aboutsummaryrefslogtreecommitdiff
path: root/src/core/or/policies.c
diff options
context:
space:
mode:
Diffstat (limited to 'src/core/or/policies.c')
-rw-r--r--src/core/or/policies.c300
1 files changed, 126 insertions, 174 deletions
diff --git a/src/core/or/policies.c b/src/core/or/policies.c
index 2bf2dc7005..5f578d9b1a 100644
--- a/src/core/or/policies.c
+++ b/src/core/or/policies.c
@@ -48,6 +48,8 @@
static smartlist_t *socks_policy = NULL;
/** Policy that addresses for incoming directory connections must match. */
static smartlist_t *dir_policy = NULL;
+/** Policy for incoming MetricsPort connections that must match. */
+static smartlist_t *metrics_policy = NULL;
/** Policy that addresses for incoming router descriptors must match in order
* to be published by us. */
static smartlist_t *authdir_reject_policy = NULL;
@@ -311,7 +313,7 @@ parse_reachable_addresses(void)
"ReachableAddresses, ReachableORAddresses, or "
"ReachableDirAddresses reject all IPv4 addresses. "
"Tor will not connect using IPv4.");
- } else if (fascist_firewall_use_ipv6(options)
+ } else if (reachable_addr_use_ipv6(options)
&& (policy_is_reject_star(reachable_or_addr_policy, AF_INET6, 0)
|| policy_is_reject_star(reachable_dir_addr_policy, AF_INET6, 0))) {
log_warn(LD_CONFIG, "You have configured tor to use or prefer IPv6 "
@@ -389,19 +391,6 @@ addr_policy_permits_tor_addr(const tor_addr_t *addr, uint16_t port,
}
}
-/** Return true iff <b> policy</b> (possibly NULL) will allow a connection to
- * <b>addr</b>:<b>port</b>. <b>addr</b> is an IPv4 address given in host
- * order. */
-/* XXXX deprecate when possible. */
-static int
-addr_policy_permits_address(uint32_t addr, uint16_t port,
- smartlist_t *policy)
-{
- tor_addr_t a;
- tor_addr_from_ipv4h(&a, addr);
- return addr_policy_permits_tor_addr(&a, port, policy);
-}
-
/** Return true iff we think our firewall will let us make a connection to
* addr:port.
*
@@ -412,12 +401,12 @@ addr_policy_permits_address(uint32_t addr, uint16_t port,
* - if ClientUseIPv4 is 0, or
* if pref_only and pref_ipv6 are both true;
* - return false for all IPv6 addresses:
- * - if fascist_firewall_use_ipv6() is 0, or
+ * - if reachable_addr_use_ipv6() is 0, or
* - if pref_only is true and pref_ipv6 is false.
*
* Return false if addr is NULL or tor_addr_is_null(), or if port is 0. */
STATIC int
-fascist_firewall_allows_address(const tor_addr_t *addr,
+reachable_addr_allows(const tor_addr_t *addr,
uint16_t port,
smartlist_t *firewall_policy,
int pref_only, int pref_ipv6)
@@ -440,7 +429,7 @@ fascist_firewall_allows_address(const tor_addr_t *addr,
/* Clients and Servers won't use IPv6 unless it's enabled (and in most
* cases, IPv6 must also be preferred before it will be used). */
if (tor_addr_family(addr) == AF_INET6 &&
- (!fascist_firewall_use_ipv6(options) || (pref_only && !pref_ipv6))) {
+ (!reachable_addr_use_ipv6(options) || (pref_only && !pref_ipv6))) {
return 0;
}
@@ -456,7 +445,7 @@ fascist_firewall_allows_address(const tor_addr_t *addr,
* port: it supports bridge client per-node IPv6 preferences.
*/
int
-fascist_firewall_use_ipv6(const or_options_t *options)
+reachable_addr_use_ipv6(const or_options_t *options)
{
/* Clients use IPv6 if it's set, or they use bridges, or they don't use
* IPv4, or they prefer it.
@@ -471,7 +460,7 @@ fascist_firewall_use_ipv6(const or_options_t *options)
* If we're unsure, return -1, otherwise, return 1 for IPv6 and 0 for IPv4.
*/
static int
-fascist_firewall_prefer_ipv6_impl(const or_options_t *options)
+reachable_addr_prefer_ipv6_impl(const or_options_t *options)
{
/*
Cheap implementation of config options ClientUseIPv4 & ClientUseIPv6 --
@@ -479,7 +468,7 @@ fascist_firewall_prefer_ipv6_impl(const or_options_t *options)
If IPv4 is disabled, use IPv6.
