1
0
mirror of https://github.com/unrealircd/unrealircd.git synced 2026-07-08 22:43:13 +02:00
Commit Graph

9187 Commits

Author SHA1 Message Date
Bram Matthys 7ff4a3e897 Add the promised support of security group functionality in except ban { }
So now the example in the release notes actually works:
except ban {
    mask { security-group irccloud; }
    type { blacklist; connect-flood; handshake-data-flood; }
}
2022-05-25 08:01:05 +02:00
Bram Matthys d8ff86e739 Fix for compiling on Windows
[skip ci]
2022-05-23 18:48:10 +02:00
Bram Matthys 3ee199fb6f Makefile.windows: add securitygroup.obj
[skip ci]
2022-05-23 17:42:43 +02:00
Bram Matthys b6843488a9 Update release notes
[skip ci]
2022-05-23 14:29:49 +02:00
Bram Matthys b4ac25fba6 Update release notes with all the work that has been done.
[skip ci]
2022-05-23 14:25:40 +02:00
Bram Matthys e8fbe461f0 Document JSON logging changes of today
[skip ci]
2022-05-23 12:56:21 +02:00
Bram Matthys 35b2579dcb Fix compiler warning 2022-05-23 12:55:48 +02:00
Bram Matthys 60eba7c501 Add to JSON logging output, for users: "channels"
The list of channels (which is an array) is limited to a total
of 384 characters after JSON expansion. If it is limited then
the last item will be "...".
2022-05-23 12:45:27 +02:00
Bram Matthys 7280ffdc57 Add to JSON logging output, for users: "idle_since".
Suggested by westor in https://bugs.unrealircd.org/view.php?id=6083

For technical reasons this field is only available for local users.
2022-05-23 11:53:58 +02:00
Bram Matthys af8418fb3e Add to JSON logging output, for users: "vhost" and "cloakedhost"
Suggested by westor in https://bugs.unrealircd.org/view.php?id=6083

The "vhost" field is added if the visible host of the user differs
from the real hostname, such as +x with cloaking or +xt with a vhost.

The "cloakedhost" is always included, even if the user does not
currently have a cloaked host at all (eg is -x or using a vhost).

Both make it easier to search log files based on user reports.
Eg a user mentions a vhost or cloaked host from their user logs
and then a server admin searches the UnrealIRCd logs on this to
retrieve the real host / ip / user based on that.
2022-05-23 11:31:56 +02:00
Bram Matthys c04ad96357 Add to JSON logging output: "geoip" with subitem "country_code".
Suggested by westor in https://bugs.unrealircd.org/view.php?id=6083

(It is not under "user" because the info can be useful before someone
 is considered a user, eg when flooding/rejected/etc)
2022-05-23 11:20:59 +02:00
Bram Matthys 0f7555e4c5 Add to JSON logging output: "tls" with subitems "cipher" and "certfp".
Suggested by westor in https://bugs.unrealircd.org/view.php?id=6083

(It is not under "user" because it is for servers too)
2022-05-23 11:07:08 +02:00
Bram Matthys 16264e944f Add HOOKTYPE_JSON_EXPAND_CLIENT etc. so modules can add more fields when
clients etc. are expanded in the logging routines.

HOOKTYPE_JSON_EXPAND_CLIENT - for all clients
HOOKTYPE_JSON_EXPAND_CLIENT_USER - for clients that are users
HOOKTYPE_JSON_EXPAND_CLIENT_SERVER - for clients that are servers
HOOKTYPE_JSON_EXPAND_CHANNEL - for channels
2022-05-23 11:02:05 +02:00
Bram Matthys 7740d64042 Limit individual JSON strings to 512 bytes and call StripControlCodes()
on each string. Note that the entire JSON dump may still be much larger,
this is just about each individual string item within an object.

This commit also adds a more flexible StripControlCodesEx() function
to the core (which is used by the logging system), the existing
StripControlCodes() function is unchanged and can still be used.

