policies.c 109 KB

12345678910111213141516171819202122232425262728293031323334353637383940414243444546474849505152535455565758596061626364656667686970717273747576777879808182838485868788899091929394959697989910010110210310410510610710810911011111211311411511611711811912012112212312412512612712812913013113213313413513613713813914014114214314414514614714814915015115215315415515615715815916016116216316416516616716816917017117217317417517617717817918018118218318418518618718818919019119219319419519619719819920020120220320420520620720820921021121221321421521621721821922022122222322422522622722822923023123223323423523623723823924024124224324424524624724824925025125225325425525625725825926026126226326426526626726826927027127227327427527627727827928028128228328428528628728828929029129229329429529629729829930030130230330430530630730830931031131231331431531631731831932032132232332432532632732832933033133233333433533633733833934034134234334434534634734834935035135235335435535635735835936036136236336436536636736836937037137237337437537637737837938038138238338438538638738838939039139239339439539639739839940040140240340440540640740840941041141241341441541641741841942042142242342442542642742842943043143243343443543643743843944044144244344444544644744844945045145245345445545645745845946046146246346446546646746846947047147247347447547647747847948048148248348448548648748848949049149249349449549649749849950050150250350450550650750850951051151251351451551651751851952052152252352452552652752852953053153253353453553653753853954054154254354454554654754854955055155255355455555655755855956056156256356456556656756856957057157257357457557657757857958058158258358458558658758858959059159259359459559659759859960060160260360460560660760860961061161261361461561661761861962062162262362462562662762862963063163263363463563663763863964064164264364464564664764864965065165265365465565665765865966066166266366466566666766866967067167267367467567667767867968068168268368468568668768868969069169269369469569669769869970070170270370470570670770870971071171271371471571671771871972072172272372472572672772872973073173273373473573673773873974074174274374474574674774874975075175275375475575675775875976076176276376476576676776876977077177277377477577677777877978078178278378478578678778878979079179279379479579679779879980080180280380480580680780880981081181281381481581681781881982082182282382482582682782882983083183283383483583683783883984084184284384484584684784884985085185285385485585685785885986086186286386486586686786886987087187287387487587687787887988088188288388488588688788888989089189289389489589689789889990090190290390490590690790890991091191291391491591691791891992092192292392492592692792892993093193293393493593693793893994094194294394494594694794894995095195295395495595695795895996096196296396496596696796896997097197297397497597697797897998098198298398498598698798898999099199299399499599699799899910001001100210031004100510061007100810091010101110121013101410151016101710181019102010211022102310241025102610271028102910301031103210331034103510361037103810391040104110421043104410451046104710481049105010511052105310541055105610571058105910601061106210631064106510661067106810691070107110721073107410751076107710781079108010811082108310841085108610871088108910901091109210931094109510961097109810991100110111021103110411051106110711081109111011111112111311141115111611171118111911201121112211231124112511261127112811291130113111321133113411351136113711381139114011411142114311441145114611471148114911501151115211531154115511561157115811591160116111621163116411651166116711681169117011711172117311741175117611771178117911801181118211831184118511861187118811891190119111921193119411951196119711981199120012011202120312041205120612071208120912101211121212131214121512161217121812191220122112221223122412251226122712281229123012311232123312341235123612371238123912401241124212431244124512461247124812491250125112521253125412551256125712581259126012611262126312641265126612671268126912701271127212731274127512761277127812791280128112821283128412851286128712881289129012911292129312941295129612971298129913001301130213031304130513061307130813091310131113121313131413151316131713181319132013211322132313241325132613271328132913301331133213331334133513361337133813391340134113421343134413451346134713481349135013511352135313541355135613571358135913601361136213631364136513661367136813691370137113721373137413751376137713781379138013811382138313841385138613871388138913901391139213931394139513961397139813991400140114021403140414051406140714081409141014111412141314141415141614171418141914201421142214231424142514261427142814291430143114321433143414351436143714381439144014411442144314441445144614471448144914501451145214531454145514561457145814591460146114621463146414651466146714681469147014711472147314741475147614771478147914801481148214831484148514861487148814891490149114921493149414951496149714981499150015011502150315041505150615071508150915101511151215131514151515161517151815191520152115221523152415251526152715281529153015311532153315341535153615371538153915401541154215431544154515461547154815491550155115521553155415551556155715581559156015611562156315641565156615671568156915701571157215731574157515761577157815791580158115821583158415851586158715881589159015911592159315941595159615971598159916001601160216031604160516061607160816091610161116121613161416151616161716181619162016211622162316241625162616271628162916301631163216331634163516361637163816391640164116421643164416451646164716481649165016511652165316541655165616571658165916601661166216631664166516661667166816691670167116721673167416751676167716781679168016811682168316841685168616871688168916901691169216931694169516961697169816991700170117021703170417051706170717081709171017111712171317141715171617171718171917201721172217231724172517261727172817291730173117321733173417351736173717381739174017411742174317441745174617471748174917501751175217531754175517561757175817591760176117621763176417651766176717681769177017711772177317741775177617771778177917801781178217831784178517861787178817891790179117921793179417951796179717981799180018011802180318041805180618071808180918101811181218131814181518161817181818191820182118221823182418251826182718281829183018311832183318341835183618371838183918401841184218431844184518461847184818491850185118521853185418551856185718581859186018611862186318641865186618671868186918701871187218731874187518761877187818791880188118821883188418851886188718881889189018911892189318941895189618971898189919001901190219031904190519061907190819091910191119121913191419151916191719181919192019211922192319241925192619271928192919301931193219331934193519361937193819391940194119421943194419451946194719481949195019511952195319541955195619571958195919601961196219631964196519661967196819691970197119721973197419751976197719781979198019811982198319841985198619871988198919901991199219931994199519961997199819992000200120022003200420052006200720082009201020112012201320142015201620172018201920202021202220232024202520262027202820292030203120322033203420352036203720382039204020412042204320442045204620472048204920502051205220532054205520562057205820592060206120622063206420652066206720682069207020712072207320742075207620772078207920802081208220832084208520862087208820892090209120922093209420952096209720982099210021012102210321042105210621072108210921102111211221132114211521162117211821192120212121222123212421252126212721282129213021312132213321342135213621372138213921402141214221432144214521462147214821492150215121522153215421552156215721582159216021612162216321642165216621672168216921702171217221732174217521762177217821792180218121822183218421852186218721882189219021912192219321942195219621972198219922002201220222032204220522062207220822092210221122122213221422152216221722182219222022212222222322242225222622272228222922302231223222332234223522362237223822392240224122422243224422452246224722482249225022512252225322542255225622572258225922602261226222632264226522662267226822692270227122722273227422752276227722782279228022812282228322842285228622872288228922902291229222932294229522962297229822992300230123022303230423052306230723082309231023112312231323142315231623172318231923202321232223232324232523262327232823292330233123322333233423352336233723382339234023412342234323442345234623472348234923502351235223532354235523562357235823592360236123622363236423652366236723682369237023712372237323742375237623772378237923802381238223832384238523862387238823892390239123922393239423952396239723982399240024012402240324042405240624072408240924102411241224132414241524162417241824192420242124222423242424252426242724282429243024312432243324342435243624372438243924402441244224432444244524462447244824492450245124522453245424552456245724582459246024612462246324642465246624672468246924702471247224732474247524762477247824792480248124822483248424852486248724882489249024912492249324942495249624972498249925002501250225032504250525062507250825092510251125122513251425152516251725182519252025212522252325242525252625272528252925302531253225332534253525362537253825392540254125422543254425452546254725482549255025512552255325542555255625572558255925602561256225632564256525662567256825692570257125722573257425752576257725782579258025812582258325842585258625872588258925902591259225932594259525962597259825992600260126022603260426052606260726082609261026112612261326142615261626172618261926202621262226232624262526262627262826292630263126322633263426352636263726382639264026412642264326442645264626472648264926502651265226532654265526562657265826592660266126622663266426652666266726682669267026712672267326742675267626772678267926802681268226832684268526862687268826892690269126922693269426952696269726982699270027012702270327042705270627072708270927102711271227132714271527162717271827192720272127222723272427252726272727282729273027312732273327342735273627372738273927402741274227432744274527462747274827492750275127522753275427552756275727582759276027612762276327642765276627672768276927702771277227732774277527762777277827792780278127822783278427852786278727882789279027912792279327942795279627972798279928002801280228032804280528062807280828092810281128122813281428152816281728182819282028212822282328242825282628272828282928302831283228332834283528362837283828392840284128422843284428452846284728482849285028512852285328542855285628572858285928602861286228632864286528662867286828692870287128722873287428752876287728782879288028812882288328842885288628872888288928902891289228932894289528962897289828992900290129022903290429052906290729082909291029112912291329142915291629172918291929202921292229232924292529262927292829292930293129322933293429352936293729382939294029412942294329442945294629472948294929502951295229532954295529562957295829592960296129622963296429652966296729682969297029712972297329742975297629772978297929802981298229832984298529862987298829892990299129922993299429952996299729982999300030013002300330043005300630073008300930103011301230133014301530163017301830193020302130223023302430253026302730283029303030313032303330343035303630373038303930403041304230433044304530463047304830493050305130523053305430553056305730583059306030613062306330643065306630673068306930703071307230733074307530763077307830793080308130823083308430853086308730883089309030913092309330943095309630973098309931003101310231033104310531063107310831093110311131123113311431153116311731183119312031213122312331243125312631273128312931303131313231333134313531363137313831393140314131423143314431453146
  1. /* Copyright (c) 2001-2004, Roger Dingledine.
  2. * Copyright (c) 2004-2006, Roger Dingledine, Nick Mathewson.
  3. * Copyright (c) 2007-2018, The Tor Project, Inc. */
  4. /* See LICENSE for licensing information */
  5. /**
  6. * \file policies.c
  7. * \brief Code to parse and use address policies and exit policies.
  8. *
  9. * We have two key kinds of address policy: full and compressed. A full
  10. * policy is an array of accept/reject patterns, to be applied in order.
  11. * A short policy is simply a list of ports. This module handles both
  12. * kinds, including generic functions to apply them to addresses, and
  13. * also including code to manage the global policies that we apply to
  14. * incoming and outgoing connections.
  15. **/
  16. #define POLICIES_PRIVATE
  17. #include "or/or.h"
  18. #include "or/bridges.h"
  19. #include "or/config.h"
  20. #include "or/dirserv.h"
  21. #include "or/microdesc.h"
  22. #include "or/networkstatus.h"
  23. #include "or/nodelist.h"
  24. #include "or/policies.h"
  25. #include "or/router.h"
  26. #include "or/routerparse.h"
  27. #include "or/geoip.h"
  28. #include "ht.h"
  29. #include "lib/encoding/confline.h"
  30. #include "or/dir_server_st.h"
  31. #include "or/microdesc_st.h"
  32. #include "or/node_st.h"
  33. #include "or/port_cfg_st.h"
  34. #include "or/routerinfo_st.h"
  35. #include "or/routerstatus_st.h"
  36. /** Policy that addresses for incoming SOCKS connections must match. */
  37. static smartlist_t *socks_policy = NULL;
  38. /** Policy that addresses for incoming directory connections must match. */
  39. static smartlist_t *dir_policy = NULL;
  40. /** Policy that addresses for incoming router descriptors must match in order
  41. * to be published by us. */
  42. static smartlist_t *authdir_reject_policy = NULL;
  43. /** Policy that addresses for incoming router descriptors must match in order
  44. * to be marked as valid in our networkstatus. */
  45. static smartlist_t *authdir_invalid_policy = NULL;
  46. /** Policy that addresses for incoming router descriptors must <b>not</b>
  47. * match in order to not be marked as BadExit. */
  48. static smartlist_t *authdir_badexit_policy = NULL;
  49. /** Parsed addr_policy_t describing which addresses we believe we can start
  50. * circuits at. */
  51. static smartlist_t *reachable_or_addr_policy = NULL;
  52. /** Parsed addr_policy_t describing which addresses we believe we can connect
  53. * to directories at. */
  54. static smartlist_t *reachable_dir_addr_policy = NULL;
  55. /** Element of an exit policy summary */
  56. typedef struct policy_summary_item_t {
  57. uint16_t prt_min; /**< Lowest port number to accept/reject. */
  58. uint16_t prt_max; /**< Highest port number to accept/reject. */
  59. uint64_t reject_count; /**< Number of IP-Addresses that are rejected to
  60. this port range. */
  61. unsigned int accepted:1; /** Has this port already been accepted */
  62. } policy_summary_item_t;
  63. /** Private networks. This list is used in two places, once to expand the
  64. * "private" keyword when parsing our own exit policy, secondly to ignore
  65. * just such networks when building exit policy summaries. It is important
  66. * that all authorities agree on that list when creating summaries, so don't
  67. * just change this without a proper migration plan and a proposal and stuff.
  68. */
  69. static const char *private_nets[] = {
  70. "0.0.0.0/8", "169.254.0.0/16",
  71. "127.0.0.0/8", "192.168.0.0/16", "10.0.0.0/8", "172.16.0.0/12",
  72. "[::]/8",
  73. "[fc00::]/7", "[fe80::]/10", "[fec0::]/10", "[ff00::]/8", "[::]/127",
  74. NULL
  75. };
  76. static int policies_parse_exit_policy_internal(
  77. config_line_t *cfg,
  78. smartlist_t **dest,
  79. int ipv6_exit,
  80. int rejectprivate,
  81. const smartlist_t *configured_addresses,
  82. int reject_interface_addresses,
  83. int reject_configured_port_addresses,
  84. int add_default_policy,
  85. int add_reduced_policy);
  86. /** Replace all "private" entries in *<b>policy</b> with their expanded
  87. * equivalents. */
  88. void
  89. policy_expand_private(smartlist_t **policy)
  90. {
  91. uint16_t port_min, port_max;
  92. int i;
  93. smartlist_t *tmp;
  94. if (!*policy) /*XXXX disallow NULL policies? */
  95. return;
  96. tmp = smartlist_new();
  97. SMARTLIST_FOREACH_BEGIN(*policy, addr_policy_t *, p) {
  98. if (! p->is_private) {
  99. smartlist_add(tmp, p);
  100. continue;
  101. }
  102. for (i = 0; private_nets[i]; ++i) {
  103. addr_policy_t newpolicy;
  104. memcpy(&newpolicy, p, sizeof(addr_policy_t));
  105. newpolicy.is_private = 0;
  106. newpolicy.is_canonical = 0;
  107. if (tor_addr_parse_mask_ports(private_nets[i], 0,
  108. &newpolicy.addr,
  109. &newpolicy.maskbits, &port_min, &port_max)<0) {
  110. tor_assert_unreached();
  111. }
  112. smartlist_add(tmp, addr_policy_get_canonical_entry(&newpolicy));
  113. }
  114. addr_policy_free(p);
  115. } SMARTLIST_FOREACH_END(p);
  116. smartlist_free(*policy);
  117. *policy = tmp;
  118. }
  119. /** Expand each of the AF_UNSPEC elements in *<b>policy</b> (which indicate
  120. * protocol-neutral wildcards) into a pair of wildcard elements: one IPv4-
  121. * specific and one IPv6-specific. */
  122. void
  123. policy_expand_unspec(smartlist_t **policy)
  124. {
  125. smartlist_t *tmp;
  126. if (!*policy)
  127. return;
  128. tmp = smartlist_new();
  129. SMARTLIST_FOREACH_BEGIN(*policy, addr_policy_t *, p) {
  130. sa_family_t family = tor_addr_family(&p->addr);
  131. if (family == AF_INET6 || family == AF_INET || p->is_private) {
  132. smartlist_add(tmp, p);
  133. } else if (family == AF_UNSPEC) {
  134. addr_policy_t newpolicy_ipv4;
  135. addr_policy_t newpolicy_ipv6;
  136. memcpy(&newpolicy_ipv4, p, sizeof(addr_policy_t));
  137. memcpy(&newpolicy_ipv6, p, sizeof(addr_policy_t));
  138. newpolicy_ipv4.is_canonical = 0;
  139. newpolicy_ipv6.is_canonical = 0;
  140. if (p->maskbits != 0) {
  141. log_warn(LD_BUG, "AF_UNSPEC policy with maskbits==%d", p->maskbits);
  142. newpolicy_ipv4.maskbits = 0;
  143. newpolicy_ipv6.maskbits = 0;
  144. }
  145. tor_addr_from_ipv4h(&newpolicy_ipv4.addr, 0);
  146. tor_addr_from_ipv6_bytes(&newpolicy_ipv6.addr,
  147. "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0");
  148. smartlist_add(tmp, addr_policy_get_canonical_entry(&newpolicy_ipv4));
  149. smartlist_add(tmp, addr_policy_get_canonical_entry(&newpolicy_ipv6));
  150. addr_policy_free(p);
  151. } else {
  152. log_warn(LD_BUG, "Funny-looking address policy with family %d", family);
  153. smartlist_add(tmp, p);
  154. }
  155. } SMARTLIST_FOREACH_END(p);
  156. smartlist_free(*policy);
  157. *policy = tmp;
  158. }
  159. /**
  160. * Given a linked list of config lines containing "accept[6]" and "reject[6]"
  161. * tokens, parse them and append the result to <b>dest</b>. Return -1
  162. * if any tokens are malformed (and don't append any), else return 0.
  163. *
  164. * If <b>assume_action</b> is nonnegative, then insert its action
  165. * (ADDR_POLICY_ACCEPT or ADDR_POLICY_REJECT) for items that specify no
  166. * action.
