See https://www.unrealircd.org/docs/Extended_server_bans
Examples with ELINE:
/ELINE ~a:TrustedAccount kg 0 This user can bypass kline/gline when using SASL
/ELINE ~S:1234567890abcdef1234567890abcdef1234567890abcdef1234567890abcdef kgf 0 Trusted user with this certificate fingerprint
It also works with bans, although this would be less common:
/GLINE ~a:EvilAccount
A more useful purpose would be to use ~r (realname):
/GLINE ~r:*some*stupid*real*name*
(Although you could already ban realnames via spamfilter 'u')
For third party module coders:
If you have an extban in group 3 (a "matcher"-extban) then you
can opt-in to support this. You do so at extban registration time:
req.options = EXTBOPT_TKL;
or, if you already had another flag set, like for +I, then:
req.options = EXTBOPT_INVEX|EXTBOPT_TKL;
In any case, you set the .options before you call ExtbanAdd().
Note that if you do indicate support then your is_ok function
will be called like:
extban->is_ok(client, NULL, mask, EXBCHK_PARAM, MODE_ADD, EXBTYPE_TKL);
Important here is the NULL channel (since there is none)
Similarly your is_banned function will be called with BANCHK_CONNECT:
extban->is_banned(client, NULL, banstr, BANCHK_JOIN, &msg, &errmsg);
Here too, it is important to note that channel is NULL.
In the configuration item you can now achieve the same via:
except ban { mask 1.2.3.4; type maxperip; }
Or even:
except ban { mask { 1.2.3.4; 8.8.8.8; }; type maxperip; }
etc.
Suggested by The_Myth in https://bugs.unrealircd.org/view.php?id=5507
Also, fixed an issue where the IRCd was counting servers as
clients for maxperip, which doesn't make much sense in practice,
so it only counts users now.
just like hooks now. Yeah we've messed up a few times by now.
Seems only Gottem uses them :D
So now it would call for example: prio -10, prio 0, 10, 20, cmd.
This matches the behavior of hook priorities (and swhois etc.)
session after a 15 seconds timeout. The exact timeout value can be
changed by adjusting set::sasl-timeout, which should be (quite a bit)
less than set::handshake-timeout by the way. 15<30 now, so fine.
This so I - and others - don't constantly have to wonder whether the client
is called sptr, cptr or acptr in a simple routine.
Insane --> 212 files changed, 6814 insertions(+), 6945 deletions(-)
Couldn't just mass-replace of course since there are places where there
are multiple clients involved. So had to check each function.
Also renamed some 'acptr' to 'target' and such.
I will write a page with new style rules later.. but in short if there is
only 1 client involved it will now be called 'client'.
anymore if you run latest anope 2.0.6. You need the fix from Feb 9, 2019:
https://github.com/anope/anope/commit/da6e2730c259d6d6356a0a948e85730ae34663ab
(.. which also fixes SASL problems with anope + UnrealIRCd 4 by the way)
or just run anope latest git (2.0 branch).
Not sure about atheme... should test this.
Technical details: we used a pseudo ID / sasl cookie until recently,
this has always been planned to be phased out when we got UID's.
I didn't phase it out in U4 (but could have done so) but just did now in U5.
This simplifies everything as now you can just refer from the services
side to the user with the UID/SID. This also makes it so services can now
target the user in other functions as well, like NOTICE.
(Feel free to request other functions if something isn't working)
Merge check_init and AllowClient into one single AllowClient()
and make it use the more logic 1 and 0 return values for allow / deny.
Similarly, use logic 1 / 0 return values for verify_link.
Module coders:
HOOKTYPE_CHECK_INIT and HOOKTYPE_PRE_LOCAL_CONNECT, changed the
return value, you should now use HOOK_*, eg HOOK_DENY to stop
processing (eg client killed).
code changes in UnrealIRCd itself:
1) Clients are no longer freed directly by exit_client. Most fields
are freed, but 'sptr' itself is not, so you can use IsDead() on it.
2) exit_client now returns void rather than int
3) ALL command functions return void rather than int.
Of course this also affects do_cmd, command overrides, etc.
This is a direct consequence of the removal of 'cptr' earlier, as that
was used to signal certain things that are now no longer possible
(and it raises the question if things were always correctly signaled
in the first place, so may fix some bugs).
It also makes the code more resillient against cases where you forgot
to check if the client was freed. Still, you are encouraged to do an
IsDead(sptr) if you are calling functions that may kill clients,
such as command functions or things that may use spamfilter.
More changes will follow, such as the removal of FLUSH_BUFFER.
'sptr' is sufficient and in most cases the only one you should care about.
Should you need it, you can access sptr->direction in cases where you
need the old information (usually only for some sendto_* functions
and some protoctl checks), so 'cptr' was redundant too.
[!] This change likely introduces some bugs. This was many hours of work.
I only cut some corners in 4 functions, which will be fixed at a later
stage..... yes, more major changes to come.
On the plus side, I likely fixed some bugs in the process. Situations
where cptr vs sptr usage was incorrect. Eg using cptr->name (near server)
when sptr->name should be used (the actual source server), etc....
how you use websockets in the configuration file:
In addition to loading the websocket module you now ALSO have to mark
specific listen blocks with listen::options::websocket, and you have
to specify a type as well. Example:
listen {
ip *;
port 1234;
options {
websocket { type binary; }
}
}
The type 'text' is compatible with kiwi although this is currently
completely untested. Also I should add something to the release notes
about this change. Tomorrow...
to be a bit less ugly. The module is loaded by default so you can
still use set::options::identd-check like before, even though I
hate ident... it's old shit... still, other's seem to like it.
More changes will follow later. There is still some ident stuff
in the core at the moment and the module is currently PERM, which
largely (but not entirely) defeats the purpose of being a module.
That will be fixed at a later time as well.
Bram Matthys