tor  0.4.1.1-alpha-dev
Data Structures | Macros | Typedefs | Enumerations | Functions
policies.h File Reference

Go to the source code of this file.

Data Structures

struct  short_policy_entry_t
 
struct  short_policy_t
 

Macros

#define POLICY_BUF_LEN   72
 
#define EXIT_POLICY_IPV6_ENABLED   (1 << 0)
 
#define EXIT_POLICY_REJECT_PRIVATE   (1 << 1)
 
#define EXIT_POLICY_ADD_DEFAULT   (1 << 2)
 
#define EXIT_POLICY_REJECT_LOCAL_INTERFACES   (1 << 3)
 
#define EXIT_POLICY_ADD_REDUCED   (1 << 4)
 
#define EXIT_POLICY_OPTION_MAX   EXIT_POLICY_ADD_REDUCED
 
#define EXIT_POLICY_OPTION_ALL   ((EXIT_POLICY_OPTION_MAX << 1) - 1)
 
#define addr_policy_list_free(lst)   FREE_AND_NULL(smartlist_t, addr_policy_list_free_, (lst))
 
#define addr_policy_free(p)   FREE_AND_NULL(addr_policy_t, addr_policy_free_, (p))
 
#define short_policy_free(p)   FREE_AND_NULL(short_policy_t, short_policy_free_, (p))
 

Typedefs

typedef enum firewall_connection_t firewall_connection_t
 
typedef int exit_policy_parser_cfg_t
 
typedef struct short_policy_entry_t short_policy_entry_t
 
typedef struct short_policy_t short_policy_t
 

Enumerations

enum  firewall_connection_t { FIREWALL_OR_CONNECTION = 0, FIREWALL_DIR_CONNECTION = 1 }
 
enum  addr_policy_result_t { ADDR_POLICY_ACCEPTED =0, ADDR_POLICY_REJECTED =-1, ADDR_POLICY_PROBABLY_ACCEPTED =1, ADDR_POLICY_PROBABLY_REJECTED =2 }
 

Functions

int firewall_is_fascist_or (void)
 
int firewall_is_fascist_dir (void)
 
int fascist_firewall_use_ipv6 (const or_options_t *options)
 
 MOCK_DECL (int, fascist_firewall_rand_prefer_ipv6_addr,(void))
 
int fascist_firewall_prefer_ipv6_orport (const or_options_t *options)
 
int fascist_firewall_prefer_ipv6_dirport (const or_options_t *options)
 
int fascist_firewall_allows_address_addr (const tor_addr_t *addr, uint16_t port, firewall_connection_t fw_connection, int pref_only, int pref_ipv6)
 
int fascist_firewall_allows_rs (const routerstatus_t *rs, firewall_connection_t fw_connection, int pref_only)
 
int fascist_firewall_allows_node (const node_t *node, firewall_connection_t fw_connection, int pref_only)
 
int fascist_firewall_allows_dir_server (const dir_server_t *ds, firewall_connection_t fw_connection, int pref_only)
 
void fascist_firewall_choose_address_rs (const routerstatus_t *rs, firewall_connection_t fw_connection, int pref_only, tor_addr_port_t *ap)
 
void fascist_firewall_choose_address_ls (const smartlist_t *lspecs, int pref_only, tor_addr_port_t *ap)
 
void fascist_firewall_choose_address_node (const node_t *node, firewall_connection_t fw_connection, int pref_only, tor_addr_port_t *ap)
 
void fascist_firewall_choose_address_dir_server (const dir_server_t *ds, firewall_connection_t fw_connection, int pref_only, tor_addr_port_t *ap)
 
int dir_policy_permits_address (const tor_addr_t *addr)
 
int socks_policy_permits_address (const tor_addr_t *addr)
 
int authdir_policy_permits_address (uint32_t addr, uint16_t port)
 
int authdir_policy_valid_address (uint32_t addr, uint16_t port)
 
int authdir_policy_badexit_address (uint32_t addr, uint16_t port)
 
int validate_addr_policies (const or_options_t *options, char **msg)
 
void policy_expand_private (smartlist_t **policy)
 
void policy_expand_unspec (smartlist_t **policy)
 
int policies_parse_from_options (const or_options_t *options)
 
addr_policy_taddr_policy_get_canonical_entry (addr_policy_t *ent)
 
int addr_policies_eq (const smartlist_t *a, const smartlist_t *b)
 
