1
0
mirror of https://github.com/unrealircd/unrealircd.git synced 2026-07-07 11:03:12 +02:00
Commit Graph

185 Commits

Author SHA1 Message Date
Bram Matthys 1741da6d2a Fix another instance of "STATS spamfilter" accidentally containing spaces
When using multi-targets like spamfilter { action { report; block; } }
it would output in stats like "report, block". Now changed to "report,block"
2023-10-06 07:44:24 +02:00
Bram Matthys 97630b4717 Allow setting reputation in https://www.unrealircd.org/docs/Actions via
action { set REPUTATION--; } and similar.

Also enhancement to reputation S2S traffic, to support decreasing:
  *
+ * Since UnrealIRCd 6.0.2+ there is now also asterisk-score-asterisk:
+ * :server REPUTATION 1.2.3.4 *2*
+ * The leading asterisk means no reply will be sent back, ever, and the
+ * trailing asterisk will mean it is a "FORCED SET", which means that
+ * servers should set the reputation to that value, even if it is lower.
+ * This way reputation can be reduced and the reducation can be synced
+ * across servers, which was not possible before 6.0.2.
+ *

So if you are actually decreasing reputation, you need all servers on
6.0.2 or higher for it to work properly, otherwise the other servers
don't decrease it, and next connect the highest wins again, etc.
2023-09-17 09:39:55 +02:00
Bram Matthys cd19198e3b Spamfilter fixes: prevent actions that are currently config-only from
being added by other servers and being able to spread to areas of
which the code is currently not ready for ('set', 'report', 'stop').
2023-07-20 14:50:40 +02:00
Bram Matthys 937236126f Add new spamfilter type 'raw' which matches against a raw command/protocol line.
SPAMFILTER add -simple R block - Hi_there! LIST*

Though it is more useful in complex spamfilter rules in the conf, presumably.
2023-07-16 19:47:43 +02:00
Bram Matthys a153a2cce3 Change definition of parse_ban_action_config(), was too easy to leak memory.
Often you have default values for the config, and then a subsequent config
parsing run would overwrite the return value (= memory leak), merging/appending
would make no sense either, so it would force a free in all code before
calling us, well... let's just deal with it ourselves instead then ;)
2023-07-14 08:08:47 +02:00
Bram Matthys 4c3d2a6d6d Fix write bug in tkldb and add spamfilter::action stop.
The spamfilter::action stop ill prevent processing other spamfilters.
This would normally be a bit unusual, and potentially dangerous when you
do exclude things this way, but can be useful in some circumstances.

Stopping only affects the same type of spamfilters (general or central
spamfilters), so they don't interfere.

The tkldb write DB bug had to do with that it was processing
central spamfilters, which should be skipped just like config
based spamfilters were already skipped.
2023-07-11 14:32:11 +02:00
Bram Matthys f277880fb3 Add set::central-spamfilter::limit-ban-action and ::limit-ban-time
to limit actions to limit-ban-action as the highest, and limit
ban times to limit-ban-time the highest, see
https://www.unrealircd.org/docs/Central_Spamfilter

This also changes highest_spamfilter_action() to highest_ban_action().
2023-07-11 10:17:51 +02:00
Bram Matthys d25fdeb950 Some more BanAction fixes/improvements:
* stats S one thingy (multi-actions)
* STATS spamfilter (multi-actions)
* warn w/user target ('u') if using multi-actions
* moving some code
2023-07-09 16:27:40 +02:00
Bram Matthys dec9aa0341 Reporting spam to DroneBL now works, see https://www.unrealircd.org/docs/Spamreport_block
This uses the RPC2 API. Tested with staging.

Note that there are likely some bugs here or there, like memory leaks,
but the functionality is there.

Also still need to implement various stuff, including spamreport::rate-limit
2023-07-09 13:07:29 +02:00
Bram Matthys 64f57ae243 Add spamfilter::action report (work in progress) 2023-07-08 19:24:15 +02:00
Bram Matthys def77c4d52 Initial work on spamreport { } block. Not really useful yet.
Early commit before i make it actually work and implement the rest
and hunting for memory leaks etc...
2023-07-08 15:35:08 +02:00
Bram Matthys 01dd042089 Add support for spamfilter::id (currently not used or displayed anywhere)
For config-file only atm.
2023-07-08 12:34:21 +02:00
Bram Matthys d998846c64 Support setting tags via spamfilter { } blocks 2023-07-06 18:25:43 +02:00
Bram Matthys 6bbcdfd1b3 Add spamfilter::rule (preconditions), add context to crule parser,
and add the first functions: online_time() and reputation().

