tor  0.4.2.1-alpha-dev
policies.c
Go to the documentation of this file.
1 /* Copyright (c) 2001-2004, Roger Dingledine.
2  * Copyright (c) 2004-2006, Roger Dingledine, Nick Mathewson.
3  * Copyright (c) 2007-2019, The Tor Project, Inc. */
4 /* See LICENSE for licensing information */
5 
18 #define POLICIES_PRIVATE
19 
20 #include "core/or/or.h"
21 #include "feature/client/bridges.h"
22 #include "app/config/config.h"
23 #include "core/or/policies.h"
28 #include "feature/relay/router.h"
30 #include "lib/geoip/geoip.h"
31 #include "ht.h"
33 #include "lib/encoding/confline.h"
34 #include "trunnel/ed25519_cert.h"
35 
36 #include "core/or/addr_policy_st.h"
37 #include "feature/dirclient/dir_server_st.h"
38 #include "feature/nodelist/microdesc_st.h"
39 #include "feature/nodelist/node_st.h"
40 #include "core/or/port_cfg_st.h"
41 #include "feature/nodelist/routerinfo_st.h"
42 #include "feature/nodelist/routerstatus_st.h"
43 
45 #define MAX_EXITPOLICY_SUMMARY_LEN 1000
46 
48 static smartlist_t *socks_policy = NULL;
50 static smartlist_t *dir_policy = NULL;
60 
67 
69 typedef struct policy_summary_item_t {
70  uint16_t prt_min;
71  uint16_t prt_max;
72  uint64_t reject_count;
74  unsigned int accepted:1;
76 
83 static const char *private_nets[] = {
84  "0.0.0.0/8", "169.254.0.0/16",
85  "127.0.0.0/8", "192.168.0.0/16", "10.0.0.0/8", "172.16.0.0/12",
86  "[::]/8",
87  "[fc00::]/7", "[fe80::]/10", "[fec0::]/10", "[ff00::]/8", "[::]/127",
88  NULL
89 };
90 
92  config_line_t *cfg,
93  smartlist_t **dest,
94  int ipv6_exit,
95  int rejectprivate,
96  const smartlist_t *configured_addresses,
97  int reject_interface_addresses,
98  int reject_configured_port_addresses,
99  int add_default_policy,
100  int add_reduced_policy);
101 
104 void
106 {
107  uint16_t port_min, port_max;
108 
109  int i;
110  smartlist_t *tmp;
111 
112  if (!*policy) /*XXXX disallow NULL policies? */
113  return;
114 
115  tmp = smartlist_new();
116 
117  SMARTLIST_FOREACH_BEGIN(*policy, addr_policy_t *, p) {
118  if (! p->is_private) {
119  smartlist_add(tmp, p);
120  continue;
121  }
122  for (i = 0; private_nets[i]; ++i) {
123  addr_policy_t newpolicy;
124  memcpy(&newpolicy, p, sizeof(addr_policy_t));
125  newpolicy.is_private = 0;
126  newpolicy.is_canonical = 0;
128  &newpolicy.addr,
129  &newpolicy.maskbits, &port_min, &port_max)<0) {
130  tor_assert_unreached();
131  }
132  smartlist_add(tmp, addr_policy_get_canonical_entry(&newpolicy));
133  }
134  addr_policy_free(p);
135  } SMARTLIST_FOREACH_END(p);
136 
137  smartlist_free(*policy);
138  *policy = tmp;
139 }
140 
144 void
146 {
147  smartlist_t *tmp;
148  if (!*policy)
149  return;
150 
151  tmp = smartlist_new();
152  SMARTLIST_FOREACH_BEGIN(*policy, addr_policy_t *, p) {
153  sa_family_t family = tor_addr_family(&p->addr);
154  if (family == AF_INET6 || family == AF_INET || p->is_private) {
155  smartlist_add(tmp, p);
156  } else if (family == AF_UNSPEC) {
157  addr_policy_t newpolicy_ipv4;
158  addr_policy_t newpolicy_ipv6;
159  memcpy(&newpolicy_ipv4, p, sizeof(addr_policy_t));
160  memcpy(&newpolicy_ipv6, p, sizeof(addr_policy_t));
161  newpolicy_ipv4.is_canonical = 0;
162  newpolicy_ipv6.is_canonical = 0;
163  if (p->maskbits != 0) {
164  log_warn(LD_BUG, "AF_UNSPEC policy with maskbits==%d", p->maskbits);
165  newpolicy_ipv4.maskbits = 0;
166  newpolicy_ipv6.maskbits = 0;
167  }
168  tor_addr_from_ipv4h(&newpolicy_ipv4.addr, 0);
169  tor_addr_from_ipv6_bytes(&newpolicy_ipv6.addr,
170  "\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0");
171  smartlist_add(tmp, addr_policy_get_canonical_entry(&newpolicy_ipv4));
172  smartlist_add(tmp, addr_policy_get_canonical_entry(&newpolicy_ipv6));
173  addr_policy_free(p);
174  } else {
175  log_warn(LD_BUG, "Funny-looking address policy with family %d", family);
176  smartlist_add(tmp, p);
177  }
178  } SMARTLIST_FOREACH_END(p);
179 
180  smartlist_free(*policy);
181  *policy = tmp;
182 }
183 
193 static int
195  int assume_action)
196 {
197  smartlist_t *result;
198  smartlist_t *entries;
199  addr_policy_t *item;
200  int malformed_list;
201  int r = 0;
202 
203  if (!cfg)
204  return 0;
205 
206  result = smartlist_new();
207  entries = smartlist_new();
208  for (; cfg; cfg = cfg->next) {
209  smartlist_split_string(entries, cfg->value, ",",
210  SPLIT_SKIP_SPACE|SPLIT_IGNORE_BLANK, 0);
211  SMARTLIST_FOREACH_BEGIN(entries, const char *, ent) {
212  log_debug(LD_CONFIG,"Adding new entry '%s'",ent);
213  malformed_list = 0;
214  item = router_parse_addr_policy_item_from_string(ent, assume_action,
215  &malformed_list);
216  if (item) {
217  smartlist_add(result, item);
218  } else if (malformed_list) {
219  /* the error is so severe the entire list should be discarded */
220  log_warn(LD_CONFIG, "Malformed policy '%s'. Discarding entire policy "
221  "list.", ent);
222  r = -1;
223  } else {
224  /* the error is minor: don't add the item, but keep processing the
225  * rest of the policies in the list */
226  log_debug(LD_CONFIG, "Ignored policy '%s' due to non-fatal error. "
227  "The remainder of the policy list will be used.",
228  ent);
229  }
230  } SMARTLIST_FOREACH_END(ent);
231  SMARTLIST_FOREACH(entries, char *, ent, tor_free(ent));
232  smartlist_clear(entries);
233  }
234  smartlist_free(entries);
235  if (r == -1) {
236  addr_policy_list_free(result);
237  } else {
238  policy_expand_private(&result);
239  policy_expand_unspec(&result);
240 
241  if (*dest) {
242  smartlist_add_all(*dest, result);
243  smartlist_free(result);
244  } else {
245  *dest = result;
246  }
247  }
248 
249  return r;
250 }
251 
256 static int
258 {
259  const or_options_t *options = get_options();
260  int ret = 0;
261 
262  if (options->ReachableDirAddresses &&
263  options->ReachableORAddresses &&
264  options->ReachableAddresses) {
265  log_warn(LD_CONFIG,
266  "Both ReachableDirAddresses and ReachableORAddresses are set. "
267  "ReachableAddresses setting will be ignored.");
268  }
269  addr_policy_list_free(reachable_or_addr_policy);
271  if (!options->ReachableORAddresses && options->ReachableAddresses)
272  log_info(LD_CONFIG,
273  "Using ReachableAddresses as ReachableORAddresses.");
275  options->ReachableORAddresses :
276  options->ReachableAddresses,
277  &reachable_or_addr_policy, ADDR_POLICY_ACCEPT)) {
278  log_warn(LD_CONFIG,
279  "Error parsing Reachable%sAddresses entry; ignoring.",
280  options->ReachableORAddresses ? "OR" : "");
281  ret = -1;
282  }
283 
284  addr_policy_list_free(reachable_dir_addr_policy);
286  if (!options->ReachableDirAddresses && options->ReachableAddresses)
287  log_info(LD_CONFIG,
288  "Using ReachableAddresses as ReachableDirAddresses");
290  options->ReachableDirAddresses :
291  options->ReachableAddresses,
292  &reachable_dir_addr_policy, ADDR_POLICY_ACCEPT)) {
293  if (options->ReachableDirAddresses)
294  log_warn(LD_CONFIG,
295  "Error parsing ReachableDirAddresses entry; ignoring.");
296  ret = -1;
297  }
298 
299  /* We ignore ReachableAddresses for relays */
300  if (!server_mode(options)) {
303  log_warn(LD_CONFIG, "Tor cannot connect to the Internet if "
304  "ReachableAddresses, ReachableORAddresses, or "
305  "ReachableDirAddresses reject all addresses. Please accept "
306  "some addresses in these options.");
307  } else if (options->ClientUseIPv4 == 1
310  log_warn(LD_CONFIG, "You have set ClientUseIPv4 1, but "
311  "ReachableAddresses, ReachableORAddresses, or "
312  "ReachableDirAddresses reject all IPv4 addresses. "
313  "Tor will not connect using IPv4.");
314  } else if (fascist_firewall_use_ipv6(options)
317  log_warn(LD_CONFIG, "You have configured tor to use or prefer IPv6 "
318  "(or UseBridges 1), but "
319  "ReachableAddresses, ReachableORAddresses, or "
320  "ReachableDirAddresses reject all IPv6 addresses. "
321  "Tor will not connect using IPv6.");
322  }
323  }
324 
325  /* Append a reject *:* to reachable_(or|dir)_addr_policy */
326  if (!ret && (options->ReachableDirAddresses ||
327  options->ReachableORAddresses ||
328  options->ReachableAddresses)) {
331  }
332 
333  return ret;
334 }
335 
336 /* Return true iff ClientUseIPv4 0 or ClientUseIPv6 0 might block any OR or Dir
337  * address:port combination. */
338 static int
339 firewall_is_fascist_impl(void)
340 {
341  const or_options_t *options = get_options();
342  /* Assume every non-bridge relay has an IPv4 address.
343  * Clients which use bridges may only know the IPv6 address of their
344  * bridge, but they will connect regardless of the ClientUseIPv6 setting. */
345  return options->ClientUseIPv4 == 0;
346 }
347 
353 int
355 {
356  return (reachable_or_addr_policy != NULL || firewall_is_fascist_impl());
357 }
358 
364 int
366 {
367  return (reachable_dir_addr_policy != NULL || firewall_is_fascist_impl());
368 }
369 
373 static int
374 addr_policy_permits_tor_addr(const tor_addr_t *addr, uint16_t port,
375  smartlist_t *policy)
376 {
378  p = compare_tor_addr_to_addr_policy(addr, port, policy);
379  switch (p) {
382  return 1;
385  return 0;
386  default:
387  log_warn(LD_BUG, "Unexpected result: %d", (int)p);
388  return 0;
389  }
390 }
391 
395 /* XXXX deprecate when possible. */
396 static int
397 addr_policy_permits_address(uint32_t addr, uint16_t port,
398  smartlist_t *policy)
399 {
400  tor_addr_t a;
401  tor_addr_from_ipv4h(&a, addr);
402  return addr_policy_permits_tor_addr(&a, port, policy);
403 }
404 
419 STATIC int
421  uint16_t port,
422  smartlist_t *firewall_policy,
423  int pref_only, int pref_ipv6)
424 {
425  const or_options_t *options = get_options();
426  const int client_mode = !server_mode(options);
427 
428  if (!addr || tor_addr_is_null(addr) || !port) {
429  return 0;
430  }
431 
432  /* Clients stop using IPv4 if it's disabled. In most cases, clients also
433  * stop using IPv4 if it's not preferred.
434  * Servers must have IPv4 enabled and preferred. */
435  if (tor_addr_family(addr) == AF_INET && client_mode &&
436  (!options->ClientUseIPv4 || (pref_only && pref_ipv6))) {
437  return 0;
438  }
439 
440  /* Clients and Servers won't use IPv6 unless it's enabled (and in most
441  * cases, IPv6 must also be preferred before it will be used). */
442  if (tor_addr_family(addr) == AF_INET6 &&
443  (!fascist_firewall_use_ipv6(options) || (pref_only && !pref_ipv6))) {
444  return 0;
445  }
446 
447  return addr_policy_permits_tor_addr(addr, port,
448  firewall_policy);
449 }
450 
458 int
460 {
461  /* Clients use IPv6 if it's set, or they use bridges, or they don't use
462  * IPv4, or they prefer it.
463  * ClientPreferIPv6DirPort is deprecated, but check it anyway. */
464  return (options->ClientUseIPv6 == 1 || options->ClientUseIPv4 == 0 ||
465  options->ClientPreferIPv6ORPort == 1 ||
466  options->ClientPreferIPv6DirPort == 1 || options->UseBridges == 1 ||
467  options->ClientAutoIPv6ORPort == 1);
468 }
469 
474 static int
476 {
477  /*
478  Cheap implementation of config options ClientUseIPv4 & ClientUseIPv6 --
479  If we're a server or IPv6 is disabled, use IPv4.
480  If IPv4 is disabled, use IPv6.
481  */
482 
483  if (server_mode(options) || !fascist_firewall_use_ipv6(options)) {
484  return 0;
485  }
486 
487  if (!options->ClientUseIPv4) {
488  return 1;
489  }
490 
491  return -1;
492 }
493 
494 /* Choose whether we prefer IPv4 or IPv6 by randomly choosing an address
495  * family. Return 0 for IPv4, and 1 for IPv6. */
496 MOCK_IMPL(int,
497 fascist_firewall_rand_prefer_ipv6_addr, (void))
498 {
499  /* TODO: Check for failures, and infer our preference based on this. */
500  return crypto_rand_int(2);
501 }
502 
507 int
509 {
510  int pref_ipv6 = fascist_firewall_prefer_ipv6_impl(options);
511 
512  if (pref_ipv6 >= 0) {
513  return pref_ipv6;
514  }
515 
516  /* We can use both IPv4 and IPv6 - which do we prefer? */
517  if (options->ClientAutoIPv6ORPort == 1) {
518  /* If ClientAutoIPv6ORPort is 1, we prefer IPv4 or IPv6 at random. */
519  return fascist_firewall_rand_prefer_ipv6_addr();
520  } else if (options->ClientPreferIPv6ORPort == 1) {
521  return 1;
522  }
523 
524  return 0;
525 }
526 
532 int
534 {
535  int pref_ipv6 = fascist_firewall_prefer_ipv6_impl(options);
536 
537  if (pref_ipv6 >= 0) {
538  return pref_ipv6;
539  }
540 
541  /* We can use both IPv4 and IPv6 - which do we prefer? */
542  if (options->ClientPreferIPv6DirPort == 1) {
543  return 1;
544  }
545 
546  return 0;
547 }
548 
556 int
558  firewall_connection_t fw_connection,
559  int pref_only, int pref_ipv6)
560 {
561  if (fw_connection == FIREWALL_OR_CONNECTION) {
562  return fascist_firewall_allows_address(addr, port,
564  pref_only, pref_ipv6);
565  } else if (fw_connection == FIREWALL_DIR_CONNECTION) {
566  return fascist_firewall_allows_address(addr, port,
568  pref_only, pref_ipv6);
569  } else {
570  log_warn(LD_BUG, "Bad firewall_connection_t value %d.",
571  fw_connection);
572  return 0;
573  }
574 }
575 
581 static int
583  firewall_connection_t fw_connection,
584  int pref_only, int pref_ipv6)
585 {
586  tor_assert(ap);
587  return fascist_firewall_allows_address_addr(&ap->addr, ap->port,
588  fw_connection, pref_only,
589  pref_ipv6);
590 }
591 
592 /* Return true iff we think our firewall will let us make a connection to
593  * ipv4h_or_addr:ipv4_or_port. ipv4h_or_addr is interpreted in host order.