 MOCK_DECL (addr_policy_result_t, compare_tor_addr_to_addr_policy,(const tor_addr_t *addr, uint16_t port, const smartlist_t *policy))
 
addr_policy_result_t compare_tor_addr_to_node_policy (const tor_addr_t *addr, uint16_t port, const node_t *node)
 
int policies_parse_exit_policy_from_options (const or_options_t *or_options, uint32_t local_address, const tor_addr_t *ipv6_local_address, smartlist_t **result)
 
int policies_parse_exit_policy (struct config_line_t *cfg, smartlist_t **dest, exit_policy_parser_cfg_t options, const smartlist_t *configured_addresses)
 
void policies_parse_exit_policy_reject_private (smartlist_t **dest, int ipv6_exit, const smartlist_t *configured_addresses, int reject_interface_addresses, int reject_configured_port_addresses)
 
void policies_exit_policy_append_reject_star (smartlist_t **dest)
 
void addr_policy_append_reject_addr (smartlist_t **dest, const tor_addr_t *addr)
 
void addr_policy_append_reject_addr_list (smartlist_t **dest, const smartlist_t *addrs)
 
void policies_set_node_exitpolicy_to_reject_all (node_t *exitrouter)
 
int exit_policy_is_general_exit (smartlist_t *policy)
 
int policy_is_reject_star (const smartlist_t *policy, sa_family_t family, int reject_by_default)
 
char * policy_dump_to_string (const smartlist_t *policy_list, int include_ipv4, int include_ipv6)
 
int getinfo_helper_policies (control_connection_t *conn, const char *question, char **answer, const char **errmsg)
 
int policy_write_item (char *buf, size_t buflen, const addr_policy_t *item, int format_for_desc)
 
void addr_policy_list_free_ (smartlist_t *p)
 
void addr_policy_free_ (addr_policy_t *p)
 
void policies_free_all (void)
 
char * policy_summarize (smartlist_t *policy, sa_family_t family)
 
short_policy_tparse_short_policy (const char *summary)
 
char * write_short_policy (const short_policy_t *policy)
 
void short_policy_free_ (short_policy_t *policy)
 
int short_policy_is_reject_star (const short_policy_t *policy)
 
addr_policy_result_t compare_tor_addr_to_short_policy (const tor_addr_t *addr, uint16_t port, const short_policy_t *policy)
 

Detailed Description

Header file for policies.c.

Definition in file policies.h.

Typedef Documentation

◆ short_policy_entry_t

A single entry in a parsed policy summary, describing a range of ports.

◆ short_policy_t

A short_poliy_t is the parsed version of a policy summary.

Enumeration Type Documentation

◆ addr_policy_result_t

Outcome of applying an address policy to an address.

Enumerator
ADDR_POLICY_ACCEPTED 

The address was accepted

ADDR_POLICY_REJECTED 

The address was rejected

ADDR_POLICY_PROBABLY_ACCEPTED 

Part of the address was unknown, but as far as we can tell, it was accepted.

ADDR_POLICY_PROBABLY_REJECTED 

Part of the address was unknown, but as far as we can tell, it was rejected.

Definition at line 38 of file policies.h.

Function Documentation

◆ addr_policies_eq()

int addr_policies_eq ( const smartlist_t a,
const smartlist_t b 
)

As single_addr_policy_eq, but compare every element of two policies.

Definition at line 1405 of file policies.c.

Referenced by router_differences_are_cosmetic().

◆ addr_policy_append_reject_addr()

void addr_policy_append_reject_addr ( smartlist_t **  dest,
const tor_addr_t addr 
)

Add "reject <b>addr</b>:*" to dest, creating the list as needed.