*/
- if (server_mode(options) || !fascist_firewall_use_ipv6(options)) {
+ if (server_mode(options) || !reachable_addr_use_ipv6(options)) {
return 0;
}
@@ -495,9 +484,9 @@ fascist_firewall_prefer_ipv6_impl(const or_options_t *options)
* per-node IPv6 preferences.
*/
int
-fascist_firewall_prefer_ipv6_orport(const or_options_t *options)
+reachable_addr_prefer_ipv6_orport(const or_options_t *options)
{
- int pref_ipv6 = fascist_firewall_prefer_ipv6_impl(options);
+ int pref_ipv6 = reachable_addr_prefer_ipv6_impl(options);
if (pref_ipv6 >= 0) {
return pref_ipv6;
@@ -517,9 +506,9 @@ fascist_firewall_prefer_ipv6_orport(const or_options_t *options)
* preferences. There's no reason to use it instead of this function.)
*/
int
-fascist_firewall_prefer_ipv6_dirport(const or_options_t *options)
+reachable_addr_prefer_ipv6_dirport(const or_options_t *options)
{
- int pref_ipv6 = fascist_firewall_prefer_ipv6_impl(options);
+ int pref_ipv6 = reachable_addr_prefer_ipv6_impl(options);
if (pref_ipv6 >= 0) {
return pref_ipv6;
@@ -541,16 +530,16 @@ fascist_firewall_prefer_ipv6_dirport(const or_options_t *options)
* If pref_only is false, ignore pref_ipv6, and return true if addr is allowed.
*/
int
-fascist_firewall_allows_address_addr(const tor_addr_t *addr, uint16_t port,
+reachable_addr_allows_addr(const tor_addr_t *addr, uint16_t port,
firewall_connection_t fw_connection,
int pref_only, int pref_ipv6)
{
if (fw_connection == FIREWALL_OR_CONNECTION) {
- return fascist_firewall_allows_address(addr, port,
+ return reachable_addr_allows(addr, port,
reachable_or_addr_policy,
pref_only, pref_ipv6);
} else if (fw_connection == FIREWALL_DIR_CONNECTION) {
- return fascist_firewall_allows_address(addr, port,
+ return reachable_addr_allows(addr, port,
reachable_dir_addr_policy,
pref_only, pref_ipv6);
} else {
@@ -563,34 +552,15 @@ fascist_firewall_allows_address_addr(const tor_addr_t *addr, uint16_t port,
/** Return true iff we think our firewall will let us make a connection to
* addr:port (ap). Uses ReachableORAddresses or ReachableDirAddresses based on
* fw_connection.
- * pref_only and pref_ipv6 work as in fascist_firewall_allows_address_addr().
+ * pref_only and pref_ipv6 work as in reachable_addr_allows_addr().
*/
static int
-fascist_firewall_allows_address_ap(const tor_addr_port_t *ap,
+reachable_addr_allows_ap(const tor_addr_port_t *ap,
firewall_connection_t fw_connection,
int pref_only, int pref_ipv6)
{
tor_assert(ap);
- return fascist_firewall_allows_address_addr(&ap->addr, ap->port,
- fw_connection, pref_only,
- pref_ipv6);
-}
-
-/* Return true iff we think our firewall will let us make a connection to
- * ipv4h_or_addr:ipv4_or_port. ipv4h_or_addr is interpreted in host order.
- * Uses ReachableORAddresses or ReachableDirAddresses based on
- * fw_connection.
- * pref_only and pref_ipv6 work as in fascist_firewall_allows_address_addr().
- */
-static int
-fascist_firewall_allows_address_ipv4h(uint32_t ipv4h_or_addr,
- uint16_t ipv4_or_port,
- firewall_connection_t fw_connection,
- int pref_only, int pref_ipv6)
-{
- tor_addr_t ipv4_or_addr;
- tor_addr_from_ipv4h(&ipv4_or_addr, ipv4h_or_addr);
- return fascist_firewall_allows_address_addr(&ipv4_or_addr, ipv4_or_port,
+ return reachable_addr_allows_addr(&ap->addr, ap->port,
fw_connection, pref_only,
pref_ipv6);
}
@@ -599,17 +569,17 @@ fascist_firewall_allows_address_ipv4h(uint32_t ipv4h_or_addr,
* ipv4h_addr/ipv6_addr. Uses ipv4_orport/ipv6_orport/ReachableORAddresses or
* ipv4_dirport/ipv6_dirport/ReachableDirAddresses based on IPv4/IPv6 and
* <b>fw_connection</b>.
