From dc40d27cd855703ec5d286f75d3f20876e721e06 Mon Sep 17 00:00:00 2001 From: Bram Matthys Date: Sun, 28 Feb 2021 07:47:58 +0100 Subject: [PATCH] Move set::anti-flood::unknown-flood-* to set::anti-flood::handshake-data-flood which is a new block, documented at: https://www.unrealircd.org/docs/Set_block#set::anti-flood::handshake-data-flood The reason for this is better naming and allowing to tweak ban-action. --- doc/RELEASE-NOTES.md | 5 +++ doc/conf/help/help.conf | 30 +++++++------- doc/conf/help/help.nl.conf | 2 +- doc/conf/help/help.pl.conf | 34 +++++++-------- include/dynconf.h | 12 +++--- include/h.h | 1 - include/struct.h | 2 +- src/conf.c | 85 +++++++++++++++++++++++++++++++------- src/modules/stats.c | 7 ++-- src/modules/tkl.c | 44 ++++++++++---------- src/parse.c | 25 ++++++----- 11 files changed, 151 insertions(+), 96 deletions(-) diff --git a/doc/RELEASE-NOTES.md b/doc/RELEASE-NOTES.md index 197faeee8..443c0997b 100644 --- a/doc/RELEASE-NOTES.md +++ b/doc/RELEASE-NOTES.md @@ -30,6 +30,11 @@ Fixes: Changes: * Add doc/KEYS which contains the public key(s) used to sign UnrealIRCd releases +* The options set::anti-flood::unknown-flood-* have been renamed and +integrated in a new block called +[set::anti-flood::handshake-data-flood](https://www.unrealircd.org/docs/Set_block#set::anti-flood::handshake-data-flood). +The ban-action can now also be changed. Note that almost nobody will have to +change this setting since it has a good default. Reminder: UnrealIRCd 4 is no longer supported ---------------------------------------------- diff --git a/doc/conf/help/help.conf b/doc/conf/help/help.conf index 89fc144d1..1e40002ee 100644 --- a/doc/conf/help/help.conf +++ b/doc/conf/help/help.conf 
@@ -955,21 +955,21 @@ help Eline {
 " Example: ELINE *@unrealircd.org kGF 0 This user is exempt";
 " Valid are:";
 " ==-Type--------Name---------------------------Explanation-----------------------==";
- " k | K-Line | Bypass K-Lines ";
- " G | G-Line | Bypass G-Lines ";
- " z | Z-Line | Bypass Z-Lines ";
- " Z | GZ-Line | Bypass Global Z-Lines ";
- " Q | Q-Line | Bypass Q-Lines ";
- " s | shun | Bypass Shuns ";
- " F | spamfilter | Bypass spamfilter checking ";
- " b | blacklist | Bypass blacklist checking ";
- " c | connect flood | Bypass set::anti-flood::connect-flood ";
- " d | unknown flood | Bypass unknown data flood checking ";
- " | | (no ZLINE on too much data before registration) ";
- " m | maxperip | Bypass allow::maxperip restriction ";
- " r | antirandom | Bypass antirandom module ";
- " 8 | antimixedutf8 | Bypass antimixedutf8 module ";
- " v | version | Bypass ban version { } blocks ";
+ " k | K-Line | Bypass K-Lines ";
+ " G | G-Line | Bypass G-Lines ";
+ " z | Z-Line | Bypass Z-Lines ";
+ " Z | GZ-Line | Bypass Global Z-Lines ";
+ " Q | Q-Line | Bypass Q-Lines ";
+ " s | shun | Bypass Shuns ";
+ " F | spamfilter | Bypass spamfilter checking ";
+ " b | blacklist | Bypass blacklist checking ";
+ " c | connect flood | Bypass set::anti-flood::connect-flood ";
+ " d | handshake flood | Bypass handshake data flood checking ";
+ " | | (no ZLINE on too much data before registration) ";
+ " m | maxperip | Bypass allow::maxperip restriction ";
+ " r | antirandom | Bypass antirandom module ";
+ " 8 | antimixedutf8 | Bypass antimixedutf8 module ";
+ " v | version | Bypass ban version { } blocks ";
 " ==------------------------------------------------------------------------------==";
 " -";
 " Extended server bans (more info at https://www.unrealircd.org/docs/Extended_server_bans)";
diff --git a/doc/conf/help/help.nl.conf b/doc/conf/help/help.nl.conf
index 9256f83c0..17772218f 100644
--- a/doc/conf/help/help.nl.conf
+++ b/doc/conf/help/help.nl.conf
@@ -965,7 +965,7 @@ help Eline {
 " F | spamfilter | Bypass spamfilter controle ";
 "b | blacklist | Bypass blacklist checking ";
 " c | connect flood | Bypass set::anti-flood::connect-flood ";
- " d | unknown flood | Bypass unknown data flood checking ";
+ " d | handshake flood | Bypass handshake data flood checking ";
 " | (geen ZLINE op te veel gegevens voor de registratie) ";
 " m | maxperip | Bypass toestaan::maxperip beperking ";
 " r | antirandom | Bypass antirandom module ";
diff --git a/doc/conf/help/help.pl.conf b/doc/conf/help/help.pl.conf
index a04a2f8f8..4f9ee49ac 100644
--- a/doc/conf/help/help.pl.conf
+++ b/doc/conf/help/help.pl.conf
@@ -984,22 +984,22 @@ help Eline {
 " Przykład: ELINE *@unrealircd.org kGf 0 Ten użytkownik ma wyjątek";
 " Dostępne to:";
 " ==-Typ---------Nazwa--------------------------Wyjaśnienie-----------------------==";
- " k | K-Line | Omija K-Line ";
- " G | G-Line | Omija G-Line ";
- " z | Z-Line | Omija Z-Line ";
- " Z | GZ-Line | Omija globalne Z-Line ";
- " Q | Q-Line | Omija Q-Line ";
- " s | shun | Omija Shun ";
- " F | spamfilter | Omija sprawdzanie spamfiltrów ";
- " b | blacklist | Omija sprawdzanie czarnych list ";
- " c | connect flood | Omija ustawienie set::anti-flood::connect-flood ";
- " d | unknown flood | Omija detekcję floodu danymi z nieznanych połączeń ";
- " | | (nie będzie ZLINE przy wysłaniu zbyt wielu danych ";
- " | | przed rejestracją połączenia) ";
- " m | maxperip | Omija restrykcję allow::maxperipon ";
- " r | antirandom | Omija działanie modułu 'antirandom' ";
- " 8 | antimixedutf8 | Omija działanie modułu 'antimixedutf8' ";
- " v | version | Omija bany ustawione jako 'ban version { }' ";
+ " k | K-Line | Omija K-Line ";
+ " G | G-Line | Omija G-Line ";
+ " z | Z-Line | Omija Z-Line ";
+ " Z | GZ-Line | Omija globalne Z-Line ";
+ " Q | Q-Line | Omija Q-Line ";
+ " s | shun | Omija Shun ";
+ " F | spamfilter | Omija sprawdzanie spamfiltrów ";
+ " b | blacklist | Omija sprawdzanie czarnych list ";
+ " c | connect flood | Omija ustawienie set::anti-flood::connect-flood ";
+ " d | handshake flood | Omija detekcję floodu danymi z nieznanych połączeń ";
+ " | | (nie będzie ZLINE przy wysłaniu zbyt wielu danych ";
+ " | | przed rejestracją połączenia) ";
+ " m | maxperip | Omija restrykcję allow::maxperipon ";
+ " r | antirandom | Omija działanie modułu 'antirandom' ";
+ " 8 | antimixedutf8 | Omija działanie modułu 'antimixedutf8' ";
+ " v | version | Omija bany ustawione jako 'ban version { }' ";
 " ==------------------------------------------------------------------------------==";
 " -";
 " Rozszerzone bany serwerowe (więcej informacji na
https://www.unrealircd.org/docs/Extended_server_bans)"; @@ -1025,7 +1025,7 @@ help Rehash { " Dodanie -global spowoduje zadziałanie na wszystkich serwerach w sieci."; " -"; " Flagi służą do wyboru innych plików konfiguracyjnych do przeładowania. Dostępne"; - " flagi to:"; + " flagi to:"; " -dns - Ponownie inicjalizuje i przeładowuje narzędzie rozpoznawania nazw DNS?"; " -garbage - Wymusza zadziałanie mechanizmu oczyszczania (garbage collection)"; " -motd - Odświeża tylko wszystkie pliki MOTD, BOTMOTD, OPERMOTD i RULES"; diff --git a/include/dynconf.h b/include/dynconf.h index 5276e07c4..5d60eddb0 100644 --- a/include/dynconf.h +++ b/include/dynconf.h @@ -113,8 +113,9 @@ struct Configuration { char *restrict_channelmodes; char *restrict_extendedbans; char *channel_command_prefix; - long unknown_flood_bantime; - long unknown_flood_amount; + long handshake_data_flood_amount; + long handshake_data_flood_ban_time; + int handshake_data_flood_ban_action; struct ChMode modes_on_join; int level_on_join; unsigned char away_count; @@ -230,8 +231,6 @@ extern MODVAR int ipv6_disabled; #define THROTTLING_PERIOD iConf.throttle_period #define THROTTLING_COUNT iConf.throttle_count #define USE_BAN_VERSION iConf.use_ban_version -#define UNKNOWN_FLOOD_BANTIME iConf.unknown_flood_bantime -#define UNKNOWN_FLOOD_AMOUNT iConf.unknown_flood_amount #define MODES_ON_JOIN iConf.modes_on_join.mode #define LEVEL_ON_JOIN iConf.level_on_join @@ -326,8 +325,9 @@ struct SetCheck { unsigned has_restrict_channelmodes:1; unsigned has_restrict_extendedbans:1; unsigned has_channel_command_prefix:1; - unsigned has_anti_flood_unknown_flood_bantime:1; - unsigned has_anti_flood_unknown_flood_amount:1; + unsigned has_anti_flood_handshake_data_flood_amount:1; + unsigned has_anti_flood_handshake_data_flood_ban_action:1; + unsigned has_anti_flood_handshake_data_flood_ban_time:1; unsigned has_modes_on_join:1; unsigned has_level_on_join:1; unsigned has_anti_flood_away_count:1; 
diff --git a/include/h.h b/include/h.h index 210710cf2..2a262a205 100644 --- a/include/h.h +++ b/include/h.h @@ -885,7 +885,6 @@ extern CMD_FUNC(cmd_rehash); extern CMD_FUNC(cmd_die); extern CMD_FUNC(cmd_restart); extern void cmd_alias(Client *client, MessageTag *recv_mtags, int parc, char *parv[], char *cmd); /* special! */ -extern void ban_flooder(Client *cptr); extern char *pcre2_version(void); extern int get_terminal_width(void); extern int has_common_channels(Client *c1, Client *c2); diff --git a/include/struct.h b/include/struct.h index 293268743..54167d526 100644 --- a/include/struct.h +++ b/include/struct.h @@ -880,7 +880,7 @@ typedef void (*OverrideCmdFunc)(CommandOverride *ovr, Client *client, MessageTag #define TKL_BLACKLIST 0x0001000 #define TKL_CONNECT_FLOOD 0x0002000 #define TKL_MAXPERIP 0x0004000 -#define TKL_UNKNOWN_DATA_FLOOD 0x0008000 +#define TKL_HANDSHAKE_DATA_FLOOD 0x0008000 #define TKL_ANTIRANDOM 0x0010000 #define TKL_ANTIMIXEDUTF8 0x0020000 #define TKL_BAN_VERSION 0x0040000 diff --git a/src/conf.c b/src/conf.c index 4935de883..381ac3231 100644 --- a/src/conf.c +++ b/src/conf.c @@ -1625,8 +1625,9 @@ void config_setdefaultsettings(Configuration *i) { char tmp[512]; - i->unknown_flood_amount = 4; - i->unknown_flood_bantime = 600; + i->handshake_data_flood_amount = 4096; + i->handshake_data_flood_ban_action = BAN_ACT_ZLINE; + i->handshake_data_flood_ban_time = 600; safe_strdup(i->oper_snomask, SNO_DEFOPER); i->ident_read_timeout = 7; i->ident_connect_timeout = 3; @@ -6592,7 +6593,7 @@ int _conf_ban(ConfigFile *conf, ConfigEntry *ce) else if (!strcmp(cep->ce_varname, "reason")) safe_strdup(ca->reason, cep->ce_vardata); else if (!strcmp(cep->ce_varname, "action")) - ca ->action = banact_stringtoval(cep->ce_vardata); + ca->action = banact_stringtoval(cep->ce_vardata); } AddListItem(ca, conf_ban); return 0; 
@@ -7468,11 +7469,20 @@ int _conf_set(ConfigFile *conf, ConfigEntry *ce) } } else if (!strcmp(cep->ce_varname, "anti-flood")) { - for (cepp = cep->ce_entries; cepp; cepp = cepp->ce_next) { - if (!strcmp(cepp->ce_varname, "unknown-flood-bantime")) - tempiConf.unknown_flood_bantime = config_checkval(cepp->ce_vardata,CFG_TIME); - else if (!strcmp(cepp->ce_varname, "unknown-flood-amount")) - tempiConf.unknown_flood_amount = atol(cepp->ce_vardata); + for (cepp = cep->ce_entries; cepp; cepp = cepp->ce_next) + { + if (!strcmp(cepp->ce_varname, "handshake-data-flood")) + { + for (ceppp = cepp->ce_entries; ceppp; ceppp = ceppp->ce_next) + { + if (!strcmp(ceppp->ce_varname, "amount")) + tempiConf.handshake_data_flood_amount = config_checkval(ceppp->ce_vardata, CFG_SIZE); + else if (!strcmp(ceppp->ce_varname, "ban-time")) + tempiConf.handshake_data_flood_ban_time = config_checkval(ceppp->ce_vardata, CFG_TIME); + else if (!strcmp(ceppp->ce_varname, "ban-action")) + tempiConf.handshake_data_flood_ban_action = banact_stringtoval(ceppp->ce_vardata); + } + } else if (!strcmp(cepp->ce_varname, "away-count")) tempiConf.away_count = atol(cepp->ce_vardata); else if (!strcmp(cepp->ce_varname, "away-period")) @@ -8291,8 +8301,10 @@ int _test_set(ConfigFile *conf, ConfigEntry *ce) need_34_upgrade = 1; continue; } - else if (!strcmp(cep->ce_varname, "anti-flood")) { - for (cepp = cep->ce_entries; cepp; cepp = cepp->ce_next) { + else if (!strcmp(cep->ce_varname, "anti-flood")) + { + for (cepp = cep->ce_entries; cepp; cepp = cepp->ce_next) + { if (!strcmp(cepp->ce_varname, "max-concurrent-conversations")) { for (ceppp = cepp->ce_entries; ceppp; ceppp = ceppp->ce_next) 
@@ -8329,15 +8341,56 @@ int _test_set(ConfigFile *conf, ConfigEntry *ce) } continue; /* required here, due to checknull directly below */ } - if (!strcmp(cepp->ce_varname, "unknown-flood-bantime")) + else if (!strcmp(cepp->ce_varname, "unknown-flood-amount") || + !strcmp(cepp->ce_varname, "unknown-flood-bantime")) { - CheckNull(cepp); - CheckDuplicate(cepp, anti_flood_unknown_flood_bantime, "anti-flood::unknown-flood-bantime"); + config_error("%s:%i: set::anti-flood::%s: this setting has been moved. " + "See https://www.unrealircd.org/docs/Set_block#set::anti-flood::handshake-data-flood", + cepp->ce_fileptr->cf_filename, cepp->ce_varlinenum, cepp->ce_varname); + errors++; + continue; } - else if (!strcmp(cepp->ce_varname, "unknown-flood-amount")) + else if (!strcmp(cepp->ce_varname, "handshake-data-flood")) { - CheckNull(cepp); - CheckDuplicate(cepp, anti_flood_unknown_flood_amount, "anti-flood::unknown-flood-amount"); + for (ceppp = cepp->ce_entries; ceppp; ceppp = ceppp->ce_next) + { + if (!strcmp(ceppp->ce_varname, "amount")) + { + long v; + CheckNull(ceppp); + CheckDuplicate(ceppp, anti_flood_handshake_data_flood_amount, "anti-flood::handshake-data-flood::amount"); + v = config_checkval(ceppp->ce_vardata, CFG_SIZE); + if (v < 1024) + { + config_error("%s:%i: set::anti-flood::handshake-data-flood::amount must be at least 1024 bytes", + ceppp->ce_fileptr->cf_filename, ceppp->ce_varlinenum); + errors++; + } + } else + if (!strcmp(ceppp->ce_varname, "ban-action")) + { + CheckNull(ceppp); + CheckDuplicate(ceppp, anti_flood_handshake_data_flood_ban_action, "anti-flood::handshake-data-flood::ban-action"); + if (!banact_stringtoval(ceppp->ce_vardata)) + { + config_error("%s:%i: set::anti-flood::handshake-data-flood::ban-action has unknown action type '%s'", + ceppp->ce_fileptr->cf_filename, ceppp->ce_varlinenum, + ceppp->ce_vardata); + errors++; + } + } else + if (!strcmp(ceppp->ce_varname, "ban-time")) + { + CheckNull(ceppp); + CheckDuplicate(ceppp, 
anti_flood_handshake_data_flood_ban_time, "anti-flood::handshake-data-flood::ban-time"); + } else + { + config_error_unknownopt(ceppp->ce_fileptr->cf_filename, + ceppp->ce_varlinenum, "set::anti-flood::handshake-data-flood", + ceppp->ce_varname); + errors++; + } + } } else if (!strcmp(cepp->ce_varname, "away-count")) { diff --git a/src/modules/stats.c b/src/modules/stats.c index 72bc3644b..a377a4e38 100644 --- a/src/modules/stats.c +++ b/src/modules/stats.c @@ -866,12 +866,11 @@ int stats_set(Client *client, char *para) if (LINK_BINDIP) sendtxtnumeric(client, "link::bind-ip: %s", LINK_BINDIP); sendtxtnumeric(client, "anti-flood::connect-flood: %d per %s", THROTTLING_COUNT, pretty_time_val(THROTTLING_PERIOD)); - sendtxtnumeric(client, "anti-flood::unknown-flood-bantime: %s", pretty_time_val(UNKNOWN_FLOOD_BANTIME)); - sendtxtnumeric(client, "anti-flood::unknown-flood-amount: %ldKB", UNKNOWN_FLOOD_AMOUNT); + sendtxtnumeric(client, "anti-flood::handshake-data-flood::amount: %ld bytes", iConf.handshake_data_flood_amount); + sendtxtnumeric(client, "anti-flood::handshake-data-flood::ban-action: %s", banact_valtostring(iConf.handshake_data_flood_ban_action)); + sendtxtnumeric(client, "anti-flood::handshake-data-flood::ban-time: %s", pretty_time_val(iConf.handshake_data_flood_ban_time)); if (AWAY_PERIOD) - { sendtxtnumeric(client, "anti-flood::away-flood: %d per %s", AWAY_COUNT, pretty_time_val(AWAY_PERIOD)); - } sendtxtnumeric(client, "anti-flood::nick-flood: %d per %s", NICK_COUNT, pretty_time_val(NICK_PERIOD)); sendtxtnumeric(client, "handshake-timeout: %s", pretty_time_val(iConf.handshake_timeout)); sendtxtnumeric(client, "sasl-timeout: %s", pretty_time_val(iConf.sasl_timeout)); diff --git a/src/modules/tkl.c b/src/modules/tkl.c index 4c5387413..fbc48a299 100644 --- a/src/modules/tkl.c +++ b/src/modules/tkl.c 
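Review bot: The `ban-action` test in the `handshake-data-flood` branch of `_test_set` accepts every value that `banact_stringtoval()` recognises, so an operator can pick an action that may not close the flooding connection. `ban_handshake_data_flooder()` in src/parse.c hands the configured value straight to `place_host_ban()`, and its callers return without closing the socket themselves when `killsafely` is not set. How `place_host_ban()` treats each action is not visible in this patch, so this needs confirming; if some actions leave the client connected, reject them here with a `config_error(...)` and `errors++`, the same way `amount` rejects values under 1024. `ban-time` also gets only `CheckNull` and `CheckDuplicate` with no range check, and `_test_set` begins and ends outside this hunk.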
@@ -123,27 +123,27 @@ struct TKLTypeTable */ TKLTypeTable tkl_types[] = { /* */ - { "gline", 'G', TKL_KILL | TKL_GLOBAL, "G-Line", 1, 1 }, - { "kline", 'k', TKL_KILL, "K-Line", 1, 1 }, - { "gzline", 'Z', TKL_ZAP | TKL_GLOBAL, "Global Z-Line", 1, 1 }, - { "zline", 'z', TKL_ZAP, "Z-Line", 1, 1 }, - { "spamfilter", 'F', TKL_SPAMF | TKL_GLOBAL, "Spamfilter", 1, 1 }, - { "qline", 'Q', TKL_NAME | TKL_GLOBAL, "Q-Line", 1, 1 }, - { "except", 'E', TKL_EXCEPTION | TKL_GLOBAL, "Exception", 1, 0 }, - { "shun", 's', TKL_SHUN | TKL_GLOBAL, "Shun", 1, 1 }, - { "local-qline", 'q', TKL_NAME, "Local Q-Line", 1, 0 }, - { "local-spamfilter", 'e', TKL_EXCEPTION, "Local Exception", 1, 0 }, - { "local-exception", 'f', TKL_SPAMF, "Local Spamfilter", 1, 0 }, - { "blacklist", 'b', TKL_BLACKLIST, "Blacklist", 0, 1 }, - { "connect-flood", 'c', TKL_CONNECT_FLOOD, "Connect flood", 0, 1 }, - { "maxperip", 'm', TKL_MAXPERIP, "Max-per-IP", 0, 1 }, - { "unknown-data-flood", 'd', TKL_UNKNOWN_DATA_FLOOD, "Unknown data flood", 0, 1 }, - { "antirandom", 'r', TKL_ANTIRANDOM, "Antirandom", 0, 1 }, - { "antimixedutf8", '8', TKL_ANTIMIXEDUTF8, "Antimixedutf8", 0, 1 }, - { "ban-version", 'v', TKL_BAN_VERSION, "Ban Version", 0, 1 }, - { NULL, '\0', 0, NULL, 0, 0 }, + { "gline", 'G', TKL_KILL | TKL_GLOBAL, "G-Line", 1, 1 }, + { "kline", 'k', TKL_KILL, "K-Line", 1, 1 }, + { "gzline", 'Z', TKL_ZAP | TKL_GLOBAL, "Global Z-Line", 1, 1 }, + { "zline", 'z', TKL_ZAP, "Z-Line", 1, 1 }, + { "spamfilter", 'F', TKL_SPAMF | TKL_GLOBAL, "Spamfilter", 1, 1 }, + { "qline", 'Q', TKL_NAME | TKL_GLOBAL, "Q-Line", 1, 1 }, + { "except", 'E', TKL_EXCEPTION | TKL_GLOBAL, "Exception", 1, 0 }, + { "shun", 's', TKL_SHUN | TKL_GLOBAL, "Shun", 1, 1 }, + { "local-qline", 'q', TKL_NAME, "Local Q-Line", 1, 0 }, + { "local-spamfilter", 'e', TKL_EXCEPTION, "Local Exception", 1, 0 }, + { "local-exception", 'f', TKL_SPAMF, "Local Spamfilter", 1, 0 }, + { "blacklist", 'b', TKL_BLACKLIST, "Blacklist", 0, 1 }, + { "connect-flood", 'c', 
TKL_CONNECT_FLOOD, "Connect flood", 0, 1 }, + { "maxperip", 'm', TKL_MAXPERIP, "Max-per-IP", 0, 1 }, + { "handshake-data-flood", 'd', TKL_HANDSHAKE_DATA_FLOOD, "Handshake data flood", 0, 1 }, + { "antirandom", 'r', TKL_ANTIRANDOM, "Antirandom", 0, 1 }, + { "antimixedutf8", '8', TKL_ANTIMIXEDUTF8, "Antimixedutf8", 0, 1 }, + { "ban-version", 'v', TKL_BAN_VERSION, "Ban Version", 0, 1 }, + { NULL, '\0', 0, NULL, 0, 0 }, }; -#define ALL_VALID_EXCEPTION_TYPES "kline, gline, zline, gzline, spamfilter, shun, qline, blacklist, connect-flood, unknown-data-flood, antirandom, antimixedutf8, ban-version" +#define ALL_VALID_EXCEPTION_TYPES "kline, gline, zline, gzline, spamfilter, shun, qline, blacklist, connect-flood, handshake-data-flood, antirandom, antimixedutf8, ban-version" int max_stats_matches = 1000; @@ -1527,7 +1527,7 @@ void eline_syntax(Client *client) sendnotice(client, "F: Spamfilter"); sendnotice(client, "b: Blacklist checking"); sendnotice(client, "c: Connect flood (bypass set::anti-flood::connect-flood))"); - sendnotice(client, "d: Unknown data flood (no ZLINE on too much data before registration)"); + sendnotice(client, "d: Handshake data flood (no ZLINE on too much data before registration)"); sendnotice(client, "m: Bypass allow::maxperip restriction"); sendnotice(client, "r: Bypass antirandom module"); sendnotice(client, "8: Bypass antimixedutf8 module"); @@ -2645,7 +2645,7 @@ static void add_default_exempts(void) /* The exempted ban types are only ones that will affect other connections as well, * such as gline, and not policy decissions such as maxperip exempt or bypass qlines. * Currently the list is: gline, kline, gzline, zline, shun, blacklist, - * connect-flood, unknown-data-flood. + * connect-flood, handshake-data-flood. */ tkl_add_banexception(TKL_EXCEPTION, "*", "127.*", "localhost is always exempt", "-default-", 0, TStime(), 0, "GkZzsbcd", TKL_FLAG_CONFIG); diff --git a/src/parse.c b/src/parse.c index 33d3af455..717ce1294 100644 --- a/src/parse.c 
+++ b/src/parse.c @@ -35,6 +35,7 @@ static void remove_unknown(Client *, char *); static void parse2(Client *client, Client **fromptr, MessageTag *mtags, char *ch); static void parse_addlag(Client *client, int cmdbytes); static int client_lagged_up(Client *client); +static void ban_handshake_data_flooder(Client *client); /** Put a packet in the client receive queue and process the data (if * the 'fake lag' rules permit doing so). @@ -60,14 +61,13 @@ int process_packet(Client *client, char *readbuf, int length, int killsafely) return 0; /* flood from unknown connection */ - if (IsUnknown(client) && (DBufLength(&client->local->recvQ) > UNKNOWN_FLOOD_AMOUNT*1024)) + if (IsUnknown(client) && (DBufLength(&client->local->recvQ) > iConf.handshake_data_flood_amount)) { - sendto_snomask(SNO_FLOOD, "Flood from unknown connection %s detected", - client->local->sockhost); + sendto_snomask(SNO_FLOOD, "Handshake data flood from %s detected", client->local->sockhost); if (!killsafely) - ban_flooder(client); + ban_handshake_data_flooder(client); else - dead_socket(client, "Flood from unknown connection"); + dead_socket(client, "Handshake data flood detected"); return 0; } @@ -193,11 +193,10 @@ void parse(Client *cptr, char *buffer, int length) if (IsDeadSocket(cptr)) return; - if ((cptr->local->receiveK >= UNKNOWN_FLOOD_AMOUNT) && IsUnknown(cptr)) + if ((cptr->local->receiveK >= iConf.handshake_data_flood_amount/1024) && IsUnknown(cptr)) { - sendto_snomask(SNO_FLOOD, "Flood from unknown connection %s detected", - cptr->local->sockhost); - ban_flooder(cptr); + sendto_snomask(SNO_FLOOD, "Handshake data flood from %s detected", cptr->local->sockhost); + ban_handshake_data_flooder(cptr); return; } 
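Review bot: The two handshake-flood checks no longer agree on the threshold: `process_packet()` compares the receive-queue length with `>` against `iConf.handshake_data_flood_amount`, while `parse()` compares `receiveK` with `>=` against `iConf.handshake_data_flood_amount/1024`, which truncates. The config test accepts any amount of 1024 bytes or more, so a value such as 2047 becomes a limit of 1 in `parse()` and the ban fires at a lower volume than the operator configured. Round up in `parse()`, e.g. `(iConf.handshake_data_flood_amount + 1023) / 1024`, or require a multiple of 1024 in the config test. A short comment on each check saying what it measures (queued bytes versus what appears to be a kilobyte counter) would also help; both functions continue outside their hunks.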
@@ -533,20 +532,20 @@ static void parse2(Client *cptr, Client **fromptr, MessageTag *mtags, char *ch) * Note that "lots" in terms of IRC is a few KB's, since more is rather unusual. * @param client The client. */ -void ban_flooder(Client *client) +static void ban_handshake_data_flooder(Client *client) { - if (find_tkl_exception(TKL_UNKNOWN_DATA_FLOOD, client)) + if (find_tkl_exception(TKL_HANDSHAKE_DATA_FLOOD, client)) { /* If the user is exempt we will still KILL the client, since it is * clearly misbehaving. We just won't ZLINE the host, so it won't * affect any other connections from the same IP address. */ - exit_client(client, NULL, "Flood from unknown connection"); + exit_client(client, NULL, "Handshake data flood detected"); } else { /* place_host_ban also takes care of removing any other clients with same host/ip */ - place_host_ban(client, BAN_ACT_ZLINE, "Flood from unknown connection", UNKNOWN_FLOOD_BANTIME); + place_host_ban(client, iConf.handshake_data_flood_ban_action, "Handshake data flood detected", iConf.handshake_data_flood_ban_time); } }
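Review bot: The comments kept inside `ban_handshake_data_flooder()` still describe a hard-coded ZLINE, although the action now comes from `iConf.handshake_data_flood_ban_action`. The exempt-branch comment ("We just won't ZLINE the host") could read `/* Exempt: only disconnect this client; do not apply the configured ban-action to the host. */`. The comment above `place_host_ban()` ("also takes care of removing any other clients with same host/ip") should be hedged, since that presumably depends on the action chosen. The same "no ZLINE" wording survives in the `eline_syntax()` notice in src/modules/tkl.c and in the help.conf tables. The doc comment above the function starts outside this hunk.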