  167. */
  168. static int
  169. parse_addr_policy(config_line_t *cfg, smartlist_t **dest,
  170. int assume_action)
  171. {
  172. smartlist_t *result;
  173. smartlist_t *entries;
  174. addr_policy_t *item;
  175. int malformed_list;
  176. int r = 0;
  177. if (!cfg)
  178. return 0;
  179. result = smartlist_new();
  180. entries = smartlist_new();
  181. for (; cfg; cfg = cfg->next) {
  182. smartlist_split_string(entries, cfg->value, ",",
  183. SPLIT_SKIP_SPACE|SPLIT_IGNORE_BLANK, 0);
  184. SMARTLIST_FOREACH_BEGIN(entries, const char *, ent) {
  185. log_debug(LD_CONFIG,"Adding new entry '%s'",ent);
  186. malformed_list = 0;
  187. item = router_parse_addr_policy_item_from_string(ent, assume_action,
  188. &malformed_list);
  189. if (item) {
  190. smartlist_add(result, item);
  191. } else if (malformed_list) {
  192. /* the error is so severe the entire list should be discarded */
  193. log_warn(LD_CONFIG, "Malformed policy '%s'. Discarding entire policy "
  194. "list.", ent);
  195. r = -1;
  196. } else {
  197. /* the error is minor: don't add the item, but keep processing the
  198. * rest of the policies in the list */
  199. log_debug(LD_CONFIG, "Ignored policy '%s' due to non-fatal error. "
  200. "The remainder of the policy list will be used.",
  201. ent);
  202. }
  203. } SMARTLIST_FOREACH_END(ent);
  204. SMARTLIST_FOREACH(entries, char *, ent, tor_free(ent));
  205. smartlist_clear(entries);
  206. }
  207. smartlist_free(entries);
  208. if (r == -1) {
  209. addr_policy_list_free(result);
  210. } else {
  211. policy_expand_private(&result);
  212. policy_expand_unspec(&result);
  213. if (*dest) {
  214. smartlist_add_all(*dest, result);
  215. smartlist_free(result);
  216. } else {
  217. *dest = result;
  218. }
  219. }
  220. return r;
  221. }
  222. /** Helper: parse the Reachable(Dir|OR)?Addresses fields into
  223. * reachable_(or|dir)_addr_policy. The options should already have
  224. * been validated by validate_addr_policies.
  225. */
  226. static int
  227. parse_reachable_addresses(void)
  228. {
  229. const or_options_t *options = get_options();
  230. int ret = 0;
  231. if (options->ReachableDirAddresses &&
  232. options->ReachableORAddresses &&
  233. options->ReachableAddresses) {
  234. log_warn(LD_CONFIG,
  235. "Both ReachableDirAddresses and ReachableORAddresses are set. "
  236. "ReachableAddresses setting will be ignored.");
  237. }
  238. addr_policy_list_free(reachable_or_addr_policy);
  239. reachable_or_addr_policy = NULL;
  240. if (!options->ReachableORAddresses && options->ReachableAddresses)
  241. log_info(LD_CONFIG,
  242. "Using ReachableAddresses as ReachableORAddresses.");
  243. if (parse_addr_policy(options->ReachableORAddresses ?
  244. options->ReachableORAddresses :
  245. options->ReachableAddresses,
  246. &reachable_or_addr_policy, ADDR_POLICY_ACCEPT)) {
  247. log_warn(LD_CONFIG,
  248. "Error parsing Reachable%sAddresses entry; ignoring.",
  249. options->ReachableORAddresses ? "OR" : "");
  250. ret = -1;
  251. }
  252. addr_policy_list_free(reachable_dir_addr_policy);
  253. reachable_dir_addr_policy = NULL;
  254. if (!options->ReachableDirAddresses && options->ReachableAddresses)
  255. log_info(LD_CONFIG,
  256. "Using ReachableAddresses as ReachableDirAddresses");
  257. if (parse_addr_policy(options->ReachableDirAddresses ?
  258. options->ReachableDirAddresses :
  259. options->ReachableAddresses,
  260. &reachable_dir_addr_policy, ADDR_POLICY_ACCEPT)) {
  261. if (options->ReachableDirAddresses)
  262. log_warn(LD_CONFIG,
  263. "Error parsing ReachableDirAddresses entry; ignoring.");
  264. ret = -1;
  265. }
  266. /* We ignore ReachableAddresses for relays */
  267. if (!server_mode(options)) {
  268. if (policy_is_reject_star(reachable_or_addr_policy, AF_UNSPEC, 0)
  269. || policy_is_reject_star(reachable_dir_addr_policy, AF_UNSPEC,0)) {
  270. log_warn(LD_CONFIG, "Tor cannot connect to the Internet if "
  271. "ReachableAddresses, ReachableORAddresses, or "
  272. "ReachableDirAddresses reject all addresses. Please accept "
  273. "some addresses in these options.");
  274. } else if (options->ClientUseIPv4 == 1
  275. && (policy_is_reject_star(reachable_or_addr_policy, AF_INET, 0)
  276. || policy_is_reject_star(reachable_dir_addr_policy, AF_INET, 0))) {
  277. log_warn(LD_CONFIG, "You have set ClientUseIPv4 1, but "
  278. "ReachableAddresses, ReachableORAddresses, or "
  279. "ReachableDirAddresses reject all IPv4 addresses. "
  280. "Tor will not connect using IPv4.");
  281. } else if (fascist_firewall_use_ipv6(options)
  282. && (policy_is_reject_star(reachable_or_addr_policy, AF_INET6, 0)
  283. || policy_is_reject_star(reachable_dir_addr_policy, AF_INET6, 0))) {
  284. log_warn(LD_CONFIG, "You have configured tor to use or prefer IPv6 "
  285. "(or UseBridges 1), but "
  286. "ReachableAddresses, ReachableORAddresses, or "
  287. "ReachableDirAddresses reject all IPv6 addresses. "
  288. "Tor will not connect using IPv6.");
  289. }
  290. }
  291. return ret;
  292. }
  293. /* Return true iff ClientUseIPv4 0 or ClientUseIPv6 0 might block any OR or Dir
  294. * address:port combination. */
  295. static int
  296. firewall_is_fascist_impl(void)
  297. {
  298. const or_options_t *options = get_options();
  299. /* Assume every non-bridge relay has an IPv4 address.
  300. * Clients which use bridges may only know the IPv6 address of their
  301. * bridge, but they will connect regardless of the ClientUseIPv6 setting. */
  302. return options->ClientUseIPv4 == 0;
  303. }
  304. /** Return true iff the firewall options, including ClientUseIPv4 0 and
  305. * ClientUseIPv6 0, might block any OR address:port combination.
  306. * Address preferences may still change which address is selected even if
  307. * this function returns false.
  308. */
  309. int
  310. firewall_is_fascist_or(void)
  311. {
  312. return (reachable_or_addr_policy != NULL || firewall_is_fascist_impl());
  313. }
  314. /** Return true iff the firewall options, including ClientUseIPv4 0 and
  315. * ClientUseIPv6 0, might block any Dir address:port combination.
  316. * Address preferences may still change which address is selected even if
  317. * this function returns false.
  318. */
  319. int
  320. firewall_is_fascist_dir(void)
  321. {
  322. return (reachable_dir_addr_policy != NULL || firewall_is_fascist_impl());
  323. }
  324. /** Return true iff <b>policy</b> (possibly NULL) will allow a
  325. * connection to <b>addr</b>:<b>port</b>.
  326. */
  327. static int
  328. addr_policy_permits_tor_addr(const tor_addr_t *addr, uint16_t port,
  329. smartlist_t *policy)
  330. {
  331. addr_policy_result_t p;
  332. p = compare_tor_addr_to_addr_policy(addr, port, policy);
  333. switch (p) {
  334. case ADDR_POLICY_PROBABLY_ACCEPTED:
  335. case ADDR_POLICY_ACCEPTED:
  336. return 1;
  337. case ADDR_POLICY_PROBABLY_REJECTED:
  338. case ADDR_POLICY_REJECTED:
  339. return 0;
  340. default:
  341. log_warn(LD_BUG, "Unexpected result: %d", (int)p);
  342. return 0;
  343. }
  344. }
  345. /** Return true iff <b> policy</b> (possibly NULL) will allow a connection to
  346. * <b>addr</b>:<b>port</b>. <b>addr</b> is an IPv4 address given in host
  347. * order. */
  348. /* XXXX deprecate when possible. */
  349. static int
  350. addr_policy_permits_address(uint32_t addr, uint16_t port,
  351. smartlist_t *policy)
  352. {
  353. tor_addr_t a;
  354. tor_addr_from_ipv4h(&a, addr);
  355. return addr_policy_permits_tor_addr(&a, port, policy);
  356. }
  357. /** Return true iff we think our firewall will let us make a connection to
  358. * addr:port.
  359. *
  360. * If we are configured as a server, ignore any address family preference and
  361. * just use IPv4.
  362. * Otherwise:
  363. * - return false for all IPv4 addresses:
  364. * - if ClientUseIPv4 is 0, or
  365. * if pref_only and pref_ipv6 are both true;
  366. * - return false for all IPv6 addresses:
  367. * - if fascist_firewall_use_ipv6() is 0, or
  368. * - if pref_only is true and pref_ipv6 is false.
  369. *
  370. * Return false if addr is NULL or tor_addr_is_null(), or if port is 0. */
  371. STATIC int
  372. fascist_firewall_allows_address(const tor_addr_t *addr,
  373. uint16_t port,
  374. smartlist_t *firewall_policy,
  375. int pref_only, int pref_ipv6)
  376. {
  377. const or_options_t *options = get_options();
  378. const int client_mode = !server_mode(options);
  379. if (!addr || tor_addr_is_null(addr) || !port) {
  380. return 0;
  381. }
  382. /* Clients stop using IPv4 if it's disabled. In most cases, clients also
  383. * stop using IPv4 if it's not preferred.
  384. * Servers must have IPv4 enabled and preferred. */
  385. if (tor_addr_family(addr) == AF_INET && client_mode &&
  386. (!options->ClientUseIPv4 || (pref_only && pref_ipv6))) {
  387. return 0;
  388. }
  389. /* Clients and Servers won't use IPv6 unless it's enabled (and in most
  390. * cases, IPv6 must also be preferred before it will be used). */
  391. if (tor_addr_family(addr) == AF_INET6 &&
  392. (!fascist_firewall_use_ipv6(options) || (pref_only && !pref_ipv6))) {
  393. return 0;
  394. }
  395. return addr_policy_permits_tor_addr(addr, port,
  396. firewall_policy);
  397. }
  398. /** Is this client configured to use IPv6?
  399. * Returns true if the client might use IPv6 for some of its connections
  400. * (including dual-stack and IPv6-only clients), and false if it will never
  401. * use IPv6 for any connections.
  402. * Use node_ipv6_or/dir_preferred() when checking a specific node and OR/Dir
  403. * port: it supports bridge client per-node IPv6 preferences.
  404. */
  405. int
  406. fascist_firewall_use_ipv6(const or_options_t *options)
  407. {
  408. /* Clients use IPv6 if it's set, or they use bridges, or they don't use
  409. * IPv4, or they prefer it.
  410. * ClientPreferIPv6DirPort is deprecated, but check it anyway. */
  411. return (options->ClientUseIPv6 == 1 || options->ClientUseIPv4 == 0 ||
  412. options->ClientPreferIPv6ORPort == 1 ||
  413. options->ClientPreferIPv6DirPort == 1 || options->UseBridges == 1);
  414. }
  415. /** Do we prefer to connect to IPv6, ignoring ClientPreferIPv6ORPort and
  416. * ClientPreferIPv6DirPort?
  417. * If we're unsure, return -1, otherwise, return 1 for IPv6 and 0 for IPv4.
  418. */
  419. static int
  420. fascist_firewall_prefer_ipv6_impl(const or_options_t *options)
  421. {
  422. /*
  423. Cheap implementation of config options ClientUseIPv4 & ClientUseIPv6 --
  424. If we're a server or IPv6 is disabled, use IPv4.
  425. If IPv4 is disabled, use IPv6.
  426. */
  427. if (server_mode(options) || !fascist_firewall_use_ipv6(options)) {
  428. return 0;
  429. }
  430. if (!options->ClientUseIPv4) {
  431. return 1;
  432. }
  433. return -1;
  434. }
  435. /** Do we prefer to connect to IPv6 ORPorts?
  436. * Use node_ipv6_or_preferred() whenever possible: it supports bridge client
  437. * per-node IPv6 preferences.
  438. */
  439. int
  440. fascist_firewall_prefer_ipv6_orport(const or_options_t *options)
  441. {
  442. int pref_ipv6 = fascist_firewall_prefer_ipv6_impl(options);
  443. if (pref_ipv6 >= 0) {
  444. return pref_ipv6;
  445. }
  446. /* We can use both IPv4 and IPv6 - which do we prefer? */
  447. if (options->ClientPreferIPv6ORPort == 1) {
  448. return 1;
  449. }
  450. return 0;
  451. }
  452. /** Do we prefer to connect to IPv6 DirPorts?
  453. *
  454. * (node_ipv6_dir_preferred() doesn't support bridge client per-node IPv6
  455. * preferences. There's no reason to use it instead of this function.)
  456. */
  457. int
  458. fascist_firewall_prefer_ipv6_dirport(const or_options_t *options)
  459. {
  460. int pref_ipv6 = fascist_firewall_prefer_ipv6_impl(options);
  461. if (pref_ipv6 >= 0) {
  462. return pref_ipv6;
  463. }
  464. /* We can use both IPv4 and IPv6 - which do we prefer? */
  465. if (options->ClientPreferIPv6DirPort == 1) {
  466. return 1;
  467. }
  468. return 0;
  469. }
  470. /** Return true iff we think our firewall will let us make a connection to
  471. * addr:port. Uses ReachableORAddresses or ReachableDirAddresses based on
  472. * fw_connection.
  473. * If pref_only is true, return true if addr is in the client's preferred
  474. * address family, which is IPv6 if pref_ipv6 is true, and IPv4 otherwise.
  475. * If pref_only is false, ignore pref_ipv6, and return true if addr is allowed.
  476. */
  477. int
  478. fascist_firewall_allows_address_addr(const tor_addr_t *addr, uint16_t port,
  479. firewall_connection_t fw_connection,
  480. int pref_only, int pref_ipv6)
  481. {
  482. if (fw_connection == FIREWALL_OR_CONNECTION) {
  483. return fascist_firewall_allows_address(addr, port,
  484. reachable_or_addr_policy,
  485. pref_only, pref_ipv6);
  486. } else if (fw_connection == FIREWALL_DIR_CONNECTION) {
  487. return fascist_firewall_allows_address(addr, port,
  488. reachable_dir_addr_policy,
  489. pref_only, pref_ipv6);
  490. } else {
  491. log_warn(LD_BUG, "Bad firewall_connection_t value %d.",
  492. fw_connection);
  493. return 0;
  494. }
  495. }
  496. /** Return true iff we think our firewall will let us make a connection to
  497. * addr:port (ap). Uses ReachableORAddresses or ReachableDirAddresses based on
  498. * fw_connection.
  499. * pref_only and pref_ipv6 work as in fascist_firewall_allows_address_addr().
  500. */
  501. static int
  502. fascist_firewall_allows_address_ap(const tor_addr_port_t *ap,
  503. firewall_connection_t fw_connection,
  504. int pref_only, int pref_ipv6)
  505. {
  506. tor_assert(ap);
  507. return fascist_firewall_allows_address_addr(&ap->addr, ap->port,
  508. fw_connection, pref_only,
  509. pref_ipv6);
  510. }
  511. /* Return true iff we think our firewall will let us make a connection to
  512. * ipv4h_or_addr:ipv4_or_port. ipv4h_or_addr is interpreted in host order.
  513. * Uses ReachableORAddresses or ReachableDirAddresses based on
  514. * fw_connection.
  515. * pref_only and pref_ipv6 work as in fascist_firewall_allows_address_addr().
  516. */
  517. static int
  518. fascist_firewall_allows_address_ipv4h(uint32_t ipv4h_or_addr,
  519. uint16_t ipv4_or_port,
  520. firewall_connection_t fw_connection,
  521. int pref_only, int pref_ipv6)
  522. {
  523. tor_addr_t ipv4_or_addr;
  524. tor_addr_from_ipv4h(&ipv4_or_addr, ipv4h_or_addr);
  525. return fascist_firewall_allows_address_addr(&ipv4_or_addr, ipv4_or_port,
  526. fw_connection, pref_only,
  527. pref_ipv6);
  528. }
  529. /** Return true iff we think our firewall will let us make a connection to
  530. * ipv4h_addr/ipv6_addr. Uses ipv4_orport/ipv6_orport/ReachableORAddresses or
  531. * ipv4_dirport/ipv6_dirport/ReachableDirAddresses based on IPv4/IPv6 and
  532. * <b>fw_connection</b>.
  533. * pref_only and pref_ipv6 work as in fascist_firewall_allows_address_addr().
  534. */
  535. static int
  536. fascist_firewall_allows_base(uint32_t ipv4h_addr, uint16_t ipv4_orport,
  537. uint16_t ipv4_dirport,
  538. const tor_addr_t *ipv6_addr, uint16_t ipv6_orport,
  539. uint16_t ipv6_dirport,
  540. firewall_connection_t fw_connection,
  541. int pref_only, int pref_ipv6)
  542. {
  543. if (fascist_firewall_allows_address_ipv4h(ipv4h_addr,
  544. (fw_connection == FIREWALL_OR_CONNECTION
  545. ? ipv4_orport
  546. : ipv4_dirport),
  547. fw_connection,
  548. pref_only, pref_ipv6)) {
  549. return 1;
  550. }
  551. if (fascist_firewall_allows_address_addr(ipv6_addr,
  552. (fw_connection == FIREWALL_OR_CONNECTION
  553. ? ipv6_orport
  554. : ipv6_dirport),
  555. fw_connection,
  556. pref_only, pref_ipv6)) {
  557. return 1;
  558. }
  559. return 0;
  560. }
  561. /** Like fascist_firewall_allows_base(), but takes ri. */
  562. static int
  563. fascist_firewall_allows_ri_impl(const routerinfo_t *ri,
  564. firewall_connection_t fw_connection,
  565. int pref_only, int pref_ipv6)
  566. {
  567. if (!ri) {
  568. return 0;
  569. }
  570. /* Assume IPv4 and IPv6 DirPorts are the same */
  571. return fascist_firewall_allows_base(ri->addr, ri->or_port, ri->dir_port,
  572. &ri->ipv6_addr, ri->ipv6_orport,
  573. ri->dir_port, fw_connection, pref_only,
  574. pref_ipv6);
  575. }
  576. /** Like fascist_firewall_allows_rs, but takes pref_ipv6. */
  577. static int
  578. fascist_firewall_allows_rs_impl(const routerstatus_t *rs,
  579. firewall_connection_t fw_connection,
  580. int pref_only, int pref_ipv6)
  581. {
  582. if (!rs) {
  583. return 0;
  584. }
  585. /* Assume IPv4 and IPv6 DirPorts are the same */
  586. return fascist_firewall_allows_base(rs->addr, rs->or_port, rs->dir_port,
  587. &rs->ipv6_addr, rs->ipv6_orport,
  588. rs->dir_port, fw_connection, pref_only,
  589. pref_ipv6);
  590. }
  591. /** Like fascist_firewall_allows_base(), but takes rs.