- * pref_only and pref_ipv6 work as in fascist_firewall_allows_address_addr().
+ * pref_only and pref_ipv6 work as in reachable_addr_allows_addr().
*/
static int
-fascist_firewall_allows_base(uint32_t ipv4h_addr, uint16_t ipv4_orport,
+reachable_addr_allows_base(const tor_addr_t *ipv4_addr, uint16_t ipv4_orport,
uint16_t ipv4_dirport,
const tor_addr_t *ipv6_addr, uint16_t ipv6_orport,
uint16_t ipv6_dirport,
firewall_connection_t fw_connection,
int pref_only, int pref_ipv6)
{
- if (fascist_firewall_allows_address_ipv4h(ipv4h_addr,
+ if (reachable_addr_allows_addr(ipv4_addr,
(fw_connection == FIREWALL_OR_CONNECTION
? ipv4_orport
: ipv4_dirport),
@@ -618,7 +588,7 @@ fascist_firewall_allows_base(uint32_t ipv4h_addr, uint16_t ipv4_orport,
return 1;
}
- if (fascist_firewall_allows_address_addr(ipv6_addr,
+ if (reachable_addr_allows_addr(ipv6_addr,
(fw_connection == FIREWALL_OR_CONNECTION
? ipv6_orport
: ipv6_dirport),
@@ -630,9 +600,9 @@ fascist_firewall_allows_base(uint32_t ipv4h_addr, uint16_t ipv4_orport,
return 0;
}
-/** Like fascist_firewall_allows_base(), but takes ri. */
+/** Like reachable_addr_allows_base(), but takes ri. */
static int
-fascist_firewall_allows_ri_impl(const routerinfo_t *ri,
+reachable_addr_allows_ri_impl(const routerinfo_t *ri,
firewall_connection_t fw_connection,
int pref_only, int pref_ipv6)
{
@@ -641,15 +611,15 @@ fascist_firewall_allows_ri_impl(const routerinfo_t *ri,
}
/* Assume IPv4 and IPv6 DirPorts are the same */
- return fascist_firewall_allows_base(ri->addr, ri->or_port, ri->dir_port,
- &ri->ipv6_addr, ri->ipv6_orport,
- ri->dir_port, fw_connection, pref_only,
- pref_ipv6);
+ return reachable_addr_allows_base(&ri->ipv4_addr, ri->ipv4_orport,
+ ri->ipv4_dirport, &ri->ipv6_addr,
+ ri->ipv6_orport, ri->ipv4_dirport,
+ fw_connection, pref_only, pref_ipv6);
}
-/** Like fascist_firewall_allows_rs, but takes pref_ipv6. */
+/** Like reachable_addr_allows_rs, but takes pref_ipv6. */
static int
-fascist_firewall_allows_rs_impl(const routerstatus_t *rs,
+reachable_addr_allows_rs_impl(const routerstatus_t *rs,
firewall_connection_t fw_connection,
int pref_only, int pref_ipv6)
{
@@ -658,20 +628,20 @@ fascist_firewall_allows_rs_impl(const routerstatus_t *rs,
}
/* Assume IPv4 and IPv6 DirPorts are the same */
- return fascist_firewall_allows_base(rs->addr, rs->or_port, rs->dir_port,
- &rs->ipv6_addr, rs->ipv6_orport,
- rs->dir_port, fw_connection, pref_only,
- pref_ipv6);
+ return reachable_addr_allows_base(&rs->ipv4_addr, rs->ipv4_orport,
+ rs->ipv4_dirport, &rs->ipv6_addr,
+ rs->ipv6_orport, rs->ipv4_dirport,
+ fw_connection, pref_only, pref_ipv6);
}
-/** Like fascist_firewall_allows_base(), but takes rs.
+/** Like reachable_addr_allows_base(), but takes rs.
* When rs is a fake_status from a dir_server_t, it can have a reachable
* address, even when the corresponding node does not.
* nodes can be missing addresses when there's no consensus (IPv4 and IPv6),
* or when there is a microdescriptor consensus, but no microdescriptors
* (microdescriptors have IPv6, the microdesc consensus does not). */
int
-fascist_firewall_allows_rs(const routerstatus_t *rs,
+reachable_addr_allows_rs(const routerstatus_t *rs,
firewall_connection_t fw_connection, int pref_only)
{
if (!rs) {
@@ -682,20 +652,20 @@ fascist_firewall_allows_rs(const routerstatus_t *rs,
* generic IPv6 preference instead. */
const or_options_t *options = get_options();
int pref_ipv6 = (fw_connection == FIREWALL_OR_CONNECTION
- ? fascist_firewall_prefer_ipv6_orport(options)
- : fascist_firewall_prefer_ipv6_dirport(options));
+ ? reachable_addr_prefer_ipv6_orport(options)
+ : reachable_addr_prefer_ipv6_dirport(options));
- return fascist_firewall_allows_rs_impl(rs, fw_connection, pref_only,
+ return reachable_addr_allows_rs_impl(rs, fw_connection, pref_only,
pref_ipv6);
}
/** Return true iff we think our firewall will let us make a connection to
* ipv6_addr:ipv6_orport based on ReachableORAddresses.
