1
0
mirror of https://github.com/unrealircd/unrealircd.git synced 2026-07-01 12:46:38 +02:00
Commit Graph

914 Commits

Author SHA1 Message Date
Bram Matthys ce47440abd Make config_detect_duplicate() externally accessible. Fix some coverity warnings,
mostly with regards to memory leaks if duplicate config directives are used.
Eg using allow::password twice in the same allow block, or using
link::outgoing::tls-options twice in the same link block. Unusual stuff.
2025-01-26 13:23:32 +01:00
Bram Matthys 42caa34b5c Fix small memory leak if running in DEBUGMODE (mostly for me :D). 2024-12-11 18:25:55 +01:00
Bram Matthys 1f57a606a4 Make binarytohex() from src/misc.c available and use it in certfp code. 2024-11-27 12:37:27 +01:00
Bram Matthys 9a2d54cd01 Support $variables in oper::vhost (for variables see previous commit)
Eg: vhost "$operlogin@$operclass.example.net";

Also add potentially_valid_vhost() function which can be used in
config code to ignore invalid $vars. Then at runtime you use the
real valid_vhost() function after variable expansion by
unreal_expand_string().
2024-09-20 17:26:16 +02:00
Bram Matthys 4557036cd6 Move unreal_expand_string() to an efunc so all code can access it
and use it not only from vhost { } block code but also for like
blacklist::reason.

This so the same variables with the same names are available at
those places.

Supported are:
$nick, $username, $realname, $ip, $hostname, $server, $account,
$operlogin, $operclass, $country_code (xx for unknown),
$asn (0 for unknown).
2024-09-20 17:13:23 +02:00
Bram Matthys fe751fdc9d Move all vhost { } block handling to vhost module.
* Convert to use module-based config handling
* Split part of VHOST command into do_vhost() for later
* Use AppendListItem instead of AddListItem so they are in config-order.
  This is not really important atm but will matter later if we go auto.
* No other code changes at this point
2024-09-20 14:45:52 +02:00
Bram Matthys c39d763e00 Move 416 lines from src/misc.c to src/modules/quit.c: exit_client() etc.
This so if there is ever an issue, we can hot-patch it. This affects
exit_client(), exit_client_fmt(), exit_client_ex(), banned_client(),
and various (internal) help functions.

This also means you cannot call these functions during TEST/INIT (eg
during REHASH) since the 'quit' module which provides these modules
may not be loaded yet. I don't think that's a situation/problem but
this needs some more testing.
2024-09-15 17:45:25 +02:00
Bram Matthys 2ef39497c7 Similar to previous commit, move maxperip stuff from core to module.
This was in src/hash.c, src/list.c and src/modules/stats.c.
Now all in src/modules/nick.c... or should this go into a new module?

Again, this needs some more testing, like previous commit.
2024-09-14 20:18:22 +02:00
Bram Matthys 710afe7cc7 Move throttling code from src/hash.c to src/modules/connect-flood.c
Better to have this all in one place. Though, must admit, the
config checking is still in src/conf.c and a bit of a hassle to move.

Some testing may be wise to see if everything still works ;)
2024-09-14 19:55:43 +02:00
Bram Matthys fdfe5ba482 Remove raw_client_ip() since we now have client->rawip. 2024-09-14 19:19:21 +02:00
Bram Matthys ee1d6818b4 Add +b/+e/+I ~inherit:#channel to inherit channel bans from another channel
Several notes:
* This only checks on-JOIN (not on nick change, message, etc)
  for performance reasons
* If the #channel in ~inherit:#channel also contains ~inherit
  entries then those are not processed (no recursion and no looping)
* Only a limited number of ~inherit entries is permitted.
  This will be moved to set:: items in a future commit so you
  can set different amounts for +b/+e/+I ~inherit.
* This is work in progress, UnrealIRCd or the entire world could explode
* Documentation will follow later

Developers:
* Sadly, clean_ban_mask() needed to be changed to have two more
  parameters, 'ban_type' and 'channel' were added at different positions.
  This because the module needs the ban type (EXBTYPE_BAN, EXBTYPE_EXCEPT,
  EXBTYPE_INVEX) and channel because it rejects based on number of
  existing ~inherit entries in the channel... and while is_ok() is called
  for local clients and has all this information, for services clients
  is_ok() is not called so the only way to reject the +beI is through
  xxx_conv_param() which comes from clean_ban_mask().
2024-09-07 21:02:15 +02:00
Bram Matthys 4f3e524602 Add function set_client_ip() and call HOOKTYPE_IP_CHANGE there if needed.
This to replace the scattered IP setting. It is very important to always
use set_client_ip() from this point. Everywhere!