  592. * When rs is a fake_status from a dir_server_t, it can have a reachable
  593. * address, even when the corresponding node does not.
  594. * nodes can be missing addresses when there's no consensus (IPv4 and IPv6),
  595. * or when there is a microdescriptor consensus, but no microdescriptors
  596. * (microdescriptors have IPv6, the microdesc consensus does not). */
  597. int
  598. fascist_firewall_allows_rs(const routerstatus_t *rs,
  599. firewall_connection_t fw_connection, int pref_only)
  600. {
  601. if (!rs) {
  602. return 0;
  603. }
  604. /* We don't have access to the node-specific IPv6 preference, so use the
  605. * generic IPv6 preference instead. */
  606. const or_options_t *options = get_options();
  607. int pref_ipv6 = (fw_connection == FIREWALL_OR_CONNECTION
  608. ? fascist_firewall_prefer_ipv6_orport(options)
  609. : fascist_firewall_prefer_ipv6_dirport(options));
  610. return fascist_firewall_allows_rs_impl(rs, fw_connection, pref_only,
  611. pref_ipv6);
  612. }
  613. /** Return true iff we think our firewall will let us make a connection to
  614. * ipv6_addr:ipv6_orport based on ReachableORAddresses.
  615. * If <b>fw_connection</b> is FIREWALL_DIR_CONNECTION, returns 0.
  616. * pref_only and pref_ipv6 work as in fascist_firewall_allows_address_addr().
  617. */
  618. static int
  619. fascist_firewall_allows_md_impl(const microdesc_t *md,
  620. firewall_connection_t fw_connection,
  621. int pref_only, int pref_ipv6)
  622. {
  623. if (!md) {
  624. return 0;
  625. }
  626. /* Can't check dirport, it doesn't have one */
  627. if (fw_connection == FIREWALL_DIR_CONNECTION) {
  628. return 0;
  629. }
  630. /* Also can't check IPv4, doesn't have that either */
  631. return fascist_firewall_allows_address_addr(&md->ipv6_addr, md->ipv6_orport,
  632. fw_connection, pref_only,
  633. pref_ipv6);
  634. }
  635. /** Like fascist_firewall_allows_base(), but takes node, and looks up pref_ipv6
  636. * from node_ipv6_or/dir_preferred(). */
  637. int
  638. fascist_firewall_allows_node(const node_t *node,
  639. firewall_connection_t fw_connection,
  640. int pref_only)
  641. {
  642. if (!node) {
  643. return 0;
  644. }
  645. node_assert_ok(node);
  646. const int pref_ipv6 = (fw_connection == FIREWALL_OR_CONNECTION
  647. ? node_ipv6_or_preferred(node)
  648. : node_ipv6_dir_preferred(node));
  649. /* Sometimes, the rs is missing the IPv6 address info, and we need to go
  650. * all the way to the md */
  651. if (node->ri && fascist_firewall_allows_ri_impl(node->ri, fw_connection,
  652. pref_only, pref_ipv6)) {
  653. return 1;
  654. } else if (node->rs && fascist_firewall_allows_rs_impl(node->rs,
  655. fw_connection,
  656. pref_only,
  657. pref_ipv6)) {
  658. return 1;
  659. } else if (node->md && fascist_firewall_allows_md_impl(node->md,
  660. fw_connection,
  661. pref_only,
  662. pref_ipv6)) {
  663. return 1;
  664. } else {
  665. /* If we know nothing, assume it's unreachable, we'll never get an address
  666. * to connect to. */
  667. return 0;
  668. }
  669. }
  670. /** Like fascist_firewall_allows_rs(), but takes ds. */
  671. int
  672. fascist_firewall_allows_dir_server(const dir_server_t *ds,
  673. firewall_connection_t fw_connection,
  674. int pref_only)
  675. {
  676. if (!ds) {
  677. return 0;
  678. }
  679. /* A dir_server_t always has a fake_status. As long as it has the same
  680. * addresses/ports in both fake_status and dir_server_t, this works fine.
  681. * (See #17867.)
  682. * fascist_firewall_allows_rs only checks the addresses in fake_status. */
  683. return fascist_firewall_allows_rs(&ds->fake_status, fw_connection,
  684. pref_only);
  685. }
  686. /** If a and b are both valid and allowed by fw_connection,
  687. * choose one based on want_a and return it.
  688. * Otherwise, return whichever is allowed.
  689. * Otherwise, return NULL.
  690. * pref_only and pref_ipv6 work as in fascist_firewall_allows_address_addr().
  691. */
  692. static const tor_addr_port_t *
  693. fascist_firewall_choose_address_impl(const tor_addr_port_t *a,
  694. const tor_addr_port_t *b,
  695. int want_a,
  696. firewall_connection_t fw_connection,
  697. int pref_only, int pref_ipv6)
  698. {
  699. const tor_addr_port_t *use_a = NULL;
  700. const tor_addr_port_t *use_b = NULL;
  701. if (fascist_firewall_allows_address_ap(a, fw_connection, pref_only,
  702. pref_ipv6)) {
  703. use_a = a;
  704. }
  705. if (fascist_firewall_allows_address_ap(b, fw_connection, pref_only,
  706. pref_ipv6)) {
  707. use_b = b;
  708. }
  709. /* If both are allowed */
  710. if (use_a && use_b) {
  711. /* Choose a if we want it */
  712. return (want_a ? use_a : use_b);
  713. } else {
  714. /* Choose a if we have it */
  715. return (use_a ? use_a : use_b);
  716. }
  717. }
  718. /** If a and b are both valid and preferred by fw_connection,
  719. * choose one based on want_a and return it.
  720. * Otherwise, return whichever is preferred.
  721. * If neither are preferred, and pref_only is false:
  722. * - If a and b are both allowed by fw_connection,
  723. * choose one based on want_a and return it.
  724. * - Otherwise, return whichever is preferred.
  725. * Otherwise, return NULL. */
  726. STATIC const tor_addr_port_t *
  727. fascist_firewall_choose_address(const tor_addr_port_t *a,
  728. const tor_addr_port_t *b,
  729. int want_a,
  730. firewall_connection_t fw_connection,
  731. int pref_only, int pref_ipv6)
  732. {
  733. const tor_addr_port_t *pref = fascist_firewall_choose_address_impl(
  734. a, b, want_a,
  735. fw_connection,
  736. 1, pref_ipv6);
  737. if (pref_only || pref) {
  738. /* If there is a preferred address, use it. If we can only use preferred
  739. * addresses, and neither address is preferred, pref will be NULL, and we
  740. * want to return NULL, so return it. */
  741. return pref;
  742. } else {
  743. /* If there's no preferred address, and we can return addresses that are
  744. * not preferred, use an address that's allowed */
  745. return fascist_firewall_choose_address_impl(a, b, want_a, fw_connection,
  746. 0, pref_ipv6);
  747. }
  748. }
  749. /** Copy an address and port into <b>ap</b> that we think our firewall will
  750. * let us connect to. Uses ipv4_addr/ipv6_addr and
  751. * ipv4_orport/ipv6_orport/ReachableORAddresses or
  752. * ipv4_dirport/ipv6_dirport/ReachableDirAddresses based on IPv4/IPv6 and
  753. * <b>fw_connection</b>.
  754. * If pref_only, only choose preferred addresses. In either case, choose
  755. * a preferred address before an address that's not preferred.
  756. * If both addresses could be chosen (they are both preferred or both allowed)
  757. * choose IPv6 if pref_ipv6 is true, otherwise choose IPv4. */
  758. static void
  759. fascist_firewall_choose_address_base(const tor_addr_t *ipv4_addr,
  760. uint16_t ipv4_orport,
  761. uint16_t ipv4_dirport,
  762. const tor_addr_t *ipv6_addr,
  763. uint16_t ipv6_orport,
  764. uint16_t ipv6_dirport,
  765. firewall_connection_t fw_connection,
  766. int pref_only,
  767. int pref_ipv6,
  768. tor_addr_port_t* ap)
  769. {
  770. const tor_addr_port_t *result = NULL;
  771. const int want_ipv4 = !pref_ipv6;
  772. tor_assert(ipv6_addr);
  773. tor_assert(ap);
  774. tor_addr_make_null(&ap->addr, AF_UNSPEC);
  775. ap->port = 0;
  776. tor_addr_port_t ipv4_ap;
  777. tor_addr_copy(&ipv4_ap.addr, ipv4_addr);
  778. ipv4_ap.port = (fw_connection == FIREWALL_OR_CONNECTION
  779. ? ipv4_orport
  780. : ipv4_dirport);
  781. tor_addr_port_t ipv6_ap;
  782. tor_addr_copy(&ipv6_ap.addr, ipv6_addr);
  783. ipv6_ap.port = (fw_connection == FIREWALL_OR_CONNECTION
  784. ? ipv6_orport
  785. : ipv6_dirport);
  786. result = fascist_firewall_choose_address(&ipv4_ap, &ipv6_ap,
  787. want_ipv4,
  788. fw_connection, pref_only,
  789. pref_ipv6);
  790. if (result) {
  791. tor_addr_copy(&ap->addr, &result->addr);
  792. ap->port = result->port;
  793. }
  794. }
  795. /** Like fascist_firewall_choose_address_base(), but takes a host-order IPv4
  796. * address as the first parameter. */
  797. static void
  798. fascist_firewall_choose_address_ipv4h(uint32_t ipv4h_addr,
  799. uint16_t ipv4_orport,
  800. uint16_t ipv4_dirport,
  801. const tor_addr_t *ipv6_addr,
  802. uint16_t ipv6_orport,
  803. uint16_t ipv6_dirport,
  804. firewall_connection_t fw_connection,
  805. int pref_only,
  806. int pref_ipv6,
  807. tor_addr_port_t* ap)
  808. {
  809. tor_addr_t ipv4_addr;
  810. tor_addr_from_ipv4h(&ipv4_addr, ipv4h_addr);
  811. tor_assert(ap);
  812. tor_addr_make_null(&ap->addr, AF_UNSPEC);
  813. ap->port = 0;
  814. fascist_firewall_choose_address_base(&ipv4_addr, ipv4_orport,
  815. ipv4_dirport, ipv6_addr,
  816. ipv6_orport, ipv6_dirport,
  817. fw_connection, pref_only,
  818. pref_ipv6, ap);
  819. }
  820. /* Some microdescriptor consensus methods have no IPv6 addresses in rs: they
  821. * are in the microdescriptors. For these consensus methods, we can't rely on
  822. * the node's IPv6 address until its microdescriptor is available (when using
  823. * microdescs).
  824. * But for bridges, rewrite_node_address_for_bridge() updates node->ri with
  825. * the configured address, so we can trust bridge addresses.
  826. * (Bridges could gain an IPv6 address if their microdescriptor arrives, but
  827. * this will never be their preferred address: that is in the config.)
  828. * Returns true if the node needs a microdescriptor for its IPv6 address, and
  829. * false if the addresses in the node are already up-to-date.
  830. */
  831. static int
  832. node_awaiting_ipv6(const or_options_t* options, const node_t *node)
  833. {
  834. tor_assert(node);
  835. /* There's no point waiting for an IPv6 address if we'd never use it */
  836. if (!fascist_firewall_use_ipv6(options)) {
  837. return 0;
  838. }
  839. /* If the node has an IPv6 address, we're not waiting */
  840. if (node_has_ipv6_addr(node)) {
  841. return 0;
  842. }
  843. /* If the current consensus method and flavour has IPv6 addresses, we're not
  844. * waiting */
  845. if (networkstatus_consensus_has_ipv6(options)) {
  846. return 0;
  847. }
  848. /* Bridge clients never use the address from a bridge's md, so there's no
  849. * need to wait for it. */
  850. if (node_is_a_configured_bridge(node)) {
  851. return 0;
  852. }
  853. /* We are waiting if we_use_microdescriptors_for_circuits() and we have no
  854. * md. */
  855. return (!node->md && we_use_microdescriptors_for_circuits(options));
  856. }
  857. /** Like fascist_firewall_choose_address_base(), but takes <b>rs</b>.
  858. * Consults the corresponding node, then falls back to rs if node is NULL.
  859. * This should only happen when there's no valid consensus, and rs doesn't
  860. * correspond to a bridge client's bridge.
  861. */
  862. void
  863. fascist_firewall_choose_address_rs(const routerstatus_t *rs,
  864. firewall_connection_t fw_connection,
  865. int pref_only, tor_addr_port_t* ap)
  866. {
  867. tor_assert(ap);
  868. tor_addr_make_null(&ap->addr, AF_UNSPEC);
  869. ap->port = 0;
  870. if (!rs) {
  871. return;
  872. }
  873. const or_options_t *options = get_options();
  874. const node_t *node = node_get_by_id(rs->identity_digest);
  875. if (node && !node_awaiting_ipv6(options, node)) {
  876. fascist_firewall_choose_address_node(node, fw_connection, pref_only, ap);
  877. } else {
  878. /* There's no node-specific IPv6 preference, so use the generic IPv6
  879. * preference instead. */
  880. int pref_ipv6 = (fw_connection == FIREWALL_OR_CONNECTION
  881. ? fascist_firewall_prefer_ipv6_orport(options)
  882. : fascist_firewall_prefer_ipv6_dirport(options));
  883. /* Assume IPv4 and IPv6 DirPorts are the same.
  884. * Assume the IPv6 OR and Dir addresses are the same. */
  885. fascist_firewall_choose_address_ipv4h(rs->addr, rs->or_port, rs->dir_port,
  886. &rs->ipv6_addr, rs->ipv6_orport,
  887. rs->dir_port, fw_connection,
  888. pref_only, pref_ipv6, ap);
  889. }
  890. }
  891. /** Like fascist_firewall_choose_address_base(), but takes <b>node</b>, and
  892. * looks up the node's IPv6 preference rather than taking an argument
  893. * for pref_ipv6. */
  894. void
  895. fascist_firewall_choose_address_node(const node_t *node,
  896. firewall_connection_t fw_connection,
  897. int pref_only, tor_addr_port_t *ap)
  898. {
  899. tor_assert(ap);
  900. tor_addr_make_null(&ap->addr, AF_UNSPEC);
  901. ap->port = 0;
  902. if (!node) {
  903. return;
  904. }
  905. node_assert_ok(node);
  906. /* Calling fascist_firewall_choose_address_node() when the node is missing
  907. * IPv6 information breaks IPv6-only clients.
  908. * If the node is a hard-coded fallback directory or authority, call
  909. * fascist_firewall_choose_address_rs() on the fake (hard-coded) routerstatus
  910. * for the node.
  911. * If it is not hard-coded, check that the node has a microdescriptor, full
  912. * descriptor (routerinfo), or is one of our configured bridges before
  913. * calling this function. */
  914. if (BUG(node_awaiting_ipv6(get_options(), node))) {
  915. return;
  916. }
  917. const int pref_ipv6_node = (fw_connection == FIREWALL_OR_CONNECTION
  918. ? node_ipv6_or_preferred(node)
  919. : node_ipv6_dir_preferred(node));
  920. tor_addr_port_t ipv4_or_ap;
  921. node_get_prim_orport(node, &ipv4_or_ap);
  922. tor_addr_port_t ipv4_dir_ap;
  923. node_get_prim_dirport(node, &ipv4_dir_ap);
  924. tor_addr_port_t ipv6_or_ap;
  925. node_get_pref_ipv6_orport(node, &ipv6_or_ap);
  926. tor_addr_port_t ipv6_dir_ap;
  927. node_get_pref_ipv6_dirport(node, &ipv6_dir_ap);
  928. /* Assume the IPv6 OR and Dir addresses are the same. */
  929. fascist_firewall_choose_address_base(&ipv4_or_ap.addr, ipv4_or_ap.port,
  930. ipv4_dir_ap.port, &ipv6_or_ap.addr,
  931. ipv6_or_ap.port, ipv6_dir_ap.port,
  932. fw_connection, pref_only,
  933. pref_ipv6_node, ap);
  934. }
  935. /** Like fascist_firewall_choose_address_rs(), but takes <b>ds</b>. */
  936. void
  937. fascist_firewall_choose_address_dir_server(const dir_server_t *ds,
  938. firewall_connection_t fw_connection,
  939. int pref_only,
  940. tor_addr_port_t *ap)
  941. {
  942. tor_assert(ap);
  943. tor_addr_make_null(&ap->addr, AF_UNSPEC);
  944. ap->port = 0;
  945. if (!ds) {
  946. return;
  947. }
  948. /* A dir_server_t always has a fake_status. As long as it has the same
  949. * addresses/ports in both fake_status and dir_server_t, this works fine.
  950. * (See #17867.)
  951. * This function relies on fascist_firewall_choose_address_rs looking up the
  952. * node if it can, because that will get the latest info for the relay. */
  953. fascist_firewall_choose_address_rs(&ds->fake_status, fw_connection,
  954. pref_only, ap);
  955. }
  956. /** Return 1 if <b>addr</b> is permitted to connect to our dir port,
  957. * based on <b>dir_policy</b>. Else return 0.
  958. */
  959. int
  960. dir_policy_permits_address(const tor_addr_t *addr)
  961. {
  962. return addr_policy_permits_tor_addr(addr, 1, dir_policy);
  963. }
  964. /** Return 1 if <b>addr</b> is permitted to connect to our socks port,
  965. * based on <b>socks_policy</b>. Else return 0.
