1
0
mirror of https://github.com/unrealircd/unrealircd.git synced 2026-07-05 08:13:15 +02:00
Commit Graph

3210 Commits

Author SHA1 Message Date
Bram Matthys a41ab32d16 maxperip: use siphash_raw(client->rawip.... 2024-09-14 20:33:57 +02:00
Bram Matthys 2ef39497c7 Similar to previous commit, move maxperip stuff from core to module.
This was in src/hash.c, src/list.c and src/modules/stats.c.
Now all in src/modules/nick.c... or should this go into a new module?

Again, this needs some more testing, like previous commit.
2024-09-14 20:18:22 +02:00
Bram Matthys 710afe7cc7 Move throttling code from src/hash.c to src/modules/connect-flood.c
Better to have this all in one place. Though, must admit, the
config checking is still in src/conf.c and a bit of a hassle to move.

Some testing may be wise to see if everything still works ;)
2024-09-14 19:55:43 +02:00
Bram Matthys ca7e4ab966 Prevent +b ~inherit:#chan in #chan. This didn't cause any problem but
doesn't make any sense either, so just reject it. Reported by alice.
2024-09-14 19:07:15 +02:00
Bram Matthys b6cdca5525 Fix b->ban_type not being set properly at all places (BanContext).
This probably didn't cause any issues earlier, or maybe it did
with some 3rd party mods, but is relevant now that we have ~inherit.
2024-09-09 16:44:57 +02:00
Bram Matthys 10ec67d163 Fix +I ~inherit:#chan (invite exceptions) 2024-09-09 16:28:22 +02:00
Valerie Liu 879e365ed5 extbans/partmsg.c: Actually check if there's a matching ban before removing the part message (#295) 2024-09-08 16:52:01 +00:00
Bram Matthys 3c1ef65a00 Add set::max-inherit-extended-bans to configure limits for ~inherit extban:
Looks like this, with the current defaults:
set {
        max-inherit-extended-bans {
                ban 1;
                ban-exception 1;
                invite-exception 1;
        }
}
2024-09-08 17:15:26 +02:00
Valerie Liu ae8b039831 Fix $nick log string in debug message re spamfilter tag (#294) 2024-09-08 14:37:26 +00:00
Bram Matthys c4c72ecaca Fix spamfilter.get unable to retrieve config-based spamfilters.
Reported in https://bugs.unrealircd.org/view.php?id=6467 by adator.
2024-09-08 10:16:15 +02:00
Bram Matthys ee1d6818b4 Add +b/+e/+I ~inherit:#channel to inherit channel bans from another channel
Several notes:
* This only checks on-JOIN (not on nick change, message, etc)
  for performance reasons
* If the #channel in ~inherit:#channel also contains ~inherit
  entries then those are not processed (no recursion and no looping)
* Only a limited number of ~inherit entries is permitted.
  This will be moved to set:: items in a future commit so you
  can set different amounts for +b/+e/+I ~inherit.
* This is work in progress, UnrealIRCd or the entire world could explode
* Documentation will follow later

Developers:
* Sadly, clean_ban_mask() needed to be changed to have two more
  parameters, 'ban_type' and 'channel' were added at different positions.
  This because the module needs the ban type (EXBTYPE_BAN, EXBTYPE_EXCEPT,
  EXBTYPE_INVEX) and channel because it rejects based on number of
  existing ~inherit entries in the channel... and while is_ok() is called
  for local clients and has all this information, for services clients
  is_ok() is not called so the only way to reject the +beI is through
  xxx_conv_param() which comes from clean_ban_mask().
2024-09-07 21:02:15 +02:00
Bram Matthys e17e11dd73 Make "MD" S2S command support BIGLINES. We don't need it now but maybe
in the future we will, or some third party module. And then it would
be nice if all servers on the IRC network support it, of course.
2024-09-05 20:06:58 +02:00
Bram Matthys 99bc061a74 Fix require authentication { } not allowing SASL users in.
It was behaving like a ban user { } block.

