18 #define POLICIES_PRIVATE
34 #include "trunnel/ed25519_cert.h"
45 #define MAX_EXITPOLICY_SUMMARY_LEN 1000
76 unsigned int accepted:1;
86 "0.0.0.0/8",
"169.254.0.0/16",
87 "127.0.0.0/8",
"192.168.0.0/16",
"10.0.0.0/8",
"172.16.0.0/12",
89 "[fc00::]/7",
"[fe80::]/10",
"[fec0::]/10",
"[ff00::]/8",
"[::]/127",
99 int reject_interface_addresses,
100 int reject_configured_port_addresses,
101 int add_default_policy,
102 int add_reduced_policy);
109 uint16_t port_min, port_max;
120 if (! p->is_private) {
131 &newpolicy.
maskbits, &port_min, &port_max)<0) {
132 tor_assert_unreached();
137 } SMARTLIST_FOREACH_END(p);
139 smartlist_free(*policy);
156 if (family == AF_INET6 || family == AF_INET || p->is_private) {
158 }
else if (family == AF_UNSPEC) {
165 if (p->maskbits != 0) {
166 log_warn(
LD_BUG,
"AF_UNSPEC policy with maskbits==%d", p->maskbits);
172 (
const uint8_t *)
"\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0");
177 log_warn(
LD_BUG,
"Funny-looking address policy with family %d", family);
180 } SMARTLIST_FOREACH_END(p);
182 smartlist_free(*policy);
210 for (; cfg; cfg = cfg->next) {
212 SPLIT_SKIP_SPACE|SPLIT_IGNORE_BLANK, 0);
214 log_debug(
LD_CONFIG,
"Adding new entry '%s'",ent);
220 }
else if (malformed_list) {
222 log_warn(
LD_CONFIG,
"Malformed policy '%s'. Discarding entire policy "
228 log_debug(
LD_CONFIG,
"Ignored policy '%s' due to non-fatal error. "
229 "The remainder of the policy list will be used.",
232 } SMARTLIST_FOREACH_END(ent);
236 smartlist_free(entries);
238 addr_policy_list_free(result);
245 smartlist_free(result);
268 "Both ReachableDirAddresses and ReachableORAddresses are set. "
269 "ReachableAddresses setting will be ignored.");
275 "Using ReachableAddresses as ReachableORAddresses.");
281 "Error parsing Reachable%sAddresses entry; ignoring.",
290 "Using ReachableAddresses as ReachableDirAddresses");
297 "Error parsing ReachableDirAddresses entry; ignoring.");
305 log_warn(
LD_CONFIG,
"Tor cannot connect to the Internet if "
306 "ReachableAddresses, ReachableORAddresses, or "
307 "ReachableDirAddresses reject all addresses. Please accept "
308 "some addresses in these options.");
312 log_warn(
LD_CONFIG,
"You have set ClientUseIPv4 1, but "
313 "ReachableAddresses, ReachableORAddresses, or "
314 "ReachableDirAddresses reject all IPv4 addresses. "
315 "Tor will not connect using IPv4.");
319 log_warn(
LD_CONFIG,
"You have configured tor to use or prefer IPv6 "
320 "(or UseBridges 1), but "
321 "ReachableAddresses, ReachableORAddresses, or "
322 "ReachableDirAddresses reject all IPv6 addresses. "
323 "Tor will not connect using IPv6.");
341 firewall_is_fascist_impl(
void)
389 log_warn(
LD_BUG,
"Unexpected result: %d", (
int)p);
412 int pref_only,
int pref_ipv6)
491 if (pref_ipv6 >= 0) {
513 if (pref_ipv6 >= 0) {
534 firewall_connection_t fw_connection,
535 int pref_only,
int pref_ipv6)
537 if (fw_connection == FIREWALL_OR_CONNECTION) {
540 pref_only, pref_ipv6);
541 }
else if (fw_connection == FIREWALL_DIR_CONNECTION) {
544 pref_only, pref_ipv6);
546 log_warn(
LD_BUG,
"Bad firewall_connection_t value %d.",
559 firewall_connection_t fw_connection,
560 int pref_only,
int pref_ipv6)
564 fw_connection, pref_only,
576 uint16_t ipv4_dirport,
577 const tor_addr_t *ipv6_addr, uint16_t ipv6_orport,
578 uint16_t ipv6_dirport,
579 firewall_connection_t fw_connection,
580 int pref_only,
int pref_ipv6)
583 (fw_connection == FIREWALL_OR_CONNECTION
587 pref_only, pref_ipv6)) {
592 (fw_connection == FIREWALL_OR_CONNECTION
596 pref_only, pref_ipv6)) {
606 firewall_connection_t fw_connection,
607 int pref_only,
int pref_ipv6)
616 ri->ipv6_orport, ri->ipv4_dirport,
617 fw_connection, pref_only, pref_ipv6);
623 firewall_connection_t fw_connection,
624 int pref_only,
int pref_ipv6)
634 fw_connection, pref_only, pref_ipv6);
645 firewall_connection_t fw_connection,
int pref_only)
654 int pref_ipv6 = (fw_connection == FIREWALL_OR_CONNECTION
669 firewall_connection_t fw_connection,
670 int pref_only,
int pref_ipv6)
677 if (fw_connection == FIREWALL_DIR_CONNECTION) {
683 fw_connection, pref_only,
691 firewall_connection_t fw_connection,
698 node_assert_ok(node);
700 const int pref_ipv6 = (fw_connection == FIREWALL_OR_CONNECTION
707 pref_only, pref_ipv6)) {
