref_only,
  520. pref_ipv6);
  521. }
  522. /** Return true iff we think our firewall will let us make a connection to
  523. * ipv4h_addr/ipv6_addr. Uses ipv4_orport/ipv6_orport/ReachableORAddresses or
  524. * ipv4_dirport/ipv6_dirport/ReachableDirAddresses based on IPv4/IPv6 and
  525. * <b>fw_connection</b>.
  526. * pref_only and pref_ipv6 work as in fascist_firewall_allows_address_addr().
  527. */
  528. static int
  529. fascist_firewall_allows_base(uint32_t ipv4h_addr, uint16_t ipv4_orport,
  530. uint16_t ipv4_dirport,
  531. const tor_addr_t *ipv6_addr, uint16_t ipv6_orport,
  532. uint16_t ipv6_dirport,
  533. firewall_connection_t fw_connection,
  534. int pref_only, int pref_ipv6)
  535. {
  536. if (fascist_firewall_allows_address_ipv4h(ipv4h_addr,
  537. (fw_connection == FIREWALL_OR_CONNECTION
  538. ? ipv4_orport
  539. : ipv4_dirport),
  540. fw_connection,
  541. pref_only, pref_ipv6)) {
  542. return 1;
  543. }
  544. if (fascist_firewall_allows_address_addr(ipv6_addr,
  545. (fw_connection == FIREWALL_OR_CONNECTION
  546. ? ipv6_orport
  547. : ipv6_dirport),
  548. fw_connection,
  549. pref_only, pref_ipv6)) {
  550. return 1;
  551. }
  552. return 0;
  553. }
  554. /** Like fascist_firewall_allows_base(), but takes ri. */
  555. static int
  556. fascist_firewall_allows_ri_impl(const routerinfo_t *ri,
  557. firewall_connection_t fw_connection,
  558. int pref_only, int pref_ipv6)
  559. {
  560. if (!ri) {
  561. return 0;
  562. }
  563. /* Assume IPv4 and IPv6 DirPorts are the same */
  564. return fascist_firewall_allows_base(ri->addr, ri->or_port, ri->dir_port,
  565. &ri->ipv6_addr, ri->ipv6_orport,
  566. ri->dir_port, fw_connection, pref_only,
  567. pref_ipv6);
  568. }
  569. /** Like fascist_firewall_allows_rs, but takes pref_ipv6. */
  570. static int
  571. fascist_firewall_allows_rs_impl(const routerstatus_t *rs,
  572. firewall_connection_t fw_connection,
  573. int pref_only, int pref_ipv6)
  574. {
  575. if (!rs) {
  576. return 0;
  577. }
  578. /* Assume IPv4 and IPv6 DirPorts are the same */
  579. return fascist_firewall_allows_base(rs->addr, rs->or_port, rs->dir_port,
  580. &rs->ipv6_addr, rs->ipv6_orport,
  581. rs->dir_port, fw_connection, pref_only,
  582. pref_ipv6);
  583. }
  584. /** Like fascist_firewall_allows_base(), but takes rs.
  585. * When rs is a fake_status from a dir_server_t, it can have a reachable
  586. * address, even when the corresponding node does not.
  587. * nodes can be missing addresses when there's no consensus (IPv4 and IPv6),
  588. * or when there is a microdescriptor consensus, but no microdescriptors
  589. * (microdescriptors have IPv6, the microdesc consensus does not). */
  590. int
  591. fascist_firewall_allows_rs(const routerstatus_t *rs,
  592. firewall_connection_t fw_connection, int pref_only)
  593. {
  594. if (!rs) {
  595. return 0;
  596. }
  597. /* We don't have access to the node-specific IPv6 preference, so use the
  598. * generic IPv6 preference instead. */
  599. const or_options_t *options = get_options();
  600. int pref_ipv6 = (fw_connection == FIREWALL_OR_CONNECTION
  601. ? fascist_firewall_prefer_ipv6_orport(options)
  602. : fascist_firewall_prefer_ipv6_dirport(options));
  603. return fascist_firewall_allows_rs_impl(rs, fw_connection, pref_only,
  604. pref_ipv6);
  605. }
  606. /** Return true iff we think our firewall will let us make a connection to
  607. * ipv6_addr:ipv6_orport based on ReachableORAddresses.
  608. * If <b>fw_connection</b> is FIREWALL_DIR_CONNECTION, returns 0.
  609. * pref_only and pref_ipv6 work as in fascist_firewall_allows_address_addr().
  610. */
  611. static int
  612. fascist_firewall_allows_md_impl(const microdesc_t *md,
  613. firewall_connection_t fw_connection,
  614. int pref_only, int pref_ipv6)
  615. {
  616. if (!md) {
  617. return 0;
  618. }
  619. /* Can't check dirport, it doesn't have one */
  620. if (fw_connection == FIREWALL_DIR_CONNECTION) {
  621. return 0;
  622. }
  623. /* Also can't check IPv4, doesn't have that either */
  624. return fascist_firewall_allows_address_addr(&md->ipv6_addr, md->ipv6_orport,
  625. fw_connection, pref_only,
  626. pref_ipv6);
  627. }
  628. /** Like fascist_firewall_allows_base(), but takes node, and looks up pref_ipv6
  629. * from node_ipv6_or/dir_preferred(). */
  630. int
  631. fascist_firewall_allows_node(const node_t *node,
  632. firewall_connection_t fw_connection,
  633. int pref_only)
  634. {
  635. if (!node) {
  636. return 0;
  637. }
  638. node_assert_ok(node);
  639. const int pref_ipv6 = (fw_connection == FIREWALL_OR_CONNECTION
  640. ? node_ipv6_or_preferred(node)
  641. : node_ipv6_dir_preferred(node));
  642. /* Sometimes, the rs is missing the IPv6 address info, and we need to go
  643. * all the way to the md */
  644. if (node->ri && fascist_firewall_allows_ri_impl(node->ri, fw_connection,
  645. pref_only, pref_ipv6)) {
  646. return 1;
  647. } else if (node->rs && fascist_firewall_allows_rs_impl(node->rs,
  648. fw_connection,
  649. pref_only,
  650. pref_ipv6)) {
  651. return 1;
  652. } else if (node->md && fascist_firewall_allows_md_impl(node->md,
  653. fw_connection,
  654. pref_only,
  655. pref_ipv6)) {
  656. return 1;
  657. } else {
  658. /* If we know nothing, assume it's unreachable, we'll never get an address
  659. * to connect to. */
  660. return 0;
  661. }
  662. }
  663. /** Like fascist_firewall_allows_rs(), but takes ds. */
  664. int
  665. fascist_firewall_allows_dir_server(const dir_server_t *ds,
  666. firewall_connection_t fw_connection,
  667. int pref_only)
  668. {
  669. if (!ds) {
  670. return 0;
  671. }
  672. /* A dir_server_t always has a fake_status. As long as it has the same
  673. * addresses/ports in both fake_status and dir_server_t, this works fine.
  674. * (See #17867.)
  675. * fascist_firewall_allows_rs only checks the addresses in fake_status. */
  676. return fascist_firewall_allows_rs(&ds->fake_status, fw_connection,
  677. pref_only);
  678. }
  679. /** If a and b are both valid and allowed by fw_connection,
  680. * choose one based on want_a and return it.
  681. * Otherwise, return whichever is allowed.
  682. * Otherwise, return NULL.
  683. * pref_only and pref_ipv6 work as in fascist_firewall_allows_address_addr().
  684. */
  685. static const tor_addr_port_t *
  686. fascist_firewall_choose_address_impl(const tor_addr_port_t *a,
  687. const tor_addr_port_t *b,
  688. int want_a,
  689. firewall_connection_t fw_connection,
  690. int pref_only, int pref_ipv6)
  691. {
  692. const tor_addr_port_t *use_a = NULL;
  693. const tor_addr_port_t *use_b = NULL;
  694. if (fascist_firewall_allows_address_ap(a, fw_connection, pref_only,
  695. pref_ipv6)) {
  696. use_a = a;
  697. }
  698. if (fascist_firewall_allows_address_ap(b, fw_connection, pref_only,
  699. pref_ipv6)) {
  700. use_b = b;
  701. }
  702. /* If both are allowed */
  703. if (use_a && use_b) {
  704. /* Choose a if we want it */
  705. return (want_a ? use_a : use_b);
  706. } else {
  707. /* Choose a if we have it */
  708. return (use_a ? use_a : use_b);
  709. }
  710. }
  711. /** If a and b are both valid and preferred by fw_connection,
  712. * choose one based on want_a and return it.
  713. * Otherwise, return whichever is preferred.
  714. * If neither are preferred, and pref_only is false:
  715. * - If a and b are both allowed by fw_connection,
  716. * choose one based on want_a and return it.
  717. * - Otherwise, return whichever is preferred.
  718. * Otherwise, return NULL. */
  719. STATIC const tor_addr_port_t *
  720. fascist_firewall_choose_address(const tor_addr_port_t *a,
  721. const tor_addr_port_t *b,
  722. int want_a,
  723. firewall_connection_t fw_connection,
  724. int pref_only, int pref_ipv6)
  725. {
  726. const tor_addr_port_t *pref = fascist_firewall_choose_address_impl(
  727. a, b, want_a,
  728. fw_connection,
  729. 1, pref_ipv6);
  730. if (pref_only || pref) {
  731. /* If there is a preferred address, use it. If we can only use preferred
  732. * addresses, and neither address is preferred, pref will be NULL, and we
  733. * want to return NULL, so return it. */
  734. return pref;
  735. } else {
  736. /* If there's no preferred address, and we can return addresses that are
  737. * not preferred, use an address that's allowed */
  738. return fascist_firewall_choose_address_impl(a, b, want_a, fw_connection,
  739. 0, pref_ipv6);
  740. }
  741. }
  742. /** Copy an address and port into <b>ap</b> that we think our firewall will
  743. * let us connect to. Uses ipv4_addr/ipv6_addr and
  744. * ipv4_orport/ipv6_orport/ReachableORAddresses or
  745. * ipv4_dirport/ipv6_dirport/ReachableDirAddresses based on IPv4/IPv6 and
  746. * <b>fw_connection</b>.
  747. * If pref_only, only choose preferred addresses. In either case, choose
  748. * a preferred address before an address that's not preferred.
  749. * If both addresses could be chosen (they are both preferred or both allowed)
  750. * choose IPv6 if pref_ipv6 is true, otherwise choose IPv4.
  751. * If neither address is chosen, return 0, else return 1. */
  752. static int
  753. fascist_firewall_choose_address_base(const tor_addr_t *ipv4_addr,
  754. uint16_t ipv4_orport,
  755. uint16_t ipv4_dirport,
  756. const tor_addr_t *ipv6_addr,
  757. uint16_t ipv6_orport,
  758. uint16_t ipv6_dirport,
  759. firewall_connection_t fw_connection,
  760. int pref_only,
  761. int pref_ipv6,
  762. tor_addr_port_t* ap)
  763. {
  764. const tor_addr_port_t *result = NULL;
  765. const int want_ipv4 = !pref_ipv6;
  766. tor_assert(ipv6_addr);
  767. tor_assert(ap);
  768. tor_addr_make_null(&ap->addr, AF_UNSPEC);
  769. ap->port = 0;
  770. tor_addr_port_t ipv4_ap;
  771. tor_addr_copy(&ipv4_ap.addr, ipv4_addr);
  772. ipv4_ap.port = (fw_connection == FIREWALL_OR_CONNECTION
  773. ? ipv4_orport
  774. : ipv4_dirport);
  775. tor_addr_port_t ipv6_ap;
  776. tor_addr_copy(&ipv6_ap.addr, ipv6_addr);
  777. ipv6_ap.port = (fw_connection == FIREWALL_OR_CONNECTION
  778. ? ipv6_orport
  779. : ipv6_dirport);
  780. result = fascist_firewall_choose_address(&ipv4_ap, &ipv6_ap,
  781. want_ipv4,
  782. fw_connection, pref_only,
  783. pref_ipv6);
  784. if (result) {
  785. tor_addr_copy(&ap->addr, &result->addr);
  786. ap->port = result->port;
  787. return 1;
  788. } else {
  789. return 0;
  790. }
  791. }
  792. /** Like fascist_firewall_choose_address_base(), but takes a host-order IPv4
  793. * address as the first parameter. */
  794. static int
  795. fascist_firewall_choose_address_ipv4h(uint32_t ipv4h_addr,
  796. uint16_t ipv4_orport,
  797. uint16_t ipv4_dirport,
  798. const tor_addr_t *ipv6_addr,
  799. uint16_t ipv6_orport,
  800. uint16_t ipv6_dirport,
  801. firewall_connection_t fw_connection,
  802. int pref_only,
  803. int pref_ipv6,
  804. tor_addr_port_t* ap)
  805. {
  806. tor_addr_t ipv4_addr;
  807. tor_addr_from_ipv4h(&ipv4_addr, ipv4h_addr);
  808. tor_assert(ap);
  809. tor_addr_make_null(&ap->addr, AF_UNSPEC);
  810. ap->port = 0;
  811. return fascist_firewall_choose_address_base(&ipv4_addr, ipv4_orport,
  812. ipv4_dirport, ipv6_addr,
  813. ipv6_orport, ipv6_dirport,
  814. fw_connection, pref_only,
  815. pref_ipv6, ap);
  816. }
  817. /* Some microdescriptor consensus methods have no IPv6 addresses in rs: they
  818. * are in the microdescriptors. For these consensus methods, we can't rely on
  819. * the node's IPv6 address until its microdescriptor is available (when using
  820. * microdescs).
  821. * But for bridges, rewrite_node_address_for_bridge() updates node->ri with
  822. * the configured address, so we can trust bridge addresses.
  823. * (Bridges could gain an IPv6 address if their microdescriptor arrives, but
  824. * this will never be their preferred address: that is in the config.)
  825. * Returns true if the node needs a microdescriptor for its IPv6 address, and
  826. * false if the addresses in the node are already up-to-date.