594  * Uses ReachableORAddresses or ReachableDirAddresses based on
595  * fw_connection.
596  * pref_only and pref_ipv6 work as in fascist_firewall_allows_address_addr().
597  */
598 static int
599 fascist_firewall_allows_address_ipv4h(uint32_t ipv4h_or_addr,
600  uint16_t ipv4_or_port,
601  firewall_connection_t fw_connection,
602  int pref_only, int pref_ipv6)
603 {
604  tor_addr_t ipv4_or_addr;
605  tor_addr_from_ipv4h(&ipv4_or_addr, ipv4h_or_addr);
606  return fascist_firewall_allows_address_addr(&ipv4_or_addr, ipv4_or_port,
607  fw_connection, pref_only,
608  pref_ipv6);
609 }
610 
617 static int
618 fascist_firewall_allows_base(uint32_t ipv4h_addr, uint16_t ipv4_orport,
619  uint16_t ipv4_dirport,
620  const tor_addr_t *ipv6_addr, uint16_t ipv6_orport,
621  uint16_t ipv6_dirport,
622  firewall_connection_t fw_connection,
623  int pref_only, int pref_ipv6)
624 {
625  if (fascist_firewall_allows_address_ipv4h(ipv4h_addr,
626  (fw_connection == FIREWALL_OR_CONNECTION
627  ? ipv4_orport
628  : ipv4_dirport),
629  fw_connection,
630  pref_only, pref_ipv6)) {
631  return 1;
632  }
633 
635  (fw_connection == FIREWALL_OR_CONNECTION
636  ? ipv6_orport
637  : ipv6_dirport),
638  fw_connection,
639  pref_only, pref_ipv6)) {
640  return 1;
641  }
642 
643  return 0;
644 }
645 
647 static int
649  firewall_connection_t fw_connection,
650  int pref_only, int pref_ipv6)
651 {
652  if (!ri) {
653  return 0;
654  }
655 
656  /* Assume IPv4 and IPv6 DirPorts are the same */
657  return fascist_firewall_allows_base(ri->addr, ri->or_port, ri->dir_port,
658  &ri->ipv6_addr, ri->ipv6_orport,
659  ri->dir_port, fw_connection, pref_only,
660  pref_ipv6);
661 }
662 
664 static int
666  firewall_connection_t fw_connection,
667  int pref_only, int pref_ipv6)
668 {
669  if (!rs) {
670  return 0;
671  }
672 
673  /* Assume IPv4 and IPv6 DirPorts are the same */
674  return fascist_firewall_allows_base(rs->addr, rs->or_port, rs->dir_port,
675  &rs->ipv6_addr, rs->ipv6_orport,
676  rs->dir_port, fw_connection, pref_only,
677  pref_ipv6);
678 }
679 
686 int
688  firewall_connection_t fw_connection, int pref_only)
689 {
690  if (!rs) {
691  return 0;
692  }
693 
694  /* We don't have access to the node-specific IPv6 preference, so use the
695  * generic IPv6 preference instead. */
696  const or_options_t *options = get_options();
697  int pref_ipv6 = (fw_connection == FIREWALL_OR_CONNECTION
700 
701  return fascist_firewall_allows_rs_impl(rs, fw_connection, pref_only,
702  pref_ipv6);
703 }
704 
710 static int
712  firewall_connection_t fw_connection,
713  int pref_only, int pref_ipv6)
714 {
715  if (!md) {
716  return 0;
717  }
718 
719  /* Can't check dirport, it doesn't have one */
720  if (fw_connection == FIREWALL_DIR_CONNECTION) {
721  return 0;
722  }
723 
724  /* Also can't check IPv4, doesn't have that either */
726  fw_connection, pref_only,
727  pref_ipv6);
728 }
729 
732 int
734  firewall_connection_t fw_connection,
735  int pref_only)
736 {
737  if (!node) {
738  return 0;
739  }
740 
741  node_assert_ok(node);
742 
743  const int pref_ipv6 = (fw_connection == FIREWALL_OR_CONNECTION
744  ? node_ipv6_or_preferred(node)
745  : node_ipv6_dir_preferred(node));
746 
747  /* Sometimes, the rs is missing the IPv6 address info, and we need to go
748  * all the way to the md */
749  if (node->ri && fascist_firewall_allows_ri_impl(node->ri, fw_connection,
750  pref_only, pref_ipv6)) {
751  return 1;
752  } else if (node->rs && fascist_firewall_allows_rs_impl(node->rs,
753  fw_connection,
754  pref_only,
755  pref_ipv6)) {
756  return 1;
757  } else if (node->md && fascist_firewall_allows_md_impl(node->md,
758  fw_connection,
759  pref_only,
760  pref_ipv6)) {
761  return 1;
762  } else {
763  /* If we know nothing, assume it's unreachable, we'll never get an address
764  * to connect to. */
765  return 0;
766  }
767 }
768 
770 int
772  firewall_connection_t fw_connection,
773  int pref_only)
774 {
775  if (!ds) {
776  return 0;
777  }
778 
779  /* A dir_server_t always has a fake_status. As long as it has the same
780  * addresses/ports in both fake_status and dir_server_t, this works fine.
781  * (See #17867.)
782  * fascist_firewall_allows_rs only checks the addresses in fake_status. */
783  return fascist_firewall_allows_rs(&ds->fake_status, fw_connection,
784  pref_only);
785 }
786 
793 static const tor_addr_port_t *
795  const tor_addr_port_t *b,
796  int want_a,
797  firewall_connection_t fw_connection,
798  int pref_only, int pref_ipv6)
799 {
800  const tor_addr_port_t *use_a = NULL;
801  const tor_addr_port_t *use_b = NULL;
802 
803  if (fascist_firewall_allows_address_ap(a, fw_connection, pref_only,
804  pref_ipv6)) {
805  use_a = a;
806  }
807 
808  if (fascist_firewall_allows_address_ap(b, fw_connection, pref_only,
809  pref_ipv6)) {
810  use_b = b;
811  }
812 
813  /* If both are allowed */
814  if (use_a && use_b) {
815  /* Choose a if we want it */
816  return (want_a ? use_a : use_b);
817  } else {
818  /* Choose a if we have it */
819  return (use_a ? use_a : use_b);
820  }
821 }
822 
831 STATIC const tor_addr_port_t *
833  const tor_addr_port_t *b,
834  int want_a,
835  firewall_connection_t fw_connection,
836  int pref_only, int pref_ipv6)
837 {
839  a, b, want_a,
840  fw_connection,
841  1, pref_ipv6);
842  if (pref_only || pref) {
843  /* If there is a preferred address, use it. If we can only use preferred
844  * addresses, and neither address is preferred, pref will be NULL, and we
845  * want to return NULL, so return it. */
846  return pref;
847  } else {
848  /* If there's no preferred address, and we can return addresses that are
849  * not preferred, use an address that's allowed */
850  return fascist_firewall_choose_address_impl(a, b, want_a, fw_connection,
851  0, pref_ipv6);
852  }
853 }
854 
864 static void
866  uint16_t ipv4_orport,
867  uint16_t ipv4_dirport,
868  const tor_addr_t *ipv6_addr,
869  uint16_t ipv6_orport,
870  uint16_t ipv6_dirport,
871  firewall_connection_t fw_connection,
872  int pref_only,
873  int pref_ipv6,
874  tor_addr_port_t* ap)
875 {
876  const tor_addr_port_t *result = NULL;
877  const int want_ipv4 = !pref_ipv6;
878 
879  tor_assert(ipv6_addr);
880  tor_assert(ap);
881 
882  tor_addr_make_null(&ap->addr, AF_UNSPEC);
883  ap->port = 0;
884 
885  tor_addr_port_t ipv4_ap;
886  tor_addr_copy(&ipv4_ap.addr, ipv4_addr);
887  ipv4_ap.port = (fw_connection == FIREWALL_OR_CONNECTION
888  ? ipv4_orport
889  : ipv4_dirport);
890 
891  tor_addr_port_t ipv6_ap;
892  tor_addr_copy(&ipv6_ap.addr, ipv6_addr);
893  ipv6_ap.port = (fw_connection == FIREWALL_OR_CONNECTION
894  ? ipv6_orport
895  : ipv6_dirport);
896 
897  result = fascist_firewall_choose_address(&ipv4_ap, &ipv6_ap,
898  want_ipv4,
899  fw_connection, pref_only,
900  pref_ipv6);
901 
902  if (result) {
903  tor_addr_copy(&ap->addr, &result->addr);
904  ap->port = result->port;
905  }
906 }
907 
910 static void
912  uint16_t ipv4_orport,
913  uint16_t ipv4_dirport,
914  const tor_addr_t *ipv6_addr,
915  uint16_t ipv6_orport,
916  uint16_t ipv6_dirport,
917  firewall_connection_t fw_connection,
918  int pref_only,
919  int pref_ipv6,
920  tor_addr_port_t* ap)
921 {
922  tor_addr_t ipv4_addr;
923  tor_addr_from_ipv4h(&ipv4_addr, ipv4h_addr);
924  tor_assert(ap);
925 
926  tor_addr_make_null(&ap->addr, AF_UNSPEC);
927  ap->port = 0;
928 
929  fascist_firewall_choose_address_base(&ipv4_addr, ipv4_orport,
930  ipv4_dirport, ipv6_addr,
931  ipv6_orport, ipv6_dirport,
932  fw_connection, pref_only,
933  pref_ipv6, ap);
934 }
935 
936 /* Some microdescriptor consensus methods have no IPv6 addresses in rs: they
937  * are in the microdescriptors. For these consensus methods, we can't rely on
938  * the node's IPv6 address until its microdescriptor is available (when using
939  * microdescs).
940  * But for bridges, rewrite_node_address_for_bridge() updates node->ri with
941  * the configured address, so we can trust bridge addresses.
942  * (Bridges could gain an IPv6 address if their microdescriptor arrives, but
943  * this will never be their preferred address: that is in the config.)
944  * Returns true if the node needs a microdescriptor for its IPv6 address, and
945  * false if the addresses in the node are already up-to-date.
946  */
947 static int
948 node_awaiting_ipv6(const or_options_t* options, const node_t *node)
949 {
950  tor_assert(node);
951 
952  /* There's no point waiting for an IPv6 address if we'd never use it */
953  if (!fascist_firewall_use_ipv6(options)) {
954  return 0;
955  }
956 
957  /* If the node has an IPv6 address, we're not waiting */
958  if (node_has_ipv6_addr(node)) {
959  return 0;
960  }
961 
962  /* If the current consensus method and flavour has IPv6 addresses, we're not
963  * waiting */
964  if (networkstatus_consensus_has_ipv6(options)) {
965  return 0;
966  }
967 
968  /* Bridge clients never use the address from a bridge's md, so there's no
969  * need to wait for it. */
970  if (node_is_a_configured_bridge(node)) {
971  return 0;
972  }
973 
974  /* We are waiting if we_use_microdescriptors_for_circuits() and we have no
975  * md. */
976  return (!node->md && we_use_microdescriptors_for_circuits(options));
977 }
978 
984 void
986  firewall_connection_t fw_connection,
987  int pref_only, tor_addr_port_t* ap)
988 {
989  tor_assert(ap);
990 
991  tor_addr_make_null(&ap->addr, AF_UNSPEC);
992  ap->port = 0;
993 
994  if (!rs) {
995  return;
996  }
997 
998  const or_options_t *options = get_options();
999  const node_t *node = node_get_by_id(rs->identity_digest);
1000 
1001  if (node && !node_awaiting_ipv6(options, node)) {
1002  fascist_firewall_choose_address_node(node, fw_connection, pref_only, ap);
1003  } else {
1004  /* There's no node-specific IPv6 preference, so use the generic IPv6
1005  * preference instead. */
1006  int pref_ipv6 = (fw_connection == FIREWALL_OR_CONNECTION
1009 
1010  /* Assume IPv4 and IPv6 DirPorts are the same.
1011  * Assume the IPv6 OR and Dir addresses are the same. */
1013  &rs->ipv6_addr, rs->ipv6_orport,
1014  rs->dir_port, fw_connection,
1015  pref_only, pref_ipv6, ap);
1016  }
1017 }
1018 
1024 void
1026  int pref_only, tor_addr_port_t* ap)
1027 {
1028  int have_v4 = 0, have_v6 = 0;
1029  uint16_t port_v4 = 0, port_v6 = 0;
1030  tor_addr_t addr_v4, addr_v6;
1031 
1032  tor_assert(ap);
1033 
1034  if (lspecs == NULL) {
1035  log_warn(LD_BUG, "Unknown or missing link specifiers");
1036  return;
1037  }
1038  if (smartlist_len(lspecs) == 0) {
1039  log_warn(LD_PROTOCOL, "Link specifiers are empty");
1040  return;
1041  }
1042 
1043  tor_addr_make_null(&ap->addr, AF_UNSPEC);
1044  ap->port = 0;
1045 
1046  tor_addr_make_null(&addr_v4, AF_INET);
1047  tor_addr_make_null(&addr_v6, AF_INET6);
1048 
1049  SMARTLIST_FOREACH_BEGIN(lspecs, const link_specifier_t *, ls) {
1050  switch (link_specifier_get_ls_type(ls)) {
1051  case LS_IPV4:
1052  /* Skip if we already seen a v4. */
1053  if (have_v4) continue;
1054  tor_addr_from_ipv4h(&addr_v4,
1055  link_specifier_get_un_ipv4_addr(ls));
1056  port_v4 = link_specifier_get_un_ipv4_port(ls);
1057  have_v4 = 1;
1058  break;
1059  case LS_IPV6:
1060  /* Skip if we already seen a v6, or deliberately skip it if we're not a
1061  * direct connection. */
1062  if (have_v6) continue;
1063  tor_addr_from_ipv6_bytes(&addr_v6,
1064  (const char *) link_specifier_getconstarray_un_ipv6_addr(ls));
1065  port_v6 = link_specifier_get_un_ipv6_port(ls);
1066  have_v6 = 1;
1067  break;
1068  default:
1069  /* Ignore unknown. */
1070  break;
1071  }
1072  } SMARTLIST_FOREACH_END(ls);
1073 
1074  /* If we don't have IPv4 or IPv6 in link specifiers, log a bug and return. */
1075  if (!have_v4 && !have_v6) {
1076  if (!have_v6) {
1077  log_warn(LD_PROTOCOL, "None of our link specifiers have IPv4 or IPv6");
1078  } else {
1079  log_warn(LD_PROTOCOL, "None of our link specifiers have IPv4");
1080  }
1081  return;
1082  }
1083 
1084  /* Here, don't check for DirPorts as link specifiers are only used for
1085  * ORPorts. */
1086  const or_options_t *options = get_options();
1087  int pref_ipv6 = fascist_firewall_prefer_ipv6_orport(options);
1088  /* Assume that the DirPorts are zero as link specifiers only use ORPorts. */
1089  fascist_firewall_choose_address_base(&addr_v4, port_v4, 0,
1090  &addr_v6, port_v6, 0,
1091  FIREWALL_OR_CONNECTION,
1092  pref_only, pref_ipv6,
1093  ap);
1094 }
1095 
1099 void
1101  firewall_connection_t fw_connection,
1102  int pref_only, tor_addr_port_t *ap)
1103 {
1104  tor_assert(ap);
1105 
1106  tor_addr_make_null(&ap->addr, AF_UNSPEC);
1107  ap->port = 0;
1108 
1109  if (!node) {
1110  return;
1111  }
1112 
1113  node_assert_ok(node);
1114  /* Calling fascist_firewall_choose_address_node() when the node is missing
1115  * IPv6 information breaks IPv6-only clients.
