/* Copyright (c) 2001 Matej Pfajfar.
* Copyright (c) 2001-2004, Roger Dingledine.
* Copyright (c) 2004-2006, Roger Dingledine, Nick Mathewson.
* Copyright (c) 2007-2016, The Tor Project, Inc. */
/* See LICENSE for licensing information */
/**
* \file policies.h
* \brief Header file for policies.c.
**/
#ifndef TOR_POLICIES_H
#define TOR_POLICIES_H
/* (length of
 * "accept6 [ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff]/128:65535-65535\n"
 * plus a terminating NUL, rounded up to a nice number.)
 *
 * That longest single entry is 66 characters, 67 with the NUL, so 72 leaves
 * a little slack. Presumably this is the intended size for the <b>buf</b>
 * passed to policy_write_item() below; whatever buffer a caller uses, the
 * <b>buflen</b> it passes must never exceed the real allocation.
 */
#define POLICY_BUF_LEN 72
/* Bit flags, presumably combined with bitwise OR into the
 * exit_policy_parser_cfg_t <b>options</b> argument of
 * policies_parse_exit_policy(). Meanings are inferred from the names;
 * policies.c is authoritative. */

/** Also handle IPv6 (accept6/reject6) entries. */
#define EXIT_POLICY_IPV6_ENABLED (1 << 0)
/** Reject private/local address ranges ahead of the configured rules. */
#define EXIT_POLICY_REJECT_PRIVATE (1 << 1)
/** Append the default exit policy after the configured rules. */
#define EXIT_POLICY_ADD_DEFAULT (1 << 2)
/** Kind of connection a reachability check is being made for. Passed as the
 * <b>fw_connection</b> argument of the fascist_firewall_*() functions
 * declared below. */
typedef enum firewall_connection_t {
  /** An OR (relay-to-relay / client-to-relay) connection. */
  FIREWALL_OR_CONNECTION = 0,
  /** A directory connection. */
  FIREWALL_DIR_CONNECTION = 1
} firewall_connection_t;
typedef int exit_policy_parser_cfg_t;
/* Firewall-configuration predicates. Descriptions are inferred from the
 * declarations; policies.c is authoritative. */

/** Return true iff the configured firewall rules restrict which OR ports
 * we may connect to. */
int firewall_is_fascist_or(void);
/** Return true iff the configured firewall rules restrict which directory
 * ports we may connect to. */
int firewall_is_fascist_dir(void);
/** Return true iff <b>options</b> allow IPv6 addresses for outgoing
 * connections. */
int fascist_firewall_use_ipv6(const or_options_t *options);
/** Return true iff <b>options</b> say to prefer an IPv6 ORPort when both
 * address families are available. */
int fascist_firewall_prefer_ipv6_orport(const or_options_t *options);
/** As fascist_firewall_prefer_ipv6_orport(), but for DirPorts. */
int fascist_firewall_prefer_ipv6_dirport(const or_options_t *options);
/** Return true iff the current firewall configuration lets us connect to
 * <b>addr</b>:<b>port</b> for a connection of kind <b>fw_connection</b>.
 * <b>pref_only</b> and <b>pref_ipv6</b> presumably restrict the answer to the
 * preferred address family (and say which one it is) -- semantics inferred
 * from the signature; see policies.c. */
int fascist_firewall_allows_address_addr(const tor_addr_t *addr,
                                         uint16_t port,
                                         firewall_connection_t fw_connection,
                                         int pref_only, int pref_ipv6);
/* Reachability checks on whole relay/directory-server records. Descriptions
 * are inferred from the declarations; policies.c is authoritative. */