Reported by Jellis in https://bugs.unrealircd.org/view.php?id=6464
2024-08-30 20:01:20 +02:00
Bram Matthys 5092fa985d Central Blocklist: fix issue with clients being killed if too slow.
We already allow users in after 10 seconds if CBL is too slow, and
that part worked correctly. However 5 seconds later, when the URL
API 15 second timeout hits, it would try to allow the user in AGAIN.
This caused the user to be introduced twice, causing remote servers
to kill the user, and also screwing up user counts.

Reported by multiple people, including Jellis who actually filed
a report with logs, and alice providing logs as well, all when CBL
was temporarily down for a few hours in August 2024. In hindsight
this bug was already reported by k4be back in November 2023 but
was more rare at the time and mistaken for another very similar
bug that was fixed in 6.1.3.

With this patch, we check before we call cbl_allow(), but also
cbl_allow() itself checks the "user already allowed in?".

Oh yeah and this is hot patchable, within the hour I will make
this work: ./unrealircd hot-patch cbl-timeout-fix
2024-08-20 13:29:08 +02:00
Bram Matthys 4f3e524602 Add function set_client_ip() and call HOOKTYPE_IP_CHANGE there if needed.
This to replace the scattered IP setting. It is very important to always
use set_client_ip() from this point. Everywhere!

Also, in addition to client->ip, this adds client->rawip that contains
the IP in network byte order. In older UnrealIRCd versions we always had
the raw IP but not the IP as a string, so we moved to IP as a string,
but it can be useful to have both in terms of optimizations.
Of course, then the client->ip and client->rawip always need to 100% match,
hence the set_client_ip().

This also changes IsIPV6() to do A BUGFIX, it changes it from:
* if local user is the user connected over IPv6? Otherwise, does it have ':' in the IP?
To:
* check if the IPv6 flag is set (which is set if IP contains ':')
This may seem insignificant but it means that for spoofed IP addresses,
such as WEBIRC or transparant proxy, we use the correct transport.
Previously, if the proxy was IPv6 then even if the spoofed user was using
IPv4, the ident check would still be tried over IPv6. That sort of fun.
From now in, in such a situation client->local->socket_type will be
SOCKET_TYPE_IPV6 but since client->ip (and rawip) will contain IPv4
the IsIPV6() will actually return false, as it should be.

Also, in the HOOKTYPE_IP_CHANGE, enforce that if HOOK_DENY is returned,
the the user is killed by dead_link(). The user must be killed because
that is what we expect, and you cannot use exit_client() because from
some code paths that would be too much freed structures / hassle,
as a comment in src/modules/connect-flood.c correctly states:
/* There are two reasons why we can't use exit_client() here:
 * 1) Because the HOOKTYPE_IP_CHANGE call may be too deep.
 *    Eg: read_packet -> webserver_packet_in ->
 *    webserver_handle_request_header -> webserver_handle_request ->
 *    RunHook().... and then returning without touching anything
 *    after an exit_client() would not be feasible.
 * 2) Because in HOOKTYPE_ACCEPT we always need to use dead_socket
 *    if we want to print a friendly message to TLS users.
 */
2024-07-20 12:22:26 +02:00
Bram Matthys 9232db12ae Remove an annoying BLACKLIST_RESOLVER_CALLBACK message in DEBUGMODE
[skip ci]
2024-07-18 08:00:06 +02:00
Bram Matthys 5ad5c4cfe2 JSON-RPC whowas.get: add geoip object with country_code, asn and asname.
(only if the information is available, of course)
2024-07-17 17:15:10 +02:00
Bram Matthys 5c810d0c63 In WHOWAS also show country and ASN information to IRCOps 2024-07-17 17:03:49 +02:00
Bram Matthys cabd7c1ede Fix memory leak in rpc-user::rpc-class (at least this one is small) 2024-07-16 09:33:45 +02:00
Bram Matthys 34d23c8b5c Fix memory leak in ASN code
Contrary to retrieving country code / country name, the AS organisation
name that was returned needs to be freed by *US*. Makes sense, though
a bit inconsistent, heh.