The more interesting stuff will follow later...
2023-07-06 16:14:26 +02:00
Bram Matthys 656ea105da First go at multi actions... 2023-07-06 11:51:55 +02:00
Bram Matthys c2d465c5dd Move chunk of code from start_of_normal_client_handshake() to
a function called start_dns_and_ident_lookup(). This can then
be easily called from other places as well, like the code k4be
did in src/modules/websocket.c to handle proxies.

Side-effect is that ident lookups would now be done, if we are
configured to do so, for forwarded webirc stuff (not that I
think many people use that feature at the moment...).
2023-05-26 11:24:01 +02:00
Bram Matthys 52472a9a88 Add support for set unknown-users { } and the like:
It is now possible to override some set settings per-security group by
having a set block with a name, like `set unknown-users { }`
* You could use this to set more limitations for unknown-users:
  ```
  set unknown-users {
          max-channels-per-user 5;
          static-quit "Quit";
          static-part yes;
  }
  ```
* Or to set higher values (higher than the normal set block)
  for trusted users:
  ```
  security-group trusted-bots {
          account { BotOne; BotTwo; }
  }
  set trusted-bots {
          max-channels-per-user 25;
  }
  ```
* Currently the following settings can be used in a set xxx { } block:
  set::auto-join, set::modes-on-connect, set::restrict-usermodes,
  set::max-channels-per-user, set::static-quit, set::static-part.
2023-05-22 12:07:43 +02:00
Bram Matthys 89075e532a Send throttling and some other error messages to SSL/TLS users (encrypted).
This is the start of "be more friendly to TLS users with disconnect
error messages" from https://bugs.unrealircd.org/view.php?id=5532

As that bug explains:
Consider doing the SSL/TLS handshake even for throttling errors and such
when the (reject) connection rate is below a certain amount per second.  If
it is higher than a certain rate, then fall back to the original behavior to
reject the user instantly without handshake or looking at any data.
Rationale: the current/original behavior is there so the ircd can handle
floods, both in terms of traffic and in terms of CPU usage (the SSL/TLS
handshake is quite costly after all).  The downside of the current behavior
is that TLS users don't see the error message, usually.  This feature
request tries to find a middle ground.

Still a TODO item:
* We don't detect high rates yet, so we only do this new behavior atm
  and not yet the old behavior during high connection rates.
* Verify that error messages/behavior hasn't changed (too) much,
  like the throttling and the banning disconnect messages.
2023-05-18 11:17:37 +02:00
Bram Matthys 2fd7c9cfc4 Set loop.terminating for RESTART also (so channeldb etc write the db) 2023-04-14 19:22:22 +02:00
Bram Matthys 254afbb9c6 Make set::hide-ban-reason not affect opers (eg. show full gline reason).
Suggested by Chris_dc in https://bugs.unrealircd.org/view.php?id=6252

This uses unrealircd.org/real-quit-reason internally, but is only
exposed to servers, never to users. It results in using that quit
reason for IRCOps, while using the regular quit reason for normal users.
2023-04-05 07:26:12 +02:00
Bram Matthys 1e315bb953 Add and use command_issued_by_rpc() helper function for internal logging
of commands issued by JSON-RPC.
2023-04-02 16:04:17 +02:00
Bram Matthys a3c151a16a RPC: add rpc.set_issuer, eg set to logged in user on the admin panel.
This so UnrealIRCd knows who is issuing the commands.
This information is then passed on to unrealircd.org/issued-by and
is planned to be used by the logging system too.

https://www.unrealircd.org/docs/JSON-RPC:Rpc#rpc.set_issuer
2023-03-31 12:55:31 +02:00
Bram Matthys 5871bd9463 Initial work on unrealircd.org/issued-by message tag.
This will communicate the original issuer of a command.
For example an "SAMODE #test +s" results in a SAMODE coming from
:maintest.test.net MODE ....etc....
And with this feature, we will communicate the IRCOp who did it:
@unrealircd.org/issued-by=OPER:Syzop..etc....
This tag is only sent to servers and to IRCOps, not to ordinary users.

