| blob | 4641632b609bcb201b5168103befc0cf253744ca |
1 /* Copyright (c) 2001-2004, Roger Dingledine.
2 * Copyright (c) 2004-2006, Roger Dingledine, Nick Mathewson.
3 * Copyright (c) 2007-2021, The Tor Project, Inc. */
4 /* See LICENSE for licensing information */
6 /**
7 * \file policies.c
8 * \brief Code to parse and use address policies and exit policies.
9 *
10 * We have two key kinds of address policy: full and compressed. A full
11 * policy is an array of accept/reject patterns, to be applied in order.
12 * A short policy is simply a list of ports. This module handles both
13 * kinds, including generic functions to apply them to addresses, and
14 * also including code to manage the global policies that we apply to
15 * incoming and outgoing connections.
16 **/
18 #define POLICIES_PRIVATE
44 /** Maximum length of an exit policy summary. */
45 #define MAX_EXITPOLICY_SUMMARY_LEN 1000
47 /** Policy that addresses for incoming SOCKS connections must match. */
49 /** Policy that addresses for incoming directory connections must match. */
51 /** Policy for incoming MetricsPort connections that must match. */
53 /** Policy that addresses for incoming router descriptors must match in order
54 * to be published by us. */
56 /** Policy that addresses for incoming router descriptors must match in order
57 * to be marked as valid in our networkstatus. */
59 /** Policy that addresses for incoming router descriptors must <b>not</b>
60 * match in order to not be marked as BadExit. */
62 /** Policy that addresses for incoming router descriptors must <b>not</b>
63 * match in order to not be marked as MiddleOnly. */
66 /** Parsed addr_policy_t describing which addresses we believe we can start
67 * circuits at. */
69 /** Parsed addr_policy_t describing which addresses we believe we can connect
70 * to directories at. */
73 /** Element of an exit policy summary */
78 this port range. */
82 /** Private networks. This list is used in two places, once to expand the
83 * "private" keyword when parsing our own exit policy, secondly to ignore
84 * just such networks when building exit policy summaries. It is important
85 * that all authorities agree on that list when creating summaries, so don't
86 * just change this without a proper migration plan and a proposal and stuff.
87 */
93 NULL
94 };
107 /** Replace all "private" entries in *<b>policy</b> with their expanded
108 * equivalents. */
109 void
111 {
126 }
128 addr_policy_t newpolicy;
136 }
138 }
144 }
146 /** Expand each of the AF_UNSPEC elements in *<b>policy</b> (which indicate
147 * protocol-neutral wildcards) into a pair of wildcard elements: one IPv4-
148 * specific and one IPv6-specific. */
149 void
151 {
162 addr_policy_t newpolicy_ipv4;
163 addr_policy_t newpolicy_ipv6;
172 }
182 }
187 }
189 /**
190 * Given a linked list of config lines containing "accept[6]" and "reject[6]"
191 * tokens, parse them and append the result to <b>dest</b>. Return -1
192 * if any tokens are malformed (and don't append any), else return 0.
193 *
194 * If <b>assume_action</b> is nonnegative, then insert its action
195 * (ADDR_POLICY_ACCEPT or ADDR_POLICY_REJECT) for items that specify no
196 * action.
197 */
198 static int
201 {
224 /* the error is so severe the entire list should be discarded */
229 /* the error is minor: don't add the item, but keep processing the
230 * rest of the policies in the list */
233 ent);
234 }
238 }
251 }
252 }
255 }
257 /** Helper: parse the Reachable(Dir|OR)?Addresses fields into
258 * reachable_(or|dir)_addr_policy. The options should already have
259 * been validated by validate_addr_policies.
260 */
261 static int
263 {
271 "Both ReachableDirAddresses and ReachableORAddresses are set. "
273 }
287 }
302 }
304 /* We ignore ReachableAddresses for relays */
309 "ReachableAddresses, ReachableORAddresses, or "
310 "ReachableDirAddresses reject all addresses. Please accept "
316 "ReachableAddresses, ReachableORAddresses, or "
317 "ReachableDirAddresses reject all IPv4 addresses. "
323 "(or UseBridges 1), but "
324 "ReachableAddresses, ReachableORAddresses, or "
325 "ReachableDirAddresses reject all IPv6 addresses. "
327 }
328 }
330 /* Append a reject *:* to reachable_(or|dir)_addr_policy */
336 }
339 }
341 /* Return true iff ClientUseIPv4 0 or ClientUseIPv6 0 might block any OR or Dir
342 * address:port combination. */
343 static int
345 {
347 /* Assume every non-bridge relay has an IPv4 address.
348 * Clients which use bridges may only know the IPv6 address of their
349 * bridge, but they will connect regardless of the ClientUseIPv6 setting. */
351 }
353 /** Return true iff the firewall options, including ClientUseIPv4 0 and
354 * ClientUseIPv6 0, might block any OR address:port combination.
355 * Address preferences may still change which address is selected even if
356 * this function returns false.
357 */
358 int
360 {
362 }
364 /** Return true iff the firewall options, including ClientUseIPv4 0 and
365 * ClientUseIPv6 0, might block any Dir address:port combination.
366 * Address preferences may still change which address is selected even if
367 * this function returns false.
368 */
369 int
371 {
373 }
375 /** Return true iff <b>policy</b> (possibly NULL) will allow a
376 * connection to <b>addr</b>:<b>port</b>.
377 */
378 static int
381 {
382 addr_policy_result_t p;
394 }
395 }
397 /** Return true iff we think our firewall will let us make a connection to
398 * addr:port.
399 *
400 * If we are configured as a server, ignore any address family preference and
401 * just use IPv4.
402 * Otherwise:
403 * - return false for all IPv4 addresses:
404 * - if ClientUseIPv4 is 0, or
405 * if pref_only and pref_ipv6 are both true;
406 * - return false for all IPv6 addresses:
407 * - if reachable_addr_use_ipv6() is 0, or
408 * - if pref_only is true and pref_ipv6 is false.