Definition at line 1698 of file policies.c.

References addr_policy_t::addr, addr_policy_t::maskbits, addr_policy_t::policy_type, addr_policy_t::prt_max, addr_policy_t::prt_min, tor_addr_copy(), tor_addr_family(), and tor_assert().

Referenced by addr_policy_append_reject_addr_list().

◆ addr_policy_append_reject_addr_list()

void addr_policy_append_reject_addr_list ( smartlist_t **  dest,
const smartlist_t addrs 
)

Add "reject addr:*" to dest, for each addr in addrs, creating the list as needed.

Definition at line 1755 of file policies.c.

References addr_policy_append_reject_addr(), SMARTLIST_FOREACH_BEGIN, and tor_assert().

◆ addr_policy_free_()

void addr_policy_free_ ( addr_policy_t p)

Release all storage held by p.

Definition at line 3193 of file policies.c.

References addr_policy_t::is_canonical, addr_policy_t::refcnt, tor_assert(), and tor_free.

◆ addr_policy_list_free_()

void addr_policy_list_free_ ( smartlist_t lst)

Release all storage held by p.

Definition at line 3183 of file policies.c.

References SMARTLIST_FOREACH.

◆ authdir_policy_badexit_address()

int authdir_policy_badexit_address ( uint32_t  addr,
uint16_t  port 
)

Return 1 if addr:port should be marked as a bad exit, based on authdir_badexit_policy. Else return 0.

Definition at line 1235 of file policies.c.

References addr_is_in_cc_list(), addr_policy_permits_address(), and authdir_badexit_policy.

◆ authdir_policy_permits_address()

int authdir_policy_permits_address ( uint32_t  addr,
uint16_t  port 
)

Return 1 if addr:port is permitted to publish to our directory, based on authdir_reject_policy. Else return 0.

Definition at line 1213 of file policies.c.

References addr_is_in_cc_list(), addr_policy_permits_address(), and authdir_reject_policy.

◆ authdir_policy_valid_address()

int authdir_policy_valid_address ( uint32_t  addr,
uint16_t  port 
)

Return 1 if addr:port is considered valid in our directory, based on authdir_invalid_policy. Else return 0.

Definition at line 1224 of file policies.c.

References addr_is_in_cc_list(), addr_policy_permits_address(), and authdir_invalid_policy.

◆ compare_tor_addr_to_node_policy()

addr_policy_result_t compare_tor_addr_to_node_policy ( const tor_addr_t addr,
uint16_t  port,
const node_t node 
)

Decide whether addr:port is probably or definitely accepted or rejected by node. See compare_tor_addr_to_addr_policy for details on addr/port interpretation.

Definition at line 3004 of file policies.c.

References ADDR_POLICY_PROBABLY_REJECTED, ADDR_POLICY_REJECTED, compare_tor_addr_to_short_policy(), routerinfo_t::exit_policy, microdesc_t::exit_policy, routerinfo_t::ipv6_exit_policy, microdesc_t::ipv6_exit_policy, node_t::rejects_all, and tor_addr_family().

Referenced by circuit_stream_is_being_handled(), connection_ap_get_begincell_flags(), and router_exit_policy_all_nodes_reject().

◆ compare_tor_addr_to_short_policy()

addr_policy_result_t compare_tor_addr_to_short_policy ( const tor_addr_t addr,
uint16_t  port,
const short_policy_t policy 
)

See whether the addr:port address is likely to be accepted or rejected by the summarized policy policy. Return values are as for compare_tor_addr_to_addr_policy. Unlike the regular addr_policy functions, requires the port be specified.

Definition at line 2939 of file policies.c.

References tor_addr_is_null(), and tor_assert().

Referenced by compare_tor_addr_to_node_policy(), and router_compare_to_my_exit_policy().

◆ dir_policy_permits_address()

int dir_policy_permits_address ( const tor_addr_t addr)

Return 1 if addr is permitted to connect to our dir port, based on dir_policy. Else return 0.