729 firewall_connection_t fw_connection,
754 firewall_connection_t fw_connection,
755 int pref_only,
int pref_ipv6)
771 if (use_a && use_b) {
773 return (want_a ? use_a : use_b);
776 return (use_a ? use_a : use_b);
792 firewall_connection_t fw_connection,
793 int pref_only,
int pref_ipv6)
799 if (pref_only || pref) {
823 uint16_t ipv4_orport,
824 uint16_t ipv4_dirport,
826 uint16_t ipv6_orport,
827 uint16_t ipv6_dirport,
828 firewall_connection_t fw_connection,
834 const int want_ipv4 = !pref_ipv6;
844 ipv4_ap.port = (fw_connection == FIREWALL_OR_CONNECTION
850 ipv6_ap.port = (fw_connection == FIREWALL_OR_CONNECTION
856 fw_connection, pref_only,
861 ap->port = result->port;
872 firewall_connection_t fw_connection,
892 int pref_ipv6 = (fw_connection == FIREWALL_OR_CONNECTION
899 fw_connection, pref_only, pref_ipv6,
913 int have_v4 = 0, have_v6 = 0;
914 uint16_t port_v4 = 0, port_v6 = 0;
919 if (lspecs == NULL) {
920 log_warn(
LD_BUG,
"Unknown or missing link specifiers");
923 if (smartlist_len(lspecs) == 0) {
924 log_warn(
LD_PROTOCOL,
"Link specifiers are empty");
935 switch (link_specifier_get_ls_type(ls)) {
938 if (have_v4)
continue;
940 link_specifier_get_un_ipv4_addr(ls));
941 port_v4 = link_specifier_get_un_ipv4_port(ls);
947 if (have_v6)
continue;
949 link_specifier_getconstarray_un_ipv6_addr(ls));
950 port_v6 = link_specifier_get_un_ipv6_port(ls);
957 } SMARTLIST_FOREACH_END(ls);
960 if (!have_v4 && !have_v6) {
962 log_warn(
LD_PROTOCOL,
"None of our link specifiers have IPv4 or IPv6");
964 log_warn(
LD_PROTOCOL,
"None of our link specifiers have IPv4");
975 &addr_v6, port_v6, 0,
976 FIREWALL_OR_CONNECTION,
977 pref_only, pref_ipv6,
986 firewall_connection_t fw_connection,
998 node_assert_ok(node);
1000 const int pref_ipv6_node = (fw_connection == FIREWALL_OR_CONNECTION
1016 ipv4_dir_ap.port, &ipv6_or_ap.addr,
1017 ipv6_or_ap.port, ipv6_dir_ap.port,
1018 fw_connection, pref_only,
1019 pref_ipv6_node, ap);
1025 firewall_connection_t fw_connection,
1122 #define REJECT(arg) \
1123 STMT_BEGIN *msg = tor_strdup(arg); goto err; STMT_END
1147 REJECT(
"Error in ExitPolicy entry.");
1150 static int warned_about_nonexit = 0;
1154 warned_about_nonexit = 1;
1155 log_notice(
LD_CONFIG,
"By default, Tor does not run as an exit relay. "
1156 "If you want to be an exit relay, "
1157 "set ExitRelay to 1. To suppress this message in the future, "
1158 "set ExitRelay to 0.");
1164 REJECT(
"Error in DirPolicy entry.");
1166 REJECT(
"Error in SocksPolicy entry.");
1168 ADDR_POLICY_REJECT))
1169 REJECT(
"Error in AuthDirReject entry.");
1171 ADDR_POLICY_REJECT))
1172 REJECT(
"Error in AuthDirInvalid entry.");
1174 ADDR_POLICY_REJECT))
1175 REJECT(
"Error in AuthDirBadExit entry.");
1178 ADDR_POLICY_ACCEPT))
1179 REJECT(
"Error in ReachableAddresses entry.");
1181 ADDR_POLICY_ACCEPT))
1182 REJECT(
"Error in ReachableORAddresses entry.");
1184 ADDR_POLICY_ACCEPT))
1185 REJECT(
"Error in ReachableDirAddresses entry.");
1188 addr_policy_list_free(addr_policy);
1189 return *msg ? -1 : 0;
1203 int killed_any_ports = 0;
1204 addr_policy_list_free(*policy);
1213 if (n->prt_min > 1 || n->prt_max != 65535) {
1215 memcpy(&newp, n,
sizeof(newp));
1221 addr_policy_free(n);
1222 killed_any_ports = 1;
1224 } SMARTLIST_FOREACH_END(n);
1226 if (killed_any_ports) {
1227 log_warn(
LD_CONFIG,
"Ignoring ports in %s option.", option_name);
1283 #define CMP_FIELD(field) do { \
1284 if (a->field != b->field) { \
1288 CMP_FIELD(policy_type);
1289 CMP_FIELD(is_private);
1294 CMP_FIELD(maskbits);
1307 int len_a = a ? smartlist_len(a) : 0;
1308 int len_b = b ? smartlist_len(b) : 0;
1313 for (i = 0; i < len_a; ++i) {
1343 memset(&aa, 0,
sizeof(aa));
1357 return (
unsigned) siphash24g(&aa,
sizeof(aa));
1376 found = HT_FIND(policy_map, &policy_root, &search);
1380 found->policy->is_canonical = 1;
1381 found->policy->refcnt = 0;
1382 HT_INSERT(policy_map, &policy_root, found);
1386 ++found->policy->refcnt;
1387 return found->policy;
1399 if (tmpe->addr.family == AF_UNSPEC) {
1400 log_warn(
LD_BUG,
"Policy contains an AF_UNSPEC address, which only "
1401 "matches other AF_UNSPEC addresses.");
1406 if (port >= tmpe->prt_min && port <= tmpe->prt_max) {
1408 return tmpe->policy_type == ADDR_POLICY_ACCEPT ?