1116  * If the node is a hard-coded fallback directory or authority, call
1117  * fascist_firewall_choose_address_rs() on the fake (hard-coded) routerstatus
1118  * for the node.
1119  * If it is not hard-coded, check that the node has a microdescriptor, full
1120  * descriptor (routerinfo), or is one of our configured bridges before
1121  * calling this function. */
1122  if (BUG(node_awaiting_ipv6(get_options(), node))) {
1123  return;
1124  }
1125 
1126  const int pref_ipv6_node = (fw_connection == FIREWALL_OR_CONNECTION
1127  ? node_ipv6_or_preferred(node)
1128  : node_ipv6_dir_preferred(node));
1129 
1130  tor_addr_port_t ipv4_or_ap;
1131  node_get_prim_orport(node, &ipv4_or_ap);
1132  tor_addr_port_t ipv4_dir_ap;
1133  node_get_prim_dirport(node, &ipv4_dir_ap);
1134 
1135  tor_addr_port_t ipv6_or_ap;
1136  node_get_pref_ipv6_orport(node, &ipv6_or_ap);
1137  tor_addr_port_t ipv6_dir_ap;
1138  node_get_pref_ipv6_dirport(node, &ipv6_dir_ap);
1139 
1140  /* Assume the IPv6 OR and Dir addresses are the same. */
1141  fascist_firewall_choose_address_base(&ipv4_or_ap.addr, ipv4_or_ap.port,
1142  ipv4_dir_ap.port, &ipv6_or_ap.addr,
1143  ipv6_or_ap.port, ipv6_dir_ap.port,
1144  fw_connection, pref_only,
1145  pref_ipv6_node, ap);
1146 }
1147 
1149 void
1151  firewall_connection_t fw_connection,
1152  int pref_only,
1153  tor_addr_port_t *ap)
1154 {
1155  tor_assert(ap);
1156 
1157  tor_addr_make_null(&ap->addr, AF_UNSPEC);
1158  ap->port = 0;
1159 
1160  if (!ds) {
1161  return;
1162  }
1163 
1164  /* A dir_server_t always has a fake_status. As long as it has the same
1165  * addresses/ports in both fake_status and dir_server_t, this works fine.
1166  * (See #17867.)
1167  * This function relies on fascist_firewall_choose_address_rs looking up the
1168  * node if it can, because that will get the latest info for the relay. */
1169  fascist_firewall_choose_address_rs(&ds->fake_status, fw_connection,
1170  pref_only, ap);
1171 }
1172 
1176 int
1178 {
1179  return addr_policy_permits_tor_addr(addr, 1, dir_policy);
1180 }
1181 
1185 int
1187 {
1188  return addr_policy_permits_tor_addr(addr, 1, socks_policy);
1189 }
1190 
1193 static int
1194 addr_is_in_cc_list(uint32_t addr, const smartlist_t *cc_list)
1195 {
1196  country_t country;
1197  const char *name;
1198  tor_addr_t tar;
1199 
1200  if (!cc_list)
1201  return 0;
1202  /* XXXXipv6 */
1203  tor_addr_from_ipv4h(&tar, addr);
1204  country = geoip_get_country_by_addr(&tar);
1205  name = geoip_get_country_name(country);
1206  return smartlist_contains_string_case(cc_list, name);
1207 }
1208 
1212 int
1213 authdir_policy_permits_address(uint32_t addr, uint16_t port)
1214 {
1216  return 0;
1217  return !addr_is_in_cc_list(addr, get_options()->AuthDirRejectCCs);
1218 }
1219 
1223 int
1224 authdir_policy_valid_address(uint32_t addr, uint16_t port)
1225 {
1227  return 0;
1228  return !addr_is_in_cc_list(addr, get_options()->AuthDirInvalidCCs);
1229 }
1230 
1234 int
1235 authdir_policy_badexit_address(uint32_t addr, uint16_t port)
1236 {
1238  return 1;
1239  return addr_is_in_cc_list(addr, get_options()->AuthDirBadExitCCs);
1240 }
1241 
1242 #define REJECT(arg) \
1243  STMT_BEGIN *msg = tor_strdup(arg); goto err; STMT_END
1244 
1247 static int
1249 {
1250  return (or_options->ExitPolicy == NULL && or_options->ExitRelay == -1 &&
1251  or_options->ReducedExitPolicy == 0 && or_options->IPv6Exit == 0);
1252 }
1253 
1257 int
1258 validate_addr_policies(const or_options_t *options, char **msg)
1259 {
1260  /* XXXX Maybe merge this into parse_policies_from_options, to make sure
1261  * that the two can't go out of sync. */
1262 
1263  smartlist_t *addr_policy=NULL;
1264  *msg = NULL;
1265 
1266  if (policies_parse_exit_policy_from_options(options,0,NULL,&addr_policy)) {
1267  REJECT("Error in ExitPolicy entry.");
1268  }
1269 
1270  static int warned_about_nonexit = 0;
1271 
1272  if (public_server_mode(options) && !warned_about_nonexit &&
1274  warned_about_nonexit = 1;
1275  log_notice(LD_CONFIG, "By default, Tor does not run as an exit relay. "
1276  "If you want to be an exit relay, "
1277  "set ExitRelay to 1. To suppress this message in the future, "
1278  "set ExitRelay to 0.");
1279  }
1280 
1281  /* The rest of these calls *append* to addr_policy. So don't actually
1282  * use the results for anything other than checking if they parse! */
1283  if (parse_addr_policy(options->DirPolicy, &addr_policy, -1))
1284  REJECT("Error in DirPolicy entry.");
1285  if (parse_addr_policy(options->SocksPolicy, &addr_policy, -1))
1286  REJECT("Error in SocksPolicy entry.");
1287  if (parse_addr_policy(options->AuthDirReject, &addr_policy,
1288  ADDR_POLICY_REJECT))
1289  REJECT("Error in AuthDirReject entry.");
1290  if (parse_addr_policy(options->AuthDirInvalid, &addr_policy,
1291  ADDR_POLICY_REJECT))
1292  REJECT("Error in AuthDirInvalid entry.");
1293  if (parse_addr_policy(options->AuthDirBadExit, &addr_policy,
1294  ADDR_POLICY_REJECT))
1295  REJECT("Error in AuthDirBadExit entry.");
1296 
1297  if (parse_addr_policy(options->ReachableAddresses, &addr_policy,
1298  ADDR_POLICY_ACCEPT))
1299  REJECT("Error in ReachableAddresses entry.");
1300  if (parse_addr_policy(options->ReachableORAddresses, &addr_policy,
1301  ADDR_POLICY_ACCEPT))
1302  REJECT("Error in ReachableORAddresses entry.");
1303  if (parse_addr_policy(options->ReachableDirAddresses, &addr_policy,
1304  ADDR_POLICY_ACCEPT))
1305  REJECT("Error in ReachableDirAddresses entry.");
1306 
1307  err:
1308  addr_policy_list_free(addr_policy);
1309  return *msg ? -1 : 0;
1310 #undef REJECT
1311 }
1312 
1317 static int
1318 load_policy_from_option(config_line_t *config, const char *option_name,
1319  smartlist_t **policy,
1320  int assume_action)
1321 {
1322  int r;
1323  int killed_any_ports = 0;
1324  addr_policy_list_free(*policy);
1325  *policy = NULL;
1326  r = parse_addr_policy(config, policy, assume_action);
1327  if (r < 0) {
1328  return -1;
1329  }
1330  if (*policy) {
1331  SMARTLIST_FOREACH_BEGIN(*policy, addr_policy_t *, n) {
1332  /* ports aren't used in these. */
1333  if (n->prt_min > 1 || n->prt_max != 65535) {
1334  addr_policy_t newp, *c;
1335  memcpy(&newp, n, sizeof(newp));
1336  newp.prt_min = 1;
1337  newp.prt_max = 65535;
1338  newp.is_canonical = 0;
1339  c = addr_policy_get_canonical_entry(&newp);
1340  SMARTLIST_REPLACE_CURRENT(*policy, n, c);
1341  addr_policy_free(n);
1342  killed_any_ports = 1;
1343  }
1344  } SMARTLIST_FOREACH_END(n);
1345  }
1346  if (killed_any_ports) {
1347  log_warn(LD_CONFIG, "Ignoring ports in %s option.", option_name);
1348  }
1349  return 0;
1350 }
1351 
1354 int
1356 {
1357  int ret = 0;
1358  if (load_policy_from_option(options->SocksPolicy, "SocksPolicy",
1359  &socks_policy, -1) < 0)
1360  ret = -1;
1361  if (load_policy_from_option(options->DirPolicy, "DirPolicy",
1362  &dir_policy, -1) < 0)
1363  ret = -1;
1364  if (load_policy_from_option(options->AuthDirReject, "AuthDirReject",
1365  &authdir_reject_policy, ADDR_POLICY_REJECT) < 0)
1366  ret = -1;
1367  if (load_policy_from_option(options->AuthDirInvalid, "AuthDirInvalid",
1368  &authdir_invalid_policy, ADDR_POLICY_REJECT) < 0)
1369  ret = -1;
1370  if (load_policy_from_option(options->AuthDirBadExit, "AuthDirBadExit",
1371  &authdir_badexit_policy, ADDR_POLICY_REJECT) < 0)
1372  ret = -1;
1373  if (parse_reachable_addresses() < 0)
1374  ret = -1;
1375  return ret;
1376 }
1377 
1380 static int
1382 {
1383  int r;
1384 #define CMP_FIELD(field) do { \
1385  if (a->field != b->field) { \
1386  return 0; \
1387  } \
1388  } while (0)
1389  CMP_FIELD(policy_type);
1390  CMP_FIELD(is_private);
1391  /* refcnt and is_canonical are irrelevant to equality,
1392  * they are hash table implementation details */
1393  if ((r=tor_addr_compare(&a->addr, &b->addr, CMP_EXACT)))
1394  return 0;
1395  CMP_FIELD(maskbits);
1396  CMP_FIELD(prt_min);
1397  CMP_FIELD(prt_max);
1398 #undef CMP_FIELD
1399  return 1;
1400 }
1401 
1404 int
1406 {
1407  int i;
1408  int len_a = a ? smartlist_len(a) : 0;
1409  int len_b = b ? smartlist_len(b) : 0;
1410 
1411  if (len_a != len_b)
1412  return 0;
1413 
1414  for (i = 0; i < len_a; ++i) {
1415  if (! single_addr_policy_eq(smartlist_get(a, i), smartlist_get(b, i)))
1416  return 0;
1417  }
1418 
1419  return 1;
1420 }
1421 
1423 typedef struct policy_map_ent_t {
1424  HT_ENTRY(policy_map_ent_t) node;
1425  addr_policy_t *policy;
1427 
1428 /* DOCDOC policy_root */
1429 static HT_HEAD(policy_map, policy_map_ent_t) policy_root = HT_INITIALIZER();
1430 
1432 static inline int
1433 policy_eq(policy_map_ent_t *a, policy_map_ent_t *b)
1434 {
1435  return single_addr_policy_eq(a->policy, b->policy);
1436 }
1437 
1439 static unsigned int
1441 {
1442  const addr_policy_t *a = ent->policy;
1443  addr_policy_t aa;
1444  memset(&aa, 0, sizeof(aa));
1445 
1446  aa.prt_min = a->prt_min;
1447  aa.prt_max = a->prt_max;
1448  aa.maskbits = a->maskbits;
1449  aa.policy_type = a->policy_type;
1450  aa.is_private = a->is_private;
1451 
1452  if (a->is_private) {
1453  aa.is_private = 1;
1454  } else {
1455  tor_addr_copy_tight(&aa.addr, &a->addr);
1456  }
1457 
1458  return (unsigned) siphash24g(&aa, sizeof(aa));
1459 }
1460 
1462  policy_eq)
1463 HT_GENERATE2(policy_map, policy_map_ent_t, node, policy_hash,
1464  policy_eq, 0.6, tor_reallocarray_, tor_free_)
1465 
1466 
1469 addr_policy_t *
1470 addr_policy_get_canonical_entry(addr_policy_t *e)
1471 {
1472  policy_map_ent_t search, *found;
1473  if (e->is_canonical)
1474  return e;
1475 
1476  search.policy = e;
1477  found = HT_FIND(policy_map, &policy_root, &search);
1478  if (!found) {
1479  found = tor_malloc_zero(sizeof(policy_map_ent_t));
1480  found->policy = tor_memdup(e, sizeof(addr_policy_t));
1481  found->policy->is_canonical = 1;
1482  found->policy->refcnt = 0;
1483  HT_INSERT(policy_map, &policy_root, found);
1484  }
1485 
1486  tor_assert(single_addr_policy_eq(found->policy, e));
1487  ++found->policy->refcnt;
1488  return found->policy;
1489 }
1490 
1493 static addr_policy_result_t
1495  const smartlist_t *policy)
1496 {
1497  /* We know the address and port, and we know the policy, so we can just
1498  * compute an exact match. */
1499  SMARTLIST_FOREACH_BEGIN(policy, addr_policy_t *, tmpe) {
1500  if (tmpe->addr.family == AF_UNSPEC) {
1501  log_warn(LD_BUG, "Policy contains an AF_UNSPEC address, which only "
1502  "matches other AF_UNSPEC addresses.");
1503  }
1504  /* Address is known */
1505  if (!tor_addr_compare_masked(addr, &tmpe->addr, tmpe->maskbits,
1506  CMP_EXACT)) {
1507  if (port >= tmpe->prt_min && port <= tmpe->prt_max) {
1508  /* Exact match for the policy */
1509  return tmpe->policy_type == ADDR_POLICY_ACCEPT ?