Definition at line 1177 of file policies.c.

References addr_policy_permits_tor_addr(), and dir_policy.

◆ exit_policy_is_general_exit()

int exit_policy_is_general_exit ( smartlist_t policy)

Return true iff ri is "useful as an exit node", meaning it allows exit to at least one /8 address space for each of ports 80 and 443.

Definition at line 2347 of file policies.c.

References exit_policy_is_general_exit_helper().

◆ fascist_firewall_allows_address_addr()

int fascist_firewall_allows_address_addr ( const tor_addr_t addr,
uint16_t  port,
firewall_connection_t  fw_connection,
int  pref_only,
int  pref_ipv6 
)

Return true iff we think our firewall will let us make a connection to addr:port. Uses ReachableORAddresses or ReachableDirAddresses based on fw_connection. If pref_only is true, return true if addr is in the client's preferred address family, which is IPv6 if pref_ipv6 is true, and IPv4 otherwise. If pref_only is false, ignore pref_ipv6, and return true if addr is allowed.

Definition at line 557 of file policies.c.

Referenced by bridge_passes_guard_filter(), and fascist_firewall_allows_address_ap().

◆ fascist_firewall_allows_dir_server()

int fascist_firewall_allows_dir_server ( const dir_server_t ds,
firewall_connection_t  fw_connection,
int  pref_only 
)

Like fascist_firewall_allows_rs(), but takes ds.

Definition at line 771 of file policies.c.

References dir_server_t::fake_status, and fascist_firewall_allows_rs().

◆ fascist_firewall_allows_node()

int fascist_firewall_allows_node ( const node_t node,
firewall_connection_t  fw_connection,
int  pref_only 
)

Like fascist_firewall_allows_base(), but takes node, and looks up pref_ipv6 from node_ipv6_or/dir_preferred().

Definition at line 733 of file policies.c.

Referenced by node_passes_guard_filter().

◆ fascist_firewall_allows_rs()

int fascist_firewall_allows_rs ( const routerstatus_t rs,
firewall_connection_t  fw_connection,
int  pref_only 
)

Like fascist_firewall_allows_base(), but takes rs. When rs is a fake_status from a dir_server_t, it can have a reachable address, even when the corresponding node does not. nodes can be missing addresses when there's no consensus (IPv4 and IPv6), or when there is a microdescriptor consensus, but no microdescriptors (microdescriptors have IPv6, the microdesc consensus does not).

Definition at line 687 of file policies.c.

Referenced by fascist_firewall_allows_dir_server().

◆ fascist_firewall_choose_address_dir_server()

void fascist_firewall_choose_address_dir_server ( const dir_server_t ds,
firewall_connection_t  fw_connection,
int  pref_only,
tor_addr_port_t ap 
)

◆ fascist_firewall_choose_address_ls()

void fascist_firewall_choose_address_ls ( const smartlist_t lspecs,
int  pref_only,
tor_addr_port_t ap 
)

Like fascist_firewall_choose_address_base(), but takes in a smartlist lspecs consisting of one or more link specifiers. We assume fw_connection is FIREWALL_OR_CONNECTION as link specifiers cannot contain DirPorts.

Definition at line 1025 of file policies.c.

References tor_assert().

◆ fascist_firewall_choose_address_node()

void fascist_firewall_choose_address_node ( const node_t node,
firewall_connection_t  fw_connection,
int  pref_only,
tor_addr_port_t ap 
)

Like fascist_firewall_choose_address_base(), but takes node, and looks up the node's IPv6 preference rather than taking an argument for pref_ipv6.

Definition at line 1100 of file policies.c.

References tor_addr_make_null(), and tor_assert().

Referenced by extend_info_from_node().

◆ fascist_firewall_choose_address_rs()

void fascist_firewall_choose_address_rs ( const routerstatus_t rs,
firewall_connection_t  fw_connection,
int  pref_only,
tor_addr_port_t ap 
)

Like fascist_firewall_choose_address_base(), but takes rs. Consults the corresponding node, then falls back to rs if node is NULL. This should only happen when there's no valid consensus, and rs doesn't correspond to a bridge client's bridge.

