Since OpenSSL decided not to use the regular ciphers but make this a
separate option, we now make this a separate option as well.
So there is ::ciphers for <=TLSv1.2 and ::ciphersuites for TLSv1.3
More documentation will follow.
Patch from 'i' in https://bugs.unrealircd.org/view.php?id=5149
Add the ASCII character codes for strikethrough (0x1E, 30) and
monospace (0x11, 17) to the _StripControlCodes function. This
addresses those formatting characters not being filtered when the
"nocodes" module is loaded.
See https://modern.ircdocs.horse/formatting.html#characters
any other bans that will cause the user to be disconnected.
For technical details see the banned_client() function.
It's likely I made some mistakes somewhere => testing required!!
from antirandom checking because they frequently cause false positives.
This new behavior can be disabled via:
set { antirandom { except-webirc no; }; };
Suggested by The_Myth in https://bugs.unrealircd.org/view.php?id=5007
This is meant to blacklist modules that are in modules.default.conf (or
elsewhere). The 'loadmodule' line for any such module is effective ignored.
https://bugs.unrealircd.org/view.php?id=5118
Note: I had to move the loadmodule code. Previously this was done as each
config file (include) was loaded into memory. Now it is done after *ALL*
config files have been read into memory. This shouldn't matter for module
devs, though..
Compiling already works (this is already tested by AppVeyor for quite a
while), but the installer in git required VS 2015. The actual releases
up to now required VS 2012.
To be more precise, either VS 2015 Redist or VS 2017 Redist is enough,
the x86 version that is, as they are binary compatible and both provide
"version 14". So if one of those is installed, the installer just runs.
If neither of these is installed we tell the user to install the VS 2017
Redist package, not mentioning 2015 as it would only cause confusion.
is found. This fixes an issue on Ubuntu 18 where the library is
stored in /usr/include/x86_64-linux-gnu and ./Config doesn't detect
it and thus reverts to using local-curl.
curl enabled but without system curl, the build could fail with
an libCURL configure error. This is is because it imported the
CURLDIR but it referred to an old UnrealIRCd directory.
Reported by The_Myth (#5106)
For example Ubuntu 16.04 LTS with OpenSSL 1.0.2g.
Especially in strict config it would error 'No shared ciphers'.
Had to do with #if(def) ordering. SSL_CTX_set_ecdh_auto() is
still required in 1.0.x even if SSL_CTX_set1_curves_list() is
used. Understandable.
Change from this TLSv1.2 and TLSv1.3 message:
*** You are connected with TLSv1.2-ECDHE-RSA-AES256-GCM-SHA384-256bits
*** You are connected with TLSv1.3-TLS_AES_256_GCM_SHA384-256bits
To this:
*** You are connected with TLSv1.2-ECDHE-RSA-AES256-GCM-SHA384
*** You are connected with TLSv1.3-TLS_AES_256_GCM_SHA384
Since: 1) those bits are redundant (AES 256 is already mentioned),
and 2) Bits are also not an universal method to measure strength across
algorithms (think: elliptic curve).
(Not too surprising when add is 0 and delete is 1)
Not fatal, as error was still handled & send, but it went to
all opers instead of just the one person adding it..
the following remarks:
* We only set these curves if SSL_CTX_set1_curves_list() is available
(OpenSSL 1.0.2 or later, LibreSSL 2.5.1 or later)
* The X25519 curve is only added if it is available (OpenSSL 1.1.0+)
This requires OpenSSL 1.0.2 or newer (released on 22 Jan 2015).
Also fix a bug with OpenSSL 1.1.0+ where - due to removal of an API
function - we accidentally forced curve P-256 rather than automatic
selection. That sucks because the automatic selection (since 1.0.2+)
allows supporting multiple curves and selecting the highest one.
+dnl This is purely for charsys.c... I like it so we can easily read
+dnl this for non-utf8. We can remove it once we ditch non-utf8 some day
+dnl of course, or decide to ignore me and encode them.
-int hooktype_mode_deop(aClient *sptr, aClient *victim, aChannel *chptr, u_int what, char modechar, long my_access, char **badmode);
+int hooktype_mode_deop(aClient *sptr, aClient *victim, aChannel *chptr, u_int what, int modechar, long my_access, char **badmode);
.. this to get rid of a compiler warning and potential problem.
Can't safely use shorts with variable argument functions I think,
or maybe only with reduced type checking which is not what we want.
-void hooktype_channel_synced(aChannel *chptr, unsigned short merge, unsigned short removetheirs, unsigned short nomode);
+void hooktype_channel_synced(aChannel *chptr, int merge, int removetheirs, int nomode);
m_pass and m_topic.c when duplicating strings with a length limit.
+/* strldup(str,max) copies a string and ensures the new buffer
+ * is at most 'max' size, including nul byte. The syntax is pretty
+ * much identical to strlcpy() except that the buffer is newly
+ * allocated.
+ * If you wonder why not use strndup() instead?
+ * I feel that mixing code with strlcpy() and strndup() would be
+ * rather confusing since strlcpy() assumes buffer size including
+ * the nul byte and strndup() assumes without the nul byte and
+ * will write one character extra. Hence this strldup(). -- Syzop
+ */
The output of /IRCOPS isn't meant to be client parsable anyway (which
can be seen by the use of bold text and such), so using a generic
numeric rather than wasting two others seems sensible.
Reported by The_Myth in #5066.
We only parsed the first A record reply, so if the blacklist returned
multiple results /and/ you would not have all those types in your
blacklist { } block then you could miss a hit (false negative).
On *NIX now always redirect stdin, stdout and stderr to /dev/null for
safety and to prevent any ssh hanging as reported by mbw (#5087).
This code needs some testing on non-Linux though it should be all
POSIX, unless I missed something... :)
This is for easier parsing of the "MODE yournick" response.
From:
:maintest.test.net 008 testuser :Server notice mask (+kcfjvGqSso)
To:
:maintest.test.net 008 testuser +kcfjvGqSso :Server notice mask
Reported by emerson in #5079.
listen::ssl-options, sni::ssl-options or link::outgoing::ssl-options
are used. In short: it only reloaded the ones from set::ssl until
now. Bug reported by Mr_Smoke (#5072)
Built-in time synchronization was added in 2006 when many computers did not
do time synchronization by default. Nowadays nearly all operating systems,
including many Linux distro's, Windows and OS X have time synchronization
enabled out-of-the box.
You can still re-enable the built-in timesynch feature via:
set { timesynch { enable yes; }; };
..but you should really use NTP instead.
This affected the following errors:
* Max SendQ exceeded
* Excess Flood
* Flood from unknown connection
* SSL Handshake flood detected
* Rejected link without SSL/TLS
* Various errors from the websocket module
* Other errors generated by 3rd party modules
This posed a limitation with utf8 PROTOCTL NICKCHARS=... and
potentially PROTOCTL SERVERS=... if having more than 32 servers.
The limitation has now been removed (buffer length = 512)
Also call the UTF8 charsys support experimental. Not so much because
of issues in UnrealIRCd that are unique to utf8 but because of the many
"but's" such as lack of services support. And people suddenly waking up
and realizing there never was improved CASEMAPPING and "visually identical
character checks" in original charsys either.
This is the "non breaking space" outside UTF8 and thus was previously
blacklisted. Keeping it blacklisted even if it appears in UTF8 is not
really an option as it means some UTF8 characters can never be used,
like the letter "nun" in Hebrew, and likely others.
module but at least the code can be updated on the fly (or replaced
with some other secondary alternative module in the future).
src/charsys.c -> src/modules/charsys.c
This also means everyone needs to load the modules/charsys module.
See https://www.unrealircd.org/docs/Nick_Character_Sets
Example: set { allowed-nickchars { latin-utf8; }; };
Important remarks:
* All your servers must be on UnrealIRCd 4.0.17 (or later)
* Most(?) services do not support this, so users using UTF8 nicknames
won't be able to register at NickServ.
* In set::allowed-nickchars you must either choose an utf8 language
or a non-utf8 character set. You cannot combine the two.
* You also cannot combine multiple scripts/alphabets, such as:
latin, greek, cyrillic and hebrew. You must choose one.
* If you are already using set::allowed-nickchars on your network
(eg: 'latin1') then be careful when migrating (to eg: 'latin-utf8'):
* Your clients may still assume non-UTF8
* If users registered nicks with accents or other special characters
at NickServ then they may not be able to access their account
after the migration to UTF8.
[!] Work in progress [!]
"SSL_accept(): Internal OpenSSL error or protocol error: tls_process_client_hello: unsupported protocol"
rather than just
"SSL_accept(): Internal OpenSSL error or protocol error"
Perhaps it can be shortened in a later version if this is acceptable.
This can help with tracing server linking errors, and/or
if using the junk snomask (MODE nick +s +j).
Naturally this is only available if the extbans/timedban module is
loaded and you should do so on all your servers on the same network
if you want to avoid confusion/desynchs.
These are bans that are automatically removed by the server.
The duration is in minutes and the mask can be any ban mask.
=> Note that you need to load the extbans/timedban module!
Some examples:
* A 5 minute ban on a host:
+b ~t:5:*!*@host
* A 5 minute quiet ban on a host (unable to speak):
+b ~t:5:~q:*!*@host
* An invite exception for 1440m/24hrs
+I ~t:1440:*!*@host
* A temporary exempt ban for a services account
+e ~t:1440:~a:Account
* Allows someone to speak through +m for the next 24hrs:
+e ~t:1440:~m:moderated:*!*@host
* And any other crazy ideas you can come up with...
