18 #define POLICIES_PRIVATE
34 #include "trunnel/ed25519_cert.h"
45 #define MAX_EXITPOLICY_SUMMARY_LEN 1000
79 unsigned int accepted:1;
89 "0.0.0.0/8",
"169.254.0.0/16",
90 "127.0.0.0/8",
"192.168.0.0/16",
"10.0.0.0/8",
"172.16.0.0/12",
92 "[fc00::]/7",
"[fe80::]/10",
"[fec0::]/10",
"[ff00::]/8",
"[::]/127",
102 int reject_interface_addresses,
103 int reject_configured_port_addresses,
104 int add_default_policy,
105 int add_reduced_policy);
112 uint16_t port_min, port_max;
123 if (! p->is_private) {
134 &newpolicy.
maskbits, &port_min, &port_max)<0) {
135 tor_assert_unreached();
140 } SMARTLIST_FOREACH_END(p);
142 smartlist_free(*policy);
159 if (family == AF_INET6 || family == AF_INET || p->is_private) {
161 }
else if (family == AF_UNSPEC) {
168 if (p->maskbits != 0) {
169 log_warn(
LD_BUG,
"AF_UNSPEC policy with maskbits==%d", p->maskbits);
175 (
const uint8_t *)
"\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0");
180 log_warn(
LD_BUG,
"Funny-looking address policy with family %d", family);
183 } SMARTLIST_FOREACH_END(p);
185 smartlist_free(*policy);
213 for (; cfg; cfg = cfg->next) {
215 SPLIT_SKIP_SPACE|SPLIT_IGNORE_BLANK, 0);
217 log_debug(
LD_CONFIG,
"Adding new entry '%s'",ent);
223 }
else if (malformed_list) {
225 log_warn(
LD_CONFIG,
"Malformed policy '%s'. Discarding entire policy "
231 log_debug(
LD_CONFIG,
"Ignored policy '%s' due to non-fatal error. "
232 "The remainder of the policy list will be used.",
235 } SMARTLIST_FOREACH_END(ent);
239 smartlist_free(entries);
241 addr_policy_list_free(result);
248 smartlist_free(result);
271 "Both ReachableDirAddresses and ReachableORAddresses are set. "
272 "ReachableAddresses setting will be ignored.");
278 "Using ReachableAddresses as ReachableORAddresses.");
284 "Error parsing Reachable%sAddresses entry; ignoring.",
293 "Using ReachableAddresses as ReachableDirAddresses");
300 "Error parsing ReachableDirAddresses entry; ignoring.");
308 log_warn(
LD_CONFIG,
"Tor cannot connect to the Internet if "
309 "ReachableAddresses, ReachableORAddresses, or "
310 "ReachableDirAddresses reject all addresses. Please accept "
311 "some addresses in these options.");
315 log_warn(
LD_CONFIG,
"You have set ClientUseIPv4 1, but "
316 "ReachableAddresses, ReachableORAddresses, or "
317 "ReachableDirAddresses reject all IPv4 addresses. "
318 "Tor will not connect using IPv4.");
322 log_warn(
LD_CONFIG,
"You have configured tor to use or prefer IPv6 "
323 "(or UseBridges 1), but "
324 "ReachableAddresses, ReachableORAddresses, or "
325 "ReachableDirAddresses reject all IPv6 addresses. "
326 "Tor will not connect using IPv6.");
344 firewall_is_fascist_impl(
void)
392 log_warn(
LD_BUG,
"Unexpected result: %d", (
int)p);
415 int pref_only,
int pref_ipv6)
494 if (pref_ipv6 >= 0) {
516 if (pref_ipv6 >= 0) {
537 firewall_connection_t fw_connection,
538 int pref_only,
int pref_ipv6)
540 if (fw_connection == FIREWALL_OR_CONNECTION) {
543 pref_only, pref_ipv6);
544 }
else if (fw_connection == FIREWALL_DIR_CONNECTION) {
547 pref_only, pref_ipv6);
549 log_warn(
LD_BUG,
"Bad firewall_connection_t value %d.",
562 firewall_connection_t fw_connection,
563 int pref_only,
int pref_ipv6)
567 fw_connection, pref_only,
579 uint16_t ipv4_dirport,
580 const tor_addr_t *ipv6_addr, uint16_t ipv6_orport,
581 uint16_t ipv6_dirport,
582 firewall_connection_t fw_connection,
583 int pref_only,
int pref_ipv6)
586 (fw_connection == FIREWALL_OR_CONNECTION
590 pref_only, pref_ipv6)) {
595 (fw_connection == FIREWALL_OR_CONNECTION
599 pref_only, pref_ipv6)) {
609 firewall_connection_t fw_connection,
610 int pref_only,
int pref_ipv6)
619 ri->ipv6_orport, ri->ipv4_dirport,
620 fw_connection, pref_only, pref_ipv6);
626 firewall_connection_t fw_connection,
627 int pref_only,
int pref_ipv6)
637 fw_connection, pref_only, pref_ipv6);
648 firewall_connection_t fw_connection,
int pref_only)
657 int pref_ipv6 = (fw_connection == FIREWALL_OR_CONNECTION
672 firewall_connection_t fw_connection,
673 int pref_only,
int pref_ipv6)
680 if (fw_connection == FIREWALL_DIR_CONNECTION) {
686 fw_connection, pref_only,
694 firewall_connection_t fw_connection,
701 node_assert_ok(node);
703 const int pref_ipv6 = (fw_connection == FIREWALL_OR_CONNECTION
710 pref_only, pref_ipv6)) {
732 firewall_connection_t fw_connection,