  827. */
  828. static int
  829. node_awaiting_ipv6(const or_options_t* options, const node_t *node)
  830. {
  831. tor_assert(node);
  832. /* There's no point waiting for an IPv6 address if we'd never use it */
  833. if (!fascist_firewall_use_ipv6(options)) {
  834. return 0;
  835. }
  836. /* If the node has an IPv6 address, we're not waiting */
  837. if (node_has_ipv6_addr(node)) {
  838. return 0;
  839. }
  840. /* If the current consensus method and flavour has IPv6 addresses, we're not
  841. * waiting */
  842. if (networkstatus_consensus_has_ipv6(options)) {
  843. return 0;
  844. }
  845. /* Bridge clients never use the address from a bridge's md, so there's no
  846. * need to wait for it. */
  847. if (node_is_a_configured_bridge(node)) {
  848. return 0;
  849. }
  850. /* We are waiting if we_use_microdescriptors_for_circuits() and we have no
  851. * md. */
  852. return (!node->md && we_use_microdescriptors_for_circuits(options));
  853. }
  854. /** Like fascist_firewall_choose_address_base(), but takes <b>rs</b>.
  855. * Consults the corresponding node, then falls back to rs if node is NULL.
  856. * This should only happen when there's no valid consensus, and rs doesn't
  857. * correspond to a bridge client's bridge.
  858. */
  859. int
  860. fascist_firewall_choose_address_rs(const routerstatus_t *rs,
  861. firewall_connection_t fw_connection,
  862. int pref_only, tor_addr_port_t* ap)
  863. {
  864. if (!rs) {
  865. return 0;
  866. }
  867. tor_assert(ap);
  868. tor_addr_make_null(&ap->addr, AF_UNSPEC);
  869. ap->port = 0;
  870. const or_options_t *options = get_options();
  871. const node_t *node = node_get_by_id(rs->identity_digest);
  872. if (node && !node_awaiting_ipv6(options, node)) {
  873. return fascist_firewall_choose_address_node(node, fw_connection, pref_only,
  874. ap);
  875. } else {
  876. /* There's no node-specific IPv6 preference, so use the generic IPv6
  877. * preference instead. */
  878. int pref_ipv6 = (fw_connection == FIREWALL_OR_CONNECTION
  879. ? fascist_firewall_prefer_ipv6_orport(options)
  880. : fascist_firewall_prefer_ipv6_dirport(options));
  881. /* Assume IPv4 and IPv6 DirPorts are the same.
  882. * Assume the IPv6 OR and Dir addresses are the same. */
  883. return fascist_firewall_choose_address_ipv4h(rs->addr,
  884. rs->or_port,
  885. rs->dir_port,
  886. &rs->ipv6_addr,
  887. rs->ipv6_orport,
  888. rs->dir_port,
  889. fw_connection,
  890. pref_only,
  891. pref_ipv6,
  892. ap);
  893. }
  894. }
  895. /** Like fascist_firewall_choose_address_base(), but takes <b>node</b>, and
  896. * looks up the node's IPv6 preference rather than taking an argument
  897. * for pref_ipv6. */
  898. int
  899. fascist_firewall_choose_address_node(const node_t *node,
  900. firewall_connection_t fw_connection,
  901. int pref_only, tor_addr_port_t *ap)
  902. {
  903. if (!node) {
  904. return 0;
  905. }
  906. node_assert_ok(node);
  907. tor_assert(ap);
  908. tor_addr_make_null(&ap->addr, AF_UNSPEC);
  909. ap->port = 0;
  910. /* Calling fascist_firewall_choose_address_node() when the node is missing
  911. * IPv6 information breaks IPv6-only clients.
  912. * If the node is a hard-coded fallback directory or authority, call
  913. * fascist_firewall_choose_address_rs() on the fake (hard-coded) routerstatus
  914. * for the node.
  915. * If it is not hard-coded, check that the node has a microdescriptor, full
  916. * descriptor (routerinfo), or is one of our configured bridges before
  917. * calling this function. */
  918. if (BUG(node_awaiting_ipv6(get_options(), node))) {
  919. return 0;
  920. }
  921. const int pref_ipv6_node = (fw_connection == FIREWALL_OR_CONNECTION
  922. ? node_ipv6_or_preferred(node)
  923. : node_ipv6_dir_preferred(node));
  924. tor_addr_port_t ipv4_or_ap;
  925. node_get_prim_orport(node, &ipv4_or_ap);
  926. tor_addr_port_t ipv4_dir_ap;
  927. node_get_prim_dirport(node, &ipv4_dir_ap);
  928. tor_addr_port_t ipv6_or_ap;
  929. node_get_pref_ipv6_orport(node, &ipv6_or_ap);
  930. tor_addr_port_t ipv6_dir_ap;
  931. node_get_pref_ipv6_dirport(node, &ipv6_dir_ap);
  932. /* Assume the IPv6 OR and Dir addresses are the same. */
  933. return fascist_firewall_choose_address_base(&ipv4_or_ap.addr,
  934. ipv4_or_ap.port,
  935. ipv4_dir_ap.port,
  936. &ipv6_or_ap.addr,
  937. ipv6_or_ap.port,
  938. ipv6_dir_ap.port,
  939. fw_connection,
  940. pref_only,
  941. pref_ipv6_node,
  942. ap);
  943. }
  944. /** Like fascist_firewall_choose_address_rs(), but takes <b>ds</b>. */
  945. int
  946. fascist_firewall_choose_address_dir_server(const dir_server_t *ds,
  947. firewall_connection_t fw_connection,
  948. int pref_only,
  949. tor_addr_port_t *ap)
  950. {
  951. if (!ds) {
  952. return 0;
  953. }
  954. tor_assert(ap);
  955. tor_addr_make_null(&ap->addr, AF_UNSPEC);
  956. ap->port = 0;
  957. /* A dir_server_t always has a fake_status. As long as it has the same
  958. * addresses/ports in both fake_status and dir_server_t, this works fine.
  959. * (See #17867.)
  960. * This function relies on fascist_firewall_choose_address_rs looking up the
  961. * node if it can, because that will get the latest info for the relay. */
  962. return fascist_firewall_choose_address_rs(&ds->fake_status, fw_connection,
  963. pref_only, ap);
  964. }
  965. /** Return 1 if <b>addr</b> is permitted to connect to our dir port,
  966. * based on <b>dir_policy</b>. Else return 0.
  967. */
  968. int
  969. dir_policy_permits_address(const tor_addr_t *addr)
  970. {
  971. return addr_policy_permits_tor_addr(addr, 1, dir_policy);
  972. }
  973. /** Return 1 if <b>addr</b> is permitted to connect to our socks port,
  974. * based on <b>socks_policy</b>. Else return 0.
  975. */
  976. int
  977. socks_policy_permits_address(const tor_addr_t *addr)
  978. {
  979. return addr_policy_permits_tor_addr(addr, 1, socks_policy);
  980. }
  981. /** Return true iff the address <b>addr</b> is in a country listed in the
  982. * case-insensitive list of country codes <b>cc_list</b>. */
  983. static int
  984. addr_is_in_cc_list(uint32_t addr, const smartlist_t *cc_list)
  985. {
  986. country_t country;
  987. const char *name;
  988. tor_addr_t tar;
  989. if (!cc_list)
  990. return 0;
  991. /* XXXXipv6 */
  992. tor_addr_from_ipv4h(&tar, addr);
  993. country = geoip_get_country_by_addr(&tar);
  994. name = geoip_get_country_name(country);
  995. return smartlist_contains_string_case(cc_list, name);
  996. }
  997. /** Return 1 if <b>addr</b>:<b>port</b> is permitted to publish to our
  998. * directory, based on <b>authdir_reject_policy</b>. Else return 0.
  999. */
  1000. int
  1001. authdir_policy_permits_address(uint32_t addr, uint16_t port)
  1002. {
  1003. if (! addr_policy_permits_address(addr, port, authdir_reject_policy))
  1004. return 0;
  1005. return !addr_is_in_cc_list(addr, get_options()->AuthDirRejectCCs);
  1006. }
  1007. /** Return 1 if <b>addr</b>:<b>port</b> is considered valid in our
  1008. * directory, based on <b>authdir_invalid_policy</b>. Else return 0.
  1009. */
  1010. int
  1011. authdir_policy_valid_address(uint32_t addr, uint16_t port)
  1012. {
  1013. if (! addr_policy_permits_address(addr, port, authdir_invalid_policy))
  1014. return 0;
  1015. return !addr_is_in_cc_list(addr, get_options()->AuthDirInvalidCCs);
  1016. }
  1017. /** Return 1 if <b>addr</b>:<b>port</b> should be marked as a bad exit,
  1018. * based on <b>authdir_badexit_policy</b>. Else return 0.
  1019. */
  1020. int
  1021. authdir_policy_badexit_address(uint32_t addr, uint16_t port)
  1022. {
  1023. if (! addr_policy_permits_address(addr, port, authdir_badexit_policy))
  1024. return 1;
  1025. return addr_is_in_cc_list(addr, get_options()->AuthDirBadExitCCs);
  1026. }
  1027. #define REJECT(arg) \
  1028. STMT_BEGIN *msg = tor_strdup(arg); goto err; STMT_END
  1029. /** Config helper: If there's any problem with the policy configuration
  1030. * options in <b>options</b>, return -1 and set <b>msg</b> to a newly
  1031. * allocated description of the error. Else return 0. */
  1032. int
  1033. validate_addr_policies(const or_options_t *options, char **msg)
  1034. {
  1035. /* XXXX Maybe merge this into parse_policies_from_options, to make sure
  1036. * that the two can't go out of sync. */
  1037. smartlist_t *addr_policy=NULL;
  1038. *msg = NULL;
  1039. if (policies_parse_exit_policy_from_options(options,0,NULL,&addr_policy)) {
  1040. REJECT("Error in ExitPolicy entry.");
  1041. }
  1042. static int warned_about_exitrelay = 0;
  1043. const int exitrelay_setting_is_auto = options->ExitRelay == -1;
  1044. const int policy_accepts_something =
  1045. ! (policy_is_reject_star(addr_policy, AF_INET, 1) &&
  1046. policy_is_reject_star(addr_policy, AF_INET6, 1));
  1047. if (server_mode(options) &&
  1048. ! warned_about_exitrelay &&
  1049. exitrelay_setting_is_auto &&
  1050. policy_accepts_something) {
  1051. /* Policy accepts something */
  1052. warned_about_exitrelay = 1;
  1053. log_warn(LD_CONFIG,
  1054. "Tor is running as an exit relay%s. If you did not want this "
  1055. "behavior, please set the ExitRelay option to 0. If you do "
  1056. "want to run an exit Relay, please set the ExitRelay option "
  1057. "to 1 to disable this warning, and for forward compatibility.",
  1058. options->ExitPolicy == NULL ?
  1059. " with the default exit policy" : "");
  1060. if (options->ExitPolicy == NULL && options->ReducedExitPolicy == 0) {
  1061. log_warn(LD_CONFIG,
  1062. "In a future version of Tor, ExitRelay 0 may become the "
  1063. "default when no ExitPolicy is given.");
  1064. }
  1065. }
  1066. /* The rest of these calls *append* to addr_policy. So don't actually
  1067. * use the results for anything other than checking if they parse! */
  1068. if (parse_addr_policy(options->DirPolicy, &addr_policy, -1))
  1069. REJECT("Error in DirPolicy entry.");
  1070. if (parse_addr_policy(options->SocksPolicy, &addr_policy, -1))
  1071. REJECT("Error in SocksPolicy entry.");
  1072. if (parse_addr_policy(options->AuthDirReject, &addr_policy,
  1073. ADDR_POLICY_REJECT))
  1074. REJECT("Error in AuthDirReject entry.");
  1075. if (parse_addr_policy(options->AuthDirInvalid, &addr_policy,
  1076. ADDR_POLICY_REJECT))
  1077. REJECT("Error in AuthDirInvalid entry.");
  1078. if (parse_addr_policy(options->AuthDirBadExit, &addr_policy,
  1079. ADDR_POLICY_REJECT))
  1080. REJECT("Error in AuthDirBadExit entry.");
  1081. if (parse_addr_policy(options->ReachableAddresses, &addr_policy,
  1082. ADDR_POLICY_ACCEPT))
  1083. REJECT("Error in ReachableAddresses entry.");
  1084. if (parse_addr_policy(options->ReachableORAddresses, &addr_policy,
  1085. ADDR_POLICY_ACCEPT))
  1086. REJECT("Error in ReachableORAddresses entry.");
  1087. if (parse_addr_policy(options->ReachableDirAddresses, &addr_policy,
  1088. ADDR_POLICY_ACCEPT))
  1089. REJECT("Error in ReachableDirAddresses entry.");
  1090. err:
  1091. addr_policy_list_free(addr_policy);
  1092. return *msg ? -1 : 0;
  1093. #undef REJECT
  1094. }
  1095. /** Parse <b>string</b> in the same way that the exit policy
  1096. * is parsed, and put the processed version in *<b>policy</b>.
  1097. * Ignore port specifiers.