For example if you had:
set { restrict-extendedbans "a"; };
Then this would be rejected:
MODE #chan +b ~a:Account
However, you could still set:
MODE #chan +b ~q:~a:Account
Now this is properly rejected as well.
Fix case where conv_param() returns NULL (ban rejected)
causing is_ok() function not to be called so the user
never sees the error. We now try to call the is_ok after
conv_param returns NULL.
So not really an API change, more like a fix.
the WEBIRC gateway gives us some assurance that the
client<->webirc gateway connection is also secure (eg: https).
This is the regular WEBIRC format:
WEBIRC password gateway hostname ip
This indicates a secure client connection (NEW):
WEBIRC password gateway hostname ip :secure
Naturally, WEBIRC gateways MUST NOT send the "secure" option if
the client is using http or some other insecure protocol.
https://github.com/ircv3/ircv3-ideas/issues/12
In 3.2.x we didn't fix these bugs since servers are trusted and
should send correct commands. In 4.0.x we changed this so we would
fix them when we come across such issues at normal priority (not
consider them security issues). I now took it a step further and
actively checked/looked for these issues and a bunch of them were
found. Almost all are NULL pointer dereferences, with some exceptions.
* S2S: MODE: check conv_param return value (NULL ptr crash)
* S2S: MODE: floodprot: More checks (NULL ptr crash)
* S2S: MODE: OOB write of NULL (write NULL past last element in an array)
* S2S: NICK: old compat fixes (NULL ptr crash)
* S2S: PROTOCTL: Check for double SID=
* S2S: SERVER: require at least 3 parameters (NULL ptr crash)
* S2S: SJOIN: require at least 3 parameters (NULL ptr crash)
* S2S: SJOIN: Fix OOB read (read 1 byte past buffer)
* S2S: TKL: validate set_at and expire_at (NULL ptr crash)
* S2S: TKL: require at least 9 parameters for spamf, not 8 (NULL ptr crash)
* S2S: TKL: ignore invalid spamfilter matching type (remove abort() call)
* S2S: TOPIC: querying for topic is not permitted (NULL ptr crash)
* S2S: UID: require 12 parameters (NULL ptr crash)
* S2S: WATCH: this is not a server command (NULL ptr crash)
* Fix OOB read (1 byte beyond string) for timevals. This was reachable
from config code, TKL (S2S) and /*LINE (Oper). In practice no crash.
* MODE: make code less confusing (effectively no change)
* TRACE: remove strange output in case of 0 lines of output
* Fix unimportant memory leak on boot (#4713, reported by dg)
* Fix small memory leak upon 'DNS i' (oper only command)
* Always work on a copy in clean_ban_mask(). This fixes a bug that could
result in a strlcpy(buf, buf, sizeof(buf)). So, overlapping strings,
which is undefined behavior.
* API change for HOOKTYPE_PRE_INVITE:
(aClient *sptr, aClient *target, aChannel *chptr, int *override)
Modules must now send the error message instead of only returning
HOOK_DENY. Also check for operoverride and set *override=1.
This so modules can send their own error messages instead of the
default message being sent ("channel is +V" - which is not true).
Reported by Gottem (#5023).
2) Use 'iscc' rather than 'compil32' since the latter pops up a
dialog box which blocks the entire build process.
3) Apparently the VS2017 image has a broken VS2012 since it bails
on winsock.h. So try to use different images for both builds.
set::handshake-delay of 2 seconds by default. This will allow (most)
DNSBL checking to be finished before the user comes online, while
still allowing a smooth user experience.
If your DNS(BL) is slow then you could raise this setting slightly.
https://www.unrealircd.org/docs/Link_verification
This is only outputted if both sides are 4.0.16+ so we can use spkifp
and use the same instruction on both sides of the link.
(If we would do it for previous versions then we would only give
half of the instructions to the users, which makes no sense)
password "AHMYBevUxXKU/S3pdBSjXP4zi4VOetYQQVJXoNYiBR0=" { spkifp; };
This value will stay the same even for new SSL/TLS certificates,
as long as the key stays the same. This can be useful in case of
Let's Encrypt (if you use a tool that keeps the same key, that is,
certbot does not at the moment). Suggested by grawity (#5014).
Also make auth type 'sslclientcert' available as 'cert' and
make 'sslclientcertfp' available as 'certfp'.
There is now '/spamfilter del' which will output all spamfilter along with
the appropriate command to delete each spamfilter (by unique ID).
This way it should be easy for anyone to delete an existing spamfilter.
We also refer to this new feature from '/spamfilter', '/stats spamfilter',
etc.
places by spamfilters (and some other systems) to be placed not on *@ip
but rather on user@ip. Note that this won't work for ZLINE/GZLINE since
no ident/username lookups are done in such cases.
Bit of a niche feature but okay..
on the IP and thus result in an XX.YY.ZZ.IP cloaked host.
This so you can have "IP cloaking" without disabling DNS lookups.
GLINES on hosts still work and IRCOps (and yourself) can still see
the host in /WHOIS.
Requested in 4957 by Gottem and The_Myth.
and set::sasl-server is not set by the administrator. Looks like this:
*** Services server 'services.test.net' provides SASL authentication, good! I'm setting set::sasl-server to 'services.test.net' internally.
Hopefully this will increase SASL availability significantly.
That is, once anope and atheme start sending the saslmechlist to us,
of course ;) (see commit d6e26d59e5)
This so saslmechs are properly sent in case of services (re)connect,
otherwise the CAP NEW is sent too early when the saslmechs are
not known yet.
NOTE: This makes sending "EOS" mandatory for any SASL servers.
You should be doing this since 14 years ago (it was added
in 3.2beta18 in August 2003) so hopefully that is the case.
Anope is good anyway :)
Fix force-rejoin not working if doing SVSMODE -x/+x (Koragg, #5015).
Note to module coders:
Please use the following procedure in case of an user/host change:
* userhost_save_current(acptr);
* << change username or hostname here (or both) >>
* userhost_changed(acptr);
This function will take care of notifying other clients about
the userhost change, such as doing PART+JOIN+MODE if force-rejoin
is enabled, and sending :xx CHGHOST user host messages to
"CAP chghost" capable clients.
Also, small note to everyone:
If force-rejoin is enabled we will not send the PART+JOIN+MODE to
"CAP chghost" capable clients. Doing so is just a hack to notify
people of a userhost change. "CAP chghost" users can thus benefit
from the reduced noise in this respect.
would allow you to use -f even if the IRCd is suid or sgid.
This is not anything we or you ever want to permit since this is
a major security problem. This setting is now gone. I doubt
anyone used it.
You should always use https://www.unrealircd.org/ for stable releases.
In case you wondered what happened with 4.0.15: that version consists
of cherry-picked / backports of the two crash fixes from this 'unreal40'
development branch. The current code simply wasn't ready yet for a
rushed security release.
Delete CAP CLEAR as it's use is discouraged (too much trouble).
Delete CAP ACK (from client2server) as this is only for CAP's with
ack modifiers. This is something we don't use, and which has been
deprecated in v3.2 of the spec.
This permits multiple blocks like..
webirc {
mask *;
password "....." { sslclientcertfp; };
};
..should you need it.
In other words: we don't stop matching upon an authentication failure.
because so many people had a broken system/wget/curl, that is: without
the appropriate trusted CA certificates installed. If this is still
the case, then: too bad. People who DO have a proper setup shouldn't
be held back with regards to security by such users.
This so upcoming UnrealIRCd version will work with TLSv1.3 whenever it
becomes an official standard and is included in OpenSSL/LibreSSL.
(Verified to work with openssl git master branch)
to validate the certificate of the link, making sure that:
1) The certificate is issued by a trusted Certificate Authority (CA).
2) The name on the certificate matches the name of the link block.
Some things still need to be done: documentation, more testing, and
using the X509_check_host() function when available.
Nobody used this option and it only caused the following confusing
(and potentially insecure) behavior:
Previously if you had 'verify-certificate' enabled then the certificate
would be checked, BUT if it was a self-signed certificate (and thus
not passing verify-cert) it was STILL allowed unless you also
specified the 'no-self-signed' option. This might be correct as per
documentation but is way too confusing for the user.
Now you simply have to choose whether you verify the certificate or
not. No special handling for self-signed certificates.
connected to a server introducing himself as irc2.test.net. This
was rather confusing, of course. Wasn't much of a security issue since
this only happened in outgoing connects and naturally all authentication
need to pass as well.
This is done for users on shared IRCd shells[*] which may be used to (or
forced to) connect services via their alias IP rather than 127.0.0.1
due to bind restrictions. This, in turn, to ease the transition to
set::plaintext-policy::server deny.
[*] Side-note: The UnrealIRCd team recommends using a VPS and not a
shared shell, as the latter is considerably less secure.
* The 'ban too broad' checking was broken. This permitted glines such
as 192.168.0.0/1 being set. Now it rejects CIDR of /15 and lower.
To disable this safety measure you can (still) use:
set { options { allow-insane-bans; }; };
Docs: https://www.unrealircd.org/docs/Set_block#set::ssl::sts-policy::port
Example:
set {
ssl {
certificate "ssl/server.cert.pem";
key "ssl/server.key.pem";
sts-policy {
port 6697;
duration 180d;
};
};
};
IMPORTANT: Only use this if you know what STS is and what the
implications are. The most important things being A) set a correct
port and B) you need a 'real' SSL certificate and not a self-signed
certificate.
