Tor  0.4.7.0-alpha-dev
policies.h
Go to the documentation of this file.
1 /* Copyright (c) 2001 Matej Pfajfar.
2  * Copyright (c) 2001-2004, Roger Dingledine.
3  * Copyright (c) 2004-2006, Roger Dingledine, Nick Mathewson.
4  * Copyright (c) 2007-2021, The Tor Project, Inc. */
5 /* See LICENSE for licensing information */
6 
7 /**
8  * \file policies.h
9  * \brief Header file for policies.c.
10  **/
11 
12 #ifndef TOR_POLICIES_H
13 #define TOR_POLICIES_H
14 
15 /* (length of
16  * "accept6 [ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff]/128:65535-65535\n"
17  * plus a terminating NUL, rounded up to a nice number.)
18  */
19 #define POLICY_BUF_LEN 72
20 
21 #define EXIT_POLICY_IPV6_ENABLED (1 << 0)
22 #define EXIT_POLICY_REJECT_PRIVATE (1 << 1)
23 #define EXIT_POLICY_ADD_DEFAULT (1 << 2)
24 #define EXIT_POLICY_REJECT_LOCAL_INTERFACES (1 << 3)
25 #define EXIT_POLICY_ADD_REDUCED (1 << 4)
26 #define EXIT_POLICY_OPTION_MAX EXIT_POLICY_ADD_REDUCED
27 /* All options set: used for unit testing */
28 #define EXIT_POLICY_OPTION_ALL ((EXIT_POLICY_OPTION_MAX << 1) - 1)
29 
30 typedef enum firewall_connection_t {
31  FIREWALL_OR_CONNECTION = 0,
32  FIREWALL_DIR_CONNECTION = 1
33 } firewall_connection_t;
34 
35 typedef int exit_policy_parser_cfg_t;
36 
37 /** Outcome of applying an address policy to an address. */
38 typedef enum {
39  /** The address was accepted */
40  ADDR_POLICY_ACCEPTED=0,
41  /** The address was rejected */
42  ADDR_POLICY_REJECTED=-1,
43  /** Part of the address was unknown, but as far as we can tell, it was
44  * accepted. */
45  ADDR_POLICY_PROBABLY_ACCEPTED=1,
46  /** Part of the address was unknown, but as far as we can tell, it was
47  * rejected. */
48  ADDR_POLICY_PROBABLY_REJECTED=2,
49 } addr_policy_result_t;
50 
51 /** A single entry in a parsed policy summary, describing a range of ports. */
52 typedef struct short_policy_entry_t {
53  uint16_t min_port, max_port;
54 } short_policy_entry_t;
55 
56 /** A short_poliy_t is the parsed version of a policy summary. */
57 typedef struct short_policy_t {
58  /** True if the members of 'entries' are port ranges to accept; false if
59  * they are port ranges to reject */
60  unsigned int is_accept : 1;
61  /** The actual number of values in 'entries'. */
62  unsigned int n_entries : 31;
63  /** An array of 0 or more short_policy_entry_t values, each describing a
64  * range of ports that this policy accepts or rejects (depending on the
65  * value of is_accept).
66  */
67  short_policy_entry_t entries[FLEXIBLE_ARRAY_MEMBER];
68 } short_policy_t;
69 
70 int firewall_is_fascist_or(void);
71 int firewall_is_fascist_dir(void);
72 int reachable_addr_use_ipv6(const or_options_t *options);
73 int reachable_addr_prefer_ipv6_orport(const or_options_t *options);
74 int reachable_addr_prefer_ipv6_dirport(const or_options_t *options);
75 
76 int reachable_addr_allows_addr(const tor_addr_t *addr,
77  uint16_t port,
78  firewall_connection_t fw_connection,
79  int pref_only, int pref_ipv6);
80 
81 int reachable_addr_allows_rs(const routerstatus_t *rs,
82  firewall_connection_t fw_connection,
83  int pref_only);
84 int reachable_addr_allows_node(const node_t *node,
85  firewall_connection_t fw_connection,
86  int pref_only);
87 int reachable_addr_allows_dir_server(const dir_server_t *ds,
88  firewall_connection_t fw_connection,
89  int pref_only);
90 
91 void reachable_addr_choose_from_rs(const routerstatus_t *rs,
92  firewall_connection_t fw_connection,
93  int pref_only, tor_addr_port_t* ap);
94 void reachable_addr_choose_from_ls(const smartlist_t *lspecs,
95  int pref_only, tor_addr_port_t* ap);
96 void reachable_addr_choose_from_node(const node_t *node,
97  firewall_connection_t fw_connection,
98  int pref_only, tor_addr_port_t* ap);
99 void reachable_addr_choose_from_dir_server(const dir_server_t *ds,
100  firewall_connection_t fw_connection,
101  int pref_only, tor_addr_port_t* ap);
102 
103 int dir_policy_permits_address(const tor_addr_t *addr);
104 int socks_policy_permits_address(const tor_addr_t *addr);
105 int metrics_policy_permits_address(const tor_addr_t *addr);