1511  }
1512  }
1513  } SMARTLIST_FOREACH_END(tmpe);
1514 
1515  /* accept all by default. */
1516  return ADDR_POLICY_ACCEPTED;
1517 }
1518 
1521 static addr_policy_result_t
1523  const smartlist_t *policy)
1524 {
1525  /* We look to see if there's a definite match. If so, we return that
1526  match's value, unless there's an intervening possible match that says
1527  something different. */
1528  int maybe_accept = 0, maybe_reject = 0;
1529 
1530  SMARTLIST_FOREACH_BEGIN(policy, addr_policy_t *, tmpe) {
1531  if (tmpe->addr.family == AF_UNSPEC) {
1532  log_warn(LD_BUG, "Policy contains an AF_UNSPEC address, which only "
1533  "matches other AF_UNSPEC addresses.");
1534  }
1535  if (!tor_addr_compare_masked(addr, &tmpe->addr, tmpe->maskbits,
1536  CMP_EXACT)) {
1537  if (tmpe->prt_min <= 1 && tmpe->prt_max >= 65535) {
1538  /* Definitely matches, since it covers all ports. */
1539  if (tmpe->policy_type == ADDR_POLICY_ACCEPT) {
1540  /* If we already hit a clause that might trigger a 'reject', than we
1541  * can't be sure of this certain 'accept'.*/
1542  return maybe_reject ? ADDR_POLICY_PROBABLY_ACCEPTED :
1544  } else {
1545  return maybe_accept ? ADDR_POLICY_PROBABLY_REJECTED :
1547  }
1548  } else {
1549  /* Might match. */
1550  if (tmpe->policy_type == ADDR_POLICY_REJECT)
1551  maybe_reject = 1;
1552  else
1553  maybe_accept = 1;
1554  }
1555  }
1556  } SMARTLIST_FOREACH_END(tmpe);
1557 
1558  /* accept all by default. */
1559  return maybe_reject ? ADDR_POLICY_PROBABLY_ACCEPTED : ADDR_POLICY_ACCEPTED;
1560 }
1561 
1564 static addr_policy_result_t
1566  const smartlist_t *policy)
1567 {
1568  /* We look to see if there's a definite match. If so, we return that
1569  match's value, unless there's an intervening possible match that says
1570  something different. */
1571  int maybe_accept = 0, maybe_reject = 0;
1572 
1573  SMARTLIST_FOREACH_BEGIN(policy, addr_policy_t *, tmpe) {
1574  if (tmpe->addr.family == AF_UNSPEC) {
1575  log_warn(LD_BUG, "Policy contains an AF_UNSPEC address, which only "
1576  "matches other AF_UNSPEC addresses.");
1577  }
1578  if (tmpe->prt_min <= port && port <= tmpe->prt_max) {
1579  if (tmpe->maskbits == 0) {
1580  /* Definitely matches, since it covers all addresses. */
1581  if (tmpe->policy_type == ADDR_POLICY_ACCEPT) {
1582  /* If we already hit a clause that might trigger a 'reject', than we
1583  * can't be sure of this certain 'accept'.*/
1584  return maybe_reject ? ADDR_POLICY_PROBABLY_ACCEPTED :
1586  } else {
1587  return maybe_accept ? ADDR_POLICY_PROBABLY_REJECTED :
1589  }
1590  } else {
1591  /* Might match. */
1592  if (tmpe->policy_type == ADDR_POLICY_REJECT)
1593  maybe_reject = 1;
1594  else
1595  maybe_accept = 1;
1596  }
1597  }
1598  } SMARTLIST_FOREACH_END(tmpe);
1599 
1600  /* accept all by default. */
1601  return maybe_reject ? ADDR_POLICY_PROBABLY_ACCEPTED : ADDR_POLICY_ACCEPTED;
1602 }
1603 
1616 compare_tor_addr_to_addr_policy,(const tor_addr_t *addr, uint16_t port,
1617  const smartlist_t *policy))
1618 {
1619  if (!policy) {
1620  /* no policy? accept all. */
1621  return ADDR_POLICY_ACCEPTED;
1622  } else if (addr == NULL || tor_addr_is_null(addr)) {
1623  if (port == 0) {
1624  log_info(LD_BUG, "Rejecting null address with 0 port (family %d)",
1625  addr ? tor_addr_family(addr) : -1);
1626  return ADDR_POLICY_REJECTED;
1627  }
1628  return compare_unknown_tor_addr_to_addr_policy(port, policy);
1629  } else if (port == 0) {
1630  return compare_known_tor_addr_to_addr_policy_noport(addr, policy);
1631  } else {
1632  return compare_known_tor_addr_to_addr_policy(addr, port, policy);
1633  }
1634 }
1635 
1638 static int
1640 {
1641  if (tor_addr_family(&a->addr) != tor_addr_family(&b->addr)) {
1642  /* You can't cover a different family. */
1643  return 0;
1644  }
1645  /* We can ignore accept/reject, since "accept *:80, reject *:80" reduces
1646  * to "accept *:80". */
1647  if (a->maskbits > b->maskbits) {
1648  /* a has more fixed bits than b; it can't possibly cover b. */
1649  return 0;
1650  }
1651  if (tor_addr_compare_masked(&a->addr, &b->addr, a->maskbits, CMP_EXACT)) {
1652  /* There's a fixed bit in a that's set differently in b. */
1653  return 0;
1654  }
1655  return (a->prt_min <= b->prt_min && a->prt_max >= b->prt_max);
1656 }
1657 
1662 static int
1664 {
1665  maskbits_t minbits;
1666  /* All the bits we care about are those that are set in both
1667  * netmasks. If they are equal in a and b's networkaddresses
1668  * then the networks intersect. If there is a difference,
1669  * then they do not. */
1670  if (a->maskbits < b->maskbits)
1671  minbits = a->maskbits;
1672  else
1673  minbits = b->maskbits;
1674  if (tor_addr_compare_masked(&a->addr, &b->addr, minbits, CMP_EXACT))
1675  return 0;
1676  if (a->prt_max < b->prt_min || b->prt_max < a->prt_min)
1677  return 0;
1678  return 1;
1679 }
1680 
1683 STATIC void
1684 append_exit_policy_string(smartlist_t **policy, const char *more)
1685 {
1686  config_line_t tmp;
1687 
1688  tmp.key = NULL;
1689  tmp.value = (char*) more;
1690  tmp.next = NULL;
1691  if (parse_addr_policy(&tmp, policy, -1)<0) {
1692  log_warn(LD_BUG, "Unable to parse internally generated policy %s",more);
1693  }
1694 }
1695 
1697 void
1699 {
1700  tor_assert(dest);
1701  tor_assert(addr);
1702 
1703  addr_policy_t p, *add;
1704  memset(&p, 0, sizeof(p));
1705  p.policy_type = ADDR_POLICY_REJECT;
1706  p.maskbits = tor_addr_family(addr) == AF_INET6 ? 128 : 32;
1707  tor_addr_copy(&p.addr, addr);
1708  p.prt_min = 1;
1709  p.prt_max = 65535;
1710 
1711  add = addr_policy_get_canonical_entry(&p);
1712  if (!*dest)
1713  *dest = smartlist_new();
1714  smartlist_add(*dest, add);
1715  log_debug(LD_CONFIG, "Adding a reject ExitPolicy 'reject %s:*'",
1716  fmt_addr(addr));
1717 }
1718 
1719 /* Is addr public for the purposes of rejection? */
1720 static int
1721 tor_addr_is_public_for_reject(const tor_addr_t *addr)
1722 {
1723  return (!tor_addr_is_null(addr) && !tor_addr_is_internal(addr, 0)
1724  && !tor_addr_is_multicast(addr));
1725 }
1726 
1727 /* Add "reject <b>addr</b>:*" to <b>dest</b>, creating the list as needed.
1728  * Filter the address, only adding an IPv4 reject rule if ipv4_rules
1729  * is true, and similarly for ipv6_rules. Check each address returns true for
1730  * tor_addr_is_public_for_reject before adding it.
1731  */
1732 static void
1733 addr_policy_append_reject_addr_filter(smartlist_t **dest,
1734  const tor_addr_t *addr,
1735  int ipv4_rules,
1736  int ipv6_rules)
1737 {
1738  tor_assert(dest);
1739  tor_assert(addr);
1740 
1741  /* Only reject IP addresses which are public */
1742  if (tor_addr_is_public_for_reject(addr)) {
1743 
1744  /* Reject IPv4 addresses and IPv6 addresses based on the filters */
1745  int is_ipv4 = tor_addr_is_v4(addr);
1746  if ((is_ipv4 && ipv4_rules) || (!is_ipv4 && ipv6_rules)) {
1747  addr_policy_append_reject_addr(dest, addr);
1748  }
1749  }
1750 }
1751 
1754 void
1756  const smartlist_t *addrs)
1757 {
1758  tor_assert(dest);
1759  tor_assert(addrs);
1760 
1761  SMARTLIST_FOREACH_BEGIN(addrs, tor_addr_t *, addr) {
1762  addr_policy_append_reject_addr(dest, addr);
1763  } SMARTLIST_FOREACH_END(addr);
1764 }
1765 
1768 static void
1770  const smartlist_t *addrs,
1771  int ipv4_rules,
1772  int ipv6_rules)
1773 {
1774  tor_assert(dest);
1775  tor_assert(addrs);
1776 
1777  SMARTLIST_FOREACH_BEGIN(addrs, tor_addr_t *, addr) {
1778  addr_policy_append_reject_addr_filter(dest, addr, ipv4_rules, ipv6_rules);
1779  } SMARTLIST_FOREACH_END(addr);
1780 }
1781 
1783 static void
1785 {
1786  addr_policy_t *ap, *tmp;
1787  int i, j;
1788 
1789  /* Step one: kill every ipv4 thing after *4:*, every IPv6 thing after *6:*
1790  */
1791  {
1792  int kill_v4=0, kill_v6=0;
1793  for (i = 0; i < smartlist_len(dest); ++i) {
1794  sa_family_t family;
1795  ap = smartlist_get(dest, i);
1796  family = tor_addr_family(&ap->addr);
1797  if ((family == AF_INET && kill_v4) ||
1798  (family == AF_INET6 && kill_v6)) {
1799  smartlist_del_keeporder(dest, i--);
1800  addr_policy_free(ap);
1801  continue;
1802  }
1803 
1804  if (ap->maskbits == 0 && ap->prt_min <= 1 && ap->prt_max >= 65535) {
1805  /* This is a catch-all line -- later lines are unreachable. */
1806  if (family == AF_INET) {
1807  kill_v4 = 1;
1808  } else if (family == AF_INET6) {
1809  kill_v6 = 1;
1810  }
1811  }
1812  }
1813  }
1814 
1815  /* Step two: for every entry, see if there's a redundant entry
1816  * later on, and remove it. */
1817  for (i = 0; i < smartlist_len(dest)-1; ++i) {
1818  ap = smartlist_get(dest, i);
1819  for (j = i+1; j < smartlist_len(dest); ++j) {
1820  tmp = smartlist_get(dest, j);
1821  tor_assert(j > i);
1822  if (addr_policy_covers(ap, tmp)) {
1823  char p1[POLICY_BUF_LEN], p2[POLICY_BUF_LEN];
1824  policy_write_item(p1, sizeof(p1), tmp, 0);
1825  policy_write_item(p2, sizeof(p2), ap, 0);
1826  log_debug(LD_CONFIG, "Removing exit policy %s (%d). It is made "
1827  "redundant by %s (%d).", p1, j, p2, i);
1828  smartlist_del_keeporder(dest, j--);
1829  addr_policy_free(tmp);
1830  }
1831  }
1832  }
1833 
1834  /* Step three: for every entry A, see if there's an entry B making this one
1835  * redundant later on. This is the case if A and B are of the same type
1836  * (accept/reject), A is a subset of B, and there is no other entry of
1837  * different type in between those two that intersects with A.
1838  *
1839  * Anybody want to double-check the logic here? XXX
1840  */
1841  for (i = 0; i < smartlist_len(dest)-1; ++i) {
1842  ap = smartlist_get(dest, i);
1843  for (j = i+1; j < smartlist_len(dest); ++j) {
1844  // tor_assert(j > i); // j starts out at i+1; j only increases; i only
1845  // // decreases.
1846  tmp = smartlist_get(dest, j);
1847  if (ap->policy_type != tmp->policy_type) {
1848  if (addr_policy_intersects(ap, tmp))
1849  break;
1850  } else { /* policy_types are equal. */
1851  if (addr_policy_covers(tmp, ap)) {
1852  char p1[POLICY_BUF_LEN], p2[POLICY_BUF_LEN];
1853  policy_write_item(p1, sizeof(p1), ap, 0);
1854  policy_write_item(p2, sizeof(p2), tmp, 0);
1855  log_debug(LD_CONFIG, "Removing exit policy %s. It is already "
1856  "covered by %s.", p1, p2);
1857  smartlist_del_keeporder(dest, i--);
1858  addr_policy_free(ap);
1859  break;
1860  }
1861  }
1862  }
1863  }
1864 }
1865 
1885 void
1887  smartlist_t **dest,
1888  int ipv6_exit,
1889  const smartlist_t *configured_addresses,
1890  int reject_interface_addresses,
1891  int reject_configured_port_addresses)
1892 {
1893  tor_assert(dest);
1894 
1895  /* Reject configured addresses, if they are from public netblocks. */
1896  if (configured_addresses) {
1897  addr_policy_append_reject_addr_list_filter(dest, configured_addresses,
1898  1, ipv6_exit);
1899  }
1900 
1901  /* Reject configured port addresses, if they are from public netblocks. */
1902  if (reject_configured_port_addresses) {
1903  const smartlist_t *port_addrs = get_configured_ports();
1904 
1905  SMARTLIST_FOREACH_BEGIN(port_addrs, port_cfg_t *, port) {
1906 
1907  /* Only reject port IP addresses, not port unix sockets */
1908  if (!port->is_unix_addr) {
1909  addr_policy_append_reject_addr_filter(dest, &port->addr, 1, ipv6_exit);
1910  }
1911  } SMARTLIST_FOREACH_END(port);
1912  }
1913 
1914  /* Reject local addresses from public netblocks on any interface. */
1915  if (reject_interface_addresses) {
1916  smartlist_t *public_addresses = NULL;
1917 
1918  /* Reject public IPv4 addresses on any interface */
1919  public_addresses = get_interface_address6_list(LOG_INFO, AF_INET, 0);
1920  addr_policy_append_reject_addr_list_filter(dest, public_addresses, 1, 0);
1921  interface_address6_list_free(public_addresses);
1922 
1923  /* Don't look for IPv6 addresses if we're configured as IPv4-only */
1924  if (ipv6_exit) {
1925  /* Reject public IPv6 addresses on any interface */
1926  public_addresses = get_interface_address6_list(LOG_INFO, AF_INET6, 0);
1927  addr_policy_append_reject_addr_list_filter(dest, public_addresses, 0, 1);
1928  interface_address6_list_free(public_addresses);
1929  }
1930  }
1931 
1932  /* If addresses were added multiple times, remove all but one of them. */
1933  if (*dest) {
1935  }
1936 }
1937 
1942 static void
1944 {
1945  int found_final_effective_entry = 0;
1946  int first_redundant_entry = 0;
1947  tor_assert(policy);
1948  SMARTLIST_FOREACH_BEGIN(policy, const addr_policy_t *, p) {
1949  sa_family_t family;
1950  int found_ipv4_wildcard = 0, found_ipv6_wildcard = 0;
1951  const int i = p_sl_idx;
1952 
1953  /* Look for accept/reject *[4|6|]:* entires */
1954  if (p->prt_min <= 1 && p->prt_max == 65535 && p->maskbits == 0) {
1955  family = tor_addr_family(&p->addr);
1956  /* accept/reject *:* may have already been expanded into
1957  * accept/reject *4:*,accept/reject *6:*
1958  * But handle both forms.
1959  */
1960  if (family == AF_INET || family == AF_UNSPEC) {
1961  found_ipv4_wildcard = 1;
1962  }
1963  if (family == AF_INET6 || family == AF_UNSPEC) {
1964  found_ipv6_wildcard = 1;
1965  }
1966  }
1967 
1968  /* We also find accept *4:*,reject *6:* ; and
1969  * accept *4:*,<other policies>,accept *6:* ; and similar.