Also, in addition to client->ip, this adds client->rawip that contains
the IP in network byte order. In older UnrealIRCd versions we always had
the raw IP but not the IP as a string, so we moved to IP as a string,
but it can be useful to have both in terms of optimizations.
Of course, then the client->ip and client->rawip always need to 100% match,
hence the set_client_ip().

This also changes IsIPV6() to do A BUGFIX, it changes it from:
* if local user is the user connected over IPv6? Otherwise, does it have ':' in the IP?
To:
* check if the IPv6 flag is set (which is set if IP contains ':')
This may seem insignificant but it means that for spoofed IP addresses,
such as WEBIRC or transparant proxy, we use the correct transport.
Previously, if the proxy was IPv6 then even if the spoofed user was using
IPv4, the ident check would still be tried over IPv6. That sort of fun.
From now in, in such a situation client->local->socket_type will be
SOCKET_TYPE_IPV6 but since client->ip (and rawip) will contain IPv4
the IsIPV6() will actually return false, as it should be.

Also, in the HOOKTYPE_IP_CHANGE, enforce that if HOOK_DENY is returned,
the the user is killed by dead_link(). The user must be killed because
that is what we expect, and you cannot use exit_client() because from
some code paths that would be too much freed structures / hassle,
as a comment in src/modules/connect-flood.c correctly states:
/* There are two reasons why we can't use exit_client() here:
 * 1) Because the HOOKTYPE_IP_CHANGE call may be too deep.
 *    Eg: read_packet -> webserver_packet_in ->
 *    webserver_handle_request_header -> webserver_handle_request ->
 *    RunHook().... and then returning without touching anything
 *    after an exit_client() would not be feasible.
 * 2) Because in HOOKTYPE_ACCEPT we always need to use dead_socket
 *    if we want to print a friendly message to TLS users.
 */
2024-07-20 12:22:26 +02:00
Bram Matthys e5e000508e UNIX sockets: show in boot screen and properly when adding/removing listen block
Was previously shown as like :0 when removing/adding a listen block
with a UNIX socket. Now shows the file, as you would expect.

And in the boot screen it was like:
[info] IPv4: 127.0.0.1:6697(TLS), 127.0.0.1:6667
[info] IPv6: *:6667, *:6697(TLS)
And now also:
[info] Unix Sockets: /home/unrealircd/unrealircd/data/rpc.socket
2024-07-13 08:11:54 +02:00
Bram Matthys e03a5dfd5f Support ::destination and ::exclude-destination in security groups / mask items
at selected places (there needs to be explicit code in place to handle this).
At the moment it is supported at two places only:
* For spamfilters (was already possible via crules via ::rule with
  a destination('xyz') but now non-crule destination "#xyz"; works as well, eg:
  spamfilter {
          ...
          except {
                  destination "#main";
          }
  }
  Note that if you want to exempt a destination in all spamfilters,
  we already have set::spamfilter::except for that!
* In restrict commands for like channel-message and such:
  set {
          restrict-commands {
                  channel-message {
                          except {
                                  connect-time 600;
                                  destination "#test";
                          }
                  }
           }
  }

Allow passing a crule_context via user_allowed_by_security_group_context()
and make user_allowed_by_security_group() call that.

Actually document spamfilter::except online in the docs (yeah you
won't see it in this commit, just mentioning...)

And yeah, by now i wonder if we should really call it crule_context
since it is more like a security group matching context, but.. whatever.
2024-07-06 09:16:53 +02:00
Bram Matthys 0b7162f3cf Free old operclass blocks on REHASH (memory leak)
This wasn't caught by Address Sanitizer because we simply never removed
it from the linked list, and thus it was a reachable pointer.

Found this bug when adding the rpc-class { } stuff.
2024-07-05 11:11:13 +02:00
Bram Matthys b9de933378 Similar to oper and operclass, this adds an rpc-class block.
This so you can restrict the JSON Methods that can be called, eg:

rpc-class limited {
    privileges {
        server { list; get; }
        channel { list; get; }
        user { list; get; }
    }
}

rpc-user xyz {
    match { ip 127.0.0.1; }
    password "test";
    rpc-class limited;
}

NOTE: This is work in progress
1) Things are NOT yet fully contained, as i need to lock down
   rpc.add_timer still :)
2) Some more work, eg rpc.info would be nice to show some
   information about the restriction (??)
3) Need to fix a memory leak
4) Possibly more
2024-07-05 10:21:45 +02:00
Bram Matthys bc7c69dd20 Make ban user::mask and require authentication::mask a Mask item. Finally.
As requested in
https://bugs.unrealircd.org/view.php?id=6159 by PeGaSuS
https://bugs.unrealircd.org/view.php?id=6319 by BlackBishop
https://bugs.unrealircd.org/view.php?id=6397 by Valware

The mask item https://www.unrealircd.org/docs/Mask_item
means you can use all the power of mask items and security groups and
multiple matching criteria.