  1098. */
  1099. static int
  1100. load_policy_from_option(config_line_t *config, const char *option_name,
  1101. smartlist_t **policy,
  1102. int assume_action)
  1103. {
  1104. int r;
  1105. int killed_any_ports = 0;
  1106. addr_policy_list_free(*policy);
  1107. *policy = NULL;
  1108. r = parse_addr_policy(config, policy, assume_action);
  1109. if (r < 0) {
  1110. return -1;
  1111. }
  1112. if (*policy) {
  1113. SMARTLIST_FOREACH_BEGIN(*policy, addr_policy_t *, n) {
  1114. /* ports aren't used in these. */
  1115. if (n->prt_min > 1 || n->prt_max != 65535) {
  1116. addr_policy_t newp, *c;
  1117. memcpy(&newp, n, sizeof(newp));
  1118. newp.prt_min = 1;
  1119. newp.prt_max = 65535;
  1120. newp.is_canonical = 0;
  1121. c = addr_policy_get_canonical_entry(&newp);
  1122. SMARTLIST_REPLACE_CURRENT(*policy, n, c);
  1123. addr_policy_free(n);
  1124. killed_any_ports = 1;
  1125. }
  1126. } SMARTLIST_FOREACH_END(n);
  1127. }
  1128. if (killed_any_ports) {
  1129. log_warn(LD_CONFIG, "Ignoring ports in %s option.", option_name);
  1130. }
  1131. return 0;
  1132. }
  1133. /** Set all policies based on <b>options</b>, which should have been validated
  1134. * first by validate_addr_policies. */
  1135. int
  1136. policies_parse_from_options(const or_options_t *options)
  1137. {
  1138. int ret = 0;
  1139. if (load_policy_from_option(options->SocksPolicy, "SocksPolicy",
  1140. &socks_policy, -1) < 0)
  1141. ret = -1;
  1142. if (load_policy_from_option(options->DirPolicy, "DirPolicy",
  1143. &dir_policy, -1) < 0)
  1144. ret = -1;
  1145. if (load_policy_from_option(options->AuthDirReject, "AuthDirReject",
  1146. &authdir_reject_policy, ADDR_POLICY_REJECT) < 0)
  1147. ret = -1;
  1148. if (load_policy_from_option(options->AuthDirInvalid, "AuthDirInvalid",
  1149. &authdir_invalid_policy, ADDR_POLICY_REJECT) < 0)
  1150. ret = -1;
  1151. if (load_policy_from_option(options->AuthDirBadExit, "AuthDirBadExit",
  1152. &authdir_badexit_policy, ADDR_POLICY_REJECT) < 0)
  1153. ret = -1;
  1154. if (parse_reachable_addresses() < 0)
  1155. ret = -1;
  1156. return ret;
  1157. }
  1158. /** Compare two provided address policy items, and renturn -1, 0, or 1
  1159. * if the first is less than, equal to, or greater than the second. */
  1160. static int
  1161. single_addr_policy_eq(const addr_policy_t *a, const addr_policy_t *b)
  1162. {
  1163. int r;
  1164. #define CMP_FIELD(field) do { \
  1165. if (a->field != b->field) { \
  1166. return 0; \
  1167. } \
  1168. } while (0)
  1169. CMP_FIELD(policy_type);
  1170. CMP_FIELD(is_private);
  1171. /* refcnt and is_canonical are irrelevant to equality,
  1172. * they are hash table implementation details */
  1173. if ((r=tor_addr_compare(&a->addr, &b->addr, CMP_EXACT)))
  1174. return 0;
  1175. CMP_FIELD(maskbits);
  1176. CMP_FIELD(prt_min);
  1177. CMP_FIELD(prt_max);
  1178. #undef CMP_FIELD
  1179. return 1;
  1180. }
  1181. /** As single_addr_policy_eq, but compare every element of two policies.
  1182. */
  1183. int
  1184. addr_policies_eq(const smartlist_t *a, const smartlist_t *b)
  1185. {
  1186. int i;
  1187. int len_a = a ? smartlist_len(a) : 0;
  1188. int len_b = b ? smartlist_len(b) : 0;
  1189. if (len_a != len_b)
  1190. return 0;
  1191. for (i = 0; i < len_a; ++i) {
  1192. if (! single_addr_policy_eq(smartlist_get(a, i), smartlist_get(b, i)))
  1193. return 0;
  1194. }
  1195. return 1;
  1196. }
  1197. /** Node in hashtable used to store address policy entries. */
  1198. typedef struct policy_map_ent_t {
  1199. HT_ENTRY(policy_map_ent_t) node;
  1200. addr_policy_t *policy;
  1201. } policy_map_ent_t;
  1202. /* DOCDOC policy_root */
  1203. static HT_HEAD(policy_map, policy_map_ent_t) policy_root = HT_INITIALIZER();
  1204. /** Return true iff a and b are equal. */
  1205. static inline int
  1206. policy_eq(policy_map_ent_t *a, policy_map_ent_t *b)
  1207. {
  1208. return single_addr_policy_eq(a->policy, b->policy);
  1209. }
  1210. /** Return a hashcode for <b>ent</b> */
  1211. static unsigned int
  1212. policy_hash(const policy_map_ent_t *ent)
  1213. {
  1214. const addr_policy_t *a = ent->policy;
  1215. addr_policy_t aa;
  1216. memset(&aa, 0, sizeof(aa));
  1217. aa.prt_min = a->prt_min;
  1218. aa.prt_max = a->prt_max;
  1219. aa.maskbits = a->maskbits;
  1220. aa.policy_type = a->policy_type;
  1221. aa.is_private = a->is_private;
  1222. if (a->is_private) {
  1223. aa.is_private = 1;
  1224. } else {
  1225. tor_addr_copy_tight(&aa.addr, &a->addr);
  1226. }
  1227. return (unsigned) siphash24g(&aa, sizeof(aa));
  1228. }
  1229. HT_PROTOTYPE(policy_map, policy_map_ent_t, node, policy_hash,
  1230. policy_eq)
  1231. HT_GENERATE2(policy_map, policy_map_ent_t, node, policy_hash,
  1232. policy_eq, 0.6, tor_reallocarray_, tor_free_)
  1233. /** Given a pointer to an addr_policy_t, return a copy of the pointer to the
  1234. * "canonical" copy of that addr_policy_t; the canonical copy is a single
  1235. * reference-counted object. */
  1236. addr_policy_t *
  1237. addr_policy_get_canonical_entry(addr_policy_t *e)
  1238. {
  1239. policy_map_ent_t search, *found;
  1240. if (e->is_canonical)
  1241. return e;
  1242. search.policy = e;
  1243. found = HT_FIND(policy_map, &policy_root, &search);
  1244. if (!found) {
  1245. found = tor_malloc_zero(sizeof(policy_map_ent_t));
  1246. found->policy = tor_memdup(e, sizeof(addr_policy_t));
  1247. found->policy->is_canonical = 1;
  1248. found->policy->refcnt = 0;
  1249. HT_INSERT(policy_map, &policy_root, found);
  1250. }
  1251. tor_assert(single_addr_policy_eq(found->policy, e));
  1252. ++found->policy->refcnt;
  1253. return found->policy;
  1254. }
  1255. /** Helper for compare_tor_addr_to_addr_policy. Implements the case where
  1256. * addr and port are both known. */
  1257. static addr_policy_result_t
  1258. compare_known_tor_addr_to_addr_policy(const tor_addr_t *addr, uint16_t port,
  1259. const smartlist_t *policy)
  1260. {
  1261. /* We know the address and port, and we know the policy, so we can just
  1262. * compute an exact match. */
  1263. SMARTLIST_FOREACH_BEGIN(policy, addr_policy_t *, tmpe) {
  1264. if (tmpe->addr.family == AF_UNSPEC) {
  1265. log_warn(LD_BUG, "Policy contains an AF_UNSPEC address, which only "
  1266. "matches other AF_UNSPEC addresses.");
  1267. }
  1268. /* Address is known */
  1269. if (!tor_addr_compare_masked(addr, &tmpe->addr, tmpe->maskbits,
  1270. CMP_EXACT)) {
  1271. if (port >= tmpe->prt_min && port <= tmpe->prt_max) {
  1272. /* Exact match for the policy */
  1273. return tmpe->policy_type == ADDR_POLICY_ACCEPT ?
  1274. ADDR_POLICY_ACCEPTED : ADDR_POLICY_REJECTED;
  1275. }
  1276. }
  1277. } SMARTLIST_FOREACH_END(tmpe);
  1278. /* accept all by default. */
  1279. return ADDR_POLICY_ACCEPTED;
  1280. }
  1281. /** Helper for compare_tor_addr_to_addr_policy. Implements the case where
  1282. * addr is known but port is not. */
  1283. static addr_policy_result_t
  1284. compare_known_tor_addr_to_addr_policy_noport(const tor_addr_t *addr,
  1285. const smartlist_t *policy)
  1286. {
  1287. /* We look to see if there's a definite match. If so, we return that
  1288. match's value, unless there's an intervening possible match that says
  1289. something different. */
  1290. int maybe_accept = 0, maybe_reject = 0;
  1291. SMARTLIST_FOREACH_BEGIN(policy, addr_policy_t *, tmpe) {
  1292. if (tmpe->addr.family == AF_UNSPEC) {
  1293. log_warn(LD_BUG, "Policy contains an AF_UNSPEC address, which only "
  1294. "matches other AF_UNSPEC addresses.");
  1295. }
  1296. if (!tor_addr_compare_masked(addr, &tmpe->addr, tmpe->maskbits,
  1297. CMP_EXACT)) {
  1298. if (tmpe->prt_min <= 1 && tmpe->prt_max >= 65535) {
  1299. /* Definitely matches, since it covers all ports. */
  1300. if (tmpe->policy_type == ADDR_POLICY_ACCEPT) {
  1301. /* If we already hit a clause that might trigger a 'reject', than we
  1302. * can't be sure of this certain 'accept'.*/
  1303. return maybe_reject ? ADDR_POLICY_PROBABLY_ACCEPTED :
  1304. ADDR_POLICY_ACCEPTED;
  1305. } else {
  1306. return maybe_accept ? ADDR_POLICY_PROBABLY_REJECTED :
  1307. ADDR_POLICY_REJECTED;
  1308. }
  1309. } else {
  1310. /* Might match. */
  1311. if (tmpe->policy_type == ADDR_POLICY_REJECT)
  1312. maybe_reject = 1;
  1313. else
  1314. maybe_accept = 1;
  1315. }
  1316. }
  1317. } SMARTLIST_FOREACH_END(tmpe);
  1318. /* accept all by default. */
  1319. return maybe_reject ? ADDR_POLICY_PROBABLY_ACCEPTED : ADDR_POLICY_ACCEPTED;
  1320. }
  1321. /** Helper for compare_tor_addr_to_addr_policy. Implements the case where
  1322. * port is known but address is not. */
  1323. static addr_policy_result_t
  1324. compare_unknown_tor_addr_to_addr_policy(uint16_t port,
  1325. const smartlist_t *policy)
  1326. {
  1327. /* We look to see if there's a definite match. If so, we return that
  1328. match's value, unless there's an intervening possible match that says
  1329. something different. */
  1330. int maybe_accept = 0, maybe_reject = 0;
  1331. SMARTLIST_FOREACH_BEGIN(policy, addr_policy_t *, tmpe) {
  1332. if (tmpe->addr.family == AF_UNSPEC) {
  1333. log_warn(LD_BUG, "Policy contains an AF_UNSPEC address, which only "
  1334. "matches other AF_UNSPEC addresses.");
  1335. }
  1336. if (tmpe->prt_min <= port && port <= tmpe->prt_max) {
  1337. if (tmpe->maskbits == 0) {
  1338. /* Definitely matches, since it covers all addresses. */
  1339. if (tmpe->policy_type == ADDR_POLICY_ACCEPT) {
  1340. /* If we already hit a clause that might trigger a 'reject', than we
  1341. * can't be sure of this certain 'accept'.*/
  1342. return maybe_reject ? ADDR_POLICY_PROBABLY_ACCEPTED :
  1343. ADDR_POLICY_ACCEPTED;
  1344. } else {
  1345. return maybe_accept ? ADDR_POLICY_PROBABLY_REJECTED :
  1346. ADDR_POLICY_REJECTED;
  1347. }
  1348. } else {
  1349. /* Might match. */
  1350. if (tmpe->policy_type == ADDR_POLICY_REJECT)
  1351. maybe_reject = 1;
  1352. else
  1353. maybe_accept = 1;
  1354. }
  1355. }
  1356. } SMARTLIST_FOREACH_END(tmpe);
  1357. /* accept all by default. */
  1358. return maybe_reject ? ADDR_POLICY_PROBABLY_ACCEPTED : ADDR_POLICY_ACCEPTED;
  1359. }
  1360. /** Decide whether a given addr:port is definitely accepted,
  1361. * definitely rejected, probably accepted, or probably rejected by a
  1362. * given policy. If <b>addr</b> is 0, we don't know the IP of the
  1363. * target address. If <b>port</b> is 0, we don't know the port of the
  1364. * target address. (At least one of <b>addr</b> and <b>port</b> must be
  1365. * provided. If you want to know whether a policy would definitely reject
  1366. * an unknown address:port, use policy_is_reject_star().)
  1367. *
  1368. * We could do better by assuming that some ranges never match typical
  1369. * addresses (127.0.0.1, and so on). But we'll try this for now.
  1370. */
  1371. MOCK_IMPL(addr_policy_result_t,
  1372. compare_tor_addr_to_addr_policy,(const tor_addr_t *addr, uint16_t port,
  1373. const smartlist_t *policy))
  1374. {
  1375. if (!policy) {
  1376. /* no policy? accept all. */
  1377. return ADDR_POLICY_ACCEPTED;
  1378. } else if (addr == NULL || tor_addr_is_null(addr)) {
  1379. if (port == 0) {
  1380. log_info(LD_BUG, "Rejecting null address with 0 port (family %d)",
  1381. addr ? tor_addr_family(addr) : -1);
  1382. return ADDR_POLICY_REJECTED;
  1383. }
  1384. return compare_unknown_tor_addr_to_addr_policy(port, policy);
  1385. } else if (port == 0) {
  1386. return compare_known_tor_addr_to_addr_policy_noport(addr, policy);
  1387. } else {
  1388. return compare_known_tor_addr_to_addr_policy(addr, port, policy);
  1389. }
  1390. }
  1391. /** Return true iff the address policy <b>a</b> covers every case that
  1392. * would be covered by <b>b</b>, so that a,b is redundant. */
  1393. static int
  1394. addr_policy_covers(addr_policy_t *a, addr_policy_t *b)
  1395. {
  1396. if (tor_addr_family(&a->addr) != tor_addr_family(&b->addr)) {
  1397. /* You can't cover a different family. */
  1398. return 0;
  1399. }
  1400. /* We can ignore accept/reject, since "accept *:80, reject *:80" reduces
  1401. * to "accept *:80". */
  1402. if (a->maskbits > b->maskbits) {
  1403. /* a has more fixed bits than b; it can't possibly cover b. */
  1404. return 0;
  1405. }
  1406. if (tor_addr_compare_masked(&a->addr, &b->addr, a->maskbits, CMP_EXACT)) {
  1407. /* There's a fixed bit in a that's set differently in b. */
  1408. return 0;
  1409. }
  1410. return (a->prt_min <= b->prt_min && a->prt_max >= b->prt_max);
  1411. }
  1412. /** Return true iff the address policies <b>a</b> and <b>b</b> intersect,
  1413. * that is, there exists an address/port that is covered by <b>a</b> that
  1414. * is also covered by <b>b</b>.
