policies.h (9109B)
1 /* Copyright (c) 2001 Matej Pfajfar. 2 * Copyright (c) 2001-2004, Roger Dingledine. 3 * Copyright (c) 2004-2006, Roger Dingledine, Nick Mathewson. 4 * Copyright (c) 2007-2021, The Tor Project, Inc. */ 5 /* See LICENSE for licensing information */ 6 7 /** 8 * \file policies.h 9 * \brief Header file for policies.c. 10 **/ 11 12 #ifndef TOR_POLICIES_H 13 #define TOR_POLICIES_H 14 15 /* (length of 16 * "accept6 [ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff]/128:65535-65535\n" 17 * plus a terminating NUL, rounded up to a nice number.) 18 */ 19 #define POLICY_BUF_LEN 72 20 21 #define EXIT_POLICY_IPV6_ENABLED (1 << 0) 22 #define EXIT_POLICY_REJECT_PRIVATE (1 << 1) 23 #define EXIT_POLICY_ADD_DEFAULT (1 << 2) 24 #define EXIT_POLICY_REJECT_LOCAL_INTERFACES (1 << 3) 25 #define EXIT_POLICY_ADD_REDUCED (1 << 4) 26 #define EXIT_POLICY_OPTION_MAX EXIT_POLICY_ADD_REDUCED 27 /* All options set: used for unit testing */ 28 #define EXIT_POLICY_OPTION_ALL ((EXIT_POLICY_OPTION_MAX << 1) - 1) 29 30 typedef enum firewall_connection_t { 31 FIREWALL_OR_CONNECTION = 0, 32 FIREWALL_DIR_CONNECTION = 1 33 } firewall_connection_t; 34 35 typedef int exit_policy_parser_cfg_t; 36 37 /** Outcome of applying an address policy to an address. */ 38 typedef enum { 39 /** The address was accepted */ 40 ADDR_POLICY_ACCEPTED=0, 41 /** The address was rejected */ 42 ADDR_POLICY_REJECTED=-1, 43 /** Part of the address was unknown, but as far as we can tell, it was 44 * accepted. */ 45 ADDR_POLICY_PROBABLY_ACCEPTED=1, 46 /** Part of the address was unknown, but as far as we can tell, it was 47 * rejected. */ 48 ADDR_POLICY_PROBABLY_REJECTED=2, 49 } addr_policy_result_t; 50 51 /** A single entry in a parsed policy summary, describing a range of ports. */ 52 typedef struct short_policy_entry_t { 53 uint16_t min_port, max_port; 54 } short_policy_entry_t; 55 56 /** A short_poliy_t is the parsed version of a policy summary. */ 57 typedef struct short_policy_t { 58 /** True if the members of 'entries' are port ranges to accept; false if 59 * they are port ranges to reject */ 60 unsigned int is_accept : 1; 61 /** The actual number of values in 'entries'. */ 62 unsigned int n_entries : 31; 63 /** An array of 0 or more short_policy_entry_t values, each describing a 64 * range of ports that this policy accepts or rejects (depending on the 65 * value of is_accept). 66 */ 67 short_policy_entry_t entries[FLEXIBLE_ARRAY_MEMBER]; 68 } short_policy_t; 69 70 int firewall_is_fascist_or(void); 71 int firewall_is_fascist_dir(void); 72 int reachable_addr_use_ipv6(const or_options_t *options); 73 int reachable_addr_prefer_ipv6_orport(const or_options_t *options); 74 int reachable_addr_prefer_ipv6_dirport(const or_options_t *options); 75 76 int reachable_addr_allows_addr(const tor_addr_t *addr, 77 uint16_t port, 78 firewall_connection_t fw_connection, 79 int pref_only, int pref_ipv6); 80 81 int reachable_addr_allows_rs(const routerstatus_t *rs, 82 firewall_connection_t fw_connection, 83 int pref_only); 84 int reachable_addr_allows_node(const node_t *node, 85 firewall_connection_t fw_connection, 86 int pref_only); 87 int reachable_addr_allows_dir_server(const dir_server_t *ds, 88 firewall_connection_t fw_connection, 89 int pref_only); 90 91 void reachable_addr_choose_from_rs(const routerstatus_t *rs, 92 firewall_connection_t fw_connection, 93 int pref_only, tor_addr_port_t* ap); 94 void reachable_addr_choose_from_ls(const smartlist_t *lspecs, 95 int pref_only, tor_addr_port_t* ap); 96 void reachable_addr_choose_from_node(const node_t *node, 97 firewall_connection_t fw_connection, 98 int pref_only, tor_addr_port_t* ap); 99 void reachable_addr_choose_from_dir_server(const dir_server_t *ds, 100 firewall_connection_t fw_connection, 101 int pref_only, tor_addr_port_t* ap); 102 103 int dir_policy_permits_address(const tor_addr_t *addr); 104 int socks_policy_permits_address(const tor_addr_t *addr); 105 int metrics_policy_permits_address(const