This requires a bit more testing as username/hostname are NULL now
so some code paths may have to be adjusted. The function call to add
server bans has changed too. And, really need to check that soft bans
are not broken... because they might be ;D
2024-06-30 19:06:37 +02:00
Bram Matthys f6643f283c Support spamreport::url for type central-spamreport too.
This so you can get the same spamreport data to your own custom system.
It works similar to set::central-blocklist::url but then on a
spamreport { } basis which is better, since then you can still
submit to UnrealIRCd central spamreport too.

So you can have two blocks:
spamreport unrealircd { type central-spamreport; }
spamreport custom { type central-spamreport; url 'https://www.example.org/xyz'; }

And then a /SPAMREPORT or 'report;' action will report it to BOTH.

Requested by Chris
2024-06-26 14:01:13 +02:00
Bram Matthys 3c3d8a5605 Add user_matches_extended_server_ban() which works similar to
match_user_extended_server_ban except that it works by name/value.

This can then be used by crules or in other mods, like:
user_matches_extended_server_ban(client, "country", "NL");

If the performance impact isn't too bad (of the extra work) then
this prevents duplicate code in the handler for things like
that: account, country, certfp, and whatever we add in the future..
2024-05-20 08:54:53 +02:00
Bram Matthys c3a7ed2c99 These efuncs need to be MODVAR (dllimport) for Windows... 2024-05-15 17:15:32 +02:00
Bram Matthys e12559ad78 Allow modules to provide SASL locally, by hooking into AUTHENTICATE.
Note that this is still a dumb interface and not a real proper
authentication framework.

This adds HOOKTYPE_SASL_AUTHENTICATE and HOOKTYPE_SASL_MECHS and
also provides 3 functions: sasl_succeeded(), sasl_failed() and
a helper function decode_authenticate_plain() for AUTHENTICATE PLAIN.
2024-05-13 13:23:59 +02:00
Bram Matthys e9da1a867b Using @if with a variable like @if $VAR == "something" was always false.
Reported by BlackBishop.

This rename free_config_defines() to init_config_defines and calls it from
config_read_start() so caller doesn't have to think about it.
2024-05-06 09:22:53 +02:00
Bram Matthys fb2381b1ad Deal better with lack of an internet connection when booting the first time.
* When booting for the first time (without any cached files) the IRCd
  downloads GeoIP.dat. If that fails, e.g. due to lack of internet connectivity,
  we now show a warning and continue booting instead of it being a hard error.
  Note that we already dealt with this properly after the file has been cached
  (so after first download), see "What if your web server is down" in
  [Remote includes](https://www.unrealircd.org/docs/Remote_includes#What_if_your_web_server_is_down).
2024-05-03 13:04:16 +02:00
Bram Matthys 585b73158a Add extern void vsendto_one, requested by Valware.
[skip ci]
2024-04-05 08:53:22 +02:00
Bram Matthys 2b328374a5 Fix whowasdb module causing WHOWAS entries to vanish (way too soon) 2024-03-29 09:41:48 +01:00
Bram Matthys ae0206a92a Add oper::auto-join. This setting overrides set::oper-auto-join.
Suggested by Chris_dc in https://bugs.unrealircd.org/view.php?id=6255
2024-01-10 17:06:35 +01:00
Bram Matthys 64ea1d09d6 Move 'reserved clients' stuff to runtime, since 'ulimit -n' could be lower.
This fixes a bug where if you run ./Config with 'auto' file descriptors,
and then have an unusually low 'ulimit -n' of like 150, you would end up
with a negative amount of file descriptors available for use.

This fix moves it from compile-time setting of reserved fd's to runtime
setting.

All this is wrong, by the way, but that is for another major overhaul,
at least this bug is fixed now :D
2023-12-28 09:00:09 +01:00
Bram Matthys 96b18946ca Include oper name on /SPAMREPORT (for central spamreport) 2023-12-01 07:58:01 +01:00
Bram Matthys 4da58dde41 Update central spamreport, https://www.unrealircd.org/docs/Central_spamreport
set::central-blocklist::spamreport and ::spamreport-enabled are now GONE.
We now require a normal spamreport block, just like for other spamreport
functionality. So, if you want to enable this feature, use:
spamreport unrealircd { type central-spamreport; }

See https://www.unrealircd.org/docs/Central_spamreport for all info.

