The extban module API is used behind the scenes. To the server admin
the functionality appears in a more natural way:
account { <list>; };
country { <list>; };
realname { <list>; };
certfp { <list>; };
In the same way, they appear as exclude-xxx options too:
exclude-account { <list>; };
exclude-country { <list>; };
exclude-realname { <list>; };
exclude-certfp { <list>; };
Modules can add additional fields (3rd party modules too!).
Module coders:
See src/modules/extbans/realname.c for a simple example. In short:
1) You need to register your extban in both MOD_TEST and MOD_INIT
2) Other than that, the existing rules for extended server bans apply:
a) Your req.is_banned_events needs to include BANCHK_TKL
b) Your req.options needs to include EXTBOPT_TKL
Be advised that for modules that are called in extended server bans
the client may be missing several fields, for example client->user could
be NULL, so be careful with accessing everything in your module.
It was missing for a lot of extbans (removing too little) and
for ~t it was removing too much (eg quiet bans).
Bug reported and changes suggested by k4be.
Coders:
Setting extban.options to EXTBOPT_CHSVSMODE has no effect anymore,
just didn't want to remove it so modules would still compile.
We now purely match based on .is_banned_events including BANCHK_JOIN.
* Now ban_check_types (previously checktype):
this is one or more of BANCHK_* OR'd together, eg BANCHK_JOIN, BANCHK_MSG..
* Now ban_type (previously what2):
this is the type of the ban, eg EXBTYPE_BAN, EXBTYPE_EXCEPT, etc.
* Now is_ok_check (previously is_ok_checktype)
this is one of EXBCHK_* for is_ok, eg EXBCHK_PARAM to check parameter.
can't have dependencies, so if you change a .h file, it fails to
recompile the other dependencies. Grmpf!
This does mean that we require GNU Make (gmake) from now on.
which BANCHK_* events you want to listen, eg BANCHK_JOIN, BANCHK_MSG.
You can use BANCHK_ALL to watch on all events.
Only BANCHK_TKL is not included there and needs an explicit
BANCHK_ALL|BANCHK_TKL.
The caller will now take care of BANCHK_* filtering so we won't
waste any CPU on calling an is_banned() function that isn't
interested at all in the event that we have.
Also, no longer require an extban->is_banned function, since some
extbans don't use it. This too saves useless calls.
The .conv_param() now receives the ban minus the ~own-extban.
And it should also return the part minus the ~own-extban.
Changes to findmod_by_bantype():
1) Takes a string now, rather than a single char value,
so it is ready for named extbans.
2) Second parameter added so you can easily jump to the remainder.
Eg:
extban = findmod_by_bantype(b->banstr, &nextbanstr);
[..check if extban is non-NULL and then..]
b->banstr = nextbanstr;
When extban->is_ok() is called the banstr now no longer points
to "~x:something" but to "something".
Just like we did for extban->is_banned().
Again, need this for later too...
Just as a reminder: don't blindly assume that if anything is set here
that the user is logged in, there is IsLoggedIn(client) for that.
Reason: if the account name starts with a digit or is "*" then the
user isn't actually logged in ;)
~a:0: match all unauthenticated users
~a:*: match all authenticated users
~a:SomeUser: match only SomeUser, also allow wildcards here, even
though that is usually a very bad idea :D
* There are two security groups by default: known-users and unknown-users.
See https://www.unrealircd.org/docs/Security-group_block
* New extended ban ~G:securitygroupname, with the typical usage being
MODE #chan +b ~G:unknown-users, which will ban all users from the
channel that are not identified to services and have a reputation
score below 25.
Reported by Adanaran in https://bugs.unrealircd.org/view.php?id=5698
Although voiced users normally bypass bans, it is not really logical
for them to bypass filtering of banned words, since that is normally
a policy decission by channel management. So +v will not bypass it.
1) The problem is that this is enforced at the ban layer API. The extban
routines, textban in this case, are not called when the user is voiced,
because voiced users bypass bans. If we would change that in the ban API
then voiced users can also no longer talk through (=bypass) regular +b or
other extended +b such as ~a (account) etc.
2) I figured we would then make +T not use the ban API but the
can_send_to_channel hook instead. However, then you have to do manual
looping through bans and such, it's rather ugly from a coding point of view,
and you risk "missing" things like ~T stacked with ~t.
3) Then I went back to look if the ban API could be changed by having the
textban module set a flag and then the ban api would call that specific
module still for voiced users. While starting on that, unfortunately things
(variables, arguments) cascaded quickly into having to change all kinds of
underlying functions that would break the module API.
4) I then went back to option 2 and implemented it, trying to deal
with all its caveats.
See https://www.unrealircd.org/docs/Extended_server_bans
Examples with ELINE:
/ELINE ~a:TrustedAccount kg 0 This user can bypass kline/gline when using SASL
/ELINE ~S:1234567890abcdef1234567890abcdef1234567890abcdef1234567890abcdef kgf 0 Trusted user with this certificate fingerprint
It also works with bans, although this would be less common:
/GLINE ~a:EvilAccount
A more useful purpose would be to use ~r (realname):
/GLINE ~r:*some*stupid*real*name*
(Although you could already ban realnames via spamfilter 'u')
For third party module coders:
If you have an extban in group 3 (a "matcher"-extban) then you
can opt-in to support this. You do so at extban registration time:
req.options = EXTBOPT_TKL;
or, if you already had another flag set, like for +I, then:
req.options = EXTBOPT_INVEX|EXTBOPT_TKL;
In any case, you set the .options before you call ExtbanAdd().
Note that if you do indicate support then your is_ok function
will be called like:
extban->is_ok(client, NULL, mask, EXBCHK_PARAM, MODE_ADD, EXBTYPE_TKL);
Important here is the NULL channel (since there is none)
Similarly your is_banned function will be called with BANCHK_CONNECT:
extban->is_banned(client, NULL, banstr, BANCHK_JOIN, &msg, &errmsg);
Here too, it is important to note that channel is NULL.
than scattered checks - which are sometimes different - everywhere in
the source code.
Also extban handler "is_ok" was being called with EXBTYPE_EXCEPT
rather than EXBTYPE_INVEX for +I. (Not reported by anyone)
deal with servers with different set::allowed-channelchars settings:
* We reject the link if set::allowed-channelchars settings differ between
UnrealIRCd 5 servers.
* For the case where you have a mixed network consisting of UnrealIRCd 4.x
and UnrealIRCd 5.x servers we try not to desync, BUT will not allow
anyone to join the invalid channels locally. For IRCOps a message is
printed with additional information on such a failed JOIN attempt.
See https://www.unrealircd.org/docs/Set_block#set::allowed-channelchars
for the different settings, which are best and U4<->U5 advice.