* If <b>fw_connection</b> is FIREWALL_DIR_CONNECTION, returns 0.
- * pref_only and pref_ipv6 work as in fascist_firewall_allows_address_addr().
+ * pref_only and pref_ipv6 work as in reachable_addr_allows_addr().
*/
static int
-fascist_firewall_allows_md_impl(const microdesc_t *md,
+reachable_addr_allows_md_impl(const microdesc_t *md,
firewall_connection_t fw_connection,
int pref_only, int pref_ipv6)
{
@@ -709,15 +679,15 @@ fascist_firewall_allows_md_impl(const microdesc_t *md,
}
/* Also can't check IPv4, doesn't have that either */
- return fascist_firewall_allows_address_addr(&md->ipv6_addr, md->ipv6_orport,
+ return reachable_addr_allows_addr(&md->ipv6_addr, md->ipv6_orport,
fw_connection, pref_only,
pref_ipv6);
}
-/** Like fascist_firewall_allows_base(), but takes node, and looks up pref_ipv6
+/** Like reachable_addr_allows_base(), but takes node, and looks up pref_ipv6
* from node_ipv6_or/dir_preferred(). */
int
-fascist_firewall_allows_node(const node_t *node,
+reachable_addr_allows_node(const node_t *node,
firewall_connection_t fw_connection,
int pref_only)
{
@@ -733,15 +703,15 @@ fascist_firewall_allows_node(const node_t *node,
/* Sometimes, the rs is missing the IPv6 address info, and we need to go
* all the way to the md */
- if (node->ri && fascist_firewall_allows_ri_impl(node->ri, fw_connection,
+ if (node->ri && reachable_addr_allows_ri_impl(node->ri, fw_connection,
pref_only, pref_ipv6)) {
return 1;
- } else if (node->rs && fascist_firewall_allows_rs_impl(node->rs,
+ } else if (node->rs && reachable_addr_allows_rs_impl(node->rs,
fw_connection,
pref_only,
pref_ipv6)) {
return 1;
- } else if (node->md && fascist_firewall_allows_md_impl(node->md,
+ } else if (node->md && reachable_addr_allows_md_impl(node->md,
fw_connection,
pref_only,
pref_ipv6)) {
@@ -753,9 +723,9 @@ fascist_firewall_allows_node(const node_t *node,
}
}
-/** Like fascist_firewall_allows_rs(), but takes ds. */
+/** Like reachable_addr_allows_rs(), but takes ds. */
int
-fascist_firewall_allows_dir_server(const dir_server_t *ds,
+reachable_addr_allows_dir_server(const dir_server_t *ds,
firewall_connection_t fw_connection,
int pref_only)
{
@@ -766,8 +736,8 @@ fascist_firewall_allows_dir_server(const dir_server_t *ds,
/* A dir_server_t always has a fake_status. As long as it has the same
* addresses/ports in both fake_status and dir_server_t, this works fine.
* (See #17867.)
- * fascist_firewall_allows_rs only checks the addresses in fake_status. */
- return fascist_firewall_allows_rs(&ds->fake_status, fw_connection,
+ * reachable_addr_allows_rs only checks the addresses in fake_status. */
+ return reachable_addr_allows_rs(&ds->fake_status, fw_connection,
pref_only);
}
@@ -775,10 +745,10 @@ fascist_firewall_allows_dir_server(const dir_server_t *ds,
* choose one based on want_a and return it.
* Otherwise, return whichever is allowed.
* Otherwise, return NULL.
- * pref_only and pref_ipv6 work as in fascist_firewall_allows_address_addr().
+ * pref_only and pref_ipv6 work as in reachable_addr_allows_addr().