+/** Strip color, bold, underline, and reverse codes from a string.
+ * @param text                 The input text
+ * @param output               The buffer for the output text
+ * @param outputlen            The length of the output buffer
+ * @param strip_all_low_ascii  If set to 1 then all ASCII < 32 is stripped
+ *                             (the ASCII control codes), otherwise we only
+ *                             strip the IRC control- and color codes.
+ * @returns The new string, which will be 'output', or in unusual cases (outputlen==0) will be NULL.
+ */
+const char *StripControlCodesEx(const char *text, char *output, size_t outputlen, int strip_all_low_ascii)
 {
2022-05-23 10:35:52 +02:00
Bram Matthys 3fbdb7fd4b Move StripControlCodes() from message.c to misc.c.
Because I need in the core (again) due to early calls / calls during
rehashes / etc...
2022-05-23 10:10:47 +02:00
Bram Matthys 8c1a858d2e Fix crash on empty set::default-ipv6-clone-mask in config file.
set { default-ipv6-clone-mask; }
2022-05-23 08:36:25 +02:00
westor 111ab9fada Show [shunned] in connect oper notice (#206)
When someone is trying to connect and he/she is shunned , it will be displayed on connection server notice, yeah sometimes it might be helpful, why not..

Suggested by armyn https://bugs.unrealircd.org/view.php?id=6106
2022-05-23 08:18:49 +02:00
Bram Matthys 9075e2fa70 Move all the security group and mask code to src/securitygroup.c 2022-05-16 13:54:52 +02:00
Bram Matthys 5d9a201df8 Don't show security-groups of ulines like NickServ (since it is irrelevant anyway).
Reported by Lord255.
2022-05-16 11:22:57 +02:00
Bram Matthys 5443dff327 Clarify in release notes that the country value is a country code
Reported by westor
[skip ci]
2022-05-16 10:46:54 +02:00
Bram Matthys c09d2e40a3 Update release notes a bit: better markdown, improve TLD example,
mention the 5 modules that now have an ::except which is also a mask item.
[skip ci]
2022-05-16 10:37:22 +02:00
Bram Matthys 2108bb48fa Run labeled-response through the quick path. 2022-05-16 09:53:23 +02:00
Bram Matthys 519d027a62 Fix geoip_base_unserialize() check being the wrong way around.
Could have caused a memory leak but likely did not happen at all
in practice.
2022-05-15 19:34:46 +02:00
Bram Matthys c037486263 Add blacklist::except for exempting users from individual blacklists,
this is a https://www.unrealircd.org/docs/Mask_item so very flexible.

Note that most people would want to use except ban { } instead to
simply exempt from ALL blacklists. (that one does not yet have the
flexible mask capability though.. but it wil have it soon..)
2022-05-15 15:13:19 +02:00
Bram Matthys fc79cbb3f0 Fix memory leak in new security group code from past 48hrs 2022-05-15 07:50:40 +02:00
Bram Matthys 0b45e34e62 Simplifly RPL_HOSTHIDDEN notification.
Pretty much everywhere we had:
0001 userhost_changed(client);
0002 if (MyUser(client))
0003         sendnumeric(client, RPL_HOSTHIDDEN, client->user->virthost);

Lines 2-3 are now integrated in userhost_changed().

Also fix two issues with CHGHOST in make_oper():
* if user was -x, modes had +x and a vhost, it would send the cloaked
  host in the original vhost, while it should have been the real host
* if user was -x and went +x without vhost (so only uncloaked to cloaked)
  then no CHGHOST message was sent at all
2022-05-15 07:45:00 +02:00
Bram Matthys b52c6406de ExtbanAdd(): remove remaining NULL checks for 'module'. It is never NULL. 2022-05-15 06:52:44 +02:00
Bram Matthys a1c8292a1d Fix incorrect sizeof() in commit from yesterday. 2022-05-15 06:49:58 +02:00
Bram Matthys c25582bff2 Mention that this is work in progress
[skip ci]
2022-05-14 19:11:53 +02:00
Bram Matthys 9e0340d4c1 Change restrict-commands to use ::except which is a
https://www.unrealircd.org/docs/Mask_item so has more functionality.

The old style config still works and UnrealIRCd won't complain
about it for now.
2022-05-14 18:50:24 +02:00
Bram Matthys 517d93bea8 Fix crash / support NULL secgroup in user_allowed_by_security_group() 2022-05-14 16:29:38 +02:00
Bram Matthys 5f3931b08d Update modules.optional.conf so it actually loads.
Also fix ::mask style II.
2022-05-14 15:40:09 +02:00
Bram Matthys 3241338cf3 Add set::connthrottle::except, which is a mask item.
Automatically convert the old options ::sasl-bypass, ::webirc-bypass
and ::minimum-reputation-score, so nobody needs to update their config.