More documentation may follow at another place.
Module coders:
* The cap->visible(void) callback function is now cap->visible(aClient *)
* There is a new cap->parameter(aClient *) callback function.
* Various updates to subfunctions to pass 'sptr' (due to the above),
including clicap_find(sptr, ...)
* New CLICAP_FLAGS_UNREQABLE flag
Other:
* There is a new (src/)modules/cap directory containing the sts module,
well.. once I commit it :D
value needs to be much higher than the number of clients the IRCd
should be able to hold. The new value is 10k which should allow
at least 1-2k clients.
and at some other places (any place which uses the 'mask' system).
This allows things like:
deny channel { channel "#help*"; };
allow channel { channel "#help-nolan"; mask !192.168.*; };
allow channel { channel "#help-lan"; mask 192.168.*; };
Similarly in vhost blocks etc etc..
This so you can easily add allow/deny channel blocks for IP ranges.
Possibly not so useful for services-networks (ban/akick is very similar)
but has some use on serviceless networks.
For example: '+f [5j#i1,5m#m1,3n]:3' and then '+f [5j#i1,5m]:3'
In that case the '3n' was not removed and still effective, as
could be seen by a '/MODE #chan'. Reported by The_Myth (#4883).
[warning] Your server is not listening on any SSL ports. It is recommended to listen on port 6697.
[warning] Consider adding this to your unrealircd.conf: listen { ip *; port 6697; options { ssl; }; };
services software send this which cause a crash. Now simply rejecting at
the start of the function.
To services coders: you must maintain client lists/state, not do silly things
Note that they are NOT loaded by default at this time.
The modules are:
* extbans/textban - +b ~T:censor:*badword*
* usermodes/privdeaf - user mode +D: cannot receive PM's
* antirandom - "randomness" detector against drone attacks
* hideserver - hide servers (not real security, but requested)
* jumpserver - redirect users to another server during maintenance
* m_ircops - show which ircops are online (/IRCOPS command)
* m_staff - show custom file (/STAFF command)
* nocodes - don't just strip/block colors, do the same for reverse/bold/..
The existing README and sample configuration files for these modules
will later be added to the official UnrealIRCd documentation on
https://www.unrealircd.org/docs/Main_Page (just search on the module name).
This allows you to for example specify a specific certificate/key on an
serversonly port and in link block (a self-signed 10 year valid certificate)
and use a short-lived (XX day) Let's Encrypt certificate on the other ports.
And several other uses, of course.
so you can use IRC directly from HTML5/JS. It is still considered experimental
but feel free to test it out. To do so, add this to your unrealircd.conf:
loadmodule "websocket";
This module was sponsored by Aberrant Software Inc.
Previously <= 0 would stop processing. Now this has changed to:
>0: continue and parse as-is (this was already the case)
0: don't parse but continue reading next packet (if there's any data)
-1: stop parsing, don't read any packets (client may be killed/FLUSH_BUFFER)
Services coders: you can now set "SVSMODE Nick +d" to set the 'deaf' user
mode. Note that "SVSMODE Nick +d svsidhere" also still works. This should
be a harmless change, unless some services packages are accidentally trying
to set emtpy svsids like "SVSMODE Nick +d "... if you do, then the target
nick will be deaf now..
Only build main binary with -fPIE, not the modules. It's called Position
Independent EXECUTABLE after all. And apparently not all compilers or
linkers ignore the option if building shared objects (mine did..).
as it is the default in 4.0.8+. However, it shouldn't break the build if
specified. Fixed damn silly reversed logic at a few places that caused this...
We now set LDFLAGS during configure with -Wl,-rpath=/home/xyz/unrealircd/lib so
the curl test won't fail (or more precisely, curl's c-ares test).
Could theoretically fix other issues as well, but could not reproduce.
First of all, system-wide curl is much preffered, but if not available
then UnrealIRCd will offer to install curl for you during ./Config.
The prompt looks the same as before but we no longer install the curl
library in ~/curl but rather in ~/unrealircd/lib (or wherever you put
your installation).
Basically, it now behaves exactly the same as c-ares, TRE and PCRE.
Downside: curl will be re-compiled each time you re-run ./Config
Upside: curl will be re-compiled each time... :D.. will thus be kept
more up to date.
**
Also: complain if <curlinstall>/bin/curl-config cannot be found.
This ensures we error after ./Config rather than after the whole of
configure has been ran.
then change the default value to /usr (or similar) during ./Config and
output a warning.
We do this since system-wide cURL is under almost all circumstances
preferred as it is maintained by your OS/distro and hence receives bug
fixes and security updates on a regular basis (or should, anyway).
Experience shows that ~/curl is rarely kept up to date since "it works".
In the past, many years ago, system wide cURL did not have AsynchDNS.
Nowadays nearly all distros build cURL with some sort of AsynchDNS
which makes things much more useable.
this on the basis that cURL may be using one c-ares version and UnrealIRCd
another c-ares version, something which obviously can lead to failure due
to ABI differences..
Many years have passed since then and cURL is now frequently build with
AsynchDNS support but without the help of c-ares (eg: on Debian). We can
support this configuration without requiring --with-system-cares since
c-ares is not used by cURL and there's no conflict.
options by default. This enables full RELRO (GOT and PLT being read-only),
stack protection and address space layout randomization (by enabling PIE,
the actual ASLR is left up to kernel).
Will cleanup some silly stuff later.. and have a go at the libs stuff..
code clutter and was broken anyway (especially CHROOTDIR)...
For a CHROOTDIR replacement we suggest using AppArmor, SELinux, FreeBSD jails, ..
For a IRC_USER/IRC_GROUP replacement you can use start-stop-daemon or similar.
Accepted values are: All (enable all), TLSv1, TLSv1.1, TLSv1.2
You can use + and - modifiers, in fact you are encouraged to.
Example: set { ssl { protocols "All,-TLSv1,-TLSv1.1"; }; };
This will only allow TLSv1.2 at time of writing, and later whenever
TLSv1.3 is released it will allow TLSv1.2 and TLSv1.3.
Note that 'SSLv2' and 'SSLv3' do not exist, as UnrealIRCd 4.x never
supported these old versions (and never will).
Tech: MODE_EXCEPT and MODE_INVEX and had a parameter=0 count in cFlagTab
causing parse_chanmode() not to eat the 'e' and 'I' parameters. Thus
causing the wrong parameter (target) to be returned by parse_chanmode().
users didn't read and close the error screen. Instead they hit the "rehash" command
from the sytem tray and this would crash UnrealIRCd. From now on if you do that a
messagebox will show up saying you should pay attention to the error screen ;)
Fix SQUIT documentation, send ERR_USERSDONTMATCH when trying to change modes for other users, fix some typos, remove old HTM stuff. Resolves#2549, #3691 and more.
Tizen, DBoyz and Valdebrick helped tracing the issue.
Removed MATCH_USE_IDENT since it had no useful purpose.. for all cases one has to check identd first and then non-identd anyway.
* Updates to make UnrealIRCd use LibreSSL
* Fix HTTPS support in cURL
* Forgot to ship curl-ca-bundle.crt
(Note: all 3 points from above only affect Windows)
2) link::outgoing::bind-ip is an IPv4 address, and
3) link::outgoing::hostname is a hostname, and
4) this hostname has both A and AAAA records,
then connect by IPv4 only, which is what the user expects (#4615).
The user is not 'registered' yet at this point, so manually inform
services of their IP address (the syntax is "H <realhost> <ip>").
Services might use this when informing the user of failed auth attempts,
or when ratelimiting bruteforce.
Patch used only with minor changes: one %i should have been %s, some annoying (char *) casts removed which existed in the original code as well, moved 'tmp' variable, collapsed NULL initalization, ..
There were a few flaws in the code: 1) it should close the listener on /rehash,
shouldnt't matter if there are clients or not, 2) then there was a bug where it
would properly close the listener but it would be re-opened by add_listener2.
Also added a "IRCd no longer listening on .." message if you remove a listen block.
You can still see the full list of loaded modules by using "/MODULE -all".
Also fix /MODULE <server>, this was broken in earlier versions by nen.... you know who.
extban +e/+I ~S:xxx worked fine (only checked locally). But this also prevented services from being
informed, IOTW: services could not make use of this new certfp feature yet.
When a user is shunned (eg /tempshun user ), the command PING cannot be used (PONG can so answer server PING).
Some clients like irssi are using PING command to compute the server lag, so when an irssi user is shunned, the lag displayed in irssi start ton increase, giving a way ton know if he is shunned.
After 320 sec of lag, irssi will reconnect, bypassing automatically the tempshun.
This resulted in 5-10 changes in the existing code where parameters were off.
Hopefully I didn't make too many mistakes when writing the hook prototypes as it was a tedious job.
An (unintentional) benefit of this new system is that you can see the hook prototypes in include/modules.h like:
/* Hook prototypes */
int hooktype_local_quit(aClient *sptr, char *comment);
....
Though, the wiki is likely a better place: https://www.unrealircd.org/docs/Dev:Hook_API
PROTOCTL EAUTH=servername,protocolversion,flags,unrealversiontext
This makes deny link { } work again and gives a bit more information too.
Bug reported by GLolol (#4408).
AUTH is a valid nickname so sending notices to it is probably not
a good idea. Use * as the target instead as done with numerics
when the nick is not available.
