1
0
mirror of https://github.com/unrealircd/unrealircd.git synced 2026-07-06 16:53:11 +02:00
Commit Graph

10157 Commits

Author SHA1 Message Date
Bram Matthys e238eb7a4f Update release notes a bit
[skip ci]
2024-09-23 12:34:28 +02:00
Bram Matthys afbb0c283b Accept multiple masks in ban ip { } and ban nick { } such as:
ban ip {
	mask { 1.1.1.1; 2.2.2.2; 3.3.3.3; }
	reason "Go away";
}

Or the alternate form:

ban ip {
	mask 1.1.1.1;
	mask 2.2.2.2;
	mask 3.3.3.3;
	reason "Go away";
}

Suggested by magic000 in https://bugs.unrealircd.org/view.php?id=4599

Note that this is not a Mask item, these are special, hence the
special code.
2024-09-23 12:29:35 +02:00
Bram Matthys 403b055756 Fix duplicate_security_group() not inheriting 'ip' entries.
There was a typo where it was inheriting exclude-ip entries as
ip entries. This could have been very dangerous but fortunately
exclude-ip was broken so it was impossible to add exclude-ip
entries and that list was always empty / NULL.

This only affected proxy { } blocks with type forwarded/x-forwarded/
cloudflare. The proxy block worked fine, but we also tried to exempt
these IPs from blacklist checking and connect-flood and this was
NOT effective due to this bug... even though the entries were shown
in "STATS except" with these IPs (because 'printable_list' was
correctly duplicated).

Other than that very particular use-case, this function is not used
at the moment.
2024-09-20 19:28:15 +02:00
Bram Matthys 5ffcefe50a Update release notes on features added today.
[skip ci]
2024-09-20 18:10:39 +02:00
Bram Matthys 7dc3c230a7 Now that we support $variables, add set::oper-vhost so you can set a default
vhost for opers, such as: set { oper-vhost $operclass.admin.example.net; }

If the oper has an oper::vhost then that one will override.

https://www.unrealircd.org/docs/Set_block#set::oper-vhost
2024-09-20 17:54:39 +02:00
Bram Matthys 9a2d54cd01 Support $variables in oper::vhost (for variables see previous commit)
Eg: vhost "$operlogin@$operclass.example.net";

Also add potentially_valid_vhost() function which can be used in
config code to ignore invalid $vars. Then at runtime you use the
real valid_vhost() function after variable expansion by
unreal_expand_string().
2024-09-20 17:26:16 +02:00
Bram Matthys 4557036cd6 Move unreal_expand_string() to an efunc so all code can access it
and use it not only from vhost { } block code but also for like
blacklist::reason.

This so the same variables with the same names are available at
those places.

Supported are:
$nick, $username, $realname, $ip, $hostname, $server, $account,
$operlogin, $operclass, $country_code (xx for unknown),
$asn (0 for unknown).
2024-09-20 17:13:23 +02:00
Bram Matthys 60c0ab8da2 Make vhost::vhost support $variables. Currently supported are:
$nick, $username, $realname, $ip, $account, $operlogin, $operclass,
$country_code (xx for unknown), $asn (0 for unknown).

Note that if a $variable fails to expand, eg $operlogin but the
user is not oper, then the vhost will not be applied. A warning
is sent to the vhost snomask (+s +v) in such a case.

Examples:

/* Set authenticated users to $account.example.org */
vhost { auto-login yes; vhost $account.example.org; mask { identified yes; } }

/* Obviously not really a good idea, but.. to illustrate: */
vhost { auto-login yes; vhost $country_code.example.org; mask *; }

Also, when vhost { } blocks are read and need to be matched, they
are read top-down now, which is the most logical way. First match wins.

All this needs testing :)
2024-09-20 16:48:22 +02:00
Bram Matthys e9ffe5b5e7 Add vhost::auto-login: checks on-connect if user meets ::mask criteria
and if so, it sets the vhost on the user. Except when the user already
has a vhost (eg from anope during SASL).
If vhost::auto-login is 'yes' then you don't need ::login and ::password.