  1415. */
  1416. static int
  1417. addr_policy_intersects(addr_policy_t *a, addr_policy_t *b)
  1418. {
  1419. maskbits_t minbits;
  1420. /* All the bits we care about are those that are set in both
  1421. * netmasks. If they are equal in a and b's networkaddresses
  1422. * then the networks intersect. If there is a difference,
  1423. * then they do not. */
  1424. if (a->maskbits < b->maskbits)
  1425. minbits = a->maskbits;
  1426. else
  1427. minbits = b->maskbits;
  1428. if (tor_addr_compare_masked(&a->addr, &b->addr, minbits, CMP_EXACT))
  1429. return 0;
  1430. if (a->prt_max < b->prt_min || b->prt_max < a->prt_min)
  1431. return 0;
  1432. return 1;
  1433. }
  1434. /** Add the exit policy described by <b>more</b> to <b>policy</b>.
  1435. */
  1436. STATIC void
  1437. append_exit_policy_string(smartlist_t **policy, const char *more)
  1438. {
  1439. config_line_t tmp;
  1440. tmp.key = NULL;
  1441. tmp.value = (char*) more;
  1442. tmp.next = NULL;
  1443. if (parse_addr_policy(&tmp, policy, -1)<0) {
  1444. log_warn(LD_BUG, "Unable to parse internally generated policy %s",more);
  1445. }
  1446. }
  1447. /** Add "reject <b>addr</b>:*" to <b>dest</b>, creating the list as needed. */
  1448. void
  1449. addr_policy_append_reject_addr(smartlist_t **dest, const tor_addr_t *addr)
  1450. {
  1451. tor_assert(dest);
  1452. tor_assert(addr);
  1453. addr_policy_t p, *add;
  1454. memset(&p, 0, sizeof(p));
  1455. p.policy_type = ADDR_POLICY_REJECT;
  1456. p.maskbits = tor_addr_family(addr) == AF_INET6 ? 128 : 32;
  1457. tor_addr_copy(&p.addr, addr);
  1458. p.prt_min = 1;
  1459. p.prt_max = 65535;
  1460. add = addr_policy_get_canonical_entry(&p);
  1461. if (!*dest)
  1462. *dest = smartlist_new();
  1463. smartlist_add(*dest, add);
  1464. log_debug(LD_CONFIG, "Adding a reject ExitPolicy 'reject %s:*'",
  1465. fmt_addr(addr));
  1466. }
  1467. /* Is addr public for the purposes of rejection? */
  1468. static int
  1469. tor_addr_is_public_for_reject(const tor_addr_t *addr)
  1470. {
  1471. return (!tor_addr_is_null(addr) && !tor_addr_is_internal(addr, 0)
  1472. && !tor_addr_is_multicast(addr));
  1473. }
  1474. /* Add "reject <b>addr</b>:*" to <b>dest</b>, creating the list as needed.
  1475. * Filter the address, only adding an IPv4 reject rule if ipv4_rules
  1476. * is true, and similarly for ipv6_rules. Check each address returns true for
  1477. * tor_addr_is_public_for_reject before adding it.
  1478. */
  1479. static void
  1480. addr_policy_append_reject_addr_filter(smartlist_t **dest,
  1481. const tor_addr_t *addr,
  1482. int ipv4_rules,
  1483. int ipv6_rules)
  1484. {
  1485. tor_assert(dest);
  1486. tor_assert(addr);
  1487. /* Only reject IP addresses which are public */
  1488. if (tor_addr_is_public_for_reject(addr)) {
  1489. /* Reject IPv4 addresses and IPv6 addresses based on the filters */
  1490. int is_ipv4 = tor_addr_is_v4(addr);
  1491. if ((is_ipv4 && ipv4_rules) || (!is_ipv4 && ipv6_rules)) {
  1492. addr_policy_append_reject_addr(dest, addr);
  1493. }
  1494. }
  1495. }
  1496. /** Add "reject addr:*" to <b>dest</b>, for each addr in addrs, creating the
  1497. * list as needed. */
  1498. void
  1499. addr_policy_append_reject_addr_list(smartlist_t **dest,
  1500. const smartlist_t *addrs)
  1501. {
  1502. tor_assert(dest);
  1503. tor_assert(addrs);
  1504. SMARTLIST_FOREACH_BEGIN(addrs, tor_addr_t *, addr) {
  1505. addr_policy_append_reject_addr(dest, addr);
  1506. } SMARTLIST_FOREACH_END(addr);
  1507. }
  1508. /** Add "reject addr:*" to <b>dest</b>, for each addr in addrs, creating the
  1509. * list as needed. Filter using */
  1510. static void
  1511. addr_policy_append_reject_addr_list_filter(smartlist_t **dest,
  1512. const smartlist_t *addrs,
  1513. int ipv4_rules,
  1514. int ipv6_rules)
  1515. {
  1516. tor_assert(dest);
  1517. tor_assert(addrs);
  1518. SMARTLIST_FOREACH_BEGIN(addrs, tor_addr_t *, addr) {
  1519. addr_policy_append_reject_addr_filter(dest, addr, ipv4_rules, ipv6_rules);
  1520. } SMARTLIST_FOREACH_END(addr);
  1521. }
  1522. /** Detect and excise "dead code" from the policy *<b>dest</b>. */
  1523. static void
  1524. exit_policy_remove_redundancies(smartlist_t *dest)
  1525. {
  1526. addr_policy_t *ap, *tmp;
  1527. int i, j;
  1528. /* Step one: kill every ipv4 thing after *4:*, every IPv6 thing after *6:*
  1529. */
  1530. {
  1531. int kill_v4=0, kill_v6=0;
  1532. for (i = 0; i < smartlist_len(dest); ++i) {
  1533. sa_family_t family;
  1534. ap = smartlist_get(dest, i);
  1535. family = tor_addr_family(&ap->addr);
  1536. if ((family == AF_INET && kill_v4) ||
  1537. (family == AF_INET6 && kill_v6)) {
  1538. smartlist_del_keeporder(dest, i--);
  1539. addr_policy_free(ap);
  1540. continue;
  1541. }
  1542. if (ap->maskbits == 0 && ap->prt_min <= 1 && ap->prt_max >= 65535) {
  1543. /* This is a catch-all line -- later lines are unreachable. */
  1544. if (family == AF_INET) {
  1545. kill_v4 = 1;
  1546. } else if (family == AF_INET6) {
  1547. kill_v6 = 1;
  1548. }
  1549. }
  1550. }
  1551. }
  1552. /* Step two: for every entry, see if there's a redundant entry
  1553. * later on, and remove it. */
  1554. for (i = 0; i < smartlist_len(dest)-1; ++i) {
  1555. ap = smartlist_get(dest, i);
  1556. for (j = i+1; j < smartlist_len(dest); ++j) {
  1557. tmp = smartlist_get(dest, j);
  1558. tor_assert(j > i);
  1559. if (addr_policy_covers(ap, tmp)) {
  1560. char p1[POLICY_BUF_LEN], p2[POLICY_BUF_LEN];
  1561. policy_write_item(p1, sizeof(p1), tmp, 0);
  1562. policy_write_item(p2, sizeof(p2), ap, 0);
  1563. log_debug(LD_CONFIG, "Removing exit policy %s (%d). It is made "
  1564. "redundant by %s (%d).", p1, j, p2, i);
  1565. smartlist_del_keeporder(dest, j--);
  1566. addr_policy_free(tmp);
  1567. }
  1568. }
  1569. }
  1570. /* Step three: for every entry A, see if there's an entry B making this one
  1571. * redundant later on. This is the case if A and B are of the same type
  1572. * (accept/reject), A is a subset of B, and there is no other entry of
  1573. * different type in between those two that intersects with A.
  1574. *
  1575. * Anybody want to double-check the logic here? XXX
  1576. */
  1577. for (i = 0; i < smartlist_len(dest)-1; ++i) {
  1578. ap = smartlist_get(dest, i);
  1579. for (j = i+1; j < smartlist_len(dest); ++j) {
  1580. // tor_assert(j > i); // j starts out at i+1; j only increases; i only
  1581. // // decreases.
  1582. tmp = smartlist_get(dest, j);
  1583. if (ap->policy_type != tmp->policy_type) {
  1584. if (addr_policy_intersects(ap, tmp))
  1585. break;
  1586. } else { /* policy_types are equal. */
  1587. if (addr_policy_covers(tmp, ap)) {
  1588. char p1[POLICY_BUF_LEN], p2[POLICY_BUF_LEN];
  1589. policy_write_item(p1, sizeof(p1), ap, 0);
  1590. policy_write_item(p2, sizeof(p2), tmp, 0);
  1591. log_debug(LD_CONFIG, "Removing exit policy %s. It is already "
  1592. "covered by %s.", p1, p2);
  1593. smartlist_del_keeporder(dest, i--);
  1594. addr_policy_free(ap);
  1595. break;
  1596. }
  1597. }
  1598. }
  1599. }
  1600. }
  1601. /** Reject private helper for policies_parse_exit_policy_internal: rejects
  1602. * publicly routable addresses on this exit relay.
  1603. *
  1604. * Add reject entries to the linked list *<b>dest</b>:
  1605. * <ul>
  1606. * <li>if configured_addresses is non-NULL, add entries that reject each
  1607. * tor_addr_t in the list as a destination.
  1608. * <li>if reject_interface_addresses is true, add entries that reject each
  1609. * public IPv4 and IPv6 address of each interface on this machine.
  1610. * <li>if reject_configured_port_addresses is true, add entries that reject
  1611. * each IPv4 and IPv6 address configured for a port.
  1612. * </ul>
  1613. *
  1614. * IPv6 entries are only added if ipv6_exit is true. (All IPv6 addresses are
  1615. * already blocked by policies_parse_exit_policy_internal if ipv6_exit is
  1616. * false.)
  1617. *
  1618. * The list in <b>dest</b> is created as needed.
  1619. */
  1620. void
  1621. policies_parse_exit_policy_reject_private(
  1622. smartlist_t **dest,
  1623. int ipv6_exit,
  1624. const smartlist_t *configured_addresses,
  1625. int reject_interface_addresses,
  1626. int reject_configured_port_addresses)
  1627. {
  1628. tor_assert(dest);
  1629. /* Reject configured addresses, if they are from public netblocks. */
  1630. if (configured_addresses) {
  1631. addr_policy_append_reject_addr_list_filter(dest, configured_addresses,
  1632. 1, ipv6_exit);
  1633. }
  1634. /* Reject configured port addresses, if they are from public netblocks. */
  1635. if (reject_configured_port_addresses) {
  1636. const smartlist_t *port_addrs = get_configured_ports();
  1637. SMARTLIST_FOREACH_BEGIN(port_addrs, port_cfg_t *, port) {
  1638. /* Only reject port IP addresses, not port unix sockets */
  1639. if (!port->is_unix_addr) {
  1640. addr_policy_append_reject_addr_filter(dest, &port->addr, 1, ipv6_exit);
  1641. }
  1642. } SMARTLIST_FOREACH_END(port);
  1643. }
  1644. /* Reject local addresses from public netblocks on any interface. */
  1645. if (reject_interface_addresses) {
  1646. smartlist_t *public_addresses = NULL;
  1647. /* Reject public IPv4 addresses on any interface */
  1648. public_addresses = get_interface_address6_list(LOG_INFO, AF_INET, 0);
  1649. addr_policy_append_reject_addr_list_filter(dest, public_addresses, 1, 0);
  1650. interface_address6_list_free(public_addresses);
  1651. /* Don't look for IPv6 addresses if we're configured as IPv4-only */
  1652. if (ipv6_exit) {
  1653. /* Reject public IPv6 addresses on any interface */
  1654. public_addresses = get_interface_address6_list(LOG_INFO, AF_INET6, 0);
  1655. addr_policy_append_reject_addr_list_filter(dest, public_addresses, 0, 1);
  1656. interface_address6_list_free(public_addresses);
  1657. }
  1658. }
  1659. /* If addresses were added multiple times, remove all but one of them. */
  1660. if (*dest) {
  1661. exit_policy_remove_redundancies(*dest);
  1662. }
  1663. }
  1664. /**
  1665. * Iterate through <b>policy</b> looking for redundant entries. Log a
  1666. * warning message with the first redundant entry, if any is found.
  1667. */
  1668. static void
  1669. policies_log_first_redundant_entry(const smartlist_t *policy)
  1670. {
  1671. int found_final_effective_entry = 0;
  1672. int first_redundant_entry = 0;
  1673. tor_assert(policy);
  1674. SMARTLIST_FOREACH_BEGIN(policy, const addr_policy_t *, p) {
  1675. sa_family_t family;
  1676. int found_ipv4_wildcard = 0, found_ipv6_wildcard = 0;
  1677. const int i = p_sl_idx;
  1678. /* Look for accept/reject *[4|6|]:* entires */
  1679. if (p->prt_min <= 1 && p->prt_max == 65535 && p->maskbits == 0) {
  1680. family = tor_addr_family(&p->addr);
  1681. /* accept/reject *:* may have already been expanded into
  1682. * accept/reject *4:*,accept/reject *6:*
  1683. * But handle both forms.