1970  * That's ok, because they make any subsequent entries redundant. */
1971  if (found_ipv4_wildcard && found_ipv6_wildcard) {
1972  found_final_effective_entry = 1;
1973  /* if we're not on the final entry in the list */
1974  if (i < smartlist_len(policy) - 1) {
1975  first_redundant_entry = i + 1;
1976  }
1977  break;
1978  }
1979  } SMARTLIST_FOREACH_END(p);
1980 
1981  /* Work out if there are redundant trailing entries in the policy list */
1982  if (found_final_effective_entry && first_redundant_entry > 0) {
1983  const addr_policy_t *p;
1984  /* Longest possible policy is
1985  * "accept6 ffff:ffff:..255/128:10000-65535",
1986  * which contains a max-length IPv6 address, plus 24 characters. */
1987  char line[TOR_ADDR_BUF_LEN + 32];
1988 
1989  tor_assert(first_redundant_entry < smartlist_len(policy));
1990  p = smartlist_get(policy, first_redundant_entry);
1991  /* since we've already parsed the policy into an addr_policy_t struct,
1992  * we might not log exactly what the user typed in */
1993  policy_write_item(line, TOR_ADDR_BUF_LEN + 32, p, 0);
1994  log_warn(LD_DIR, "Exit policy '%s' and all following policies are "
1995  "redundant, as it follows accept/reject *:* rules for both "
1996  "IPv4 and IPv6. They will be removed from the exit policy. (Use "
1997  "accept/reject *:* as the last entry in any exit policy.)",
1998  line);
1999  }
2000 }
2001 
2002 #define DEFAULT_EXIT_POLICY \
2003  "reject *:25,reject *:119,reject *:135-139,reject *:445," \
2004  "reject *:563,reject *:1214,reject *:4661-4666," \
2005  "reject *:6346-6429,reject *:6699,reject *:6881-6999,accept *:*"
2006 
2007 #define REDUCED_EXIT_POLICY \
2008  "accept *:20-23,accept *:43,accept *:53,accept *:79-81,accept *:88," \
2009  "accept *:110,accept *:143,accept *:194,accept *:220,accept *:389," \
2010  "accept *:443,accept *:464,accept *:465,accept *:531,accept *:543-544," \
2011  "accept *:554,accept *:563,accept *:587,accept *:636,accept *:706," \
2012  "accept *:749,accept *:873,accept *:902-904,accept *:981,accept *:989-995," \
2013  "accept *:1194,accept *:1220,accept *:1293,accept *:1500,accept *:1533," \
2014  "accept *:1677,accept *:1723,accept *:1755,accept *:1863," \
2015  "accept *:2082-2083,accept *:2086-2087,accept *:2095-2096," \
2016  "accept *:2102-2104,accept *:3128,accept *:3389,accept *:3690," \
2017  "accept *:4321,accept *:4643,accept *:5050,accept *:5190," \
2018  "accept *:5222-5223,accept *:5228,accept *:5900,accept *:6660-6669," \
2019  "accept *:6679,accept *:6697,accept *:8000,accept *:8008,accept *:8074," \
2020  "accept *:8080,accept *:8082,accept *:8087-8088,accept *:8232-8233," \
2021  "accept *:8332-8333,accept *:8443,accept *:8888,accept *:9418," \
2022  "accept *:9999,accept *:10000,accept *:11371,accept *:19294," \
2023  "accept *:19638,accept *:50002,accept *:64738,reject *:*"
2024 
2052 static int
2054  smartlist_t **dest,
2055  int ipv6_exit,
2056  int rejectprivate,
2057  const smartlist_t *configured_addresses,
2058  int reject_interface_addresses,
2059  int reject_configured_port_addresses,
2060  int add_default_policy,
2061  int add_reduced_policy)
2062 {
2063  if (!ipv6_exit) {
2064  append_exit_policy_string(dest, "reject *6:*");
2065  }
2066  if (rejectprivate) {
2067  /* Reject IPv4 and IPv6 reserved private netblocks */
2068  append_exit_policy_string(dest, "reject private:*");
2069  }
2070 
2071  /* Consider rejecting IPv4 and IPv6 advertised relay addresses, outbound bind
2072  * addresses, publicly routable addresses, and configured port addresses
2073  * on this exit relay */
2075  configured_addresses,
2076  reject_interface_addresses,
2077  reject_configured_port_addresses);
2078 
2079  if (parse_addr_policy(cfg, dest, -1))
2080  return -1;
2081 
2082  /* Before we add the default policy and final rejects, check to see if
2083  * there are any lines after accept *:* or reject *:*. These lines have no
2084  * effect, and are most likely an error. */
2086 
2087  if (add_reduced_policy) {
2088  append_exit_policy_string(dest, REDUCED_EXIT_POLICY);
2089  } else if (add_default_policy) {
2090  append_exit_policy_string(dest, DEFAULT_EXIT_POLICY);
2091  } else {
2092  append_exit_policy_string(dest, "reject *4:*");
2093  append_exit_policy_string(dest, "reject *6:*");
2094  }
2096 
2097  return 0;
2098 }
2099 
2120 int
2122  exit_policy_parser_cfg_t options,
2123  const smartlist_t *configured_addresses)
2124 {
2125  int ipv6_enabled = (options & EXIT_POLICY_IPV6_ENABLED) ? 1 : 0;
2126  int reject_private = (options & EXIT_POLICY_REJECT_PRIVATE) ? 1 : 0;
2127  int add_default = (options & EXIT_POLICY_ADD_DEFAULT) ? 1 : 0;
2128  int reject_local_interfaces = (options &
2129  EXIT_POLICY_REJECT_LOCAL_INTERFACES) ? 1 : 0;
2130  int add_reduced = (options & EXIT_POLICY_ADD_REDUCED) ? 1 : 0;
2131 
2132  return policies_parse_exit_policy_internal(cfg,dest,ipv6_enabled,
2133  reject_private,
2134  configured_addresses,
2135  reject_local_interfaces,
2136  reject_local_interfaces,
2137  add_default,
2138  add_reduced);
2139 }
2140 
2146 static void
2148 {
2149  if (addr && !tor_addr_is_null(addr)) {
2150  tor_addr_t *addr_copy = tor_malloc(sizeof(tor_addr_t));
2151  tor_addr_copy(addr_copy, addr);
2152  smartlist_add(addr_list, addr_copy);
2153  }
2154 }
2155 
2162 static void
2163 policies_copy_ipv4h_to_smartlist(smartlist_t *addr_list, uint32_t ipv4h_addr)
2164 {
2165  if (ipv4h_addr) {
2166  tor_addr_t ipv4_tor_addr;
2167  tor_addr_from_ipv4h(&ipv4_tor_addr, ipv4h_addr);
2168  policies_copy_addr_to_smartlist(addr_list, &ipv4_tor_addr);
2169  }
2170 }
2171 
2179 static void
2181  const or_options_t *or_options)
2182 {
2183  if (or_options) {
2184  for (int i=0;i<OUTBOUND_ADDR_MAX;i++) {
2185  for (int j=0;j<2;j++) {
2186  if (!tor_addr_is_null(&or_options->OutboundBindAddresses[i][j])) {
2188  &or_options->OutboundBindAddresses[i][j]);
2189  }
2190  }
2191  }
2192  }
2193 }
2194 
2219 int
2221  uint32_t local_address,
2222  const tor_addr_t *ipv6_local_address,
2223  smartlist_t **result)
2224 {
2225  exit_policy_parser_cfg_t parser_cfg = 0;
2226  smartlist_t *configured_addresses = NULL;
2227  int rv = 0;
2228 
2229  /* Short-circuit for non-exit relays, or for relays where we didn't specify
2230  * ExitPolicy or ReducedExitPolicy or IPv6Exit and ExitRelay is auto. */
2231  if (or_options->ExitRelay == 0 ||
2232  policy_using_default_exit_options(or_options)) {
2233  append_exit_policy_string(result, "reject *4:*");
2234  append_exit_policy_string(result, "reject *6:*");
2235  return 0;
2236  }
2237 
2238  configured_addresses = smartlist_new();
2239 
2240  /* Configure the parser */
2241  if (or_options->IPv6Exit) {
2242  parser_cfg |= EXIT_POLICY_IPV6_ENABLED;
2243  }
2244 
2245  if (or_options->ExitPolicyRejectPrivate) {
2246  parser_cfg |= EXIT_POLICY_REJECT_PRIVATE;
2247  }
2248 
2249  if (!or_options->BridgeRelay) {
2250  if (or_options->ReducedExitPolicy)
2251  parser_cfg |= EXIT_POLICY_ADD_REDUCED;
2252  else
2253  parser_cfg |= EXIT_POLICY_ADD_DEFAULT;
2254  }
2255 
2256  if (or_options->ExitPolicyRejectLocalInterfaces) {
2257  parser_cfg |= EXIT_POLICY_REJECT_LOCAL_INTERFACES;
2258  }
2259 
2260  /* Copy the configured addresses into the tor_addr_t* list */
2261  if (or_options->ExitPolicyRejectPrivate) {
2262  policies_copy_ipv4h_to_smartlist(configured_addresses, local_address);
2263  policies_copy_addr_to_smartlist(configured_addresses, ipv6_local_address);
2264  }
2265 
2266  if (or_options->ExitPolicyRejectLocalInterfaces) {
2267  policies_copy_outbound_addresses_to_smartlist(configured_addresses,
2268  or_options);
2269  }
2270 
2271  rv = policies_parse_exit_policy(or_options->ExitPolicy, result, parser_cfg,
2272  configured_addresses);
2273 
2274  SMARTLIST_FOREACH(configured_addresses, tor_addr_t *, a, tor_free(a));
2275  smartlist_free(configured_addresses);
2276 
2277  return rv;
2278 }
2279 
2282 void
2284 {
2285  append_exit_policy_string(dest, "reject *4:*");
2286  append_exit_policy_string(dest, "reject *6:*");
2287 }
2288 
2290 void
2292 {
2293  node->rejects_all = 1;
2294 }
2295 
2298 static int
2300 {
2301  uint32_t mask, ip, i;
2302  /* Is this /8 rejected (1), or undecided (0)? */
2303  char subnet_status[256];
2304 
2305  memset(subnet_status, 0, sizeof(subnet_status));
2306  SMARTLIST_FOREACH_BEGIN(policy, addr_policy_t *, p) {
2307  if (tor_addr_family(&p->addr) != AF_INET)
2308  continue; /* IPv4 only for now */
2309  if (p->prt_min > port || p->prt_max < port)
2310  continue; /* Doesn't cover our port. */
2311  mask = 0;
2312  tor_assert(p->maskbits <= 32);
2313 
2314  if (p->maskbits)
2315  mask = UINT32_MAX<<(32-p->maskbits);
2316  ip = tor_addr_to_ipv4h(&p->addr);
2317 
2318  /* Calculate the first and last subnet that this exit policy touches
2319  * and set it as loop boundaries. */
2320  for (i = ((mask & ip)>>24); i <= (~((mask & ip) ^ mask)>>24); ++i) {
2321  tor_addr_t addr;
2322  if (subnet_status[i] != 0)
2323  continue; /* We already reject some part of this /8 */
2324  tor_addr_from_ipv4h(&addr, i<<24);
2325  if (tor_addr_is_internal(&addr, 0) &&
2326  !get_options()->DirAllowPrivateAddresses) {
2327  continue; /* Local or non-routable addresses */
2328  }
2329  if (p->policy_type == ADDR_POLICY_ACCEPT) {
2330  if (p->maskbits > 8)
2331  continue; /* Narrower than a /8. */
2332  /* We found an allowed subnet of at least size /8. Done
2333  * for this port! */
2334  return 1;
2335  } else if (p->policy_type == ADDR_POLICY_REJECT) {
2336  subnet_status[i] = 1;
2337  }
2338  }
2339  } SMARTLIST_FOREACH_END(p);
2340  return 0;
2341 }
2342 
2346 int
2348 {
2349  if (!policy) /*XXXX disallow NULL policies? */
2350  return 0;
2351 
2352  return (exit_policy_is_general_exit_helper(policy, 80) &&
2353  exit_policy_is_general_exit_helper(policy, 443));
2354 }
2355 
2360 int
2362  int default_reject)
2363 {
2364  if (!policy)
2365  return default_reject;
2366  SMARTLIST_FOREACH_BEGIN(policy, const addr_policy_t *, p) {
2367  if (p->policy_type == ADDR_POLICY_ACCEPT &&
2368  (tor_addr_family(&p->addr) == family ||
2369  tor_addr_family(&p->addr) == AF_UNSPEC)) {
2370  return 0;
2371  } else if (p->policy_type == ADDR_POLICY_REJECT &&
2372  p->prt_min <= 1 && p->prt_max == 65535 &&
2373  p->maskbits == 0 &&
2374  (tor_addr_family(&p->addr) == family ||
2375  tor_addr_family(&p->addr) == AF_UNSPEC)) {
2376  return 1;
2377  }
2378  } SMARTLIST_FOREACH_END(p);
2379  return default_reject;
2380 }
2381 
2384 int
2385 policy_write_item(char *buf, size_t buflen, const addr_policy_t *policy,
2386  int format_for_desc)
2387 {
2388  size_t written = 0;
2389  char addrbuf[TOR_ADDR_BUF_LEN];
2390  const char *addrpart;
2391  int result;
2392  const int is_accept = policy->policy_type == ADDR_POLICY_ACCEPT;
2393  const sa_family_t family = tor_addr_family(&policy->addr);
2394  const int is_ip6 = (family == AF_INET6);
2395 
2396  tor_addr_to_str(addrbuf, &policy->addr, sizeof(addrbuf), 1);
2397 
2398  /* write accept/reject 1.2.3.4 */
2399  if (policy->is_private) {
2400  addrpart = "private";
2401  } else if (policy->maskbits == 0) {
2402  if (format_for_desc)
2403  addrpart = "*";
2404  else if (family == AF_INET6)
2405  addrpart = "*6";
2406  else if (family == AF_INET)
2407  addrpart = "*4";
2408  else
2409  addrpart = "*";
2410  } else {
2411  addrpart = addrbuf;
2412  }
2413 
2414  result = tor_snprintf(buf, buflen, "%s%s %s",
2415  is_accept ? "accept" : "reject",
2416  (is_ip6&&format_for_desc)?"6":"",
2417  addrpart);
2418  if (result < 0)
2419  return -1;
2420  written += strlen(buf);
2421  /* If the maskbits is 32 (IPv4) or 128 (IPv6) we don't need to give it. If
2422  the mask is 0, we already wrote "*". */
2423  if (policy->maskbits < (is_ip6?128:32) && policy->maskbits > 0) {
2424  if (tor_snprintf(buf+written, buflen-written, "/%d", policy->maskbits)<0)
2425  return -1;
2426  written += strlen(buf+written);
2427  }
2428  if (policy->prt_min <= 1 && policy->prt_max == 65535) {
2429  /* There is no port set; write ":*" */
2430  if (written+4 > buflen)
2431  return -1;
2432  strlcat(buf+written, ":*", buflen-written);
2433  written += 2;
2434  } else if (policy->prt_min == policy->prt_max) {
2435  /* There is only one port; write ":80". */
2436  result = tor_snprintf(buf+written, buflen-written, ":%d", policy->prt_min);
2437  if (result<0)
2438  return -1;
2439  written += result;
2440  } else {
2441  /* There is a range of ports; write ":79-80". */
2442  result = tor_snprintf(buf+written, buflen-written, ":%d-%d",
2443  policy->prt_min, policy->prt_max);
2444  if (result<0)
2445  return -1;
2446  written += result;
2447  }
2448  if (written < buflen)
2449  buf[written] = '\0';
2450  else
2451  return -1;
2452 
2453  return (int)written;
2454 }
2455 
2458 /* XXXX This entire thing will do most stuff in O(N^2), or worse. Use an
2459  * RB-tree if that turns out to matter. */
2460 static smartlist_t *
2462 {
2463  smartlist_t *summary;
2464  policy_summary_item_t* item;
2465 
2466  item = tor_malloc_zero(sizeof(policy_summary_item_t));
2467  item->prt_min = 1;
2468  item->prt_max = 65535;
2469  item->reject_count = 0;
2470  item->accepted = 0;
2471 
2472  summary = smartlist_new();
2473  smartlist_add(summary, item);
2474 
2475  return summary;
2476 }
2477 
2484 static policy_summary_item_t*
2486 {
2487  policy_summary_item_t* new;
2488 
2489  new = tor_malloc_zero(sizeof(policy_summary_item_t));
2490  new->prt_min = new_starts;
2491  new->prt_max = old->prt_max;
2492  new->reject_count = old->reject_count;
2493  new->accepted = old->accepted;
2494 
2495  old->prt_max = new_starts-1;
2496 
2497  tor_assert(old->prt_min <= old->prt_max);
2498  tor_assert(new->prt_min <= new->prt_max);
2499  return new;
2500 }
2501 
2502 /* XXXX Nick says I'm going to hell for this. If he feels charitably towards
2503  * my immortal soul, he can clean it up himself. */
2504 #define AT(x) ((policy_summary_item_t*)smartlist_get(summary, x))
2505 
2506 #define IPV4_BITS (32)
2507 /* Every IPv4 address is counted as one rejection */
2508 #define REJECT_CUTOFF_SCALE_IPV4 (0)
2509 /* Ports are rejected in an IPv4 summary if they are rejected in more than two
2510  * IPv4 /8 address blocks */
2511 #define REJECT_CUTOFF_COUNT_IPV4 (UINT64_C(1) << \
2512  (IPV4_BITS - REJECT_CUTOFF_SCALE_IPV4 - 7))
2513 
2514 #define IPV6_BITS (128)
2515 /* IPv6 /64s are counted as one rejection, anything smaller is ignored */
2516 #define REJECT_CUTOFF_SCALE_IPV6 (64)
2517 /* Ports are rejected in an IPv6 summary if they are rejected in more than one
2518  * IPv6 /16 address block.