409 *
410 * Return false if addr is NULL or tor_addr_is_null(), or if port is 0. */
411 STATIC int
416 {
422 }
424 /* Clients stop using IPv4 if it's disabled. In most cases, clients also
425 * stop using IPv4 if it's not preferred.
426 * Servers must have IPv4 enabled and preferred. */
430 }
432 /* Clients and Servers won't use IPv6 unless it's enabled (and in most
433 * cases, IPv6 must also be preferred before it will be used). */
437 }
440 firewall_policy);
441 }
443 /** Is this client configured to use IPv6?
444 * Returns true if the client might use IPv6 for some of its connections
445 * (including dual-stack and IPv6-only clients), and false if it will never
446 * use IPv6 for any connections.
447 * Use node_ipv6_or/dir_preferred() when checking a specific node and OR/Dir
448 * port: it supports bridge client per-node IPv6 preferences.
449 */
450 int
452 {
453 /* Clients use IPv6 if it's set, or they use bridges, or they don't use
454 * IPv4, or they prefer it.
455 * ClientPreferIPv6DirPort is deprecated, but check it anyway. */
459 }
461 /** Do we prefer to connect to IPv6, ignoring ClientPreferIPv6ORPort and
462 * ClientPreferIPv6DirPort?
463 * If we're unsure, return -1, otherwise, return 1 for IPv6 and 0 for IPv4.
464 */
465 static int
467 {
468 /*
469 Cheap implementation of config options ClientUseIPv4 & ClientUseIPv6 --
470 If we're a server or IPv6 is disabled, use IPv4.
471 If IPv4 is disabled, use IPv6.
472 */
476 }
480 }
483 }
485 /** Do we prefer to connect to IPv6 ORPorts?
486 * Use node_ipv6_or_preferred() whenever possible: it supports bridge client
487 * per-node IPv6 preferences.
488 */
489 int
491 {
496 }
498 /* We can use both IPv4 and IPv6 - which do we prefer? */
501 }
504 }
506 /** Do we prefer to connect to IPv6 DirPorts?
507 *
508 * (node_ipv6_dir_preferred() doesn't support bridge client per-node IPv6
509 * preferences. There's no reason to use it instead of this function.)
510 */
511 int
513 {
518 }
520 /* We can use both IPv4 and IPv6 - which do we prefer? */
523 }
526 }
528 /** Return true iff we think our firewall will let us make a connection to
529 * addr:port. Uses ReachableORAddresses or ReachableDirAddresses based on
530 * fw_connection.
531 * If pref_only is true, return true if addr is in the client's preferred
532 * address family, which is IPv6 if pref_ipv6 is true, and IPv4 otherwise.
533 * If pref_only is false, ignore pref_ipv6, and return true if addr is allowed.
534 */
535 int
537 firewall_connection_t fw_connection,
539 {
542 reachable_or_addr_policy,
546 reachable_dir_addr_policy,
550 fw_connection);
552 }
553 }
555 /** Return true iff we think our firewall will let us make a connection to
556 * addr:port (ap). Uses ReachableORAddresses or ReachableDirAddresses based on
557 * fw_connection.
558 * pref_only and pref_ipv6 work as in reachable_addr_allows_addr().
559 */
560 static int
562 firewall_connection_t fw_connection,
564 {
568 pref_ipv6);
569 }
571 /** Return true iff we think our firewall will let us make a connection to
572 * ipv4h_addr/ipv6_addr. Uses ipv4_orport/ipv6_orport/ReachableORAddresses or
573 * ipv4_dirport/ipv6_dirport/ReachableDirAddresses based on IPv4/IPv6 and
574 * <b>fw_connection</b>.
575 * pref_only and pref_ipv6 work as in reachable_addr_allows_addr().
576 */
577 static int
582 firewall_connection_t fw_connection,
584 {
587 ? ipv4_orport
589 fw_connection,
592 }
596 ? ipv6_orport
598 fw_connection,
601 }
604 }
606 /** Like reachable_addr_allows_base(), but takes ri. */
607 static int
609 firewall_connection_t fw_connection,
611 {
614 }
616 /* Assume IPv4 and IPv6 DirPorts are the same */
621 }
623 /** Like reachable_addr_allows_rs, but takes pref_ipv6. */
624 static int
626 firewall_connection_t fw_connection,
628 {
631 }
633 /* Assume IPv4 and IPv6 DirPorts are the same */
638 }
640 /** Like reachable_addr_allows_base(), but takes rs.
641 * When rs is a fake_status from a dir_server_t, it can have a reachable
642 * address, even when the corresponding node does not.
643 * nodes can be missing addresses when there's no consensus (IPv4 and IPv6),
644 * or when there is a microdescriptor consensus, but no microdescriptors
645 * (microdescriptors have IPv6, the microdesc consensus does not). */
646 int
649 {
652 }
654 /* We don't have access to the node-specific IPv6 preference, so use the
655 * generic IPv6 preference instead. */
662 pref_ipv6);
663 }
665 /** Return true iff we think our firewall will let us make a connection to
666 * ipv6_addr:ipv6_orport based on ReachableORAddresses.
667 * If <b>fw_connection</b> is FIREWALL_DIR_CONNECTION, returns 0.
668 * pref_only and pref_ipv6 work as in reachable_addr_allows_addr().
669 */
670 static int
672 firewall_connection_t fw_connection,
674 {
677 }
679 /* Can't check dirport, it doesn't have one */
682 }
684 /* Also can't check IPv4, doesn't have that either */
687 pref_ipv6);
688 }
690 /** Like reachable_addr_allows_base(), but takes node, and looks up pref_ipv6
691 * from node_ipv6_or/dir_preferred(). */
692 int
694 firewall_connection_t fw_connection,
696 {
699 }
707 /* Sometimes, the rs is missing the IPv6 address info, and we need to go
708 * all the way to the md */
713 fw_connection,
714 pref_only,
715 pref_ipv6)) {
718 fw_connection,
719 pref_only,
720 pref_ipv6)) {
723 /* If we know nothing, assume it's unreachable, we'll never get an address
724 * to connect to. */
726 }
727 }
729 /** Like reachable_addr_allows_rs(), but takes ds. */
730 int
732 firewall_connection_t fw_connection,
734 {
737 }
739 /* A dir_server_t always has a fake_status. As long as it has the same
740 * addresses/ports in both fake_status and dir_server_t, this works fine.