  966. */
  967. int
  968. socks_policy_permits_address(const tor_addr_t *addr)
  969. {
  970. return addr_policy_permits_tor_addr(addr, 1, socks_policy);
  971. }
  972. /** Return true iff the address <b>addr</b> is in a country listed in the
  973. * case-insensitive list of country codes <b>cc_list</b>. */
  974. static int
  975. addr_is_in_cc_list(uint32_t addr, const smartlist_t *cc_list)
  976. {
  977. country_t country;
  978. const char *name;
  979. tor_addr_t tar;
  980. if (!cc_list)
  981. return 0;
  982. /* XXXXipv6 */
  983. tor_addr_from_ipv4h(&tar, addr);
  984. country = geoip_get_country_by_addr(&tar);
  985. name = geoip_get_country_name(country);
  986. return smartlist_contains_string_case(cc_list, name);
  987. }
  988. /** Return 1 if <b>addr</b>:<b>port</b> is permitted to publish to our
  989. * directory, based on <b>authdir_reject_policy</b>. Else return 0.
  990. */
  991. int
  992. authdir_policy_permits_address(uint32_t addr, uint16_t port)
  993. {
  994. if (! addr_policy_permits_address(addr, port, authdir_reject_policy))
  995. return 0;
  996. return !addr_is_in_cc_list(addr, get_options()->AuthDirRejectCCs);
  997. }
  998. /** Return 1 if <b>addr</b>:<b>port</b> is considered valid in our
  999. * directory, based on <b>authdir_invalid_policy</b>. Else return 0.
  1000. */
  1001. int
  1002. authdir_policy_valid_address(uint32_t addr, uint16_t port)
  1003. {
  1004. if (! addr_policy_permits_address(addr, port, authdir_invalid_policy))
  1005. return 0;
  1006. return !addr_is_in_cc_list(addr, get_options()->AuthDirInvalidCCs);
  1007. }
  1008. /** Return 1 if <b>addr</b>:<b>port</b> should be marked as a bad exit,
  1009. * based on <b>authdir_badexit_policy</b>. Else return 0.
  1010. */
  1011. int
  1012. authdir_policy_badexit_address(uint32_t addr, uint16_t port)
  1013. {
  1014. if (! addr_policy_permits_address(addr, port, authdir_badexit_policy))
  1015. return 1;
  1016. return addr_is_in_cc_list(addr, get_options()->AuthDirBadExitCCs);
  1017. }
  1018. #define REJECT(arg) \
  1019. STMT_BEGIN *msg = tor_strdup(arg); goto err; STMT_END
  1020. /** Config helper: If there's any problem with the policy configuration
  1021. * options in <b>options</b>, return -1 and set <b>msg</b> to a newly
  1022. * allocated description of the error. Else return 0. */
  1023. int
  1024. validate_addr_policies(const or_options_t *options, char **msg)
  1025. {
  1026. /* XXXX Maybe merge this into parse_policies_from_options, to make sure
  1027. * that the two can't go out of sync. */
  1028. smartlist_t *addr_policy=NULL;
  1029. *msg = NULL;
  1030. if (policies_parse_exit_policy_from_options(options,0,NULL,&addr_policy)) {
  1031. REJECT("Error in ExitPolicy entry.");
  1032. }
  1033. static int warned_about_exitrelay = 0;
  1034. const int exitrelay_setting_is_auto = options->ExitRelay == -1;
  1035. const int policy_accepts_something =
  1036. ! (policy_is_reject_star(addr_policy, AF_INET, 1) &&
  1037. policy_is_reject_star(addr_policy, AF_INET6, 1));
  1038. if (server_mode(options) &&
  1039. ! warned_about_exitrelay &&
  1040. exitrelay_setting_is_auto &&
  1041. policy_accepts_something) {
  1042. /* Policy accepts something */
  1043. warned_about_exitrelay = 1;
  1044. log_warn(LD_CONFIG,
  1045. "Tor is running as an exit relay%s. If you did not want this "
  1046. "behavior, please set the ExitRelay option to 0. If you do "
  1047. "want to run an exit Relay, please set the ExitRelay option "
  1048. "to 1 to disable this warning, and for forward compatibility.",
  1049. options->ExitPolicy == NULL ?
  1050. " with the default exit policy" : "");
  1051. if (options->ExitPolicy == NULL && options->ReducedExitPolicy == 0) {
  1052. log_warn(LD_CONFIG,
  1053. "In a future version of Tor, ExitRelay 0 may become the "
  1054. "default when no ExitPolicy is given.");
  1055. }
  1056. }
  1057. /* The rest of these calls *append* to addr_policy. So don't actually
  1058. * use the results for anything other than checking if they parse! */
  1059. if (parse_addr_policy(options->DirPolicy, &addr_policy, -1))
  1060. REJECT("Error in DirPolicy entry.");
  1061. if (parse_addr_policy(options->SocksPolicy, &addr_policy, -1))
  1062. REJECT("Error in SocksPolicy entry.");
  1063. if (parse_addr_policy(options->AuthDirReject, &addr_policy,
  1064. ADDR_POLICY_REJECT))
  1065. REJECT("Error in AuthDirReject entry.");
  1066. if (parse_addr_policy(options->AuthDirInvalid, &addr_policy,
  1067. ADDR_POLICY_REJECT))
  1068. REJECT("Error in AuthDirInvalid entry.");
  1069. if (parse_addr_policy(options->AuthDirBadExit, &addr_policy,
  1070. ADDR_POLICY_REJECT))
  1071. REJECT("Error in AuthDirBadExit entry.");
  1072. if (parse_addr_policy(options->ReachableAddresses, &addr_policy,
  1073. ADDR_POLICY_ACCEPT))
  1074. REJECT("Error in ReachableAddresses entry.");
  1075. if (parse_addr_policy(options->ReachableORAddresses, &addr_policy,
  1076. ADDR_POLICY_ACCEPT))
  1077. REJECT("Error in ReachableORAddresses entry.");
  1078. if (parse_addr_policy(options->ReachableDirAddresses, &addr_policy,
  1079. ADDR_POLICY_ACCEPT))
  1080. REJECT("Error in ReachableDirAddresses entry.");
  1081. err:
  1082. addr_policy_list_free(addr_policy);
  1083. return *msg ? -1 : 0;
  1084. #undef REJECT
  1085. }
  1086. /** Parse <b>string</b> in the same way that the exit policy
  1087. * is parsed, and put the processed version in *<b>policy</b>.
  1088. * Ignore port specifiers.
  1089. */
  1090. static int
  1091. load_policy_from_option(config_line_t *config, const char *option_name,
  1092. smartlist_t **policy,
  1093. int assume_action)
  1094. {
  1095. int r;
  1096. int killed_any_ports = 0;
  1097. addr_policy_list_free(*policy);
  1098. *policy = NULL;
  1099. r = parse_addr_policy(config, policy, assume_action);
  1100. if (r < 0) {
  1101. return -1;
  1102. }
  1103. if (*policy) {
  1104. SMARTLIST_FOREACH_BEGIN(*policy, addr_policy_t *, n) {
  1105. /* ports aren't used in these. */
  1106. if (n->prt_min > 1 || n->prt_max != 65535) {
  1107. addr_policy_t newp, *c;
  1108. memcpy(&newp, n, sizeof(newp));
  1109. newp.prt_min = 1;
  1110. newp.prt_max = 65535;
  1111. newp.is_canonical = 0;
  1112. c = addr_policy_get_canonical_entry(&newp);
  1113. SMARTLIST_REPLACE_CURRENT(*policy, n, c);
  1114. addr_policy_free(n);
  1115. killed_any_ports = 1;
  1116. }
  1117. } SMARTLIST_FOREACH_END(n);
  1118. }
  1119. if (killed_any_ports) {
  1120. log_warn(LD_CONFIG, "Ignoring ports in %s option.", option_name);
  1121. }
  1122. return 0;
  1123. }
  1124. /** Set all policies based on <b>options</b>, which should have been validated
  1125. * first by validate_addr_policies. */
  1126. int
  1127. policies_parse_from_options(const or_options_t *options)
  1128. {
  1129. int ret = 0;
  1130. if (load_policy_from_option(options->SocksPolicy, "SocksPolicy",
  1131. &socks_policy, -1) < 0)
  1132. ret = -1;
  1133. if (load_policy_from_option(options->DirPolicy, "DirPolicy",
  1134. &dir_policy, -1) < 0)
  1135. ret = -1;
  1136. if (load_policy_from_option(options->AuthDirReject, "AuthDirReject",
  1137. &authdir_reject_policy, ADDR_POLICY_REJECT) < 0)
  1138. ret = -1;
  1139. if (load_policy_from_option(options->AuthDirInvalid, "AuthDirInvalid",
  1140. &authdir_invalid_policy, ADDR_POLICY_REJECT) < 0)
  1141. ret = -1;
  1142. if (load_policy_from_option(options->AuthDirBadExit, "AuthDirBadExit",
  1143. &authdir_badexit_policy, ADDR_POLICY_REJECT) < 0)
  1144. ret = -1;
  1145. if (parse_reachable_addresses() < 0)
  1146. ret = -1;
  1147. return ret;
  1148. }
  1149. /** Compare two provided address policy items, and renturn -1, 0, or 1
  1150. * if the first is less than, equal to, or greater than the second. */
  1151. static int
  1152. single_addr_policy_eq(const addr_policy_t *a, const addr_policy_t *b)
  1153. {
  1154. int r;
  1155. #define CMP_FIELD(field) do { \
  1156. if (a->field != b->field) { \
  1157. return 0; \
  1158. } \
  1159. } while (0)
  1160. CMP_FIELD(policy_type);
  1161. CMP_FIELD(is_private);
  1162. /* refcnt and is_canonical are irrelevant to equality,
  1163. * they are hash table implementation details */
  1164. if ((r=tor_addr_compare(&a->addr, &b->addr, CMP_EXACT)))
  1165. return 0;
  1166. CMP_FIELD(maskbits);
  1167. CMP_FIELD(prt_min);
  1168. CMP_FIELD(prt_max);
  1169. #undef CMP_FIELD
  1170. return 1;
  1171. }
  1172. /** As single_addr_policy_eq, but compare every element of two policies.
  1173. */
  1174. int
  1175. addr_policies_eq(const smartlist_t *a, const smartlist_t *b)
  1176. {
  1177. int i;
  1178. int len_a = a ? smartlist_len(a) : 0;
  1179. int len_b = b ? smartlist_len(b) : 0;
  1180. if (len_a != len_b)
  1181. return 0;
  1182. for (i = 0; i < len_a; ++i) {
  1183. if (! single_addr_policy_eq(smartlist_get(a, i), smartlist_get(b, i)))
  1184. return 0;
  1185. }
  1186. return 1;
  1187. }
  1188. /** Node in hashtable used to store address policy entries. */
  1189. typedef struct policy_map_ent_t {
  1190. HT_ENTRY(policy_map_ent_t) node;
  1191. addr_policy_t *policy;
  1192. } policy_map_ent_t;
  1193. /* DOCDOC policy_root */
  1194. static HT_HEAD(policy_map, policy_map_ent_t) policy_root = HT_INITIALIZER();
  1195. /** Return true iff a and b are equal. */
  1196. static inline int
  1197. policy_eq(policy_map_ent_t *a, policy_map_ent_t *b)
  1198. {
  1199. return single_addr_policy_eq(a->policy, b->policy);
  1200. }
  1201. /** Return a hashcode for <b>ent</b> */
  1202. static unsigned int
  1203. policy_hash(const policy_map_ent_t *ent)
  1204. {
  1205. const addr_policy_t *a = ent->policy;
  1206. addr_policy_t aa;
  1207. memset(&aa, 0, sizeof(aa));
  1208. aa.prt_min = a->prt_min;
  1209. aa.prt_max = a->prt_max;
  1210. aa.maskbits = a->maskbits;
  1211. aa.policy_type = a->policy_type;
  1212. aa.is_private = a->is_private;
  1213. if (a->is_private) {
  1214. aa.is_private = 1;
  1215. } else {
  1216. tor_addr_copy_tight(&aa.addr, &a->addr);
  1217. }
  1218. return (unsigned) siphash24g(&aa, sizeof(aa));
  1219. }
  1220. HT_PROTOTYPE(policy_map, policy_map_ent_t, node, policy_hash,
  1221. policy_eq)
  1222. HT_GENERATE2(policy_map, policy_map_ent_t, node, policy_hash,
  1223. policy_eq, 0.6, tor_reallocarray_, tor_free_)
  1224. /** Given a pointer to an addr_policy_t, return a copy of the pointer to the
  1225. * "canonical" copy of that addr_policy_t; the canonical copy is a single
  1226. * reference-counted object. */
  1227. addr_policy_t *
  1228. addr_policy_get_canonical_entry(addr_policy_t *e)
  1229. {
  1230. policy_map_ent_t search, *found;
  1231. if (e->is_canonical)
  1232. return e;
  1233. search.policy = e;
  1234. found = HT_FIND(policy_map, &policy_root, &search);
  1235. if (!found) {
  1236. found = tor_malloc_zero(sizeof(policy_map_ent_t));
  1237. found->policy = tor_memdup(e, sizeof(addr_policy_t));
  1238. found->policy->is_canonical = 1;
  1239. found->policy->refcnt = 0;
  1240. HT_INSERT(policy_map, &policy_root, found);
  1241. }
  1242. tor_assert(single_addr_policy_eq(found->policy, e));
  1243. ++found->policy->refcnt;
  1244. return found->policy;
  1245. }
  1246. /** Helper for compare_tor_addr_to_addr_policy. Implements the case where
  1247. * addr and port are both known. */
  1248. static addr_policy_result_t
  1249. compare_known_tor_addr_to_addr_policy(const tor_addr_t *addr, uint16_t port,
  1250. const smartlist_t *policy)
  1251. {
  1252. /* We know the address and port, and we know the policy, so we can just
  1253. * compute an exact match. */
  1254. SMARTLIST_FOREACH_BEGIN(policy, addr_policy_t *, tmpe) {
  1255. if (tmpe->addr.family == AF_UNSPEC) {
  1256. log_warn(LD_BUG, "Policy contains an AF_UNSPEC address, which only "
  1257. "matches other AF_UNSPEC addresses.");
  1258. }
  1259. /* Address is known */
  1260. if (!tor_addr_compare_masked(addr, &tmpe->addr, tmpe->maskbits,
  1261. CMP_EXACT)) {
  1262. if (port >= tmpe->prt_min && port <= tmpe->prt_max) {
  1263. /* Exact match for the policy */
  1264. return tmpe->policy_type == ADDR_POLICY_ACCEPT ?
  1265. ADDR_POLICY_ACCEPTED : ADDR_POLICY_REJECTED;
  1266. }
  1267. }
  1268. } SMARTLIST_FOREACH_END(tmpe);
  1269. /* accept all by default. */
  1270. return ADDR_POLICY_ACCEPTED;
  1271. }
  1272. /** Helper for compare_tor_addr_to_addr_policy. Implements the case where
  1273. * addr is known but port is not. */
  1274. static addr_policy_result_t
  1275. compare_known_tor_addr_to_addr_policy_noport(const tor_addr_t *addr,
  1276. const smartlist_t *policy)
  1277. {
  1278. /* We look to see if there's a definite match. If so, we return that
  1279. match's value, unless there's an intervening possible match that says
  1280. something different. */
  1281. int maybe_accept = 0, maybe_reject = 0;
  1282. SMARTLIST_FOREACH_BEGIN(policy, addr_policy_t *, tmpe) {
  1283. if (tmpe->addr.family == AF_UNSPEC) {
  1284. log_warn(LD_BUG, "Policy contains an AF_UNSPEC address, which only "
  1285. "matches other AF_UNSPEC addresses.");
  1286. }
  1287. if (!tor_addr_compare_masked(addr, &tmpe->addr, tmpe->maskbits,
  1288. CMP_EXACT)) {
  1289. if (tmpe->prt_min <= 1 && tmpe->prt_max >= 65535) {
  1290. /* Definitely matches, since it covers all ports. */
  1291. if (tmpe->policy_type == ADDR_POLICY_ACCEPT) {
  1292. /* If we already hit a clause that might trigger a 'reject', than we
  1293. * can't be sure of this certain 'accept'.*/
  1294. return maybe_reject ? ADDR_POLICY_PROBABLY_ACCEPTED :
  1295. ADDR_POLICY_ACCEPTED;
  1296. } else {
  1297. return maybe_accept ? ADDR_POLICY_PROBABLY_REJECTED :
  1298. ADDR_POLICY_REJECTED;
  1299. }
  1300. } else {
  1301. /* Might match. */
  1302. if (tmpe->policy_type == ADDR_POLICY_REJECT)
  1303. maybe_reject = 1;
  1304. else
  1305. maybe_accept = 1;
  1306. }
  1307. }
  1308. } SMARTLIST_FOREACH_END(tmpe);
  1309. /* accept all by default. */
  1310. return maybe_reject ? ADDR_POLICY_PROBABLY_ACCEPTED : ADDR_POLICY_ACCEPTED;
  1311. }
  1312. /** Helper for compare_tor_addr_to_addr_policy. Implements the case where
  1313. * port is known but address is not. */
  1314. static addr_policy_result_t
  1315. compare_unknown_tor_addr_to_addr_policy(uint16_t port,
  1316. const smartlist_t *policy)
  1317. {
  1318. /* We look to see if there's a definite match. If so, we return that
  1319. match's value, unless there's an intervening possible match that says
  1320. something different. */
  1321. int maybe_accept = 0, maybe_reject = 0;
  1322. SMARTLIST_FOREACH_BEGIN(policy, addr_policy_t *, tmpe) {
  1323. if (tmpe->addr.family == AF_UNSPEC) {
  1324. log_warn(LD_BUG, "Policy contains an AF_UNSPEC address, which only "
  1325. "matches other AF_UNSPEC addresses.");
  1326. }
  1327. if (tmpe->prt_min <= port && port <= tmpe->prt_max) {
  1328. if (tmpe->maskbits == 0) {
  1329. /* Definitely matches, since it covers all addresses. */
  1330. if (tmpe->policy_type == ADDR_POLICY_ACCEPT) {
  1331. /* If we already hit a clause that might trigger a 'reject', than we
  1332. * can't be sure of this certain 'accept'.*/
  1333. return maybe_reject ? ADDR_POLICY_PROBABLY_ACCEPTED :
  1334. ADDR_POLICY_ACCEPTED;
  1335. } else {
  1336. return maybe_accept ? ADDR_POLICY_PROBABLY_REJECTED :
  1337. ADDR_POLICY_REJECTED;
  1338. }
  1339. } else {
  1340. /* Might match. */
  1341. if (tmpe->policy_type == ADDR_POLICY_REJECT)
  1342. maybe_reject = 1;
  1343. else
  1344. maybe_accept = 1;
  1345. }
  1346. }
  1347. } SMARTLIST_FOREACH_END(tmpe);
  1348. /* accept all by default. */
  1349. return maybe_reject ? ADDR_POLICY_PROBABLY_ACCEPTED : ADDR_POLICY_ACCEPTED;
  1350. }
  1351. /** Decide whether a given addr:port is definitely accepted,
  1352. * definitely rejected, probably accepted, or probably rejected by a
  1353. * given policy. If <b>addr</b> is 0, we don't know the IP of the
  1354. * target address. If <b>port</b> is 0, we don't know the port of the
  1355. * target address. (At least one of <b>addr</b> and <b>port</b> must be
  1356. * provided. If you want to know whether a policy would definitely reject
  1357. * an unknown address:port, use policy_is_reject_star().)