757 firewall_connection_t fw_connection,
758 int pref_only,
int pref_ipv6)
774 if (use_a && use_b) {
776 return (want_a ? use_a : use_b);
779 return (use_a ? use_a : use_b);
795 firewall_connection_t fw_connection,
796 int pref_only,
int pref_ipv6)
802 if (pref_only || pref) {
826 uint16_t ipv4_orport,
827 uint16_t ipv4_dirport,
829 uint16_t ipv6_orport,
830 uint16_t ipv6_dirport,
831 firewall_connection_t fw_connection,
837 const int want_ipv4 = !pref_ipv6;
847 ipv4_ap.port = (fw_connection == FIREWALL_OR_CONNECTION
853 ipv6_ap.port = (fw_connection == FIREWALL_OR_CONNECTION
859 fw_connection, pref_only,
864 ap->port = result->port;
875 firewall_connection_t fw_connection,
895 int pref_ipv6 = (fw_connection == FIREWALL_OR_CONNECTION
902 fw_connection, pref_only, pref_ipv6,
916 int have_v4 = 0, have_v6 = 0;
917 uint16_t port_v4 = 0, port_v6 = 0;
922 if (lspecs == NULL) {
923 log_warn(
LD_BUG,
"Unknown or missing link specifiers");
926 if (smartlist_len(lspecs) == 0) {
927 log_warn(
LD_PROTOCOL,
"Link specifiers are empty");
938 switch (link_specifier_get_ls_type(ls)) {
941 if (have_v4)
continue;
943 link_specifier_get_un_ipv4_addr(ls));
944 port_v4 = link_specifier_get_un_ipv4_port(ls);
950 if (have_v6)
continue;
952 link_specifier_getconstarray_un_ipv6_addr(ls));
953 port_v6 = link_specifier_get_un_ipv6_port(ls);
960 } SMARTLIST_FOREACH_END(ls);
963 if (!have_v4 && !have_v6) {
965 log_warn(
LD_PROTOCOL,
"None of our link specifiers have IPv4 or IPv6");
967 log_warn(
LD_PROTOCOL,
"None of our link specifiers have IPv4");
978 &addr_v6, port_v6, 0,
979 FIREWALL_OR_CONNECTION,
980 pref_only, pref_ipv6,
989 firewall_connection_t fw_connection,
1001 node_assert_ok(node);
1003 const int pref_ipv6_node = (fw_connection == FIREWALL_OR_CONNECTION
1019 ipv4_dir_ap.port, &ipv6_or_ap.addr,
1020 ipv6_or_ap.port, ipv6_dir_ap.port,
1021 fw_connection, pref_only,
1022 pref_ipv6_node, ap);
1028 firewall_connection_t fw_connection,
1136 #define REJECT(arg) \
1137 STMT_BEGIN *msg = tor_strdup(arg); goto err; STMT_END
1161 REJECT(
"Error in ExitPolicy entry.");
1164 static int warned_about_nonexit = 0;
1168 warned_about_nonexit = 1;
1169 log_notice(
LD_CONFIG,
"By default, Tor does not run as an exit relay. "
1170 "If you want to be an exit relay, "
1171 "set ExitRelay to 1. To suppress this message in the future, "
1172 "set ExitRelay to 0.");
1178 REJECT(
"Error in DirPolicy entry.");
1180 REJECT(
"Error in SocksPolicy entry.");
1182 ADDR_POLICY_REJECT))
1183 REJECT(
"Error in AuthDirReject entry.");
1185 ADDR_POLICY_REJECT))
1186 REJECT(
"Error in AuthDirInvalid entry.");
1188 ADDR_POLICY_REJECT))
1189 REJECT(
"Error in AuthDirBadExit entry.");
1191 ADDR_POLICY_REJECT))
1192 REJECT(
"Error in AuthDirMiddleOnly entry.");
1195 ADDR_POLICY_ACCEPT))
1196 REJECT(
"Error in ReachableAddresses entry.");
1198 ADDR_POLICY_ACCEPT))
1199 REJECT(
"Error in ReachableORAddresses entry.");
1201 ADDR_POLICY_ACCEPT))
1202 REJECT(
"Error in ReachableDirAddresses entry.");
1205 addr_policy_list_free(addr_policy);
1206 return *msg ? -1 : 0;
1220 int killed_any_ports = 0;
1221 addr_policy_list_free(*policy);
1230 if (n->prt_min > 1 || n->prt_max != 65535) {
1232 memcpy(&newp, n,
sizeof(newp));
1238 addr_policy_free(n);
1239 killed_any_ports = 1;
1241 } SMARTLIST_FOREACH_END(n);
1243 if (killed_any_ports) {
1244 log_warn(
LD_CONFIG,
"Ignoring ports in %s option.", option_name);
1303 #define CMP_FIELD(field) do { \
1304 if (a->field != b->field) { \
1308 CMP_FIELD(policy_type);
1309 CMP_FIELD(is_private);
1314 CMP_FIELD(maskbits);
1327 int len_a = a ? smartlist_len(a) : 0;
1328 int len_b = b ? smartlist_len(b) : 0;
1333 for (i = 0; i < len_a; ++i) {
1363 memset(&aa, 0,
sizeof(aa));
1377 return (
unsigned) siphash24g(&aa,
sizeof(aa));
1396 found = HT_FIND(policy_map, &policy_root, &search);
1400 found->policy->is_canonical = 1;
1401 found->policy->refcnt = 0;
1402 HT_INSERT(policy_map, &policy_root, found);
1406 ++found->policy->refcnt;
1407 return found->policy;
1419 if (tmpe->addr.family == AF_UNSPEC) {
1420 log_warn(
LD_BUG,
"Policy contains an AF_UNSPEC address, which only "
1421 "matches other AF_UNSPEC addresses.");
1426 if (port >= tmpe->prt_min && port <= tmpe->prt_max) {
1428 return tmpe->policy_type == ADDR_POLICY_ACCEPT ?
