when there is already another established link with a server with the same name.
For example, when there is a network issue and the "old server" is still
waiting to be timed out and the "new server" is already linking in.
This fixes a possible crash when using RPC with unix domain sockets,
reported by Valware.
This also adds a configure check so we use our own strlncat if the
C library does not have one, e.g. some non-Linux.
You could already have something like:
log { source { !debug; all; } destination { file "ircd.%Y-%m-%d.log"; } }
But now you can also have:
log { source { !debug; all; } destination { file "%Y-%m-%d/ircd.log"; } }
This is especially useful if you output to multiple log files and then
want them grouped by date in a directory.
Hopefully this fixes a crash when linking (succesfully authenticated) servers,
something which only happens with GCC and only for some people in some cases.
Reported by armyn in https://bugs.unrealircd.org/view.php?id=6147
This also adds a new function convert_regular_ban() which is now
used by both clean_ban_mask() and extban_conv_param_nuh().
This also moves some of the adding code (sending notice, broadcasting to
other servers, etc) to a function tkl_added().
We should probably do the same for deletion and not use the tkllayer
anymore for that?
Currently available:
* server_ban.list
* server_ban.get with params: name="*@1.2.3.4", type="kline"
This also adds server_ban_parse_mask() which is now used by both GLINE/etc
and the RPC API to parse the same way and convey the same error messages.
chunked encoding stuff is copied from the modulemanager and #if'd out.
The non-chunked is not OK yet either, as it must check the Content-Length,
while we currently assume a single packet == the complete request.
These deal with set::anti-flood::everyone::connect-flood and
set::max-unknown-connections-per-ip respectively.
This adds a new hook HOOKTYPE_ACCEPT, that is mostly meant for internal
usage by UnrealIRCd. Most module coders will want to use the existing
hook HOOKTYPE_HANDSHAKE instead.
This also gets of check_banned() which is now spread over the individual
modules (eg: checking banned is done in tkl on HOOKTYPE_ACCEPT and
HOOKTYPE_IP_CHANGE).
and other selectors in 'mask'. This allows for things like:
security-group Syzop { certfp "xyz"; }
oper Syzop {
mask { security-group Syzop; }
operclass netadmin-with-override;
class opers;
}
except ban {
mask { security-group Syzop; }
type all;
}
allow {
mask { security-group Syzop; }
class special;
maxperip 32;
}
etc...
We do error on the obvious case of mask * and mask *@* when no password
is set, but otherwise try not to stop all cases of user stupidity
(there are just too many...).
So you can just use mask { ip { 127.*; 192.168.*; } } without
having to worry about hostnames like 127.example.net.
(Of course you could also have used CIDR notation)
Another benefit is that, since we are dealing with IP's only,
the matching is faster than going through the more universal
match_user() routine.
So now the example in the release notes actually works:
except ban {
mask { security-group irccloud; }
type { blacklist; connect-flood; handshake-data-flood; }
}
on each string. Note that the entire JSON dump may still be much larger,
this is just about each individual string item within an object.
This commit also adds a more flexible StripControlCodesEx() function
to the core (which is used by the logging system), the existing
StripControlCodes() function is unchanged and can still be used.
+/** Strip color, bold, underline, and reverse codes from a string.
+ * @param text The input text
+ * @param output The buffer for the output text
+ * @param outputlen The length of the output buffer
+ * @param strip_all_low_ascii If set to 1 then all ASCII < 32 is stripped
+ * (the ASCII control codes), otherwise we only
+ * strip the IRC control- and color codes.
+ * @returns The new string, which will be 'output', or in unusual cases (outputlen==0) will be NULL.
+ */
+const char *StripControlCodesEx(const char *text, char *output, size_t outputlen, int strip_all_low_ascii)
{
(Also call it allow::match in the future, but accept allow::mask still)
This is the first of several commits to convert all ::mask items.
See https://www.unrealircd.org/docs/Mask_item for the consequences.
In short, you can now use all of the security-group items directly
in a mask, eg:
allow {
mask { account TrustedUser; }
class clients;
maxperip 10;
}
The extban module API is used behind the scenes. To the server admin
the functionality appears in a more natural way:
account { <list>; };
country { <list>; };
realname { <list>; };
certfp { <list>; };
In the same way, they appear as exclude-xxx options too:
exclude-account { <list>; };
exclude-country { <list>; };
exclude-realname { <list>; };
exclude-certfp { <list>; };
Modules can add additional fields (3rd party modules too!).
Module coders:
See src/modules/extbans/realname.c for a simple example. In short:
1) You need to register your extban in both MOD_TEST and MOD_INIT
2) Other than that, the existing rules for extended server bans apply:
a) Your req.is_banned_events needs to include BANCHK_TKL
b) Your req.options needs to include EXTBOPT_TKL
Be advised that for modules that are called in extended server bans
the client may be missing several fields, for example client->user could
be NULL, so be careful with accessing everything in your module.
been connected to IRC. See https://www.unrealircd.org/docs/Security-group_block
Slightly unrelated, for modules coders: new function get_connected_time(),
to see how long a client has been online. This works for local clients, in
which case it would just return TStime()-client->local->creationtime.
It also works for remote clients, for which it will use the newly added
"creationtime" moddata (commit f1a18ce37e),
so the info is only available for remote clients on newer servers.
If the info cannot be found it will return 0 (zero).
This existed in UnrealIRCd 3.2.x but was later removed when
switching to the new operclass system.