The example.conf has been updated.
2022-05-14 15:31:30 +02:00
Bram Matthys 915b603a6a Add set::antirandom::except, which is a mask item.
Automatically convert the old style ::except-hosts and ::except-webirc
so nobody needs to update their config.
2022-05-14 15:17:29 +02:00
Bram Matthys f0ddbdaa44 Add set::antimixedutf8::except, which is a mask item too. 2022-05-14 15:07:33 +02:00
Bram Matthys 1626fda1ef Fix extbans on IRC not working due to latest changes. 2022-05-14 09:21:11 +02:00
Bram Matthys caabfe14e1 Document and give examples in release notes for new mask and security-group functionality. 2022-05-14 09:03:34 +02:00
Bram Matthys 4de3d512b8 Integrate security-group functionality in allow channel::mask and
deny channel::mask.
2022-05-14 08:36:19 +02:00
Bram Matthys e09470b0bd Integrate security-group functionality in link::incoming::mask. 2022-05-14 08:28:26 +02:00
Bram Matthys 67fdd63bc3 Integrate security-group functionality in vhost::mask. 2022-05-14 08:19:05 +02:00
Bram Matthys 8dff79ece2 Fix small memory leak on REHASH when tld block is used, ::mask was not freed.
(this leak was already there, it is unrelated to the activity of last 24hrs)
2022-05-14 08:13:53 +02:00
Bram Matthys ec4df2da7d Integrate security-group functionality in tld::mask. 2022-05-14 08:10:20 +02:00
Bram Matthys 759908ba3a Integrate security-group functionality in oper::mask. 2022-05-14 08:03:12 +02:00
Bram Matthys 510b4b5505 Integrate security-group functionality in allow::mask.
(Also call it allow::match in the future, but accept allow::mask still)

This is the first of several commits to convert all ::mask items.
See https://www.unrealircd.org/docs/Mask_item for the consequences.
In short, you can now use all of the security-group items directly
in a mask, eg:
allow {
    mask { account TrustedUser; }
    class clients;
    maxperip 10;
}
2022-05-14 07:51:51 +02:00
Bram Matthys 10bddc1232 Extended server bans are now more clearly exposed in security-group { }.
The extban module API is used behind the scenes. To the server admin
the functionality appears in a more natural way:
        account { <list>; };
        country { <list>; };
        realname { <list>; };
        certfp { <list>; };
In the same way, they appear as exclude-xxx options too:
        exclude-account { <list>; };
        exclude-country { <list>; };
        exclude-realname { <list>; };
        exclude-certfp { <list>; };

Modules can add additional fields (3rd party modules too!).

Module coders:
See src/modules/extbans/realname.c for a simple example. In short:
1) You need to register your extban in both MOD_TEST and MOD_INIT
2) Other than that, the existing rules for extended server bans apply:
   a) Your req.is_banned_events needs to include BANCHK_TKL
   b) Your req.options needs to include EXTBOPT_TKL
Be advised that for modules that are called in extended server bans
the client may be missing several fields, for example client->user could
be NULL, so be careful with accessing everything in your module.
2022-05-13 20:13:34 +02:00
Bram Matthys 378f1f0044 Split up security-group code for later code re-use. 2022-05-13 14:37:56 +02:00
Bram Matthys efa7fea88e Rename security-group::include-mask to ::mask. Both will work though for
a long long time. Change done to make it consistent with the rest.
2022-05-13 14:11:00 +02:00
Bram Matthys a544001eeb Add security-group::security-group, this as a shorthand for
security-group { mask ~security-group:xyz; }

Module coders (again, slightly unrelated):
Added unreal_add_names() function which can be used to transform
a list of names in the config to a linked list (NameList).
2022-05-13 14:07:05 +02:00
Bram Matthys 6751b066ab Prevent infinite loop (crash due to out of stack) when processing a
security group that references another (or itself), eg:
security-group abc {
	include-mask ~security-group:abc;
}
We now give up after a recursion depth of >8 and log a warning.
2022-05-13 13:37:48 +02:00
Bram Matthys de61fc4b50 Add connect-time to security-group, so you can match on how long a client has
been connected to IRC. See https://www.unrealircd.org/docs/Security-group_block

Slightly unrelated, for modules coders: new function get_connected_time(),
to see how long a client has been online. This works for local clients, in
which case it would just return TStime()-client->local->creationtime.
It also works for remote clients, for which it will use the newly added
"creationtime" moddata (commit f1a18ce37e),
so the info is only available for remote clients on newer servers.
If the info cannot be found it will return 0 (zero).
2022-05-13 13:23:02 +02:00