This mimics the behaviour in Charybdis, IRCD-Hybrid, InspIRCd 2.2,
Plexus 4, etc.
Re-implemented PROTOCTL SERVERS= which nenolod ripped out (#4355).
Add 2nd argument to PROTOCTL EAUTH=servername,unrealprotocol
Change UnrealProtocol from 2350 to 2351
No UnrealIRCd code reads from parv[0] anymore.
Perhaps later, after a few stable versions, we'll turn this into something more useful. Or not. But not soon.
Added swhois_add / swhois_delete functions which also take care of broadcasting
New remove_oper_privileges() function, will move the rest to use this (svsnoop svsmode etc)
Not finished yet...
Change MOD_TEST/MOD_LOAD/etc macro's (this breaks all modules). Now just use this:
MOD_INIT(modulename)
{
// you can access modinfo here.. or other stuff...
}
(Similar to the CMD_FUNC() macro)
Rather than:
DLLFUNC int MOD_INIT(name)(ModuleInfo *modinfo)
{
//...
}
with a default of 3:90 (3 joins per 90 seconds). There's rarely any need
to configure this on a per-channel basis and this way it's enabled by
default for everyone (unless you decide not to load load the module)
easily deal with "parameter eating" of unknown channel modes.
Now, 12 years later, finally added the code to do this.
This prevents some (serious) desynching if you have a parameter-eating
channel mode on one server and not on the other.
Obviously, you should always try to have the same featureset on all
servers, but sometimes this is not possible, like when upgrading..
Will still manage UnrealIRCd as a pref pane probably and system service, but should have an agent present so it's easier to admin when you're _logged in_
2) Call DNS routines more often, not just once per second.
2) Slightly lower the DNS timeout, max 2500 + 5000 = 7500ms now. Previously was 3000 + 6000 = 9000ms.
* remove netadmin, services-admin, admin, co-admin.
* remove all oper flags (there are some placeholders for the next... <24hrs..)
* ADMINCHAT and NACHAT are gone, since admin & netadmin no longer exist
* SVSO used oper flags, but this no longer exists, SVSO removed. maybe later we can add some sort of replacement.. maybe..
* re-style the m_oper code a bit
Not totally tested - I validated it built, I validated ACL validation worked, I validated that most of the ripped out functionality seemed to be absent, eg: we still set the modes (backwards compat w/ services?) but we don't actually check them anywhere, or add them to your whois.
Also make the '?' and '!' prefixes in channels in /WHOIS output more generic:
both mean you only get to see the channel because you are an ircop, but:
'?' means the channel is +s/+p too (so take extra care)
and '!' means the channel is public but for other reasons hidden in /WHOIS, like umode +p (later) or umode +S.
* detect "ircd not running" situations better
* ./unrealircd stop now kills the ircd in a more friendly matter.
* if you run './unrealircd restart' it will now also start the ircd even if it was not presently running.
Apparently neno.. ripped out this code so you could like run './unrealircd
start' 5 times and would then have 5 ircds running, of which 4 were not doing
particularly useful things.
Rather than just stating the error, we now also tell the user what to do.
* Change many configuration parse warnings into errors as this is (much)
more helpful to the user since the config file isn't going to load
properly anyway. Any subsequent 'missing xyz block' errors are not
shown on parse errors. That's good as they are often just missing
because of the parse errors so such errors would be confusing.
* Fix upgrade-conf strange behavior on \\ and \" in spamfilters. Was
actually caused by config parser (and not the updconf code).
* Remove .tmp file file which may be left if we crashed during upgrade-conf
Original file is (of course) backed up as .conf.old.
Currently handled changes in this upgrade: loadmodule, me, link, throttle, spamfilter, allow, vhost, oper.
I think those are all right now. Please report any failures / strange issues on bugs.unrealircd.org
Coders: added generic mask functions: unreal_mask_match(), unreal_add_masks() and unreal_delete_masks().
These deal with one or multiple masks and do all the work for you ;)
Still requires module and core hooks to be added, config test to be added, and to require these for perm validation - this enables core parser and querying of system though
* add general matching framework (aMatch type, unreal_match_xxx functions)
* change spamfilter { } block syntax
* add support for simple wildcard matching (non-regex, just '?' and '*')
This is the initial commit so the new lib is not in yet, 'regex' is not
functional (but 'posix' and 'simple' are working), linking has not been
fully tested and no warnings are printed yet. IOTW: work in progress!
you want to permit re-loading but not complete un-loading of your module.
This way you get the benefits of being able to upgrade code on-the-fly but
can still disallow the user to do something potentially unwise.
For services who allow you to log in by account name but still allow you to
use a different nick: when you're logged in you are now considered
registered as far as channel mode +M (only registered users may speak and
+R (only registered users may join) are concerned. Same for user mode +R
(only allow private messages from registered users).
Tech: whenever services set SVID and it's not * and does not start with a
number, then we consider this user to be 'logged in'.
Whenever a user is set +r (s)he is also considered 'logged in'.
This way it's compatible with both older and new services and doesn't
introduce security issues with older services using servicetimestamp
for nick tracking or other means.
This issue was reported by ShawnSmith (#4318).
1) No arguments: UnrealIRCd will prompt you to enter a password and hash
it with the bcrypt algorithm. This is the recommended method.
2) One argument: It will hash the provided password with bcrypt
3) Two arguments: It will use the hashing algorithm of your choice (1st arg)
to hash the provided password (2nd arg)
We recommend to use syntax #1 as bcrypt is the best algorithm available and
by using the prompt the password won't end up in your bash history (or
whatever shell you use) and can't be snooped by other people with a shell
on the same machine (by looking at the process list)
Now you can just add password "$ZaJw56to$uSEc[etc..]"; to your configuration file without needing an explicit { md5; }; or { sha1; };.
Naturally you can still specify an auth-type if you want to, and for types like 'sslclientcert' it's still required.
We no longer support builds without OpenSSL - consequently we have no reason to keep our custom MD5 implementation, and probably shouldn't keep it around
Parsing of commands based on permissions was incorret - if a command was not a user facing command explicitly, it would be denied for a user, furthermore if it was a server issuing the command, and it also was an oper command, it would be denied for similar reasons - corret parsing now in place.
Modules that take parameters to chanmodes cannot be unloaded at this time, we probably want to investigate adding this capability in the future so we can do dynamic updates of those modules
Modules or other resources could call ircd_log even if we are not fully booted, and we need to not fail in that situation, instead we should just emit the same warnings we usually do.
Not sure how this was supposed to originally work, if the sid is changed
the uid generator is not re-initied, and even if it was it would allow
id collisions if it ever uplinked to another ircd with the old id it
had.
I see no reason for this.
Not sure what this originally was supposed to do, but clicap_find is
normally called multiple times per cap request per client, so this makes
no sense at all.
structs such as Client, Channel, Member and Membership.
- Modules that define channel modes no longer need to be permanent. This
was already true for paramless chmodes, but is now true for all.
- Converted floodprot module (chmode +f) to use MoData. This means some
remains could be purged from the core and the module is now fully
reloadable (no longer permanent).
- This code is experimental, but seems to work...
By default this is set to 'yes' which means that once a spamfilter matches
UnrealIRCd will take action immediately and any additional (other)
spamfilters will not be processed.
When this is set to 'no' then after the first spamfilter match other
spamfilters will still be checked. All of these matches will be logged and a
message will go to IRCOps (snomask +S) for each one. The affected user,
however, will only see one spamfilter action (eg: block or kill) which will
be the spamfilter with the 'gravest action' (gzline is highest, block and
warn are lowest).
- Update example config for pending commands.so removal. (r0cb592422175)
- Implement support for TCP_DEFER_ACCEPT (synflood-hardening). (#4096) (r2ea87de39063)
- remove global flag from oper block as it is implied by netadmin. (#4092) (r491e69c8ede6)
bind to (for example) the loopback interface before connecting to the
remote server.
In addition to that, we now don't bind() at all when bind-ip is not
present or is set to "*".
While here, add a function to mark a range of characters as OK, and close
a possible integer underflow bug in the character attribute code.
Character tables derived from Atheme libguess.
This is technically in violation of RFC1459, however the general consensus
at the IRC3 discussion meetings is that it's the numeric which actually matters.
DH parameters files must be encoded in PEM format, and the path is
set using the ssl::dh config setting. This is based on a patch
submitted by wolfwood, with some modifications to avoid using stdio
unnecessarily and to avoid code duplication.
Instead, run check_tkls() when TKL changes are made directly.
While this is technically slower when more than one TKL is placed
at once, the value of getting it out of the check_pings event is
greater.
This is partially for the sake of Stskeeps, even though he left the
project long ago, but mainly so we can work towards dynamic ticks in
the event loop while guaranteeing latencies for connected clients,
even with fakelag.
are neither read nor write means that c-ares is no longer interested in the
socket. Thusly we unregister it. This is probably wrong, but it seems to
work fine.
With this change, it is possible to completely disconnect read_message() from the mainloop,
and have a fairly responsive ircd (noticably more responsive than what we had before I
started on this).
The "fakelag" stuff has been replaced with charybdis's deferred command processing logic,
which is more efficient and does the same thing without punishing behaving clients.
- Rename Changes to Changes.old
- In the Mercurial repository the Changes file no longer exists (except
for a dummy file). You now need to run ./createchangelog to generate it.
Of course in official releases the Changes file will be present and
contain all details.