[skip ci]
2024-07-16 09:32:25 +02:00
k4be e950bb53bc Add ASN support for geoip_maxmind 2024-07-15 19:22:48 +02:00
Bram Matthys f6b448df2c Fix error with ASN lookups for IPv6
This line should not be here, it is for country lookups (also wasn't
there for IPv4, which actually does work)

[skip ci]
2024-07-13 07:48:34 +02:00
Bram Matthys 3efc62fc75 Allow +b ~operclass:xyz checking against remote users too.
Yeah not really important except for like SVSMODE -b nick, which
removes all bans that affect nick. That's the only type of code
that runs bans against external users.
2024-07-12 20:31:56 +02:00
Bram Matthys 1b4f987ab7 Move displaying of ASN in WHOIS to separate RPL_WHOISASN (569)
This is the numeric that the inspircd third party module uses
https://github.com/inspircd/inspircd-contrib/blob/master/4/m_asn.cpp
and it does not seem taken at
https://defs.ircdocs.horse/defs/numerics.html or
https://www.alien.net.au/irc/irc2numerics.html

This also means AS displaying is now separately configured via
set::whois-details::asn. By default only IRCOps can see it.
2024-07-12 12:17:39 +02:00
Bram Matthys da6cf4f6fa Add crule function match_asn(64496) 2024-07-12 11:37:18 +02:00
Bram Matthys 65c8a6e667 Some minor tweaks here and there
[skip ci]
2024-07-12 11:16:01 +02:00
Bram Matthys 0844f7243f Add ASN as extended server ban, mask item, secgroup. Eg: GLINE ~asn:64496 0 Bye!
This also automatically adds it as a security group and mask item:

ban user {
        mask { asn 64496; }
        reason "Testing ASN ban";
}

And yeah, it is a normal extban too (in +b and +I). Users usually
don't know the AS Number of other users, though, unless you change
the default configuration (at the cost of privacy).

Updated release notes a bit... more will follow.
2024-07-12 11:12:54 +02:00
Bram Matthys f33a0d2c1b Add initial ASN support:
* Including default download via unrealircd.org
* Shown in WHOIS - currently in RLP_WHOISCOUNTRY, not sure
  if that is correct.
* Shown in connect notices [asn: XYZ] [asname: BLAH BLAH]
* Shown in json user expansion (JSON logging and JSON-RPC)
* Only via geoip_classic at the moment
* Structs and serializing in geoip_base done
* Extbans not added yet
2024-07-12 10:31:52 +02:00
Bram Matthys 8bb0a934c6 Fix three small memory leaks, together 1KB per REHASH.
The list is as follows with the number of bytes in the test leaked,
but this can vary depending on your configuration:
* charsys with multibyte ranges (112 bytes)
* set::whois-details (909 bytes)
* +F default profile (7 bytes)

The whois one is in the default configuration, so likely
affected everyone. It's nothing catastrophic, as you need a 1000
REHASHes in order to reach 1MB but.. we shouldn't leak, of course.
2024-07-11 18:22:31 +02:00
Bram Matthys 9cc2918d5f Make set::spamfilter::except a Mask item
* [set::spamfilter::except](https://www.unrealircd.org/docs/Set_block#set::spamfilter::except)
  is now a [Mask item](https://www.unrealircd.org/docs/Mask_item) instead of
  only a list of exempted targets. A warning is created to existing users
  along with a suggestion of how to use the new syntax. Technically, this is
  not really new functionality as all this was already possible via
  the [Except ban block](https://www.unrealircd.org/docs/Except_ban_block)
  with type spamfilter, but it is more visible/logical to have this also.
2024-07-06 10:09:35 +02:00
Bram Matthys e03a5dfd5f Support ::destination and ::exclude-destination in security groups / mask items
at selected places (there needs to be explicit code in place to handle this).
At the moment it is supported at two places only:
* For spamfilters (was already possible via crules via ::rule with
  a destination('xyz') but now non-crule destination "#xyz"; works as well, eg:
  spamfilter {
          ...
          except {
                  destination "#main";
          }
  }
  Note that if you want to exempt a destination in all spamfilters,
  we already have set::spamfilter::except for that!
* In restrict commands for like channel-message and such:
  set {
          restrict-commands {
                  channel-message {
                          except {
                                  connect-time 600;
                                  destination "#test";
                          }
                  }
           }
  }

Allow passing a crule_context via user_allowed_by_security_group_context()
and make user_allowed_by_security_group() call that.