Requested by Valware in https://bugs.unrealircd.org/view.php?id=6041
Syntax: SVSO <uid|nick> <oper account> <operclass> <class> <modes> <snomask> <vhost>
All these parameters need to be set, you cannot leave any of them out,
HOWEVER some can be set to "-" to skip setting them, this is true for:
<class>, <modes>, <snomask>, <vhost>
In UnrealIRCd the <operclass> will be prefixed by "services:" if not already
present. It is up to you to include or omit it.
If you want to set any swhoises you need to use the SWHOIS s2s command,
other than that this command basically does everything for you,
in fact it uses the same code as the OPER command does.
Most of the "user is now ircop" code has been moved out of cmd_oper() to
a new function make_oper() that is called by both cmd_oper() and cmd_svso().
This function also changes the hook HOOKTYPE_LOCAL_OPER:
It no longer passes a ConfigItem_oper struct, since we can't do that for
remote opers. Instead it passes oper name and oper class.
The complete definition is now:
int hooktype_local_oper(Client *client, int add, const char *oper_block, const char *operclass);
rehash errors such as error: set::geoip-classic::ipv6-database:
cannot open file "/home/xxxx/unrealircd/data/https://www.unrealircd...
and possibly even a crash.
The initial boot of UnrealIRCd, however, was always fine, this only
happened when rehashing.
It also seemed to occur more with ftp:// includes or at least with
multiple parallel includes, that may or may not have different or
more latency. In any case it seemed to affect some remote includes
setups semi-consistently, and others not at all.
The root cause was a complex code path causing a read-after-free.
We now use a simplified code path which can no longer cause this.
The only downside is that rehashing may be delayed up to an extra
250ms (quarter of a second), but that should hardly be noticeable,
if at all.
Issue reported by Bun-Bun.
"./unrealircd reloadtls" and there is now also a "./unrealircd status"
The output is colorized if the terminal supports it (just like on the
boot screen) and also the exit status is 0 for success and non-0 for
failure. The purpose of all this is that you can easily detect rehash
errors on the command line.
These three commands communicate to UnrealIRCd via the new control
UNIX socket, which is in ~/data/unrealircd.ctl.
This also does a lot of other stuff because we now have an internal
tool called bin/unrealircdctl which is called by ./unrealircd for
some of the commands to communicate to the unrealircd.ctl socket.
Later on more of the existing functionality may be moved to that
tool and we may also provide it on Windows in CLI mode so people
have more of the same functionality as on *NIX.
Various things still need to be done: a lot more testing, ability to
set permissions on the file, #ifdef's because of lack of support
on Windows (currently won't compile), etc.
One thing that I don't intend to change is that I chose not to display
the socket in the host but have clients show up as 'localhost' (and
ip '127.0.0.1'). Doing it this way keeps things easy, otherwise we risk
a lot of breakage for nearly nothing gained, really.
Things can be tested via:
listen {
file "/tmp/listen";
}
and then with netcat:
nc -U /tmp/listen
USER x x x x
NICK hai
etc...
For example if the 1st DNS resolver is refusing or ignoring requests.
We forgot to call unrealdns_timeout() in the waiting loop, so DNS requests
never timed out and c-ares didn't try the 2nd/3rd server either.
Issue reported by Elodie.
using mixed UnrealIRCd 5 and UnrealIRCd 6 networks.
This is a slightly complex rewrite of make_mode_str() and do_mode(),
as we nog go from single mode lines to potentially multiple mode lines.
In short: whenever we would be near buffer cut-off point (the famous
512 byte limit) then previously we would prevent the mode, though not
succesfully in all cases where a network consists of mixed 5.x and 6.x.
From this point onward we no longer do that. Instead we convert one
MODE command to two MODE lines if that is needed.
The benefit of this is that we no longer prevent it BEFORE processing
the MODE, which is a flawed method and could be wrong (causing desyncs).
And also, we no longer partially ignore MODE lines from clients when
they would cause the limit to be exceeded, as we replace them with
two MODE lines instead.
These are more changes than I wanted at such a late point but.. they seem
to be necessary to prevent U5-U6 compatibility issues.
to expose to which users and in what detail.
The default configuration is as follows:
set {
whois-details {
basic { everyone full; }
modes { everyone none; self full; oper full; }
realhost { everyone none; self full; oper full; }
registered-nick { everyone full; }
channels { everyone limited; self full; oper full; }
server { everyone full; }
away { everyone full; }
oper { everyone limited; self full; oper full; }
secure { everyone limited; self full; oper full; }
bot { everyone full; }
services { everyone full; }
reputation { everyone none; self none; oper full; }
geo { everyone none; self none; oper full; }
certfp { everyone full; }
shunned { everyone none; self none; oper full; }
account { everyone full; }
swhois { everyone full; }
idle { everyone limited; self full; oper full; }
}
}
Oh, yeah, and for "secure" this also adds displaying of the TLS cipher
in /WHOIS for ircops and self by default. For all others it is limited
to just "is using a Secure Connection".
This also removes the newly added set::geoip::whois-for-anyone since
it is now configured via set::whois-details::geo.
Module coders: HOOKTYPE_WHOIS changed and you may no longer send
directly to the client from this hook. Instead, you should use
add to the NameValuePrioList, usually via the functions
add_nvplist_numeric() and add_nvplist_numeric_fmt().
For inspiration see bot_whois in src/modules/usermodes/bot.c
and reputation_whois in src/modules/reputation.c
Bram Matthys