- From now on, the Changes file is based on the history of the Mercurial
repository. This means we no longer have to write text manually to the
Changes file. This simple change helps a lot in future development
because patches will no longer break when they are being ported from
one branch to another.
unreal32docs.gr.html (outdated since 2006-12-02), and
unreal32docs.nl.html (outdated since 2009-01-18, possibly 2007-07-12).
These translations are out of date for many years and are causing
problems for the people who are reading this out of date information.
If you want to update these translations, or (maybe better) redo
the translation of unreal32docs in these languages, then send an
e-mail to syzop@unrealircd.com.
Note that for all these languages we have had people in the past
offering to help out, but in the end we never heard back from them,
so please ONLY contact us if you: 1) are serious, and 2) have
sufficient time available to work on this project.
That said, users in your language will greatly appreciate your work!
Of course, if you want to translate documents in any other language
then you are welcome to contact us as well.
method to authenticate users with SSL client certificates based
on SHA256 fingerprints. This can be used instead of the already
existing 'sslclientcert' so you don't have to use an external file.
One way to get the SHA256 fingerprint would be:
openssl x509 -in name-of-pem-file.pem -sha256 -noout -fingerprint
Suggested and patch supplied by Jobe (#4019).
- Added documentation on the new sslclientcertfp
- Moved documentation on authentication types to one place and refer
to it from each section (oper::password, vhost::password,
link::password-receive, etc).
- Disable USE_POLL on Windows, since it doesn't work with XP and has
no advantage anyway. Reported by nenolod (#4129).
- Various updates to makefile.win32 and .iss file, found during
building new versions of zlib, openssl, and curl.
Any attempt to /OPER by someone who doesn't have one of the listed
usermodes is rejected. This can be used to restrict oper blocks to
registered nicks (+r) or secure clients (SSL, +z).
server.cert.pem exists, and check it if the file doesn't exist.
You can still change the setting, just the default is correct now.
The code for this was already there but was not working correctly
causing users to go through the generation process upon each install.
If this is not set, then SASL is off and not advertised.
If the specified server is not connected, then SASL is off as well.
This prevents unnecessary delay (and the inability for some clients to
get online) when SASL is not in use or when the SASL server is down.
This allows the IRCd to enforce MLOCKs that are set by services, which
eliminates clashes between users setting modes and services enforcing
it's mlock on channels. (#3055)
queued data on the receive queue (eg: due to fake lag) was not processed
unless we got new data from the client.
Now, better document this. Also, avoid calling dbuf_put with 0 length.
goes to the boot screen. When we are already booted it's sent to all
IRCOps with a limit of max. 1 message per 5 minutes.
- Refuse to boot when we can't write to any log file.
vmakebuf_local_withprefix. Then use this new function - which creates the
buffer-to-be-sent - at the top of functions like sendto_channel_butserv
and sendto_common_channels and send the prepared buffer in the loop that
comes after it. This means we only prepare the buffer once and then send
it many times, rather than both building and sending it XYZ times.
Benchmarking connect-join-quit of 10k clients:
100 users per channel: no noticeable speed improvement
1000 users per channel: 18% faster
10000 users in one channel: 50% faster
As you can see, unfortunately, for a typical irc network there isn't much
speed improvement. However, if you have a couple of 500+ user channels or
get attacked by clones then you may see some improvement in speed and/or lower
CPU usage.
- UnrealIRCd now supports poll() instead of select().
There are some minor speed benefits if you have more than 1K or 2K
clients, however the main noticeable difference is that on Linux you can
now easily enter a higher maximum connection count than 1024 in ./Config,
without having to edit system header files.
Of course, you still need to be allowed to use the # of sockets (type
'ulimit -n' on the shell).
Support for this is experimental at this stage, but enabled by default
so it can receive all the testing it deserves. If all goes well, it will
be the default for 3.2.10.
Stress testing is very much welcomed!
* use get_client_by_pollfd() function instead of pollfd_to_client[]
directly, so we can easily find and debug any mistakes.
* add some commenting
* add extra debugging and core dumping if fd or slot values are out of bounds
* fix race condition in read_authports() where send_authports() 2 lines up
could have closed the socket, resulting in a read from fd -1.
NOTE: I've updated the select (non-poll) code as well, should be harmless.
* move all (re-)initalization to reset_pollfd(), i'm
much more comfortable with that as it aids debugging a lot.
* add parenthesis.
update my own fd check code for poll support
on OpenFiles to be correct. This fixes a crash when f.e. 3rd party modules
have files open but don't increase OpenFiles. Might also fix a curl crash,
though nobody ever reported one.
and ensures that the user does not have any ircop-only user modes after
de-opering. This (only) fixes the just added +I umode case, but could
also prevent future bugs.
Now the UNREAL_VERSION_GENERATION, UNREAL_VERSION_MAJOR,
UNREAL_VERSION_MINOR, and UNREAL_VERSION_SUFFIX macros are
autogenerated from PACKAGE_VERSION.
now store a string (of max NICKLEN size) as service stamp. See
protoctl.txt and serverprotocol.html in doc/technical for more
information.
Patch from nenotopia (#3966).
connection was never actually sent (due to buffering). Hence, things like
the /SQUIT reason was never seen on the other side (just 'server closed
the connection'). This has now been fixed.
- Win32: Attempt to move to 100% winsock2 (the include, to be precise),
this means includes have to be in a very particular order (!)
- Win32: #define _WIN32_WINNT 0x0501 and force our own inet_ntop/pton,
otherwise you get an ntop runtime error on XP and earlier.
- Win32: Get rid of c-ares includes and library in our tree, and use the
DLL instead of static LIB, just like we do for ssl and zlib.
- Win32: Get rid of TRE lib and includes
- Win32: reorder includes to fix winsock errors with curl
mysterious error 'The specified module could not be found' even though the
file exists. This usually means that it depends on another DLL, but
apparently Microsoft decided not to mention that in the error message.
We now append some small text when such an error happens, saying that it
could be because of a missing dependency. Reported by Phil.
and ZLINE) and 'except tkl' (which can exempt from GLINE, GZLINE, SHUN,
QLINE, GQLINE and SHUN). Reported by Digerati (#0002535).
- Added except tkl::type 'all', which exempts from all TKL types (except
KLINE).
network. You can also specify options like '/REHASH -global -motd' to
rehash only the MOTD/RULES/etc. Just like /REHASH <servername> this is a
NetAdmin-only command. This command is fully backwards compatible with
older UnrealIRCd version in the sense that it will also REHASH old
Unreal's. Suggested by 'P' in #0001522.
'install as service' and 'encrypt SSL certificate', as they are
incompatible (a service cannot ask a user to enter a password).
- Win32 installer: Fixed long outstanding problem with some Vista / Windows 7
installations, which has to do with file permissions of the Unreal3.2
folder. Symptoms were error messages such as:
Unable to create file 'tmp/10D9D743.commands.dll': Permission denied
But also failing to create SSL certificates, nothing being logged, etc.
This is now fixed by setting write access on the Unreal3.2 folder to the
user running the install, unless the user chooses not to use this new
option (it can be unchecked), in which case the user is warned that he
should take care of this himself.
Reported by various persons, special thanks to Bock and goldenwolf for
helping us to track down this issue (#0003943).
- Some small updates to the extended channel mode system: it now has minimal
support for 'local channel modes'. This is really only meant for channel
mode +Z (upcase z), see next.
- Added Channel Mode Z which indicates if a channel is 'secure' or not.
This mode works in conjunction with +z (lower case z).
If +z is set ('only secure users may join'), then the IRCd scans to see
if everyone in the channel is connected through SSL. If so, then the
channel is set +Z as well ('channel is secure').
Whenever an insecure user manages to join, the channel is -Z. And whenever
all insecure users leave, the channel is set +Z.
The 'insecure user being present in a +z channel' can be because:
- An IRCOp joined the channel, and he's not secure
- When servers link together and a user on the other side is not secure
This only happens on net merge (equal time stamp).
On different time stamp, we still kick insecure users on the new side.
- At the time when +z is set, there are insecure users present.
This feature was implemented after a heavy discussion in bug #3720 by fez
and others, and was suggested by Stealth.
Tech note: +Z/-Z is handled locally by each server. Any attempt to
remotely set +Z/-Z (eg: by services) will be ignored.
- As mentioned above, +z can now be set even if any insecure users are
present. Previously, this was not permitted. Now, as soon as the last
non-SSL user leaves, the channel will be set +Z.
- An oper not connected through SSL previously had to /INVITE himself
to a channel and then /JOIN the channel with the key 'override'.
This 'override' key is no longer required, a simple JOIN will suffice.
- Sorted channel modes in /HELPOP ?CHMODES
- Re-enabled 'fishy timestamp' errors in MODE. For some reason this was
commented out, even though the (more annoying and less useful) code in
JOIN was enabled so that did not make a lot of sense. It also now logs to
ircd.log (or whatever you configure). This enables people to easier find
the cause of any timestamp issues (which usually is badly coded services).
commands.so. This module was written to help IRCd maintainers deal
with some sort of ``XPS'' attack in which javascript-initiated HTTP
POST form submissions were able to act as dummy IRC bots. These
simple bots were the cause of much spam. (#3893)
- Add a modules section to the documentation. This was created to put
all documentation specific to the m_post module in one, easy to find
place. The documentation on m_post is likely incomplete, however.