/** Return true iff some address of the routerstatus <b>rs</b> is reachable
 * for a connection of kind <b>fw_connection</b> under the firewall rules;
 * nonzero <b>pref_only</b> presumably limits the check to the preferred
 * address family. */
int fascist_firewall_allows_rs(const routerstatus_t *rs,
                               firewall_connection_t fw_connection,
                               int pref_only);
/** As fascist_firewall_allows_rs(), but for a node_t. */
int fascist_firewall_allows_node(const node_t *node,
                                 firewall_connection_t fw_connection,
                                 int pref_only);
/** As fascist_firewall_allows_rs(), but for a configured directory
 * server. */
int fascist_firewall_allows_dir_server(const dir_server_t *ds,
                                       firewall_connection_t fw_connection,
                                       int pref_only);
/* Address selection under firewall constraints. Each function fills in the
 * caller-supplied <b>ap</b> and returns an int; the exact success/failure
 * contract is not visible here (see policies.c), so callers should check
 * the return value before trusting <b>*ap</b>. */

/** Choose a reachable address/port of routerstatus <b>rs</b> for a
 * <b>fw_connection</b> connection and store it in <b>*ap</b>. */
int fascist_firewall_choose_address_rs(const routerstatus_t *rs,
                                       firewall_connection_t fw_connection,
                                       int pref_only, tor_addr_port_t* ap);
/** As fascist_firewall_choose_address_rs(), but for a node_t. */
int fascist_firewall_choose_address_node(const node_t *node,
                                         firewall_connection_t fw_connection,
                                         int pref_only, tor_addr_port_t* ap);
/** As fascist_firewall_choose_address_rs(), but for a configured directory
 * server. */
int fascist_firewall_choose_address_dir_server(const dir_server_t *ds,
                                       firewall_connection_t fw_connection,
                                       int pref_only, tor_addr_port_t* ap);
/* Access-control predicates driven by configured policies. Descriptions are
 * inferred from the names; policies.c is authoritative. */

/** Return true iff the directory-request policy permits requests from
 * <b>addr</b>. */
int dir_policy_permits_address(const tor_addr_t *addr);
/** Return true iff the SOCKS policy permits a client connecting from
 * <b>addr</b>. */
int socks_policy_permits_address(const tor_addr_t *addr);

/* NOTE(review): the three authority-side checks below take a plain
 * uint32_t <b>addr</b> rather than a tor_addr_t, so as declared they can
 * only ever be applied to IPv4 addresses; the byte order expected is not
 * visible here -- check the callers in policies.c before adding new ones. */