tor_addr_t *addr); 106 int authdir_policy_permits_address(const tor_addr_t *addr, uint16_t port); 107 int authdir_policy_valid_address(const tor_addr_t *addr, uint16_t port); 108 int authdir_policy_badexit_address(const tor_addr_t *addr, uint16_t port); 109 int authdir_policy_middleonly_address(const tor_addr_t *addr, uint16_t port); 110 111 int policy_using_default_exit_options(const or_options_t *or_options); 112 int validate_addr_policies(const or_options_t *options, char **msg); 113 void policy_expand_private(smartlist_t **policy); 114 void policy_expand_unspec(smartlist_t **policy); 115 int policies_parse_from_options(const or_options_t *options); 116 117 addr_policy_t *addr_policy_get_canonical_entry(addr_policy_t *ent); 118 int addr_policies_eq(const smartlist_t *a, const smartlist_t *b); 119 MOCK_DECL(addr_policy_result_t, compare_tor_addr_to_addr_policy, 120 (const tor_addr_t *addr, uint16_t port, const smartlist_t *policy)); 121 addr_policy_result_t compare_tor_addr_to_node_policy(const tor_addr_t *addr, 122 uint16_t port, const node_t *node); 123 124 int policies_parse_exit_policy_from_options( 125 const or_options_t *or_options, 126 const tor_addr_t *ipv4_local_address, 127 const tor_addr_t *ipv6_local_address, 128 smartlist_t **result); 129 struct config_line_t; 130 int policies_parse_exit_policy(struct config_line_t *cfg, smartlist_t **dest, 131 exit_policy_parser_cfg_t options, 132 const smartlist_t *configured_addresses); 133 void policies_parse_exit_policy_reject_private( 134 smartlist_t **dest, 135 int ipv6_exit, 136 const smartlist_t *configured_addresses, 137 int reject_interface_addresses, 138 int reject_configured_port_addresses); 139 void policies_exit_policy_append_reject_star(smartlist_t **dest); 140 void addr_policy_append_reject_addr(smartlist_t **dest, 141 const tor_addr_t *addr); 142 void addr_policy_append_reject_addr_list(smartlist_t **dest, 143 const smartlist_t *addrs); 144 void policies_set_node_exitpolicy_to_reject_all(node_t *exitrouter); 145 int exit_policy_is_general_exit(smartlist_t *policy); 146 int policy_is_reject_star(const smartlist_t *policy, sa_family_t family, 147 int reject_by_default); 148 char * policy_dump_to_string(const smartlist_t *policy_list, 149 int include_ipv4, 150 int include_ipv6); 151 int getinfo_helper_policies(control_connection_t *conn, 152 const char *question, char **answer, 153 const char **errmsg); 154 int policy_write_item(char *buf, size_t buflen, const addr_policy_t *item, 155 int format_for_desc); 156 157 void addr_policy_list_free_(smartlist_t *p); 158 #define addr_policy_list_free(lst) \ 159 FREE_AND_NULL(smartlist_t, addr_policy_list_free_, (lst)) 160 void addr_policy_free_(addr_policy_t *p); 161 #define addr_policy_free(p) \ 162 FREE_AND_NULL(addr_policy_t, addr_policy_free_, (p)) 163 void policies_free_all(void); 164 165 char *policy_summarize(smartlist_t *policy, sa_family_t family); 166 167 short_policy_t *parse_short_policy(const char *summary); 168 char *write_short_policy(const short_policy_t *policy); 169 void short_policy_free_(short_policy_t *policy); 170 #define short_policy_free(p) \ 171 FREE_AND_NULL(short_policy_t, short_policy_free_, (p)) 172 int short_policy_is_reject_star(const short_policy_t *policy); 173 addr_policy_result_t compare_tor_addr_to_short_policy( 174 const tor_addr_t *addr, uint16_t port, 175 const short_policy_t *policy); 176 177 #ifdef POLICIES_PRIVATE 178 STATIC void append_exit_policy_string(smartlist_t **policy, const char *more); 179 STATIC int reachable_addr_allows(const tor_addr_t *addr, 180 uint16_t port, 181 smartlist_t *firewall_policy, 182 int pref_only, int pref_ipv6); 183 STATIC const tor_addr_port_t * reachable_addr_choose( 184 const tor_addr_port_t *a, 185 const tor_addr_port_t *b, 186 int want_a, 187 firewall_connection_t fw_connection, 188 int pref_only, int pref_ipv6); 189 190 #endif /* defined(POLICIES_PRIVATE) */ 191 192 #endif /* !defined(TOR_POLICIES_H) */