  1684. */
  1685. if (family == AF_INET || family == AF_UNSPEC) {
  1686. found_ipv4_wildcard = 1;
  1687. }
  1688. if (family == AF_INET6 || family == AF_UNSPEC) {
  1689. found_ipv6_wildcard = 1;
  1690. }
  1691. }
  1692. /* We also find accept *4:*,reject *6:* ; and
  1693. * accept *4:*,<other policies>,accept *6:* ; and similar.
  1694. * That's ok, because they make any subsequent entries redundant. */
  1695. if (found_ipv4_wildcard && found_ipv6_wildcard) {
  1696. found_final_effective_entry = 1;
  1697. /* if we're not on the final entry in the list */
  1698. if (i < smartlist_len(policy) - 1) {
  1699. first_redundant_entry = i + 1;
  1700. }
  1701. break;
  1702. }
  1703. } SMARTLIST_FOREACH_END(p);
  1704. /* Work out if there are redundant trailing entries in the policy list */
  1705. if (found_final_effective_entry && first_redundant_entry > 0) {
  1706. const addr_policy_t *p;
  1707. /* Longest possible policy is
  1708. * "accept6 ffff:ffff:..255/128:10000-65535",
  1709. * which contains a max-length IPv6 address, plus 24 characters. */
  1710. char line[TOR_ADDR_BUF_LEN + 32];
  1711. tor_assert(first_redundant_entry < smartlist_len(policy));
  1712. p = smartlist_get(policy, first_redundant_entry);
  1713. /* since we've already parsed the policy into an addr_policy_t struct,
  1714. * we might not log exactly what the user typed in */
  1715. policy_write_item(line, TOR_ADDR_BUF_LEN + 32, p, 0);
  1716. log_warn(LD_DIR, "Exit policy '%s' and all following policies are "
  1717. "redundant, as it follows accept/reject *:* rules for both "
  1718. "IPv4 and IPv6. They will be removed from the exit policy. (Use "
  1719. "accept/reject *:* as the last entry in any exit policy.)",
  1720. line);
  1721. }
  1722. }
  1723. #define DEFAULT_EXIT_POLICY \
  1724. "reject *:25,reject *:119,reject *:135-139,reject *:445," \
  1725. "reject *:563,reject *:1214,reject *:4661-4666," \
  1726. "reject *:6346-6429,reject *:6699,reject *:6881-6999,accept *:*"
  1727. #define REDUCED_EXIT_POLICY \
  1728. "accept *:20-23,accept *:43,accept *:53,accept *:79-81,accept *:88," \
  1729. "accept *:110,accept *:143,accept *:194,accept *:220,accept *:389," \
  1730. "accept *:443,accept *:464,accept *:465,accept *:531,accept *:543-544," \
  1731. "accept *:554,accept *:563,accept *:587,accept *:636,accept *:706," \
  1732. "accept *:749,accept *:873,accept *:902-904,accept *:981,accept *:989-995," \
  1733. "accept *:1194,accept *:1220,accept *:1293,accept *:1500,accept *:1533," \
  1734. "accept *:1677,accept *:1723,accept *:1755,accept *:1863," \
  1735. "accept *:2082-2083,accept *:2086-2087,accept *:2095-2096," \
  1736. "accept *:2102-2104,accept *:3128,accept *:3389,accept *:3690," \
  1737. "accept *:4321,accept *:4643,accept *:5050,accept *:5190," \
  1738. "accept *:5222-5223,accept *:5228,accept *:5900,accept *:6660-6669," \
  1739. "accept *:6679,accept *:6697,accept *:8000,accept *:8008,accept *:8074," \
  1740. "accept *:8080,accept *:8082,accept *:8087-8088,accept *:8232-8233," \
  1741. "accept *:8332-8333,accept *:8443,accept *:8888,accept *:9418," \
  1742. "accept *:9999,accept *:10000,accept *:11371,accept *:19294," \
  1743. "accept *:19638,accept *:50002,accept *:64738,reject *:*"
  1744. /** Parse the exit policy <b>cfg</b> into the linked list *<b>dest</b>.
  1745. *
  1746. * If <b>ipv6_exit</b> is false, prepend "reject *6:*" to the policy.
  1747. *
  1748. * If <b>configured_addresses</b> contains addresses:
  1749. * - prepend entries that reject the addresses in this list. These may be the
  1750. * advertised relay addresses and/or the outbound bind addresses,
  1751. * depending on the ExitPolicyRejectPrivate and
  1752. * ExitPolicyRejectLocalInterfaces settings.
  1753. * If <b>rejectprivate</b> is true:
  1754. * - prepend "reject private:*" to the policy.
  1755. * If <b>reject_interface_addresses</b> is true:
  1756. * - prepend entries that reject publicly routable interface addresses on
  1757. * this exit relay by calling policies_parse_exit_policy_reject_private
  1758. * If <b>reject_configured_port_addresses</b> is true:
  1759. * - prepend entries that reject all configured port addresses
  1760. *
  1761. * If cfg doesn't end in an absolute accept or reject and if
  1762. * <b>add_default_policy</b> is true, add the default exit
  1763. * policy afterwards.
  1764. *
  1765. * Return -1 if we can't parse cfg, else return 0.
  1766. *
  1767. * This function is used to parse the exit policy from our torrc. For
  1768. * the functions used to parse the exit policy from a router descriptor,
  1769. * see router_add_exit_policy.
  1770. */
  1771. static int
  1772. policies_parse_exit_policy_internal(config_line_t *cfg,
  1773. smartlist_t **dest,
  1774. int ipv6_exit,
  1775. int rejectprivate,
  1776. const smartlist_t *configured_addresses,
  1777. int reject_interface_addresses,
  1778. int reject_configured_port_addresses,
  1779. int add_default_policy,
  1780. int add_reduced_policy)
  1781. {
  1782. if (!ipv6_exit) {
  1783. append_exit_policy_string(dest, "reject *6:*");
  1784. }
  1785. if (rejectprivate) {
  1786. /* Reject IPv4 and IPv6 reserved private netblocks */
  1787. append_exit_policy_string(dest, "reject private:*");
  1788. }
  1789. /* Consider rejecting IPv4 and IPv6 advertised relay addresses, outbound bind
  1790. * addresses, publicly routable addresses, and configured port addresses
  1791. * on this exit relay */
  1792. policies_parse_exit_policy_reject_private(dest, ipv6_exit,
  1793. configured_addresses,
  1794. reject_interface_addresses,
  1795. reject_configured_port_addresses);
  1796. if (parse_addr_policy(cfg, dest, -1))
  1797. return -1;
  1798. /* Before we add the default policy and final rejects, check to see if
  1799. * there are any lines after accept *:* or reject *:*. These lines have no
  1800. * effect, and are most likely an error. */
  1801. policies_log_first_redundant_entry(*dest);
  1802. if (add_reduced_policy) {
  1803. append_exit_policy_string(dest, REDUCED_EXIT_POLICY);
  1804. } else if (add_default_policy) {
  1805. append_exit_policy_string(dest, DEFAULT_EXIT_POLICY);
  1806. } else {
  1807. append_exit_policy_string(dest, "reject *4:*");
  1808. append_exit_policy_string(dest, "reject *6:*");
  1809. }
  1810. exit_policy_remove_redundancies(*dest);
  1811. return 0;
  1812. }
  1813. /** Parse exit policy in <b>cfg</b> into <b>dest</b> smartlist.
  1814. *
  1815. * Prepend an entry that rejects all IPv6 destinations unless
  1816. * <b>EXIT_POLICY_IPV6_ENABLED</b> bit is set in <b>options</b> bitmask.
  1817. *
  1818. * If <b>EXIT_POLICY_REJECT_PRIVATE</b> bit is set in <b>options</b>:
  1819. * - prepend an entry that rejects all destinations in all netblocks
  1820. * reserved for private use.
  1821. * - prepend entries that reject the advertised relay addresses in
  1822. * configured_addresses
  1823. * If <b>EXIT_POLICY_REJECT_LOCAL_INTERFACES</b> bit is set in <b>options</b>:
  1824. * - prepend entries that reject publicly routable addresses on this exit
  1825. * relay by calling policies_parse_exit_policy_internal
  1826. * - prepend entries that reject the outbound bind addresses in
  1827. * configured_addresses
  1828. * - prepend entries that reject all configured port addresses
  1829. *
  1830. * If <b>EXIT_POLICY_ADD_DEFAULT</b> bit is set in <b>options</b>, append
  1831. * default exit policy entries to <b>result</b> smartlist.
  1832. */
  1833. int
  1834. policies_parse_exit_policy(config_line_t *cfg, smartlist_t **dest,
  1835. exit_policy_parser_cfg_t options,
  1836. const smartlist_t *configured_addresses)
  1837. {
  1838. int ipv6_enabled = (options & EXIT_POLICY_IPV6_ENABLED) ? 1 : 0;
  1839. int reject_private = (options & EXIT_POLICY_REJECT_PRIVATE) ? 1 : 0;
  1840. int add_default = (options & EXIT_POLICY_ADD_DEFAULT) ? 1 : 0;
  1841. int reject_local_interfaces = (options &
  1842. EXIT_POLICY_REJECT_LOCAL_INTERFACES) ? 1 : 0;
  1843. int add_reduced = (options & EXIT_POLICY_ADD_REDUCED) ? 1 : 0;
  1844. return policies_parse_exit_policy_internal(cfg,dest,ipv6_enabled,
  1845. reject_private,
  1846. configured_addresses,
  1847. reject_local_interfaces,
  1848. reject_local_interfaces,
  1849. add_default,
  1850. add_reduced);
  1851. }
  1852. /** Helper function that adds a copy of addr to a smartlist as long as it is
  1853. * non-NULL and not tor_addr_is_null().
  1854. *
  1855. * The caller is responsible for freeing all the tor_addr_t* in the smartlist.
  1856. */
  1857. static void
  1858. policies_copy_addr_to_smartlist(smartlist_t *addr_list, const tor_addr_t *addr)
  1859. {
  1860. if (addr && !tor_addr_is_null(addr)) {
  1861. tor_addr_t *addr_copy = tor_malloc(sizeof(tor_addr_t));
  1862. tor_addr_copy(addr_copy, addr);
  1863. smartlist_add(addr_list, addr_copy);
  1864. }
  1865. }
  1866. /** Helper function that adds ipv4h_addr to a smartlist as a tor_addr_t *,
  1867. * as long as it is not tor_addr_is_null(), by converting it to a tor_addr_t
  1868. * and passing it to policies_add_addr_to_smartlist.
  1869. *
  1870. * The caller is responsible for freeing all the tor_addr_t* in the smartlist.
  1871. */
  1872. static void
  1873. policies_copy_ipv4h_to_smartlist(smartlist_t *addr_list, uint32_t ipv4h_addr)
  1874. {
  1875. if (ipv4h_addr) {
  1876. tor_addr_t ipv4_tor_addr;
  1877. tor_addr_from_ipv4h(&ipv4_tor_addr, ipv4h_addr);
  1878. policies_copy_addr_to_smartlist(addr_list, &ipv4_tor_addr);
  1879. }
  1880. }
  1881. /** Helper function that adds copies of or_options->OutboundBindAddresses
  1882. * to a smartlist as tor_addr_t *, as long as or_options is non-NULL, and
  1883. * the addresses are not tor_addr_is_null(), by passing them to
  1884. * policies_add_addr_to_smartlist.
  1885. *
  1886. * The caller is responsible for freeing all the tor_addr_t* in the smartlist.
  1887. */
  1888. static void
  1889. policies_copy_outbound_addresses_to_smartlist(smartlist_t *addr_list,
  1890. const or_options_t *or_options)
  1891. {
  1892. if (or_options) {
  1893. for (int i=0;i<OUTBOUND_ADDR_MAX;i++) {
  1894. for (int j=0;j<2;j++) {
  1895. if (!tor_addr_is_null(&or_options->OutboundBindAddresses[i][j])) {
  1896. policies_copy_addr_to_smartlist(addr_list,
  1897. &or_options->OutboundBindAddresses[i][j]);
  1898. }
  1899. }
  1900. }
  1901. }
  1902. }
  1903. /** Parse <b>ExitPolicy</b> member of <b>or_options</b> into <b>result</b>
  1904. * smartlist.
  1905. * If <b>or_options->IPv6Exit</b> is false, prepend an entry that
  1906. * rejects all IPv6 destinations.
  1907. *
  1908. * If <b>or_options->ExitPolicyRejectPrivate</b> is true:
  1909. * - prepend an entry that rejects all destinations in all netblocks reserved
  1910. * for private use.
  1911. * - if local_address is non-zero, treat it as a host-order IPv4 address, and
  1912. * add it to the list of configured addresses.
  1913. * - if ipv6_local_address is non-NULL, and not the null tor_addr_t, add it
  1914. * to the list of configured addresses.
  1915. * If <b>or_options->ExitPolicyRejectLocalInterfaces</b> is true:
  1916. * - if or_options->OutboundBindAddresses[][0] (=IPv4) is not the null
  1917. * tor_addr_t, add it to the list of configured addresses.
  1918. * - if or_options->OutboundBindAddresses[][1] (=IPv6) is not the null
  1919. * tor_addr_t, add it to the list of configured addresses.
  1920. *
  1921. * If <b>or_options->BridgeRelay</b> is false, append entries of default
  1922. * Tor exit policy into <b>result</b> smartlist.
  1923. *
  1924. * If or_options->ExitRelay is false, then make our exit policy into
  1925. * "reject *:*" regardless.