  1358. *
  1359. * We could do better by assuming that some ranges never match typical
  1360. * addresses (127.0.0.1, and so on). But we'll try this for now.
  1361. */
  1362. MOCK_IMPL(addr_policy_result_t,
  1363. compare_tor_addr_to_addr_policy,(const tor_addr_t *addr, uint16_t port,
  1364. const smartlist_t *policy))
  1365. {
  1366. if (!policy) {
  1367. /* no policy? accept all. */
  1368. return ADDR_POLICY_ACCEPTED;
  1369. } else if (addr == NULL || tor_addr_is_null(addr)) {
  1370. if (port == 0) {
  1371. log_info(LD_BUG, "Rejecting null address with 0 port (family %d)",
  1372. addr ? tor_addr_family(addr) : -1);
  1373. return ADDR_POLICY_REJECTED;
  1374. }
  1375. return compare_unknown_tor_addr_to_addr_policy(port, policy);
  1376. } else if (port == 0) {
  1377. return compare_known_tor_addr_to_addr_policy_noport(addr, policy);
  1378. } else {
  1379. return compare_known_tor_addr_to_addr_policy(addr, port, policy);
  1380. }
  1381. }
  1382. /** Return true iff the address policy <b>a</b> covers every case that
  1383. * would be covered by <b>b</b>, so that a,b is redundant. */
  1384. static int
  1385. addr_policy_covers(addr_policy_t *a, addr_policy_t *b)
  1386. {
  1387. if (tor_addr_family(&a->addr) != tor_addr_family(&b->addr)) {
  1388. /* You can't cover a different family. */
  1389. return 0;
  1390. }
  1391. /* We can ignore accept/reject, since "accept *:80, reject *:80" reduces
  1392. * to "accept *:80". */
  1393. if (a->maskbits > b->maskbits) {
  1394. /* a has more fixed bits than b; it can't possibly cover b. */
  1395. return 0;
  1396. }
  1397. if (tor_addr_compare_masked(&a->addr, &b->addr, a->maskbits, CMP_EXACT)) {
  1398. /* There's a fixed bit in a that's set differently in b. */
  1399. return 0;
  1400. }
  1401. return (a->prt_min <= b->prt_min && a->prt_max >= b->prt_max);
  1402. }
  1403. /** Return true iff the address policies <b>a</b> and <b>b</b> intersect,
  1404. * that is, there exists an address/port that is covered by <b>a</b> that
  1405. * is also covered by <b>b</b>.
  1406. */
  1407. static int
  1408. addr_policy_intersects(addr_policy_t *a, addr_policy_t *b)
  1409. {
  1410. maskbits_t minbits;
  1411. /* All the bits we care about are those that are set in both
  1412. * netmasks. If they are equal in a and b's networkaddresses
  1413. * then the networks intersect. If there is a difference,
  1414. * then they do not. */
  1415. if (a->maskbits < b->maskbits)
  1416. minbits = a->maskbits;
  1417. else
  1418. minbits = b->maskbits;
  1419. if (tor_addr_compare_masked(&a->addr, &b->addr, minbits, CMP_EXACT))
  1420. return 0;
  1421. if (a->prt_max < b->prt_min || b->prt_max < a->prt_min)
  1422. return 0;
  1423. return 1;
  1424. }
  1425. /** Add the exit policy described by <b>more</b> to <b>policy</b>.
  1426. */
  1427. STATIC void
  1428. append_exit_policy_string(smartlist_t **policy, const char *more)
  1429. {
  1430. config_line_t tmp;
  1431. tmp.key = NULL;
  1432. tmp.value = (char*) more;
  1433. tmp.next = NULL;
  1434. if (parse_addr_policy(&tmp, policy, -1)<0) {
  1435. log_warn(LD_BUG, "Unable to parse internally generated policy %s",more);
  1436. }
  1437. }
  1438. /** Add "reject <b>addr</b>:*" to <b>dest</b>, creating the list as needed. */
  1439. void
  1440. addr_policy_append_reject_addr(smartlist_t **dest, const tor_addr_t *addr)
  1441. {
  1442. tor_assert(dest);
  1443. tor_assert(addr);
  1444. addr_policy_t p, *add;
  1445. memset(&p, 0, sizeof(p));
  1446. p.policy_type = ADDR_POLICY_REJECT;
  1447. p.maskbits = tor_addr_family(addr) == AF_INET6 ? 128 : 32;
  1448. tor_addr_copy(&p.addr, addr);
  1449. p.prt_min = 1;
  1450. p.prt_max = 65535;
  1451. add = addr_policy_get_canonical_entry(&p);
  1452. if (!*dest)
  1453. *dest = smartlist_new();
  1454. smartlist_add(*dest, add);
  1455. log_debug(LD_CONFIG, "Adding a reject ExitPolicy 'reject %s:*'",
  1456. fmt_addr(addr));
  1457. }
  1458. /* Is addr public for the purposes of rejection? */
  1459. static int
  1460. tor_addr_is_public_for_reject(const tor_addr_t *addr)
  1461. {
  1462. return (!tor_addr_is_null(addr) && !tor_addr_is_internal(addr, 0)
  1463. && !tor_addr_is_multicast(addr));
  1464. }
  1465. /* Add "reject <b>addr</b>:*" to <b>dest</b>, creating the list as needed.
  1466. * Filter the address, only adding an IPv4 reject rule if ipv4_rules
  1467. * is true, and similarly for ipv6_rules. Check each address returns true for
  1468. * tor_addr_is_public_for_reject before adding it.
  1469. */
  1470. static void
  1471. addr_policy_append_reject_addr_filter(smartlist_t **dest,
  1472. const tor_addr_t *addr,
  1473. int ipv4_rules,
  1474. int ipv6_rules)
  1475. {
  1476. tor_assert(dest);
  1477. tor_assert(addr);
  1478. /* Only reject IP addresses which are public */
  1479. if (tor_addr_is_public_for_reject(addr)) {
  1480. /* Reject IPv4 addresses and IPv6 addresses based on the filters */
  1481. int is_ipv4 = tor_addr_is_v4(addr);
  1482. if ((is_ipv4 && ipv4_rules) || (!is_ipv4 && ipv6_rules)) {
  1483. addr_policy_append_reject_addr(dest, addr);
  1484. }
  1485. }
  1486. }
  1487. /** Add "reject addr:*" to <b>dest</b>, for each addr in addrs, creating the
  1488. * list as needed. */
  1489. void
  1490. addr_policy_append_reject_addr_list(smartlist_t **dest,
  1491. const smartlist_t *addrs)
  1492. {
  1493. tor_assert(dest);
  1494. tor_assert(addrs);
  1495. SMARTLIST_FOREACH_BEGIN(addrs, tor_addr_t *, addr) {
  1496. addr_policy_append_reject_addr(dest, addr);
  1497. } SMARTLIST_FOREACH_END(addr);
  1498. }
  1499. /** Add "reject addr:*" to <b>dest</b>, for each addr in addrs, creating the
  1500. * list as needed. Filter using */
  1501. static void
  1502. addr_policy_append_reject_addr_list_filter(smartlist_t **dest,
  1503. const smartlist_t *addrs,
  1504. int ipv4_rules,
  1505. int ipv6_rules)
  1506. {
  1507. tor_assert(dest);
  1508. tor_assert(addrs);
  1509. SMARTLIST_FOREACH_BEGIN(addrs, tor_addr_t *, addr) {
  1510. addr_policy_append_reject_addr_filter(dest, addr, ipv4_rules, ipv6_rules);
  1511. } SMARTLIST_FOREACH_END(addr);
  1512. }
  1513. /** Detect and excise "dead code" from the policy *<b>dest</b>. */
  1514. static void
  1515. exit_policy_remove_redundancies(smartlist_t *dest)
  1516. {
  1517. addr_policy_t *ap, *tmp;
  1518. int i, j;
  1519. /* Step one: kill every ipv4 thing after *4:*, every IPv6 thing after *6:*
  1520. */
  1521. {
  1522. int kill_v4=0, kill_v6=0;
  1523. for (i = 0; i < smartlist_len(dest); ++i) {
  1524. sa_family_t family;
  1525. ap = smartlist_get(dest, i);
  1526. family = tor_addr_family(&ap->addr);
  1527. if ((family == AF_INET && kill_v4) ||
  1528. (family == AF_INET6 && kill_v6)) {
  1529. smartlist_del_keeporder(dest, i--);
  1530. addr_policy_free(ap);
  1531. continue;
  1532. }
  1533. if (ap->maskbits == 0 && ap->prt_min <= 1 && ap->prt_max >= 65535) {
  1534. /* This is a catch-all line -- later lines are unreachable. */
  1535. if (family == AF_INET) {
  1536. kill_v4 = 1;
  1537. } else if (family == AF_INET6) {
  1538. kill_v6 = 1;
  1539. }
  1540. }
  1541. }
  1542. }
  1543. /* Step two: for every entry, see if there's a redundant entry
  1544. * later on, and remove it. */
  1545. for (i = 0; i < smartlist_len(dest)-1; ++i) {
  1546. ap = smartlist_get(dest, i);
  1547. for (j = i+1; j < smartlist_len(dest); ++j) {
  1548. tmp = smartlist_get(dest, j);
  1549. tor_assert(j > i);
  1550. if (addr_policy_covers(ap, tmp)) {
  1551. char p1[POLICY_BUF_LEN], p2[POLICY_BUF_LEN];
  1552. policy_write_item(p1, sizeof(p1), tmp, 0);
  1553. policy_write_item(p2, sizeof(p2), ap, 0);
  1554. log_debug(LD_CONFIG, "Removing exit policy %s (%d). It is made "
  1555. "redundant by %s (%d).", p1, j, p2, i);
  1556. smartlist_del_keeporder(dest, j--);
  1557. addr_policy_free(tmp);
  1558. }
  1559. }
  1560. }
  1561. /* Step three: for every entry A, see if there's an entry B making this one
  1562. * redundant later on. This is the case if A and B are of the same type
  1563. * (accept/reject), A is a subset of B, and there is no other entry of
  1564. * different type in between those two that intersects with A.
  1565. *
  1566. * Anybody want to double-check the logic here? XXX
  1567. */
  1568. for (i = 0; i < smartlist_len(dest)-1; ++i) {
  1569. ap = smartlist_get(dest, i);
  1570. for (j = i+1; j < smartlist_len(dest); ++j) {
  1571. // tor_assert(j > i); // j starts out at i+1; j only increases; i only
  1572. // // decreases.
  1573. tmp = smartlist_get(dest, j);
  1574. if (ap->policy_type != tmp->policy_type) {
  1575. if (addr_policy_intersects(ap, tmp))
  1576. break;
  1577. } else { /* policy_types are equal. */
  1578. if (addr_policy_covers(tmp, ap)) {
  1579. char p1[POLICY_BUF_LEN], p2[POLICY_BUF_LEN];
  1580. policy_write_item(p1, sizeof(p1), ap, 0);
  1581. policy_write_item(p2, sizeof(p2), tmp, 0);
  1582. log_debug(LD_CONFIG, "Removing exit policy %s. It is already "
  1583. "covered by %s.", p1, p2);
  1584. smartlist_del_keeporder(dest, i--);
  1585. addr_policy_free(ap);
  1586. break;
  1587. }
  1588. }
  1589. }
  1590. }
  1591. }
  1592. /** Reject private helper for policies_parse_exit_policy_internal: rejects
  1593. * publicly routable addresses on this exit relay.
  1594. *
  1595. * Add reject entries to the linked list *<b>dest</b>:
  1596. * <ul>
  1597. * <li>if configured_addresses is non-NULL, add entries that reject each
  1598. * tor_addr_t in the list as a destination.
  1599. * <li>if reject_interface_addresses is true, add entries that reject each
  1600. * public IPv4 and IPv6 address of each interface on this machine.
  1601. * <li>if reject_configured_port_addresses is true, add entries that reject
  1602. * each IPv4 and IPv6 address configured for a port.
  1603. * </ul>
  1604. *
  1605. * IPv6 entries are only added if ipv6_exit is true. (All IPv6 addresses are
  1606. * already blocked by policies_parse_exit_policy_internal if ipv6_exit is
  1607. * false.)
  1608. *
  1609. * The list in <b>dest</b> is created as needed.
  1610. */
  1611. void
  1612. policies_parse_exit_policy_reject_private(
  1613. smartlist_t **dest,
  1614. int ipv6_exit,
  1615. const smartlist_t *configured_addresses,
  1616. int reject_interface_addresses,
  1617. int reject_configured_port_addresses)
  1618. {
  1619. tor_assert(dest);
  1620. /* Reject configured addresses, if they are from public netblocks. */
  1621. if (configured_addresses) {
  1622. addr_policy_append_reject_addr_list_filter(dest, configured_addresses,
  1623. 1, ipv6_exit);
  1624. }
  1625. /* Reject configured port addresses, if they are from public netblocks. */
  1626. if (reject_configured_port_addresses) {
  1627. const smartlist_t *port_addrs = get_configured_ports();
  1628. SMARTLIST_FOREACH_BEGIN(port_addrs, port_cfg_t *, port) {
  1629. /* Only reject port IP addresses, not port unix sockets */
  1630. if (!port->is_unix_addr) {
  1631. addr_policy_append_reject_addr_filter(dest, &port->addr, 1, ipv6_exit);
  1632. }
  1633. } SMARTLIST_FOREACH_END(port);
  1634. }
  1635. /* Reject local addresses from public netblocks on any interface. */
  1636. if (reject_interface_addresses) {
  1637. smartlist_t *public_addresses = NULL;
  1638. /* Reject public IPv4 addresses on any interface */
  1639. public_addresses = get_interface_address6_list(LOG_INFO, AF_INET, 0);
  1640. addr_policy_append_reject_addr_list_filter(dest, public_addresses, 1, 0);
  1641. interface_address6_list_free(public_addresses);
  1642. /* Don't look for IPv6 addresses if we're configured as IPv4-only */
  1643. if (ipv6_exit) {
  1644. /* Reject public IPv6 addresses on any interface */
  1645. public_addresses = get_interface_address6_list(LOG_INFO, AF_INET6, 0);
  1646. addr_policy_append_reject_addr_list_filter(dest, public_addresses, 0, 1);
  1647. interface_address6_list_free(public_addresses);
  1648. }
  1649. }
  1650. /* If addresses were added multiple times, remove all but one of them. */
  1651. if (*dest) {
  1652. exit_policy_remove_redundancies(*dest);
  1653. }
  1654. }
  1655. /**
  1656. * Iterate through <b>policy</b> looking for redundant entries. Log a
  1657. * warning message with the first redundant entry, if any is found.
  1658. */
  1659. static void
  1660. policies_log_first_redundant_entry(const smartlist_t *policy)
  1661. {
  1662. int found_final_effective_entry = 0;
  1663. int first_redundant_entry = 0;
  1664. tor_assert(policy);
  1665. SMARTLIST_FOREACH_BEGIN(policy, const addr_policy_t *, p) {
  1666. sa_family_t family;
  1667. int found_ipv4_wildcard = 0, found_ipv6_wildcard = 0;
  1668. const int i = p_sl_idx;
  1669. /* Look for accept/reject *[4|6|]:* entires */
  1670. if (p->prt_min <= 1 && p->prt_max == 65535 && p->maskbits == 0) {
  1671. family = tor_addr_family(&p->addr);
  1672. /* accept/reject *:* may have already been expanded into
  1673. * accept/reject *4:*,accept/reject *6:*
  1674. * But handle both forms.
  1675. */
  1676. if (family == AF_INET || family == AF_UNSPEC) {
  1677. found_ipv4_wildcard = 1;
  1678. }
  1679. if (family == AF_INET6 || family == AF_UNSPEC) {
  1680. found_ipv6_wildcard = 1;
  1681. }
  1682. }
  1683. /* We also find accept *4:*,reject *6:* ; and
  1684. * accept *4:*,<other policies>,accept *6:* ; and similar.
