/* Copyright (c) 2001-2004, Roger Dingledine. * Copyright (c) 2004-2006, Roger Dingledine, Nick Mathewson. */ /* See LICENSE for licensing information */ /* $Id$ */ const char policies_c_id[] = \ "$Id$"; /** * \file policies.c * \brief Code to parse and use address policies and exit policies. **/ #include "or.h" static int expand_exit_policy_aliases(smartlist_t *entries, int assume_action); static addr_policy_t *socks_policy = NULL; static addr_policy_t *dir_policy = NULL; static addr_policy_t *authdir_reject_policy = NULL; static addr_policy_t *authdir_invalid_policy = NULL; /** Parsed addr_policy_t describing which addresses we believe we can start * circuits at. */ static addr_policy_t *reachable_or_addr_policy = NULL; /** Parsed addr_policy_t describing which addresses we believe we can connect * to directories at. */ static addr_policy_t *reachable_dir_addr_policy = NULL; /** * Given a linked list of config lines containing "allow" and "deny" * tokens, parse them and append the result to dest. Return -1 * if any tokens are malformed, else return 0. */ static int parse_addr_policy(config_line_t *cfg, addr_policy_t **dest, int assume_action) { addr_policy_t **nextp; smartlist_t *entries; int r = 0; if (!cfg) return 0; nextp = dest; while (*nextp) nextp = &((*nextp)->next); entries = smartlist_create(); for (; cfg; cfg = cfg->next) { smartlist_split_string(entries, cfg->value, ",", SPLIT_SKIP_SPACE|SPLIT_IGNORE_BLANK, 0); if (expand_exit_policy_aliases(entries,assume_action)<0) { r = -1; continue; } SMARTLIST_FOREACH(entries, const char *, ent, { log_debug(LD_CONFIG,"Adding new entry '%s'",ent); *nextp = router_parse_addr_policy_from_string(ent, assume_action); if (*nextp) { if (addr_mask_get_bits((*nextp)->msk)<0) { log_warn(LD_CONFIG, "Address policy element '%s' can't be expressed " "as a bit prefix.", ent); } /* Advance nextp to the end of the policy. */ while (*nextp) nextp = &((*nextp)->next); } else { log_warn(LD_CONFIG,"Malformed policy '%s'.", ent); r = -1; } }); SMARTLIST_FOREACH(entries, char *, ent, tor_free(ent)); smartlist_clear(entries); } smartlist_free(entries); return r; } /** Helper: parse the Reachable(Dir|OR)?Addresses fields into * reachable_(or|dir)_addr_policy. */ static void parse_reachable_addresses(void) { or_options_t *options = get_options(); if (options->ReachableDirAddresses && options->ReachableORAddresses && options->ReachableAddresses) { log_warn(LD_CONFIG, "Both ReachableDirAddresses and ReachableORAddresses are set. " "ReachableAddresses setting will be ignored."); } addr_policy_free(reachable_or_addr_policy); reachable_or_addr_policy = NULL; if (!options->ReachableORAddresses && options->ReachableAddresses) log_info(LD_CONFIG, "Using ReachableAddresses as ReachableORAddresses."); if (parse_addr_policy(options->ReachableORAddresses ? options->ReachableORAddresses : options->ReachableAddresses, &reachable_or_addr_policy, ADDR_POLICY_ACCEPT)) { log_warn(LD_CONFIG, "Error parsing Reachable%sAddresses entry; ignoring.", options->ReachableORAddresses ? "OR" : ""); } addr_policy_free(reachable_dir_addr_policy); reachable_dir_addr_policy = NULL; if (!options->ReachableDirAddresses && options->ReachableAddresses) log_info(LD_CONFIG, "Using ReachableAddresses as ReachableDirAddresses"); if (parse_addr_policy(options->ReachableDirAddresses ? options->ReachableDirAddresses : options->ReachableAddresses, &reachable_dir_addr_policy, ADDR_POLICY_ACCEPT)) { if (options->ReachableDirAddresses) log_warn(LD_CONFIG, "Error parsing ReachableDirAddresses entry; ignoring."); } } /** Return