Definition at line 985 of file policies.c.

References routerstatus_t::identity_digest, tor_addr_make_null(), and tor_assert().

Referenced by fascist_firewall_choose_address_dir_server().

◆ fascist_firewall_prefer_ipv6_dirport()

int fascist_firewall_prefer_ipv6_dirport ( const or_options_t options)

Do we prefer to connect to IPv6 DirPorts?

(node_ipv6_dir_preferred() doesn't support bridge client per-node IPv6 preferences. There's no reason to use it instead of this function.)

Definition at line 533 of file policies.c.

References or_options_t::ClientPreferIPv6DirPort, and fascist_firewall_prefer_ipv6_impl().

◆ fascist_firewall_prefer_ipv6_orport()

int fascist_firewall_prefer_ipv6_orport ( const or_options_t options)

Do we prefer to connect to IPv6 ORPorts? Use node_ipv6_or_preferred() whenever possible: it supports bridge client per-node IPv6 preferences.

Definition at line 508 of file policies.c.

References or_options_t::ClientAutoIPv6ORPort, or_options_t::ClientPreferIPv6ORPort, and fascist_firewall_prefer_ipv6_impl().

◆ fascist_firewall_use_ipv6()

int fascist_firewall_use_ipv6 ( const or_options_t options)

Is this client configured to use IPv6? Returns true if the client might use IPv6 for some of its connections (including dual-stack and IPv6-only clients), and false if it will never use IPv6 for any connections. Use node_ipv6_or/dir_preferred() when checking a specific node and OR/Dir port: it supports bridge client per-node IPv6 preferences.

Definition at line 459 of file policies.c.

References or_options_t::ClientAutoIPv6ORPort, or_options_t::ClientPreferIPv6DirPort, or_options_t::ClientPreferIPv6ORPort, or_options_t::ClientUseIPv4, or_options_t::ClientUseIPv6, and or_options_t::UseBridges.

Referenced by fascist_firewall_allows_address(), and fascist_firewall_prefer_ipv6_impl().

◆ firewall_is_fascist_dir()

int firewall_is_fascist_dir ( void  )

Return true iff the firewall options, including ClientUseIPv4 0 and ClientUseIPv6 0, might block any Dir address:port combination. Address preferences may still change which address is selected even if this function returns false.

Definition at line 365 of file policies.c.

References reachable_dir_addr_policy.

◆ firewall_is_fascist_or()

int firewall_is_fascist_or ( void  )

Return true iff the firewall options, including ClientUseIPv4 0 and ClientUseIPv6 0, might block any OR address:port combination. Address preferences may still change which address is selected even if this function returns false.

Definition at line 354 of file policies.c.

References reachable_or_addr_policy.

◆ getinfo_helper_policies()

int getinfo_helper_policies ( control_connection_t conn,
const char *  question,
char **  answer,
const char **  errmsg 
)

Implementation for GETINFO control command: knows the answer for questions about "exit-policy/..."

Definition at line 3085 of file policies.c.

◆ parse_short_policy()

short_policy_t* parse_short_policy ( const char *  summary)

Convert a summarized policy string into a short_policy_t. Return NULL if the string is not well-formed.

Definition at line 2802 of file policies.c.

◆ policies_exit_policy_append_reject_star()

void policies_exit_policy_append_reject_star ( smartlist_t **  dest)

Add "reject *:*" to the end of the policy in *dest, allocating *dest as needed.

Definition at line 2283 of file policies.c.

References append_exit_policy_string().

◆ policies_free_all()

void policies_free_all ( void  )

Release all storage held by policy variables.

Definition at line 3214 of file policies.c.

◆ policies_parse_exit_policy()

int policies_parse_exit_policy ( config_line_t cfg,
smartlist_t **  dest,
exit_policy_parser_cfg_t  options,
const smartlist_t configured_addresses 
)

Parse exit policy in cfg into dest smartlist.

