for "unknown-users" and "known-users".
As a reminder, by default, "known-users" are users who are identified
to services OR are on an IP that has been connected for over 2 hours
in the past X days.
See https://www.unrealircd.org/docs/FAQ#new-anti-flood-block
for more information on the layout of the new block.
NOTE: This actual feature, the relase notes and the documentation
are all work in progress.
I think people will understand both and it is currently rather long.
And a bit confusing too with all the spaces, easy to overlook something eg
in /STATS S where it is being used.
is now 5000 lines / 31 days. For unregistered it is 200 lines / 31 days.
Previous setting was 200 lines / 7 days for both.
Admins can tweak these settings, see:
https://www.unrealircd.org/docs/Set_block#set::history
More code to deal with corner issues will follow later.
UnrealIRCd module coders [!]:
This also changes the channel mode API conv_param. You can use
the UNREAL_VERSION_TIME >= 202120 condition to detect this.
Eg:
#if UNREAL_VERSION_TIME < 202120
int my_conv_param(char *para, Client *client);
#else
int my_conv_param(char *para, Client *client, Channel *channel);
#endif
the file is allowed to no longer exist. This so you can do things
like only connecting an USB stick during UnrealIRCd boot and then
pull it out once booted.
Suggested by Amiga600 in https://bugs.unrealircd.org/view.php?id=5784
This also fixes a bug with log::maxsize on Windows (cannot overwrite
existing file with .old).
It simplifies the logging code a little and makes it a tad more readable.
And it adds an unreal_strftime() function to make things easy.
When booting no log files are open yet as we have not parsed any log { }
entries yet. On *NIX we log to stderr during that stage.
On Windows it varies: when running in GUI mode we save the log to a
buffer and display it after booting in a dialog.
When running as a service on Windows we previously wrote SOME entries
to service.log, but other entries were not logged or shown anywhere.
This makes both GUI and Service-mode on windows log all ircd_log()
calls with LOG_ERROR, instead of only config_status(), config_warn()
and config_error() messages.
This also removes config_progress() which isn't used by anything.
Oh, and it also fixes a memory leak in the Windows boot code, a leak
that nobody would have noticed anyway, but still.
* There are two security groups by default: known-users and unknown-users.
See https://www.unrealircd.org/docs/Security-group_block
* New extended ban ~G:securitygroupname, with the typical usage being
MODE #chan +b ~G:unknown-users, which will ban all users from the
channel that are not identified to services and have a reputation
score below 25.
by armyn in https://bugs.unrealircd.org/view.php?id=5769.
The default behavior in 5.x is to continue matching:
allow { ip *@*; class clients; maxperip 2; }
allow { ip *@*; password "iwantmore"; class clients; maxperip 10; }
This so users who provide a password get additional rights,
such as a higher maxperip or a different class, etc.
If the user connects without a password then we simply continue
to the next block and use the general block with only 2 maxperip.
However, some people want to use passwords to keep other users out.
That is entirely understandable as it is an 'allow block' after all.
For example:
allow { ip *@*; class clients; maxperip 2; }
allow { ip *@*.nl; password "tehdutch"; class clients; maxperip 2; options { reject-on-auth-failure; } }
In this case anyone without the correct password will be rejected access.
That option specified a Diffie Hellman parameter file. Since
UnrealIRCd 5.0.0 we no longer process this option.
This option has never been documented in the wiki docs.
We prefer and use ECDHE/EECDH with SSL_OP_SINGLE_ECDH_USE since 2015
to provide Forward Secrecy in SSL/TLS. And indeed, by now in 2020,
any properly maintained software uses it and old DH(E) usage has
fallen to less than 1%.
What this patch does is remove the unused code (since Dec 2019) and
show a warning if you have a ::dh config directive, so that at least
you are informed that it is unused/ignored. Since it was undocumented
it probably hardly affects anyone, but still, it is proper to inform.
This should be rare, since modes-on-connect is in the example
configuration file with +ixw since 2003, but still... just in
case someone completely misses the modes-on-connect configuration
item, then make sure that we have a safe and good default.
We will extend the option later in UnrealIRCd 5.0.5.
This purely has to do with keeping the changes for 5.0.4 small and
contained since that will be mostly a bug fix release.
Since 5.0.5 will have more configurable options for hide-idle-time, I
have already renamed the single option that is exposed in 5.0.4
to set::hide-idle-time::policy since set::hide-idle-time is a
configuration block now, see docs at:
https://www.unrealircd.org/docs/Set_block#set%3A%3Ahide-idle-time
I think nowadays, with more attention to privacy, we should make this
option settable by users.
See previous commit for more information, or just visit the doc page at
https://www.unrealircd.org/docs/Set_block#set%3A%3Ahide-idle-time
if you want to use a different setting.
form an insecure connection. There we explain a bit on the why and how to
configure some random IRC clients.
This also silently adds support for multi-line messages in
set::plaintext-policy::user-message (for warn) and
set::plaintext-policy::oper-message (for warn and deny).
Remove old option set::ban-include-username and replace it with a more
generic option which defines what target a ban should apply to.
Also add some parts of set::manual-ban-target which will follow soon.
Turning these errors into warnings instead should be fine and makes
the upgrade process (and instructions) easier.
* set::oper-only-stats is now a warning
* except tkl is auto-transformed into except ban and is now a warning
Both warnings contain clear instructions on what to do to get rid of
the warning message.
until you restart the server.
Yeah it's really too much hassle atm to make that particular setting
/rehash'able, this will probably never change.
Fortunately changing that is rather rare. At least printing the
warning should help those users doing it.
* Cannot use include within an @if
..but you can just use an include and then within that file use
an if, to work around it.
* Cannot use loadmodule within an @if
For both this is because include & loadmodule are processed before
the rest. I think most people will be fine with those restrictions,
though.
reported in https://bugs.unrealircd.org/view.php?id=5281
It was not removing parts properly if an if didn't match,
leading to a use-after-free bug on-boot (or on rehash).
In the process I renamed config_entry_free to config_entry_free_all
since that is what it does. And I created a new config_entry_free(ce)
to free only 'ce' stuff... which is what we want from the
preprocessor.