106 int authdir_policy_permits_address(const tor_addr_t *addr, uint16_t port);
107 int authdir_policy_valid_address(const tor_addr_t *addr, uint16_t port);
108 int authdir_policy_badexit_address(const tor_addr_t *addr, uint16_t port);
109 
110 int validate_addr_policies(const or_options_t *options, char **msg);
111 void policy_expand_private(smartlist_t **policy);
112 void policy_expand_unspec(smartlist_t **policy);
113 int policies_parse_from_options(const or_options_t *options);
114 
115 addr_policy_t *addr_policy_get_canonical_entry(addr_policy_t *ent);
116 int addr_policies_eq(const smartlist_t *a, const smartlist_t *b);
117 MOCK_DECL(addr_policy_result_t, compare_tor_addr_to_addr_policy,
118  (const tor_addr_t *addr, uint16_t port, const smartlist_t *policy));
119 addr_policy_result_t compare_tor_addr_to_node_policy(const tor_addr_t *addr,
120  uint16_t port, const node_t *node);
121 
122 int policies_parse_exit_policy_from_options(
123  const or_options_t *or_options,
124  const tor_addr_t *ipv4_local_address,
125  const tor_addr_t *ipv6_local_address,
126  smartlist_t **result);
127 struct config_line_t;
128 int policies_parse_exit_policy(struct config_line_t *cfg, smartlist_t **dest,
129  exit_policy_parser_cfg_t options,
130  const smartlist_t *configured_addresses);
131 void policies_parse_exit_policy_reject_private(
132  smartlist_t **dest,
133  int ipv6_exit,
134  const smartlist_t *configured_addresses,
135  int reject_interface_addresses,
136  int reject_configured_port_addresses);
137 void policies_exit_policy_append_reject_star(smartlist_t **dest);
138 void addr_policy_append_reject_addr(smartlist_t **dest,
139  const tor_addr_t *addr);
140 void addr_policy_append_reject_addr_list(smartlist_t **dest,
141  const smartlist_t *addrs);
142 void policies_set_node_exitpolicy_to_reject_all(node_t *exitrouter);
143 int exit_policy_is_general_exit(smartlist_t *policy);
144 int policy_is_reject_star(const smartlist_t *policy, sa_family_t family,
145  int reject_by_default);
146 char * policy_dump_to_string(const smartlist_t *policy_list,
147  int include_ipv4,
148  int include_ipv6);
149 int getinfo_helper_policies(control_connection_t *conn,
150  const char *question, char **answer,
151  const char **errmsg);
152 int policy_write_item(char *buf, size_t buflen, const addr_policy_t *item,
153  int format_for_desc);
154 
155 void addr_policy_list_free_(smartlist_t *p);
156 #define addr_policy_list_free(lst) \
157  FREE_AND_NULL(smartlist_t, addr_policy_list_free_, (lst))
158 void addr_policy_free_(addr_policy_t *p);
159 #define addr_policy_free(p) \
160  FREE_AND_NULL(addr_policy_t, addr_policy_free_, (p))
161 void policies_free_all(void);
162 
163 char *policy_summarize(smartlist_t *policy, sa_family_t family);
164 
165 short_policy_t *parse_short_policy(const char *summary);
166 char *write_short_policy(const short_policy_t *policy);
167 void short_policy_free_(short_policy_t *policy);
168 #define short_policy_free(p) \
169  FREE_AND_NULL(short_policy_t, short_policy_free_, (p))
170 int short_policy_is_reject_star(const short_policy_t *policy);
171 addr_policy_result_t compare_tor_addr_to_short_policy(
172  const tor_addr_t *addr, uint16_t port,
173  const short_policy_t *policy);
174 
175 #ifdef POLICIES_PRIVATE
176 STATIC void append_exit_policy_string(smartlist_t **policy, const char *more);
177 STATIC int reachable_addr_allows(const tor_addr_t *addr,
178  uint16_t port,
179  smartlist_t *firewall_policy,
180  int pref_only, int pref_ipv6);
181 STATIC const tor_addr_port_t * reachable_addr_choose(
182  const tor_addr_port_t *a,
183  const tor_addr_port_t *b,
184  int want_a,
185  firewall_connection_t fw_connection,
186  int pref_only, int pref_ipv6);
187 
188 #endif /* defined(POLICIES_PRIVATE) */
189 
190 #endif /* !defined(TOR_POLICIES_H) */
sa_family_t
uint16_t sa_family_t
Definition: inaddr_st.h:77
reachable_addr_allows
STATIC int reachable_addr_allows(const tor_addr_t *addr, uint16_t port, smartlist_t *firewall_policy, int pref_only, int pref_ipv6)
Definition: policies.c:409
append_exit_policy_string
STATIC void append_exit_policy_string(smartlist_t **policy, const char *more)