Suggested by PeGaSuS.

Support for variables like $account in vhost::vhost, more examples and
a release notes entry will follow in later commit(s).
2024-09-20 15:43:55 +02:00
Bram Matthys 55c04d9887 vhost: move struct as well, reorder and document. 2024-09-20 14:51:50 +02:00
Bram Matthys fe751fdc9d Move all vhost { } block handling to vhost module.
* Convert to use module-based config handling
* Split part of VHOST command into do_vhost() for later
* Use AppendListItem instead of AddListItem so they are in config-order.
  This is not really important atm but will matter later if we go auto.
* No other code changes at this point
2024-09-20 14:45:52 +02:00
Bram Matthys 51c055d4f0 Mention log.send in release notes
[skip ci]
2024-09-20 13:26:47 +02:00
Bram Matthys a5caf8d625 Update release notes a bit
[skip ci]
2024-09-20 13:20:49 +02:00
Bram Matthys 8e8384628b Fix decode_authenticate_plain() reading OOB.
This is a helper function for modules, it is not actually used by
UnrealIRCd itself.
2024-09-18 15:49:53 +02:00
Valerie Liu 71798963e0 rpc/log: Add ability to send log messages via RPC log.send (#299) 2024-09-17 15:40:03 +00:00
Bram Matthys 7396e6bd77 Fix crash when a server sends an invalid REHASH command.
(This can only be sent by linked trusted servers)

Reported by CaoS in https://bugs.unrealircd.org/view.php?id=6447
2024-09-16 16:42:53 +02:00
Bram Matthys 72c4b718f6 Move remove_dcc_references() to dccallow module. 2024-09-15 17:58:48 +02:00
Bram Matthys c39d763e00 Move 416 lines from src/misc.c to src/modules/quit.c: exit_client() etc.
This so if there is ever an issue, we can hot-patch it. This affects
exit_client(), exit_client_fmt(), exit_client_ex(), banned_client(),
and various (internal) help functions.

This also means you cannot call these functions during TEST/INIT (eg
during REHASH) since the 'quit' module which provides these modules
may not be loaded yet. I don't think that's a situation/problem but
this needs some more testing.
2024-09-15 17:45:25 +02:00
Bram Matthys a41ab32d16 maxperip: use siphash_raw(client->rawip.... 2024-09-14 20:33:57 +02:00
Bram Matthys 2ef39497c7 Similar to previous commit, move maxperip stuff from core to module.
This was in src/hash.c, src/list.c and src/modules/stats.c.
Now all in src/modules/nick.c... or should this go into a new module?

Again, this needs some more testing, like previous commit.
2024-09-14 20:18:22 +02:00
Bram Matthys 710afe7cc7 Move throttling code from src/hash.c to src/modules/connect-flood.c
Better to have this all in one place. Though, must admit, the
config checking is still in src/conf.c and a bit of a hassle to move.

Some testing may be wise to see if everything still works ;)
2024-09-14 19:55:43 +02:00
Bram Matthys fdfe5ba482 Remove raw_client_ip() since we now have client->rawip. 2024-09-14 19:19:21 +02:00
Bram Matthys ca7e4ab966 Prevent +b ~inherit:#chan in #chan. This didn't cause any problem but
doesn't make any sense either, so just reject it. Reported by alice.
2024-09-14 19:07:15 +02:00
Bram Matthys 4504adf149 Remove confusing comment in is_banned...
"Strange things could happen if this is called outside standard ban checking"
that was 15yrs ago when we had global vars like 'ban_ip' and such.
https://github.com/unrealircd/unrealircd/commit/7dee0cdcf17524a072236ff9d27c68c3da665c0a#diff-403251a2e50ed7323ab9c39abb604fd77db527cbb85c2c8ce360249e8ece4907R491-R497