Actually document spamfilter::except online in the docs (yeah you
won't see it in this commit, just mentioning...)

And yeah, by now i wonder if we should really call it crule_context
since it is more like a security group matching context, but.. whatever.
2024-07-06 09:16:53 +02:00
Bram Matthys a804b24150 Add set::hide-killed-by which shortens the quit to "Killed (Reason)".
* New option [set::hide-killed-by](https://www.unrealircd.org/docs/Set_block#set::hide-killed-by):
  We normally show the nickname of the oper who did the /KILL in the quit message.
  When set to `yes` the quit message becomes shortened to "Killed (Reason)".
  This can prevent oper harassment.

Suggested by PeGaSuS in https://bugs.unrealircd.org/view.php?id=6425
2024-07-06 08:12:11 +02:00
Bram Matthys 667eae41dd Add warning when rpc-user::rpc-class is missing. Add default 'full' and 'read-only'.
The reason for the warning is that in some future UnrealIRCd version I want the
rpc-user::rpc-class to become a required item.

This commit also adds rpc-class.default.conf which is by default
included from rpc.modules.default.conf.

This also completes the TODO list from b9de933378
(the rpc.add_timer was never a loophole and i kept rpc.info as-is)
2024-07-05 11:45:49 +02:00
Bram Matthys 0b7162f3cf Free old operclass blocks on REHASH (memory leak)
This wasn't caught by Address Sanitizer because we simply never removed
it from the linked list, and thus it was a reachable pointer.

Found this bug when adding the rpc-class { } stuff.
2024-07-05 11:11:13 +02:00
Bram Matthys b9de933378 Similar to oper and operclass, this adds an rpc-class block.
This so you can restrict the JSON Methods that can be called, eg:

rpc-class limited {
    privileges {
        server { list; get; }
        channel { list; get; }
        user { list; get; }
    }
}

rpc-user xyz {
    match { ip 127.0.0.1; }
    password "test";
    rpc-class limited;
}

NOTE: This is work in progress
1) Things are NOT yet fully contained, as i need to lock down
   rpc.add_timer still :)
2) Some more work, eg rpc.info would be nice to show some
   information about the restriction (??)
3) Need to fix a memory leak
4) Possibly more
2024-07-05 10:21:45 +02:00
Val Lorentz 2a3f5dc500 MODE: Reply with ERR_NOSUCHCHANNEL when the target is a channel (#287) 2024-07-05 07:28:12 +00:00
Bram Matthys 3bc1e0c932 Fix tkldb issue caused by making ban user::mask a mask item.
The build tests were failing for tkldb save & restore. Cause was this:

if (tkl->ptr.serverban->match)
^ this is wrong.. because it doesn't check if tkl is a server ban

So it could be tkl->ptr.spamfilter->whatever_is_at_that_memory_offset
which is non-NULL.

Could have updated the code to an if (IsServerBan... && tkl->..etc..)
but decided to ditch this needless code altogether.

As this wasn't needed at all since it already skips config-based.
And all mask items bans are config-based.