1432 } SMARTLIST_FOREACH_END(tmpe);
1447 int maybe_accept = 0, maybe_reject = 0;
1450 if (tmpe->addr.family == AF_UNSPEC) {
1451 log_warn(
LD_BUG,
"Policy contains an AF_UNSPEC address, which only "
1452 "matches other AF_UNSPEC addresses.");
1456 if (tmpe->prt_min <= 1 && tmpe->prt_max >= 65535) {
1458 if (tmpe->policy_type == ADDR_POLICY_ACCEPT) {
1469 if (tmpe->policy_type == ADDR_POLICY_REJECT)
1475 } SMARTLIST_FOREACH_END(tmpe);
1490 int maybe_accept = 0, maybe_reject = 0;
1493 if (tmpe->addr.family == AF_UNSPEC) {
1494 log_warn(
LD_BUG,
"Policy contains an AF_UNSPEC address, which only "
1495 "matches other AF_UNSPEC addresses.");
1497 if (tmpe->prt_min <= port && port <= tmpe->prt_max) {
1498 if (tmpe->maskbits == 0) {
1500 if (tmpe->policy_type == ADDR_POLICY_ACCEPT) {
1511 if (tmpe->policy_type == ADDR_POLICY_REJECT)
1517 } SMARTLIST_FOREACH_END(tmpe);
1543 log_info(
LD_BUG,
"Rejecting null address with 0 port (family %d)",
1548 }
else if (port == 0) {
1608 tmp.value = (
char*) more;
1611 log_warn(
LD_BUG,
"Unable to parse internally generated policy %s",more);
1623 memset(&p, 0,
sizeof(p));
1634 log_debug(
LD_CONFIG,
"Adding a reject ExitPolicy 'reject %s:*'",
1640 tor_addr_is_public_for_reject(
const tor_addr_t *addr)
1652 addr_policy_append_reject_addr_filter(
smartlist_t **dest,
1661 if (tor_addr_is_public_for_reject(addr)) {
1665 if ((is_ipv4 && ipv4_rules) || (!is_ipv4 && ipv6_rules)) {
1682 } SMARTLIST_FOREACH_END(addr);
1697 addr_policy_append_reject_addr_filter(dest, addr, ipv4_rules, ipv6_rules);
1698 } SMARTLIST_FOREACH_END(addr);
1711 int kill_v4=0, kill_v6=0;
1712 for (i = 0; i < smartlist_len(dest); ++i) {
1714 ap = smartlist_get(dest, i);
1716 if ((family == AF_INET && kill_v4) ||
1717 (family == AF_INET6 && kill_v6)) {
1719 addr_policy_free(ap);
1725 if (family == AF_INET) {
1727 }
else if (family == AF_INET6) {
1736 for (i = 0; i < smartlist_len(dest)-1; ++i) {
1737 ap = smartlist_get(dest, i);
1738 for (j = i+1; j < smartlist_len(dest); ++j) {
1739 tmp = smartlist_get(dest, j);
1742 char p1[POLICY_BUF_LEN], p2[POLICY_BUF_LEN];
1745 log_debug(
LD_CONFIG,
"Removing exit policy %s (%d). It is made "
1746 "redundant by %s (%d).", p1, j, p2, i);
1748 addr_policy_free(tmp);
1760 for (i = 0; i < smartlist_len(dest)-1; ++i) {
1761 ap = smartlist_get(dest, i);
1762 for (j = i+1; j < smartlist_len(dest); ++j) {
1765 tmp = smartlist_get(dest, j);
1771 char p1[POLICY_BUF_LEN], p2[POLICY_BUF_LEN];
1774 log_debug(
LD_CONFIG,
"Removing exit policy %s. It is already "
1775 "covered by %s.", p1, p2);
1777 addr_policy_free(ap);
1809 int reject_interface_addresses,
1810 int reject_configured_port_addresses)
1815 if (configured_addresses) {
1821 if (reject_configured_port_addresses) {
1827 if (!port->is_unix_addr) {
1828 addr_policy_append_reject_addr_filter(dest, &port->addr, 1, ipv6_exit);
1830 } SMARTLIST_FOREACH_END(port);
1834 if (reject_interface_addresses) {
1840 interface_address6_list_free(public_addresses);
1847 interface_address6_list_free(public_addresses);
1864 int found_final_effective_entry = 0;
1865 int first_redundant_entry = 0;
1869 int found_ipv4_wildcard = 0, found_ipv6_wildcard = 0;
1870 const int i = p_sl_idx;
1873 if (p->prt_min <= 1 && p->prt_max == 65535 && p->maskbits == 0) {
1879 if (family == AF_INET || family == AF_UNSPEC) {
1880 found_ipv4_wildcard = 1;
1882 if (family == AF_INET6 || family == AF_UNSPEC) {
1883 found_ipv6_wildcard = 1;
1890 if (found_ipv4_wildcard && found_ipv6_wildcard) {
1891 found_final_effective_entry = 1;
1893 if (i < smartlist_len(policy) - 1) {
1894 first_redundant_entry = i + 1;
1898 } SMARTLIST_FOREACH_END(p);
1901 if (found_final_effective_entry && first_redundant_entry > 0) {
1908 tor_assert(first_redundant_entry < smartlist_len(policy));
1909 p = smartlist_get(policy, first_redundant_entry);
1913 log_warn(
LD_DIR,
"Exit policy '%s' and all following policies are "
1914 "redundant, as it follows accept/reject *:* rules for both "
1915 "IPv4 and IPv6. They will be removed from the exit policy. (Use "
1916 "accept/reject *:* as the last entry in any exit policy.)",
1921 #define DEFAULT_EXIT_POLICY \
1922 "reject *:25,reject *:119,reject *:135-139,reject *:445," \
1923 "reject *:563,reject *:1214,reject *:4661-4666," \
1924 "reject *:6346-6429,reject *:6699,reject *:6881-6999,accept *:*"
1926 #define REDUCED_EXIT_POLICY \
1927 "accept *:20-23,accept *:43,accept *:53,accept *:79-81,accept *:88," \
1928 "accept *:110,accept *:143,accept *:194,accept *:220,accept *:389," \
1929 "accept *:443,accept *:464,accept *:465,accept *:531,accept *:543-544," \
