search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
Merge branch 'maint-0.4.8'
[tor.git] / src / core / or / policies.h
blob9276b76d01341b4947c237c37d165f3dd7960f34
1 /* Copyright (c) 2001 Matej Pfajfar.
2 * Copyright (c) 2001-2004, Roger Dingledine.
3 * Copyright (c) 2004-2006, Roger Dingledine, Nick Mathewson.
4 * Copyright (c) 2007-2021, The Tor Project, Inc. */
5 /* See LICENSE for licensing information */
6
7 /**
8 * \file policies.h
9 * \brief Header file for policies.c.
10 **/
11
12 #ifndef TOR_POLICIES_H
13 #define TOR_POLICIES_H
14
15 /* (length of
16 * "accept6 [ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff]/128:65535-65535\n"
17 * plus a terminating NUL, rounded up to a nice number.)
18 */
19 #define POLICY_BUF_LEN 72
20
21 #define EXIT_POLICY_IPV6_ENABLED (1 << 0)
22 #define EXIT_POLICY_REJECT_PRIVATE (1 << 1)
23 #define EXIT_POLICY_ADD_DEFAULT (1 << 2)
24 #define EXIT_POLICY_REJECT_LOCAL_INTERFACES (1 << 3)
25 #define EXIT_POLICY_ADD_REDUCED (1 << 4)
26 #define EXIT_POLICY_OPTION_MAX EXIT_POLICY_ADD_REDUCED
27 /* All options set: used for unit testing */
28 #define EXIT_POLICY_OPTION_ALL ((EXIT_POLICY_OPTION_MAX << 1) - 1)
29
30 typedef enum firewall_connection_t {
31 FIREWALL_OR_CONNECTION = 0,
32 FIREWALL_DIR_CONNECTION = 1
33 } firewall_connection_t;
34
35 typedef int exit_policy_parser_cfg_t;
36
37 /** Outcome of applying an address policy to an address. */
38 typedef enum {
39 /** The address was accepted */
40 ADDR_POLICY_ACCEPTED=0,
41 /** The address was rejected */
42 ADDR_POLICY_REJECTED=-1,
43 /** Part of the address was unknown, but as far as we can tell, it was
44 * accepted. */
45 ADDR_POLICY_PROBABLY_ACCEPTED=1,
46 /** Part of the address was unknown, but as far as we can tell, it was
47 * rejected. */
48 ADDR_POLICY_PROBABLY_REJECTED=2,
49 } addr_policy_result_t;
50
51 /** A single entry in a parsed policy summary, describing a range of ports. */
52 typedef struct short_policy_entry_t {
53 uint16_t min_port, max_port;
54 } short_policy_entry_t;
55
56 /** A short_poliy_t is the parsed version of a policy summary. */
57 typedef struct short_policy_t {
58 /** True if the members of 'entries' are port ranges to accept; false if
59 * they are port ranges to reject */
60 unsigned int is_accept : 1;
61 /** The actual number of values in 'entries'. */
62 unsigned int n_entries : 31;
63 /** An array of 0 or more short_policy_entry_t values, each describing a
64 * range of ports that this policy accepts or rejects (depending on the
65 * value of is_accept).
66 */
67 short_policy_entry_t entries[FLEXIBLE_ARRAY_MEMBER];
68 } short_policy_t;
69
70 int firewall_is_fascist_or(void);
71 int firewall_is_fascist_dir(void);
72 int reachable_addr_use_ipv6(const or_options_t *options);
73 int reachable_addr_prefer_ipv6_orport(const or_options_t *options);
74 int reachable_addr_prefer_ipv6_dirport(const or_options_t *options);
75
76 int reachable_addr_allows_addr(const tor_addr_t *addr,
77 uint16_t port,
78 firewall_connection_t fw_connection,
79 int pref_only, int pref_ipv6);
80
81 int reachable_addr_allows_rs(const routerstatus_t *rs,
82 firewall_connection_t fw_connection,
83 int pref_only);
84 int reachable_addr_allows_node(const node_t *node,
85 firewall_connection_t fw_connection,
86 int pref_only);
87 int reachable_addr_allows_dir_server(const dir_server_t *ds,
88 firewall_connection_t fw_connection,
89 int pref_only);
90
91 void reachable_addr_choose_from_rs(const routerstatus_t *rs,
92 firewall_connection_t fw_connection,
93 int pref_only, tor_addr_port_t* ap);
94 void reachable_addr_choose_from_ls(const smartlist_t *lspecs,
95 int pref_only, tor_addr_port_t* ap);
96 void reachable_addr_choose_from_node(const node_t *node,
97 firewall_connection_t fw_connection,
98 int pref_only, tor_addr_port_t* ap);
99 void reachable_addr_choose_from_dir_server(const dir_server_t *ds,
100 firewall_connection_t fw_connection,
101 int pref_only, tor_addr_port_t* ap);
102
103 int dir_policy_permits_address(const tor_addr_t *addr);