Definition: policies.c:1583
reachable_addr_choose
STATIC const tor_addr_port_t * reachable_addr_choose(const tor_addr_port_t *a, const tor_addr_port_t *b, int want_a, firewall_connection_t fw_connection, int pref_only, int pref_ipv6)
Definition: policies.c:789
addr_policy_append_reject_addr
void addr_policy_append_reject_addr(smartlist_t **dest, const tor_addr_t *addr)
Definition: policies.c:1597
policies_set_node_exitpolicy_to_reject_all
void policies_set_node_exitpolicy_to_reject_all(node_t *exitrouter)
Definition: policies.c:2174
addr_policy_free_
void addr_policy_free_(addr_policy_t *p)
Definition: policies.c:3076
addr_policies_eq
int addr_policies_eq(const smartlist_t *a, const smartlist_t *b)
Definition: policies.c:1304
reachable_addr_prefer_ipv6_dirport
int reachable_addr_prefer_ipv6_dirport(const or_options_t *options)
Definition: policies.c:509
policies_parse_exit_policy_from_options
int policies_parse_exit_policy_from_options(const or_options_t *or_options, const tor_addr_t *ipv4_local_address, const tor_addr_t *ipv6_local_address, smartlist_t **result)
Definition: policies.c:2103
policies_parse_exit_policy
int policies_parse_exit_policy(struct config_line_t *cfg, smartlist_t **dest, exit_policy_parser_cfg_t options, const smartlist_t *configured_addresses)
Definition: policies.c:2020
reachable_addr_prefer_ipv6_orport
int reachable_addr_prefer_ipv6_orport(const or_options_t *options)
Definition: policies.c:487
policy_expand_private
void policy_expand_private(smartlist_t **policy)
Definition: policies.c:107
reachable_addr_allows_rs
int reachable_addr_allows_rs(const routerstatus_t *rs, firewall_connection_t fw_connection, int pref_only)
Definition: policies.c:644
firewall_is_fascist_or
int firewall_is_fascist_or(void)
Definition: policies.c:356
metrics_policy_permits_address
int metrics_policy_permits_address(const tor_addr_t *addr)
Definition: policies.c:1069
policies_parse_exit_policy_reject_private
void policies_parse_exit_policy_reject_private(smartlist_t **dest, int ipv6_exit, const smartlist_t *configured_addresses, int reject_interface_addresses, int reject_configured_port_addresses)
Definition: policies.c:1785
parse_short_policy
short_policy_t * parse_short_policy(const char *summary)
Definition: policies.c:2685
addr_policy_append_reject_addr_list
void addr_policy_append_reject_addr_list(smartlist_t **dest, const smartlist_t *addrs)
Definition: policies.c:1654
reachable_addr_allows_addr
int reachable_addr_allows_addr(const tor_addr_t *addr, uint16_t port, firewall_connection_t fw_connection, int pref_only, int pref_ipv6)
Definition: policies.c:533
reachable_addr_choose_from_node
void reachable_addr_choose_from_node(const node_t *node, firewall_connection_t fw_connection, int pref_only, tor_addr_port_t *ap)
Definition: policies.c:985
reachable_addr_choose_from_dir_server
void reachable_addr_choose_from_dir_server(const dir_server_t *ds, firewall_connection_t fw_connection, int pref_only, tor_addr_port_t *ap)
Definition: policies.c:1024
policy_dump_to_string
char * policy_dump_to_string(const smartlist_t *policy_list, int include_ipv4, int include_ipv6)
Definition: policies.c:2925
reachable_addr_allows_node
int reachable_addr_allows_node(const node_t *node, firewall_connection_t fw_connection, int pref_only)
Definition: policies.c:690
addr_policy_list_free_
void addr_policy_list_free_(smartlist_t *p)
Definition: policies.c:3066
getinfo_helper_policies
int getinfo_helper_policies(control_connection_t *conn, const char *question, char **answer, const char **errmsg)
Definition: policies.c:2968
reachable_addr_choose_from_ls
void reachable_addr_choose_from_ls(const smartlist_t *lspecs, int pref_only, tor_addr_port_t *ap)
Definition: policies.c:910
reachable_addr_choose_from_rs
void reachable_addr_choose_from_rs(const routerstatus_t *rs, firewall_connection_t fw_connection, int pref_only, tor_addr_port_t *ap)
Definition: policies.c:871
policies_parse_from_options
int policies_parse_from_options(const or_options_t *options)
Definition: policies.c:1251
authdir_policy_badexit_address
int authdir_policy_badexit_address(const tor_addr_t *addr, uint16_t port)