741 * (See #17867.)
742 * reachable_addr_allows_rs only checks the addresses in fake_status. */
744 pref_only);
745 }
747 /** If a and b are both valid and allowed by fw_connection,
748 * choose one based on want_a and return it.
749 * Otherwise, return whichever is allowed.
750 * Otherwise, return NULL.
751 * pref_only and pref_ipv6 work as in reachable_addr_allows_addr().
752 */
757 firewall_connection_t fw_connection,
759 {
764 pref_ipv6)) {
766 }
769 pref_ipv6)) {
771 }
773 /* If both are allowed */
775 /* Choose a if we want it */
778 /* Choose a if we have it */
780 }
781 }
783 /** If a and b are both valid and preferred by fw_connection,
784 * choose one based on want_a and return it.
785 * Otherwise, return whichever is preferred.
786 * If neither are preferred, and pref_only is false:
787 * - If a and b are both allowed by fw_connection,
788 * choose one based on want_a and return it.
789 * - Otherwise, return whichever is preferred.
790 * Otherwise, return NULL. */
795 firewall_connection_t fw_connection,
797 {
800 fw_connection,
803 /* If there is a preferred address, use it. If we can only use preferred
804 * addresses, and neither address is preferred, pref will be NULL, and we
805 * want to return NULL, so return it. */
808 /* If there's no preferred address, and we can return addresses that are
809 * not preferred, use an address that's allowed */
812 }
813 }
815 /** Copy an address and port into <b>ap</b> that we think our firewall will
816 * let us connect to. Uses ipv4_addr/ipv6_addr and
817 * ipv4_orport/ipv6_orport/ReachableORAddresses or
818 * ipv4_dirport/ipv6_dirport/ReachableDirAddresses based on IPv4/IPv6 and
819 * <b>fw_connection</b>.
820 * If pref_only, only choose preferred addresses. In either case, choose
821 * a preferred address before an address that's not preferred.
822 * If both addresses could be chosen (they are both preferred or both allowed)
823 * choose IPv6 if pref_ipv6 is true, otherwise choose IPv4. */
824 static void
831 firewall_connection_t fw_connection,
835 {
845 tor_addr_port_t ipv4_ap;
848 ? ipv4_orport
851 tor_addr_port_t ipv6_ap;
854 ? ipv6_orport
858 want_ipv4,
860 pref_ipv6);
865 }
866 }
868 /** Like reachable_addr_choose_base(), but takes <b>rs</b>.
869 * Consults the corresponding node, then falls back to rs if node is NULL.
870 * This should only happen when there's no valid consensus, and rs doesn't
871 * correspond to a bridge client's bridge.
872 */
873 void
875 firewall_connection_t fw_connection,
877 {
885 }
893 /* There's no node-specific IPv6 preference, so use the generic IPv6
894 * preference instead. */
903 ap);
904 }
905 }
907 /** Like reachable_addr_choose_base(), but takes in a smartlist
908 * <b>lspecs</b> consisting of one or more link specifiers. We assume
909 * fw_connection is FIREWALL_OR_CONNECTION as link specifiers cannot
910 * contain DirPorts.
911 */
912 void
915 {
925 }
929 }
940 /* Skip if we already seen a v4. */
948 /* Skip if we already seen a v6, or deliberately skip it if we're not a
949 * direct connection. */
957 /* Ignore unknown. */
959 }
962 /* If we don't have IPv4 or IPv6 in link specifiers, log a bug and return. */
968 }
970 }
972 /* Here, don't check for DirPorts as link specifiers are only used for
973 * ORPorts. */
976 /* Assume that the DirPorts are zero as link specifiers only use ORPorts. */
979 FIREWALL_OR_CONNECTION,
981 ap);
982 }
984 /** Like reachable_addr_choose_base(), but takes <b>node</b>, and
985 * looks up the node's IPv6 preference rather than taking an argument
986 * for pref_ipv6. */
987 void
989 firewall_connection_t fw_connection,
991 {
999 }
1007 tor_addr_port_t ipv4_or_ap;
1009 tor_addr_port_t ipv4_dir_ap;
1012 tor_addr_port_t ipv6_or_ap;
1014 tor_addr_port_t ipv6_dir_ap;
1017 /* Assume the IPv6 OR and Dir addresses are the same. */
1023 }
1025 /** Like reachable_addr_choose_from_rs(), but takes <b>ds</b>. */
1026 void
1028 firewall_connection_t fw_connection,
1031 {
1039 }
1041 /* A dir_server_t always has a fake_status. As long as it has the same
1042 * addresses/ports in both fake_status and dir_server_t, this works fine.
1043 * (See #17867.)
1044 * This function relies on reachable_addr_choose_from_rs looking up the
1045 * node if it can, because that will get the latest info for the relay. */
1048 }
1050 /** Return 1 if <b>addr</b> is permitted to connect to our dir port,
1051 * based on <b>dir_policy</b>. Else return 0.
1052 */
1053 int
1055 {
1057 }
1059 /** Return 1 if <b>addr</b> is permitted to connect to our socks port,
1060 * based on <b>socks_policy</b>. Else return 0.
1061 */
1062 int
1064 {
1066 }
1068 /** Return 1 if <b>addr</b> is permitted to connect to our metrics port,
1069 * based on <b>metrics_policy</b>. Else return 0.
1070 */
1071 int
1073 {
1075 }
1077 /** Return true iff the address <b>addr</b> is in a country listed in the
1078 * case-insensitive list of country codes <b>cc_list</b>. */
1079 static int
1081 {
1082 country_t country;
1090 }
1092 /** Return 1 if <b>addr</b>:<b>port</b> is permitted to publish to our
1093 * directory, based on <b>authdir_reject_policy</b>. Else return 0.
