tor
master
|
Header file for policies.c. More...
Go to the source code of this file.
Macros | |
#define | POLICY_BUF_LEN 72 |
#define | EXIT_POLICY_IPV6_ENABLED (1 << 0) |
#define | EXIT_POLICY_REJECT_PRIVATE (1 << 1) |
#define | EXIT_POLICY_ADD_DEFAULT (1 << 2) |
#define | EXIT_POLICY_REJECT_LOCAL_INTERFACES (1 << 3) |
#define | EXIT_POLICY_ADD_REDUCED (1 << 4) |
#define | EXIT_POLICY_OPTION_MAX EXIT_POLICY_ADD_REDUCED |
#define | EXIT_POLICY_OPTION_ALL ((EXIT_POLICY_OPTION_MAX << 1) - 1) |
#define | addr_policy_list_free(lst) FREE_AND_NULL(smartlist_t, addr_policy_list_free_, (lst)) |
#define | addr_policy_free(p) FREE_AND_NULL(addr_policy_t, addr_policy_free_, (p)) |
#define | short_policy_free(p) FREE_AND_NULL(short_policy_t, short_policy_free_, (p)) |
Typedefs | |
typedef enum firewall_connection_t | firewall_connection_t |
typedef int | exit_policy_parser_cfg_t |
Enumerations | |
enum | firewall_connection_t { FIREWALL_OR_CONNECTION = 0, FIREWALL_DIR_CONNECTION = 1 } |
Functions | |
int | firewall_is_fascist_or (void) |
int | firewall_is_fascist_dir (void) |
int | fascist_firewall_use_ipv6 (const or_options_t *options) |
int | fascist_firewall_prefer_ipv6_orport (const or_options_t *options) |
int | fascist_firewall_prefer_ipv6_dirport (const or_options_t *options) |
int | fascist_firewall_allows_address_addr (const tor_addr_t *addr, uint16_t port, firewall_connection_t fw_connection, int pref_only, int pref_ipv6) |
int | fascist_firewall_allows_rs (const routerstatus_t *rs, firewall_connection_t fw_connection, int pref_only) |
int | fascist_firewall_allows_node (const node_t *node, firewall_connection_t fw_connection, int pref_only) |
int | fascist_firewall_allows_dir_server (const dir_server_t *ds, firewall_connection_t fw_connection, int pref_only) |
void | fascist_firewall_choose_address_rs (const routerstatus_t *rs, firewall_connection_t fw_connection, int pref_only, tor_addr_port_t *ap) |
void | fascist_firewall_choose_address_node (const node_t *node, firewall_connection_t fw_connection, int pref_only, tor_addr_port_t *ap) |
void | fascist_firewall_choose_address_dir_server (const dir_server_t *ds, firewall_connection_t fw_connection, int pref_only, tor_addr_port_t *ap) |
int | dir_policy_permits_address (const tor_addr_t *addr) |
int | socks_policy_permits_address (const tor_addr_t *addr) |
int | authdir_policy_permits_address (uint32_t addr, uint16_t port) |
int | authdir_policy_valid_address (uint32_t addr, uint16_t port) |
int | authdir_policy_badexit_address (uint32_t addr, uint16_t port) |
int | validate_addr_policies (const or_options_t *options, char **msg) |
void | policy_expand_private (smartlist_t **policy) |
void | policy_expand_unspec (smartlist_t **policy) |
int | policies_parse_from_options (const or_options_t *options) |
addr_policy_t * | addr_policy_get_canonical_entry (addr_policy_t *ent) |
int | addr_policies_eq (const smartlist_t *a, const smartlist_t *b) |
MOCK_DECL (addr_policy_result_t, compare_tor_addr_to_addr_policy,(const tor_addr_t *addr, uint16_t port, const smartlist_t *policy)) | |
addr_policy_result_t | compare_tor_addr_to_node_policy (const tor_addr_t *addr, uint16_t port, const node_t *node) |
int | policies_parse_exit_policy_from_options (const or_options_t *or_options, uint32_t local_address, const tor_addr_t *ipv6_local_address, smartlist_t **result) |
int | policies_parse_exit_policy (config_line_t *cfg, smartlist_t **dest, exit_policy_parser_cfg_t options, const smartlist_t *configured_addresses) |
void | policies_parse_exit_policy_reject_private (smartlist_t **dest, int ipv6_exit, const smartlist_t *configured_addresses, int reject_interface_addresses, int reject_configured_port_addresses) |
void | policies_exit_policy_append_reject_star (smartlist_t **dest) |
void | addr_policy_append_reject_addr (smartlist_t **dest, const tor_addr_t *addr) |
void | addr_policy_append_reject_addr_list (smartlist_t **dest, const smartlist_t *addrs) |
void | policies_set_node_exitpolicy_to_reject_all (node_t *exitrouter) |