2519  * This is roughly equivalent to the IPv4 cutoff, as only five IPv6 /12s (and
2520  * some scattered smaller blocks) have been allocated to the RIRs.
2521  * Network providers are typically allocated one or more IPv6 /32s.
2522  */
2523 #define REJECT_CUTOFF_COUNT_IPV6 (UINT64_C(1) << \
2524  (IPV6_BITS - REJECT_CUTOFF_SCALE_IPV6 - 16))
2525 
2529 static int
2531  uint16_t prt_min, uint16_t prt_max)
2532 {
2533  int start_at_index;
2534 
2535  int i = 0;
2536 
2537  while (AT(i)->prt_max < prt_min)
2538  i++;
2539  if (AT(i)->prt_min != prt_min) {
2540  policy_summary_item_t* new_item;
2541  new_item = policy_summary_item_split(AT(i), prt_min);
2542  smartlist_insert(summary, i+1, new_item);
2543  i++;
2544  }
2545  start_at_index = i;
2546 
2547  while (AT(i)->prt_max < prt_max)
2548  i++;
2549  if (AT(i)->prt_max != prt_max) {
2550  policy_summary_item_t* new_item;
2551  new_item = policy_summary_item_split(AT(i), prt_max+1);
2552  smartlist_insert(summary, i+1, new_item);
2553  }
2554 
2555  return start_at_index;
2556 }
2557 
2560 static void
2562  uint16_t prt_min, uint16_t prt_max,
2563  sa_family_t family)
2564 {
2565  tor_assert_nonfatal_once(family == AF_INET || family == AF_INET6);
2566  uint64_t family_reject_count = ((family == AF_INET) ?
2567  REJECT_CUTOFF_COUNT_IPV4 :
2568  REJECT_CUTOFF_COUNT_IPV6);
2569 
2570  int i = policy_summary_split(summary, prt_min, prt_max);
2571  while (i < smartlist_len(summary) &&
2572  AT(i)->prt_max <= prt_max) {
2573  if (!AT(i)->accepted &&
2574  AT(i)->reject_count <= family_reject_count)
2575  AT(i)->accepted = 1;
2576  i++;
2577  }
2578  tor_assert(i < smartlist_len(summary) || prt_max==65535);
2579 }
2580 
2583 static void
2585  maskbits_t maskbits,
2586  uint16_t prt_min, uint16_t prt_max,
2587  sa_family_t family)
2588 {
2589  tor_assert_nonfatal_once(family == AF_INET || family == AF_INET6);
2590 
2591  int i = policy_summary_split(summary, prt_min, prt_max);
2592 
2593  /* The length of a single address mask */
2594  int addrbits = (family == AF_INET) ? IPV4_BITS : IPV6_BITS;
2595  tor_assert_nonfatal_once(addrbits >= maskbits);
2596 
2597  /* We divide IPv6 address counts by (1 << scale) to keep them in a uint64_t
2598  */
2599  int scale = ((family == AF_INET) ?
2600  REJECT_CUTOFF_SCALE_IPV4 :
2601  REJECT_CUTOFF_SCALE_IPV6);
2602 
2603  tor_assert_nonfatal_once(addrbits >= scale);
2604  if (maskbits > (addrbits - scale)) {
2605  tor_assert_nonfatal_once(family == AF_INET6);
2606  /* The address range is so small, we'd need billions of them to reach the
2607  * rejection limit. So we ignore this range in the reject count. */
2608  return;
2609  }
2610 
2611  uint64_t count = 0;
2612  if (addrbits - scale - maskbits >= 64) {
2613  tor_assert_nonfatal_once(family == AF_INET6);
2614  /* The address range is so large, it's an automatic rejection for all ports
2615  * in the range. */
2616  count = UINT64_MAX;
2617  } else {
2618  count = (UINT64_C(1) << (addrbits - scale - maskbits));
2619  }
2620  tor_assert_nonfatal_once(count > 0);
2621  while (i < smartlist_len(summary) &&
2622  AT(i)->prt_max <= prt_max) {
2623  if (AT(i)->reject_count <= UINT64_MAX - count) {
2624  AT(i)->reject_count += count;
2625  } else {
2626  /* IPv4 would require a 4-billion address redundant policy to get here,
2627  * but IPv6 just needs to have ::/0 */
2628  if (family == AF_INET) {
2629  tor_assert_nonfatal_unreached_once();
2630  }
2631  /* If we do get here, use saturating arithmetic */
2632  AT(i)->reject_count = UINT64_MAX;
2633  }
2634  i++;
2635  }
2636  tor_assert(i < smartlist_len(summary) || prt_max==65535);
2637 }
2638 
2648 static void
2650 {
2651  if (p->policy_type == ADDR_POLICY_ACCEPT) {
2652  if (p->maskbits == 0) {
2653  policy_summary_accept(summary, p->prt_min, p->prt_max, p->addr.family);
2654  }
2655  } else if (p->policy_type == ADDR_POLICY_REJECT) {
2656 
2657  int is_private = 0;
2658  int i;
2659  for (i = 0; private_nets[i]; ++i) {
2660  tor_addr_t addr;
2661  maskbits_t maskbits;
2662  if (tor_addr_parse_mask_ports(private_nets[i], 0, &addr,
2663  &maskbits, NULL, NULL)<0) {
2664  tor_assert(0);
2665  }
2666  if (tor_addr_compare(&p->addr, &addr, CMP_EXACT) == 0 &&
2667  p->maskbits == maskbits) {
2668  is_private = 1;
2669  break;
2670  }
2671  }
2672 
2673  if (!is_private) {
2674  policy_summary_reject(summary, p->maskbits, p->prt_min, p->prt_max,
2675  p->addr.family);
2676  }
2677  } else
2678  tor_assert(0);
2679 }
2680 
2689 char *
2691 {
2692  smartlist_t *summary = policy_summary_create();
2693  smartlist_t *accepts, *rejects;
2694  int i, last, start_prt;
2695  size_t accepts_len, rejects_len;
2696  char *accepts_str = NULL, *rejects_str = NULL, *shorter_str, *result;
2697  const char *prefix;
2698 
2699  tor_assert(policy);
2700 
2701  /* Create the summary list */
2702  SMARTLIST_FOREACH_BEGIN(policy, addr_policy_t *, p) {
2703  sa_family_t f = tor_addr_family(&p->addr);
2704  if (f != AF_INET && f != AF_INET6) {
2705  log_warn(LD_BUG, "Weird family when summarizing address policy");
2706  }
2707  if (f != family)
2708  continue;
2709  policy_summary_add_item(summary, p);
2710  } SMARTLIST_FOREACH_END(p);
2711 
2712  /* Now create two lists of strings, one for accepted and one
2713  * for rejected ports. We take care to merge ranges so that
2714  * we avoid getting stuff like "1-4,5-9,10", instead we want
2715  * "1-10"
2716  */
2717  i = 0;
2718  start_prt = 1;
2719  accepts = smartlist_new();
2720  rejects = smartlist_new();
2721  while (1) {
2722  last = i == smartlist_len(summary)-1;
2723  if (last ||
2724  AT(i)->accepted != AT(i+1)->accepted) {
2725  char buf[POLICY_BUF_LEN];
2726 
2727  if (start_prt == AT(i)->prt_max)
2728  tor_snprintf(buf, sizeof(buf), "%d", start_prt);
2729  else
2730  tor_snprintf(buf, sizeof(buf), "%d-%d", start_prt, AT(i)->prt_max);
2731 
2732  if (AT(i)->accepted)
2733  smartlist_add_strdup(accepts, buf);
2734  else
2735  smartlist_add_strdup(rejects, buf);
2736 
2737  if (last)
2738  break;
2739 
2740  start_prt = AT(i+1)->prt_min;
2741  };
2742  i++;
2743  };
2744 
2745  /* Figure out which of the two stringlists will be shorter and use
2746  * that to build the result
2747  */
2748  if (smartlist_len(accepts) == 0) { /* no exits at all */
2749  result = tor_strdup("reject 1-65535");
2750  goto cleanup;
2751  }
2752  if (smartlist_len(rejects) == 0) { /* no rejects at all */
2753  result = tor_strdup("accept 1-65535");
2754  goto cleanup;
2755  }
2756 
2757  accepts_str = smartlist_join_strings(accepts, ",", 0, &accepts_len);
2758  rejects_str = smartlist_join_strings(rejects, ",", 0, &rejects_len);
2759 
2760  if (rejects_len > MAX_EXITPOLICY_SUMMARY_LEN-strlen("reject")-1 &&
2761  accepts_len > MAX_EXITPOLICY_SUMMARY_LEN-strlen("accept")-1) {
2762  char *c;
2763  shorter_str = accepts_str;
2764  prefix = "accept";
2765 
2766  c = shorter_str + (MAX_EXITPOLICY_SUMMARY_LEN-strlen(prefix)-1);
2767  while (*c != ',' && c >= shorter_str)
2768  c--;
2769  tor_assert(c >= shorter_str);
2770  tor_assert(*c == ',');
2771  *c = '\0';
2772 
2773  } else if (rejects_len < accepts_len) {
2774  shorter_str = rejects_str;
2775  prefix = "reject";
2776  } else {
2777  shorter_str = accepts_str;
2778  prefix = "accept";
2779  }
2780 
2781  tor_asprintf(&result, "%s %s", prefix, shorter_str);
2782 
2783  cleanup:
2784  /* cleanup */
2786  smartlist_free(summary);
2787 
2788  tor_free(accepts_str);
2789  SMARTLIST_FOREACH(accepts, char *, s, tor_free(s));
2790  smartlist_free(accepts);
2791 
2792  tor_free(rejects_str);
2793  SMARTLIST_FOREACH(rejects, char *, s, tor_free(s));
2794  smartlist_free(rejects);
2795 
2796  return result;
2797 }
2798 
2802 parse_short_policy(const char *summary)
2803 {
2804  const char *orig_summary = summary;
2805  short_policy_t *result;
2806  int is_accept;
2807  int n_entries;
2808  short_policy_entry_t entries[MAX_EXITPOLICY_SUMMARY_LEN]; /* overkill */
2809  char *next;
2810 
2811  if (!strcmpstart(summary, "accept ")) {
2812  is_accept = 1;
2813  summary += strlen("accept ");
2814  } else if (!strcmpstart(summary, "reject ")) {
2815  is_accept = 0;
2816  summary += strlen("reject ");
2817  } else {
2818  log_fn(LOG_PROTOCOL_WARN, LD_DIR, "Unrecognized policy summary keyword");
2819  return NULL;
2820  }
2821 
2822  n_entries = 0;
2823  for ( ; *summary; summary = next) {
2824  if (n_entries == MAX_EXITPOLICY_SUMMARY_LEN) {
2825  log_fn(LOG_PROTOCOL_WARN, LD_DIR, "Impossibly long policy summary %s",
2826  escaped(orig_summary));
2827  return NULL;
2828  }
2829 
2830  unsigned low, high;
2831  int ok;
2832  low = (unsigned) tor_parse_ulong(summary, 10, 1, 65535, &ok, &next);
2833  if (!ok) {
2834  if (! TOR_ISDIGIT(*summary) || *summary == ',') {
2835  /* Unrecognized format: skip it. */
2836  goto skip_ent;
2837  } else {
2838  goto bad_ent;
2839  }
2840  }
2841 
2842  switch (*next) {
2843  case ',':
2844  ++next;
2845  /* fall through */
2846  case '\0':
2847  high = low;
2848  break;
2849  case '-':
2850  high = (unsigned) tor_parse_ulong(next+1, 10, low, 65535, &ok, &next);
2851  if (!ok)
2852  goto bad_ent;
2853 
2854  if (*next == ',')
2855  ++next;
2856  else if (*next != '\0')
2857  goto bad_ent;
2858 
2859  break;
2860  default:
2861  goto bad_ent;
2862  }
2863 
2864  entries[n_entries].min_port = low;
2865  entries[n_entries].max_port = high;
2866  n_entries++;
2867 
2868  continue;
2869  skip_ent:
2870  next = strchr(next, ',');
2871  if (!next)
2872  break;
2873  ++next;
2874  }
2875 
2876  if (n_entries == 0) {
2877  log_fn(LOG_PROTOCOL_WARN, LD_DIR,
2878  "Found no port-range entries in summary %s", escaped(orig_summary));
2879  return NULL;
2880  }
2881 
2882  {
2883  size_t size = offsetof(short_policy_t, entries) +
2884  sizeof(short_policy_entry_t)*(n_entries);
2885  result = tor_malloc_zero(size);
2886 
2887  tor_assert( (char*)&result->entries[n_entries-1] < ((char*)result)+size);
2888  }
2889 
2890  result->is_accept = is_accept;
2891  result->n_entries = n_entries;
2892  memcpy(result->entries, entries, sizeof(short_policy_entry_t)*n_entries);
2893  return result;
2894 
2895  bad_ent:
2896  log_fn(LOG_PROTOCOL_WARN, LD_DIR,"Found bad entry in policy summary %s",
2897  escaped(orig_summary));
2898  return NULL;
2899 }
2900 
2902 char *
2904 {
2905  int i;
2906  char *answer;
2907  smartlist_t *sl = smartlist_new();
2908 
2909  smartlist_add_asprintf(sl, "%s", policy->is_accept ? "accept " : "reject ");
2910 
2911  for (i=0; i < policy->n_entries; i++) {
2912  const short_policy_entry_t *e = &policy->entries[i];
2913  if (e->min_port == e->max_port) {
2914  smartlist_add_asprintf(sl, "%d", e->min_port);
2915  } else {
2916  smartlist_add_asprintf(sl, "%d-%d", e->min_port, e->max_port);
2917  }
2918  if (i < policy->n_entries-1)
2919  smartlist_add_strdup(sl, ",");
2920  }
2921  answer = smartlist_join_strings(sl, "", 0, NULL);
2922  SMARTLIST_FOREACH(sl, char *, a, tor_free(a));
2923  smartlist_free(sl);
2924  return answer;
2925 }
2926 
2928 void
2930 {
2931  tor_free(policy);
2932 }
2933 
2940  const short_policy_t *policy)
2941 {
2942  int i;
2943  int found_match = 0;
2944  int accept_;
2945 
2946  tor_assert(port != 0);
2947 
2948  if (addr && tor_addr_is_null(addr))
2949  addr = NULL; /* Unspec means 'no address at all,' in this context. */
2950 
2951  if (addr && get_options()->ClientRejectInternalAddresses &&
2952  (tor_addr_is_internal(addr, 0) || tor_addr_is_loopback(addr)))
2953  return ADDR_POLICY_REJECTED;
2954 
2955  for (i=0; i < policy->n_entries; ++i) {
2956  const short_policy_entry_t *e = &policy->entries[i];
2957  if (e->min_port <= port && port <= e->max_port) {
2958  found_match = 1;
2959  break;
2960  }
2961  }
2962 
2963  if (found_match)
2964  accept_ = policy->is_accept;
2965  else
2966  accept_ = ! policy->is_accept;
2967 
2968  /* ???? are these right? -NM */
2969  /* We should be sure not to return ADDR_POLICY_ACCEPTED in the accept
2970  * case here, because it would cause clients to believe that the node
2971  * allows exit enclaving. Trying it anyway would open up a cool attack
2972  * where the node refuses due to exitpolicy, the client reacts in
2973  * surprise by rewriting the node's exitpolicy to reject *:*, and then
2974  * an adversary targets users by causing them to attempt such connections
2975  * to 98% of the exits.