/** Return true iff the authority's address policy permits a relay at
 * <b>addr</b>:<b>port</b>. */
int authdir_policy_permits_address(uint32_t addr, uint16_t port);
/** Return true iff the authority would mark a relay at
 * <b>addr</b>:<b>port</b> as Valid. */
int authdir_policy_valid_address(uint32_t addr, uint16_t port);
/** Return true iff the authority would mark a relay at
 * <b>addr</b>:<b>port</b> as BadExit. */
int authdir_policy_badexit_address(uint32_t addr, uint16_t port);
/** Validate the address policies in <b>options</b>. The int return and the
 * <b>msg</b> out-parameter suggest an error string is handed back on
 * failure; whether it is allocated (and who frees it) is not visible here --
 * see policies.c. */
int validate_addr_policies(const or_options_t *options, char **msg);
/** Expand "private" entries in <b>*policy</b>. Takes a pointer to the list
 * pointer, so presumably the list may be replaced in place. */
void policy_expand_private(smartlist_t **policy);
/** Expand address-family-unspecified entries in <b>*policy</b>; same
 * in-place-replacement caveat as policy_expand_private(). */
void policy_expand_unspec(smartlist_t **policy);
/** Parse every policy found in <b>options</b> into the module's global
 * policy state. Return convention not visible here; see policies.c. */
int policies_parse_from_options(const or_options_t *options);
/** Return a canonical (presumably shared/interned) addr_policy_t equal to
 * <b>ent</b>. Ownership of the returned pointer is not visible here; see
 * policies.c. */
addr_policy_t *addr_policy_get_canonical_entry(addr_policy_t *ent);
/** Compare two policy lists; presumably returns 0 iff they are equal. */
int cmp_addr_policies(smartlist_t *a, smartlist_t *b);
/** Decide whether <b>policy</b> accepts or rejects a connection to
 * <b>addr</b>:<b>port</b>. Declared via MOCK_DECL so tests can substitute
 * an implementation. */
MOCK_DECL(addr_policy_result_t, compare_tor_addr_to_addr_policy,
          (const tor_addr_t *addr, uint16_t port, const smartlist_t *policy));
/** Decide whether the exit policy of <b>node</b> accepts or rejects a
 * connection to <b>addr</b>:<b>port</b>. Presumably dispatches on whichever
 * descriptor form the node carries; see policies.c. */
addr_policy_result_t compare_tor_addr_to_node_policy(const tor_addr_t *addr,
                                                     uint16_t port,
                                                     const node_t *node);
/** Build the exit policy described by <b>or_options</b>, storing the
 * resulting list in <b>*result</b>. Note the asymmetry in the signature:
 * the IPv4 local address is a raw uint32_t (byte order not visible here),
 * while the IPv6 one is a tor_addr_t pointer. Return convention not visible
 * here; see policies.c. */
int policies_parse_exit_policy_from_options(
                                          const or_options_t *or_options,
                                          uint32_t local_address,
                                          const tor_addr_t *ipv6_local_address,
                                          smartlist_t **result);
/** Parse the ExitPolicy lines <b>cfg</b> into <b>*dest</b>, honoring the
 * EXIT_POLICY_* bits in <b>options</b>. <b>configured_addresses</b> is
 * presumably the list of this relay's own addresses, used when private
 * addresses are rejected. Return convention not visible here; see
 * policies.c. */
int policies_parse_exit_policy(config_line_t *cfg, smartlist_t **dest,
                               exit_policy_parser_cfg_t options,
                               const smartlist_t *configured_addresses);
/** Add "reject private" style rules to <b>*dest</b>. The flag arguments
 * (inferred from their names; see policies.c) select whether IPv6 rules are
 * added (<b>ipv6_exit</b>), whether local interface addresses are rejected
 * (<b>reject_interface_addresses</b>) and whether the addresses of
 * configured ports are rejected (<b>reject_configured_port_addresses</b>);
 * <b>configured_addresses</b> presumably supplies the latter. */
void policies_parse_exit_policy_reject_private(
                                      smartlist_t **dest,
                                      int ipv6_exit,
                                      const smartlist_t *configured_addresses,
                                      int reject_interface_addresses,
                                      int reject_configured_port_addresses);
/* Helpers that append reject rules to a policy list. Each takes a pointer to
 * the list pointer, so the list may presumably be created on first use. */