int | exit_policy_is_general_exit (smartlist_t *policy) |
int | policy_is_reject_star (const smartlist_t *policy, sa_family_t family, int reject_by_default) |
char * | policy_dump_to_string (const smartlist_t *policy_list, int include_ipv4, int include_ipv6) |
int | getinfo_helper_policies (control_connection_t *conn, const char *question, char **answer, const char **errmsg) |
int | policy_write_item (char *buf, size_t buflen, const addr_policy_t *item, int format_for_desc) |
void | addr_policy_list_free_ (smartlist_t *p) |
void | addr_policy_free_ (addr_policy_t *p) |
void | policies_free_all (void) |
char * | policy_summarize (smartlist_t *policy, sa_family_t family) |
short_policy_t * | parse_short_policy (const char *summary) |
char * | write_short_policy (const short_policy_t *policy) |
void | short_policy_free_ (short_policy_t *policy) |
int | short_policy_is_reject_star (const short_policy_t *policy) |
addr_policy_result_t | compare_tor_addr_to_short_policy (const tor_addr_t *addr, uint16_t port, const short_policy_t *policy) |
Header file for policies.c.
int addr_policies_eq | ( | const smartlist_t * | a, |
const smartlist_t * | b | ||
) |
As single_addr_policy_eq, but compare every element of two policies.
void addr_policy_append_reject_addr | ( | smartlist_t ** | dest, |
const tor_addr_t * | addr | ||
) |
Add "reject <b>addr</b>:*" to dest, creating the list as needed.
void addr_policy_append_reject_addr_list | ( | smartlist_t ** | dest, |
const smartlist_t * | addrs | ||
) |
Add "reject addr:*" to dest, for each addr in addrs, creating the list as needed.
void addr_policy_free_ | ( | addr_policy_t * | p | ) |
Release all storage held by p.
void addr_policy_list_free_ | ( | smartlist_t * | lst | ) |
Release all storage held by p.
int authdir_policy_badexit_address | ( | uint32_t | addr, |
uint16_t | port | ||
) |
Return 1 if addr:port should be marked as a bad exit, based on authdir_badexit_policy. Else return 0.
int authdir_policy_permits_address | ( | uint32_t | addr, |
uint16_t | port | ||
) |
Return 1 if addr:port is permitted to publish to our directory, based on authdir_reject_policy. Else return 0.
int authdir_policy_valid_address | ( | uint32_t | addr, |
uint16_t | port | ||
) |
Return 1 if addr:port is considered valid in our directory, based on authdir_invalid_policy. Else return 0.
addr_policy_result_t compare_tor_addr_to_node_policy | ( | const tor_addr_t * | addr, |
uint16_t | port, | ||
const node_t * | node | ||
) |
Decide whether addr:port is probably or definitely accepted or rejected by node. See compare_tor_addr_to_addr_policy for details on addr/port interpretation.
addr_policy_result_t compare_tor_addr_to_short_policy | ( | const tor_addr_t * | addr, |
uint16_t | port, | ||
const short_policy_t * | policy | ||
) |
See whether the addr:port address is likely to be accepted or rejected by the summarized policy policy. Return values are as for compare_tor_addr_to_addr_policy. Unlike the regular addr_policy functions, requires the port be specified.
int dir_policy_permits_address | ( | const tor_addr_t * | addr | ) |
Return 1 if addr is permitted to connect to our dir port, based on dir_policy. Else return 0.
int exit_policy_is_general_exit | ( | smartlist_t * | policy | ) |
Return true iff ri is "useful as an exit node", meaning it allows exit to at least one /8 address space for each of ports 80 and 443.
int fascist_firewall_allows_address_addr | ( | const tor_addr_t * | addr, |
uint16_t | port, | ||
firewall_connection_t | fw_connection, | ||
int | pref_only, | ||
int | pref_ipv6 | ||
) |
Return true iff we think our firewall will let us make a connection to addr:port. Uses ReachableORAddresses or ReachableDirAddresses based on fw_connection. If pref_only is true, return true if addr is in the client's preferred address family, which is IPv6 if pref_ipv6 is true, and IPv4 otherwise. If pref_only is false, ignore pref_ipv6, and return true if addr is allowed.