2976  *
2977  * Once microdescriptors can handle addresses in special cases (e.g. if
2978  * we ever solve ticket 1774), we can provide certainty here. -RD */
2979  if (accept_)
2981  else
2982  return ADDR_POLICY_REJECTED;
2983 }
2984 
2986 int
2988 {
2989  /* This doesn't need to be as much on the lookout as policy_is_reject_star,
2990  * since policy summaries are from the consensus or from consensus
2991  * microdescs.
2992  */
2993  tor_assert(policy);
2994  /* Check for an exact match of "reject 1-65535". */
2995  return (policy->is_accept == 0 && policy->n_entries == 1 &&
2996  policy->entries[0].min_port == 1 &&
2997  policy->entries[0].max_port == 65535);
2998 }
2999 
3004 compare_tor_addr_to_node_policy(const tor_addr_t *addr, uint16_t port,
3005  const node_t *node)
3006 {
3007  if (node->rejects_all)
3008  return ADDR_POLICY_REJECTED;
3009 
3010  if (addr && tor_addr_family(addr) == AF_INET6) {
3011  const short_policy_t *p = NULL;
3012  if (node->ri)
3013  p = node->ri->ipv6_exit_policy;
3014  else if (node->md)
3015  p = node->md->ipv6_exit_policy;
3016  if (p)
3017  return compare_tor_addr_to_short_policy(addr, port, p);
3018  else
3019  return ADDR_POLICY_REJECTED;
3020  }
3021 
3022  if (node->ri) {
3023  return compare_tor_addr_to_addr_policy(addr, port, node->ri->exit_policy);
3024  } else if (node->md) {
3025  if (node->md->exit_policy == NULL)
3026  return ADDR_POLICY_REJECTED;
3027  else
3028  return compare_tor_addr_to_short_policy(addr, port,
3029  node->md->exit_policy);
3030  } else {
3032  }
3033 }
3034 
3041 char *
3043  int include_ipv4,
3044  int include_ipv6)
3045 {
3046  smartlist_t *policy_string_list;
3047  char *policy_string = NULL;
3048 
3049  policy_string_list = smartlist_new();
3050 
3051  SMARTLIST_FOREACH_BEGIN(policy_list, addr_policy_t *, tmpe) {
3052  char *pbuf;
3053  int bytes_written_to_pbuf;
3054  if ((tor_addr_family(&tmpe->addr) == AF_INET6) && (!include_ipv6)) {
3055  continue; /* Don't include IPv6 parts of address policy */
3056  }
3057  if ((tor_addr_family(&tmpe->addr) == AF_INET) && (!include_ipv4)) {
3058  continue; /* Don't include IPv4 parts of address policy */
3059  }
3060 
3061  pbuf = tor_malloc(POLICY_BUF_LEN);
3062  bytes_written_to_pbuf = policy_write_item(pbuf,POLICY_BUF_LEN, tmpe, 1);
3063 
3064  if (bytes_written_to_pbuf < 0) {
3065  log_warn(LD_BUG, "policy_dump_to_string ran out of room!");
3066  tor_free(pbuf);
3067  goto done;
3068  }
3069 
3070  smartlist_add(policy_string_list,pbuf);
3071  } SMARTLIST_FOREACH_END(tmpe);
3072 
3073  policy_string = smartlist_join_strings(policy_string_list, "\n", 0, NULL);
3074 
3075  done:
3076  SMARTLIST_FOREACH(policy_string_list, char *, str, tor_free(str));
3077  smartlist_free(policy_string_list);
3078 
3079  return policy_string;
3080 }
3081 
3084 int
3086  const char *question, char **answer,
3087  const char **errmsg)
3088 {
3089  (void) conn;
3090  (void) errmsg;
3091  if (!strcmp(question, "exit-policy/default")) {
3092  *answer = tor_strdup(DEFAULT_EXIT_POLICY);
3093  } else if (!strcmp(question, "exit-policy/reject-private/default")) {
3094  smartlist_t *private_policy_strings;
3095  const char **priv = private_nets;
3096 
3097  private_policy_strings = smartlist_new();
3098 
3099  while (*priv != NULL) {
3100  /* IPv6 addresses are in "[]" and contain ":",
3101  * IPv4 addresses are not in "[]" and contain "." */
3102  smartlist_add_asprintf(private_policy_strings, "reject %s:*", *priv);
3103  priv++;
3104  }
3105 
3106  *answer = smartlist_join_strings(private_policy_strings,
3107  ",", 0, NULL);
3108 
3109  SMARTLIST_FOREACH(private_policy_strings, char *, str, tor_free(str));
3110  smartlist_free(private_policy_strings);
3111  } else if (!strcmp(question, "exit-policy/reject-private/relay")) {
3112  const or_options_t *options = get_options();
3113  int err = 0;
3114  const routerinfo_t *me = router_get_my_routerinfo_with_err(&err);
3115 
3116  if (!me) {
3117  *errmsg = routerinfo_err_to_string(err);
3118  return routerinfo_err_is_transient(err) ? -1 : 0;
3119  }
3120 
3121  if (!options->ExitPolicyRejectPrivate &&
3122  !options->ExitPolicyRejectLocalInterfaces) {
3123  *answer = tor_strdup("");
3124  return 0;
3125  }
3126 
3127  smartlist_t *private_policy_list = smartlist_new();
3128  smartlist_t *configured_addresses = smartlist_new();
3129 
3130  /* Copy the configured addresses into the tor_addr_t* list */
3131  if (options->ExitPolicyRejectPrivate) {
3132  policies_copy_ipv4h_to_smartlist(configured_addresses, me->addr);
3133  policies_copy_addr_to_smartlist(configured_addresses, &me->ipv6_addr);
3134  }
3135 
3136  if (options->ExitPolicyRejectLocalInterfaces) {
3137  policies_copy_outbound_addresses_to_smartlist(configured_addresses,
3138  options);
3139  }
3140 
3142  &private_policy_list,
3143  options->IPv6Exit,
3144  configured_addresses,
3147  *answer = policy_dump_to_string(private_policy_list, 1, 1);
3148 
3149  addr_policy_list_free(private_policy_list);
3150  SMARTLIST_FOREACH(configured_addresses, tor_addr_t *, a, tor_free(a));
3151  smartlist_free(configured_addresses);
3152  } else if (!strcmpstart(question, "exit-policy/")) {
3153  int include_ipv4 = 0;
3154  int include_ipv6 = 0;
3155 
3156  int err = 0;
3157  const routerinfo_t *me = router_get_my_routerinfo_with_err(&err);
3158 
3159  if (!me) {
3160  *errmsg = routerinfo_err_to_string(err);
3161  return routerinfo_err_is_transient(err) ? -1 : 0;
3162  }
3163 
3164  if (!strcmp(question, "exit-policy/ipv4")) {
3165  include_ipv4 = 1;
3166  } else if (!strcmp(question, "exit-policy/ipv6")) {
3167  include_ipv6 = 1;
3168  } else if (!strcmp(question, "exit-policy/full")) {
3169  include_ipv4 = include_ipv6 = 1;
3170  } else {
3171  return 0; /* No such key. */
3172  }
3173 
3174  *answer = router_dump_exit_policy_to_string(me,include_ipv4,
3175  include_ipv6);
3176  }
3177 
3178  return 0;
3179 }
3180 
3182 void
3184 {
3185  if (!lst)
3186  return;
3187  SMARTLIST_FOREACH(lst, addr_policy_t *, policy, addr_policy_free(policy));
3188  smartlist_free(lst);
3189 }
3190 
3192 void
3194 {
3195  if (!p)
3196  return;
3197 
3198  if (--p->refcnt <= 0) {
3199  if (p->is_canonical) {
3200  policy_map_ent_t search, *found;
3201  search.policy = p;
3202  found = HT_REMOVE(policy_map, &policy_root, &search);
3203  if (found) {
3204  tor_assert(p == found->policy);
3205  tor_free(found);
3206  }
3207  }
3208  tor_free(p);
3209  }
3210 }
3211 
3213 void
3215 {
3216  addr_policy_list_free(reachable_or_addr_policy);
3217  reachable_or_addr_policy = NULL;
3218  addr_policy_list_free(reachable_dir_addr_policy);
3220  addr_policy_list_free(socks_policy);
3221  socks_policy = NULL;
3222  addr_policy_list_free(dir_policy);
3223  dir_policy = NULL;
3224  addr_policy_list_free(authdir_reject_policy);
3225  authdir_reject_policy = NULL;
3226  addr_policy_list_free(authdir_invalid_policy);
3227  authdir_invalid_policy = NULL;
3228  addr_policy_list_free(authdir_badexit_policy);
3229  authdir_badexit_policy = NULL;
3230 
3231  if (!HT_EMPTY(&policy_root)) {
3232  policy_map_ent_t **ent;
3233  int n = 0;
3234  char buf[POLICY_BUF_LEN];
3235 
3236  log_warn(LD_MM, "Still had %d address policies cached at shutdown.",
3237  (int)HT_SIZE(&policy_root));
3238 
3239  /* Note the first 10 cached policies to try to figure out where they
3240  * might be coming from. */
3241  HT_FOREACH(ent, policy_map, &policy_root) {
3242  if (++n > 10)
3243  break;
3244  if (policy_write_item(buf, sizeof(buf), (*ent)->policy, 0) >= 0)
3245  log_warn(LD_MM," %d [%d]: %s", n, (*ent)->policy->refcnt, buf);
3246  }
3247  }
3248  HT_CLEAR(policy_map, &policy_root);
3249 }
tor_addr_t OutboundBindAddresses[OUTBOUND_ADDR_MAX][2]
int ClientAutoIPv6ORPort
int fascist_firewall_prefer_ipv6_orport(const or_options_t *options)
Definition: policies.c:508
int ExitPolicyRejectLocalInterfaces
static int policy_using_default_exit_options(const or_options_t *or_options)
Definition: policies.c:1248
const char * tor_addr_to_str(char *dest, const tor_addr_t *addr, size_t len, int decorate)
Definition: address.c:328
struct short_policy_t * exit_policy
Definition: microdesc_st.h:78
HT_PROTOTYPE(HT_GENERATE2(policy_map, HT_GENERATE2(policy_map_ent_t, HT_GENERATE2(node, HT_GENERATE2(policy_hash, HT_GENERATE2(policy_eq)
Definition: policies.c:1461
Header for confline.c.
#define MAX_EXITPOLICY_SUMMARY_LEN
Definition: policies.c:45
int ClientPreferIPv6ORPort
addr_policy_result_t compare_tor_addr_to_short_policy(const tor_addr_t *addr, uint16_t port, const short_policy_t *policy)
Definition: policies.c:2939
char * policy_summarize(smartlist_t *policy, sa_family_t family)
Definition: policies.c:2690
void node_get_pref_ipv6_orport(const node_t *node, tor_addr_port_t *ap_out)
Definition: nodelist.c:1730
#define TOR_ADDR_BUF_LEN
Definition: address.h:205
Common functions for using (pseudo-)random number generators.
uint64_t reject_count
Definition: policies.c:72
Definition: node_st.h:28
static int policies_parse_exit_policy_internal(config_line_t *cfg, smartlist_t **dest, int ipv6_exit, int rejectprivate, const smartlist_t *configured_addresses, int reject_interface_addresses, int reject_configured_port_addresses, int add_default_policy, int add_reduced_policy)
Definition: policies.c:2053
uint16_t ipv6_orport
Definition: microdesc_st.h:74
int socks_policy_permits_address(const tor_addr_t *addr)
Definition: policies.c:1186
#define SMARTLIST_FOREACH_BEGIN(sl, type, var)
uint16_t sa_family_t
Definition: inaddr_st.h:77
#define SMARTLIST_REPLACE_CURRENT(sl, var, val)
static int parse_reachable_addresses(void)
Definition: policies.c:257
static const char * private_nets[]
Definition: policies.c:83
Definition: policies.h:52
void policies_parse_exit_policy_reject_private(smartlist_t **dest, int ipv6_exit, const smartlist_t *configured_addresses, int reject_interface_addresses, int reject_configured_port_addresses)
Definition: policies.c:1886
addr_policy_result_t
Definition: policies.h:38
static int addr_is_in_cc_list(uint32_t addr, const smartlist_t *cc_list)
Definition: policies.c:1194
static int addr_policy_permits_tor_addr(const tor_addr_t *addr, uint16_t port, smartlist_t *policy)
Definition: policies.c:374
struct policy_map_ent_t policy_map_ent_t
int we_use_microdescriptors_for_circuits(const or_options_t *options)
Definition: microdesc.c:1053
static int load_policy_from_option(config_line_t *config, const char *option_name, smartlist_t **policy, int assume_action)
Definition: policies.c:1318
void smartlist_add_strdup(struct smartlist_t *sl, const char *string)
int authdir_policy_valid_address(uint32_t addr, uint16_t port)
Definition: policies.c:1224
short_policy_entry_t entries[FLEXIBLE_ARRAY_MEMBER]
Definition: policies.h:67
static int addr_policy_intersects(addr_policy_t *a, addr_policy_t *b)
Definition: policies.c:1663
void node_get_pref_ipv6_dirport(const node_t *node, tor_addr_port_t *ap_out)
Definition: nodelist.c:1833
static const tor_addr_port_t * fascist_firewall_choose_address_impl(const tor_addr_port_t *a, const tor_addr_port_t *b, int want_a, firewall_connection_t fw_connection, int pref_only, int pref_ipv6)
Definition: policies.c:794
addr_policy_result_t compare_tor_addr_to_node_policy(const tor_addr_t *addr, uint16_t port, const node_t *node)
Definition: policies.c:3004
unsigned long tor_parse_ulong(const char *s, int base, unsigned long min, unsigned long max, int *ok, char **next)
Definition: parse_int.c:75
int fascist_firewall_allows_rs(const routerstatus_t *rs, firewall_connection_t fw_connection, int pref_only)
Definition: policies.c:687
int tor_addr_compare(const tor_addr_t *addr1, const tor_addr_t *addr2, tor_addr_comparison_t how)
Definition: address.c:954
int authdir_policy_permits_address(uint32_t addr, uint16_t port)
Definition: policies.c:1213
static addr_policy_result_t compare_known_tor_addr_to_addr_policy(const tor_addr_t *addr, uint16_t port, const smartlist_t *policy)
Definition: policies.c:1494
static void fascist_firewall_choose_address_base(const tor_addr_t *ipv4_addr, uint16_t ipv4_orport, uint16_t ipv4_dirport, const tor_addr_t *ipv6_addr, uint16_t ipv6_orport, uint16_t ipv6_dirport, firewall_connection_t fw_connection, int pref_only, int pref_ipv6, tor_addr_port_t *ap)
Definition: policies.c:865
char identity_digest[DIGEST_LEN]
#define LOG_INFO
Definition: log.h:43
struct short_policy_entry_t short_policy_entry_t
Header file for nodelist.c.
int node_ipv6_or_preferred(const node_t *node)
Definition: nodelist.c:1664
int firewall_is_fascist_dir(void)
Definition: policies.c:365
void tor_addr_make_null(tor_addr_t *a, sa_family_t family)
Definition: address.c:235
void node_get_prim_orport(const node_t *node, tor_addr_port_t *ap_out)
Definition: nodelist.c:1694
int addr_policies_eq(const smartlist_t *a, const smartlist_t *b)
Definition: policies.c:1405
int firewall_is_fascist_or(void)
Definition: policies.c:354
void smartlist_add(smartlist_t *sl, void *element)
static smartlist_t * authdir_reject_policy
Definition: policies.c:53
int fascist_firewall_prefer_ipv6_dirport(const or_options_t *options)
Definition: policies.c:533
static policy_summary_item_t * policy_summary_item_split(policy_summary_item_t *old, uint16_t new_starts)
Definition: policies.c:2485
Header file for config.c.