Prepend an entry that rejects all IPv6 destinations unless EXIT_POLICY_IPV6_ENABLED bit is set in options bitmask.

If EXIT_POLICY_REJECT_PRIVATE bit is set in options:

  • prepend an entry that rejects all destinations in all netblocks reserved for private use.
  • prepend entries that reject the advertised relay addresses in configured_addresses If EXIT_POLICY_REJECT_LOCAL_INTERFACES bit is set in options:
  • prepend entries that reject publicly routable addresses on this exit relay by calling policies_parse_exit_policy_internal
  • prepend entries that reject the outbound bind addresses in configured_addresses
  • prepend entries that reject all configured port addresses

If EXIT_POLICY_ADD_DEFAULT bit is set in options, append default exit policy entries to result smartlist.

Definition at line 2121 of file policies.c.

◆ policies_parse_exit_policy_from_options()

int policies_parse_exit_policy_from_options ( const or_options_t or_options,
uint32_t  local_address,
const tor_addr_t ipv6_local_address,
smartlist_t **  result 
)

Parse ExitPolicy member of or_options into result smartlist. If or_options->IPv6Exit is false, prepend an entry that rejects all IPv6 destinations.

If or_options->ExitPolicyRejectPrivate is true:

  • prepend an entry that rejects all destinations in all netblocks reserved for private use.
  • if local_address is non-zero, treat it as a host-order IPv4 address, and add it to the list of configured addresses.
  • if ipv6_local_address is non-NULL, and not the null tor_addr_t, add it to the list of configured addresses. If or_options->ExitPolicyRejectLocalInterfaces is true:
  • if or_options->OutboundBindAddresses[][0] (=IPv4) is not the null tor_addr_t, add it to the list of configured addresses.
  • if or_options->OutboundBindAddresses[][1] (=IPv6) is not the null tor_addr_t, add it to the list of configured addresses.

If or_options->BridgeRelay is false, append entries of default Tor exit policy into result smartlist.

If or_options->ExitRelay is false, or is auto without specifying an exit policy, then make our exit policy into "reject *:*" regardless.

Definition at line 2220 of file policies.c.

References append_exit_policy_string(), or_options_t::ExitRelay, or_options_t::IPv6Exit, and policy_using_default_exit_options().

Referenced by validate_addr_policies().

◆ policies_parse_exit_policy_reject_private()

void policies_parse_exit_policy_reject_private ( smartlist_t **  dest,
int  ipv6_exit,
const smartlist_t configured_addresses,
int  reject_interface_addresses,
int  reject_configured_port_addresses 
)

Reject private helper for policies_parse_exit_policy_internal: rejects publicly routable addresses on this exit relay.

Add reject entries to the linked list *dest:

  • if configured_addresses is non-NULL, add entries that reject each tor_addr_t in the list as a destination.
  • if reject_interface_addresses is true, add entries that reject each public IPv4 and IPv6 address of each interface on this machine.
  • if reject_configured_port_addresses is true, add entries that reject each IPv4 and IPv6 address configured for a port.

IPv6 entries are only added if ipv6_exit is true. (All IPv6 addresses are already blocked by policies_parse_exit_policy_internal if ipv6_exit is false.)

The list in dest is created as needed.

Definition at line 1886 of file policies.c.

References addr_policy_append_reject_addr_list_filter(), SMARTLIST_FOREACH_BEGIN, and tor_assert().

Referenced by policies_parse_exit_policy_internal().

◆ policies_parse_from_options()

int policies_parse_from_options ( const or_options_t options)

◆ policies_set_node_exitpolicy_to_reject_all()

void policies_set_node_exitpolicy_to_reject_all ( node_t node)

Replace the exit policy of node with reject *:*

Definition at line 2291 of file policies.c.

References node_t::rejects_all.