1094 */
1095 int
1097 {
1101 }
1103 /** Return 1 if <b>addr</b>:<b>port</b> is considered valid in our
1104 * directory, based on <b>authdir_invalid_policy</b>. Else return 0.
1105 */
1106 int
1108 {
1112 }
1114 /** Return 1 if <b>addr</b>:<b>port</b> should be marked as a bad exit,
1115 * based on <b>authdir_badexit_policy</b>. Else return 0.
1116 */
1117 int
1119 {
1123 }
1125 /** Return 1 if <b>addr</b>:<b>port</b> should be marked as MiddleOnly,
1126 * based on <b>authdir_middleonly_policy</b>. Else return 0.
1127 */
1128 int
1130 {
1134 }
1136 #define REJECT(arg) \
1137 STMT_BEGIN *msg = tor_strdup(arg); goto err; STMT_END
1139 /** Check <b>or_options</b> to determine whether or not we are using the
1140 * default options for exit policy. Return true if so, false otherwise. */
1141 int
1143 {
1146 }
1148 /** Config helper: If there's any problem with the policy configuration
1149 * options in <b>options</b>, return -1 and set <b>msg</b> to a newly
1150 * allocated description of the error. Else return 0. */
1151 int
1153 {
1154 /* XXXX Maybe merge this into parse_policies_from_options, to make sure
1155 * that the two can't go out of sync. */
1162 }
1170 "If you want to be an exit relay, "
1171 "set ExitRelay to 1. To suppress this message in the future, "
1173 }
1175 /* The rest of these calls *append* to addr_policy. So don't actually
1176 * use the results for anything other than checking if they parse! */
1182 ADDR_POLICY_REJECT))
1185 ADDR_POLICY_REJECT))
1188 ADDR_POLICY_REJECT))
1191 ADDR_POLICY_REJECT))
1195 ADDR_POLICY_ACCEPT))
1198 ADDR_POLICY_ACCEPT))
1201 ADDR_POLICY_ACCEPT))
1204 err:
1207 #undef REJECT
1208 }
1210 /** Parse <b>string</b> in the same way that the exit policy
1211 * is parsed, and put the processed version in *<b>policy</b>.
1212 * Ignore port specifiers.
1213 */
1214 static int
1218 {
1226 }
1229 /* ports aren't used in these. */
1240 }
1242 }
1245 }
1247 }
1249 /** Helper: Parse the MetricsPortPolicy option into the metrics_policy and set
1250 * the reject all by default.
1251 *
1252 * Return 0 on success else -1. */
1253 static int
1255 {
1259 }
1260 /* It is a reject all by default. */
1263 }
1265 /** Set all policies based on <b>options</b>, which should have been validated
1266 * first by validate_addr_policies. */
1267 int
1269 {
1291 }
1295 }
1297 /** Compare two provided address policy items, and renturn -1, 0, or 1
1298 * if the first is less than, equal to, or greater than the second. */
1299 static int
1301 {
1303 #define CMP_FIELD(field) do { \
1304 if (a->field != b->field) { \
1305 return 0; \
1306 } \
1307 } while (0)
1310 /* refcnt and is_canonical are irrelevant to equality,
1311 * they are hash table implementation details */
1317 #undef CMP_FIELD
1319 }
1321 /** As single_addr_policy_eq, but compare every element of two policies.
1322 */
1323 int
1325 {
1336 }
1339 }
1341 /** Node in hashtable used to store address policy entries. */
1347 /* DOCDOC policy_root */
1350 /** Return true iff a and b are equal. */
1353 {
1355 }
1357 /** Return a hashcode for <b>ent</b> */
1358 static unsigned int
1360 {
1362 addr_policy_t aa;
1375 }
1378 }
1381 policy_eq);
1385 /** Given a pointer to an addr_policy_t, return a copy of the pointer to the
1386 * "canonical" copy of that addr_policy_t; the canonical copy is a single
1387 * reference-counted object. */
1388 addr_policy_t *
1390 {
1403 }
1408 }
1410 /** Helper for compare_tor_addr_to_addr_policy. Implements the case where
1411 * addr and port are both known. */
1412 static addr_policy_result_t
1415 {
1416 /* We know the address and port, and we know the policy, so we can just
1417 * compute an exact match. */
1422 }
1423 /* Address is known */
1425 CMP_EXACT)) {
1427 /* Exact match for the policy */
1430 }
1431 }
1434 /* accept all by default. */
1436 }
1438 /** Helper for compare_tor_addr_to_addr_policy. Implements the case where
1439 * addr is known but port is not. */
1440 static addr_policy_result_t
1443 {
1444 /* We look to see if there's a definite match. If so, we return that
1445 match's value, unless there's an intervening possible match that says
1446 something different. */
1453 }
1455 CMP_EXACT)) {
1457 /* Definitely matches, since it covers all ports. */
1459 /* If we already hit a clause that might trigger a 'reject', than we
1460 * can't be sure of this certain 'accept'.*/
1462 ADDR_POLICY_ACCEPTED;
1465 ADDR_POLICY_REJECTED;
1466 }
1468 /* Might match. */
1471 else
1473 }
1474 }
1477 /* accept all by default. */
1479 }
1481 /** Helper for compare_tor_addr_to_addr_policy. Implements the case where
1482 * port is known but address is not. */
1483 static addr_policy_result_t
1486 {
1487 /* We look to see if there's a definite match. If so, we return that
1488 match's value, unless there's an intervening possible match that says
1489 something different. */
1496 }
1499 /* Definitely matches, since it covers all addresses. */
1501 /* If we already hit a clause that might trigger a 'reject', than we
1502 * can't be sure of this certain 'accept'.*/
1504 ADDR_POLICY_ACCEPTED;
1507 ADDR_POLICY_REJECTED;
1508 }
1510 /* Might match. */
1513 else
1515 }
1516 }
1519 /* accept all by default. */
1521 }
1523 /** Decide whether a given addr:port is definitely accepted,
1524 * definitely rejected, probably accepted, or probably rejected by a
1525 * given policy. If <b>addr</b> is 0, we don't know the IP of the
1526 * target address. If <b>port</b> is 0, we don't know the port of the
1527 * target address. (At least one of <b>addr</b> and <b>port</b> must be
1528 * provided. If you want to know whether a policy would definitely reject
1529 * an unknown address:port, use policy_is_reject_star().)