- Added support for "stacked" extbans. Put simply this allows extban combinations
such as ~q:~c:#test to only silence users on #test, for example. This feature
is enabled by default, but can be disabled during ./Config -advanced.
This feature was suggested by Shining Phoenix (#0003193), was then coded
by aquanight for U3.3, and later on backported and partially redone by Syzop.
Module coders:
In an extban ~x:~y:something where we call ~x the 1st, and ~y the 2nd extban:
Since stacked extbans only makes sense where the 1st one is an action
extended ban like ~q/~n/~j, most modules won't have to be changed, as
their extban never gets extended (just like ~c:~q: makes no sense).
However, you may still want to indicate in some cases that the extban your
module introduces also shouldn't be used as 2nd extban.
For example with a textban extban ~T it makes no sense to have ~n:~T.
The module can indicate this by setting EXTBOPT_NOSTACKCHILD in
the ExtbanInfo struct used by ExtbanAdd().
For completeness I note that action modifier extbans are indicated by
EXTBOPT_ACTMODIFIER. However, note that we currently assume all such
extbans use the extban_is_ok_nuh_extban and extban_conv_param_nuh_or_extban
functions. If you don't use these and use EXTBOPT_ACTMODIFIER, then things
will go wrong with regards to stack-counting.
Module coders should also note that stacked extbans are not available if
DISABLE_STACKED_EXTBANS is defined.
- Added extended ban ~R:<nick>, which only matches if <nick> is a registered
user (has identified to services). This is really only useful in ban
exemptions, like: +e ~R:Nick would allow Nick to go through all bans if he
has identified to NickServ. This is often safer than using +e n!u@h.
- Added Extended Invex. This is very much like extended bans, in fact it
supports some of the same flags. Syntax: +I ~character:mask
Currently supported are: ~c (channel), ~r (realname) and ~R (registered).
This can be useful when setting a channel invite only (+i) and then
setting invite exceptions such as +I ~c:#chan (or even ~c:+#chan), while
still being able to ban users.
Because action modifiers (~q/~n/~j) make no sense here, extended invex
stacking (+I ~a:~b:c) makes no sense either, and is not supported.
Suggested by DanPMK (#0002817), parts based on patch from ohnobinki.
Module coders: set EXTBOPT_INVEX in the ExtbanInfo struct used by
ExtbanAdd() to indicate that your extban may also be used in +I.
- Invex (+I) now always checks cloaked hosts as well. Just like with bans,
it checks them also when the user is not currently cloaked (eg: did -x, or
is currently using some VHOST).
- Fixed client desynch caused by (un)banning, reported by Sephiroth (#2837).
two groups: one that specifies ban actions (~q/~n/~j) and one that
introduces new criteria (~c/~r). Also added documentation for ~R which
does not exist yet, but will soon...
- Added information about ``oper::password::auth-type sslclientcert'' and the same for link::password-receive::auth-type. (#3133)
- A little bit more of interlinking and using id="" instead of <a name="" />
curl version is new enough and is not using a c-ares which is binary
incompatible. If the self-compiled curl version is (too) outdated, then we
now suggest to rename it and have the installer re-download and compile
it automatically. This avoids some potential crashes.
was not compiled with c-ares, which is clearly a bad idea as then the
entire IRCd can hang for several seconds or more...
We now check if they support asynch DNS, and skip them if they don't.
- Separate m4 macros into *.m4 files (it is much easier to run aclocal now).
- Remove unused DOMAINNAME macro and --with-hostname= options as the DOMAINNAME macro isn't used anywheres and its use shouldn't be encouraged.
- autogen.sh to bootstrap the buildsystem. We now maintain setup.h with autoheader.
- --disable-blah now does the opposite of --enable-blah. The same for --with-blah and --without-blah. (This makes Gentoo users happier).
- Remote MOTD support. Not adequately tested. Required restructuring of the asynchronous download callback and handler.
- Added some consts throughout url.c, etc.
- Fix segfault where the an include directive specifies a URL and cURL follows redirects, resulting in a different resultant URL. The remote includes code would look for the an include block using the resultant URL and assume that it would be found. The new code searches differently, has new checks, and ignores the resultant URL.
- Removed duplicated m_motd() and friends that were both in modules and s_serv.c. The copies in s_serv.c (core) were overriding the in-module functions.
- IPv6: it seems some recent Linux dists decided to make IPv6 sockets
IPv6-only, instead of accepting both IPv4&IPv6 on them like until now.
FreeBSD (and other *BSD's) already did that move a few years back,
requiring server admins to sysctl.
We now make use of a new option to explicitly disable "IPv6-only".
This should work fine on Linux.
Whether it provides a complete solution for FreeBSD, I don't know, testing
is welcome! In theory setting net.inet6.ip6.v6only to 0 should no longer
be needed, but you might still need to enable ipv6_ipv4mapping.
- Fix stupid issue where current CVS would no longer link TO an earlier
Unreal server (eg: outgoing connect to a 3.2.8 hub). Reported by ohnobinki
(#0003901).
against HTTP POST proxies, now added some extra text to say it also
protects against the Firefox XPS IRC Attack. Also made NOSPOOF enabled by
default on *NIX (this was already the case on Windows).
- Updated ./Config description for DPATH. Seems quite some people answer
this question wrong, and when that happens, you only get some obscure
error when running './unreal start'.
- Fixed 'unreal' script to give a better error if it cannot find the IRCd
binary.
Previously this caused some really odd behavior. Backslashes are now
treated as-is, so no special escaping is necessary. Reported by DelGurth
(#0003002).
- Removed old dgets() function
redundant and confusing. Also removed an old statement saying k-lines would
be erased on rehash which is not true. Documented '/rehash -dns'.
Reported by ohnobinki (#0003881).
curl detection, added checks to see if curl actually works (print out a
clear curl error during configure, instead of getting an error during
'make'), and we now error when using --enable-libcurl without
--with-system-cares if the system curl depends on c-ares. This is because
this can cause ABI incompatability between curl's c-ares and our c-ares,
which leads to odd issues such as:
Could not resolve host: www.example.net (Successful completion)
And possibly other weird issues, perhaps even crashes.
it to 'no', the default is 'yes' (on). Requested by Robin (#0003885) as
UHNAMES may increase the time of the nick list being loaded from 1 to 4
seconds when joining several channels with more than 1000 users. As this
problem is only present on some networks, we keep UHNAMES enabled by
default.
descriptors. Because of this, Unreal did not restart properly as you would
get an "Address already in use" error. This only seemed to happen when
logging to syslog, or when there was something wrong with syslogd.
Reported by Mouse (#0003882).
descriptors. Because of this, Unreal did not restart properly as you would
get an "Address already in use" error. This only seemed to happen when
logging to syslog.
- Fixed a similar issue with syslog (and debugmode) and closing fd's as well:
the first port we listened on would not open up, ircd did not log any error.
- Made ./Config description about remote includes a bit more clear.
- When you now answer Yes to Remote includes in ./Config and $HOME/curl does
not exist, it now asks you if you want to automatically download and
install curl (which is done by ./curlinstall).
This has been tested on Linux, further testing on f.e. FreeBSD is
required.
- Server protocol: added PROTOCTL EATH=servername, which allows us to
authenticate the server very early in the handshake process. That way,
certain commands and PROTOCTL tokens can 'trust' the server.
See doc/technical/protoctl.txt for details.
- Server protocol: between new Unreal servers we now do the handshake a
little bit different, so it waits with sending the SERVER command until
the first PROTOCTL is received. Needed for next.
- Server protocol: added PROTOCTL SERVERS=1,2,3,4,etc by which a server can
inform the other server which servers (server numeric, actually) it has
linked. See doc/technical/protoctl.txt and next for details.
- When our server was trying to link to some server, and at the same time
another server was also trying to link with us, this would lead to a
server collision: the server would link (twice) ok at first, but then a
second later or so both would quit with 'Server Exists' with quite some
mess as a result. This isn't unique to Unreal, btw.
This happened more often when you had a low connfreq in your link blocks
(aka: quick reconnects), or had multiple hubs on autoconnect (with same
connfreq), or when you (re)started all servers at the same time.
This should now be solved by a new server handshake design, which detects
this race condition and solves it by closing one of the two (or more)
connections to avoid the issue.
This also means that it should now be safe to have multiple hubs with low
connfreq's (eg: 10s) without risking that your network falls apart.
This new server handshake (protocol updates, etc) was actually quite some
work, especially for something that only happened sporadically. I felt it
was needed though, because (re)linking stability is extremely important.
This new feature/design/fix requires extensive testing.
This feature can be disabled by: set { new-linking-protocol 0; };
having to use a special SSL-only port, they can simply switch to SSL on
any port. This is currently only supported by few clients (such as KVIrc 4).
This functionality can be disabled by setting set::ssl::options::no-starttls,
for example if you don't want to offer SSL to your users and only want it
to be used for server to server links.
Naturally, the IRCd must be compiled with SSL support for STARTTLS to work.
- Fixed SSL_ERROR_WANT_READ in IRCd_ssl_write()
such as ~q:~c:#test to only silence users on #test, for example. This feature
is enabled by default, but can be disabled during ./Config -advanced. Module
support for this feature must note the following:
- For is_ok function, the extban can either assign extban_is_ok_nuh_extban, which
will deal checking a chained extban (including checking for restricted extbans),
or it can call that function from its own is_ok routine. For the latter case,
remember to pass only the mask part of your ban format (ie, don't just pass para as
otherwise it'll just call your is_ok again).