One of those rare cases where trying to be extra careful actually
causes a fuckup.
2024-07-01 18:56:29 +02:00
Bram Matthys c12864f81b Fix crash in server_ban.list JSON-RPC call as well.
Hmm... we should probably use json_expand_tkl() differently for match items
instead of returning "<match-item>" literally. Consider this a TODO item :D
This only happens for config-based bans that can't be removed anyway, so..
2024-06-30 19:59:41 +02:00
Bram Matthys 58d7a274f6 Fix crash in new ban user { } code, as predicted two commits ago. 2024-06-30 19:47:04 +02:00
Bram Matthys 53d97e020f Fix for last commit: except ban { } was not checked for ban user { } blocks 2024-06-30 19:26:02 +02:00
Bram Matthys bc7c69dd20 Make ban user::mask and require authentication::mask a Mask item. Finally.
As requested in
https://bugs.unrealircd.org/view.php?id=6159 by PeGaSuS
https://bugs.unrealircd.org/view.php?id=6319 by BlackBishop
https://bugs.unrealircd.org/view.php?id=6397 by Valware

The mask item https://www.unrealircd.org/docs/Mask_item
means you can use all the power of mask items and security groups and
multiple matching criteria.

This requires a bit more testing as username/hostname are NULL now
so some code paths may have to be adjusted. The function call to add
server bans has changed too. And, really need to check that soft bans
are not broken... because they might be ;D
2024-06-30 19:06:37 +02:00
Bram Matthys f6643f283c Support spamreport::url for type central-spamreport too.
This so you can get the same spamreport data to your own custom system.
It works similar to set::central-blocklist::url but then on a
spamreport { } basis which is better, since then you can still
submit to UnrealIRCd central spamreport too.

So you can have two blocks:
spamreport unrealircd { type central-spamreport; }
spamreport custom { type central-spamreport; url 'https://www.example.org/xyz'; }

And then a /SPAMREPORT or 'report;' action will report it to BOTH.

Requested by Chris
2024-06-26 14:01:13 +02:00
Valerie Liu 54a8fc140b restrict-commands: add option 'channel-create' (channel creation) (#285)
* restrict-commands: add option 'channel-create' for managing who may create new channels.
This has been a commonly requested feature with different requested options, I think it makes sense to do it properly from here
2024-06-14 13:05:34 +00:00
Bram Matthys 58646bafbb Reorder some if's and comment them to make sense.
[skip ci]
2024-06-14 14:36:34 +02:00
Bram Matthys 33c6eb0bcf Destroy channel if 0 users and can_join() rejects the user.
Reported by Valware. E.g. if HOOKTYPE_CAN_JOIN rejects the join
when it is a new channel.

( And yeah... +P channels are not destroyed... handled in
  sub1_from_channel() -> HOOKTYPE_CHANNEL_DESTROY already. )
2024-06-14 14:28:11 +02:00
Bram Matthys c37dc9334b Attempt to fix KICK OperOverride message if you are not +o but have +h/+a/+q.
There was an incorrect OperOverride message if you were had +h, +a or +q
and was kicking someone that you should normally be able to (without override).

This requires quite a bit of further testing, though, it's so easy to get
this wrong. The FIXME still stands to fix this for good some day.

Reported by Valware in https://bugs.unrealircd.org/view.php?id=6423
2024-06-14 10:45:41 +02:00
alice a77ff1f2c8 Fix OPEROVERRIDE_VERIFY option. (#278)
Reported by hnj in https://bugs.unrealircd.org/view.php?id=6418

Appears to have been introduced as part of the 6.x refactor of secret/private channel modes in 8066c13876

Also adjust message for ERR_OPERSPVERIFY to include channel name.
This is to correspond closer to other similar numerics around this area, as well as agreeing with the definition within modern.
2024-06-14 07:22:19 +00:00
Bram Matthys 9d91f61206 Crule: forgot a context && context->client check. Just in case the
crule is used outside security groups / spamfilter, like in
deny link { }.

Also update the match_realname() since via the extban code it would
use match_esc() which is rather confusing if you have double (or
perhaps even triple) escaping when using this in the conf.
2024-05-20 09:31:29 +02:00
Bram Matthys 899955b47d Crule: forgot match_realname('*xyz*'). Now we should be at 100% :) 2024-05-20 09:11:25 +02:00
Bram Matthys 0e9280e731 Crule: add match_account(), match_country(), match_certfp(). 2024-05-20 09:06:11 +02:00