int fascist_firewall_allows_dir_server | ( | const dir_server_t * | ds, |
firewall_connection_t | fw_connection, | ||
int | pref_only | ||
) |
int fascist_firewall_allows_node | ( | const node_t * | node, |
firewall_connection_t | fw_connection, | ||
int | pref_only | ||
) |
Like fascist_firewall_allows_base(), but takes node, and looks up pref_ipv6 from node_ipv6_or/dir_preferred().
int fascist_firewall_allows_rs | ( | const routerstatus_t * | rs, |
firewall_connection_t | fw_connection, | ||
int | pref_only | ||
) |
Like fascist_firewall_allows_base(), but takes rs. When rs is a fake_status from a dir_server_t, it can have a reachable address, even when the corresponding node does not. nodes can be missing addresses when there's no consensus (IPv4 and IPv6), or when there is a microdescriptor consensus, but no microdescriptors (microdescriptors have IPv6, the microdesc consensus does not).
void fascist_firewall_choose_address_dir_server | ( | const dir_server_t * | ds, |
firewall_connection_t | fw_connection, | ||
int | pref_only, | ||
tor_addr_port_t * | ap | ||
) |
void fascist_firewall_choose_address_node | ( | const node_t * | node, |
firewall_connection_t | fw_connection, | ||
int | pref_only, | ||
tor_addr_port_t * | ap | ||
) |
Like fascist_firewall_choose_address_base(), but takes node, and looks up the node's IPv6 preference rather than taking an argument for pref_ipv6.
void fascist_firewall_choose_address_rs | ( | const routerstatus_t * | rs, |
firewall_connection_t | fw_connection, | ||
int | pref_only, | ||
tor_addr_port_t * | ap | ||
) |
Like fascist_firewall_choose_address_base(), but takes rs. Consults the corresponding node, then falls back to rs if node is NULL. This should only happen when there's no valid consensus, and rs doesn't correspond to a bridge client's bridge.
int fascist_firewall_prefer_ipv6_dirport | ( | const or_options_t * | options | ) |
Do we prefer to connect to IPv6 DirPorts?
(node_ipv6_dir_preferred() doesn't support bridge client per-node IPv6 preferences. There's no reason to use it instead of this function.)
int fascist_firewall_prefer_ipv6_orport | ( | const or_options_t * | options | ) |
Do we prefer to connect to IPv6 ORPorts? Use node_ipv6_or_preferred() whenever possible: it supports bridge client per-node IPv6 preferences.
int fascist_firewall_use_ipv6 | ( | const or_options_t * | options | ) |
Is this client configured to use IPv6? Returns true if the client might use IPv6 for some of its connections (including dual-stack and IPv6-only clients), and false if it will never use IPv6 for any connections. Use node_ipv6_or/dir_preferred() when checking a specific node and OR/Dir port: it supports bridge client per-node IPv6 preferences.
int firewall_is_fascist_dir | ( | void | ) |
Return true iff the firewall options, including ClientUseIPv4 0 and ClientUseIPv6 0, might block any Dir address:port combination. Address preferences may still change which address is selected even if this function returns false.
int firewall_is_fascist_or | ( | void | ) |
Return true iff the firewall options, including ClientUseIPv4 0 and ClientUseIPv6 0, might block any OR address:port combination. Address preferences may still change which address is selected even if this function returns false.
int getinfo_helper_policies | ( | control_connection_t * | conn, |
const char * | question, | ||
char ** | answer, | ||
const char ** | errmsg | ||
) |
Implementation for GETINFO control command: knows the answer for questions about "exit-policy/..."
short_policy_t* parse_short_policy | ( | const char * | summary | ) |
Convert a summarized policy string into a short_policy_t. Return NULL if the string is not well-formed.
void policies_exit_policy_append_reject_star | ( | smartlist_t ** | dest | ) |
Add "reject *:*" to the end of the policy in *dest, allocating *dest as needed.
void policies_free_all | ( | void | ) |
Release all storage held by policy variables.
int policies_parse_exit_policy | ( | config_line_t * | cfg, |
smartlist_t ** | dest, | ||
exit_policy_parser_cfg_t | options, | ||
const smartlist_t * | configured_addresses | ||
) |
Parse exit policy in cfg into dest smartlist.