- For conv_param function, the extban can either assign extban_conv_param_nuh_or_extban,
which will automatically call conv_param for a chained extban, or pretty up a n!u@h mask.
- For is_banned, the extban should call ban_check_mask with the mask part of the parameter.
This will automatically call is_banned for a stacked extban, or match against a n!u@h. n!u@h
is checked against the current user (ie, with the info in the globals ban_ip, etc), so things
can get weird if you call this outside a normal ban check.
Modules must keep in mind that chained extban support is not available (and neither are the three
functions above) if DISABLE_STACKED_EXTBANS is #defined (this is controled by Config). Modules will
not compile/load if they try to use them anyway.
This change should not break extban modules, and should need some more extensive testing.
- Misc fix for disabling extban chains, should've done stuff in our autoconf
stuff instead of hacking configure directly :P .
load (for example when the webserver is down), then the most recent
version of that remote include will be used, and the ircd will still boot
and be able to rehash. Even though this is quite a simple feature, it
can make a key difference when deciding to roll out remote includes on
your network. Previously, servers would be unable to boot or rehash when
the webserver was down, which would be a big problem (often unacceptable).
The latest version of fetched urls are cached in the cache/ directory as
cache/<md5 hash of url>.
Obviously, if there's no 'latest version' and an url fails, the ircd will
still not be able to boot. This would be the case if you added or changed
the path of a remote include and it's trying to fetch it for the first time.
To disable this new behavior, check out REMOTEINC_SPECIALCACHE in
include/config.h.
(HOOKTYPE_PACKET). Replacing the 'text to be sent' to a client is
supported, which allows character(set) conversion in a module.
Note that modifying an incoming message by the hook is not supported.
from not binding to that ip when linking, to not being able to link at
all. Also fixed a very small memory leak upon /REHASH. Bug reported by
Mr_Smoke (#0003858).
timesynch) made autoconnect not work for the duration of the offset
(eg: -60 would make autoconnect wait 60 seconds after boot, instead of
autoconnecting almost immediately). Reported by aragon (#0003853).
* And force the use of at least the version shipped with Unreal
* (or at least one without known security issues).
*/
this text is fcked btw.. whatever...
printed out as a warning, when in fact it's an error (and was treated as
such). Same for ZIP on non-zip compile. Reported by Stealth (#0003833).
..& updated credits..
- When pkg-config is present but does not recognize --static, use
default c-ares library options.
- Set default c-ares library options to -lcares on FreeBSD and others.
Set to -lcares -lrt on Linux (previously was -lcares -lrt for all).
Thanks to goldenwolf for the bugreport (#0003803) and providing a test-
shell to trace this issue down.
such as 3 connections per 60 seconds. Previously that could result in 3
per 90 seconds due to timer inaccuracy, now max 65 seconds (max 5s
inaccuracy).
In the IRCd world correct time is very important. This means that time
should be correct when the IRCd is booted, either by running ntpd/ntpdate
on the system or some other synchronization software, or by using the
built-in timesync feature.
Whenever the clock is adjusted for more than a few seconds AFTER the IRCd
has booted, it can lead to dangerous effects ranging from unfair
timestamps
for nicks and channels (and hence the possibility to takeover channels),
to even completely stalling the IRCd (negative timeshift) or making it so
nobody can connect anymore due to throttling (positive timeshift).
We now try to 'fix' the worst effects such as the IRCd freeze and
throttling. This does not fix the whole problem, so I've added some big
warnings when the clock is adjusted, including an annoying one every 5
minutes if the clock was set backwards, until the time is OK again
(catches up with the original time).
This fixes#0003230 reported by Stealth, and #0002521 reported by durrie.
set::spamfilter::slowdetect-fatal, set::ssl::server-cipher-list,
set::ssl::renegotiate-bytes, set::ssl::renegotiate-timeout,
set::watch-away-notification and ./unreal gencloak. Reported by Bock
(#0003764).
- set::ssl::renegotiate-bytes: fix when specifying a value such as 10m.
- './unreal gencloak' now actually works
- Fix typo in user mode q notice, reported by Strawberry_Kittens and others
(#0003761).
- Possible fix for MAC OS X compile problem - UNCONFIRMED.
(NickServ client, NULL if not present). You can return 1 (HOOK_DENY) to
make the IRCd not send IDENTIFY to NickServ. Suggested by tabrisnet
(#0003739).
(sorry, previous half-commit to src/modules/m_nick.c was accidental)
- Win32: Made UnrealIRCd run as a service under non-privileged accounts
(ones that do not belong to the Administrator group). Reported by
skyflash, Bock, zer, etc... Thanks to BuHHunyx for some hints on how to
fix this.
server.
Should never happen except when using faulty services or when something
else
got horrible wrong (like a date which is 40 years ahead). Reported by
Darth Android (#0003738).
don't support this and will fail to compile UnrealIRCd. This fixes#3680,
reported by therock247uk.
- Upgraded c-ares to 1.6.0 (also now using pkg-config).
If you get a "undefined reference to `clock_gettime'" error, then you
might consider installing 'pkg-config' on your system, and then simply
re-run
./Config and make, should fix things.
__TODO__: win32 c-ares upgrade to 1.6.0 (and copy & fix header files).
__TODO__: testing! testing! i'd like to be sure this c-ares is stable!
'uname -a' at compile time. This fixes bug #1438 and #3320 reported by
Mouse and Monk, where because of previous behavior the IRCd sometimes
would not compile in certain environments.
'error setting max fd's to 9223372036854775807' which prevents the ircd
from booting up. Reported by btcentral and Bock. This hack might not be
totally correct though ;).
each time it executes, how LONG it takes to execute. When a certain
threshold
is reached the IRCd will warn or even remove the spamfilter. This will
prevent
a spamfilter (regex) from slowing down the IRCd too much, though it's
still not
a guarantee that it will never go to a halt (eg: in case it takes several
minutes to execute a regex or loops forever).
Warning can be configured via set::spamfilter::slowdetect-warn (default:
250 milliseconds) and automatic deletion of spamfilters if it takes too
long is set through set::spamfilter::slowdetect-fatal (default: 500 ms).
NOTE: slow spamfilter detection is currently not available on Windows.
NOTE 2: to disable slow detection you can set the warn and fatal settings
to 0 (zero). OR to really disable all code, remove SPAMFILTER_DETECTSLOW
from include/config.h and recompile.
This new feature (away notify) is announced in 005 (ISUPPORT) as: WATCHOPTS=A
Format is: WATCH A +UserOne +UserTwo
New numerics to cope with away notification in WATCH are:
RPL_NOWISAWAY: to indicate the user is away _when adding_ it to WATCH list
RPL_GONEAWAY: user was not away, but is now
RPL_NOTAWAY: user was away, but is no longer away
RPL_NOWISAWAY: user was away, and still is, but the reason changed
Example:
WATCH A +Target
Request to add user 'Target' to the watch list with away notification
:maintest.test.net 609 MySelf Target ~blih test.testnet 1204309588 :not here atm
Reply to watch add: user is online and away, reason is provided
:maintest.test.net 599 MySelf Target ~blih test.testnet 1204309588 :is no longer away
User is back (no longer away)
:maintest.test.net 598 MySelf Target ~blih test.testnet 1204309722 :lunch
State change: user is now away, reason is provided
:maintest.test.net 597 MySelf Target ~blih test.testnet 1204309738 :shopping, bbl
User is still away, but reason changed.
The syntax for each numeric is:
<nickname> <username> <hostname> <awaysince> :<away reason>
In case of 599 (RPL_NOTAWAY) it is:
<nickname> <username> <hostname> <awaysince> :is no longer away
For the record, this is all based on a draft from codemastr from 2004, which was
implemented in Unreal3.3 (devel branch) in 2006. Today, in 2008 it was updated
with away reason support and backported to Unreal3.2. Because away notification
hasn't been used until now (due to it only being in Unreal3.3) we felt it was
safe to break some numerics.
now set a ban on *!*@*h.com and then later add one on *!*@*blah.com
without
any trouble. Previously the second one was rejected due to the former
already matching it. To change it back edit the include/config.h setting
SOCALLEDSMARTBANNING.
reported by Monk (#0003453). It should be large enough now. Also changed the
way we deal with this when it happens (if it ever happens again..): we now
close the server connection, instead of trying to continue, because continueing
is too dangerous.
trying to read unrealircd.conf. All due to strange chmod() behavior. We now no
longer try to set permissions on Mac OS X. Patch provided by Tibby (#3489).
properly (..again..), this was previously reported by pv2b.
- CGI:IRC + IPv6: Fixed issue where all cgiirc ipv4 clients were rejected with
the message 'Invalid IP address', reported by stskeeps (#0003311), nate
(#0003533) and others.
'::ffff:1.2.3.4' ips in the conf, they are now auto-converted to that).
Based on patch from tabrisnet.
- Fixed issue where the cgiirc block did not work with IPv6, reported by
djGrrr, fixed by previous change.
defines IRC_USER, IRC_GROUP which is a string specifiying what user name/
group name that should be changed into, instead of a hardcoded gid/uid.
This should make it easier for packaged binary releases to work (even
though this probably means Debian will take us in, ick .. Can't we pull
a new fight with debian-legal again?)
- #0003363 patched by adrianp, changing IRC_UID and IRC_GID into
defines IRC_USER, IRC_GROUP which is a string specifiying what user name/
group name that should be changed into, instead of a hardcoded gid/uid.