The plan is to support the following variants:
Services: unrealircd.org/issued-by=SERVICES:NickServ@services.test.net
IRCOp:    unrealircd.org/issued-by=OPER:Syzop@maintest.test.net:Operblock_name
JSON-RPC: unrealircd.org/issued-by=RPC:adminpanel@irc1.test.net:Adminpanel_Actual_User

This first commit only adds SERVICES and OPER in the handlers of the
SVSNICK and SAMODE commands. The JSON-RPC variant and all of the other
commands have not been done yet.
2023-03-31 12:17:54 +02:00
Bram Matthys 7194799f93 Fix valid_vhost() rejecting user@host.
Reported by Lord255.
2023-03-24 13:19:57 +01:00
Bram Matthys e83c610b39 Add valid_vhost() and validate oper::vhost too just like vhost::vhost.
Actually make them both use this same function, even thought he original
vhost::vhost check was a bit more informational.

This also checks the vhost in other paths that lead to oper vhost setting.

Reported by ji in https://bugs.unrealircd.org/view.php?id=5910
2023-03-22 10:26:05 +01:00
Bram Matthys eccf108866 Forgot second part of the patch in previous commit. 2023-03-18 14:01:58 +01:00
Bram Matthys 3bccc63125 Fix +S stripping too much on incorrect color codes.
Reported by semioriginal in https://bugs.unrealircd.org/view.php?id=5908
with the patch also by semioriginal.
2023-03-18 13:58:59 +01:00
Bram Matthys c43753cd4b Support NO_COLOR environment variable, as per https://no-color.org 2023-03-11 17:58:21 +01:00
Bram Matthys b9fcdcdb19 Make server.rehash for remote servers use two possible code paths:
* If the remote server (and all servers in-between) support RRPC
  then forward the RPC request as RRPC and let remote handle the
  response. The response will be the verbose rehash response.
* If not supported, then simply return boolean true as a response,
  and use oldskool :source_server REHASH dest_server over the wire
2023-01-13 18:09:12 +01:00
Bram Matthys b8cbe63915 Support server.rehash for remote servers with full detailed response.
(Required RPC modules to be loaded on the remote server, tho)

This adds support for remote async RPC requests that take a little longer,
in such a case we don't call free_client() upon return of rpc_call().
2023-01-13 16:51:47 +01:00
Bram Matthys 6a4ae9d9ec Support RPC calls to remote servers, where the RPC request/response is
sent over the IRC network. This makes it possible to fetch information
from remote servers that is not known locally, and also it makes it
possible to do more things, or do it easier.

This does require the remote servers to enable RPC as well, though,
eg: include "rpc.modules.default.conf";
(They don't need any listener or rpc-user blocks)

Code-wise it looks nice, like from rpc_server_module_list it is a simple:
/* Forward to remote */
rpc_send_request_to_remote(client, targetserver, request);

This is work in progress. In particular, there is no handling yet of
timeouts (eg if the request to the remote server, or the response
from it takes ages). Nor does it handle the case where the server
quits half-way through the request/response... that is: it does free
the request and such, but does not notify the RPC client about it.
That will need to be added, of course, likely soon.

Over the IRC network this uses the new RRPC command:
:<server> RRPC <REQ|RES> <source> <destination> <requestid> [S|C|F] :<request data>
A request looks like this (assuming it is short):
:001 RRPC REQ 001ABCDEF 002 abc SF :..this is the json request...
And then the response (assuming it is long) is like:
:001 RRPC REQ 001ABCDEF 002 abc S :..this is the json response...
:001 RRPC REQ 001ABCDEF 002 abc C :..more...
:001 RRPC REQ 001ABCDEF 002 abc C :..more...
:001 RRPC REQ 001ABCDEF 002 abc F :..and that was it.
There is currently no request/response limit, it is limited by memory.

Right now the only call using this is server.module_list when called
with a param of "server":"some.remote.server"
2023-01-13 12:45:51 +01:00
Bram Matthys 4378979ad5 Add valid_username() so we can use it at multiple places.
This gets rid of duplicate code in SETIDENT, CHGIDENT, and soon
in the RPC call. It does not get rid of make_valid_username()
in src/modules/nick.c which does something slightly different.
2023-01-07 15:11:52 +01:00
Bram Matthys b33628b765 JSON-RPC over Websockets: Fix bug with >64Kb responses.
Eg if there are 10.000 users online and you do user.list.
The old websocket framing assumed no response was >64Kb.