  1685. * That's ok, because they make any subsequent entries redundant. */
  1686. if (found_ipv4_wildcard && found_ipv6_wildcard) {
  1687. found_final_effective_entry = 1;
  1688. /* if we're not on the final entry in the list */
  1689. if (i < smartlist_len(policy) - 1) {
  1690. first_redundant_entry = i + 1;
  1691. }
  1692. break;
  1693. }
  1694. } SMARTLIST_FOREACH_END(p);
  1695. /* Work out if there are redundant trailing entries in the policy list */
  1696. if (found_final_effective_entry && first_redundant_entry > 0) {
  1697. const addr_policy_t *p;
  1698. /* Longest possible policy is
  1699. * "accept6 ffff:ffff:..255/128:10000-65535",
  1700. * which contains a max-length IPv6 address, plus 24 characters. */
  1701. char line[TOR_ADDR_BUF_LEN + 32];
  1702. tor_assert(first_redundant_entry < smartlist_len(policy));
  1703. p = smartlist_get(policy, first_redundant_entry);
  1704. /* since we've already parsed the policy into an addr_policy_t struct,
  1705. * we might not log exactly what the user typed in */
  1706. policy_write_item(line, TOR_ADDR_BUF_LEN + 32, p, 0);
  1707. log_warn(LD_DIR, "Exit policy '%s' and all following policies are "
  1708. "redundant, as it follows accept/reject *:* rules for both "
  1709. "IPv4 and IPv6. They will be removed from the exit policy. (Use "
  1710. "accept/reject *:* as the last entry in any exit policy.)",
  1711. line);
  1712. }
  1713. }
  1714. #define DEFAULT_EXIT_POLICY \
  1715. "reject *:25,reject *:119,reject *:135-139,reject *:445," \
  1716. "reject *:563,reject *:1214,reject *:4661-4666," \
  1717. "reject *:6346-6429,reject *:6699,reject *:6881-6999,accept *:*"
  1718. #define REDUCED_EXIT_POLICY \
  1719. "accept *:20-23,accept *:43,accept *:53,accept *:79-81,accept *:88," \
  1720. "accept *:110,accept *:143,accept *:194,accept *:220,accept *:389," \
  1721. "accept *:443,accept *:464,accept *:465,accept *:531,accept *:543-544," \
  1722. "accept *:554,accept *:563,accept *:587,accept *:636,accept *:706," \
  1723. "accept *:749,accept *:873,accept *:902-904,accept *:981,accept *:989-995," \
  1724. "accept *:1194,accept *:1220,accept *:1293,accept *:1500,accept *:1533," \
  1725. "accept *:1677,accept *:1723,accept *:1755,accept *:1863," \
  1726. "accept *:2082-2083,accept *:2086-2087,accept *:2095-2096," \
  1727. "accept *:2102-2104,accept *:3128,accept *:3389,accept *:3690," \
  1728. "accept *:4321,accept *:4643,accept *:5050,accept *:5190," \
  1729. "accept *:5222-5223,accept *:5228,accept *:5900,accept *:6660-6669," \
  1730. "accept *:6679,accept *:6697,accept *:8000,accept *:8008,accept *:8074," \
  1731. "accept *:8080,accept *:8082,accept *:8087-8088,accept *:8232-8233," \
  1732. "accept *:8332-8333,accept *:8443,accept *:8888,accept *:9418," \
  1733. "accept *:9999,accept *:10000,accept *:11371,accept *:19294," \
  1734. "accept *:19638,accept *:50002,accept *:64738,reject *:*"
  1735. /** Parse the exit policy <b>cfg</b> into the linked list *<b>dest</b>.
  1736. *
  1737. * If <b>ipv6_exit</b> is false, prepend "reject *6:*" to the policy.
  1738. *
  1739. * If <b>configured_addresses</b> contains addresses:
  1740. * - prepend entries that reject the addresses in this list. These may be the
  1741. * advertised relay addresses and/or the outbound bind addresses,
  1742. * depending on the ExitPolicyRejectPrivate and
  1743. * ExitPolicyRejectLocalInterfaces settings.
  1744. * If <b>rejectprivate</b> is true:
  1745. * - prepend "reject private:*" to the policy.
  1746. * If <b>reject_interface_addresses</b> is true:
  1747. * - prepend entries that reject publicly routable interface addresses on
  1748. * this exit relay by calling policies_parse_exit_policy_reject_private
  1749. * If <b>reject_configured_port_addresses</b> is true:
  1750. * - prepend entries that reject all configured port addresses
  1751. *
  1752. * If cfg doesn't end in an absolute accept or reject and if
  1753. * <b>add_default_policy</b> is true, add the default exit
  1754. * policy afterwards.
  1755. *
  1756. * Return -1 if we can't parse cfg, else return 0.
  1757. *
  1758. * This function is used to parse the exit policy from our torrc. For
  1759. * the functions used to parse the exit policy from a router descriptor,
  1760. * see router_add_exit_policy.
  1761. */
  1762. static int
  1763. policies_parse_exit_policy_internal(config_line_t *cfg,
  1764. smartlist_t **dest,
  1765. int ipv6_exit,
  1766. int rejectprivate,
  1767. const smartlist_t *configured_addresses,
  1768. int reject_interface_addresses,
  1769. int reject_configured_port_addresses,
  1770. int add_default_policy,
  1771. int add_reduced_policy)
  1772. {
  1773. if (!ipv6_exit) {
  1774. append_exit_policy_string(dest, "reject *6:*");
  1775. }
  1776. if (rejectprivate) {
  1777. /* Reject IPv4 and IPv6 reserved private netblocks */
  1778. append_exit_policy_string(dest, "reject private:*");
  1779. }
  1780. /* Consider rejecting IPv4 and IPv6 advertised relay addresses, outbound bind
  1781. * addresses, publicly routable addresses, and configured port addresses
  1782. * on this exit relay */
  1783. policies_parse_exit_policy_reject_private(dest, ipv6_exit,
  1784. configured_addresses,
  1785. reject_interface_addresses,
  1786. reject_configured_port_addresses);
  1787. if (parse_addr_policy(cfg, dest, -1))
  1788. return -1;
  1789. /* Before we add the default policy and final rejects, check to see if
  1790. * there are any lines after accept *:* or reject *:*. These lines have no
  1791. * effect, and are most likely an error. */
  1792. policies_log_first_redundant_entry(*dest);
  1793. if (add_reduced_policy) {
  1794. append_exit_policy_string(dest, REDUCED_EXIT_POLICY);
  1795. } else if (add_default_policy) {
  1796. append_exit_policy_string(dest, DEFAULT_EXIT_POLICY);
  1797. } else {
  1798. append_exit_policy_string(dest, "reject *4:*");
  1799. append_exit_policy_string(dest, "reject *6:*");
  1800. }
  1801. exit_policy_remove_redundancies(*dest);
  1802. return 0;
  1803. }
  1804. /** Parse exit policy in <b>cfg</b> into <b>dest</b> smartlist.
  1805. *
  1806. * Prepend an entry that rejects all IPv6 destinations unless
  1807. * <b>EXIT_POLICY_IPV6_ENABLED</b> bit is set in <b>options</b> bitmask.
  1808. *
  1809. * If <b>EXIT_POLICY_REJECT_PRIVATE</b> bit is set in <b>options</b>:
  1810. * - prepend an entry that rejects all destinations in all netblocks
  1811. * reserved for private use.
  1812. * - prepend entries that reject the advertised relay addresses in
  1813. * configured_addresses
  1814. * If <b>EXIT_POLICY_REJECT_LOCAL_INTERFACES</b> bit is set in <b>options</b>:
  1815. * - prepend entries that reject publicly routable addresses on this exit
  1816. * relay by calling policies_parse_exit_policy_internal
  1817. * - prepend entries that reject the outbound bind addresses in
  1818. * configured_addresses
  1819. * - prepend entries that reject all configured port addresses
  1820. *
  1821. * If <b>EXIT_POLICY_ADD_DEFAULT</b> bit is set in <b>options</b>, append
  1822. * default exit policy entries to <b>result</b> smartlist.
  1823. */
  1824. int
  1825. policies_parse_exit_policy(config_line_t *cfg, smartlist_t **dest,
  1826. exit_policy_parser_cfg_t options,
  1827. const smartlist_t *configured_addresses)
  1828. {
  1829. int ipv6_enabled = (options & EXIT_POLICY_IPV6_ENABLED) ? 1 : 0;
  1830. int reject_private = (options & EXIT_POLICY_REJECT_PRIVATE) ? 1 : 0;
  1831. int add_default = (options & EXIT_POLICY_ADD_DEFAULT) ? 1 : 0;
  1832. int reject_local_interfaces = (options &
  1833. EXIT_POLICY_REJECT_LOCAL_INTERFACES) ? 1 : 0;
  1834. int add_reduced = (options & EXIT_POLICY_ADD_REDUCED) ? 1 : 0;
  1835. return policies_parse_exit_policy_internal(cfg,dest,ipv6_enabled,
  1836. reject_private,
  1837. configured_addresses,
  1838. reject_local_interfaces,
  1839. reject_local_interfaces,
  1840. add_default,
  1841. add_reduced);
  1842. }
  1843. /** Helper function that adds a copy of addr to a smartlist as long as it is
  1844. * non-NULL and not tor_addr_is_null().
  1845. *
  1846. * The caller is responsible for freeing all the tor_addr_t* in the smartlist.
  1847. */
  1848. static void
  1849. policies_copy_addr_to_smartlist(smartlist_t *addr_list, const tor_addr_t *addr)
  1850. {
  1851. if (addr && !tor_addr_is_null(addr)) {
  1852. tor_addr_t *addr_copy = tor_malloc(sizeof(tor_addr_t));
  1853. tor_addr_copy(addr_copy, addr);
  1854. smartlist_add(addr_list, addr_copy);
  1855. }
  1856. }
  1857. /** Helper function that adds ipv4h_addr to a smartlist as a tor_addr_t *,
  1858. * as long as it is not tor_addr_is_null(), by converting it to a tor_addr_t
  1859. * and passing it to policies_add_addr_to_smartlist.
  1860. *
  1861. * The caller is responsible for freeing all the tor_addr_t* in the smartlist.
  1862. */
  1863. static void
  1864. policies_copy_ipv4h_to_smartlist(smartlist_t *addr_list, uint32_t ipv4h_addr)
  1865. {
  1866. if (ipv4h_addr) {
  1867. tor_addr_t ipv4_tor_addr;
  1868. tor_addr_from_ipv4h(&ipv4_tor_addr, ipv4h_addr);
  1869. policies_copy_addr_to_smartlist(addr_list, &ipv4_tor_addr);
  1870. }
  1871. }
  1872. /** Helper function that adds copies of or_options->OutboundBindAddresses
  1873. * to a smartlist as tor_addr_t *, as long as or_options is non-NULL, and
  1874. * the addresses are not tor_addr_is_null(), by passing them to
  1875. * policies_add_addr_to_smartlist.
  1876. *
  1877. * The caller is responsible for freeing all the tor_addr_t* in the smartlist.
  1878. */
  1879. static void
  1880. policies_copy_outbound_addresses_to_smartlist(smartlist_t *addr_list,
  1881. const or_options_t *or_options)
  1882. {
  1883. if (or_options) {
  1884. for (int i=0;i<OUTBOUND_ADDR_MAX;i++) {
  1885. for (int j=0;j<2;j++) {
  1886. if (!tor_addr_is_null(&or_options->OutboundBindAddresses[i][j])) {
  1887. policies_copy_addr_to_smartlist(addr_list,
  1888. &or_options->OutboundBindAddresses[i][j]);
  1889. }
  1890. }
  1891. }
  1892. }
  1893. }
  1894. /** Parse <b>ExitPolicy</b> member of <b>or_options</b> into <b>result</b>
  1895. * smartlist.
  1896. * If <b>or_options->IPv6Exit</b> is false, prepend an entry that
  1897. * rejects all IPv6 destinations.
  1898. *
  1899. * If <b>or_options->ExitPolicyRejectPrivate</b> is true:
  1900. * - prepend an entry that rejects all destinations in all netblocks reserved
  1901. * for private use.
  1902. * - if local_address is non-zero, treat it as a host-order IPv4 address, and
  1903. * add it to the list of configured addresses.
  1904. * - if ipv6_local_address is non-NULL, and not the null tor_addr_t, add it
  1905. * to the list of configured addresses.
  1906. * If <b>or_options->ExitPolicyRejectLocalInterfaces</b> is true:
  1907. * - if or_options->OutboundBindAddresses[][0] (=IPv4) is not the null
  1908. * tor_addr_t, add it to the list of configured addresses.
  1909. * - if or_options->OutboundBindAddresses[][1] (=IPv6) is not the null
  1910. * tor_addr_t, add it to the list of configured addresses.
  1911. *
  1912. * If <b>or_options->BridgeRelay</b> is false, append entries of default
  1913. * Tor exit policy into <b>result</b> smartlist.
  1914. *
  1915. * If or_options->ExitRelay is false, then make our exit policy into
  1916. * "reject *:*" regardless.
  1917. */
  1918. int
  1919. policies_parse_exit_policy_from_options(const or_options_t *or_options,
  1920. uint32_t local_address,
  1921. const tor_addr_t *ipv6_local_address,
  1922. smartlist_t **result)
  1923. {
  1924. exit_policy_parser_cfg_t parser_cfg = 0;
  1925. smartlist_t *configured_addresses = NULL;
  1926. int rv = 0;
  1927. /* Short-circuit for non-exit relays */
  1928. if (or_options->ExitRelay == 0) {
  1929. append_exit_policy_string(result, "reject *4:*");
  1930. append_exit_policy_string(result, "reject *6:*");
  1931. return 0;
  1932. }
  1933. configured_addresses = smartlist_new();
  1934. /* Configure the parser */
  1935. if (or_options->IPv6Exit) {
  1936. parser_cfg |= EXIT_POLICY_IPV6_ENABLED;
  1937. }
  1938. if (or_options->ExitPolicyRejectPrivate) {
  1939. parser_cfg |= EXIT_POLICY_REJECT_PRIVATE;
  1940. }
  1941. if (!or_options->BridgeRelay) {
  1942. if (or_options->ReducedExitPolicy)
  1943. parser_cfg |= EXIT_POLICY_ADD_REDUCED;
  1944. else
  1945. parser_cfg |= EXIT_POLICY_ADD_DEFAULT;
  1946. }
  1947. if (or_options->ExitPolicyRejectLocalInterfaces) {
  1948. parser_cfg |= EXIT_POLICY_REJECT_LOCAL_INTERFACES;
  1949. }
  1950. /* Copy the configured addresses into the tor_addr_t* list */
  1951. if (or_options->ExitPolicyRejectPrivate) {
  1952. policies_copy_ipv4h_to_smartlist(configured_addresses, local_address);
  1953. policies_copy_addr_to_smartlist(configured_addresses, ipv6_local_address);
  1954. }
  1955. if (or_options->ExitPolicyRejectLocalInterfaces) {
  1956. policies_copy_outbound_addresses_to_smartlist(configured_addresses,
  1957. or_options);
  1958. }
  1959. rv = policies_parse_exit_policy(or_options->ExitPolicy, result, parser_cfg,
  1960. configured_addresses);
  1961. SMARTLIST_FOREACH(configured_addresses, tor_addr_t *, a, tor_free(a));
  1962. smartlist_free(configured_addresses);
  1963. return rv;
  1964. }
  1965. /** Add "reject *:*" to the end of the policy in *<b>dest</b>, allocating
  1966. * *<b>dest</b> as needed. */
  1967. void
  1968. policies_exit_policy_append_reject_star(smartlist_t **dest)
  1969. {
  1970. append_exit_policy_string(dest, "reject *4:*");
  1971. append_exit_policy_string(dest, "reject *6:*");
  1972. }
  1973. /** Replace the exit policy of <b>node</b> with reject *:* */
  1974. void
  1975. policies_set_node_exitpolicy_to_reject_all(node_t *node)
  1976. {
  1977. node->rejects_all = 1;
  1978. }
  1979. /** Return 1 if there is at least one /8 subnet in <b>policy</b> that
  1980. * allows exiting to <b>port</b>. Otherwise, return 0. */
  1981. static int
  1982. exit_policy_is_general_exit_helper(smartlist_t *policy, int port)
  1983. {
  1984. uint32_t mask, ip, i;
  1985. /* Is this /8 rejected (1), or undecided (0)? */
  1986. char subnet_status[256];
  1987. memset(subnet_status, 0, sizeof(subnet_status));
  1988. SMARTLIST_FOREACH_BEGIN(policy, addr_policy_t *, p) {
  1989. if (tor_addr_family(&p->addr) != AF_INET)
  1990. continue; /* IPv4 only for now */
  1991. if (p->prt_min > port || p->prt_max < port)
  1992. continue; /* Doesn't cover our port. */
  1993. mask = 0;
  1994. tor_assert(p->maskbits <= 32);
  1995. if (p->maskbits)
  1996. mask = UINT32_MAX<<(32-p->maskbits);
  1997. ip = tor_addr_to_ipv4h(&p->addr);
  1998. /* Calculate the first and last subnet that this exit policy touches
  1999. * and set it as loop boundaries. */
  2000. for (i = ((mask & ip)>>24); i <= (~((mask & ip) ^ mask)>>24); ++i) {
  2001. tor_addr_t addr;
  2002. if (subnet_status[i] != 0)
  2003. continue; /* We already reject some part of this /8 */
  2004. tor_addr_from_ipv4h(&addr, i<<24);
  2005. if (tor_addr_is_internal(&addr, 0) &&
  2006. !get_options()->DirAllowPrivateAddresses) {
  2007. continue; /* Local or non-routable addresses */
  2008. }
  2009. if (p->policy_type == ADDR_POLICY_ACCEPT) {
  2010. if (p->maskbits > 8)
  2011. continue; /* Narrower than a /8. */
  2012. /* We found an allowed subnet of at least size /8. Done
  2013. * for this port! */
  2014. return 1;
  2015. } else if (p->policy_type == ADDR_POLICY_REJECT) {
  2016. subnet_status[i] = 1;
  2017. }
  2018. }
  2019. } SMARTLIST_FOREACH_END(p);
  2020. return 0;
  2021. }
  2022. /** Return true iff <b>ri</b> is "useful as an exit node", meaning
  2023. * it allows exit to at least one /8 address space for each of ports 80
  2024. * and 443. */
  2025. int
  2026. exit_policy_is_general_exit(smartlist_t *policy)
  2027. {
  2028. if (!policy) /*XXXX disallow NULL policies? */
  2029. return 0;
  2030. return (exit_policy_is_general_exit_helper(policy, 80) &&
  2031. exit_policy_is_general_exit_helper(policy, 443));
  2032. }
  2033. /** Return false if <b>policy</b> might permit access to some addr:port;
  2034. * otherwise if we are certain it rejects everything, return true. If no
  2035. * part of <b>policy</b> matches, return <b>default_reject</b>.