*/
static const tor_addr_port_t *
-fascist_firewall_choose_address_impl(const tor_addr_port_t *a,
+reachable_addr_choose_impl(const tor_addr_port_t *a,
const tor_addr_port_t *b,
int want_a,
firewall_connection_t fw_connection,
@@ -787,12 +757,12 @@ fascist_firewall_choose_address_impl(const tor_addr_port_t *a,
const tor_addr_port_t *use_a = NULL;
const tor_addr_port_t *use_b = NULL;
- if (fascist_firewall_allows_address_ap(a, fw_connection, pref_only,
+ if (reachable_addr_allows_ap(a, fw_connection, pref_only,
pref_ipv6)) {
use_a = a;
}
- if (fascist_firewall_allows_address_ap(b, fw_connection, pref_only,
+ if (reachable_addr_allows_ap(b, fw_connection, pref_only,
pref_ipv6)) {
use_b = b;
}
@@ -816,13 +786,13 @@ fascist_firewall_choose_address_impl(const tor_addr_port_t *a,
* - Otherwise, return whichever is preferred.
* Otherwise, return NULL. */
STATIC const tor_addr_port_t *
-fascist_firewall_choose_address(const tor_addr_port_t *a,
+reachable_addr_choose(const tor_addr_port_t *a,
const tor_addr_port_t *b,
int want_a,
firewall_connection_t fw_connection,
int pref_only, int pref_ipv6)
{
- const tor_addr_port_t *pref = fascist_firewall_choose_address_impl(
+ const tor_addr_port_t *pref = reachable_addr_choose_impl(
a, b, want_a,
fw_connection,
1, pref_ipv6);
@@ -834,7 +804,7 @@ fascist_firewall_choose_address(const tor_addr_port_t *a,
} else {
/* If there's no preferred address, and we can return addresses that are
* not preferred, use an address that's allowed */
- return fascist_firewall_choose_address_impl(a, b, want_a, fw_connection,
+ return reachable_addr_choose_impl(a, b, want_a, fw_connection,
0, pref_ipv6);
}
}
@@ -849,7 +819,7 @@ fascist_firewall_choose_address(const tor_addr_port_t *a,
* If both addresses could be chosen (they are both preferred or both allowed)
* choose IPv6 if pref_ipv6 is true, otherwise choose IPv4. */
static void
-fascist_firewall_choose_address_base(const tor_addr_t *ipv4_addr,
+reachable_addr_choose_base(const tor_addr_t *ipv4_addr,
uint16_t ipv4_orport,
uint16_t ipv4_dirport,
const tor_addr_t *ipv6_addr,
@@ -881,7 +851,7 @@ fascist_firewall_choose_address_base(const tor_addr_t *ipv4_addr,
? ipv6_orport
: ipv6_dirport);
- result = fascist_firewall_choose_address(&ipv4_ap, &ipv6_ap,
+ result = reachable_addr_choose(&ipv4_ap, &ipv6_ap,
want_ipv4,
fw_connection, pref_only,
pref_ipv6);
@@ -892,41 +862,13 @@ fascist_firewall_choose_address_base(const tor_addr_t *ipv4_addr,
}
}
-/** Like fascist_firewall_choose_address_base(), but takes a host-order IPv4
- * address as the first parameter. */
-static void
-fascist_firewall_choose_address_ipv4h(uint32_t ipv4h_addr,
- uint16_t ipv4_orport,
- uint16_t ipv4_dirport,
- const tor_addr_t *ipv6_addr,
- uint16_t ipv6_orport,
- uint16_t ipv6_dirport,
- firewall_connection_t fw_connection,
- int pref_only,
- int pref_ipv6,
- tor_addr_port_t* ap)
-{
- tor_addr_t ipv4_addr;
- tor_addr_from_ipv4h(&ipv4_addr, ipv4h_addr);
- tor_assert(ap);
-
- tor_addr_make_null(&ap->addr, AF_UNSPEC);
- ap->port = 0;
-
- fascist_firewall_choose_address_base(&ipv4_addr, ipv4_orport,
- ipv4_dirport, ipv6_addr,
- ipv6_orport, ipv6_dirport,
- fw_connection, pref_only,
- pref_ipv6, ap);
-}
-
-/** Like fascist_firewall_choose_address_base(), but takes <b>rs</b>.
+/** Like reachable_addr_choose_base(), but takes <b>rs</b>.
* Consults the corresponding node, then falls back to rs if node is NULL.
* This should only happen when there's no valid consensus, and rs doesn't
* correspond to a bridge client's bridge.