1412 } SMARTLIST_FOREACH_END(tmpe);
1427 int maybe_accept = 0, maybe_reject = 0;
1430 if (tmpe->addr.family == AF_UNSPEC) {
1431 log_warn(
LD_BUG,
"Policy contains an AF_UNSPEC address, which only "
1432 "matches other AF_UNSPEC addresses.");
1436 if (tmpe->prt_min <= 1 && tmpe->prt_max >= 65535) {
1438 if (tmpe->policy_type == ADDR_POLICY_ACCEPT) {
1449 if (tmpe->policy_type == ADDR_POLICY_REJECT)
1455 } SMARTLIST_FOREACH_END(tmpe);
1470 int maybe_accept = 0, maybe_reject = 0;
1473 if (tmpe->addr.family == AF_UNSPEC) {
1474 log_warn(
LD_BUG,
"Policy contains an AF_UNSPEC address, which only "
1475 "matches other AF_UNSPEC addresses.");
1477 if (tmpe->prt_min <= port && port <= tmpe->prt_max) {
1478 if (tmpe->maskbits == 0) {
1480 if (tmpe->policy_type == ADDR_POLICY_ACCEPT) {
1491 if (tmpe->policy_type == ADDR_POLICY_REJECT)
1497 } SMARTLIST_FOREACH_END(tmpe);
1523 log_info(
LD_BUG,
"Rejecting null address with 0 port (family %d)",
1528 }
else if (port == 0) {
1588 tmp.value = (
char*) more;
1591 log_warn(
LD_BUG,
"Unable to parse internally generated policy %s",more);
1603 memset(&p, 0,
sizeof(p));
1614 log_debug(
LD_CONFIG,
"Adding a reject ExitPolicy 'reject %s:*'",
1620 tor_addr_is_public_for_reject(
const tor_addr_t *addr)
1632 addr_policy_append_reject_addr_filter(
smartlist_t **dest,
1641 if (tor_addr_is_public_for_reject(addr)) {
1645 if ((is_ipv4 && ipv4_rules) || (!is_ipv4 && ipv6_rules)) {
1662 } SMARTLIST_FOREACH_END(addr);
1677 addr_policy_append_reject_addr_filter(dest, addr, ipv4_rules, ipv6_rules);
1678 } SMARTLIST_FOREACH_END(addr);
1691 int kill_v4=0, kill_v6=0;
1692 for (i = 0; i < smartlist_len(dest); ++i) {
1694 ap = smartlist_get(dest, i);
1696 if ((family == AF_INET && kill_v4) ||
1697 (family == AF_INET6 && kill_v6)) {
1699 addr_policy_free(ap);
1705 if (family == AF_INET) {
1707 }
else if (family == AF_INET6) {
1716 for (i = 0; i < smartlist_len(dest)-1; ++i) {
1717 ap = smartlist_get(dest, i);
1718 for (j = i+1; j < smartlist_len(dest); ++j) {
1719 tmp = smartlist_get(dest, j);
1722 char p1[POLICY_BUF_LEN], p2[POLICY_BUF_LEN];
1725 log_debug(
LD_CONFIG,
"Removing exit policy %s (%d). It is made "
1726 "redundant by %s (%d).", p1, j, p2, i);
1728 addr_policy_free(tmp);
1740 for (i = 0; i < smartlist_len(dest)-1; ++i) {
1741 ap = smartlist_get(dest, i);
1742 for (j = i+1; j < smartlist_len(dest); ++j) {
1745 tmp = smartlist_get(dest, j);
1751 char p1[POLICY_BUF_LEN], p2[POLICY_BUF_LEN];
1754 log_debug(
LD_CONFIG,
"Removing exit policy %s. It is already "
1755 "covered by %s.", p1, p2);
1757 addr_policy_free(ap);
1789 int reject_interface_addresses,
1790 int reject_configured_port_addresses)
1795 if (configured_addresses) {
1801 if (reject_configured_port_addresses) {
1807 if (!port->is_unix_addr) {
1808 addr_policy_append_reject_addr_filter(dest, &port->addr, 1, ipv6_exit);
1810 } SMARTLIST_FOREACH_END(port);
1814 if (reject_interface_addresses) {
1820 interface_address6_list_free(public_addresses);
1827 interface_address6_list_free(public_addresses);
1844 int found_final_effective_entry = 0;
1845 int first_redundant_entry = 0;
1849 int found_ipv4_wildcard = 0, found_ipv6_wildcard = 0;
1850 const int i = p_sl_idx;
1853 if (p->prt_min <= 1 && p->prt_max == 65535 && p->maskbits == 0) {
1859 if (family == AF_INET || family == AF_UNSPEC) {
1860 found_ipv4_wildcard = 1;
1862 if (family == AF_INET6 || family == AF_UNSPEC) {
1863 found_ipv6_wildcard = 1;
1870 if (found_ipv4_wildcard && found_ipv6_wildcard) {
1871 found_final_effective_entry = 1;
1873 if (i < smartlist_len(policy) - 1) {
1874 first_redundant_entry = i + 1;
1878 } SMARTLIST_FOREACH_END(p);
1881 if (found_final_effective_entry && first_redundant_entry > 0) {
1888 tor_assert(first_redundant_entry < smartlist_len(policy));
1889 p = smartlist_get(policy, first_redundant_entry);
1893 log_warn(
LD_DIR,
"Exit policy '%s' and all following policies are "
1894 "redundant, as it follows accept/reject *:* rules for both "
1895 "IPv4 and IPv6. They will be removed from the exit policy. (Use "
1896 "accept/reject *:* as the last entry in any exit policy.)",
1901 #define DEFAULT_EXIT_POLICY \
1902 "reject *:25,reject *:119,reject *:135-139,reject *:445," \
1903 "reject *:563,reject *:1214,reject *:4661-4666," \
1904 "reject *:6346-6429,reject *:6699,reject *:6881-6999,accept *:*"
1906 #define REDUCED_EXIT_POLICY \
1907 "accept *:20-23,accept *:43,accept *:53,accept *:79-81,accept *:88," \
1908 "accept *:110,accept *:143,accept *:194,accept *:220,accept *:389," \
1909 "accept *:443,accept *:464,accept *:465,accept *:531,accept *:543-544," \