  2036. * NULL policies are allowed, and treated as empty. */
  2037. int
  2038. policy_is_reject_star(const smartlist_t *policy, sa_family_t family,
  2039. int default_reject)
  2040. {
  2041. if (!policy)
  2042. return default_reject;
  2043. SMARTLIST_FOREACH_BEGIN(policy, const addr_policy_t *, p) {
  2044. if (p->policy_type == ADDR_POLICY_ACCEPT &&
  2045. (tor_addr_family(&p->addr) == family ||
  2046. tor_addr_family(&p->addr) == AF_UNSPEC)) {
  2047. return 0;
  2048. } else if (p->policy_type == ADDR_POLICY_REJECT &&
  2049. p->prt_min <= 1 && p->prt_max == 65535 &&
  2050. p->maskbits == 0 &&
  2051. (tor_addr_family(&p->addr) == family ||
  2052. tor_addr_family(&p->addr) == AF_UNSPEC)) {
  2053. return 1;
  2054. }
  2055. } SMARTLIST_FOREACH_END(p);
  2056. return default_reject;
  2057. }
  2058. /** Write a single address policy to the buf_len byte buffer at buf. Return
  2059. * the number of characters written, or -1 on failure. */
  2060. int
  2061. policy_write_item(char *buf, size_t buflen, const addr_policy_t *policy,
  2062. int format_for_desc)
  2063. {
  2064. size_t written = 0;
  2065. char addrbuf[TOR_ADDR_BUF_LEN];
  2066. const char *addrpart;
  2067. int result;
  2068. const int is_accept = policy->policy_type == ADDR_POLICY_ACCEPT;
  2069. const sa_family_t family = tor_addr_family(&policy->addr);
  2070. const int is_ip6 = (family == AF_INET6);
  2071. tor_addr_to_str(addrbuf, &policy->addr, sizeof(addrbuf), 1);
  2072. /* write accept/reject 1.2.3.4 */
  2073. if (policy->is_private) {
  2074. addrpart = "private";
  2075. } else if (policy->maskbits == 0) {
  2076. if (format_for_desc)
  2077. addrpart = "*";
  2078. else if (family == AF_INET6)
  2079. addrpart = "*6";
  2080. else if (family == AF_INET)
  2081. addrpart = "*4";
  2082. else
  2083. addrpart = "*";
  2084. } else {
  2085. addrpart = addrbuf;
  2086. }
  2087. result = tor_snprintf(buf, buflen, "%s%s %s",
  2088. is_accept ? "accept" : "reject",
  2089. (is_ip6&&format_for_desc)?"6":"",
  2090. addrpart);
  2091. if (result < 0)
  2092. return -1;
  2093. written += strlen(buf);
  2094. /* If the maskbits is 32 (IPv4) or 128 (IPv6) we don't need to give it. If
  2095. the mask is 0, we already wrote "*". */
  2096. if (policy->maskbits < (is_ip6?128:32) && policy->maskbits > 0) {
  2097. if (tor_snprintf(buf+written, buflen-written, "/%d", policy->maskbits)<0)
  2098. return -1;
  2099. written += strlen(buf+written);
  2100. }
  2101. if (policy->prt_min <= 1 && policy->prt_max == 65535) {
  2102. /* There is no port set; write ":*" */
  2103. if (written+4 > buflen)
  2104. return -1;
  2105. strlcat(buf+written, ":*", buflen-written);
  2106. written += 2;
  2107. } else if (policy->prt_min == policy->prt_max) {
  2108. /* There is only one port; write ":80". */
  2109. result = tor_snprintf(buf+written, buflen-written, ":%d", policy->prt_min);
  2110. if (result<0)
  2111. return -1;
  2112. written += result;
  2113. } else {
  2114. /* There is a range of ports; write ":79-80". */
  2115. result = tor_snprintf(buf+written, buflen-written, ":%d-%d",
  2116. policy->prt_min, policy->prt_max);
  2117. if (result<0)
  2118. return -1;
  2119. written += result;
  2120. }
  2121. if (written < buflen)
  2122. buf[written] = '\0';
  2123. else
  2124. return -1;
  2125. return (int)written;
  2126. }
  2127. /** Create a new exit policy summary, initially only with a single
  2128. * port 1-64k item */
  2129. /* XXXX This entire thing will do most stuff in O(N^2), or worse. Use an
  2130. * RB-tree if that turns out to matter. */
  2131. static smartlist_t *
  2132. policy_summary_create(void)
  2133. {
  2134. smartlist_t *summary;
  2135. policy_summary_item_t* item;
  2136. item = tor_malloc_zero(sizeof(policy_summary_item_t));
  2137. item->prt_min = 1;
  2138. item->prt_max = 65535;
  2139. item->reject_count = 0;
  2140. item->accepted = 0;
  2141. summary = smartlist_new();
  2142. smartlist_add(summary, item);
  2143. return summary;
  2144. }
  2145. /** Split the summary item in <b>item</b> at the port <b>new_starts</b>.
  2146. * The current item is changed to end at new-starts - 1, the new item
  2147. * copies reject_count and accepted from the old item,
  2148. * starts at new_starts and ends at the port where the original item
  2149. * previously ended.
  2150. */
  2151. static policy_summary_item_t*
  2152. policy_summary_item_split(policy_summary_item_t* old, uint16_t new_starts)
  2153. {
  2154. policy_summary_item_t* new;
  2155. new = tor_malloc_zero(sizeof(policy_summary_item_t));
  2156. new->prt_min = new_starts;
  2157. new->prt_max = old->prt_max;
  2158. new->reject_count = old->reject_count;
  2159. new->accepted = old->accepted;
  2160. old->prt_max = new_starts-1;
  2161. tor_assert(old->prt_min <= old->prt_max);
  2162. tor_assert(new->prt_min <= new->prt_max);
  2163. return new;
  2164. }
  2165. /* XXXX Nick says I'm going to hell for this. If he feels charitably towards
  2166. * my immortal soul, he can clean it up himself. */
  2167. #define AT(x) ((policy_summary_item_t*)smartlist_get(summary, x))
  2168. #define IPV4_BITS (32)
  2169. /* Every IPv4 address is counted as one rejection */
  2170. #define REJECT_CUTOFF_SCALE_IPV4 (0)
  2171. /* Ports are rejected in an IPv4 summary if they are rejected in more than two
  2172. * IPv4 /8 address blocks */
  2173. #define REJECT_CUTOFF_COUNT_IPV4 (U64_LITERAL(1) << \
  2174. (IPV4_BITS - REJECT_CUTOFF_SCALE_IPV4 - 7))
  2175. #define IPV6_BITS (128)
  2176. /* IPv6 /64s are counted as one rejection, anything smaller is ignored */
  2177. #define REJECT_CUTOFF_SCALE_IPV6 (64)
  2178. /* Ports are rejected in an IPv6 summary if they are rejected in more than one
  2179. * IPv6 /16 address block.
  2180. * This is roughly equivalent to the IPv4 cutoff, as only five IPv6 /12s (and
  2181. * some scattered smaller blocks) have been allocated to the RIRs.
  2182. * Network providers are typically allocated one or more IPv6 /32s.
  2183. */
  2184. #define REJECT_CUTOFF_COUNT_IPV6 (U64_LITERAL(1) << \
  2185. (IPV6_BITS - REJECT_CUTOFF_SCALE_IPV6 - 16))
  2186. /** Split an exit policy summary so that prt_min and prt_max
  2187. * fall at exactly the start and end of an item respectively.
  2188. */
  2189. static int
  2190. policy_summary_split(smartlist_t *summary,
  2191. uint16_t prt_min, uint16_t prt_max)
  2192. {
  2193. int start_at_index;
  2194. int i = 0;
  2195. while (AT(i)->prt_max < prt_min)
  2196. i++;
  2197. if (AT(i)->prt_min != prt_min) {
  2198. policy_summary_item_t* new_item;
  2199. new_item = policy_summary_item_split(AT(i), prt_min);
  2200. smartlist_insert(summary, i+1, new_item);
  2201. i++;
  2202. }
  2203. start_at_index = i;
  2204. while (AT(i)->prt_max < prt_max)
  2205. i++;
  2206. if (AT(i)->prt_max != prt_max) {
  2207. policy_summary_item_t* new_item;
  2208. new_item = policy_summary_item_split(AT(i), prt_max+1);
  2209. smartlist_insert(summary, i+1, new_item);
  2210. }
  2211. return start_at_index;
  2212. }
  2213. /** Mark port ranges as accepted if they are below the reject_count for family
  2214. */
  2215. static void
  2216. policy_summary_accept(smartlist_t *summary,
  2217. uint16_t prt_min, uint16_t prt_max,
  2218. sa_family_t family)
  2219. {
  2220. tor_assert_nonfatal_once(family == AF_INET || family == AF_INET6);
  2221. uint64_t family_reject_count = ((family == AF_INET) ?
  2222. REJECT_CUTOFF_COUNT_IPV4 :
  2223. REJECT_CUTOFF_COUNT_IPV6);
  2224. int i = policy_summary_split(summary, prt_min, prt_max);
  2225. while (i < smartlist_len(summary) &&
  2226. AT(i)->prt_max <= prt_max) {
  2227. if (!AT(i)->accepted &&
  2228. AT(i)->reject_count <= family_reject_count)
  2229. AT(i)->accepted = 1;
  2230. i++;
  2231. }
  2232. tor_assert(i < smartlist_len(summary) || prt_max==65535);
  2233. }
  2234. /** Count the number of addresses in a network in family with prefixlen
  2235. * maskbits against the given portrange. */
  2236. static void
  2237. policy_summary_reject(smartlist_t *summary,
  2238. maskbits_t maskbits,
  2239. uint16_t prt_min, uint16_t prt_max,
  2240. sa_family_t family)
  2241. {
  2242. tor_assert_nonfatal_once(family == AF_INET || family == AF_INET6);
  2243. int i = policy_summary_split(summary, prt_min, prt_max);
  2244. /* The length of a single address mask */
  2245. int addrbits = (family == AF_INET) ? IPV4_BITS : IPV6_BITS;
  2246. tor_assert_nonfatal_once(addrbits >= maskbits);
  2247. /* We divide IPv6 address counts by (1 << scale) to keep them in a uint64_t
  2248. */
  2249. int scale = ((family == AF_INET) ?
  2250. REJECT_CUTOFF_SCALE_IPV4 :
  2251. REJECT_CUTOFF_SCALE_IPV6);
  2252. tor_assert_nonfatal_once(addrbits >= scale);
  2253. if (maskbits > (addrbits - scale)) {
  2254. tor_assert_nonfatal_once(family == AF_INET6);
  2255. /* The address range is so small, we'd need billions of them to reach the
  2256. * rejection limit. So we ignore this range in the reject count. */
  2257. return;
  2258. }
  2259. uint64_t count = 0;
  2260. if (addrbits - scale - maskbits >= 64) {
  2261. tor_assert_nonfatal_once(family == AF_INET6);
  2262. /* The address range is so large, it's an automatic rejection for all ports
  2263. * in the range. */
  2264. count = UINT64_MAX;
  2265. } else {
  2266. count = (U64_LITERAL(1) << (addrbits - scale - maskbits));
  2267. }
  2268. tor_assert_nonfatal_once(count > 0);
  2269. while (i < smartlist_len(summary) &&
  2270. AT(i)->prt_max <= prt_max) {
  2271. if (AT(i)->reject_count <= UINT64_MAX - count) {
  2272. AT(i)->reject_count += count;
  2273. } else {
  2274. /* IPv4 would require a 4-billion address redundant policy to get here,
  2275. * but IPv6 just needs to have ::/0 */
  2276. if (family == AF_INET) {
  2277. tor_assert_nonfatal_unreached_once();
  2278. }
  2279. /* If we do get here, use saturating arithmetic */
  2280. AT(i)->reject_count = UINT64_MAX;
  2281. }
  2282. i++;
  2283. }
  2284. tor_assert(i < smartlist_len(summary) || prt_max==65535);
  2285. }
  2286. /** Add a single exit policy item to our summary:
  2287. *
  2288. * If it is an accept, ignore it unless it is for all IP addresses
  2289. * ("*", i.e. its prefixlen/maskbits is 0). Otherwise call
  2290. * policy_summary_accept().
  2291. *
  2292. * If it is a reject, ignore it if it is about one of the private
  2293. * networks. Otherwise call policy_summary_reject().
  2294. */
  2295. static void
  2296. policy_summary_add_item(smartlist_t *summary, addr_policy_t *p)
  2297. {
  2298. if (p->policy_type == ADDR_POLICY_ACCEPT) {
  2299. if (p->maskbits == 0) {
  2300. policy_summary_accept(summary, p->prt_min, p->prt_max, p->addr.family);
  2301. }
  2302. } else if (p->policy_type == ADDR_POLICY_REJECT) {
  2303. int is_private = 0;
  2304. int i;
  2305. for (i = 0; private_nets[i]; ++i) {
  2306. tor_addr_t addr;
  2307. maskbits_t maskbits;
  2308. if (tor_addr_parse_mask_ports(private_nets[i], 0, &addr,
  2309. &maskbits, NULL, NULL)<0) {
  2310. tor_assert(0);
  2311. }
  2312. if (tor_addr_compare(&p->addr, &addr, CMP_EXACT) == 0 &&
  2313. p->maskbits == maskbits) {
  2314. is_private = 1;
  2315. break;
  2316. }
  2317. }
  2318. if (!is_private) {
  2319. policy_summary_reject(summary, p->maskbits, p->prt_min, p->prt_max,
  2320. p->addr.family);
  2321. }
  2322. } else
  2323. tor_assert(0);
  2324. }
  2325. /** Create a string representing a summary for an exit policy.
  2326. * The summary will either be an "accept" plus a comma-separated list of port
  2327. * ranges or a "reject" plus port-ranges, depending on which is shorter.
  2328. *
  2329. * If no exits are allowed at all then "reject 1-65535" is returned. If no
  2330. * ports are blocked instead of "reject " we return "accept 1-65535". (These
  2331. * are an exception to the shorter-representation-wins rule).