  1926. */
  1927. int
  1928. policies_parse_exit_policy_from_options(const or_options_t *or_options,
  1929. uint32_t local_address,
  1930. const tor_addr_t *ipv6_local_address,
  1931. smartlist_t **result)
  1932. {
  1933. exit_policy_parser_cfg_t parser_cfg = 0;
  1934. smartlist_t *configured_addresses = NULL;
  1935. int rv = 0;
  1936. /* Short-circuit for non-exit relays */
  1937. if (or_options->ExitRelay == 0) {
  1938. append_exit_policy_string(result, "reject *4:*");
  1939. append_exit_policy_string(result, "reject *6:*");
  1940. return 0;
  1941. }
  1942. configured_addresses = smartlist_new();
  1943. /* Configure the parser */
  1944. if (or_options->IPv6Exit) {
  1945. parser_cfg |= EXIT_POLICY_IPV6_ENABLED;
  1946. }
  1947. if (or_options->ExitPolicyRejectPrivate) {
  1948. parser_cfg |= EXIT_POLICY_REJECT_PRIVATE;
  1949. }
  1950. if (!or_options->BridgeRelay) {
  1951. if (or_options->ReducedExitPolicy)
  1952. parser_cfg |= EXIT_POLICY_ADD_REDUCED;
  1953. else
  1954. parser_cfg |= EXIT_POLICY_ADD_DEFAULT;
  1955. }
  1956. if (or_options->ExitPolicyRejectLocalInterfaces) {
  1957. parser_cfg |= EXIT_POLICY_REJECT_LOCAL_INTERFACES;
  1958. }
  1959. /* Copy the configured addresses into the tor_addr_t* list */
  1960. if (or_options->ExitPolicyRejectPrivate) {
  1961. policies_copy_ipv4h_to_smartlist(configured_addresses, local_address);
  1962. policies_copy_addr_to_smartlist(configured_addresses, ipv6_local_address);
  1963. }
  1964. if (or_options->ExitPolicyRejectLocalInterfaces) {
  1965. policies_copy_outbound_addresses_to_smartlist(configured_addresses,
  1966. or_options);
  1967. }
  1968. rv = policies_parse_exit_policy(or_options->ExitPolicy, result, parser_cfg,
  1969. configured_addresses);
  1970. SMARTLIST_FOREACH(configured_addresses, tor_addr_t *, a, tor_free(a));
  1971. smartlist_free(configured_addresses);
  1972. return rv;
  1973. }
  1974. /** Add "reject *:*" to the end of the policy in *<b>dest</b>, allocating
  1975. * *<b>dest</b> as needed. */
  1976. void
  1977. policies_exit_policy_append_reject_star(smartlist_t **dest)
  1978. {
  1979. append_exit_policy_string(dest, "reject *4:*");
  1980. append_exit_policy_string(dest, "reject *6:*");
  1981. }
  1982. /** Replace the exit policy of <b>node</b> with reject *:* */
  1983. void
  1984. policies_set_node_exitpolicy_to_reject_all(node_t *node)
  1985. {
  1986. node->rejects_all = 1;
  1987. }
  1988. /** Return 1 if there is at least one /8 subnet in <b>policy</b> that
  1989. * allows exiting to <b>port</b>. Otherwise, return 0. */
  1990. static int
  1991. exit_policy_is_general_exit_helper(smartlist_t *policy, int port)
  1992. {
  1993. uint32_t mask, ip, i;
  1994. /* Is this /8 rejected (1), or undecided (0)? */
  1995. char subnet_status[256];
  1996. memset(subnet_status, 0, sizeof(subnet_status));
  1997. SMARTLIST_FOREACH_BEGIN(policy, addr_policy_t *, p) {
  1998. if (tor_addr_family(&p->addr) != AF_INET)
  1999. continue; /* IPv4 only for now */
  2000. if (p->prt_min > port || p->prt_max < port)
  2001. continue; /* Doesn't cover our port. */
  2002. mask = 0;
  2003. tor_assert(p->maskbits <= 32);
  2004. if (p->maskbits)
  2005. mask = UINT32_MAX<<(32-p->maskbits);
  2006. ip = tor_addr_to_ipv4h(&p->addr);
  2007. /* Calculate the first and last subnet that this exit policy touches
  2008. * and set it as loop boundaries. */
  2009. for (i = ((mask & ip)>>24); i <= (~((mask & ip) ^ mask)>>24); ++i) {
  2010. tor_addr_t addr;
  2011. if (subnet_status[i] != 0)
  2012. continue; /* We already reject some part of this /8 */
  2013. tor_addr_from_ipv4h(&addr, i<<24);
  2014. if (tor_addr_is_internal(&addr, 0) &&
  2015. !get_options()->DirAllowPrivateAddresses) {
  2016. continue; /* Local or non-routable addresses */
  2017. }
  2018. if (p->policy_type == ADDR_POLICY_ACCEPT) {
  2019. if (p->maskbits > 8)
  2020. continue; /* Narrower than a /8. */
  2021. /* We found an allowed subnet of at least size /8. Done
  2022. * for this port! */
  2023. return 1;
  2024. } else if (p->policy_type == ADDR_POLICY_REJECT) {
  2025. subnet_status[i] = 1;
  2026. }
  2027. }
  2028. } SMARTLIST_FOREACH_END(p);
  2029. return 0;
  2030. }
  2031. /** Return true iff <b>ri</b> is "useful as an exit node", meaning
  2032. * it allows exit to at least one /8 address space for each of ports 80
  2033. * and 443. */
  2034. int
  2035. exit_policy_is_general_exit(smartlist_t *policy)
  2036. {
  2037. if (!policy) /*XXXX disallow NULL policies? */
  2038. return 0;
  2039. return (exit_policy_is_general_exit_helper(policy, 80) &&
  2040. exit_policy_is_general_exit_helper(policy, 443));
  2041. }
  2042. /** Return false if <b>policy</b> might permit access to some addr:port;
  2043. * otherwise if we are certain it rejects everything, return true. If no
  2044. * part of <b>policy</b> matches, return <b>default_reject</b>.
  2045. * NULL policies are allowed, and treated as empty. */
  2046. int
  2047. policy_is_reject_star(const smartlist_t *policy, sa_family_t family,
  2048. int default_reject)
  2049. {
  2050. if (!policy)
  2051. return default_reject;
  2052. SMARTLIST_FOREACH_BEGIN(policy, const addr_policy_t *, p) {
  2053. if (p->policy_type == ADDR_POLICY_ACCEPT &&
  2054. (tor_addr_family(&p->addr) == family ||
  2055. tor_addr_family(&p->addr) == AF_UNSPEC)) {
  2056. return 0;
  2057. } else if (p->policy_type == ADDR_POLICY_REJECT &&
  2058. p->prt_min <= 1 && p->prt_max == 65535 &&
  2059. p->maskbits == 0 &&
  2060. (tor_addr_family(&p->addr) == family ||
  2061. tor_addr_family(&p->addr) == AF_UNSPEC)) {
  2062. return 1;
  2063. }
  2064. } SMARTLIST_FOREACH_END(p);
  2065. return default_reject;
  2066. }
  2067. /** Write a single address policy to the buf_len byte buffer at buf. Return
  2068. * the number of characters written, or -1 on failure. */
  2069. int
  2070. policy_write_item(char *buf, size_t buflen, const addr_policy_t *policy,
  2071. int format_for_desc)
  2072. {
  2073. size_t written = 0;
  2074. char addrbuf[TOR_ADDR_BUF_LEN];
  2075. const char *addrpart;
  2076. int result;
  2077. const int is_accept = policy->policy_type == ADDR_POLICY_ACCEPT;
  2078. const sa_family_t family = tor_addr_family(&policy->addr);
  2079. const int is_ip6 = (family == AF_INET6);
  2080. tor_addr_to_str(addrbuf, &policy->addr, sizeof(addrbuf), 1);
  2081. /* write accept/reject 1.2.3.4 */
  2082. if (policy->is_private) {
  2083. addrpart = "private";
  2084. } else if (policy->maskbits == 0) {
  2085. if (format_for_desc)
  2086. addrpart = "*";
  2087. else if (family == AF_INET6)
  2088. addrpart = "*6";
  2089. else if (family == AF_INET)
  2090. addrpart = "*4";
  2091. else
  2092. addrpart = "*";
  2093. } else {
  2094. addrpart = addrbuf;
  2095. }
  2096. result = tor_snprintf(buf, buflen, "%s%s %s",
  2097. is_accept ? "accept" : "reject",
  2098. (is_ip6&&format_for_desc)?"6":"",
  2099. addrpart);
  2100. if (result < 0)
  2101. return -1;
  2102. written += strlen(buf);
  2103. /* If the maskbits is 32 (IPv4) or 128 (IPv6) we don't need to give it. If
  2104. the mask is 0, we already wrote "*". */
  2105. if (policy->maskbits < (is_ip6?128:32) && policy->maskbits > 0) {
  2106. if (tor_snprintf(buf+written, buflen-written, "/%d", policy->maskbits)<0)
  2107. return -1;
  2108. written += strlen(buf+written);
  2109. }
  2110. if (policy->prt_min <= 1 && policy->prt_max == 65535) {
  2111. /* There is no port set; write ":*" */
  2112. if (written+4 > buflen)
  2113. return -1;
  2114. strlcat(buf+written, ":*", buflen-written);
  2115. written += 2;
  2116. } else if (policy->prt_min == policy->prt_max) {
  2117. /* There is only one port; write ":80". */
  2118. result = tor_snprintf(buf+written, buflen-written, ":%d", policy->prt_min);
  2119. if (result<0)
  2120. return -1;
  2121. written += result;
  2122. } else {
  2123. /* There is a range of ports; write ":79-80". */
  2124. result = tor_snprintf(buf+written, buflen-written, ":%d-%d",
  2125. policy->prt_min, policy->prt_max);
  2126. if (result<0)
  2127. return -1;
  2128. written += result;
  2129. }
  2130. if (written < buflen)
  2131. buf[written] = '\0';
  2132. else
  2133. return -1;
  2134. return (int)written;
  2135. }
  2136. /** Create a new exit policy summary, initially only with a single
  2137. * port 1-64k item */
  2138. /* XXXX This entire thing will do most stuff in O(N^2), or worse. Use an
  2139. * RB-tree if that turns out to matter. */
  2140. static smartlist_t *
  2141. policy_summary_create(void)
  2142. {
  2143. smartlist_t *summary;
  2144. policy_summary_item_t* item;
  2145. item = tor_malloc_zero(sizeof(policy_summary_item_t));
  2146. item->prt_min = 1;
  2147. item->prt_max = 65535;
  2148. item->reject_count = 0;
  2149. item->accepted = 0;
  2150. summary = smartlist_new();
  2151. smartlist_add(summary, item);
  2152. return summary;
  2153. }
  2154. /** Split the summary item in <b>item</b> at the port <b>new_starts</b>.
  2155. * The current item is changed to end at new-starts - 1, the new item
  2156. * copies reject_count and accepted from the old item,
  2157. * starts at new_starts and ends at the port where the original item
  2158. * previously ended.
  2159. */
  2160. static policy_summary_item_t*
  2161. policy_summary_item_split(policy_summary_item_t* old, uint16_t new_starts)
  2162. {
  2163. policy_summary_item_t* new;
  2164. new = tor_malloc_zero(sizeof(policy_summary_item_t));
  2165. new->prt_min = new_starts;
  2166. new->prt_max = old->prt_max;
  2167. new->reject_count = old->reject_count;
  2168. new->accepted = old->accepted;
  2169. old->prt_max = new_starts-1;
  2170. tor_assert(old->prt_min <= old->prt_max);
  2171. tor_assert(new->prt_min <= new->prt_max);
  2172. return new;
  2173. }
  2174. /* XXXX Nick says I'm going to hell for this. If he feels charitably towards
  2175. * my immortal soul, he can clean it up himself. */
  2176. #define AT(x) ((policy_summary_item_t*)smartlist_get(summary, x))
  2177. #define IPV4_BITS (32)
  2178. /* Every IPv4 address is counted as one rejection */
  2179. #define REJECT_CUTOFF_SCALE_IPV4 (0)
  2180. /* Ports are rejected in an IPv4 summary if they are rejected in more than two
  2181. * IPv4 /8 address blocks */
  2182. #define REJECT_CUTOFF_COUNT_IPV4 (U64_LITERAL(1) << \
  2183. (IPV4_BITS - REJECT_CUTOFF_SCALE_IPV4 - 7))
  2184. #define IPV6_BITS (128)
  2185. /* IPv6 /64s are counted as one rejection, anything smaller is ignored */
  2186. #define REJECT_CUTOFF_SCALE_IPV6 (64)
  2187. /* Ports are rejected in an IPv6 summary if they are rejected in more than one
  2188. * IPv6 /16 address block.
  2189. * This is roughly equivalent to the IPv4 cutoff, as only five IPv6 /12s (and
  2190. * some scattered smaller blocks) have been allocated to the RIRs.
  2191. * Network providers are typically allocated one or more IPv6 /32s.
  2192. */
  2193. #define REJECT_CUTOFF_COUNT_IPV6 (U64_LITERAL(1) << \
  2194. (IPV6_BITS - REJECT_CUTOFF_SCALE_IPV6 - 16))
  2195. /** Split an exit policy summary so that prt_min and prt_max
  2196. * fall at exactly the start and end of an item respectively.
  2197. */
  2198. static int
  2199. policy_summary_split(smartlist_t *summary,
  2200. uint16_t prt_min, uint16_t prt_max)
  2201. {
  2202. int start_at_index;
  2203. int i = 0;
  2204. while (AT(i)->prt_max < prt_min)
  2205. i++;
  2206. if (AT(i)->prt_min != prt_min) {
  2207. policy_summary_item_t* new_item;
  2208. new_item = policy_summary_item_split(AT(i), prt_min);
  2209. smartlist_insert(summary, i+1, new_item);
  2210. i++;
  2211. }
  2212. start_at_index = i;
  2213. while (AT(i)->prt_max < prt_max)
  2214. i++;
  2215. if (AT(i)->prt_max != prt_max) {
  2216. policy_summary_item_t* new_item;
  2217. new_item = policy_summary_item_split(AT(i), prt_max+1);
  2218. smartlist_insert(summary, i+1, new_item);
  2219. }
  2220. return start_at_index;
  2221. }
  2222. /** Mark port ranges as accepted if they are below the reject_count for family
  2223. */
  2224. static void
  2225. policy_summary_accept(smartlist_t *summary,
  2226. uint16_t prt_min, uint16_t prt_max,
  2227. sa_family_t family)
  2228. {
  2229. tor_assert_nonfatal_once(family == AF_INET || family == AF_INET6);
  2230. uint64_t family_reject_count = ((family == AF_INET) ?