Prepend an entry that rejects all IPv6 destinations unless EXIT_POLICY_IPV6_ENABLED bit is set in options bitmask.
If EXIT_POLICY_REJECT_PRIVATE bit is set in options:
If EXIT_POLICY_ADD_DEFAULT bit is set in options, append default exit policy entries to result smartlist.
int policies_parse_exit_policy_from_options | ( | const or_options_t * | or_options, |
uint32_t | local_address, | ||
const tor_addr_t * | ipv6_local_address, | ||
smartlist_t ** | result | ||
) |
Parse ExitPolicy member of or_options into result smartlist. If or_options->IPv6Exit is false, prepend an entry that rejects all IPv6 destinations.
If or_options->ExitPolicyRejectPrivate is true:
If or_options->BridgeRelay is false, append entries of default Tor exit policy into result smartlist.
If or_options->ExitRelay is false, then make our exit policy into "reject *:*" regardless.
void policies_parse_exit_policy_reject_private | ( | smartlist_t ** | dest, |
int | ipv6_exit, | ||
const smartlist_t * | configured_addresses, | ||
int | reject_interface_addresses, | ||
int | reject_configured_port_addresses | ||
) |
Reject private helper for policies_parse_exit_policy_internal: rejects publicly routable addresses on this exit relay.
Add reject entries to the linked list *dest:
IPv6 entries are only added if ipv6_exit is true. (All IPv6 addresses are already blocked by policies_parse_exit_policy_internal if ipv6_exit is false.)
The list in dest is created as needed.
int policies_parse_from_options | ( | const or_options_t * | options | ) |
Set all policies based on options, which should have been validated first by validate_addr_policies.
void policies_set_node_exitpolicy_to_reject_all | ( | node_t * | node | ) |
Replace the exit policy of node with reject *:*
char* policy_dump_to_string | ( | const smartlist_t * | policy_list, |
int | include_ipv4, | ||
int | include_ipv6 | ||
) |
Given policy_list, a list of addr_policy_t, produce a string representation of the list. If include_ipv4 is true, include IPv4 entries. If include_ipv6 is true, include IPv6 entries.
void policy_expand_private | ( | smartlist_t ** | policy | ) |
Replace all "private" entries in *policy with their expanded equivalents.
void policy_expand_unspec | ( | smartlist_t ** | policy | ) |
Expand each of the AF_UNSPEC elements in *policy (which indicate protocol-neutral wildcards) into a pair of wildcard elements: one IPv4- specific and one IPv6-specific.
int policy_is_reject_star | ( | const smartlist_t * | policy, |
sa_family_t | family, | ||
int | default_reject | ||
) |
Return false if policy might permit access to some addr:port; otherwise if we are certain it rejects everything, return true. If no part of policy matches, return default_reject. NULL policies are allowed, and treated as empty.
char* policy_summarize | ( | smartlist_t * | policy, |
sa_family_t | family | ||
) |
Create a string representing a summary for an exit policy. The summary will either be an "accept" plus a comma-separated list of port ranges or a "reject" plus port-ranges, depending on which is shorter.
If no exits are allowed at all then "reject 1-65535" is returned. If no ports are blocked instead of "reject " we return "accept 1-65535". (These are an exception to the shorter-representation-wins rule).
int policy_write_item | ( | char * | buf, |
size_t | buflen, | ||
const addr_policy_t * | policy, | ||
int | format_for_desc | ||
) |
Write a single address policy to the buf_len byte buffer at buf. Return the number of characters written, or -1 on failure.
void short_policy_free_ | ( | short_policy_t * | policy | ) |
Release all storage held in policy.
int short_policy_is_reject_star | ( | const short_policy_t * | policy | ) |
Return true iff policy seems reject all ports
int socks_policy_permits_address | ( | const tor_addr_t * | addr | ) |
Return 1 if addr is permitted to connect to our socks port, based on socks_policy. Else return 0.
int validate_addr_policies | ( | const or_options_t * | options, |
char ** | msg | ||
) |
Config helper: If there's any problem with the policy configuration options in options, return -1 and set msg to a newly allocated description of the error. Else return 0.
char* write_short_policy | ( | const short_policy_t * | policy | ) |
Write policy back out into a string.