  2332. */
  2333. char *
  2334. policy_summarize(smartlist_t *policy, sa_family_t family)
  2335. {
  2336. smartlist_t *summary = policy_summary_create();
  2337. smartlist_t *accepts, *rejects;
  2338. int i, last, start_prt;
  2339. size_t accepts_len, rejects_len;
  2340. char *accepts_str = NULL, *rejects_str = NULL, *shorter_str, *result;
  2341. const char *prefix;
  2342. tor_assert(policy);
  2343. /* Create the summary list */
  2344. SMARTLIST_FOREACH_BEGIN(policy, addr_policy_t *, p) {
  2345. sa_family_t f = tor_addr_family(&p->addr);
  2346. if (f != AF_INET && f != AF_INET6) {
  2347. log_warn(LD_BUG, "Weird family when summarizing address policy");
  2348. }
  2349. if (f != family)
  2350. continue;
  2351. policy_summary_add_item(summary, p);
  2352. } SMARTLIST_FOREACH_END(p);
  2353. /* Now create two lists of strings, one for accepted and one
  2354. * for rejected ports. We take care to merge ranges so that
  2355. * we avoid getting stuff like "1-4,5-9,10", instead we want
  2356. * "1-10"
  2357. */
  2358. i = 0;
  2359. start_prt = 1;
  2360. accepts = smartlist_new();
  2361. rejects = smartlist_new();
  2362. while (1) {
  2363. last = i == smartlist_len(summary)-1;
  2364. if (last ||
  2365. AT(i)->accepted != AT(i+1)->accepted) {
  2366. char buf[POLICY_BUF_LEN];
  2367. if (start_prt == AT(i)->prt_max)
  2368. tor_snprintf(buf, sizeof(buf), "%d", start_prt);
  2369. else
  2370. tor_snprintf(buf, sizeof(buf), "%d-%d", start_prt, AT(i)->prt_max);
  2371. if (AT(i)->accepted)
  2372. smartlist_add_strdup(accepts, buf);
  2373. else
  2374. smartlist_add_strdup(rejects, buf);
  2375. if (last)
  2376. break;
  2377. start_prt = AT(i+1)->prt_min;
  2378. };
  2379. i++;
  2380. };
  2381. /* Figure out which of the two stringlists will be shorter and use
  2382. * that to build the result
  2383. */
  2384. if (smartlist_len(accepts) == 0) { /* no exits at all */
  2385. result = tor_strdup("reject 1-65535");
  2386. goto cleanup;
  2387. }
  2388. if (smartlist_len(rejects) == 0) { /* no rejects at all */
  2389. result = tor_strdup("accept 1-65535");
  2390. goto cleanup;
  2391. }
  2392. accepts_str = smartlist_join_strings(accepts, ",", 0, &accepts_len);
  2393. rejects_str = smartlist_join_strings(rejects, ",", 0, &rejects_len);
  2394. if (rejects_len > MAX_EXITPOLICY_SUMMARY_LEN-strlen("reject")-1 &&
  2395. accepts_len > MAX_EXITPOLICY_SUMMARY_LEN-strlen("accept")-1) {
  2396. char *c;
  2397. shorter_str = accepts_str;
  2398. prefix = "accept";
  2399. c = shorter_str + (MAX_EXITPOLICY_SUMMARY_LEN-strlen(prefix)-1);
  2400. while (*c != ',' && c >= shorter_str)
  2401. c--;
  2402. tor_assert(c >= shorter_str);
  2403. tor_assert(*c == ',');
  2404. *c = '\0';
  2405. } else if (rejects_len < accepts_len) {
  2406. shorter_str = rejects_str;
  2407. prefix = "reject";
  2408. } else {
  2409. shorter_str = accepts_str;
  2410. prefix = "accept";
  2411. }
  2412. tor_asprintf(&result, "%s %s", prefix, shorter_str);
  2413. cleanup:
  2414. /* cleanup */
  2415. SMARTLIST_FOREACH(summary, policy_summary_item_t *, s, tor_free(s));
  2416. smartlist_free(summary);
  2417. tor_free(accepts_str);
  2418. SMARTLIST_FOREACH(accepts, char *, s, tor_free(s));
  2419. smartlist_free(accepts);
  2420. tor_free(rejects_str);
  2421. SMARTLIST_FOREACH(rejects, char *, s, tor_free(s));
  2422. smartlist_free(rejects);
  2423. return result;
  2424. }
  2425. /** Convert a summarized policy string into a short_policy_t. Return NULL
  2426. * if the string is not well-formed. */
  2427. short_policy_t *
  2428. parse_short_policy(const char *summary)
  2429. {
  2430. const char *orig_summary = summary;
  2431. short_policy_t *result;
  2432. int is_accept;
  2433. int n_entries;
  2434. short_policy_entry_t entries[MAX_EXITPOLICY_SUMMARY_LEN]; /* overkill */
  2435. const char *next;
  2436. if (!strcmpstart(summary, "accept ")) {
  2437. is_accept = 1;
  2438. summary += strlen("accept ");
  2439. } else if (!strcmpstart(summary, "reject ")) {
  2440. is_accept = 0;
  2441. summary += strlen("reject ");
  2442. } else {
  2443. log_fn(LOG_PROTOCOL_WARN, LD_DIR, "Unrecognized policy summary keyword");
  2444. return NULL;
  2445. }
  2446. n_entries = 0;
  2447. for ( ; *summary; summary = next) {
  2448. const char *comma = strchr(summary, ',');
  2449. unsigned low, high;
  2450. char dummy;
  2451. char ent_buf[32];
  2452. size_t len;
  2453. next = comma ? comma+1 : strchr(summary, '\0');
  2454. len = comma ? (size_t)(comma - summary) : strlen(summary);
  2455. if (n_entries == MAX_EXITPOLICY_SUMMARY_LEN) {
  2456. log_fn(LOG_PROTOCOL_WARN, LD_DIR, "Impossibly long policy summary %s",
  2457. escaped(orig_summary));
  2458. return NULL;
  2459. }
  2460. if (! TOR_ISDIGIT(*summary) || len > (sizeof(ent_buf)-1)) {
  2461. /* unrecognized entry format. skip it. */
  2462. continue;
  2463. }
  2464. if (len < 1) {
  2465. /* empty; skip it. */
  2466. /* XXX This happens to be unreachable, since if len==0, then *summary is
  2467. * ',' or '\0', and the TOR_ISDIGIT test above would have failed. */
  2468. continue;
  2469. }
  2470. memcpy(ent_buf, summary, len);
  2471. ent_buf[len] = '\0';
  2472. if (tor_sscanf(ent_buf, "%u-%u%c", &low, &high, &dummy) == 2) {
  2473. if (low<1 || low>65535 || high<1 || high>65535 || low>high) {
  2474. log_fn(LOG_PROTOCOL_WARN, LD_DIR,
  2475. "Found bad entry in policy summary %s", escaped(orig_summary));
  2476. return NULL;
  2477. }
  2478. } else if (tor_sscanf(ent_buf, "%u%c", &low, &dummy) == 1) {
  2479. if (low<1 || low>65535) {
  2480. log_fn(LOG_PROTOCOL_WARN, LD_DIR,
  2481. "Found bad entry in policy summary %s", escaped(orig_summary));
  2482. return NULL;
  2483. }
  2484. high = low;
  2485. } else {
  2486. log_fn(LOG_PROTOCOL_WARN, LD_DIR,"Found bad entry in policy summary %s",
  2487. escaped(orig_summary));
  2488. return NULL;
  2489. }
  2490. entries[n_entries].min_port = low;
  2491. entries[n_entries].max_port = high;
  2492. n_entries++;
  2493. }
  2494. if (n_entries == 0) {
  2495. log_fn(LOG_PROTOCOL_WARN, LD_DIR,
  2496. "Found no port-range entries in summary %s", escaped(orig_summary));
  2497. return NULL;
  2498. }
  2499. {
  2500. size_t size = offsetof(short_policy_t, entries) +
  2501. sizeof(short_policy_entry_t)*(n_entries);
  2502. result = tor_malloc_zero(size);
  2503. tor_assert( (char*)&result->entries[n_entries-1] < ((char*)result)+size);
  2504. }
  2505. result->is_accept = is_accept;
  2506. result->n_entries = n_entries;
  2507. memcpy(result->entries, entries, sizeof(short_policy_entry_t)*n_entries);
  2508. return result;
  2509. }
  2510. /** Write <b>policy</b> back out into a string. */
  2511. char *
  2512. write_short_policy(const short_policy_t *policy)
  2513. {
  2514. int i;
  2515. char *answer;
  2516. smartlist_t *sl = smartlist_new();
  2517. smartlist_add_asprintf(sl, "%s", policy->is_accept ? "accept " : "reject ");
  2518. for (i=0; i < policy->n_entries; i++) {
  2519. const short_policy_entry_t *e = &policy->entries[i];
  2520. if (e->min_port == e->max_port) {
  2521. smartlist_add_asprintf(sl, "%d", e->min_port);
  2522. } else {
  2523. smartlist_add_asprintf(sl, "%d-%d", e->min_port, e->max_port);
  2524. }
  2525. if (i < policy->n_entries-1)
  2526. smartlist_add_strdup(sl, ",");
  2527. }
  2528. answer = smartlist_join_strings(sl, "", 0, NULL);
  2529. SMARTLIST_FOREACH(sl, char *, a, tor_free(a));
  2530. smartlist_free(sl);
  2531. return answer;
  2532. }
  2533. /** Release all storage held in <b>policy</b>. */
  2534. void
  2535. short_policy_free_(short_policy_t *policy)
  2536. {
  2537. tor_free(policy);
  2538. }
  2539. /** See whether the <b>addr</b>:<b>port</b> address is likely to be accepted
  2540. * or rejected by the summarized policy <b>policy</b>. Return values are as
  2541. * for compare_tor_addr_to_addr_policy. Unlike the regular addr_policy
  2542. * functions, requires the <b>port</b> be specified. */
  2543. addr_policy_result_t
  2544. compare_tor_addr_to_short_policy(const tor_addr_t *addr, uint16_t port,
  2545. const short_policy_t *policy)
  2546. {
  2547. int i;
  2548. int found_match = 0;
  2549. int accept_;
  2550. tor_assert(port != 0);
  2551. if (addr && tor_addr_is_null(addr))
  2552. addr = NULL; /* Unspec means 'no address at all,' in this context. */
  2553. if (addr && get_options()->ClientRejectInternalAddresses &&
  2554. (tor_addr_is_internal(addr, 0) || tor_addr_is_loopback(addr)))
  2555. return ADDR_POLICY_REJECTED;
  2556. for (i=0; i < policy->n_entries; ++i) {
  2557. const short_policy_entry_t *e = &policy->entries[i];
  2558. if (e->min_port <= port && port <= e->max_port) {
  2559. found_match = 1;
  2560. break;
  2561. }
  2562. }
  2563. if (found_match)
  2564. accept_ = policy->is_accept;
  2565. else
  2566. accept_ = ! policy->is_accept;
  2567. /* ???? are these right? -NM */
  2568. /* We should be sure not to return ADDR_POLICY_ACCEPTED in the accept
  2569. * case here, because it would cause clients to believe that the node
  2570. * allows exit enclaving. Trying it anyway would open up a cool attack
  2571. * where the node refuses due to exitpolicy, the client reacts in
  2572. * surprise by rewriting the node's exitpolicy to reject *:*, and then
  2573. * an adversary targets users by causing them to attempt such connections
  2574. * to 98% of the exits.
  2575. *
  2576. * Once microdescriptors can handle addresses in special cases (e.g. if
  2577. * we ever solve ticket 1774), we can provide certainty here. -RD */
  2578. if (accept_)
  2579. return ADDR_POLICY_PROBABLY_ACCEPTED;
  2580. else
  2581. return ADDR_POLICY_REJECTED;
  2582. }
  2583. /** Return true iff <b>policy</b> seems reject all ports */
  2584. int
  2585. short_policy_is_reject_star(const short_policy_t *policy)
  2586. {
  2587. /* This doesn't need to be as much on the lookout as policy_is_reject_star,
  2588. * since policy summaries are from the consensus or from consensus
  2589. * microdescs.
  2590. */
  2591. tor_assert(policy);
  2592. /* Check for an exact match of "reject 1-65535". */
  2593. return (policy->is_accept == 0 && policy->n_entries == 1 &&
  2594. policy->entries[0].min_port == 1 &&
  2595. policy->entries[0].max_port == 65535);
  2596. }
  2597. /** Decide whether addr:port is probably or definitely accepted or rejected by
  2598. * <b>node</b>. See compare_tor_addr_to_addr_policy for details on addr/port
  2599. * interpretation. */
  2600. addr_policy_result_t
  2601. compare_tor_addr_to_node_policy(const tor_addr_t *addr, uint16_t port,
  2602. const node_t *node)
  2603. {
  2604. if (node->rejects_all)
  2605. return ADDR_POLICY_REJECTED;
  2606. if (addr && tor_addr_family(addr) == AF_INET6) {
  2607. const short_policy_t *p = NULL;
  2608. if (node->ri)
  2609. p = node->ri->ipv6_exit_policy;
  2610. else if (node->md)
  2611. p = node->md->ipv6_exit_policy;
  2612. if (p)
  2613. return compare_tor_addr_to_short_policy(addr, port, p);
  2614. else
  2615. return ADDR_POLICY_REJECTED;
  2616. }
  2617. if (node->ri) {
  2618. return compare_tor_addr_to_addr_policy(addr, port, node->ri->exit_policy);
  2619. } else if (node->md) {
  2620. if (node->md->exit_policy == NULL)
  2621. return ADDR_POLICY_REJECTED;
  2622. else
  2623. return compare_tor_addr_to_short_policy(addr, port,
  2624. node->md->exit_policy);
  2625. } else {
  2626. return ADDR_POLICY_PROBABLY_REJECTED;
  2627. }
  2628. }
  2629. /**
  2630. * Given <b>policy_list</b>, a list of addr_policy_t, produce a string
  2631. * representation of the list.
  2632. * If <b>include_ipv4</b> is true, include IPv4 entries.
  2633. * If <b>include_ipv6</b> is true, include IPv6 entries.
  2634. */
  2635. char *
  2636. policy_dump_to_string(const smartlist_t *policy_list,
  2637. int include_ipv4,
  2638. int include_ipv6)
  2639. {
  2640. smartlist_t *policy_string_list;
  2641. char *policy_string = NULL;
  2642. policy_string_list = smartlist_new();
  2643. SMARTLIST_FOREACH_BEGIN(policy_list, addr_policy_t *, tmpe) {
  2644. char *pbuf;
  2645. int bytes_written_to_pbuf;
  2646. if ((tor_addr_family(&tmpe->addr) == AF_INET6) && (!include_ipv6)) {
  2647. continue; /* Don't include IPv6 parts of address policy */
  2648. }
  2649. if ((tor_addr_family(&tmpe->addr) == AF_INET) && (!include_ipv4)) {
  2650. continue; /* Don't include IPv4 parts of address policy */
  2651. }
  2652. pbuf = tor_malloc(POLICY_BUF_LEN);
  2653. bytes_written_to_pbuf = policy_write_item(pbuf,POLICY_BUF_LEN, tmpe, 1);
  2654. if (bytes_written_to_pbuf < 0) {
  2655. log_warn(LD_BUG, "policy_dump_to_string ran out of room!");
  2656. tor_free(pbuf);
  2657. goto done;
  2658. }
  2659. smartlist_add(policy_string_list,pbuf);
  2660. } SMARTLIST_FOREACH_END(tmpe);
  2661. policy_string = smartlist_join_strings(policy_string_list, "\n", 0, NULL);
  2662. done:
  2663. SMARTLIST_FOREACH(policy_string_list, char *, str, tor_free(str));
  2664. smartlist_free(policy_string_list);
  2665. return policy_string;
  2666. }
  2667. /** Implementation for GETINFO control command: knows the answer for questions
  2668. * about "exit-policy/..." */
  2669. int
  2670. getinfo_helper_policies(control_connection_t *conn,
  2671. const char *question, char **answer,
  2672. const char **errmsg)
  2673. {
  2674. (void) conn;
  2675. (void) errmsg;
  2676. if (!strcmp(question, "exit-policy/default")) {
  2677. *answer = tor_strdup(DEFAULT_EXIT_POLICY);
  2678. } else if (!strcmp(question, "exit-policy/reject-private/default")) {
  2679. smartlist_t *private_policy_strings;
  2680. const char **priv = private_nets;
  2681. private_policy_strings = smartlist_new();
  2682. while (*priv != NULL) {
  2683. /* IPv6 addresses are in "[]" and contain ":",
  2684. * IPv4 addresses are not in "[]" and contain "." */
  2685. smartlist_add_asprintf(private_policy_strings, "reject %s:*", *priv);
  2686. priv++;
  2687. }
  2688. *answer = smartlist_join_strings(private_policy_strings,
  2689. ",", 0, NULL);
  2690. SMARTLIST_FOREACH(private_policy_strings, char *, str, tor_free(str));
  2691. smartlist_free(private_policy_strings);
  2692. } else if (!strcmp(question, "exit-policy/reject-private/relay")) {
  2693. const or_options_t *options = get_options();
  2694. int err = 0;
  2695. const routerinfo_t *me = router_get_my_routerinfo_with_err(&err);
  2696. if (!me) {
  2697. *errmsg = routerinfo_err_to_string(err);
  2698. return routerinfo_err_is_transient(err) ? -1 : 0;
  2699. }
  2700. if (!options->ExitPolicyRejectPrivate &&
  2701. !options->ExitPolicyRejectLocalInterfaces) {
  2702. *answer = tor_strdup("");
  2703. return 0;
  2704. }
  2705. smartlist_t *private_policy_list = smartlist_new();
  2706. smartlist_t *configured_addresses = smartlist_new();
  2707. /* Copy the configured addresses into the tor_addr_t* list */
  2708. if (options->ExitPolicyRejectPrivate) {
  2709. policies_copy_ipv4h_to_smartlist(configured_addresses, me->addr);
  2710. policies_copy_addr_to_smartlist(configured_addresses, &me->ipv6_addr);
  2711. }
  2712. if (options->ExitPolicyRejectLocalInterfaces) {
  2713. policies_copy_outbound_addresses_to_smartlist(configured_addresses,
  2714. options);
  2715. }
  2716. policies_parse_exit_policy_reject_private(
  2717. &private_policy_list,
  2718. options->IPv6Exit,
  2719. configured_addresses,
  2720. options->ExitPolicyRejectLocalInterfaces,
  2721. options->ExitPolicyRejectLocalInterfaces);
  2722. *answer = policy_dump_to_string(private_policy_list, 1, 1);
  2723. addr_policy_list_free(private_policy_list);
  2724. SMARTLIST_FOREACH(configured_addresses, tor_addr_t *, a, tor_free(a));
  2725. smartlist_free(configured_addresses);
  2726. } else if (!strcmpstart(question, "exit-policy/")) {
  2727. int include_ipv4 = 0;
  2728. int include_ipv6 = 0;
  2729. int err = 0;
  2730. const routerinfo_t *me = router_get_my_routerinfo_with_err(&err);
  2731. if (!me) {
  2732. *errmsg = routerinfo_err_to_string(err);
  2733. return routerinfo_err_is_transient(err) ? -1 : 0;
  2734. }
  2735. if (!strcmp(question, "exit-policy/ipv4")) {
  2736. include_ipv4 = 1;
  2737. } else if (!strcmp(question, "exit-policy/ipv6")) {
  2738. include_ipv6 = 1;
  2739. } else if (!strcmp(question, "exit-policy/full")) {
  2740. include_ipv4 = include_ipv6 = 1;
  2741. } else {
  2742. return 0; /* No such key. */
  2743. }
  2744. *answer = router_dump_exit_policy_to_string(me,include_ipv4,
  2745. include_ipv6);
  2746. }
  2747. return 0;
  2748. }
  2749. /** Release all storage held by <b>p</b>. */
  2750. void
  2751. addr_policy_list_free_(smartlist_t *lst)
  2752. {
  2753. if (!lst)
  2754. return;
  2755. SMARTLIST_FOREACH(lst, addr_policy_t *, policy, addr_policy_free(policy));
  2756. smartlist_free(lst);
  2757. }
  2758. /** Release all storage held by <b>p</b>. */
  2759. void
  2760. addr_policy_free_(addr_policy_t *p)
  2761. {
  2762. if (!p)
  2763. return;
  2764. if (--p->refcnt <= 0) {
  2765. if (p->is_canonical) {
  2766. policy_map_ent_t search, *found;
  2767. search.policy = p;
  2768. found = HT_REMOVE(policy_map, &policy_root, &search);
  2769. if (found) {
  2770. tor_assert(p == found->policy);
  2771. tor_free(found);
  2772. }
  2773. }
  2774. tor_free(p);
  2775. }
  2776. }
  2777. /** Release all storage held by policy variables. */
  2778. void
  2779. policies_free_all(void)
  2780. {
  2781. addr_policy_list_free(reachable_or_addr_policy);
  2782. reachable_or_addr_policy = NULL;
  2783. addr_policy_list_free(reachable_dir_addr_policy);
  2784. reachable_dir_addr_policy = NULL;
  2785. addr_policy_list_free(socks_policy);
  2786. socks_policy = NULL;
  2787. addr_policy_list_free(dir_policy);
  2788. dir_policy = NULL;
  2789. addr_policy_list_free(authdir_reject_policy);
  2790. authdir_reject_policy = NULL;
  2791. addr_policy_list_free(authdir_invalid_policy);
  2792. authdir_invalid_policy = NULL;
  2793. addr_policy_list_free(authdir_badexit_policy);
  2794. authdir_badexit_policy = NULL;
  2795. if (!HT_EMPTY(&policy_root)) {
  2796. policy_map_ent_t **ent;
  2797. int n = 0;
  2798. char buf[POLICY_BUF_LEN];
  2799. log_warn(LD_MM, "Still had %d address policies cached at shutdown.",
  2800. (int)HT_SIZE(&policy_root));
  2801. /* Note the first 10 cached policies to try to figure out where they
  2802. * might be coming from. */
  2803. HT_FOREACH(ent, policy_map, &policy_root) {
  2804. if (++n > 10)
  2805. break;
  2806. if (policy_write_item(buf, sizeof(buf), (*ent)->policy, 0) >= 0)
  2807. log_warn(LD_MM," %d [%d]: %s", n, (*ent)->policy->refcnt, buf);
  2808. }
  2809. }
  2810. HT_CLEAR(policy_map, &policy_root);
  2811. }