true iff the firewall options might block any address:port * combination. */ int firewall_is_fascist_or(void) { return !!reachable_or_addr_policy; } /** Return true iff policy (possibly NULL) will allow a * connection to addr:port. */ static int addr_policy_permits_address(uint32_t addr, uint16_t port, addr_policy_t *policy) { addr_policy_result_t p; p = compare_addr_to_addr_policy(addr, port, policy); switch (p) { case ADDR_POLICY_PROBABLY_ACCEPTED: case ADDR_POLICY_ACCEPTED: return 1; case ADDR_POLICY_PROBABLY_REJECTED: case ADDR_POLICY_REJECTED: return 0; default: log_warn(LD_BUG, "Unexpected result: %d", (int)p); return 0; } } int fascist_firewall_allows_address_or(uint32_t addr, uint16_t port) { return addr_policy_permits_address(addr, port, reachable_or_addr_policy); } int fascist_firewall_allows_address_dir(uint32_t addr, uint16_t port) { return addr_policy_permits_address(addr, port, reachable_dir_addr_policy); } /** Return 1 if addr is permitted to connect to our dir port, * based on dir_policy. Else return 0. */ int dir_policy_permits_address(uint32_t addr) { return addr_policy_permits_address(addr, 1, dir_policy); } /** Return 1 if addr is permitted to connect to our socks port, * based on socks_policy. Else return 0. */ int socks_policy_permits_address(uint32_t addr) { return addr_policy_permits_address(addr, 1, socks_policy); } /** Return 1 if addr:port is permitted to publish to our * directory, based on authdir_reject_policy. Else return 0. */ int authdir_policy_permits_address(uint32_t addr, uint16_t port) { return addr_policy_permits_address(addr, port, authdir_reject_policy); } /** Return 1 if addr:port is considered valid in our * directory, based on authdir_invalid_policy. Else return 0. */ int authdir_policy_valid_address(uint32_t addr, uint16_t port) { return addr_policy_permits_address(addr, port, authdir_invalid_policy); } #define REJECT(arg) \ do { *msg = tor_strdup(arg); goto err; } while (0) int validate_addr_policies(or_options_t *options, char **msg) { addr_policy_t *addr_policy=NULL; *msg = NULL; if (policies_parse_exit_policy(options->ExitPolicy, &addr_policy, options->ExitPolicyRejectPrivate)) REJECT("Error in ExitPolicy entry."); /* The rest of these calls *append* to addr_policy. So don't actually * use the results for anything other than checking if they parse! */ if (parse_addr_policy(options->DirPolicy, &addr_policy, -1)) REJECT("Error in DirPolicy entry."); if (parse_addr_policy(options->SocksPolicy, &addr_policy, -1)) REJECT("Error in SocksPolicy entry."); if (parse_addr_policy(options->ReachableAddresses, &addr_policy, ADDR_POLICY_ACCEPT)) REJECT("Error in ReachableAddresses entry."); if (parse_addr_policy(options->ReachableORAddresses, &addr_policy, ADDR_POLICY_ACCEPT)) REJECT("Error in ReachableORAddresses entry."); if (parse_addr_policy(options->ReachableDirAddresses, &addr_policy, ADDR_POLICY_ACCEPT)) REJECT("Error in ReachableDirAddresses entry."); if (parse_addr_policy(options->AuthDirReject, &addr_policy, ADDR_POLICY_REJECT)) REJECT("Error in AuthDirReject entry."); if (parse_addr_policy(options->AuthDirInvalid, &addr_policy, ADDR_POLICY_REJECT)) REJECT("Error in AuthDirInvalid entry."); err: addr_policy_free(addr_policy); return *msg ? -1 : 0; #undef REJECT } /* Parse string in the same way that the exit policy * is parsed, and put the processed version in *policy. * Ignore port specifiers. */ static void load_policy_from_option(config_line_t *config, addr_policy_t **policy, int assume_action) { addr_policy_t *n; addr_policy_free(*policy); *policy = NULL; parse_addr_policy(config, policy, assume_action); /* ports aren't used. */ for (n=*policy; n; n = n->next) { n->prt_min = 1; n->prt_max = 65535; } } void policies_parse_from_options(or_options_t *options) { load_policy_from_option(options->SocksPolicy, &socks_policy, -1); load_policy_from_option(options->DirPolicy, &dir_policy, -1); load_policy_from_option(options->AuthDirReject, &authdir_reject_policy, ADDR_POLICY_REJECT); load_policy_from_option(options->AuthDirInvalid, &authdir_invalid_policy, ADDR_POLICY_REJECT); parse_reachable_addresses(); } /** Compare two provided address policy items, and return -1, 0, or 1 * if the first is less than, equal to, or greater than the second. */ static int cmp_single_addr_policy(addr_policy_t *a, addr_policy_t *b) { int r; if ((r=((int)a->policy_type - (int)b->policy_type))) return r; if ((r=((int)a->addr - (int)b->addr))) return r; if ((r=((int)a->msk - (int)b->msk))) return r; if ((r=((int)a->prt_min - (int)b->prt_min))) return r; if ((r=((int)a->prt_max - (int)b->prt_max))) return r; return 0; } /** Like cmp_single_addr_policy() above, but looks at the * whole set of policies in each case. */ int cmp_addr_policies(addr_policy_t *a, addr_policy_t *b) { int r; while (a && b) { if ((r=cmp_single_addr_policy(a,b))) return r; a = a->next; b = b->next; } if (!a && !b) return 0; if (a) return -1; else return 1; } /** Decide whether a given addr:port is definitely accepted, * definitely rejected, probably accepted, or probably rejected by a * given policy. If addr is 0, we don't know the IP of the * target address. If port is 0, we don't know the port of the * target address. * * For now, the algorithm is pretty simple: we look for definite and * uncertain matches. The first definite match is what we guess; if * it was preceded by no uncertain matches of the opposite policy, * then the guess is definite; otherwise it is probable. (If we * have a known addr and port, all matches are definite; if we have an * unknown addr/port, any address/port ranges other than "all" are * uncertain.) * * We could do better by assuming that some ranges never match typical * addresses (127.0.0.1, and so on). But we'll try this for now. */ addr_policy_result_t compare_addr_to_addr_policy(uint32_t addr, uint16_t port, addr_policy_t *policy) { int maybe_reject = 0; int maybe_accept = 0; int match = 0; int maybe = 0; addr_policy_t *tmpe; for (tmpe=policy; tmpe; tmpe=tmpe->next) { maybe = 0; if (!addr) { /* Address is unknown. */ if ((port >= tmpe->prt_min && port <= tmpe->prt_max) || (!port && tmpe->prt_min<=1 && tmpe->prt_max>=65535)) { /* The port definitely matches. */ if (tmpe->msk == 0) { match = 1; } else { maybe = 1; } } else if (!port) { /* The port maybe matches. */ maybe = 1; } } else { /* Address is known */ if ((addr & tmpe->msk) == (tmpe->addr & tmpe->msk)) { if (port >= tmpe->prt_min && port <= tmpe->prt_max) { /* Exact match for the policy */ match = 1; } else if (!port) { maybe = 1; } } } if (maybe) { if (tmpe->policy_type == ADDR_POLICY_REJECT) maybe_reject = 1; else maybe_accept = 1; } if (match) { if (tmpe->policy_type == ADDR_POLICY_ACCEPT) { /* If we already hit a clause that might trigger a 'reject', than we * can't be sure of this certain 'accept'.