1530 *
1531 * We could do better by assuming that some ranges never match typical
1532 * addresses (127.0.0.1, and so on). But we'll try this for now.
1533 */
1537 {
1539 /* no policy? accept all. */
1546 }
1552 }
1553 }
1555 /** Return true iff the address policy <b>a</b> covers every case that
1556 * would be covered by <b>b</b>, so that a,b is redundant. */
1557 static int
1559 {
1561 /* You can't cover a different family. */
1563 }
1564 /* We can ignore accept/reject, since "accept *:80, reject *:80" reduces
1565 * to "accept *:80". */
1567 /* a has more fixed bits than b; it can't possibly cover b. */
1569 }
1571 /* There's a fixed bit in a that's set differently in b. */
1573 }
1575 }
1577 /** Return true iff the address policies <b>a</b> and <b>b</b> intersect,
1578 * that is, there exists an address/port that is covered by <b>a</b> that
1579 * is also covered by <b>b</b>.
1580 */
1581 static int
1583 {
1584 maskbits_t minbits;
1585 /* All the bits we care about are those that are set in both
1586 * netmasks. If they are equal in a and b's networkaddresses
1587 * then the networks intersect. If there is a difference,
1588 * then they do not. */
1591 else
1598 }
1600 /** Add the exit policy described by <b>more</b> to <b>policy</b>.
1601 */
1602 STATIC void
1604 {
1605 config_line_t tmp;
1612 }
1613 }
1615 /** Add "reject <b>addr</b>:*" to <b>dest</b>, creating the list as needed. */
1616 void
1618 {
1636 }
1638 /* Is addr public for the purposes of rejection? */
1639 static int
1641 {
1644 }
1646 /* Add "reject <b>addr</b>:*" to <b>dest</b>, creating the list as needed.
1647 * Filter the address, only adding an IPv4 reject rule if ipv4_rules
1648 * is true, and similarly for ipv6_rules. Check each address returns true for
1649 * tor_addr_is_public_for_reject before adding it.
1650 */
1651 static void
1656 {
1660 /* Only reject IP addresses which are public */
1663 /* Reject IPv4 addresses and IPv6 addresses based on the filters */
1667 }
1668 }
1669 }
1671 /** Add "reject addr:*" to <b>dest</b>, for each addr in addrs, creating the
1672 * list as needed. */
1673 void
1676 {
1683 }
1685 /** Add "reject addr:*" to <b>dest</b>, for each addr in addrs, creating the
1686 * list as needed. Filter using */
1687 static void
1692 {
1699 }
1701 /** Detect and excise "dead code" from the policy *<b>dest</b>. */
1702 static void
1704 {
1708 /* Step one: kill every ipv4 thing after *4:*, every IPv6 thing after *6:*
1709 */
1710 {
1713 sa_family_t family;
1721 }
1724 /* This is a catch-all line -- later lines are unreachable. */
1729 }
1730 }
1731 }
1732 }
1734 /* Step two: for every entry, see if there's a redundant entry
1735 * later on, and remove it. */
1749 }
1750 }
1751 }
1753 /* Step three: for every entry A, see if there's an entry B making this one
1754 * redundant later on. This is the case if A and B are of the same type
1755 * (accept/reject), A is a subset of B, and there is no other entry of
1756 * different type in between those two that intersects with A.
1757 *
1758 * Anybody want to double-check the logic here? XXX
1759 */
1763 // tor_assert(j > i); // j starts out at i+1; j only increases; i only
1764 // // decreases.
1779 }
1780 }
1781 }
1782 }
1783 }
1785 /** Reject private helper for policies_parse_exit_policy_internal: rejects
1786 * publicly routable addresses on this exit relay.
1787 *
1788 * Add reject entries to the linked list *<b>dest</b>:
1789 * <ul>
1790 * <li>if configured_addresses is non-NULL, add entries that reject each
1791 * tor_addr_t in the list as a destination.
1792 * <li>if reject_interface_addresses is true, add entries that reject each
1793 * public IPv4 and IPv6 address of each interface on this machine.
1794 * <li>if reject_configured_port_addresses is true, add entries that reject
1795 * each IPv4 and IPv6 address configured for a port.
1796 * </ul>
1797 *
1798 * IPv6 entries are only added if ipv6_exit is true. (All IPv6 addresses are
1799 * already blocked by policies_parse_exit_policy_internal if ipv6_exit is
1800 * false.)
1801 *
1802 * The list in <b>dest</b> is created as needed.
1803 */
1804 void
1811 {
1814 /* Reject configured addresses, if they are from public netblocks. */
1818 }
1820 /* Reject configured port addresses, if they are from public netblocks. */
1826 /* Only reject port IP addresses, not port unix sockets */
1829 }
1831 }
1833 /* Reject local addresses from public netblocks on any interface. */
1837 /* Reject public IPv4 addresses on any interface */
1842 /* Don't look for IPv6 addresses if we're configured as IPv4-only */
1844 /* Reject public IPv6 addresses on any interface */
1848 }
1849 }
1851 /* If addresses were added multiple times, remove all but one of them. */
1854 }
1855 }
1857 /**
1858 * Iterate through <b>policy</b> looking for redundant entries. Log a
1859 * warning message with the first redundant entry, if any is found.
1860 */
1861 static void
1863 {
1868 sa_family_t family;
1872 /* Look for accept/reject *[4|6|]:* entries */
1875 /* accept/reject *:* may have already been expanded into
1876 * accept/reject *4:*,accept/reject *6:*
1877 * But handle both forms.