  2231. REJECT_CUTOFF_COUNT_IPV4 :
  2232. REJECT_CUTOFF_COUNT_IPV6);
  2233. int i = policy_summary_split(summary, prt_min, prt_max);
  2234. while (i < smartlist_len(summary) &&
  2235. AT(i)->prt_max <= prt_max) {
  2236. if (!AT(i)->accepted &&
  2237. AT(i)->reject_count <= family_reject_count)
  2238. AT(i)->accepted = 1;
  2239. i++;
  2240. }
  2241. tor_assert(i < smartlist_len(summary) || prt_max==65535);
  2242. }
  2243. /** Count the number of addresses in a network in family with prefixlen
  2244. * maskbits against the given portrange. */
  2245. static void
  2246. policy_summary_reject(smartlist_t *summary,
  2247. maskbits_t maskbits,
  2248. uint16_t prt_min, uint16_t prt_max,
  2249. sa_family_t family)
  2250. {
  2251. tor_assert_nonfatal_once(family == AF_INET || family == AF_INET6);
  2252. int i = policy_summary_split(summary, prt_min, prt_max);
  2253. /* The length of a single address mask */
  2254. int addrbits = (family == AF_INET) ? IPV4_BITS : IPV6_BITS;
  2255. tor_assert_nonfatal_once(addrbits >= maskbits);
  2256. /* We divide IPv6 address counts by (1 << scale) to keep them in a uint64_t
  2257. */
  2258. int scale = ((family == AF_INET) ?
  2259. REJECT_CUTOFF_SCALE_IPV4 :
  2260. REJECT_CUTOFF_SCALE_IPV6);
  2261. tor_assert_nonfatal_once(addrbits >= scale);
  2262. if (maskbits > (addrbits - scale)) {
  2263. tor_assert_nonfatal_once(family == AF_INET6);
  2264. /* The address range is so small, we'd need billions of them to reach the
  2265. * rejection limit. So we ignore this range in the reject count. */
  2266. return;
  2267. }
  2268. uint64_t count = 0;
  2269. if (addrbits - scale - maskbits >= 64) {
  2270. tor_assert_nonfatal_once(family == AF_INET6);
  2271. /* The address range is so large, it's an automatic rejection for all ports
  2272. * in the range. */
  2273. count = UINT64_MAX;
  2274. } else {
  2275. count = (U64_LITERAL(1) << (addrbits - scale - maskbits));
  2276. }
  2277. tor_assert_nonfatal_once(count > 0);
  2278. while (i < smartlist_len(summary) &&
  2279. AT(i)->prt_max <= prt_max) {
  2280. if (AT(i)->reject_count <= UINT64_MAX - count) {
  2281. AT(i)->reject_count += count;
  2282. } else {
  2283. /* IPv4 would require a 4-billion address redundant policy to get here,
  2284. * but IPv6 just needs to have ::/0 */
  2285. if (family == AF_INET) {
  2286. tor_assert_nonfatal_unreached_once();
  2287. }
  2288. /* If we do get here, use saturating arithmetic */
  2289. AT(i)->reject_count = UINT64_MAX;
  2290. }
  2291. i++;
  2292. }
  2293. tor_assert(i < smartlist_len(summary) || prt_max==65535);
  2294. }
  2295. /** Add a single exit policy item to our summary:
  2296. *
  2297. * If it is an accept, ignore it unless it is for all IP addresses
  2298. * ("*", i.e. its prefixlen/maskbits is 0). Otherwise call
  2299. * policy_summary_accept().
  2300. *
  2301. * If it is a reject, ignore it if it is about one of the private
  2302. * networks. Otherwise call policy_summary_reject().
  2303. */
  2304. static void
  2305. policy_summary_add_item(smartlist_t *summary, addr_policy_t *p)
  2306. {
  2307. if (p->policy_type == ADDR_POLICY_ACCEPT) {
  2308. if (p->maskbits == 0) {
  2309. policy_summary_accept(summary, p->prt_min, p->prt_max, p->addr.family);
  2310. }
  2311. } else if (p->policy_type == ADDR_POLICY_REJECT) {
  2312. int is_private = 0;
  2313. int i;
  2314. for (i = 0; private_nets[i]; ++i) {
  2315. tor_addr_t addr;
  2316. maskbits_t maskbits;
  2317. if (tor_addr_parse_mask_ports(private_nets[i], 0, &addr,
  2318. &maskbits, NULL, NULL)<0) {
  2319. tor_assert(0);
  2320. }
  2321. if (tor_addr_compare(&p->addr, &addr, CMP_EXACT) == 0 &&
  2322. p->maskbits == maskbits) {
  2323. is_private = 1;
  2324. break;
  2325. }
  2326. }
  2327. if (!is_private) {
  2328. policy_summary_reject(summary, p->maskbits, p->prt_min, p->prt_max,
  2329. p->addr.family);
  2330. }
  2331. } else
  2332. tor_assert(0);
  2333. }
  2334. /** Create a string representing a summary for an exit policy.
  2335. * The summary will either be an "accept" plus a comma-separated list of port
  2336. * ranges or a "reject" plus port-ranges, depending on which is shorter.
  2337. *
  2338. * If no exits are allowed at all then "reject 1-65535" is returned. If no
  2339. * ports are blocked instead of "reject " we return "accept 1-65535". (These
  2340. * are an exception to the shorter-representation-wins rule).
  2341. */
  2342. char *
  2343. policy_summarize(smartlist_t *policy, sa_family_t family)
  2344. {
  2345. smartlist_t *summary = policy_summary_create();
  2346. smartlist_t *accepts, *rejects;
  2347. int i, last, start_prt;
  2348. size_t accepts_len, rejects_len;
  2349. char *accepts_str = NULL, *rejects_str = NULL, *shorter_str, *result;
  2350. const char *prefix;
  2351. tor_assert(policy);
  2352. /* Create the summary list */
  2353. SMARTLIST_FOREACH_BEGIN(policy, addr_policy_t *, p) {
  2354. sa_family_t f = tor_addr_family(&p->addr);
  2355. if (f != AF_INET && f != AF_INET6) {
  2356. log_warn(LD_BUG, "Weird family when summarizing address policy");
  2357. }
  2358. if (f != family)
  2359. continue;
  2360. policy_summary_add_item(summary, p);
  2361. } SMARTLIST_FOREACH_END(p);
  2362. /* Now create two lists of strings, one for accepted and one
  2363. * for rejected ports. We take care to merge ranges so that
  2364. * we avoid getting stuff like "1-4,5-9,10", instead we want
  2365. * "1-10"
  2366. */
  2367. i = 0;
  2368. start_prt = 1;
  2369. accepts = smartlist_new();
  2370. rejects = smartlist_new();
  2371. while (1) {
  2372. last = i == smartlist_len(summary)-1;
  2373. if (last ||
  2374. AT(i)->accepted != AT(i+1)->accepted) {
  2375. char buf[POLICY_BUF_LEN];
  2376. if (start_prt == AT(i)->prt_max)
  2377. tor_snprintf(buf, sizeof(buf), "%d", start_prt);
  2378. else
  2379. tor_snprintf(buf, sizeof(buf), "%d-%d", start_prt, AT(i)->prt_max);
  2380. if (AT(i)->accepted)
  2381. smartlist_add_strdup(accepts, buf);
  2382. else
  2383. smartlist_add_strdup(rejects, buf);
  2384. if (last)
  2385. break;
  2386. start_prt = AT(i+1)->prt_min;
  2387. };
  2388. i++;
  2389. };
  2390. /* Figure out which of the two stringlists will be shorter and use
  2391. * that to build the result
  2392. */
  2393. if (smartlist_len(accepts) == 0) { /* no exits at all */
  2394. result = tor_strdup("reject 1-65535");
  2395. goto cleanup;
  2396. }
  2397. if (smartlist_len(rejects) == 0) { /* no rejects at all */
  2398. result = tor_strdup("accept 1-65535");
  2399. goto cleanup;
  2400. }
  2401. accepts_str = smartlist_join_strings(accepts, ",", 0, &accepts_len);
  2402. rejects_str = smartlist_join_strings(rejects, ",", 0, &rejects_len);
  2403. if (rejects_len > MAX_EXITPOLICY_SUMMARY_LEN-strlen("reject")-1 &&
  2404. accepts_len > MAX_EXITPOLICY_SUMMARY_LEN-strlen("accept")-1) {
  2405. char *c;
  2406. shorter_str = accepts_str;
  2407. prefix = "accept";
  2408. c = shorter_str + (MAX_EXITPOLICY_SUMMARY_LEN-strlen(prefix)-1);
  2409. while (*c != ',' && c >= shorter_str)
  2410. c--;
  2411. tor_assert(c >= shorter_str);
  2412. tor_assert(*c == ',');
  2413. *c = '\0';
  2414. } else if (rejects_len < accepts_len) {
  2415. shorter_str = rejects_str;
  2416. prefix = "reject";
  2417. } else {
  2418. shorter_str = accepts_str;
  2419. prefix = "accept";
  2420. }
  2421. tor_asprintf(&result, "%s %s", prefix, shorter_str);
  2422. cleanup:
  2423. /* cleanup */
  2424. SMARTLIST_FOREACH(summary, policy_summary_item_t *, s, tor_free(s));
  2425. smartlist_free(summary);
  2426. tor_free(accepts_str);
  2427. SMARTLIST_FOREACH(accepts, char *, s, tor_free(s));
  2428. smartlist_free(accepts);
  2429. tor_free(rejects_str);
  2430. SMARTLIST_FOREACH(rejects, char *, s, tor_free(s));
  2431. smartlist_free(rejects);
  2432. return result;
  2433. }
  2434. /** Convert a summarized policy string into a short_policy_t. Return NULL
  2435. * if the string is not well-formed. */
  2436. short_policy_t *
  2437. parse_short_policy(const char *summary)
  2438. {
  2439. const char *orig_summary = summary;
  2440. short_policy_t *result;
  2441. int is_accept;
  2442. int n_entries;
  2443. short_policy_entry_t entries[MAX_EXITPOLICY_SUMMARY_LEN]; /* overkill */
  2444. const char *next;
  2445. if (!strcmpstart(summary, "accept ")) {
  2446. is_accept = 1;
  2447. summary += strlen("accept ");
  2448. } else if (!strcmpstart(summary, "reject ")) {
  2449. is_accept = 0;
  2450. summary += strlen("reject ");
  2451. } else {
  2452. log_fn(LOG_PROTOCOL_WARN, LD_DIR, "Unrecognized policy summary keyword");
  2453. return NULL;
  2454. }
  2455. n_entries = 0;
  2456. for ( ; *summary; summary = next) {
  2457. const char *comma = strchr(summary, ',');
  2458. unsigned low, high;
  2459. char dummy;
  2460. char ent_buf[32];
  2461. size_t len;
  2462. next = comma ? comma+1 : strchr(summary, '\0');
  2463. len = comma ? (size_t)(comma - summary) : strlen(summary);
  2464. if (n_entries == MAX_EXITPOLICY_SUMMARY_LEN) {
  2465. log_fn(LOG_PROTOCOL_WARN, LD_DIR, "Impossibly long policy summary %s",
  2466. escaped(orig_summary));
  2467. return NULL;
  2468. }
  2469. if (! TOR_ISDIGIT(*summary) || len > (sizeof(ent_buf)-1)) {
  2470. /* unrecognized entry format. skip it. */
  2471. continue;
  2472. }
  2473. if (len < 1) {
  2474. /* empty; skip it. */
  2475. /* XXX This happens to be unreachable, since if len==0, then *summary is
  2476. * ',' or '\0', and the TOR_ISDIGIT test above would have failed. */
  2477. continue;
  2478. }
  2479. memcpy(ent_buf, summary, len);
  2480. ent_buf[len] = '\0';
  2481. if (tor_sscanf(ent_buf, "%u-%u%c", &low, &high, &dummy) == 2) {
  2482. if (low<1 || low>65535 || high<1 || high>65535 || low>high) {
  2483. log_fn(LOG_PROTOCOL_WARN, LD_DIR,
  2484. "Found bad entry in policy summary %s", escaped(orig_summary));
  2485. return NULL;
  2486. }
  2487. } else if (tor_sscanf(ent_buf, "%u%c", &low, &dummy) == 1) {
  2488. if (low<1 || low>65535) {
  2489. log_fn(LOG_PROTOCOL_WARN, LD_DIR,
  2490. "Found bad entry in policy summary %s", escaped(orig_summary));
  2491. return NULL;
  2492. }
  2493. high = low;
  2494. } else {
  2495. log_fn(LOG_PROTOCOL_WARN, LD_DIR,"Found bad entry in policy summary %s",
  2496. escaped(orig_summary));
  2497. return NULL;
  2498. }
  2499. entries[n_entries].min_port = low;
  2500. entries[n_entries].max_port = high;
  2501. n_entries++;
  2502. }
  2503. if (n_entries == 0) {
  2504. log_fn(LOG_PROTOCOL_WARN, LD_DIR,
  2505. "Found no port-range entries in summary %s", escaped(orig_summary));
  2506. return NULL;
  2507. }
  2508. {
  2509. size_t size = offsetof(short_policy_t, entries) +
  2510. sizeof(short_policy_entry_t)*(n_entries);
  2511. result = tor_malloc_zero(size);
  2512. tor_assert( (char*)&result->entries[n_entries-1] < ((char*)result)+size);
  2513. }
  2514. result->is_accept = is_accept;
  2515. result->n_entries = n_entries;
  2516. memcpy(result->entries, entries, sizeof(short_policy_entry_t)*n_entries);
  2517. return result;
  2518. }
  2519. /** Write <b>policy</b> back out into a string. */
  2520. char *
  2521. write_short_policy(const short_policy_t *policy)
  2522. {
  2523. int i;
  2524. char *answer;
  2525. smartlist_t *sl = smartlist_new();
  2526. smartlist_add_asprintf(sl, "%s", policy->is_accept ? "accept " : "reject ");
  2527. for (i=0; i < policy->n_entries; i++) {
  2528. const short_policy_entry_t *e = &policy->entries[i];
  2529. if (e->min_port == e->max_port) {
  2530. smartlist_add_asprintf(sl, "%d", e->min_port);
  2531. } else {
  2532. smartlist_add_asprintf(sl, "%d-%d", e->min_port, e->max_port);
  2533. }
  2534. if (i < policy->n_entries-1)
  2535. smartlist_add_strdup(sl, ",");
  2536. }
  2537. answer = smartlist_join_strings(sl, "", 0, NULL);
  2538. SMARTLIST_FOREACH(sl, char *, a, tor_free(a));
  2539. smartlist_free(sl);
  2540. return answer;
  2541. }
  2542. /** Release all storage held in <b>policy</b>. */
  2543. void
  2544. short_policy_free_(short_policy_t *policy)
  2545. {
  2546. tor_free(policy);
  2547. }
  2548. /** See whether the <b>addr</b>:<b>port</b> address is likely to be accepted
  2549. * or rejected by the summarized policy <b>policy</b>. Return values are as
  2550. * for compare_tor_addr_to_addr_policy. Unlike the regular addr_policy
  2551. * functions, requires the <b>port</b> be specified. */
  2552. addr_policy_result_t
  2553. compare_tor_addr_to_short_policy(const tor_addr_t *addr, uint16_t port,
  2554. const short_policy_t *policy)
  2555. {
  2556. int i;
  2557. int found_match = 0;
  2558. int accept_;
  2559. tor_assert(port != 0);
  2560. if (addr && tor_addr_is_null(addr))
  2561. addr = NULL; /* Unspec means 'no address at all,' in this context. */
  2562. if (addr && get_options()->ClientRejectInternalAddresses &&
  2563. (tor_addr_is_internal(addr, 0) || tor_addr_is_loopback(addr)))
  2564. return ADDR_POLICY_REJECTED;
  2565. for (i=0; i < policy->n_entries; ++i) {
  2566. const short_policy_entry_t *e = &policy->entries[i];
  2567. if (e->min_port <= port && port <= e->max_port) {
  2568. found_match = 1;
  2569. break;
  2570. }
  2571. }
  2572. if (found_match)
  2573. accept_ = policy->is_accept;
  2574. else
  2575. accept_ = ! policy->is_accept;
  2576. /* ???? are these right? -NM */
  2577. /* We should be sure not to return ADDR_POLICY_ACCEPTED in the accept
  2578. * case here, because it would cause clients to believe that the node
  2579. * allows exit enclaving. Trying it anyway would open up a cool attack
  2580. * where the node refuses due to exitpolicy, the client reacts in
  2581. * surprise by rewriting the node's exitpolicy to reject *:*, and then
  2582. * an adversary targets users by causing them to attempt such connections
  2583. * to 98% of the exits.