*/
void
-fascist_firewall_choose_address_rs(const routerstatus_t *rs,
+reachable_addr_choose_from_rs(const routerstatus_t *rs,
firewall_connection_t fw_connection,
int pref_only, tor_addr_port_t* ap)
{
@@ -943,30 +885,29 @@ fascist_firewall_choose_address_rs(const routerstatus_t *rs,
const node_t *node = node_get_by_id(rs->identity_digest);
if (node) {
- fascist_firewall_choose_address_node(node, fw_connection, pref_only, ap);
+ reachable_addr_choose_from_node(node, fw_connection, pref_only, ap);
} else {
/* There's no node-specific IPv6 preference, so use the generic IPv6
* preference instead. */
int pref_ipv6 = (fw_connection == FIREWALL_OR_CONNECTION
- ? fascist_firewall_prefer_ipv6_orport(options)
- : fascist_firewall_prefer_ipv6_dirport(options));
+ ? reachable_addr_prefer_ipv6_orport(options)
+ : reachable_addr_prefer_ipv6_dirport(options));
- /* Assume IPv4 and IPv6 DirPorts are the same.
- * Assume the IPv6 OR and Dir addresses are the same. */
- fascist_firewall_choose_address_ipv4h(rs->addr, rs->or_port, rs->dir_port,
- &rs->ipv6_addr, rs->ipv6_orport,
- rs->dir_port, fw_connection,
- pref_only, pref_ipv6, ap);
+ reachable_addr_choose_base(&rs->ipv4_addr, rs->ipv4_orport,
+ rs->ipv4_dirport, &rs->ipv6_addr,
+ rs->ipv6_orport, rs->ipv4_dirport,
+ fw_connection, pref_only, pref_ipv6,
+ ap);
}
}
-/** Like fascist_firewall_choose_address_base(), but takes in a smartlist
+/** Like reachable_addr_choose_base(), but takes in a smartlist
* <b>lspecs</b> consisting of one or more link specifiers. We assume
* fw_connection is FIREWALL_OR_CONNECTION as link specifiers cannot
* contain DirPorts.
*/
void
-fascist_firewall_choose_address_ls(const smartlist_t *lspecs,
+reachable_addr_choose_from_ls(const smartlist_t *lspecs,
int pref_only, tor_addr_port_t* ap)
{
int have_v4 = 0, have_v6 = 0;
@@ -1028,20 +969,20 @@ fascist_firewall_choose_address_ls(const smartlist_t *lspecs,
/* Here, don't check for DirPorts as link specifiers are only used for
* ORPorts. */
const or_options_t *options = get_options();
- int pref_ipv6 = fascist_firewall_prefer_ipv6_orport(options);
+ int pref_ipv6 = reachable_addr_prefer_ipv6_orport(options);
/* Assume that the DirPorts are zero as link specifiers only use ORPorts. */
- fascist_firewall_choose_address_base(&addr_v4, port_v4, 0,
+ reachable_addr_choose_base(&addr_v4, port_v4, 0,
&addr_v6, port_v6, 0,
FIREWALL_OR_CONNECTION,
pref_only, pref_ipv6,
ap);
}
-/** Like fascist_firewall_choose_address_base(), but takes <b>node</b>, and
+/** Like reachable_addr_choose_base(), but takes <b>node</b>, and
* looks up the node's IPv6 preference rather than taking an argument
* for pref_ipv6. */
void
-fascist_firewall_choose_address_node(const node_t *node,
+reachable_addr_choose_from_node(const node_t *node,
firewall_connection_t fw_connection,
int pref_only, tor_addr_port_t *ap)
{
@@ -1071,16 +1012,16 @@ fascist_firewall_choose_address_node(const node_t *node,
node_get_pref_ipv6_dirport(node, &ipv6_dir_ap);
/* Assume the IPv6 OR and Dir addresses are the same. */
- fascist_firewall_choose_address_base(&ipv4_or_ap.addr, ipv4_or_ap.port,
+ reachable_addr_choose_base(&ipv4_or_ap.addr, ipv4_or_ap.port,
ipv4_dir_ap.port, &ipv6_or_ap.addr,
ipv6_or_ap.port, ipv6_dir_ap.port,
fw_connection, pref_only,
pref_ipv6_node, ap);
}
-/** Like fascist_firewall_choose_address_rs(), but takes <b>ds</b>. */
+/** Like reachable_addr_choose_from_rs(), but takes <b>ds</b>. */
void
-fascist_firewall_choose_address_dir_server(const dir_server_t *ds,
+reachable_addr_choose_from_dir_server(const dir_server_t *ds,
firewall_connection_t fw_connection,
int pref_only,
tor_addr_port_t *ap)
@@ -1097,9 +1038,9 @@ fascist_firewall_choose_address_dir_server(const dir_server_t *ds,
/* A dir_server_t always has a fake_status. As long as it has the same
* addresses/ports in both fake_status and dir_server_t, this works fine.