1930 "accept *:554,accept *:563,accept *:587,accept *:636,accept *:706," \
1931 "accept *:749,accept *:873,accept *:902-904,accept *:981,accept *:989-995," \
1932 "accept *:1194,accept *:1220,accept *:1293,accept *:1500,accept *:1533," \
1933 "accept *:1677,accept *:1723,accept *:1755,accept *:1863," \
1934 "accept *:2082-2083,accept *:2086-2087,accept *:2095-2096," \
1935 "accept *:2102-2104,accept *:3128,accept *:3389,accept *:3690," \
1936 "accept *:4321,accept *:4643,accept *:5050,accept *:5190," \
1937 "accept *:5222-5223,accept *:5228,accept *:5900,accept *:6660-6669," \
1938 "accept *:6679,accept *:6697,accept *:8000,accept *:8008,accept *:8074," \
1939 "accept *:8080,accept *:8082,accept *:8087-8088,accept *:8232-8233," \
1940 "accept *:8332-8333,accept *:8443,accept *:8888,accept *:9418," \
1941 "accept *:9999,accept *:10000,accept *:11371,accept *:19294," \
1942 "accept *:19638,accept *:50002,accept *:64738,reject *:*"
1977 int reject_interface_addresses,
1978 int reject_configured_port_addresses,
1979 int add_default_policy,
1980 int add_reduced_policy)
1985 if (rejectprivate) {
1994 configured_addresses,
1995 reject_interface_addresses,
1996 reject_configured_port_addresses);
2006 if (add_reduced_policy) {
2008 }
else if (add_default_policy) {
2041 exit_policy_parser_cfg_t options,
2044 int ipv6_enabled = (options & EXIT_POLICY_IPV6_ENABLED) ? 1 : 0;
2045 int reject_private = (options & EXIT_POLICY_REJECT_PRIVATE) ? 1 : 0;
2046 int add_default = (options & EXIT_POLICY_ADD_DEFAULT) ? 1 : 0;
2047 int reject_local_interfaces = (options &
2048 EXIT_POLICY_REJECT_LOCAL_INTERFACES) ? 1 : 0;
2049 int add_reduced = (options & EXIT_POLICY_ADD_REDUCED) ? 1 : 0;
2053 configured_addresses,
2054 reject_local_interfaces,
2055 reject_local_interfaces,
2088 for (
int j=0;j<2;j++) {
2128 exit_policy_parser_cfg_t parser_cfg = 0;
2145 parser_cfg |= EXIT_POLICY_IPV6_ENABLED;
2149 parser_cfg |= EXIT_POLICY_REJECT_PRIVATE;
2154 parser_cfg |= EXIT_POLICY_ADD_REDUCED;
2156 parser_cfg |= EXIT_POLICY_ADD_DEFAULT;
2160 parser_cfg |= EXIT_POLICY_REJECT_LOCAL_INTERFACES;
2175 configured_addresses);
2178 smartlist_free(configured_addresses);
2204 uint32_t mask, ip, i;
2206 char subnet_status[256];
2208 memset(subnet_status, 0,
sizeof(subnet_status));
2212 if (p->prt_min > port || p->prt_max < port)
2218 mask = UINT32_MAX<<(32-p->maskbits);
2223 for (i = ((mask & ip)>>24); i <= (~((mask & ip) ^ mask)>>24); ++i) {
2225 if (subnet_status[i] != 0)
2228 if (tor_addr_is_internal(&addr, 0) &&
2232 if (p->policy_type == ADDR_POLICY_ACCEPT) {
2233 if (p->maskbits > 8)
2238 }
else if (p->policy_type == ADDR_POLICY_REJECT) {
2239 subnet_status[i] = 1;
2242 } SMARTLIST_FOREACH_END(p);
2268 return default_reject;
2270 if (p->policy_type == ADDR_POLICY_ACCEPT &&
2274 }
else if (p->policy_type == ADDR_POLICY_REJECT &&
2275 p->prt_min <= 1 && p->prt_max == 65535 &&
2281 } SMARTLIST_FOREACH_END(p);
2282 return default_reject;
2289 int format_for_desc)
2293 const char *addrpart;
2295 const int is_accept = policy->
policy_type == ADDR_POLICY_ACCEPT;
2297 const int is_ip6 = (family == AF_INET6);
2303 addrpart =
"private";
2304 }
else if (policy->
maskbits == 0) {
2305 if (format_for_desc)
2307 else if (family == AF_INET6)
2309 else if (family == AF_INET)
2318 is_accept ?
"accept" :
"reject",
2319 (is_ip6&&format_for_desc)?
"6":
"",
2323 written += strlen(buf);
2329 written += strlen(buf+written);
2333 if (written+4 > buflen)
2335 strlcat(buf+written,
":*", buflen-written);
2345 result =
tor_snprintf(buf+written, buflen-written,
":%d-%d",
2351 if (written < buflen)
2352 buf[written] =
'\0';
2356 return (
int)written;
2393 new->prt_min = new_starts;
2396 new->accepted = old->accepted;
2407 #define AT(x) ((policy_summary_item_t*)smartlist_get(summary, x))
2409 #define IPV4_BITS (32)
2411 #define REJECT_CUTOFF_SCALE_IPV4 (0)
2414 #define REJECT_CUTOFF_COUNT_IPV4 (UINT64_C(1) << \
2415 (IPV4_BITS - REJECT_CUTOFF_SCALE_IPV4 - 7))
2417 #define IPV6_BITS (128)
2419 #define REJECT_CUTOFF_SCALE_IPV6 (64)
2426 #define REJECT_CUTOFF_COUNT_IPV6 (UINT64_C(1) << \
2427 (IPV6_BITS - REJECT_CUTOFF_SCALE_IPV6 - 16))
2434 uint16_t prt_min, uint16_t prt_max)
2440 while (AT(i)->prt_max < prt_min)
2442 if (AT(i)->prt_min != prt_min) {
2450 while (AT(i)->prt_max < prt_max)
2452 if (AT(i)->prt_max != prt_max) {
2458 return start_at_index;
2465 uint16_t prt_min, uint16_t prt_max,
2468 tor_assert_nonfatal_once(family == AF_INET || family == AF_INET6);
2469 uint64_t family_reject_count = ((family == AF_INET) ?