You can use CBL with central spamreport or central spamreport without CBL.
All explained at that URL.
2023-11-25 11:50:25 +01:00
Bram Matthys 7d024f8086 URL API: add request->connect_timeout & request->transfer_timeout
... in case you want to do fine-tuning.

Defaults to DOWNLOAD_CONNECT_TIMEOUT (15 seconds) and
DOWNLOAD_TRANSFER_TIMEOUT (20 seconds).

For example, the module manager uses a shorter timeout of 7 and 20.
(that was already the case, but now it uses the generic api so
 it needed an option to set it to those values)
2023-11-24 14:38:20 +01:00
Bram Matthys 36323f4294 Replace modulemanager HTTPS code with the generic URL code.
We now have a synchronous_http_request() which can be used for that
(NOTE: that function is NOT for use in unrealircd modules)
2023-11-24 13:22:55 +01:00
Bram Matthys 1282d2f2be URL API: Response callback is now two structs so we can easily extend.
callback(OutgoingWebRequest *request, OutgoingWebResponse *response)
2023-11-24 12:31:49 +01:00
Bram Matthys eed9d22e3b URL API: work towards callback w/struct -- actually this is an interim step 2023-11-24 12:04:28 +01:00
Bram Matthys 3548b7e2af New URL API (not really a unrealircd module api tho) - work in progress.
No longer url_start_async(a,b,c,d,e,f,g,...) but usings structs so
simply url_start_async(tehstruct);
makes it easy to add fields later without forcing all modules to
change the prototype.

Work in progress....
2023-11-24 11:27:39 +01:00
Bram Matthys be586531bc Make get_central_api_key() an efunction rather than doing things by hooks.
An efunction with a default that returns NULL, so you don't need to
load the module if you don't want the functionality.
2023-11-24 09:24:10 +01:00
Bram Matthys d85ed7a51f For set::hide-ban-reason add a new option auto and make it the default.
This will hide the *LINE reason to other users if the *LINE contains the
IP of the user. This to protect the privacy of the user for cases such
as a KLINE due to a blacklist with a DroneBL URL.
Other possible settings are `no` (never hide, the previous default) and
`yes` to always hide the *LINE reason. In all cases the user affected by
the server ban can still see the reason and IRCOps too.

https://bugs.unrealircd.org/view.php?id=6362
2023-11-22 14:48:14 +01:00
k4be fb6711c671 Improve MONITOR/WATCH extensibility.
The `watch-check` function now has a new argument which can be used to pass data to watch_notify callbacks.
New `watch_add` and `watch_del` hooks are called whenever new entries are created or removed.
New `monitor_notification` hook is called whenever a RPL_MONONLINE or RPL_MONOFFLINE is being sent, so a module can add its own notification besides it.
2023-11-19 14:01:16 +01:00
Bram Matthys 5b7e375213 Limit operclass name to a-zA-Z0-9_- and use the same validation in ~operclass extban.
This fixes the issue where +e/+I ~operclass:name gets cut off if the
name contains any digits.

Reported by BlackBishop in https://bugs.unrealircd.org/view.php?id=6353

Also, we previously allowed any characters in the operclass, which is not
a great idea.
2023-10-23 09:51:01 +02:00
Bram Matthys a04295c588 Add set::dns and increase DNS timeout for DNSBL (3000ms first, then on retry 6000ms).
This is quite a bit higher than client DNS lookups (1500ms first, on retry 3000ms)
and is because some DNSBL are reported to be quite a bit slower than ordinary DNS.
(Maybe just some, but.. the higher timeout does not hurt anyone anyway)

Note that all this has no effect on client handshake times, as DNSBL checks are
done in the background. Only side-effect is that if we do get a "late hit" then
you may now see a kill a few seconds after the client is online (which was actually
already possible before too for quick clients, but.. yeah...)

These settings can be overriden via set::dns, these are the defaults:

set {
        dns {
                client {
                        timeout 1500;
                        retry 2;
                }
                dnsbl {
                        timeout 3000;
                        retry 2;
                }
        }
}

When you REHASH we will check if the values are different than the current
c-ares settings and if so, reinitialize the resolver. Reinitializing the
resolver will destroy outstanding DNS requests, eg DNS lookups for clients
currently connecting, but so be it. Not a super-huge issue since changing
this is rare.