* (See #17867.)
- * This function relies on fascist_firewall_choose_address_rs looking up the
+ * This function relies on reachable_addr_choose_from_rs looking up the
* node if it can, because that will get the latest info for the relay. */
- fascist_firewall_choose_address_rs(&ds->fake_status, fw_connection,
+ reachable_addr_choose_from_rs(&ds->fake_status, fw_connection,
pref_only, ap);
}
@@ -1121,20 +1062,26 @@ socks_policy_permits_address(const tor_addr_t *addr)
return addr_policy_permits_tor_addr(addr, 1, socks_policy);
}
+/** Return 1 if <b>addr</b> is permitted to connect to our metrics port,
+ * based on <b>socks_policy</b>. Else return 0.
+ */
+int
+metrics_policy_permits_address(const tor_addr_t *addr)
+{
+ return addr_policy_permits_tor_addr(addr, 1, metrics_policy);
+}
+
/** Return true iff the address <b>addr</b> is in a country listed in the
* case-insensitive list of country codes <b>cc_list</b>. */
static int
-addr_is_in_cc_list(uint32_t addr, const smartlist_t *cc_list)
+addr_is_in_cc_list(const tor_addr_t *addr, const smartlist_t *cc_list)
{
country_t country;
const char *name;
- tor_addr_t tar;
if (!cc_list)
return 0;
- /* XXXXipv6 */
- tor_addr_from_ipv4h(&tar, addr);
- country = geoip_get_country_by_addr(&tar);
+ country = geoip_get_country_by_addr(addr);
name = geoip_get_country_name(country);
return smartlist_contains_string_case(cc_list, name);
}
@@ -1143,9 +1090,9 @@ addr_is_in_cc_list(uint32_t addr, const smartlist_t *cc_list)
* directory, based on <b>authdir_reject_policy</b>. Else return 0.
*/
int
-authdir_policy_permits_address(uint32_t addr, uint16_t port)
+authdir_policy_permits_address(const tor_addr_t *addr, uint16_t port)
{
- if (! addr_policy_permits_address(addr, port, authdir_reject_policy))
+ if (!addr_policy_permits_tor_addr(addr, port, authdir_reject_policy))
return 0;
return !addr_is_in_cc_list(addr, get_options()->AuthDirRejectCCs);
}
@@ -1154,9 +1101,9 @@ authdir_policy_permits_address(uint32_t addr, uint16_t port)
* directory, based on <b>authdir_invalid_policy</b>. Else return 0.
*/
int
-authdir_policy_valid_address(uint32_t addr, uint16_t port)
+authdir_policy_valid_address(const tor_addr_t *addr, uint16_t port)
{
- if (! addr_policy_permits_address(addr, port, authdir_invalid_policy))
+ if (!addr_policy_permits_tor_addr(addr, port, authdir_invalid_policy))
return 0;
return !addr_is_in_cc_list(addr, get_options()->AuthDirInvalidCCs);
}
@@ -1165,9 +1112,9 @@ authdir_policy_valid_address(uint32_t addr, uint16_t port)
* based on <b>authdir_badexit_policy</b>. Else return 0.
*/
int
-authdir_policy_badexit_address(uint32_t addr, uint16_t port)
+authdir_policy_badexit_address(const tor_addr_t *addr, uint16_t port)
{
- if (! addr_policy_permits_address(addr, port, authdir_badexit_policy))
+ if (!addr_policy_permits_tor_addr(addr, port, authdir_badexit_policy))
return 1;
return addr_is_in_cc_list(addr, get_options()->AuthDirBadExitCCs);
}
@@ -1282,6 +1229,22 @@ load_policy_from_option(config_line_t *config, const char *option_name,
return 0;
}
+/** Helper: Parse the MetricsPortPolicy option into the metrics_policy and set
+ * the reject all by default.