It no longer applies to the current situation.
[skip ci]
2024-09-11 18:44:53 +02:00
Valerie Liu e0459943a3 Show port number in DEBUG_TLS_FATAL_ERROR (#298) 2024-09-10 14:40:33 +00:00
alice 255dfe6bf7 Fix redefinition of struct RPCClient within struct.h, which occurs if you have an old compiler. (#296)
Reported in https://bugs.unrealircd.org/view.php?id=6469 by hughmungus
2024-09-10 14:31:33 +00:00
Bram Matthys b6cdca5525 Fix b->ban_type not being set properly at all places (BanContext).
This probably didn't cause any issues earlier, or maybe it did
with some 3rd party mods, but is relevant now that we have ~inherit.
2024-09-09 16:44:57 +02:00
Bram Matthys 10ec67d163 Fix +I ~inherit:#chan (invite exceptions) 2024-09-09 16:28:22 +02:00
Bram Matthys 1a2d93778e Add small note on +e/+I not working yet for ~inherit. TODO item.
[skip ci]
2024-09-09 16:07:21 +02:00
Bram Matthys 554281d6eb Update curl-ca-bundle.crt to Tue Jul 2 03:12:04 2024 GMT
https://curl.se/docs/caextract.html
[skip ci]
2024-09-09 11:52:31 +02:00
Bram Matthys a9874bc51f Update shipped c-ares to 1.33.1 (Aug 23, 2024) 2024-09-09 11:46:39 +02:00
Bram Matthys bd5c5ca59e In some situations users would hang during the handshake due to forever
waiting DNS lookups. This had to do with c-ares query cache causing a
different (unexpected) code path in UnrealIRCd.
And, somewhat related, c-ares also didn't obey our DNS timeout, as that
value is a "hint" nowadays, so now we set the "max timeout" value.

Fun.
2024-09-08 19:42:11 +02:00
Valerie Liu 879e365ed5 extbans/partmsg.c: Actually check if there's a matching ban before removing the part message (#295) 2024-09-08 16:52:01 +00:00
Bram Matthys 7d62fe9548 Update HELPOP EXTBANS on ~inherit.
[skip ci]
2024-09-08 17:49:01 +02:00
Bram Matthys 8fa8476831 Typoooos in the release notes
[skip ci]
2024-09-08 17:39:42 +02:00
Bram Matthys 70a98d3af2 Update release notes a bit
[skip ci]
2024-09-08 17:36:48 +02:00
Bram Matthys 3c1ef65a00 Add set::max-inherit-extended-bans to configure limits for ~inherit extban:
Looks like this, with the current defaults:
set {
        max-inherit-extended-bans {
                ban 1;
                ban-exception 1;
                invite-exception 1;
        }
}
2024-09-08 17:15:26 +02:00
Bram Matthys decaeec484 HELPOP EXTBANS sorting and some whitespace changes
[skip ci]
2024-09-08 16:41:33 +02:00
Valerie Liu 4c46be691b Update help.conf: Add ~asn to extbans help output (#293) 2024-09-08 14:38:36 +00:00
Valerie Liu ae8b039831 Fix $nick log string in debug message re spamfilter tag (#294) 2024-09-08 14:37:26 +00:00
Bram Matthys c4c72ecaca Fix spamfilter.get unable to retrieve config-based spamfilters.
Reported in https://bugs.unrealircd.org/view.php?id=6467 by adator.
2024-09-08 10:16:15 +02:00
Bram Matthys ee1d6818b4 Add +b/+e/+I ~inherit:#channel to inherit channel bans from another channel
Several notes:
* This only checks on-JOIN (not on nick change, message, etc)
  for performance reasons
* If the #channel in ~inherit:#channel also contains ~inherit
  entries then those are not processed (no recursion and no looping)
* Only a limited number of ~inherit entries is permitted.
  This will be moved to set:: items in a future commit so you
  can set different amounts for +b/+e/+I ~inherit.
* This is work in progress, UnrealIRCd or the entire world could explode
* Documentation will follow later