Requested by BlackBishop in https://bugs.unrealircd.org/view.php?id=6306
2023-10-11 19:04:06 +02:00
Bram Matthys 59c11d8b23 Add support for "REHASH -centralspamfilter" (alias "REHASH -cs") to force
an immediate fetch+load of central spamfilter rules, so you don't have
to wait an hour (or whatever is configured).
2023-10-06 08:49:43 +02:00
alice 1d34753f18 Fix minor compiler warning on conflicting types for Auth_Hash (PR #261)
auth.c:569:13: error: conflicting types for 'Auth_Hash' due to enum/integer mismatch; have 'const char *(AuthenticationType,  const char *)' [-Werror=enum-int-mismatch]
  569 | const char *Auth_Hash(AuthenticationType type, const char *text)
In file included from include/unrealircd.h:32, from auth.c:21:
include/h.h:547:26: note: previous declaration of 'Auth_Hash' with type 'const char *(int,  const char *)'
  547 | extern const char       *Auth_Hash(int type, const char *para);
2023-10-05 05:43:17 +00:00
Bram Matthys b234e13358 Don't bump reputation scores anymore for users who are in no channels or
when they are only in channel(s) with very low member counts.

This because some typical bot/drone behavior is not to join any channels.
This kinda forces them to expose themselves a bit more (and if they don't,
they don't get more reputation).

The downside is for the unusual case where a legit chatter would be on
the network but not joining any channels, but that is rare. In any case,
this setting can be adjusted if that is typical or more normal behavior
on your network :D.

* The [reputation score](https://www.unrealircd.org/docs/Reputation_score)
  of connected users (actually IP's) is increased every 5 minutes. We still
  do this, but only for users who are at least in one channel that has 3
  or more members. This setting is tweakable via
  [set::reputation::score-bump-timer-minimum-channel-members](https://www.unrealircd.org/docs/Set_block#set::reputation).
  Setting this to 0 means to bump scores also for people who are in no
  channels at all, which was the behavior in previous UnrealIRCd versions.
2023-09-17 11:47:34 +02:00
Bram Matthys 97630b4717 Allow setting reputation in https://www.unrealircd.org/docs/Actions via
action { set REPUTATION--; } and similar.

Also enhancement to reputation S2S traffic, to support decreasing:
  *
+ * Since UnrealIRCd 6.0.2+ there is now also asterisk-score-asterisk:
+ * :server REPUTATION 1.2.3.4 *2*
+ * The leading asterisk means no reply will be sent back, ever, and the
+ * trailing asterisk will mean it is a "FORCED SET", which means that
+ * servers should set the reputation to that value, even if it is lower.
+ * This way reputation can be reduced and the reducation can be synced
+ * across servers, which was not possible before 6.0.2.
+ *

So if you are actually decreasing reputation, you need all servers on
6.0.2 or higher for it to work properly, otherwise the other servers
don't decrease it, and next connect the highest wins again, etc.
2023-09-17 09:39:55 +02:00
Bram Matthys cd19198e3b Spamfilter fixes: prevent actions that are currently config-only from
being added by other servers and being able to spread to areas of
which the code is currently not ready for ('set', 'report', 'stop').
2023-07-20 14:50:40 +02:00
Bram Matthys b272b6700a Add security-group::rule support, see https://www.unrealircd.org/docs/Crule 2023-07-16 12:09:01 +02:00
Bram Matthys 13bb09aa4b crule: add inchannel('#xyz'), and inchannel('@#needopshere') works too 2023-07-16 11:22:02 +02:00
Bram Matthys 9b11366a8e crule: code cleanups / conform a bit more to unrealircd style 2023-07-16 10:52:03 +02:00
Bram Matthys 08cb0fc05d Move crule to a module, so we can hot-patch if needed in the future.
This is a mandatory module to load, and included in modules.default.conf.

This also meant that the crule_test() etc efunctions are available
before running config test routines, so we now have a flag for
early efuncs. I guess we could consider doing that for all efuncs
though, so not sure if this flag is really needed.
2023-07-16 10:33:25 +02:00
Bram Matthys cdc14569a9 Warn on plaintext oper::password in conf and even go as far as
generating the password hashes and suggesting using those.

This also starts the initial work on set::best-practices
https://www.unrealircd.org/docs/Set_block#set::best-practices
with hashed-passwords as the first setting there.
2023-07-15 19:02:31 +02:00
Bram Matthys a153a2cce3 Change definition of parse_ban_action_config(), was too easy to leak memory.
Often you have default values for the config, and then a subsequent config
parsing run would overwrite the return value (= memory leak), merging/appending
would make no sense either, so it would force a free in all code before
calling us, well... let's just deal with it ourselves instead then ;)
2023-07-14 08:08:47 +02:00