◆ policy_dump_to_string()

char* policy_dump_to_string ( const smartlist_t policy_list,
int  include_ipv4,
int  include_ipv6 
)

Given policy_list, a list of addr_policy_t, produce a string representation of the list. If include_ipv4 is true, include IPv4 entries. If include_ipv6 is true, include IPv6 entries.

Definition at line 3042 of file policies.c.

References SMARTLIST_FOREACH_BEGIN, and tor_addr_family().

◆ policy_expand_private()

void policy_expand_private ( smartlist_t **  policy)

Replace all "private" entries in *policy with their expanded equivalents.

Definition at line 105 of file policies.c.

References addr_policy_t::addr, addr_policy_t::is_canonical, addr_policy_t::is_private, addr_policy_t::maskbits, private_nets, smartlist_add(), SMARTLIST_FOREACH_BEGIN, and tor_addr_parse_mask_ports().

◆ policy_expand_unspec()

void policy_expand_unspec ( smartlist_t **  policy)

Expand each of the AF_UNSPEC elements in *policy (which indicate protocol-neutral wildcards) into a pair of wildcard elements: one IPv4- specific and one IPv6-specific.

Definition at line 145 of file policies.c.

References addr_policy_t::is_canonical, smartlist_add(), SMARTLIST_FOREACH_BEGIN, and tor_addr_family().

◆ policy_is_reject_star()

int policy_is_reject_star ( const smartlist_t policy,
sa_family_t  family,
int  default_reject 
)

Return false if policy might permit access to some addr:port; otherwise if we are certain it rejects everything, return true. If no part of policy matches, return default_reject. NULL policies are allowed, and treated as empty.

Definition at line 2361 of file policies.c.

References SMARTLIST_FOREACH_BEGIN, and tor_addr_family().

◆ policy_summarize()

char* policy_summarize ( smartlist_t policy,
sa_family_t  family 
)

Create a string representing a summary for an exit policy. The summary will either be an "accept" plus a comma-separated list of port ranges or a "reject" plus port-ranges, depending on which is shorter.

If no exits are allowed at all then "reject 1-65535" is returned. If no ports are blocked instead of "reject " we return "accept 1-65535". (These are an exception to the shorter-representation-wins rule).

Definition at line 2690 of file policies.c.

◆ policy_write_item()

int policy_write_item ( char *  buf,
size_t  buflen,
const addr_policy_t policy,
int  format_for_desc 
)

Write a single address policy to the buf_len byte buffer at buf. Return the number of characters written, or -1 on failure.

Definition at line 2385 of file policies.c.

References addr_policy_t::addr, addr_policy_t::is_private, addr_policy_t::maskbits, addr_policy_t::policy_type, addr_policy_t::prt_max, addr_policy_t::prt_min, TOR_ADDR_BUF_LEN, tor_addr_family(), tor_addr_to_str(), and tor_snprintf().

◆ short_policy_free_()

void short_policy_free_ ( short_policy_t policy)

Release all storage held in policy.

Definition at line 2929 of file policies.c.

References tor_free.

◆ short_policy_is_reject_star()

int short_policy_is_reject_star ( const short_policy_t policy)

Return true iff policy seems reject all ports

Definition at line 2987 of file policies.c.

References short_policy_t::entries, short_policy_t::is_accept, short_policy_t::n_entries, and tor_assert().

Referenced by node_exit_policy_rejects_all().

◆ socks_policy_permits_address()

int socks_policy_permits_address ( const tor_addr_t addr)

Return 1 if addr is permitted to connect to our socks port, based on socks_policy. Else return 0.

Definition at line 1186 of file policies.c.

References addr_policy_permits_tor_addr(), and socks_policy.

◆ validate_addr_policies()

int validate_addr_policies ( const or_options_t options,
char **  msg 
)

Config helper: If there's any problem with the policy configuration options in options, return -1 and set msg to a newly allocated description of the error. Else return 0.

Definition at line 1258 of file policies.c.

References policies_parse_exit_policy_from_options().

◆ write_short_policy()

char* write_short_policy ( const short_policy_t policy)