*/ return maybe_reject ? ADDR_POLICY_PROBABLY_ACCEPTED : ADDR_POLICY_ACCEPTED; } else { return maybe_accept ? ADDR_POLICY_PROBABLY_REJECTED : ADDR_POLICY_REJECTED; } } } /* accept all by default. */ return maybe_reject ? ADDR_POLICY_PROBABLY_ACCEPTED : ADDR_POLICY_ACCEPTED; } /** Return true iff the address policy a covers every case that * would be covered by b, so that a,b is redundant. */ static int addr_policy_covers(addr_policy_t *a, addr_policy_t *b) { /* We can ignore accept/reject, since "accept *:80, reject *:80" reduces * to "accept *:80". */ if (a->msk & ~b->msk) { /* There's a wildcard bit in b->msk that's not a wildcard in a. */ return 0; } if ((a->addr & a->msk) != (b->addr & a->msk)) { /* There's a fixed bit in a that's set differently in b. */ return 0; } return (a->prt_min <= b->prt_min && a->prt_max >= b->prt_max); } /** Return true iff the address policies a and b intersect, * that is, there exists an address/port that is covered by a that * is also covered by b. */ static int addr_policy_intersects(addr_policy_t *a, addr_policy_t *b) { /* All the bits we care about are those that are set in both * netmasks. If they are equal in a and b's networkaddresses * then the networks intersect. If there is a difference, * then they do not. */ if (((a->addr ^ b->addr) & a->msk & b->msk) != 0) return 0; if (a->prt_max < b->prt_min || b->prt_max < a->prt_min) return 0; return 1; } /** Add the exit policy described by more to policy. */ static void append_exit_policy_string(addr_policy_t **policy, const char *more) { config_line_t tmp; tmp.key = NULL; tmp.value = (char*) more; tmp.next = NULL; parse_addr_policy(&tmp, policy, -1); } static int expand_exit_policy_aliases(smartlist_t *entries, int assume_action) { static const char *prefixes[] = { "0.0.0.0/8", "169.254.0.0/16", "127.0.0.0/8", "192.168.0.0/16", "10.0.0.0/8", "172.16.0.0/12",NULL }; int i; char *pre=NULL, *post=NULL; int expanded_any = 0; pre = smartlist_join_strings(entries,",",0,NULL); for (i = 0; i < smartlist_len(entries); ++i) { char *v = smartlist_get(entries, i); const char *cp, *ports; const char *action; int prefix_idx; if (!strcasecmpstart(v, "accept")) { action = "accept "; cp = v+strlen("accept"); } else if (!strcasecmpstart(v, "reject")) { action = "reject "; cp = v+strlen("reject"); } else if (assume_action >= 0) { action = ""; cp = v; } else { log_warn(LD_CONFIG,"Policy '%s' didn't start with accept or reject.", v); tor_free(pre); return -1; } cp = eat_whitespace(cp); if (strcmpstart(cp, "private")) continue; /* No need to expand. */ cp += strlen("private"); cp = eat_whitespace(cp); if (*cp && *cp != ':') continue; /* It wasn't "private" after all. */ ports = cp; /* Okay. We're going to replace entries[i] with a bunch of new entries, * in order. */ smartlist_del_keeporder(entries, i); for (prefix_idx = 0; prefixes[prefix_idx]; ++prefix_idx) { size_t replacement_len = 16+strlen(prefixes[prefix_idx])+strlen(ports); char *replacement = tor_malloc(replacement_len); tor_snprintf(replacement, replacement_len, "%s%s%s", action, prefixes[prefix_idx], ports); smartlist_insert(entries, i++, replacement); } tor_free(v); expanded_any = 1; --i; } post = smartlist_join_strings(entries,",",0,NULL); if (expanded_any) log_info(LD_CONFIG, "Expanded '%s' to '%s'", pre, post); tor_free(pre); tor_free(post); return expanded_any; } /** Detect and excise "dead code" from the policy *dest. */ static void exit_policy_remove_redundancies(addr_policy_t **dest) { addr_policy_t *ap, *tmp, *victim, *previous; /* Step one: find a *:* entry and cut off everything after it. */ for (ap=*dest; ap; ap=ap->next) { if (ap->msk == 0 && ap->prt_min <= 1 && ap->prt_max >= 65535) { /* This is a catch-all line -- later lines are unreachable. */ if (ap->next) { addr_policy_free(ap->next); ap->next = NULL; } } } /* Step two: for every entry, see if there's a