1910 "accept *:554,accept *:563,accept *:587,accept *:636,accept *:706," \
1911 "accept *:749,accept *:873,accept *:902-904,accept *:981,accept *:989-995," \
1912 "accept *:1194,accept *:1220,accept *:1293,accept *:1500,accept *:1533," \
1913 "accept *:1677,accept *:1723,accept *:1755,accept *:1863," \
1914 "accept *:2082-2083,accept *:2086-2087,accept *:2095-2096," \
1915 "accept *:2102-2104,accept *:3128,accept *:3389,accept *:3690," \
1916 "accept *:4321,accept *:4643,accept *:5050,accept *:5190," \
1917 "accept *:5222-5223,accept *:5228,accept *:5900,accept *:6660-6669," \
1918 "accept *:6679,accept *:6697,accept *:8000,accept *:8008,accept *:8074," \
1919 "accept *:8080,accept *:8082,accept *:8087-8088,accept *:8232-8233," \
1920 "accept *:8332-8333,accept *:8443,accept *:8888,accept *:9418," \
1921 "accept *:9999,accept *:10000,accept *:11371,accept *:19294," \
1922 "accept *:19638,accept *:50002,accept *:64738,reject *:*"
1957 int reject_interface_addresses,
1958 int reject_configured_port_addresses,
1959 int add_default_policy,
1960 int add_reduced_policy)
1965 if (rejectprivate) {
1974 configured_addresses,
1975 reject_interface_addresses,
1976 reject_configured_port_addresses);
1986 if (add_reduced_policy) {
1988 }
else if (add_default_policy) {
2021 exit_policy_parser_cfg_t options,
2024 int ipv6_enabled = (options & EXIT_POLICY_IPV6_ENABLED) ? 1 : 0;
2025 int reject_private = (options & EXIT_POLICY_REJECT_PRIVATE) ? 1 : 0;
2026 int add_default = (options & EXIT_POLICY_ADD_DEFAULT) ? 1 : 0;
2027 int reject_local_interfaces = (options &
2028 EXIT_POLICY_REJECT_LOCAL_INTERFACES) ? 1 : 0;
2029 int add_reduced = (options & EXIT_POLICY_ADD_REDUCED) ? 1 : 0;
2033 configured_addresses,
2034 reject_local_interfaces,
2035 reject_local_interfaces,
2068 for (
int j=0;j<2;j++) {
2108 exit_policy_parser_cfg_t parser_cfg = 0;
2125 parser_cfg |= EXIT_POLICY_IPV6_ENABLED;
2129 parser_cfg |= EXIT_POLICY_REJECT_PRIVATE;
2134 parser_cfg |= EXIT_POLICY_ADD_REDUCED;
2136 parser_cfg |= EXIT_POLICY_ADD_DEFAULT;
2140 parser_cfg |= EXIT_POLICY_REJECT_LOCAL_INTERFACES;
2155 configured_addresses);
2158 smartlist_free(configured_addresses);
2184 uint32_t mask, ip, i;
2186 char subnet_status[256];
2188 memset(subnet_status, 0,
sizeof(subnet_status));
2192 if (p->prt_min > port || p->prt_max < port)
2198 mask = UINT32_MAX<<(32-p->maskbits);
2203 for (i = ((mask & ip)>>24); i <= (~((mask & ip) ^ mask)>>24); ++i) {
2205 if (subnet_status[i] != 0)
2208 if (tor_addr_is_internal(&addr, 0) &&
2212 if (p->policy_type == ADDR_POLICY_ACCEPT) {
2213 if (p->maskbits > 8)
2218 }
else if (p->policy_type == ADDR_POLICY_REJECT) {
2219 subnet_status[i] = 1;
2222 } SMARTLIST_FOREACH_END(p);
2248 return default_reject;
2250 if (p->policy_type == ADDR_POLICY_ACCEPT &&
2254 }
else if (p->policy_type == ADDR_POLICY_REJECT &&
2255 p->prt_min <= 1 && p->prt_max == 65535 &&
2261 } SMARTLIST_FOREACH_END(p);
2262 return default_reject;
2269 int format_for_desc)
2273 const char *addrpart;
2275 const int is_accept = policy->
policy_type == ADDR_POLICY_ACCEPT;
2277 const int is_ip6 = (family == AF_INET6);
2283 addrpart =
"private";
2284 }
else if (policy->
maskbits == 0) {
2285 if (format_for_desc)
2287 else if (family == AF_INET6)
2289 else if (family == AF_INET)
2298 is_accept ?
"accept" :
"reject",
2299 (is_ip6&&format_for_desc)?
"6":
"",
2303 written += strlen(buf);
2309 written += strlen(buf+written);
2313 if (written+4 > buflen)
2315 strlcat(buf+written,
":*", buflen-written);
2325 result =
tor_snprintf(buf+written, buflen-written,
":%d-%d",
2331 if (written < buflen)
2332 buf[written] =
'\0';
2336 return (
int)written;
2373 new->prt_min = new_starts;
2376 new->accepted = old->accepted;
2387 #define AT(x) ((policy_summary_item_t*)smartlist_get(summary, x))
2389 #define IPV4_BITS (32)
2391 #define REJECT_CUTOFF_SCALE_IPV4 (0)
2394 #define REJECT_CUTOFF_COUNT_IPV4 (UINT64_C(1) << \
2395 (IPV4_BITS - REJECT_CUTOFF_SCALE_IPV4 - 7))
2397 #define IPV6_BITS (128)
2399 #define REJECT_CUTOFF_SCALE_IPV6 (64)
2406 #define REJECT_CUTOFF_COUNT_IPV6 (UINT64_C(1) << \
2407 (IPV6_BITS - REJECT_CUTOFF_SCALE_IPV6 - 16))
2414 uint16_t prt_min, uint16_t prt_max)
2420 while (AT(i)->prt_max < prt_min)
2422 if (AT(i)->prt_min != prt_min) {
2430 while (AT(i)->prt_max < prt_max)
2432 if (AT(i)->prt_max != prt_max) {
2438 return start_at_index;
2445 uint16_t prt_min, uint16_t prt_max,
2448 tor_assert_nonfatal_once(family == AF_INET || family == AF_INET6);
2449 uint64_t family_reject_count = ((family == AF_INET) ?