Definition: policies.c:1115
reachable_addr_allows_dir_server
int reachable_addr_allows_dir_server(const dir_server_t *ds, firewall_connection_t fw_connection, int pref_only)
Definition: policies.c:728
policy_write_item
int policy_write_item(char *buf, size_t buflen, const addr_policy_t *item, int format_for_desc)
Definition: policies.c:2268
compare_tor_addr_to_addr_policy
addr_policy_result_t compare_tor_addr_to_addr_policy(const tor_addr_t *addr, uint16_t port, const smartlist_t *policy)
Definition: policies.c:1516
write_short_policy
char * write_short_policy(const short_policy_t *policy)
Definition: policies.c:2786
reachable_addr_use_ipv6
int reachable_addr_use_ipv6(const or_options_t *options)
Definition: policies.c:448
compare_tor_addr_to_short_policy
addr_policy_result_t compare_tor_addr_to_short_policy(const tor_addr_t *addr, uint16_t port, const short_policy_t *policy)
Definition: policies.c:2822
policy_is_reject_star
int policy_is_reject_star(const smartlist_t *policy, sa_family_t family, int reject_by_default)
Definition: policies.c:2244
firewall_is_fascist_dir
int firewall_is_fascist_dir(void)
Definition: policies.c:367
dir_policy_permits_address
int dir_policy_permits_address(const tor_addr_t *addr)
Definition: policies.c:1051
policy_expand_unspec
void policy_expand_unspec(smartlist_t **policy)
Definition: policies.c:147
authdir_policy_permits_address
int authdir_policy_permits_address(const tor_addr_t *addr, uint16_t port)
Definition: policies.c:1093
addr_policy_result_t
addr_policy_result_t
Definition: policies.h:38
ADDR_POLICY_PROBABLY_ACCEPTED
@ ADDR_POLICY_PROBABLY_ACCEPTED
Definition: policies.h:45
ADDR_POLICY_ACCEPTED
@ ADDR_POLICY_ACCEPTED
Definition: policies.h:40
ADDR_POLICY_PROBABLY_REJECTED
@ ADDR_POLICY_PROBABLY_REJECTED
Definition: policies.h:48
ADDR_POLICY_REJECTED
@ ADDR_POLICY_REJECTED
Definition: policies.h:42
policies_free_all
void policies_free_all(void)
Definition: policies.c:3097
short_policy_free_
void short_policy_free_(short_policy_t *policy)
Definition: policies.c:2812
validate_addr_policies
int validate_addr_policies(const or_options_t *options, char **msg)
Definition: policies.c:1138
addr_policy_get_canonical_entry
addr_policy_t * addr_policy_get_canonical_entry(addr_policy_t *ent)
Definition: policies.c:1369
socks_policy_permits_address
int socks_policy_permits_address(const tor_addr_t *addr)
Definition: policies.c:1060
compare_tor_addr_to_node_policy
addr_policy_result_t compare_tor_addr_to_node_policy(const tor_addr_t *addr, uint16_t port, const node_t *node)
Definition: policies.c:2887
authdir_policy_valid_address
int authdir_policy_valid_address(const tor_addr_t *addr, uint16_t port)
Definition: policies.c:1104
short_policy_is_reject_star
int short_policy_is_reject_star(const short_policy_t *policy)
Definition: policies.c:2870
exit_policy_is_general_exit
int exit_policy_is_general_exit(smartlist_t *policy)
Definition: policies.c:2230
policy_summarize
char * policy_summarize(smartlist_t *policy, sa_family_t family)
Definition: policies.c:2573
policies_exit_policy_append_reject_star
void policies_exit_policy_append_reject_star(smartlist_t **dest)
Definition: policies.c:2166
addr_policy_t
Definition: addr_policy_st.h:26
config_line_t
Definition: confline.h:29
control_connection_t
Definition: control_connection_st.h:19
dir_server_t
Definition: dir_server_st.h:23
node_t
Definition: node_st.h:34
or_options_t
Definition: or_options_st.h:64
routerstatus_t
Definition: routerstatus_st.h:19
short_policy_entry_t
Definition: policies.h:52
short_policy_t
Definition: policies.h:57
short_policy_t::n_entries
unsigned int n_entries
Definition: policies.h:62
short_policy_t::is_accept
unsigned int is_accept
Definition: policies.h:60
short_policy_t::entries
short_policy_entry_t entries[FLEXIBLE_ARRAY_MEMBER]
Definition: policies.h:67
smartlist_t
Definition: smartlist_core.h:26
tor_addr_port_t
Definition: address.h:81
tor_addr_t
Definition: address.h:69
STATIC
#define STATIC
Definition: testsupport.h:32
MOCK_DECL
#define MOCK_DECL(rv, funcname, arglist)
Definition: testsupport.h:127
Generated by doxygen 1.9.1