STATIC int fascist_firewall_allows_address(const tor_addr_t *addr, uint16_t port, smartlist_t *firewall_policy, int pref_only, int pref_ipv6)
Definition: policies.c:420
Header file for microdesc.c.
static smartlist_t * reachable_or_addr_policy
Definition: policies.c:63
static uint32_t tor_addr_to_ipv4h(const tor_addr_t *a)
Definition: address.h:152
static int fascist_firewall_allows_base(uint32_t ipv4h_addr, uint16_t ipv4_orport, uint16_t ipv4_dirport, const tor_addr_t *ipv6_addr, uint16_t ipv6_orport, uint16_t ipv6_dirport, firewall_connection_t fw_connection, int pref_only, int pref_ipv6)
Definition: policies.c:618
int short_policy_is_reject_star(const short_policy_t *policy)
Definition: policies.c:2987
void policies_set_node_exitpolicy_to_reject_all(node_t *node)
Definition: policies.c:2291
STATIC void append_exit_policy_string(smartlist_t **policy, const char *more)
Definition: policies.c:1684
int strcmpstart(const char *s1, const char *s2)
Definition: util_string.c:206
#define tor_free(p)
Definition: malloc.h:52
int validate_addr_policies(const or_options_t *options, char **msg)
Definition: policies.c:1258
struct config_line_t * AuthDirReject
static unsigned int policy_hash(const policy_map_ent_t *ent)
Definition: policies.c:1440
unsigned int rejects_all
Definition: node_st.h:77
int authdir_policy_badexit_address(uint32_t addr, uint16_t port)
Definition: policies.c:1235
Header file for geoip.c.
void * tor_reallocarray_(void *ptr, size_t sz1, size_t sz2)
Definition: malloc.c:146
static int fascist_firewall_allows_rs_impl(const routerstatus_t *rs, firewall_connection_t fw_connection, int pref_only, int pref_ipv6)
Definition: policies.c:665
static int addr_policy_permits_address(uint32_t addr, uint16_t port, smartlist_t *policy)
Definition: policies.c:397
int tor_addr_is_v4(const tor_addr_t *addr)
Definition: address.c:749
void policy_expand_unspec(smartlist_t **policy)
Definition: policies.c:145
uint8_t maskbits_t
Definition: address.h:62
void smartlist_del_keeporder(smartlist_t *sl, int idx)
short_policy_t * parse_short_policy(const char *summary)
Definition: policies.c:2802
int ExitPolicyRejectPrivate
struct policy_summary_item_t policy_summary_item_t
const char * routerinfo_err_to_string(int err)
Definition: router.c:140
unsigned int n_entries
Definition: policies.h:62
static int fascist_firewall_prefer_ipv6_impl(const or_options_t *options)
Definition: policies.c:475
void policies_exit_policy_append_reject_star(smartlist_t **dest)
Definition: policies.c:2283
Header file for policies.c.
static int single_addr_policy_eq(const addr_policy_t *a, const addr_policy_t *b)
Definition: policies.c:1381
void fascist_firewall_choose_address_ls(const smartlist_t *lspecs, int pref_only, tor_addr_port_t *ap)
Definition: policies.c:1025
tor_assert(buffer)
uint16_t prt_max
#define tor_addr_from_ipv4h(dest, v4addr)
Definition: address.h:287
static smartlist_t * authdir_invalid_policy
Definition: policies.c:56
static addr_policy_result_t compare_known_tor_addr_to_addr_policy_noport(const tor_addr_t *addr, const smartlist_t *policy)
Definition: policies.c:1522
MOCK_IMPL(addr_policy_result_t, compare_tor_addr_to_addr_policy,(const tor_addr_t *addr, uint16_t port, const smartlist_t *policy))
Definition: policies.c:1615
void fascist_firewall_choose_address_rs(const routerstatus_t *rs, firewall_connection_t fw_connection, int pref_only, tor_addr_port_t *ap)
Definition: policies.c:985
static smartlist_t * dir_policy
Definition: policies.c:50
int dir_policy_permits_address(const tor_addr_t *addr)
Definition: policies.c:1177
Header file for routermode.c.
Header file for policy_parse.c.
int tor_asprintf(char **strp, const char *fmt,...)
Definition: printf.c:75
static smartlist_t * policy_summary_create(void)
Definition: policies.c:2461
static int addr_policy_covers(addr_policy_t *a, addr_policy_t *b)
Definition: policies.c:1639
smartlist_t * exit_policy
Definition: routerinfo_st.h:56
void addr_policy_free_(addr_policy_t *p)
Definition: policies.c:3193
static int fascist_firewall_allows_md_impl(const microdesc_t *md, firewall_connection_t fw_connection, int pref_only, int pref_ipv6)
Definition: policies.c:711
static smartlist_t * socks_policy
Definition: policies.c:48
int smartlist_contains_string_case(const smartlist_t *sl, const char *element)
Definition: smartlist.c:133
void tor_addr_from_ipv6_bytes(tor_addr_t *dest, const char *ipv6_bytes)
Definition: address.c:885
void smartlist_add_asprintf(struct smartlist_t *sl, const char *pattern,...)
Definition: smartlist.c:36
void node_get_prim_dirport(const node_t *node, tor_addr_port_t *ap_out)
Definition: nodelist.c:1795
Header file for circuitbuild.c.
Master header file for Tor-specific functionality.
void policy_expand_private(smartlist_t **policy)
Definition: policies.c:105
routerstatus_t fake_status
Definition: dir_server_st.h:46
struct config_line_t * ExitPolicy
Definition: or_options_st.h:99
addr_policy_action_bitfield_t policy_type
static void policies_copy_outbound_addresses_to_smartlist(smartlist_t *addr_list, const or_options_t *or_options)
Definition: policies.c:2180
int tor_addr_parse_mask_ports(const char *s, unsigned flags, tor_addr_t *addr_out, maskbits_t *maskbits_out, uint16_t *port_min_out, uint16_t *port_max_out)
Definition: address.c:543
static smartlist_t * reachable_dir_addr_policy
Definition: policies.c:66
int crypto_rand_int(unsigned int max)
static int exit_policy_is_general_exit_helper(smartlist_t *policy, int port)
Definition: policies.c:2299
struct config_line_t * ReachableORAddresses
static int fascist_firewall_allows_address_ap(const tor_addr_port_t *ap, firewall_connection_t fw_connection, int pref_only, int pref_ipv6)
Definition: policies.c:582
static smartlist_t * authdir_badexit_policy
Definition: policies.c:59
int routerinfo_err_is_transient(int err)
Definition: router.c:169
static int parse_addr_policy(config_line_t *cfg, smartlist_t **dest, int assume_action)
Definition: policies.c:194
tor_addr_t ipv6_addr
int tor_addr_is_null(const tor_addr_t *addr)
Definition: address.c:770
char * policy_dump_to_string(const smartlist_t *policy_list, int include_ipv4, int include_ipv6)
Definition: policies.c:3042
static void policy_summary_add_item(smartlist_t *summary, addr_policy_t *p)
Definition: policies.c:2649
int fascist_firewall_allows_address_addr(const tor_addr_t *addr, uint16_t port, firewall_connection_t fw_connection, int pref_only, int pref_ipv6)
Definition: policies.c:557
void tor_free_(void *mem)
Definition: malloc.c:227
static int policy_summary_split(smartlist_t *summary, uint16_t prt_min, uint16_t prt_max)
Definition: policies.c:2530
static void policies_copy_addr_to_smartlist(smartlist_t *addr_list, const tor_addr_t *addr)
Definition: policies.c:2147
int policy_is_reject_star(const smartlist_t *policy, sa_family_t family, int default_reject)
Definition: policies.c:2361
static void exit_policy_remove_redundancies(smartlist_t *dest)
Definition: policies.c:1784
int tor_addr_is_loopback(const tor_addr_t *addr)
Definition: address.c:795
struct config_line_t * DirPolicy
tor_addr_t ipv6_addr
Definition: microdesc_st.h:72
static void policy_summary_accept(smartlist_t *summary, uint16_t prt_min, uint16_t prt_max, sa_family_t family)
Definition: policies.c:2561
int tor_addr_is_multicast(const tor_addr_t *a)
Definition: address.c:1530
maskbits_t maskbits
static void addr_policy_append_reject_addr_list_filter(smartlist_t **dest, const smartlist_t *addrs, int ipv4_rules, int ipv6_rules)
Definition: policies.c:1769
struct short_policy_t * ipv6_exit_policy
Definition: routerinfo_st.h:60
int exit_policy_is_general_exit(smartlist_t *policy)
Definition: policies.c:2347
#define LD_DIR
Definition: log.h:86
const char * geoip_get_country_name(country_t num)
Definition: geoip.c:441
void policies_free_all(void)
Definition: policies.c:3214
struct config_line_t * AuthDirInvalid
void fascist_firewall_choose_address_dir_server(const dir_server_t *ds, firewall_connection_t fw_connection, int pref_only, tor_addr_port_t *ap)
Definition: policies.c:1150
int ClientPreferIPv6DirPort
int tor_snprintf(char *str, size_t size, const char *format,...)
Definition: printf.c:27
struct config_line_t * ReachableDirAddresses
char * smartlist_join_strings(smartlist_t *sl, const char *join, int terminate, size_t *len_out)
Definition: smartlist.c:279
#define SMARTLIST_FOREACH(sl, type, var, cmd)
int policies_parse_from_options(const or_options_t *options)
Definition: policies.c:1355
Header file for router.c.
const char * escaped(const char *s)
Definition: escape.c:126
int policies_parse_exit_policy(config_line_t *cfg, smartlist_t **dest, exit_policy_parser_cfg_t options, const smartlist_t *configured_addresses)
Definition: policies.c:2121
unsigned int is_accept
Definition: policies.h:60
void addr_policy_list_free_(smartlist_t *lst)
Definition: policies.c:3183
struct short_policy_t * ipv6_exit_policy
Definition: microdesc_st.h:80
#define fmt_addr(a)
Definition: address.h:211
int fascist_firewall_allows_node(const node_t *node, firewall_connection_t fw_connection, int pref_only)
Definition: policies.c:733
uint16_t dir_port
Definition: routerinfo_st.h:21
struct config_line_t * ReachableAddresses
#define log_fn(severity, domain, args,...)
Definition: log.h:274
struct config_line_t * AuthDirBadExit
void smartlist_add_all(smartlist_t *s1, const smartlist_t *s2)
static void policy_summary_reject(smartlist_t *summary, maskbits_t maskbits, uint16_t prt_min, uint16_t prt_max, sa_family_t family)
Definition: policies.c:2584
static void fascist_firewall_choose_address_ipv4h(uint32_t ipv4h_addr, uint16_t ipv4_orport, uint16_t ipv4_dirport, const tor_addr_t *ipv6_addr, uint16_t ipv6_orport, uint16_t ipv6_dirport, firewall_connection_t fw_connection, int pref_only, int pref_ipv6, tor_addr_port_t *ap)
Definition: policies.c:911
int fascist_firewall_allows_dir_server(const dir_server_t *ds, firewall_connection_t fw_connection, int pref_only)
Definition: policies.c:771
void addr_policy_append_reject_addr(smartlist_t **dest, const tor_addr_t *addr)
Definition: policies.c:1698
void fascist_firewall_choose_address_node(const node_t *node, firewall_connection_t fw_connection, int pref_only, tor_addr_port_t *ap)
Definition: policies.c:1100
void addr_policy_append_reject_addr_list(smartlist_t **dest, const smartlist_t *addrs)
Definition: policies.c:1755
char * router_dump_exit_policy_to_string(const routerinfo_t *router, int include_ipv4, int include_ipv6)
Definition: router.c:3049
char * write_short_policy(const short_policy_t *policy)
Definition: policies.c:2903
unsigned int is_canonical
static int fascist_firewall_allows_ri_impl(const routerinfo_t *ri, firewall_connection_t fw_connection, int pref_only, int pref_ipv6)
Definition: policies.c:648
void short_policy_free_(short_policy_t *policy)
Definition: policies.c:2929
uint32_t addr
Definition: routerinfo_st.h:19
int node_is_a_configured_bridge(const node_t *node)
Definition: bridges.c:348
uint16_t ipv6_orport
int policy_write_item(char *buf, size_t buflen, const addr_policy_t *policy, int format_for_desc)
Definition: policies.c:2385
int tor_addr_compare_masked(const tor_addr_t *addr1, const tor_addr_t *addr2, maskbits_t mbits, tor_addr_comparison_t how)
Definition: address.c:975
void smartlist_insert(smartlist_t *sl, int idx, void *val)
int getinfo_helper_policies(control_connection_t *conn, const char *question, char **answer, const char **errmsg)
Definition: policies.c:3085
uint16_t prt_min
tor_addr_t ipv6_addr
Definition: routerinfo_st.h:27
void tor_addr_copy(tor_addr_t *dest, const tor_addr_t *src)
Definition: address.c:904
void tor_addr_copy_tight(tor_addr_t *dest, const tor_addr_t *src)
Definition: address.c:918
static void policies_copy_ipv4h_to_smartlist(smartlist_t *addr_list, uint32_t ipv4h_addr)
Definition: policies.c:2163
#define LD_PROTOCOL
Definition: log.h:70
void smartlist_clear(smartlist_t *sl)
#define LD_MM
Definition: log.h:72
static addr_policy_result_t compare_unknown_tor_addr_to_addr_policy(uint16_t port, const smartlist_t *policy)
Definition: policies.c:1565
unsigned int is_private
Header file for networkstatus.c.
#define LD_BUG
Definition: log.h:84
#define LD_CONFIG
Definition: log.h:66
static void policies_log_first_redundant_entry(const smartlist_t *policy)
Definition: policies.c:1943
tor_addr_t addr
uint16_t or_port
Definition: routerinfo_st.h:20
int policies_parse_exit_policy_from_options(const or_options_t *or_options, uint32_t local_address, const tor_addr_t *ipv6_local_address, smartlist_t **result)
Definition: policies.c:2220
struct config_line_t * SocksPolicy
static sa_family_t tor_addr_family(const tor_addr_t *a)
Definition: address.h:179
int fascist_firewall_use_ipv6(const or_options_t *options)
Definition: policies.c:459
int node_ipv6_dir_preferred(const node_t *node)
Definition: nodelist.c:1772
int smartlist_split_string(smartlist_t *sl, const char *str, const char *sep, int flags, int max)
STATIC const tor_addr_port_t * fascist_firewall_choose_address(const tor_addr_port_t *a, const tor_addr_port_t *b, int want_a, firewall_connection_t fw_connection, int pref_only, int pref_ipv6)
Definition: policies.c:832