This also creates a new function websocket_create_packet_ex()
2023-01-04 13:10:09 +01:00
Bram Matthys eca0035e8d Actually fix previous-previous-commit cdd0e4116d 2022-12-21 10:09:23 +01:00
Bram Matthys 7c8918e22d Update rpc_error() to use JsonRpcError (enum) and add more error values. 2022-06-20 19:02:52 +02:00
Bram Matthys 853f0685ed Split off big chunk of websocket module into websocket_common module.
And load the websocket_common module by default (which is just an API).
2022-06-19 13:13:33 +00:00
Bram Matthys 4a68008b81 Rename some more:
* WEB() now has handle_request() and handle_body(), makes more sense.
* webserver_handle_body_data() -> webserver_handle_body()
* and similar cases
2022-06-19 13:13:33 +00:00
Bram Matthys 12f2cd8555 Rename webserver_handle_body_data() -> webserver_handle_request_body() 2022-06-19 13:13:33 +00:00
Bram Matthys 9afdcb7ff0 Add request body handler in webserver -- only a beginning, the
chunked encoding stuff is copied from the modulemanager and #if'd out.
The non-chunked is not OK yet either, as it must check the Content-Length,
while we currently assume a single packet == the complete request.
2022-06-19 13:13:33 +00:00
Bram Matthys 1d613a592c Remove freeing of client->local->listener and refdec from exit_client()
to free_client().
2022-06-19 13:13:33 +00:00
Bram Matthys a09d4a7e88 Add CLIENT_STATUS_RPC and add SetRPC() and IsRPC(). 2022-06-19 13:13:33 +00:00
Bram Matthys 61ba3727df JSON-RPC: Use proper error response with error codes according to
the official specification (one of JSON_RPC_ERROR_*).

Add proper rpc_error() and rpc_error_fmt()

Don't steal reference in rpc_response().
2022-06-19 13:13:33 +00:00
Bram Matthys 4cd520d327 Make user.list() RPC API return a list of all users with details.
This is the 1st RPC API call that actually works :D
2022-06-19 13:13:33 +00:00
Bram Matthys 2397fb8a49 Split 'websocket' module up in 'webserver' and 'websocket' 2022-06-19 13:13:33 +00:00
Bram Matthys b4f6c83821 Fix multiline log messages not working, they showed up as single lines
with their content added together.
2022-05-30 08:59:44 +02:00
Bram Matthys 7740d64042 Limit individual JSON strings to 512 bytes and call StripControlCodes()
on each string. Note that the entire JSON dump may still be much larger,
this is just about each individual string item within an object.

This commit also adds a more flexible StripControlCodesEx() function
to the core (which is used by the logging system), the existing
StripControlCodes() function is unchanged and can still be used.

+/** Strip color, bold, underline, and reverse codes from a string.
+ * @param text                 The input text
+ * @param output               The buffer for the output text
+ * @param outputlen            The length of the output buffer
+ * @param strip_all_low_ascii  If set to 1 then all ASCII < 32 is stripped
+ *                             (the ASCII control codes), otherwise we only
+ *                             strip the IRC control- and color codes.
+ * @returns The new string, which will be 'output', or in unusual cases (outputlen==0) will be NULL.
+ */
+const char *StripControlCodesEx(const char *text, char *output, size_t outputlen, int strip_all_low_ascii)
 {
2022-05-23 10:35:52 +02:00
Bram Matthys 3fbdb7fd4b Move StripControlCodes() from message.c to misc.c.
Because I need in the core (again) due to early calls / calls during
rehashes / etc...
2022-05-23 10:10:47 +02:00
Bram Matthys 9075e2fa70 Move all the security group and mask code to src/securitygroup.c 2022-05-16 13:54:52 +02:00
Bram Matthys a1c8292a1d Fix incorrect sizeof() in commit from yesterday. 2022-05-15 06:49:58 +02:00
Bram Matthys 510b4b5505 Integrate security-group functionality in allow::mask.
(Also call it allow::match in the future, but accept allow::mask still)

This is the first of several commits to convert all ::mask items.
See https://www.unrealircd.org/docs/Mask_item for the consequences.
In short, you can now use all of the security-group items directly
in a mask, eg:
allow {
    mask { account TrustedUser; }
    class clients;
    maxperip 10;
}
2022-05-14 07:51:51 +02:00