104 int socks_policy_permits_address(const tor_addr_t *addr);
105 int metrics_policy_permits_address(const tor_addr_t *addr);
106 int authdir_policy_permits_address(const tor_addr_t *addr, uint16_t port);
107 int authdir_policy_valid_address(const tor_addr_t *addr, uint16_t port);
108 int authdir_policy_badexit_address(const tor_addr_t *addr, uint16_t port);
109 int authdir_policy_middleonly_address(const tor_addr_t *addr, uint16_t port);
110
111 int policy_using_default_exit_options(const or_options_t *or_options);
112 int validate_addr_policies(const or_options_t *options, char **msg);
113 void policy_expand_private(smartlist_t **policy);
114 void policy_expand_unspec(smartlist_t **policy);
115 int policies_parse_from_options(const or_options_t *options);
116
117 addr_policy_t *addr_policy_get_canonical_entry(addr_policy_t *ent);
118 int addr_policies_eq(const smartlist_t *a, const smartlist_t *b);
119 MOCK_DECL(addr_policy_result_t, compare_tor_addr_to_addr_policy,
120 (const tor_addr_t *addr, uint16_t port, const smartlist_t *policy));
121 addr_policy_result_t compare_tor_addr_to_node_policy(const tor_addr_t *addr,
122 uint16_t port, const node_t *node);
123
124 int policies_parse_exit_policy_from_options(
125 const or_options_t *or_options,
126 const tor_addr_t *ipv4_local_address,
127 const tor_addr_t *ipv6_local_address,
128 smartlist_t **result);
129 struct config_line_t;
130 int policies_parse_exit_policy(struct config_line_t *cfg, smartlist_t **dest,
131 exit_policy_parser_cfg_t options,
132 const smartlist_t *configured_addresses);
133 void policies_parse_exit_policy_reject_private(
134 smartlist_t **dest,
135 int ipv6_exit,
136 const smartlist_t *configured_addresses,
137 int reject_interface_addresses,
138 int reject_configured_port_addresses);
139 void policies_exit_policy_append_reject_star(smartlist_t **dest);
140 void addr_policy_append_reject_addr(smartlist_t **dest,
141 const tor_addr_t *addr);
142 void addr_policy_append_reject_addr_list(smartlist_t **dest,
143 const smartlist_t *addrs);
144 void policies_set_node_exitpolicy_to_reject_all(node_t *exitrouter);
145 int exit_policy_is_general_exit(smartlist_t *policy);
146 int policy_is_reject_star(const smartlist_t *policy, sa_family_t family,
147 int reject_by_default);
148 char * policy_dump_to_string(const smartlist_t *policy_list,
149 int include_ipv4,
150 int include_ipv6);
151 int getinfo_helper_policies(control_connection_t *conn,
152 const char *question, char **answer,
153 const char **errmsg);
154 int policy_write_item(char *buf, size_t buflen, const addr_policy_t *item,
155 int format_for_desc);
156
157 void addr_policy_list_free_(smartlist_t *p);
158 #define addr_policy_list_free(lst) \
159 FREE_AND_NULL(smartlist_t, addr_policy_list_free_, (lst))
160 void addr_policy_free_(addr_policy_t *p);
161 #define addr_policy_free(p) \
162 FREE_AND_NULL(addr_policy_t, addr_policy_free_, (p))
163 void policies_free_all(void);
164
165 char *policy_summarize(smartlist_t *policy, sa_family_t family);
166
167 short_policy_t *parse_short_policy(const char *summary);
168 char *write_short_policy(const short_policy_t *policy);
169 void short_policy_free_(short_policy_t *policy);
170 #define short_policy_free(p) \
171 FREE_AND_NULL(short_policy_t, short_policy_free_, (p))
172 int short_policy_is_reject_star(const short_policy_t *policy);
173 addr_policy_result_t compare_tor_addr_to_short_policy(
174 const tor_addr_t *addr, uint16_t port,
175 const short_policy_t *policy);
176
177 #ifdef POLICIES_PRIVATE
178 STATIC void append_exit_policy_string(smartlist_t **policy, const char *more);
179 STATIC int reachable_addr_allows(const tor_addr_t *addr,
180 uint16_t port,
181 smartlist_t *firewall_policy,
182 int pref_only, int pref_ipv6);
183 STATIC const tor_addr_port_t * reachable_addr_choose(
184 const tor_addr_port_t *a,
185 const tor_addr_port_t *b,
186 int want_a,
187 firewall_connection_t fw_connection,
188 int pref_only, int pref_ipv6);
189
190 #endif /* defined(POLICIES_PRIVATE) */
191
192 #endif /* !defined(TOR_POLICIES_H) */
The Onion Router