Developers:
* Sadly, clean_ban_mask() needed to be changed to have two more
  parameters, 'ban_type' and 'channel' were added at different positions.
  This because the module needs the ban type (EXBTYPE_BAN, EXBTYPE_EXCEPT,
  EXBTYPE_INVEX) and channel because it rejects based on number of
  existing ~inherit entries in the channel... and while is_ok() is called
  for local clients and has all this information, for services clients
  is_ok() is not called so the only way to reject the +beI is through
  xxx_conv_param() which comes from clean_ban_mask().
2024-09-07 21:02:15 +02:00
Bram Matthys e17e11dd73 Make "MD" S2S command support BIGLINES. We don't need it now but maybe
in the future we will, or some third party module. And then it would
be nice if all servers on the IRC network support it, of course.
2024-09-05 20:06:58 +02:00
Bram Matthys 99bc061a74 Fix require authentication { } not allowing SASL users in.
It was behaving like a ban user { } block.

Reported by Jellis in https://bugs.unrealircd.org/view.php?id=6464
2024-08-30 20:01:20 +02:00
Bram Matthys bfb41612c8 Sync release notes with upcoming 6.1.7.2 dot release.
6.1.7.2 does not exist in git and will be:
* Version bumped from 6.1.7.1 to 6.1.7.2
* 5092fa985d (cbl-timeout-fix)
* 624d1d189c (remove curlinstall)

[skip ci]
2024-08-24 08:16:04 +02:00
Bram Matthys 21476d6896 Fix ./unrealircd hot-patch in case of zero byte patch file.
Such a file is served if the UnrealIRCd version is unaffected.
It printed "This UnrealIRCd version does not require that patch"
but then instead of stopping it continued.. which wasn't all
that bad before GPG/PGP but now it causes failures and scary
warnings.

(See also 035f487684 which
 introduced GPG/PGP)

[skip ci]
2024-08-20 13:46:36 +02:00
Bram Matthys 5092fa985d Central Blocklist: fix issue with clients being killed if too slow.
We already allow users in after 10 seconds if CBL is too slow, and
that part worked correctly. However 5 seconds later, when the URL
API 15 second timeout hits, it would try to allow the user in AGAIN.
This caused the user to be introduced twice, causing remote servers
to kill the user, and also screwing up user counts.

Reported by multiple people, including Jellis who actually filed
a report with logs, and alice providing logs as well, all when CBL
was temporarily down for a few hours in August 2024. In hindsight
this bug was already reported by k4be back in November 2023 but
was more rare at the time and mistaken for another very similar
bug that was fixed in 6.1.3.

With this patch, we check before we call cbl_allow(), but also
cbl_allow() itself checks the "user already allowed in?".

Oh yeah and this is hot patchable, within the hour I will make
this work: ./unrealircd hot-patch cbl-timeout-fix
2024-08-20 13:29:08 +02:00
Bram Matthys 035f487684 Add GPG/PGP signature verification for ./unrealircd hot-patch/cold-patch.
Similar to what we already do in './unrealircd upgrade' (in fact, code
stolen from that extras/unrealircd-upgrade-script.in file)
2024-08-10 15:58:35 +02:00
Bram Matthys 624d1d189c Remove curlinstall script. As https remote includes work without cURL,
most people don't need cURL support anymore anyway.
For those who do, they can install curl as a system library.

This also warns and unsets curl on ./unrealircd upgrade
and during ./Config when upgrading, but only for the 'curlinstall'
cases. Not for people who use system curl, since that is
totally fine to use :).
2024-08-10 14:54:03 +02:00
Bram Matthys a31394dd52 Shut up a warning related to unchecked set_client_ip() 2024-07-22 08:07:40 +02:00