2450 REJECT_CUTOFF_COUNT_IPV4 :
2451 REJECT_CUTOFF_COUNT_IPV6);
2454 while (i < smartlist_len(summary) &&
2455 AT(i)->prt_max <= prt_max) {
2456 if (!AT(i)->accepted &&
2457 AT(i)->reject_count <= family_reject_count)
2458 AT(i)->accepted = 1;
2461 tor_assert(i < smartlist_len(summary) || prt_max==65535);
2469 uint16_t prt_min, uint16_t prt_max,
2472 tor_assert_nonfatal_once(family == AF_INET || family == AF_INET6);
2477 int addrbits = (family == AF_INET) ? IPV4_BITS : IPV6_BITS;
2478 tor_assert_nonfatal_once(addrbits >= maskbits);
2482 int scale = ((family == AF_INET) ?
2483 REJECT_CUTOFF_SCALE_IPV4 :
2484 REJECT_CUTOFF_SCALE_IPV6);
2486 tor_assert_nonfatal_once(addrbits >= scale);
2487 if (maskbits > (addrbits - scale)) {
2488 tor_assert_nonfatal_once(family == AF_INET6);
2495 if (addrbits - scale - maskbits >= 64) {
2496 tor_assert_nonfatal_once(family == AF_INET6);
2501 count = (UINT64_C(1) << (addrbits - scale - maskbits));
2503 tor_assert_nonfatal_once(count > 0);
2504 while (i < smartlist_len(summary) &&
2505 AT(i)->prt_max <= prt_max) {
2506 if (AT(i)->reject_count <= UINT64_MAX - count) {
2507 AT(i)->reject_count += count;
2511 if (family == AF_INET) {
2512 tor_assert_nonfatal_unreached_once();
2515 AT(i)->reject_count = UINT64_MAX;
2519 tor_assert(i < smartlist_len(summary) || prt_max==65535);
2538 }
else if (p->
policy_type == ADDR_POLICY_REJECT) {
2546 &maskbits, NULL, NULL)<0) {
2577 int i, last, start_prt;
2578 size_t accepts_len, rejects_len;
2579 char *accepts_str = NULL, *rejects_str = NULL, *shorter_str, *result;
2587 if (f != AF_INET && f != AF_INET6) {
2588 log_warn(
LD_BUG,
"Weird family when summarizing address policy");
2593 } SMARTLIST_FOREACH_END(p);
2605 last = i == smartlist_len(summary)-1;
2607 AT(i)->accepted != AT(i+1)->accepted) {
2608 char buf[POLICY_BUF_LEN];
2610 if (start_prt == AT(i)->prt_max)
2613 tor_snprintf(buf,
sizeof(buf),
"%d-%d", start_prt, AT(i)->prt_max);
2615 if (AT(i)->accepted)
2623 start_prt = AT(i+1)->prt_min;
2631 if (smartlist_len(accepts) == 0) {
2632 result = tor_strdup(
"reject 1-65535");
2635 if (smartlist_len(rejects) == 0) {
2636 result = tor_strdup(
"accept 1-65535");
2646 shorter_str = accepts_str;
2650 while (*c !=
',' && c >= shorter_str)
2656 }
else if (rejects_len < accepts_len) {
2657 shorter_str = rejects_str;
2660 shorter_str = accepts_str;
2669 smartlist_free(summary);
2673 smartlist_free(accepts);
2677 smartlist_free(rejects);
2687 const char *orig_summary = summary;
2696 summary += strlen(
"accept ");
2699 summary += strlen(
"reject ");
2701 log_fn(LOG_PROTOCOL_WARN,
LD_DIR,
"Unrecognized policy summary keyword");
2706 for ( ; *summary; summary = next) {
2708 log_fn(LOG_PROTOCOL_WARN,
LD_DIR,
"Impossibly long policy summary %s",
2717 if (! TOR_ISDIGIT(*summary) || *summary ==
',') {
2733 high = (unsigned)
tor_parse_ulong(next+1, 10, low, 65535, &ok, &next);
2739 else if (*next !=
'\0')
2747 entries[n_entries].min_port = low;
2748 entries[n_entries].max_port = high;
2753 next = strchr(next,
',');
2759 if (n_entries == 0) {
2761 "Found no port-range entries in summary %s",
escaped(orig_summary));
2768 result = tor_malloc_zero(size);
2779 log_fn(LOG_PROTOCOL_WARN,
LD_DIR,
"Found bad entry in policy summary %s",
2796 if (e->min_port == e->max_port) {
2801 if (i < policy->n_entries-1)
2826 int found_match = 0;
2834 if (addr &&
get_options()->ClientRejectInternalAddresses &&
2840 if (e->min_port <= port && port <= e->max_port) {
2879 policy->
entries[0].min_port == 1 &&
2880 policy->
entries[0].max_port == 65535);
2907 }
else if (node->md) {
2930 char *policy_string = NULL;
2936 int bytes_written_to_pbuf;
2944 pbuf = tor_malloc(POLICY_BUF_LEN);
2947 if (bytes_written_to_pbuf < 0) {
2948 log_warn(
LD_BUG,
"policy_dump_to_string ran out of room!");
2954 } SMARTLIST_FOREACH_END(tmpe);
2960 smartlist_free(policy_string_list);
2962 return policy_string;
2969 const char *question,
char **answer,
2970 const char **errmsg)
2974 if (!strcmp(question,
"exit-policy/default")) {
2975 *answer = tor_strdup(DEFAULT_EXIT_POLICY);
2976 }
else if (!strcmp(question,
"exit-policy/reject-private/default")) {
2982 while (*priv != NULL) {
2993 smartlist_free(private_policy_strings);
2994 }
else if (!strcmp(question,
"exit-policy/reject-private/relay")) {
3006 *answer = tor_strdup(
"");
3025 &private_policy_list,
3027 configured_addresses,
3032 addr_policy_list_free(private_policy_list);
3034 smartlist_free(configured_addresses);
3035 }
else if (!