1878 */
1881 }
1884 }
1885 }
1887 /* We also find accept *4:*,reject *6:* ; and
1888 * accept *4:*,<other policies>,accept *6:* ; and similar.
1889 * That's ok, because they make any subsequent entries redundant. */
1892 /* if we're not on the final entry in the list */
1895 }
1897 }
1900 /* Work out if there are redundant trailing entries in the policy list */
1903 /* Longest possible policy is
1904 * "accept6 ffff:ffff:..255/128:10000-65535",
1905 * which contains a max-length IPv6 address, plus 24 characters. */
1910 /* since we've already parsed the policy into an addr_policy_t struct,
1911 * we might not log exactly what the user typed in */
1914 "redundant, as it follows accept/reject *:* rules for both "
1915 "IPv4 and IPv6. They will be removed from the exit policy. (Use "
1917 line);
1918 }
1919 }
1921 #define DEFAULT_EXIT_POLICY \
1924 "reject *:6346-6429,reject *:6699,reject *:6881-6999,accept *:*"
1926 #define REDUCED_EXIT_POLICY \
1942 "accept *:19638,accept *:50002,accept *:64738,reject *:*"
1944 /** Parse the exit policy <b>cfg</b> into the linked list *<b>dest</b>.
1945 *
1946 * If <b>ipv6_exit</b> is false, prepend "reject *6:*" to the policy.
1947 *
1948 * If <b>configured_addresses</b> contains addresses:
1949 * - prepend entries that reject the addresses in this list. These may be the
1950 * advertised relay addresses and/or the outbound bind addresses,
1951 * depending on the ExitPolicyRejectPrivate and
1952 * ExitPolicyRejectLocalInterfaces settings.
1953 * If <b>rejectprivate</b> is true:
1954 * - prepend "reject private:*" to the policy.
1955 * If <b>reject_interface_addresses</b> is true:
1956 * - prepend entries that reject publicly routable interface addresses on
1957 * this exit relay by calling policies_parse_exit_policy_reject_private
1958 * If <b>reject_configured_port_addresses</b> is true:
1959 * - prepend entries that reject all configured port addresses
1960 *
1961 * If cfg doesn't end in an absolute accept or reject and if
1962 * <b>add_default_policy</b> is true, add the default exit
1963 * policy afterwards.
1964 *
1965 * Return -1 if we can't parse cfg, else return 0.
1966 *
1967 * This function is used to parse the exit policy from our torrc. For
1968 * the functions used to parse the exit policy from a router descriptor,
1969 * see router_add_exit_policy.
1970 */
1971 static int
1981 {
1984 }
1986 /* Reject IPv4 and IPv6 reserved private netblocks */
1988 }
1990 /* Consider rejecting IPv4 and IPv6 advertised relay addresses, outbound bind
1991 * addresses, publicly routable addresses, and configured port addresses
1992 * on this exit relay */
1994 configured_addresses,
1995 reject_interface_addresses,
1996 reject_configured_port_addresses);
2001 /* Before we add the default policy and final rejects, check to see if
2002 * there are any lines after accept *:* or reject *:*. These lines have no
2003 * effect, and are most likely an error. */
2013 }
2017 }
2019 /** Parse exit policy in <b>cfg</b> into <b>dest</b> smartlist.
2020 *
2021 * Prepend an entry that rejects all IPv6 destinations unless
2022 * <b>EXIT_POLICY_IPV6_ENABLED</b> bit is set in <b>options</b> bitmask.
2023 *
2024 * If <b>EXIT_POLICY_REJECT_PRIVATE</b> bit is set in <b>options</b>:
2025 * - prepend an entry that rejects all destinations in all netblocks
2026 * reserved for private use.
2027 * - prepend entries that reject the advertised relay addresses in
2028 * configured_addresses
2029 * If <b>EXIT_POLICY_REJECT_LOCAL_INTERFACES</b> bit is set in <b>options</b>:
2030 * - prepend entries that reject publicly routable addresses on this exit
2031 * relay by calling policies_parse_exit_policy_internal
2032 * - prepend entries that reject the outbound bind addresses in
2033 * configured_addresses
2034 * - prepend entries that reject all configured port addresses
2035 *
2036 * If <b>EXIT_POLICY_ADD_DEFAULT</b> bit is set in <b>options</b>, append
2037 * default exit policy entries to <b>result</b> smartlist.
2038 */
2039 int
2041 exit_policy_parser_cfg_t options,
2043 {
2052 reject_private,
2053 configured_addresses,
2054 reject_local_interfaces,
2055 reject_local_interfaces,
2056 add_default,
2057 add_reduced);
2058 }
2060 /** Helper function that adds a copy of addr to a smartlist as long as it is
2061 * non-NULL and not tor_addr_is_null().
2062 *
2063 * The caller is responsible for freeing all the tor_addr_t* in the smartlist.
2064 */
2065 static void
2067 {
2072 }
2073 }
2075 /** Helper function that adds copies of or_options->OutboundBindAddresses
2076 * to a smartlist as tor_addr_t *, as long as or_options is non-NULL, and
2077 * the addresses are not tor_addr_is_null(), by passing them to
2078 * policies_add_addr_to_smartlist.
2079 *
2080 * The caller is responsible for freeing all the tor_addr_t* in the smartlist.
2081 */
2082 static void
2085 {
2092 }
2093 }
2094 }
2095 }
2096 }
2098 /** Parse <b>ExitPolicy</b> member of <b>or_options</b> into <b>result</b>
2099 * smartlist.
2100 * If <b>or_options->IPv6Exit</b> is false, prepend an entry that
2101 * rejects all IPv6 destinations.
2102 *
2103 * If <b>or_options->ExitPolicyRejectPrivate</b> is true:
2104 * - prepend an entry that rejects all destinations in all netblocks reserved
2105 * for private use.
2106 * - if ipv4_local_address is non-zero, treat it as a host-order IPv4 address,
2107 * and add it to the list of configured addresses.
2108 * - if ipv6_local_address is non-NULL, and not the null tor_addr_t, add it
2109 * to the list of configured addresses.
