[or-cvs] Append default exit policy before checking for implicit int...

Nick Mathewson nickm at seul.org
Sat May 14 00:13:19 UTC 2005


Update of /home/or/cvsroot/tor/src/or
In directory moria.mit.edu:/tmp/cvs-serv20642/src/or

Modified Files:
	config.c or.h router.c routerlist.c test.c 
Log Message:
Append default exit policy before checking for implicit internal addresses: fix bug 129.

Index: config.c
===================================================================
RCS file: /home/or/cvsroot/tor/src/or/config.c,v
retrieving revision 1.343
retrieving revision 1.344
diff -u -d -r1.343 -r1.344
--- config.c	9 May 2005 04:31:00 -0000	1.343
+++ config.c	14 May 2005 00:13:16 -0000	1.344
@@ -1574,6 +1574,7 @@
     log_fn(LOG_WARN, "Error in Exit Policy entry.");
     result = -1;
   }
+  config_append_default_exit_policy(&addr_policy);
   if (server_mode(options)) {
     exit_policy_implicitly_allows_local_networks(addr_policy, 1);
   }
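Review bot: The default policy is appended and exit_policy_implicitly_allows_local_networks() is run even when the parse just above failed and `result` is already -1, so the warning it emits can describe a policy that was only partially parsed. Wrapping the new call and the server_mode() check in `if (result == 0) { ... }` keeps the warning attached to a policy that actually parsed; if addr_policy is freed unconditionally later in the function, the guard changes nothing else. The enclosing function starts and ends outside the hunk, so where addr_policy is released is not visible here.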
@@ -2161,6 +2162,32 @@
   return 0;
 }
 
+#define DEFAULT_EXIT_POLICY "reject 0.0.0.0/8,reject 169.254.0.0/16,reject 127.0.0.0/8,reject 192.168.0.0/16,reject 10.0.0.0/8,reject 172.16.0.0/12,reject *:25,reject *:119,reject *:135-139,reject *:445,reject *:1214,reject *:4661-4666,reject *:6346-6429,reject *:6699,reject *:6881-6999,accept *:*"
+
+void
+config_append_default_exit_policy(addr_policy_t **policy)
+{
+  struct config_line_t tmp;
+  addr_policy_t *ap;
+
+  tmp.key = NULL;
+  tmp.value = (char*)DEFAULT_EXIT_POLICY;
+  tmp.next = NULL;
+  config_parse_addr_policy(&tmp, policy);
+
+  /* Remove redundant parts, if any. */
+  for (ap=*policy; ap; ap=ap->next) {
+    if (ap->msk == 0 && ap->prt_min <= 1 && ap->prt_max >= 65535) {
+      if (ap->next) {
+        addr_policy_free(ap->next);
+        ap->next = NULL;
+      }
+      return;
+    }
+  }
+}
+
+
 /**
  * Given a linked list of config lines containing "allow" and "deny" tokens,
  * parse them and append the result to <b>dest</b>.  Return -1 if any tokens
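Review bot: The return value of `config_parse_addr_policy(&tmp, policy);` in config_append_default_exit_policy() is discarded, although the prototype in or.h returns -1 on a bad token; because DEFAULT_EXIT_POLICY is a compile-time constant a failure here is a programming error, so `tor_assert(config_parse_addr_policy(&tmp, policy) == 0);` would surface it instead of silently leaving the policy without its reject rules. The function also lacks the `/** ... */` comment every neighbouring function in this file carries; something like `/** Append the default exit policy to *<b>policy</b>, then free every entry after the first catch-all (*:*) rule, since nothing past it can ever match. */` states the contract, including that entries after the catch-all are freed. The pruning loop itself looks correct: it stops at the first entry with `msk == 0` covering ports 1-65535 and frees the tail.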

Index: or.h
===================================================================
RCS file: /home/or/cvsroot/tor/src/or/or.h,v
retrieving revision 1.607
retrieving revision 1.608
diff -u -d -r1.607 -r1.608
--- or.h	9 May 2005 04:31:00 -0000	1.607
+++ or.h	14 May 2005 00:13:16 -0000	1.608
@@ -1255,6 +1255,7 @@
 int config_init_logs(or_options_t *options, int validate_only);
 int config_parse_addr_policy(struct config_line_t *cfg,
                              addr_policy_t **dest);
+void config_append_default_exit_policy(addr_policy_t **policy);
 void addr_policy_free(addr_policy_t *p);
 int config_option_is_recognized(const char *key);
 struct config_line_t *config_get_assigned_option(or_options_t *options,

Index: router.c
===================================================================
RCS file: /home/or/cvsroot/tor/src/or/router.c,v
retrieving revision 1.172
retrieving revision 1.173
diff -u -d -r1.172 -r1.173
--- router.c	9 May 2005 04:31:00 -0000	1.172
+++ router.c	14 May 2005 00:13:17 -0000	1.173
@@ -577,31 +577,6 @@
   directory_post_to_dirservers(DIR_PURPOSE_UPLOAD_DIR, s, strlen(s));
 }
 
-#define DEFAULT_EXIT_POLICY "reject 0.0.0.0/8,reject 169.254.0.0/16,reject 127.0.0.0/8,reject 192.168.0.0/16,reject 10.0.0.0/8,reject 172.16.0.0/12,reject *:25,reject *:119,reject *:135-139,reject *:445,reject *:1214,reject *:4661-4666,reject *:6346-6429,reject *:6699,reject *:6881-6999,accept *:*"
-
-/** Set the exit policy on <b>router</b> to match the exit policy in the
- * current configuration file.  If the exit policy doesn't have a catch-all
- * rule, then append the default exit policy as well.
- */
-static void router_add_exit_policy_from_config(routerinfo_t *router) {
-  addr_policy_t *ep;
-  struct config_line_t default_policy;
-  config_parse_addr_policy(get_options()->ExitPolicy, &router->exit_policy);
-
-  for (ep = router->exit_policy; ep; ep = ep->next) {
-    if (ep->msk == 0 && ep->prt_min <= 1 && ep->prt_max >= 65535) {
-      /* if exitpolicy includes a *:* line, then we're done. */
-      return;
-    }
-  }
-
-  /* Else, append the default exitpolicy. */
-  default_policy.key = NULL;
-  default_policy.value = (char*)DEFAULT_EXIT_POLICY;
-  default_policy.next = NULL;
-  config_parse_addr_policy(&default_policy, &router->exit_policy);
-}
-
 /** OR only: Check whether my exit policy says to allow connection to
  * conn.  Return false if we accept; true if we reject.
  */
@@ -702,7 +677,9 @@
   if (options->BandwidthRate > options->MaxAdvertisedBandwidth)
     ri->bandwidthrate = (int)options->MaxAdvertisedBandwidth;
 
-  router_add_exit_policy_from_config(ri);
+  config_parse_addr_policy(get_options()->ExitPolicy, &ri->exit_policy);
+  config_append_default_exit_policy(&ri->exit_policy);
+
   if (desc_routerinfo) /* inherit values */
     ri->is_verified = desc_routerinfo->is_verified;
   if (options->MyFamily) {
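Review bot: The return value of `config_parse_addr_policy(get_options()->ExitPolicy, &ri->exit_policy);` is discarded, so a malformed ExitPolicy leaves ri with whatever prefix parsed before the error, followed by the default policy, with no log or failure from this path; the deleted router_add_exit_policy_from_config() had the same gap, but now that the call is inline this is the place to check it, e.g. `if (config_parse_addr_policy(options->ExitPolicy, &ri->exit_policy) < 0) log_fn(LOG_WARN, "Error in Exit Policy entry.");`. Separately, `options` is already in scope on the BandwidthRate lines just above, so using `options->ExitPolicy` would be consistent, assuming it refers to the same object get_options() returns. The enclosing function starts and ends outside the hunk.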

Index: routerlist.c
===================================================================
RCS file: /home/or/cvsroot/tor/src/or/routerlist.c,v
retrieving revision 1.230
retrieving revision 1.231
diff -u -d -r1.230 -r1.231
--- routerlist.c	10 May 2005 22:33:45 -0000	1.230
+++ routerlist.c	14 May 2005 00:13:17 -0000	1.231
@@ -1171,8 +1171,9 @@
      * its value, and every free bit set to 1.  So if addr and addr2 are
      * both in the policy, the range is covered by the policy.
      */
-    if ((policy->addr & policy->msk) == (addr & policy->msk) &&
-        (policy->addr & policy->msk) == (addr2 & policy->msk) &&
+    uint32_t p_addr = policy->addr & policy->msk;
+    if (p_addr == (addr & policy->msk) &&
+        p_addr == (addr2 & policy->msk) &&
         (policy->prt_min <= 1 && policy->prt_max == 65535)) {
       return 0;
     }
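Review bot: The port-coverage test on the `(policy->prt_min <= 1 && policy->prt_max == 65535)` line uses `== 65535`, while the equivalent catch-all test added to config.c in this same commit uses `>= 65535`; the two predicates should agree, ideally through one shared helper such as `static int policy_covers_all_ports(const addr_policy_t *p)`, so an entry is considered port-complete by the same rule everywhere. The new `uint32_t p_addr` declaration also follows a comment and possibly earlier statements in the block; if the file is kept C89-clean it has to move to the top of the block. The enclosing function starts and ends outside the hunk.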
@@ -1216,14 +1217,15 @@
   };
   for (i=0; private_networks[i].addr; ++i) {
     p = NULL;
-      if (policy_includes_addr_mask_implicitly(
+    /* log_fn(LOG_INFO,"Checking network %s", private_networks[i].network); */
+    if (policy_includes_addr_mask_implicitly(
               policy, private_networks[i].addr, private_networks[i].mask, &p)) {
-        if (warn)
-          log_fn(LOG_WARN, "Exit policy %s implicitly accepts %s",
-                 p?p->string:"(default)",
-                 private_networks[i].network);
-        r = 1;
-      }
+      if (warn)
+        log_fn(LOG_WARN, "Exit policy %s implicitly accepts %s",
+               p?p->string:"(default)",
+               private_networks[i].network);
+      r = 1;
+    }
   }
 
   return r;
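Review bot: The added `/* log_fn(LOG_INFO,"Checking network %s", private_networks[i].network); */` line inside the loop is commented-out code; either drop it or make it a live `log_fn(LOG_DEBUG, "Checking network %s", private_networks[i].network);` so the trace is available without editing the source. The rest of the hunk is a reindentation of the existing block and changes no behaviour. The enclosing function starts outside the hunk.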

Index: test.c
===================================================================
RCS file: /home/or/cvsroot/tor/src/or/test.c,v
retrieving revision 1.176
retrieving revision 1.177
diff -u -d -r1.176 -r1.177
--- test.c	2 May 2005 21:22:31 -0000	1.176
+++ test.c	14 May 2005 00:13:17 -0000	1.177
@@ -1316,6 +1316,40 @@
 }
 
 static void
+test_exit_policies(void)
+{
+  addr_policy_t *policy;
+
+  policy = router_parse_addr_policy_from_string("reject 192.168.0.0/16:*");
+  test_eq(NULL, policy->next);
+  test_eq(ADDR_POLICY_REJECT, policy->policy_type);
+  test_eq(0xc0a80000u, policy->addr);
+  test_eq(0xffff0000u, policy->msk);
+  test_eq(1, policy->prt_min);
+  test_eq(65535, policy->prt_max);
+  test_streq("reject 192.168.0.0/16:*", policy->string);
+
+  test_assert(exit_policy_implicitly_allows_local_networks(policy, 0));
+  test_eq(ADDR_POLICY_ACCEPTED,
+          router_compare_addr_to_addr_policy(0x01020304u, 2, policy));
+  test_eq(ADDR_POLICY_PROBABLY_ACCEPTED,
+          router_compare_addr_to_addr_policy(0, 2, policy));
+  test_eq(ADDR_POLICY_REJECTED,
+          router_compare_addr_to_addr_policy(0xc0a80102, 2, policy));
+
+  addr_policy_free(policy);
+
+  /* Copied from router.c */
+  policy = NULL;
+  config_append_default_exit_policy(&policy);
+  test_assert(policy);
+  test_assert(!exit_policy_implicitly_allows_local_networks(policy, 1));
+
+  addr_policy_free(policy);
+
+}
+
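Review bot: `policy->next` is dereferenced on the line after `router_parse_addr_policy_from_string("reject 192.168.0.0/16:*")` before anything checks that the parse succeeded, so a NULL return would crash the test binary rather than report a failure; add `test_assert(policy);` before the first test_eq, as the second half of the test already does for the default policy. The second half only checks that the default policy is non-NULL and does not implicitly allow local networks; it never exercises the new pruning branch in config_append_default_exit_policy(), so a case that starts from a policy ending in `accept *:*`, calls the function, and asserts that nothing was appended after that entry would cover it. The constant `0xc0a80102` also lacks the `u` suffix the other addresses in the test carry.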
+static void
 test_rend_fns(void)
 {
   char address1[] = "fooaddress.onion";
@@ -1386,6 +1420,8 @@
   test_onion_handshake();
   puts("\n========================= Directory Formats ===============");
   test_dir_format();
+  puts("\n========================= Exit policies ===================");
+  test_exit_policies();
   puts("\n========================= Rendezvous functionality ========");
   test_rend_fns();
   puts("");