strcmpstart(question,
"exit-policy/")) {
3036 int include_ipv4 = 0;
3037 int include_ipv6 = 0;
3047 if (!strcmp(question,
"exit-policy/ipv4")) {
3049 }
else if (!strcmp(question,
"exit-policy/ipv6")) {
3051 }
else if (!strcmp(question,
"exit-policy/full")) {
3052 include_ipv4 = include_ipv6 = 1;
3071 smartlist_free(lst);
3085 found = HT_REMOVE(policy_map, &policy_root, &search);
3116 if (!HT_EMPTY(&policy_root)) {
3119 char buf[POLICY_BUF_LEN];
3121 log_warn(
LD_MM,
"Still had %d address policies cached at shutdown.",
3122 (
int)HT_SIZE(&policy_root));
3126 HT_FOREACH(ent, policy_map, &policy_root) {
3130 log_warn(
LD_MM,
" %d [%d]: %s", n, (*ent)->policy->refcnt, buf);
3133 HT_CLEAR(policy_map, &policy_root);
Address policy structures.
void tor_addr_copy(tor_addr_t *dest, const tor_addr_t *src)
const char * tor_addr_to_str(char *dest, const tor_addr_t *addr, size_t len, int decorate)
void tor_addr_make_null(tor_addr_t *a, sa_family_t family)
int tor_addr_is_loopback(const tor_addr_t *addr)
int tor_addr_compare_masked(const tor_addr_t *addr1, const tor_addr_t *addr2, maskbits_t mbits, tor_addr_comparison_t how)
int tor_addr_is_v4(const tor_addr_t *addr)
int tor_addr_compare(const tor_addr_t *addr1, const tor_addr_t *addr2, tor_addr_comparison_t how)
int tor_addr_is_null(const tor_addr_t *addr)
int tor_addr_is_multicast(const tor_addr_t *a)
int tor_addr_parse_mask_ports(const char *s, unsigned flags, tor_addr_t *addr_out, maskbits_t *maskbits_out, uint16_t *port_min_out, uint16_t *port_max_out)
smartlist_t * get_interface_address6_list(int severity, sa_family_t family, int include_internal)
void tor_addr_copy_tight(tor_addr_t *dest, const tor_addr_t *src)
void tor_addr_from_ipv6_bytes(tor_addr_t *dest, const uint8_t *ipv6_bytes)
static sa_family_t tor_addr_family(const tor_addr_t *a)
static uint32_t tor_addr_to_ipv4h(const tor_addr_t *a)
#define tor_addr_from_ipv4h(dest, v4addr)
Header file for circuitbuild.c.
const smartlist_t * get_configured_ports(void)
const or_options_t * get_options(void)
Header file for config.c.
Common functions for using (pseudo-)random number generators.
Trusted/fallback directory server structure.
const char * escaped(const char *s)
const char * geoip_get_country_name(country_t num)
int geoip_get_country_by_addr(const tor_addr_t *addr)
HT_PROTOTYPE(hs_circuitmap_ht, circuit_t, hs_circuitmap_node, hs_circuit_hash_token, hs_circuits_have_same_token)
typedef HT_HEAD(hs_service_ht, hs_service_t) hs_service_ht
#define log_fn(severity, domain, args,...)
void tor_free_(void *mem)
void * tor_reallocarray_(void *ptr, size_t sz1, size_t sz2)
Header file for microdesc.c.
Microdescriptor structure.
Header file for networkstatus.c.
Node information structure.
void node_get_prim_orport(const node_t *node, tor_addr_port_t *ap_out)
void node_get_prim_dirport(const node_t *node, tor_addr_port_t *ap_out)
int node_ipv6_dir_preferred(const node_t *node)
void node_get_pref_ipv6_dirport(const node_t *node, tor_addr_port_t *ap_out)
const node_t * node_get_by_id(const char *identity_digest)
int node_ipv6_or_preferred(const node_t *node)
void node_get_pref_ipv6_orport(const node_t *node, tor_addr_port_t *ap_out)
Header file for nodelist.c.
Master header file for Tor-specific functionality.