  2584. *
  2585. * Once microdescriptors can handle addresses in special cases (e.g. if
  2586. * we ever solve ticket 1774), we can provide certainty here. -RD */
  2587. if (accept_)
  2588. return ADDR_POLICY_PROBABLY_ACCEPTED;
  2589. else
  2590. return ADDR_POLICY_REJECTED;
  2591. }
  2592. /** Return true iff <b>policy</b> seems reject all ports */
  2593. int
  2594. short_policy_is_reject_star(const short_policy_t *policy)
  2595. {
  2596. /* This doesn't need to be as much on the lookout as policy_is_reject_star,
  2597. * since policy summaries are from the consensus or from consensus
  2598. * microdescs.
  2599. */
  2600. tor_assert(policy);
  2601. /* Check for an exact match of "reject 1-65535". */
  2602. return (policy->is_accept == 0 && policy->n_entries == 1 &&
  2603. policy->entries[0].min_port == 1 &&
  2604. policy->entries[0].max_port == 65535);
  2605. }
  2606. /** Decide whether addr:port is probably or definitely accepted or rejected by
  2607. * <b>node</b>. See compare_tor_addr_to_addr_policy for details on addr/port
  2608. * interpretation. */
  2609. addr_policy_result_t
  2610. compare_tor_addr_to_node_policy(const tor_addr_t *addr, uint16_t port,
  2611. const node_t *node)
  2612. {
  2613. if (node->rejects_all)
  2614. return ADDR_POLICY_REJECTED;
  2615. if (addr && tor_addr_family(addr) == AF_INET6) {
  2616. const short_policy_t *p = NULL;
  2617. if (node->ri)
  2618. p = node->ri->ipv6_exit_policy;
  2619. else if (node->md)
  2620. p = node->md->ipv6_exit_policy;
  2621. if (p)
  2622. return compare_tor_addr_to_short_policy(addr, port, p);
  2623. else
  2624. return ADDR_POLICY_REJECTED;
  2625. }
  2626. if (node->ri) {
  2627. return compare_tor_addr_to_addr_policy(addr, port, node->ri->exit_policy);
  2628. } else if (node->md) {
  2629. if (node->md->exit_policy == NULL)
  2630. return ADDR_POLICY_REJECTED;
  2631. else
  2632. return compare_tor_addr_to_short_policy(addr, port,
  2633. node->md->exit_policy);
  2634. } else {
  2635. return ADDR_POLICY_PROBABLY_REJECTED;
  2636. }
  2637. }
  2638. /**
  2639. * Given <b>policy_list</b>, a list of addr_policy_t, produce a string
  2640. * representation of the list.
  2641. * If <b>include_ipv4</b> is true, include IPv4 entries.
  2642. * If <b>include_ipv6</b> is true, include IPv6 entries.
  2643. */
  2644. char *
  2645. policy_dump_to_string(const smartlist_t *policy_list,
  2646. int include_ipv4,
  2647. int include_ipv6)
  2648. {
  2649. smartlist_t *policy_string_list;
  2650. char *policy_string = NULL;
  2651. policy_string_list = smartlist_new();
  2652. SMARTLIST_FOREACH_BEGIN(policy_list, addr_policy_t *, tmpe) {
  2653. char *pbuf;
  2654. int bytes_written_to_pbuf;
  2655. if ((tor_addr_family(&tmpe->addr) == AF_INET6) && (!include_ipv6)) {
  2656. continue; /* Don't include IPv6 parts of address policy */
  2657. }
  2658. if ((tor_addr_family(&tmpe->addr) == AF_INET) && (!include_ipv4)) {
  2659. continue; /* Don't include IPv4 parts of address policy */
  2660. }
  2661. pbuf = tor_malloc(POLICY_BUF_LEN);
  2662. bytes_written_to_pbuf = policy_write_item(pbuf,POLICY_BUF_LEN, tmpe, 1);
  2663. if (bytes_written_to_pbuf < 0) {
  2664. log_warn(LD_BUG, "policy_dump_to_string ran out of room!");
  2665. tor_free(pbuf);
  2666. goto done;
  2667. }
  2668. smartlist_add(policy_string_list,pbuf);
  2669. } SMARTLIST_FOREACH_END(tmpe);
  2670. policy_string = smartlist_join_strings(policy_string_list, "\n", 0, NULL);
  2671. done:
  2672. SMARTLIST_FOREACH(policy_string_list, char *, str, tor_free(str));
  2673. smartlist_free(policy_string_list);
  2674. return policy_string;
  2675. }
  2676. /** Implementation for GETINFO control command: knows the answer for questions
  2677. * about "exit-policy/..." */
  2678. int
  2679. getinfo_helper_policies(control_connection_t *conn,
  2680. const char *question, char **answer,
  2681. const char **errmsg)
  2682. {
  2683. (void) conn;
  2684. (void) errmsg;
  2685. if (!strcmp(question, "exit-policy/default")) {
  2686. *answer = tor_strdup(DEFAULT_EXIT_POLICY);
  2687. } else if (!strcmp(question, "exit-policy/reject-private/default")) {
  2688. smartlist_t *private_policy_strings;
  2689. const char **priv = private_nets;
  2690. private_policy_strings = smartlist_new();
  2691. while (*priv != NULL) {
  2692. /* IPv6 addresses are in "[]" and contain ":",
  2693. * IPv4 addresses are not in "[]" and contain "." */
  2694. smartlist_add_asprintf(private_policy_strings, "reject %s:*", *priv);
  2695. priv++;
  2696. }
  2697. *answer = smartlist_join_strings(private_policy_strings,
  2698. ",", 0, NULL);
  2699. SMARTLIST_FOREACH(private_policy_strings, char *, str, tor_free(str));
  2700. smartlist_free(private_policy_strings);
  2701. } else if (!strcmp(question, "exit-policy/reject-private/relay")) {
  2702. const or_options_t *options = get_options();
  2703. const routerinfo_t *me = router_get_my_routerinfo();
  2704. if (!me) {
  2705. *errmsg = "router_get_my_routerinfo returned NULL";
  2706. return -1;
  2707. }
  2708. if (!options->ExitPolicyRejectPrivate &&
  2709. !options->ExitPolicyRejectLocalInterfaces) {
  2710. *answer = tor_strdup("");
  2711. return 0;
  2712. }
  2713. smartlist_t *private_policy_list = smartlist_new();
  2714. smartlist_t *configured_addresses = smartlist_new();
  2715. /* Copy the configured addresses into the tor_addr_t* list */
  2716. if (options->ExitPolicyRejectPrivate) {
  2717. policies_copy_ipv4h_to_smartlist(configured_addresses, me->addr);
  2718. policies_copy_addr_to_smartlist(configured_addresses, &me->ipv6_addr);
  2719. }
  2720. if (options->ExitPolicyRejectLocalInterfaces) {
  2721. policies_copy_outbound_addresses_to_smartlist(configured_addresses,
  2722. options);
  2723. }
  2724. policies_parse_exit_policy_reject_private(
  2725. &private_policy_list,
  2726. options->IPv6Exit,
  2727. configured_addresses,
  2728. options->ExitPolicyRejectLocalInterfaces,
  2729. options->ExitPolicyRejectLocalInterfaces);
  2730. *answer = policy_dump_to_string(private_policy_list, 1, 1);
  2731. addr_policy_list_free(private_policy_list);
  2732. SMARTLIST_FOREACH(configured_addresses, tor_addr_t *, a, tor_free(a));
  2733. smartlist_free(configured_addresses);
  2734. } else if (!strcmpstart(question, "exit-policy/")) {
  2735. const routerinfo_t *me = router_get_my_routerinfo();
  2736. int include_ipv4 = 0;
  2737. int include_ipv6 = 0;
  2738. if (!strcmp(question, "exit-policy/ipv4")) {
  2739. include_ipv4 = 1;
  2740. } else if (!strcmp(question, "exit-policy/ipv6")) {
  2741. include_ipv6 = 1;
  2742. } else if (!strcmp(question, "exit-policy/full")) {
  2743. include_ipv4 = include_ipv6 = 1;
  2744. } else {
  2745. return 0; /* No such key. */
  2746. }
  2747. if (!me) {
  2748. *errmsg = "router_get_my_routerinfo returned NULL";
  2749. return -1;
  2750. }
  2751. *answer = router_dump_exit_policy_to_string(me,include_ipv4,include_ipv6);
  2752. }
  2753. return 0;
  2754. }
  2755. /** Release all storage held by <b>p</b>. */
  2756. void
  2757. addr_policy_list_free_(smartlist_t *lst)
  2758. {
  2759. if (!lst)
  2760. return;
  2761. SMARTLIST_FOREACH(lst, addr_policy_t *, policy, addr_policy_free(policy));
  2762. smartlist_free(lst);
  2763. }
  2764. /** Release all storage held by <b>p</b>. */
  2765. void
  2766. addr_policy_free_(addr_policy_t *p)
  2767. {
  2768. if (!p)
  2769. return;
  2770. if (--p->refcnt <= 0) {
  2771. if (p->is_canonical) {
  2772. policy_map_ent_t search, *found;
  2773. search.policy = p;
  2774. found = HT_REMOVE(policy_map, &policy_root, &search);
  2775. if (found) {
  2776. tor_assert(p == found->policy);
  2777. tor_free(found);
  2778. }
  2779. }
  2780. tor_free(p);
  2781. }
  2782. }
  2783. /** Release all storage held by policy variables. */
  2784. void
  2785. policies_free_all(void)
  2786. {
  2787. addr_policy_list_free(reachable_or_addr_policy);
  2788. reachable_or_addr_policy = NULL;
  2789. addr_policy_list_free(reachable_dir_addr_policy);
  2790. reachable_dir_addr_policy = NULL;
  2791. addr_policy_list_free(socks_policy);
  2792. socks_policy = NULL;
  2793. addr_policy_list_free(dir_policy);
  2794. dir_policy = NULL;
  2795. addr_policy_list_free(authdir_reject_policy);
  2796. authdir_reject_policy = NULL;
  2797. addr_policy_list_free(authdir_invalid_policy);
  2798. authdir_invalid_policy = NULL;
  2799. addr_policy_list_free(authdir_badexit_policy);
  2800. authdir_badexit_policy = NULL;
  2801. if (!HT_EMPTY(&policy_root)) {
  2802. policy_map_ent_t **ent;
  2803. int n = 0;
  2804. char buf[POLICY_BUF_LEN];
  2805. log_warn(LD_MM, "Still had %d address policies cached at shutdown.",
  2806. (int)HT_SIZE(&policy_root));
  2807. /* Note the first 10 cached policies to try to figure out where they
  2808. * might be coming from. */
  2809. HT_FOREACH(ent, policy_map, &policy_root) {
  2810. if (++n > 10)
  2811. break;
  2812. if (policy_write_item(buf, sizeof(buf), (*ent)->policy, 0) >= 0)
  2813. log_warn(LD_MM," %d [%d]: %s", n, (*ent)->policy->refcnt, buf);
  2814. }
  2815. }
  2816. HT_CLEAR(policy_map, &policy_root);
  2817. }