2470 REJECT_CUTOFF_COUNT_IPV4 :
2471 REJECT_CUTOFF_COUNT_IPV6);
2474 while (i < smartlist_len(summary) &&
2475 AT(i)->prt_max <= prt_max) {
2476 if (!AT(i)->accepted &&
2477 AT(i)->reject_count <= family_reject_count)
2478 AT(i)->accepted = 1;
2481 tor_assert(i < smartlist_len(summary) || prt_max==65535);
2489 uint16_t prt_min, uint16_t prt_max,
2492 tor_assert_nonfatal_once(family == AF_INET || family == AF_INET6);
2497 int addrbits = (family == AF_INET) ? IPV4_BITS : IPV6_BITS;
2498 tor_assert_nonfatal_once(addrbits >= maskbits);
2502 int scale = ((family == AF_INET) ?
2503 REJECT_CUTOFF_SCALE_IPV4 :
2504 REJECT_CUTOFF_SCALE_IPV6);
2506 tor_assert_nonfatal_once(addrbits >= scale);
2507 if (maskbits > (addrbits - scale)) {
2508 tor_assert_nonfatal_once(family == AF_INET6);
2515 if (addrbits - scale - maskbits >= 64) {
2516 tor_assert_nonfatal_once(family == AF_INET6);
2521 count = (UINT64_C(1) << (addrbits - scale - maskbits));
2523 tor_assert_nonfatal_once(count > 0);
2524 while (i < smartlist_len(summary) &&
2525 AT(i)->prt_max <= prt_max) {
2526 if (AT(i)->reject_count <= UINT64_MAX - count) {
2527 AT(i)->reject_count += count;
2531 if (family == AF_INET) {
2532 tor_assert_nonfatal_unreached_once();
2535 AT(i)->reject_count = UINT64_MAX;
2539 tor_assert(i < smartlist_len(summary) || prt_max==65535);
2558 }
else if (p->
policy_type == ADDR_POLICY_REJECT) {
2566 &maskbits, NULL, NULL)<0) {
2597 int i, last, start_prt;
2598 size_t accepts_len, rejects_len;
2599 char *accepts_str = NULL, *rejects_str = NULL, *shorter_str, *result;
2607 if (f != AF_INET && f != AF_INET6) {
2608 log_warn(
LD_BUG,
"Weird family when summarizing address policy");
2613 } SMARTLIST_FOREACH_END(p);
2625 last = i == smartlist_len(summary)-1;
2627 AT(i)->accepted != AT(i+1)->accepted) {
2628 char buf[POLICY_BUF_LEN];
2630 if (start_prt == AT(i)->prt_max)
2633 tor_snprintf(buf,
sizeof(buf),
"%d-%d", start_prt, AT(i)->prt_max);
2635 if (AT(i)->accepted)
2643 start_prt = AT(i+1)->prt_min;
2651 if (smartlist_len(accepts) == 0) {
2652 result = tor_strdup(
"reject 1-65535");
2655 if (smartlist_len(rejects) == 0) {
2656 result = tor_strdup(
"accept 1-65535");
2666 shorter_str = accepts_str;
2670 while (*c !=
',' && c >= shorter_str)
2676 }
else if (rejects_len < accepts_len) {
2677 shorter_str = rejects_str;
2680 shorter_str = accepts_str;
2689 smartlist_free(summary);
2693 smartlist_free(accepts);
2697 smartlist_free(rejects);
2707 const char *orig_summary = summary;
2716 summary += strlen(
"accept ");
2719 summary += strlen(
"reject ");
2721 log_fn(LOG_PROTOCOL_WARN,
LD_DIR,
"Unrecognized policy summary keyword");
2726 for ( ; *summary; summary = next) {
2728 log_fn(LOG_PROTOCOL_WARN,
LD_DIR,
"Impossibly long policy summary %s",
2737 if (! TOR_ISDIGIT(*summary) || *summary ==
',') {
2753 high = (unsigned)
tor_parse_ulong(next+1, 10, low, 65535, &ok, &next);
2759 else if (*next !=
'\0')
2767 entries[n_entries].min_port = low;
2768 entries[n_entries].max_port = high;
2773 next = strchr(next,
',');
2779 if (n_entries == 0) {
2781 "Found no port-range entries in summary %s",
escaped(orig_summary));
2788 result = tor_malloc_zero(size);
2799 log_fn(LOG_PROTOCOL_WARN,
LD_DIR,
"Found bad entry in policy summary %s",
2816 if (e->min_port == e->max_port) {
2821 if (i < policy->n_entries-1)
2846 int found_match = 0;
2854 if (addr &&
get_options()->ClientRejectInternalAddresses &&
2860 if (e->min_port <= port && port <= e->max_port) {
2899 policy->
entries[0].min_port == 1 &&
2900 policy->
entries[0].max_port == 65535);
2927 }
else if (node->md) {
2950 char *policy_string = NULL;
2956 int bytes_written_to_pbuf;
2964 pbuf = tor_malloc(POLICY_BUF_LEN);
2967 if (bytes_written_to_pbuf < 0) {
2968 log_warn(
LD_BUG,
"policy_dump_to_string ran out of room!");
2974 } SMARTLIST_FOREACH_END(tmpe);
2980 smartlist_free(policy_string_list);
2982 return policy_string;
2989 const char *question,
char **answer,
2990 const char **errmsg)
2994 if (!strcmp(question,
"exit-policy/default")) {
2995 *answer = tor_strdup(DEFAULT_EXIT_POLICY);
2996 }
else if (!strcmp(question,
"exit-policy/reject-private/default")) {
3002 while (*priv != NULL) {
3013 smartlist_free(private_policy_strings);
3014 }
else if (!strcmp(question,
"exit-policy/reject-private/relay")) {
3026 *answer = tor_strdup(
"");
3045 &private_policy_list,
3047 configured_addresses,
3052 addr_policy_list_free(private_policy_list);
3054 smartlist_free(configured_addresses);
3055 }
else if (!