2110 * If <b>or_options->ExitPolicyRejectLocalInterfaces</b> is true:
2111 * - if or_options->OutboundBindAddresses[][0] (=IPv4) is not the null
2112 * tor_addr_t, add it to the list of configured addresses.
2113 * - if or_options->OutboundBindAddresses[][1] (=IPv6) is not the null
2114 * tor_addr_t, add it to the list of configured addresses.
2115 *
2116 * If <b>or_options->BridgeRelay</b> is false, append entries of default
2117 * Tor exit policy into <b>result</b> smartlist.
2118 *
2119 * If or_options->ExitRelay is false, or is auto without specifying an exit
2120 * policy, then make our exit policy into "reject *:*" regardless.
2121 */
2122 int
2127 {
2132 /* Short-circuit for non-exit relays, or for relays where we didn't specify
2133 * ExitPolicy or ReducedExitPolicy or IPv6Exit and ExitRelay is auto. */
2139 }
2143 /* Configure the parser */
2146 }
2150 }
2155 else
2157 }
2161 }
2163 /* Copy the configured addresses into the tor_addr_t* list */
2167 }
2171 or_options);
2172 }
2175 configured_addresses);
2181 }
2183 /** Add "reject *:*" to the end of the policy in *<b>dest</b>, allocating
2184 * *<b>dest</b> as needed. */
2185 void
2187 {
2190 }
2192 /** Replace the exit policy of <b>node</b> with reject *:* */
2193 void
2195 {
2197 }
2199 /** Return 1 if there is at least one /8 subnet in <b>policy</b> that
2200 * allows exiting to <b>port</b>. Otherwise, return 0. */
2201 static int
2203 {
2205 /* Is this /8 rejected (1), or undecided (0)? */
2221 /* Calculate the first and last subnet that this exit policy touches
2222 * and set it as loop boundaries. */
2224 tor_addr_t addr;
2231 }
2235 /* We found an allowed subnet of at least size /8. Done
2236 * for this port! */
2240 }
2241 }
2244 }
2246 /** Return true iff <b>ri</b> is "useful as an exit node", meaning
2247 * it allows exit to at least one /8 address space for each of ports 80
2248 * and 443. */
2249 int
2251 {
2257 }
2259 /** Return false if <b>policy</b> might permit access to some addr:port;
2260 * otherwise if we are certain it rejects everything, return true. If no
2261 * part of <b>policy</b> matches, return <b>default_reject</b>.
2262 * NULL policies are allowed, and treated as empty. */
2263 int
2266 {
2280 }
2283 }
2285 /** Write a single address policy to the buf_len byte buffer at buf. Return
2286 * the number of characters written, or -1 on failure. */
2287 int
2290 {
2301 /* write accept/reject 1.2.3.4 */
2311 else
2315 }
2320 addrpart);
2324 /* If the maskbits is 32 (IPv4) or 128 (IPv6) we don't need to give it. If
2325 the mask is 0, we already wrote "*". */
2330 }
2332 /* There is no port set; write ":*" */
2338 /* There is only one port; write ":80". */
2344 /* There is a range of ports; write ":79-80". */
2350 }
2353 else
2357 }
2359 /** Create a new exit policy summary, initially only with a single
2360 * port 1-64k item */
2361 /* XXXX This entire thing will do most stuff in O(N^2), or worse. Use an
2362 * RB-tree if that turns out to matter. */
2365 {
2379 }
2381 /** Split the summary item in <b>item</b> at the port <b>new_starts</b>.
2382 * The current item is changed to end at new-starts - 1, the new item
2383 * copies reject_count and accepted from the old item,
2384 * starts at new_starts and ends at the port where the original item
2385 * previously ended.
2386 */
2389 {
2403 }
2405 /* XXXX Nick says I'm going to hell for this. If he feels charitably towards
2406 * my immortal soul, he can clean it up himself. */
2407 #define AT(x) ((policy_summary_item_t*)smartlist_get(summary, x))
2409 #define IPV4_BITS (32)
2410 /* Every IPv4 address is counted as one rejection */
2411 #define REJECT_CUTOFF_SCALE_IPV4 (0)
2412 /* Ports are rejected in an IPv4 summary if they are rejected in more than two
2413 * IPv4 /8 address blocks */
2414 #define REJECT_CUTOFF_COUNT_IPV4 (UINT64_C(1) << \
2415 (IPV4_BITS - REJECT_CUTOFF_SCALE_IPV4 - 7))
2417 #define IPV6_BITS (128)
2418 /* IPv6 /64s are counted as one rejection, anything smaller is ignored */
2419 #define REJECT_CUTOFF_SCALE_IPV6 (64)
2420 /* Ports are rejected in an IPv6 summary if they are rejected in more than one
2421 * IPv6 /16 address block.
2422 * This is roughly equivalent to the IPv4 cutoff, as only five IPv6 /12s (and
2423 * some scattered smaller blocks) have been allocated to the RIRs.
2424 * Network providers are typically allocated one or more IPv6 /32s.
2425 */
2426 #define REJECT_CUTOFF_COUNT_IPV6 (UINT64_C(1) << \
2427 (IPV6_BITS - REJECT_CUTOFF_SCALE_IPV6 - 16))
2429 /** Split an exit policy summary so that prt_min and prt_max
2430 * fall at exactly the start and end of an item respectively.