unsigned long tor_parse_ulong(const char *s, int base, unsigned long min, unsigned long max, int *ok, char **next)
void addr_policy_append_reject_addr(smartlist_t **dest, const tor_addr_t *addr)
static smartlist_t * metrics_policy
void addr_policy_free_(addr_policy_t *p)
int addr_policies_eq(const smartlist_t *a, const smartlist_t *b)
static int addr_policy_permits_tor_addr(const tor_addr_t *addr, uint16_t port, smartlist_t *policy)
static int addr_policy_intersects(addr_policy_t *a, addr_policy_t *b)
static int addr_policy_covers(addr_policy_t *a, addr_policy_t *b)
int reachable_addr_prefer_ipv6_dirport(const or_options_t *options)
static smartlist_t * dir_policy
int policies_parse_exit_policy_from_options(const or_options_t *or_options, const tor_addr_t *ipv4_local_address, const tor_addr_t *ipv6_local_address, smartlist_t **result)
static int parse_reachable_addresses(void)
static int exit_policy_is_general_exit_helper(smartlist_t *policy, int port)
static int single_addr_policy_eq(const addr_policy_t *a, const addr_policy_t *b)
#define MAX_EXITPOLICY_SUMMARY_LEN
static smartlist_t * authdir_invalid_policy
static int reachable_addr_prefer_ipv6_impl(const or_options_t *options)
static void policy_summary_add_item(smartlist_t *summary, addr_policy_t *p)
int reachable_addr_prefer_ipv6_orport(const or_options_t *options)
void policy_expand_private(smartlist_t **policy)
static const char * private_nets[]
int reachable_addr_allows_rs(const routerstatus_t *rs, firewall_connection_t fw_connection, int pref_only)
static smartlist_t * policy_summary_create(void)
int firewall_is_fascist_or(void)
int metrics_policy_permits_address(const tor_addr_t *addr)
STATIC int reachable_addr_allows(const tor_addr_t *addr, uint16_t port, smartlist_t *firewall_policy, int pref_only, int pref_ipv6)
void policies_parse_exit_policy_reject_private(smartlist_t **dest, int ipv6_exit, const smartlist_t *configured_addresses, int reject_interface_addresses, int reject_configured_port_addresses)
static void policy_summary_accept(smartlist_t *summary, uint16_t prt_min, uint16_t prt_max, sa_family_t family)
short_policy_t * parse_short_policy(const char *summary)
static int reachable_addr_allows_md_impl(const microdesc_t *md, firewall_connection_t fw_connection, int pref_only, int pref_ipv6)
void addr_policy_append_reject_addr_list(smartlist_t **dest, const smartlist_t *addrs)
static int reachable_addr_allows_rs_impl(const routerstatus_t *rs, firewall_connection_t fw_connection, int pref_only, int pref_ipv6)
static const tor_addr_port_t * reachable_addr_choose_impl(const tor_addr_port_t *a, const tor_addr_port_t *b, int want_a, firewall_connection_t fw_connection, int pref_only, int pref_ipv6)
static void policies_copy_outbound_addresses_to_smartlist(smartlist_t *addr_list, const or_options_t *or_options)
static int addr_is_in_cc_list(const tor_addr_t *addr, const smartlist_t *cc_list)
int reachable_addr_allows_addr(const tor_addr_t *addr, uint16_t port, firewall_connection_t fw_connection, int pref_only, int pref_ipv6)
void reachable_addr_choose_from_node(const node_t *node, firewall_connection_t fw_connection, int pref_only, tor_addr_port_t *ap)
void reachable_addr_choose_from_dir_server(const dir_server_t *ds, firewall_connection_t fw_connection, int pref_only, tor_addr_port_t *ap)
char * policy_dump_to_string(const smartlist_t *policy_list, int include_ipv4, int include_ipv6)
int reachable_addr_allows_node(const node_t *node, firewall_connection_t fw_connection, int pref_only)
static void exit_policy_remove_redundancies(smartlist_t *dest)
static void policy_summary_reject(smartlist_t *summary, maskbits_t maskbits, uint16_t prt_min, uint16_t prt_max, sa_family_t family)
static void addr_policy_append_reject_addr_list_filter(smartlist_t **dest, const smartlist_t *addrs, int ipv4_rules, int ipv6_rules)
int getinfo_helper_policies(control_connection_t *conn, const char *question, char **answer, const char **errmsg)
void reachable_addr_choose_from_ls(const smartlist_t *lspecs, int pref_only, tor_addr_port_t *ap)
STATIC void append_exit_policy_string(smartlist_t **policy, const char *more)
void reachable_addr_choose_from_rs(const routerstatus_t *rs, firewall_connection_t fw_connection, int pref_only, tor_addr_port_t *ap)
static addr_policy_result_t compare_known_tor_addr_to_addr_policy_noport(const tor_addr_t *addr, const smartlist_t *policy)
int policies_parse_from_options(const or_options_t *options)
int authdir_policy_badexit_address(const tor_addr_t *addr, uint16_t port)
int reachable_addr_allows_dir_server(const dir_server_t *ds, firewall_connection_t fw_connection, int pref_only)
static void policies_log_first_redundant_entry(const smartlist_t *policy)
void policies_set_node_exitpolicy_to_reject_all(node_t *node)
static policy_summary_item_t * policy_summary_item_split(policy_summary_item_t *old, uint16_t new_starts)
static smartlist_t * reachable_or_addr_policy
static int load_policy_from_option(config_line_t *config, const char *option_name, smartlist_t **policy, int assume_action)
addr_policy_result_t compare_tor_addr_to_addr_policy(const tor_addr_t *addr, uint16_t port, const smartlist_t *policy)
char * write_short_policy(const short_policy_t *policy)
static addr_policy_result_t compare_unknown_tor_addr_to_addr_policy(uint16_t port, const smartlist_t *policy)
int policies_parse_exit_policy(config_line_t *cfg, smartlist_t **dest, exit_policy_parser_cfg_t options, const smartlist_t *configured_addresses)
static smartlist_t * reachable_dir_addr_policy
static int policy_using_default_exit_options(const or_options_t *or_options)
static addr_policy_result_t compare_known_tor_addr_to_addr_policy(const tor_addr_t *addr, uint16_t port, const smartlist_t *policy)
int reachable_addr_use_ipv6(const or_options_t *options)