strcmpstart(question,
"exit-policy/")) {
3056 int include_ipv4 = 0;
3057 int include_ipv6 = 0;
3067 if (!strcmp(question,
"exit-policy/ipv4")) {
3069 }
else if (!strcmp(question,
"exit-policy/ipv6")) {
3071 }
else if (!strcmp(question,
"exit-policy/full")) {
3072 include_ipv4 = include_ipv6 = 1;
3091 smartlist_free(lst);
3105 found = HT_REMOVE(policy_map, &policy_root, &search);
3138 if (!HT_EMPTY(&policy_root)) {
3141 char buf[POLICY_BUF_LEN];
3143 log_warn(
LD_MM,
"Still had %d address policies cached at shutdown.",
3144 (
int)HT_SIZE(&policy_root));
3148 HT_FOREACH(ent, policy_map, &policy_root) {
3152 log_warn(
LD_MM,
" %d [%d]: %s", n, (*ent)->policy->refcnt, buf);
3155 HT_CLEAR(policy_map, &policy_root);
Address policy structures.
void tor_addr_copy(tor_addr_t *dest, const tor_addr_t *src)
const char * tor_addr_to_str(char *dest, const tor_addr_t *addr, size_t len, int decorate)
void tor_addr_make_null(tor_addr_t *a, sa_family_t family)
int tor_addr_is_loopback(const tor_addr_t *addr)
int tor_addr_compare_masked(const tor_addr_t *addr1, const tor_addr_t *addr2, maskbits_t mbits, tor_addr_comparison_t how)
int tor_addr_is_v4(const tor_addr_t *addr)
int tor_addr_compare(const tor_addr_t *addr1, const tor_addr_t *addr2, tor_addr_comparison_t how)
int tor_addr_is_null(const tor_addr_t *addr)
int tor_addr_is_multicast(const tor_addr_t *a)
int tor_addr_parse_mask_ports(const char *s, unsigned flags, tor_addr_t *addr_out, maskbits_t *maskbits_out, uint16_t *port_min_out, uint16_t *port_max_out)
smartlist_t * get_interface_address6_list(int severity, sa_family_t family, int include_internal)
void tor_addr_copy_tight(tor_addr_t *dest, const tor_addr_t *src)
void tor_addr_from_ipv6_bytes(tor_addr_t *dest, const uint8_t *ipv6_bytes)
static sa_family_t tor_addr_family(const tor_addr_t *a)
static uint32_t tor_addr_to_ipv4h(const tor_addr_t *a)
#define tor_addr_from_ipv4h(dest, v4addr)
Header file for circuitbuild.c.
const smartlist_t * get_configured_ports(void)
const or_options_t * get_options(void)
Header file for config.c.
Common functions for using (pseudo-)random number generators.
Trusted/fallback directory server structure.
const char * escaped(const char *s)
const char * geoip_get_country_name(country_t num)
int geoip_get_country_by_addr(const tor_addr_t *addr)
HT_PROTOTYPE(hs_circuitmap_ht, circuit_t, hs_circuitmap_node, hs_circuit_hash_token, hs_circuits_have_same_token)
typedef HT_HEAD(hs_service_ht, hs_service_t) hs_service_ht
#define log_fn(severity, domain, args,...)
void tor_free_(void *mem)
void * tor_reallocarray_(void *ptr, size_t sz1, size_t sz2)
Header file for microdesc.c.
Microdescriptor structure.
Header file for networkstatus.c.
Node information structure.
void node_get_prim_orport(const node_t *node, tor_addr_port_t *ap_out)
void node_get_prim_dirport(const node_t *node, tor_addr_port_t *ap_out)
int node_ipv6_dir_preferred(const node_t *node)
void node_get_pref_ipv6_dirport(const node_t *node, tor_addr_port_t *ap_out)
const node_t * node_get_by_id(const char *identity_digest)
int node_ipv6_or_preferred(const node_t *node)
void node_get_pref_ipv6_orport(const node_t *node, tor_addr_port_t *ap_out)
Header file for nodelist.c.
Master header file for Tor-specific functionality.