redundant entry * later on, and remove it. */ for (ap=*dest; ap; ap=ap->next) { tmp=ap; while (tmp) { if (tmp->next && addr_policy_covers(ap, tmp->next)) { log(LOG_INFO, LD_CONFIG, "Removing exit policy %s. It is made " "redundant by %s.", tmp->next->string, ap->string); victim = tmp->next; tmp->next = victim->next; victim->next = NULL; addr_policy_free(victim); } else { tmp=tmp->next; } } } /* Step three: for every entry A, see if there's an entry B making this one * redundant later on. This is the case if A and B are of the same type * (accept/reject), A is a subset of B, and there is no other entry of * different type in between those two that intersects with A. * * Anybody want to doublecheck the logic here? XXX */ ap = *dest; previous = NULL; while (ap) { for (tmp=ap->next; tmp; tmp=tmp->next) { if (ap->policy_type != tmp->policy_type && addr_policy_intersects(ap, tmp)) { tmp = NULL; /* so that we advance previous and ap */ break; } if (ap->policy_type == tmp->policy_type && addr_policy_covers(tmp, ap)) { log(LOG_INFO, LD_CONFIG, "Removing exit policy %s. It is made " "redundant by %s.", ap->string, tmp->string); victim = ap; ap = ap->next; if (previous) { assert(previous->next == victim); previous->next = victim->next; } else { assert(*dest == victim); *dest = victim->next; } victim->next = NULL; addr_policy_free(victim); break; } } if (!tmp) { previous = ap; ap = ap->next; } } } #define DEFAULT_EXIT_POLICY \ "reject *:25,reject *:119,reject *:135-139,reject *:445," \ "reject *:465,reject *:587,reject *:1214,reject *:4661-4666," \ "reject *:6346-6429,reject *:6699,reject *:6881-6999,accept *:*" /** Parse the exit policy cfg into the linked list *dest. If * cfg doesn't end in an absolute accept or reject, add the default exit * policy afterwards. If rejectprivate is true, prepend * "reject private:*" to the policy. Return -1 if we can't parse cfg, * else return 0. * */ int policies_parse_exit_policy(config_line_t *cfg, addr_policy_t **dest, int rejectprivate) { if (rejectprivate) append_exit_policy_string(dest, "reject private:*"); if (parse_addr_policy(cfg, dest, -1)) return -1; append_exit_policy_string(dest, DEFAULT_EXIT_POLICY); exit_policy_remove_redundancies(dest); return 0; } /** Return true iff ri is "useful as an exit node", meaning * it allows exit to at least one /8 address space for at least * one of ports 80, 443, and 6667. */ int exit_policy_is_general_exit(addr_policy_t *policy) { static const int ports[] = { 80, 443, 6667 }; int n_allowed = 0; int i; for (i = 0; i < 3; ++i) { struct addr_policy_t *p = policy; for ( ; p; p = p->next) { if (p->prt_min > ports[i] || p->prt_max < ports[i]) continue; /* Doesn't cover our port. */ if ((p->msk & 0x00fffffful) != 0) continue; /* Narrower than a /8. */ if ((p->addr & 0xff000000ul) == 0x7f000000ul) continue; /* 127.x */ /* We have a match that is at least a /8. */ if (p->policy_type == ADDR_POLICY_ACCEPT) ++n_allowed; break; } } return n_allowed > 0; } /** Release all storage held by p */ void addr_policy_free(addr_policy_t *p) { addr_policy_t *e; while (p) { e = p; p = p->next; tor_free(e->string); tor_free(e); } } void policies_free_all(void) { addr_policy_free(reachable_or_addr_policy); reachable_or_addr_policy = NULL; addr_policy_free(reachable_dir_addr_policy); reachable_dir_addr_policy = NULL; addr_policy_free(socks_policy); socks_policy = NULL; addr_policy_free(dir_policy); dir_policy = NULL; addr_policy_free(authdir_reject_policy); authdir_reject_policy = NULL; addr_policy_free(authdir_invalid_policy); authdir_invalid_policy = NULL; }