/** Append a catch-all "reject *:*" rule to <b>*dest</b>. */
void policies_exit_policy_append_reject_star(smartlist_t **dest);
/** Append a rule rejecting the single address <b>addr</b> to
 * <b>*dest</b>. */
void addr_policy_append_reject_addr(smartlist_t **dest,
                                    const tor_addr_t *addr);
/** Append a reject rule for every address in <b>addrs</b> to
 * <b>*dest</b>. */
void addr_policy_append_reject_addr_list(smartlist_t **dest,
                                         const smartlist_t *addrs);
/** Mark <b>exitrouter</b> as refusing every exit connection (its node_t is
 * mutated, hence the non-const pointer). */
void policies_set_node_exitpolicy_to_reject_all(node_t *exitrouter);
/** Return true iff <b>policy</b> permits enough exiting to count as a
 * general-purpose exit; the exact threshold lives in policies.c. */
int exit_policy_is_general_exit(smartlist_t *policy);
/** Return true iff <b>policy</b> rejects everything for address family
 * <b>family</b> (AF_INET or AF_INET6). */
int policy_is_reject_star(const smartlist_t *policy, sa_family_t family);
/** Render <b>policy_list</b> as text, including IPv4 and/or IPv6 entries
 * according to <b>include_ipv4</b> / <b>include_ipv6</b>. The returned
 * string is presumably heap-allocated and owned by the caller -- confirm in
 * policies.c. */
char * policy_dump_to_string(const smartlist_t *policy_list,
                             int include_ipv4,
                             int include_ipv6);
/** Control-port GETINFO handler for policy-related <b>question</b>s,
 * answering on <b>conn</b> by setting <b>*answer</b> (and <b>*errmsg</b> on
 * failure). <b>question</b> comes from the controller, i.e. from outside
 * this process; the matching and return convention live in policies.c. */
int getinfo_helper_policies(control_connection_t *conn,
                            const char *question, char **answer,
                            const char **errmsg);
/** Write the single policy entry <b>item</b> as text into <b>buf</b>, which
 * holds <b>buflen</b> bytes; <b>format_for_desc</b> selects the
 * descriptor-style rendering. POLICY_BUF_LEN above is sized for the longest
 * possible entry. The caller must ensure <b>buflen</b> does not exceed the
 * real size of <b>buf</b>, and should check the int return before using the
 * result, since the truncation/failure convention is not visible here. */
int policy_write_item(char *buf, size_t buflen, const addr_policy_t *item,
                      int format_for_desc);
/** Free the policy list <b>p</b> and (presumably) every entry in it. */
void addr_policy_list_free(smartlist_t *p);
/** Release one addr_policy_t. Given addr_policy_get_canonical_entry() above,
 * entries may be shared, so check policies.c for the refcount rules before
 * freeing an entry obtained from another list. */
void addr_policy_free(addr_policy_t *p);
/** Free all policy state owned by this module (shutdown helper). */
void policies_free_all(void);
char *policy_summarize(smartlist_t *policy, sa_family_t family);
/* Short (summary) policies. */

/** Parse the summary string <b>summary</b> into a newly allocated
 * short_policy_t. Summary strings are typically parsed out of documents
 * received from the network, so callers must treat the input as untrusted
 * and be prepared for a NULL return on malformed input -- confirm the exact
 * failure contract in policies.c. */
short_policy_t *parse_short_policy(const char *summary);
/** Render <b>policy</b> back into summary-string form; the result is
 * presumably heap-allocated and owned by the caller. */
char *write_short_policy(const short_policy_t *policy);
/** Free <b>policy</b>. */
void short_policy_free(short_policy_t *policy);
/** Return true iff <b>policy</b> rejects every port. */
int short_policy_is_reject_star(const short_policy_t *policy);
/** Decide whether the short policy <b>policy</b> accepts or rejects a
 * connection to <b>addr</b>:<b>port</b>. */
addr_policy_result_t compare_tor_addr_to_short_policy(
                          const tor_addr_t *addr, uint16_t port,
                          const short_policy_t *policy);
/* Internal helpers exposed only when POLICIES_PRIVATE is defined (the unit
 * tests); STATIC presumably expands to `static` otherwise. Not part of the
 * public interface. */
#ifdef POLICIES_PRIVATE
/** Parse the policy text <b>more</b> and append its entries to
 * <b>*policy</b>. */
STATIC void append_exit_policy_string(smartlist_t **policy, const char *more);
/** Core of the reachability check: return true iff <b>firewall_policy</b>
 * lets us reach <b>addr</b>:<b>port</b>; <b>pref_only</b>/<b>pref_ipv6</b>
 * as for fascist_firewall_allows_address_addr(). */
STATIC int fascist_firewall_allows_address(const tor_addr_t *addr,
                                           uint16_t port,
                                           smartlist_t *firewall_policy,
                                           int pref_only, int pref_ipv6);
/** Pick between candidate addresses <b>a</b> and <b>b</b> for a
 * <b>fw_connection</b> connection; <b>want_a</b> presumably expresses the
 * caller's preference for <b>a</b>. Returns one of the inputs (or, given the
 * pointer return, possibly NULL -- confirm in policies.c). */
STATIC const tor_addr_port_t * fascist_firewall_choose_address(
                                          const tor_addr_port_t *a,
                                          const tor_addr_port_t *b,
                                          int want_a,
                                          firewall_connection_t fw_connection,
                                          int pref_only, int pref_ipv6);
#endif
#endif