unsigned long tor_parse_ulong(const char *s, int base, unsigned long min, unsigned long max, int *ok, char **next)
void addr_policy_append_reject_addr(smartlist_t **dest, const tor_addr_t *addr)
static smartlist_t * metrics_policy
void addr_policy_free_(addr_policy_t *p)
int addr_policies_eq(const smartlist_t *a, const smartlist_t *b)
static int addr_policy_permits_tor_addr(const tor_addr_t *addr, uint16_t port, smartlist_t *policy)
static int addr_policy_intersects(addr_policy_t *a, addr_policy_t *b)
static int addr_policy_covers(addr_policy_t *a, addr_policy_t *b)
int reachable_addr_prefer_ipv6_dirport(const or_options_t *options)
static smartlist_t * dir_policy
int policies_parse_exit_policy_from_options(const or_options_t *or_options, const tor_addr_t *ipv4_local_address, const tor_addr_t *ipv6_local_address, smartlist_t **result)
static int parse_reachable_addresses(void)
static int exit_policy_is_general_exit_helper(smartlist_t *policy, int port)
static int single_addr_policy_eq(const addr_policy_t *a, const addr_policy_t *b)
#define MAX_EXITPOLICY_SUMMARY_LEN
static smartlist_t * authdir_invalid_policy
static int reachable_addr_prefer_ipv6_impl(const or_options_t *options)
static void policy_summary_add_item(smartlist_t *summary, addr_policy_t *p)
int reachable_addr_prefer_ipv6_orport(const or_options_t *options)
static smartlist_t * authdir_middleonly_policy
void policy_expand_private(smartlist_t **policy)
static const char * private_nets[]
int reachable_addr_allows_rs(const routerstatus_t *rs, firewall_connection_t fw_connection, int pref_only)
static smartlist_t * policy_summary_create(void)
int firewall_is_fascist_or(void)
int metrics_policy_permits_address(const tor_addr_t *addr)
STATIC int reachable_addr_allows(const tor_addr_t *addr, uint16_t port, smartlist_t *firewall_policy, int pref_only, int pref_ipv6)
void policies_parse_exit_policy_reject_private(smartlist_t **dest, int ipv6_exit, const smartlist_t *configured_addresses, int reject_interface_addresses, int reject_configured_port_addresses)
static void policy_summary_accept(smartlist_t *summary, uint16_t prt_min, uint16_t prt_max, sa_family_t family)
short_policy_t * parse_short_policy(const char *summary)
static int reachable_addr_allows_md_impl(const microdesc_t *md, firewall_connection_t fw_connection, int pref_only, int pref_ipv6)
void addr_policy_append_reject_addr_list(smartlist_t **dest, const smartlist_t *addrs)
static int reachable_addr_allows_rs_impl(const routerstatus_t *rs, firewall_connection_t fw_connection, int pref_only, int pref_ipv6)
static const tor_addr_port_t * reachable_addr_choose_impl(const tor_addr_port_t *a, const tor_addr_port_t *b, int want_a, firewall_connection_t fw_connection, int pref_only, int pref_ipv6)
static void policies_copy_outbound_addresses_to_smartlist(smartlist_t *addr_list, const or_options_t *or_options)
static int addr_is_in_cc_list(const tor_addr_t *addr, const smartlist_t *cc_list)
int reachable_addr_allows_addr(const tor_addr_t *addr, uint16_t port, firewall_connection_t fw_connection, int pref_only, int pref_ipv6)
void reachable_addr_choose_from_node(const node_t *node, firewall_connection_t fw_connection, int pref_only, tor_addr_port_t *ap)
void reachable_addr_choose_from_dir_server(const dir_server_t *ds, firewall_connection_t fw_connection, int pref_only, tor_addr_port_t *ap)
char * policy_dump_to_string(const smartlist_t *policy_list, int include_ipv4, int include_ipv6)
int reachable_addr_allows_node(const node_t *node, firewall_connection_t fw_connection, int pref_only)
static void exit_policy_remove_redundancies(smartlist_t *dest)
static void policy_summary_reject(smartlist_t *summary, maskbits_t maskbits, uint16_t prt_min, uint16_t prt_max, sa_family_t family)
static void addr_policy_append_reject_addr_list_filter(smartlist_t **dest, const smartlist_t *addrs, int ipv4_rules, int ipv6_rules)
int getinfo_helper_policies(control_connection_t *conn, const char *question, char **answer, const char **errmsg)
void reachable_addr_choose_from_ls(const smartlist_t *lspecs, int pref_only, tor_addr_port_t *ap)
STATIC void append_exit_policy_string(smartlist_t **policy, const char *more)
void reachable_addr_choose_from_rs(const routerstatus_t *rs, firewall_connection_t fw_connection, int pref_only, tor_addr_port_t *ap)
static addr_policy_result_t compare_known_tor_addr_to_addr_policy_noport(const tor_addr_t *addr, const smartlist_t *policy)
int policies_parse_from_options(const or_options_t *options)
int authdir_policy_badexit_address(const tor_addr_t *addr, uint16_t port)
int reachable_addr_allows_dir_server(const dir_server_t *ds, firewall_connection_t fw_connection, int pref_only)
static void policies_log_first_redundant_entry(const smartlist_t *policy)
void policies_set_node_exitpolicy_to_reject_all(node_t *node)
static policy_summary_item_t * policy_summary_item_split(policy_summary_item_t *old, uint16_t new_starts)
static smartlist_t * reachable_or_addr_policy
static int load_policy_from_option(config_line_t *config, const char *option_name, smartlist_t **policy, int assume_action)
addr_policy_result_t compare_tor_addr_to_addr_policy(const tor_addr_t *addr, uint16_t port, const smartlist_t *policy)
char * write_short_policy(const short_policy_t *policy)
static addr_policy_result_t compare_unknown_tor_addr_to_addr_policy(uint16_t port, const smartlist_t *policy)
int policies_parse_exit_policy(config_line_t *cfg, smartlist_t **dest, exit_policy_parser_cfg_t options, const smartlist_t *configured_addresses)
static smartlist_t * reachable_dir_addr_policy
static int policy_using_default_exit_options(const or_options_t *or_options)
static addr_policy_result_t compare_known_tor_addr_to_addr_policy(const tor_addr_t *addr, uint16_t port, const smartlist_t *policy)
int reachable_addr_use_ipv6(const or_options_t *options)