addr_policy_result_t compare_tor_addr_to_short_policy(const tor_addr_t *addr, uint16_t port, const short_policy_t *policy)
int firewall_is_fascist_dir(void)
static smartlist_t * authdir_badexit_policy
static unsigned int policy_hash(const policy_map_ent_t *ent)
int dir_policy_permits_address(const tor_addr_t *addr)
void policy_expand_unspec(smartlist_t **policy)
addr_policy_t * addr_policy_get_canonical_entry(addr_policy_t *e)
int authdir_policy_permits_address(const tor_addr_t *addr, uint16_t port)
void policies_free_all(void)
void addr_policy_list_free_(smartlist_t *lst)
void short_policy_free_(short_policy_t *policy)
static smartlist_t * socks_policy
static int reachable_addr_allows_ri_impl(const routerinfo_t *ri, firewall_connection_t fw_connection, int pref_only, int pref_ipv6)
int validate_addr_policies(const or_options_t *options, char **msg)
int socks_policy_permits_address(const tor_addr_t *addr)
static void policies_copy_addr_to_smartlist(smartlist_t *addr_list, const tor_addr_t *addr)
STATIC const tor_addr_port_t * reachable_addr_choose(const tor_addr_port_t *a, const tor_addr_port_t *b, int want_a, firewall_connection_t fw_connection, int pref_only, int pref_ipv6)
int policy_is_reject_star(const smartlist_t *policy, sa_family_t family, int default_reject)
static smartlist_t * authdir_reject_policy
addr_policy_result_t compare_tor_addr_to_node_policy(const tor_addr_t *addr, uint16_t port, const node_t *node)
int authdir_policy_valid_address(const tor_addr_t *addr, uint16_t port)
static void reachable_addr_choose_base(const tor_addr_t *ipv4_addr, uint16_t ipv4_orport, uint16_t ipv4_dirport, const tor_addr_t *ipv6_addr, uint16_t ipv6_orport, uint16_t ipv6_dirport, firewall_connection_t fw_connection, int pref_only, int pref_ipv6, tor_addr_port_t *ap)
static int policies_parse_exit_policy_internal(config_line_t *cfg, smartlist_t **dest, int ipv6_exit, int rejectprivate, const smartlist_t *configured_addresses, int reject_interface_addresses, int reject_configured_port_addresses, int add_default_policy, int add_reduced_policy)
int short_policy_is_reject_star(const short_policy_t *policy)
static int policy_summary_split(smartlist_t *summary, uint16_t prt_min, uint16_t prt_max)
static int parse_metrics_port_policy(const or_options_t *options)
static int reachable_addr_allows_base(const tor_addr_t *ipv4_addr, uint16_t ipv4_orport, uint16_t ipv4_dirport, const tor_addr_t *ipv6_addr, uint16_t ipv6_orport, uint16_t ipv6_dirport, firewall_connection_t fw_connection, int pref_only, int pref_ipv6)
int exit_policy_is_general_exit(smartlist_t *policy)
char * policy_summarize(smartlist_t *policy, sa_family_t family)
static int parse_addr_policy(config_line_t *cfg, smartlist_t **dest, int assume_action)
void policies_exit_policy_append_reject_star(smartlist_t **dest)
int policy_write_item(char *buf, size_t buflen, const addr_policy_t *policy, int format_for_desc)
static int reachable_addr_allows_ap(const tor_addr_port_t *ap, firewall_connection_t fw_connection, int pref_only, int pref_ipv6)
Header file for policies.c.
@ ADDR_POLICY_PROBABLY_ACCEPTED
@ ADDR_POLICY_PROBABLY_REJECTED
addr_policy_t * router_parse_addr_policy_item_from_string(const char *s, int assume_action, int *malformed_list)
Header file for policy_parse.c.
Listener port configuration structure.
int tor_asprintf(char **strp, const char *fmt,...)
int tor_snprintf(char *str, size_t size, const char *format,...)
const char * routerinfo_err_to_string(int err)
const routerinfo_t * router_get_my_routerinfo_with_err(int *err)
char * router_dump_exit_policy_to_string(const routerinfo_t *router, int include_ipv4, int include_ipv6)
int routerinfo_err_is_transient(int err)
Header file for router.c.
Router descriptor structure.
int public_server_mode(const or_options_t *options)
int server_mode(const or_options_t *options)
Header file for routermode.c.
Routerstatus (consensus entry) structure.
int smartlist_contains_string_case(const smartlist_t *sl, const char *element)
void smartlist_add_asprintf(struct smartlist_t *sl, const char *pattern,...)
char * smartlist_join_strings(smartlist_t *sl, const char *join, int terminate, size_t *len_out)
void smartlist_insert(smartlist_t *sl, int idx, void *val)
void smartlist_add_all(smartlist_t *s1, const smartlist_t *s2)
smartlist_t * smartlist_new(void)
void smartlist_add_strdup(struct smartlist_t *sl, const char *string)
void smartlist_add(smartlist_t *sl, void *element)
void smartlist_clear(smartlist_t *sl)
void smartlist_del_keeporder(smartlist_t *sl, int idx)
#define SMARTLIST_REPLACE_CURRENT(sl, var, val)
#define SMARTLIST_FOREACH_BEGIN(sl, type, var)
#define SMARTLIST_FOREACH(sl, type, var, cmd)
int smartlist_split_string(smartlist_t *sl, const char *str, const char *sep, int flags, int max)
addr_policy_action_bitfield_t policy_type
unsigned int is_canonical
routerstatus_t fake_status
struct short_policy_t * exit_policy
struct short_policy_t * ipv6_exit_policy
struct config_line_t * AuthDirInvalid
int ClientPreferIPv6DirPort
struct config_line_t * AuthDirReject
int ExitPolicyRejectPrivate
struct config_line_t * MetricsPortPolicy
int ClientPreferIPv6ORPort
struct config_line_t * SocksPolicy
struct config_line_t * ReachableORAddresses
struct config_line_t * ReachableDirAddresses
tor_addr_t OutboundBindAddresses[OUTBOUND_ADDR_MAX][2]
int ExitPolicyRejectLocalInterfaces
struct config_line_t * DirPolicy
struct config_line_t * ExitPolicy
struct config_line_t * ReachableAddresses
struct config_line_t * AuthDirBadExit
smartlist_t * exit_policy
struct short_policy_t * ipv6_exit_policy
char identity_digest[DIGEST_LEN]
short_policy_entry_t entries[FLEXIBLE_ARRAY_MEMBER]
#define MOCK_IMPL(rv, funcname, arglist)
int strcmpstart(const char *s1, const char *s2)