+ *
+ * Return 0 on success else -1. */
+static int
+parse_metrics_port_policy(const or_options_t *options)
+{
+ if (load_policy_from_option(options->MetricsPortPolicy, "MetricsPortPolicy",
+ &metrics_policy, -1) < 0) {
+ return -1;
+ }
+ /* It is a reject all by default. */
+ append_exit_policy_string(&metrics_policy, "reject *:*");
+ return 0;
+}
+
/** Set all policies based on <b>options</b>, which should have been validated
* first by validate_addr_policies. */
int
@@ -1303,6 +1266,9 @@ policies_parse_from_options(const or_options_t *options)
if (load_policy_from_option(options->AuthDirBadExit, "AuthDirBadExit",
&authdir_badexit_policy, ADDR_POLICY_REJECT) < 0)
ret = -1;
+ if (parse_metrics_port_policy(options) < 0) {
+ ret = -1;
+ }
if (parse_reachable_addresses() < 0)
ret = -1;
return ret;
@@ -1883,7 +1849,7 @@ policies_log_first_redundant_entry(const smartlist_t *policy)
int found_ipv4_wildcard = 0, found_ipv6_wildcard = 0;
const int i = p_sl_idx;
- /* Look for accept/reject *[4|6|]:* entires */
+ /* Look for accept/reject *[4|6|]:* entries */
if (p->prt_min <= 1 && p->prt_max == 65535 && p->maskbits == 0) {
family = tor_addr_family(&p->addr);
/* accept/reject *:* may have already been expanded into
@@ -2086,22 +2052,6 @@ policies_copy_addr_to_smartlist(smartlist_t *addr_list, const tor_addr_t *addr)
}
}
-/** Helper function that adds ipv4h_addr to a smartlist as a tor_addr_t *,
- * as long as it is not tor_addr_is_null(), by converting it to a tor_addr_t
- * and passing it to policies_add_addr_to_smartlist.
- *
- * The caller is responsible for freeing all the tor_addr_t* in the smartlist.
- */
-static void
-policies_copy_ipv4h_to_smartlist(smartlist_t *addr_list, uint32_t ipv4h_addr)
-{
- if (ipv4h_addr) {
- tor_addr_t ipv4_tor_addr;
- tor_addr_from_ipv4h(&ipv4_tor_addr, ipv4h_addr);
- policies_copy_addr_to_smartlist(addr_list, &ipv4_tor_addr);
- }
-}
-
/** Helper function that adds copies of or_options->OutboundBindAddresses
* to a smartlist as tor_addr_t *, as long as or_options is non-NULL, and
* the addresses are not tor_addr_is_null(), by passing them to
@@ -2133,8 +2083,8 @@ policies_copy_outbound_addresses_to_smartlist(smartlist_t *addr_list,
* If <b>or_options->ExitPolicyRejectPrivate</b> is true:
* - prepend an entry that rejects all destinations in all netblocks reserved
* for private use.
- * - if local_address is non-zero, treat it as a host-order IPv4 address, and
- * add it to the list of configured addresses.
+ * - if ipv4_local_address is non-zero, treat it as a host-order IPv4 address,
+ * and add it to the list of configured addresses.
* - if ipv6_local_address is non-NULL, and not the null tor_addr_t, add it
* to the list of configured addresses.
* If <b>or_options->ExitPolicyRejectLocalInterfaces</b> is true:
@@ -2151,7 +2101,7 @@ policies_copy_outbound_addresses_to_smartlist(smartlist_t *addr_list,
*/
int
policies_parse_exit_policy_from_options(const or_options_t *or_options,
- uint32_t local_address,
+ const tor_addr_t *ipv4_local_address,
const tor_addr_t *ipv6_local_address,
smartlist_t **result)
{
@@ -2192,7 +2142,7 @@ policies_parse_exit_policy_from_options(const or_options_t *or_options,
/* Copy the configured addresses into the tor_addr_t* list */
if (or_options->ExitPolicyRejectPrivate) {
- policies_copy_ipv4h_to_smartlist(configured_addresses, local_address);
+ policies_copy_addr_to_smartlist(configured_addresses, ipv4_local_address);
policies_copy_addr_to_smartlist(configured_addresses, ipv6_local_address);
}
@@ -3062,7 +3012,7 @@ getinfo_helper_policies(control_connection_t *conn,
/* Copy the configured addresses into the tor_addr_t* list */
if (options->ExitPolicyRejectPrivate) {
- policies_copy_ipv4h_to_smartlist(configured_addresses, me->addr);
+ policies_copy_addr_to_smartlist(configured_addresses, &me->ipv4_addr);
policies_copy_addr_to_smartlist(configured_addresses, &me->ipv6_addr);
}
@@ -3154,6 +3104,8 @@ policies_free_all(void)
socks_policy = NULL;
addr_policy_list_free(dir_policy);
dir_policy = NULL;
+ addr_policy_list_free(metrics_policy);
+ metrics_policy = NULL;
addr_policy_list_free(authdir_reject_policy);
authdir_reject_policy = NULL;
addr_policy_list_free(authdir_invalid_policy);
7apu2bq3rhoylwmucxizk54afw5jyda7pho4j5zdcqpwkufke7zdzwad.onion