addr_policy_result_t compare_tor_addr_to_short_policy(const tor_addr_t *addr, uint16_t port, const short_policy_t *policy)
int firewall_is_fascist_dir(void)
static smartlist_t * authdir_badexit_policy
static unsigned int policy_hash(const policy_map_ent_t *ent)
int dir_policy_permits_address(const tor_addr_t *addr)
void policy_expand_unspec(smartlist_t **policy)
addr_policy_t * addr_policy_get_canonical_entry(addr_policy_t *e)
int authdir_policy_permits_address(const tor_addr_t *addr, uint16_t port)
void policies_free_all(void)
void addr_policy_list_free_(smartlist_t *lst)
void short_policy_free_(short_policy_t *policy)
static smartlist_t * socks_policy
static int reachable_addr_allows_ri_impl(const routerinfo_t *ri, firewall_connection_t fw_connection, int pref_only, int pref_ipv6)
int validate_addr_policies(const or_options_t *options, char **msg)
int authdir_policy_middleonly_address(const tor_addr_t *addr, uint16_t port)
int socks_policy_permits_address(const tor_addr_t *addr)
static void policies_copy_addr_to_smartlist(smartlist_t *addr_list, const tor_addr_t *addr)
STATIC const tor_addr_port_t * reachable_addr_choose(const tor_addr_port_t *a, const tor_addr_port_t *b, int want_a, firewall_connection_t fw_connection, int pref_only, int pref_ipv6)
int policy_is_reject_star(const smartlist_t *policy, sa_family_t family, int default_reject)
static smartlist_t * authdir_reject_policy
addr_policy_result_t compare_tor_addr_to_node_policy(const tor_addr_t *addr, uint16_t port, const node_t *node)
int authdir_policy_valid_address(const tor_addr_t *addr, uint16_t port)
static void reachable_addr_choose_base(const tor_addr_t *ipv4_addr, uint16_t ipv4_orport, uint16_t ipv4_dirport, const tor_addr_t *ipv6_addr, uint16_t ipv6_orport, uint16_t ipv6_dirport, firewall_connection_t fw_connection, int pref_only, int pref_ipv6, tor_addr_port_t *ap)
static int policies_parse_exit_policy_internal(config_line_t *cfg, smartlist_t **dest, int ipv6_exit, int rejectprivate, const smartlist_t *configured_addresses, int reject_interface_addresses, int reject_configured_port_addresses, int add_default_policy, int add_reduced_policy)
int short_policy_is_reject_star(const short_policy_t *policy)
static int policy_summary_split(smartlist_t *summary, uint16_t prt_min, uint16_t prt_max)
static int parse_metrics_port_policy(const or_options_t *options)
static int reachable_addr_allows_base(const tor_addr_t *ipv4_addr, uint16_t ipv4_orport, uint16_t ipv4_dirport, const tor_addr_t *ipv6_addr, uint16_t ipv6_orport, uint16_t ipv6_dirport, firewall_connection_t fw_connection, int pref_only, int pref_ipv6)
int exit_policy_is_general_exit(smartlist_t *policy)
char * policy_summarize(smartlist_t *policy, sa_family_t family)
static int parse_addr_policy(config_line_t *cfg, smartlist_t **dest, int assume_action)
void policies_exit_policy_append_reject_star(smartlist_t **dest)
int policy_write_item(char *buf, size_t buflen, const addr_policy_t *policy, int format_for_desc)
static int reachable_addr_allows_ap(const tor_addr_port_t *ap, firewall_connection_t fw_connection, int pref_only, int pref_ipv6)
Header file for policies.c.
@ ADDR_POLICY_PROBABLY_ACCEPTED
@ ADDR_POLICY_PROBABLY_REJECTED
addr_policy_t * router_parse_addr_policy_item_from_string(const char *s, int assume_action, int *malformed_list)
Header file for policy_parse.c.
Listener port configuration structure.
int tor_asprintf(char **strp, const char *fmt,...)
int tor_snprintf(char *str, size_t size, const char *format,...)
const char * routerinfo_err_to_string(int err)
const routerinfo_t * router_get_my_routerinfo_with_err(int *err)
char * router_dump_exit_policy_to_string(const routerinfo_t *router, int include_ipv4, int include_ipv6)
int routerinfo_err_is_transient(int err)
Header file for router.c.
Router descriptor structure.
int public_server_mode(const or_options_t *options)
int server_mode(const or_options_t *options)
Header file for routermode.c.
Routerstatus (consensus entry) structure.
int smartlist_contains_string_case(const smartlist_t *sl, const char *element)
void smartlist_add_asprintf(struct smartlist_t *sl, const char *pattern,...)
char * smartlist_join_strings(smartlist_t *sl, const char *join, int terminate, size_t *len_out)
void smartlist_insert(smartlist_t *sl, int idx, void *val)
void smartlist_add_all(smartlist_t *s1, const smartlist_t *s2)
smartlist_t * smartlist_new(void)
void smartlist_add_strdup(struct smartlist_t *sl, const char *string)
void smartlist_add(smartlist_t *sl, void *element)
void smartlist_clear(smartlist_t *sl)
void smartlist_del_keeporder(smartlist_t *sl, int idx)
#define SMARTLIST_REPLACE_CURRENT(sl, var, val)
#define SMARTLIST_FOREACH_BEGIN(sl, type, var)
#define SMARTLIST_FOREACH(sl, type, var, cmd)
int smartlist_split_string(smartlist_t *sl, const char *str, const char *sep, int flags, int max)
addr_policy_action_bitfield_t policy_type
unsigned int is_canonical
routerstatus_t fake_status
struct short_policy_t * exit_policy
struct short_policy_t * ipv6_exit_policy
struct config_line_t * AuthDirInvalid
int ClientPreferIPv6DirPort
struct config_line_t * AuthDirReject
int ExitPolicyRejectPrivate
struct config_line_t * AuthDirMiddleOnly
struct config_line_t * MetricsPortPolicy
int ClientPreferIPv6ORPort
struct config_line_t * SocksPolicy
struct config_line_t * ReachableORAddresses
struct config_line_t * ReachableDirAddresses
tor_addr_t OutboundBindAddresses[OUTBOUND_ADDR_MAX][2]
int ExitPolicyRejectLocalInterfaces
struct config_line_t * DirPolicy
struct config_line_t * ExitPolicy
struct config_line_t * ReachableAddresses
struct config_line_t * AuthDirBadExit
smartlist_t * exit_policy
struct short_policy_t * ipv6_exit_policy
char identity_digest[DIGEST_LEN]
short_policy_entry_t entries[FLEXIBLE_ARRAY_MEMBER]
#define MOCK_IMPL(rv, funcname, arglist)
int strcmpstart(const char *s1, const char *s2)