2431 */
2432 static int
2435 {
2441 i++;
2446 i++;
2447 }
2451 i++;
2456 }
2459 }
2461 /** Mark port ranges as accepted if they are below the reject_count for family
2462 */
2463 static void
2466 sa_family_t family)
2467 {
2470 REJECT_CUTOFF_COUNT_IPV4 :
2471 REJECT_CUTOFF_COUNT_IPV6);
2479 i++;
2480 }
2482 }
2484 /** Count the number of addresses in a network in family with prefixlen
2485 * maskbits against the given portrange. */
2486 static void
2488 maskbits_t maskbits,
2490 sa_family_t family)
2491 {
2496 /* The length of a single address mask */
2500 /* We divide IPv6 address counts by (1 << scale) to keep them in a uint64_t
2501 */
2503 REJECT_CUTOFF_SCALE_IPV4 :
2504 REJECT_CUTOFF_SCALE_IPV6);
2509 /* The address range is so small, we'd need billions of them to reach the
2510 * rejection limit. So we ignore this range in the reject count. */
2512 }
2517 /* The address range is so large, it's an automatic rejection for all ports
2518 * in the range. */
2522 }
2529 /* IPv4 would require a 4-billion address redundant policy to get here,
2530 * but IPv6 just needs to have ::/0 */
2533 }
2534 /* If we do get here, use saturating arithmetic */
2536 }
2537 i++;
2538 }
2540 }
2542 /** Add a single exit policy item to our summary:
2543 *
2544 * If it is an accept, ignore it unless it is for all IP addresses
2545 * ("*", i.e. its prefixlen/maskbits is 0). Otherwise call
2546 * policy_summary_accept().
2547 *
2548 * If it is a reject, ignore it if it is about one of the private
2549 * networks. Otherwise call policy_summary_reject().
2550 */
2551 static void
2553 {
2557 }
2563 tor_addr_t addr;
2564 maskbits_t maskbits;
2568 }
2573 }
2574 }
2579 }
2582 }
2584 /** Create a string representing a summary for an exit policy.
2585 * The summary will either be an "accept" plus a comma-separated list of port
2586 * ranges or a "reject" plus port-ranges, depending on which is shorter.
2587 *
2588 * If no exits are allowed at all then "reject 1-65535" is returned. If no
2589 * ports are blocked instead of "reject " we return "accept 1-65535". (These
2590 * are an exception to the shorter-representation-wins rule).
2591 */
2594 {
2604 /* Create the summary list */
2609 }
2615 /* Now create two lists of strings, one for accepted and one
2616 * for rejected ports. We take care to merge ranges so that
2617 * we avoid getting stuff like "1-4,5-9,10", instead we want
2618 * "1-10"
2619 */
2632 else
2637 else
2644 };
2645 i++;
2646 };
2648 /* Figure out which of the two stringlists will be shorter and use
2649 * that to build the result
2650 */
2654 }
2658 }
2671 c--;
2682 }
2686 cleanup:
2687 /* cleanup */
2700 }
2702 /** Convert a summarized policy string into a short_policy_t. Return NULL
2703 * if the string is not well-formed. */
2704 short_policy_t *
2706 {
2723 }
2731 }
2738 /* Unrecognized format: skip it. */
2742 }
2743 }
2748 FALLTHROUGH;
2765 }
2769 n_entries++;
2772 skip_ent:
2777 }
2783 }
2785 {
2791 }
2798 bad_ent:
2802 }
2804 /** Write <b>policy</b> back out into a string. */
2807 {
2820 }
2823 }
2828 }
2830 /** Release all storage held in <b>policy</b>. */
2831 void
2833 {
2835 }
2837 /** See whether the <b>addr</b>:<b>port</b> address is likely to be accepted
2838 * or rejected by the summarized policy <b>policy</b>. Return values are as
2839 * for compare_tor_addr_to_addr_policy. Unlike the regular addr_policy
2840 * functions, requires the <b>port</b> be specified. */
2841 addr_policy_result_t
2844 {
2863 }
2864 }
2868 else
2871 /* ???? are these right? -NM */
2872 /* We should be sure not to return ADDR_POLICY_ACCEPTED in the accept
2873 * case here, because it would cause clients to believe that the node
2874 * allows exit enclaving. Trying it anyway would open up a cool attack
2875 * where the node refuses due to exitpolicy, the client reacts in
2876 * surprise by rewriting the node's exitpolicy to reject *:*, and then
2877 * an adversary targets users by causing them to attempt such connections
2878 * to 98% of the exits.
2879 *
2880 * Once microdescriptors can handle addresses in special cases (e.g. if
2881 * we ever solve ticket 1774), we can provide certainty here. -RD */
2884 else
2886 }
2888 /** Return true iff <b>policy</b> seems reject all ports */
2889 int
2891 {
2892 /* This doesn't need to be as much on the lookout as policy_is_reject_star,
2893 * since policy summaries are from the consensus or from consensus
2894 * microdescs.
2895 */
2897 /* Check for an exact match of "reject 1-65535". */
2901 }
2903 /** Decide whether addr:port is probably or definitely accepted or rejected by
2904 * <b>node</b>. See compare_tor_addr_to_addr_policy for details on addr/port
2905 * interpretation. */
2906 addr_policy_result_t
2909 {
2921 else
2923 }
2930 else
2935 }
2936 }
2938 /**
2939 * Given <b>policy_list</b>, a list of addr_policy_t, produce a string
2940 * representation of the list.
2941 * If <b>include_ipv4</b> is true, include IPv4 entries.
2942 * If <b>include_ipv6</b> is true, include IPv6 entries.
2943 */
2948 {
2959 }
2962 }
2971 }
2978 done:
2983 }
2985 /** Implementation for GETINFO control command: knows the answer for questions
2986 * about "exit-policy/..." */
2987 int
2991 {
3003 /* IPv6 addresses are in "[]" and contain ":",
3004 * IPv4 addresses are not in "[]" and contain "." */
3006 priv++;
3007 }
3022 }
3028 }
3033 /* Copy the configured addresses into the tor_addr_t* list */
3037 }
3041 options);
3042 }
3047 configured_addresses,
3065 }
3075 }
3078 include_ipv6);
3079 }
3082 }
3084 /** Release all storage held by <b>p</b>. */
3085 void
3087 {
3092 }
3094 /** Release all storage held by <b>p</b>. */
3095 void
3097 {
3109 }
3110 }
3112 }
3113 }
3115 /** Release all storage held by policy variables. */
3116 void
3118 {
3146 /* Note the first 10 cached policies to try to figure out where they
3147 * might be coming from. */
3153 }
3154 }
3156 }