This should make it easier for packaged binary releases to work (even
though this probably means Debian will take us in, ick .. Can't we pull
a new fight with debian-legal again?)
- Retranslated the whole CDIR section (3.15)
- According to http://forditas.fsf.hu/html/node3.html the Hungarian expression for 'Internet Service Provider' should be written with a hypen (all occurrences fixed).
will be backwards compatible as well, SJOIN doesn't care (TM) and mode
doesn't either in case of a server sending it. So this will be just a
client protocol modification.
when trying to /connect to a server with wildcards (* and ?) in the link
block. We also raise an error if link::options::autoconnect is used
together with wildcards in hostname.
will now attempt to accept() up to LISTEN_SIZE (possibly saving CPU
through this under load, and speeding up connection).
- IRCd now also sets the &me fd as being non blocking (wasn't before, that
was odd..)
file descriptors being leaked upon every /REHASH.
So if you, for example, had 3 modules loaded and rehashed 30 times, it would cause
the ircd to consume 60 useless file descriptors (which often means 60 less file
descriptors being available to clients).
new commands SVSNOLAG/SVS2NOLAG (syntax: SVSNOLAG [+|-] NickName). Obviously, care
should be taken when giving such access to a user since he/she will be able to flood
at full speed and could possibly take down the entire IRCd (well, everyone on it).
Suggested by avb, coded by djGrrr.
- Made SAPART work for mulitple channels, just like SAJOIN. Reported by Snake and
SeigHart, patch provided by Bock (#0003064). This also fixes SAPART now being
announced to all opers globally, just like SAJOIN.
- Improved description of link::hub/leaf/leafdepth in unreal32docs.html reported by Bugz (#2623),
also fixed typo (leafdepth, not leaf-depth), reported by monas (#3083).
- Fixed bug where omitting class::connfreq would result in a huge connection attempt
flood when autoconnect was enabled. We now set class::connfreq to 60 if it's not
specified. Reported by Milliways (#0003018).
error, reported by Bock (#0003114).
- Added information about extbans to help.conf (/HELPOP ?EXTBANS). Patch from Bock
(#0003113).
- Made SAPART work for mulitple channels, just like SAJOIN. Patch provided by Bock
(#0003064). This also fixes SAPART now being announced to all opers globally, just
like SAJOIN.
- Finally fixed /RESTART issue on windows for good, should now always restart correctly.
Patch provided by BuHHunyx and Bock (#0002734).
- Fixed set::dns::bind-ip directive seen as duplicate, reported by aegis (#0003074).
- set::dns::* block is now no longer mandatory. All info has always been read from
/etc/resolv.conf (*NIX) or the registry (Win32), and the set::dns block is ignored
(except for set::dns::bind-ip, but that's a special case). Suggested by many including
djGrrr to make things slightly more logical (#0003019).
- As a consequence of the above, set::dns blocks were removed from doc/example*conf.
- Added two more characters to Catalan charset, reported by rmh (#0002995).
- Added set::pingpong-warning [yes|no] which decides whether to send the "** If you are
having problems connecting due to ping timeouts, please type /quote pong .." message
to each client when NOSPOOF is enabled (usually on Win32). The default is NO.
Previously this message was always sent if NOSPOOF was on, which often caused
confusion among users. The message was intended for non-confirming clients, but these
should be fixed by now, and those that were not fixed (self-made bots/etc) did often
not understand the message anyway. Anyway, you can still turn it on ;). (#2680).
user target string (nick!user@host:info), insteaf of doing it at like 5 places.
- Spamfilter target 'u' (user): the host field (nick!user@HOST:realname) is now escaped
with brackets if it's an IPv6 address, eg: blah!blah@[1:2:3:4:5:6:7:8]:hello, reported
by aquanight and others (#0003010).
instead of letting it magically reappear whenever +x is set. This means services can
now properly "unvhost" a user by sending a "SVSMODE User -x+x" (then any existing vhost
will be removed and user will have a cloaked host). Reported by avenger and others
(#0002933).
- Made Unreal use the original name in case of a CNAME, instead of the forwarded name,
reported by jerrcsnet (#0003054).
- The "looking up your hostname" message was always sent, regardless of show-connect-info.
though it always acted like it did in the MODE line sent to the channel. This bug caused
desynchs in some cases. Bug reported by Korfio (#0003048).
- Fixes to SVSNICK: case-change no longer causes a collision, don't return the value from
exit_client (which would be FLUSH_BUFFER), fix QUIT not being sent back on collision.
- Fix for above so it doesn't -r the client.
- Renamed unreal32docs.tk.html to unreal32docs.tr.html
- Module coders: Added HOOKTYPE_POST_SERVER_CONNECT (1 param: cptr) which is called when
a server connects, just like HOOTYPE_SERVER_CONNECT but this is actually called *after*
all clients and channels are synched. Obviously needed for some modules which must synch
data that refers to clients/channels that would otherwise not exist yet on the other side.
reported by Bock (as part of #2889).
- Fixed desynch problem with +Q, reported by tabrisnet (#0002992).
- Updated doc/coding-guidelines
- Added bugs.* url to /info, was still showing some email address.
including one reported by frigola on an old Sun Cobalt RAQ3.
It will probably also fix an issue with the just released curl 7.15.4, if compiling
with remote includes.
TODO: Update win32 (not urgent)
you do 'cd ..' and then 'cd -' again, make works just fine. This is going to be the most
stupid workaround in history... Reported by vonitsanet and others (#0002926).
- Fixed crash problem on win32 if TKL times were <0. Obviously it's hard to protect from such
invalid server traffic, but figured in this case it might be a good idea since *NIX does
not crash.
- Made a note about possessive quantifiers, they are scary :P.
+- Moved another 2K lines from core to modules, this means 31K lines are now in modules
+ and can be upgraded on the fly.
+- Real Command Aliases: This makes it possible to, for example, alias '/GLINEBOT' to
+ 'GLINE <param> 2d Bots are not permitted on this network, etcetc'. For more information,
+ see the docs on the alias block and/or search for "glinebot" in doc/example.conf.
added glinebot example @ real command aliases / updated description...
- Added 'real' aliases, this are aliases that map to real commands, so you can for example
map the command '/GLINEBOT <x>' to 'GLINE <x> 2d Bots are not allowed on this server, blabla'.
See the documentation on the alias block for more information. doc/example.conf contains an
example as well (search for "glinebot").
map the command '/BLAH 5' to 'NICK idiot5'. More info in docs on alias block.
- Modulized: badwords system (src/badwords.c is now gone) and StripColors/StripControlCodes
to m_message, multiple netsynch routines to m_server, send_list to m_list, a certain mode
routine to m_svsmode, all /MSG IRC.. webtv stuff to src/modules/webtv.c which is compiled
with m_message.
This means another ~1500 lines of code are now in modules (and thus can be upgraded on
the fly), which brings the total of modulized lines at 32K.
synchronize the IRCd clock (TSOffset) with a few good time servers. It currently only does
this on-boot, but it will hopefully help a lot of people with most of their time differences.
I still keep recommending anyone who can to run proper time-synchronization software such as
ntpd/ntpdate on their servers.
To disable time synchronization (eg: because you are already running ntp), you can simply
set set::timesynch::enabled to no.
The boot timeout for the timeserver response (=causes boot delay) can be configured via
set::timesynch::timeout and is set to 3 seconds by default (range is 1s-5s), there should
be no reason to change this.
The time server can be configured by setting set::timesynch::server, the default is to
use 3 time servers on 3 continents (US, EU, AU) which should be sufficient for anyone but
if you got a good one near you you can use that one instead.
The time protocol we use is (S)NTP v4.
this case ;p). Reported by KnAseN and many others (#0002581).
There might still be other operator count bugs, but these are triggered by a different bug
and may or may not be caused by services.
which basically means if it allows .*. If you want to require a parameter, use .+ (or
anything other in regex that requires at least one character). Suggested and patch provided
by Nazzy (#0002722).
far as we want to go with regards to relaxing "too broad" checking... Just continue to use
services AKILL for (other) "too broad cases", as many people (correctly) do. Change
suggested by salama (#0002911).
CALLBACKTYPE_CLOAK). This passes 'aClient *sptr, char *host' instead of only 'char *host'
to the cloaking module, which can be useful if you need to cloak on something other than
IP/host. Suggested by fez (#0002275).
Module may still provide only CALLBACKTYPE_CLOAK though, in fact this is what the official
cloaking module does. So no updating of cloaking modules needed.
A side-effect of this "extra cloaking" callback is that we needed to change make_virthost()
which now has an extra parameter in front, and another side-effect is that calling the
CALLBACKTYPE_CLOAK may not work since only *_EX might be available. To my knowledge there
are very few modules (only 1 I know) that will have a problem due to this, so sounds like
an affordable tradeoff.
some more odd problems from people (eg: people switching from GCC 3.x to 4.x and wondering
why they are crashing or getting other errors).
** actually, this was already comitted, but forgot to commit Changes :p **
a lot of crashes. Both are now fixed. Reported by Zell, Yamake, and others (#2875, #2704).
Fix provided by Xuefer. This also gets rid of some annoying and useless compile warnings
as well.
- When checking if a user is banned, we always check the cloakhost too. Previously we could
not do this if the user had a /VHOST (=a minority of the cases, but still...). In short,
this is some extra protection to combat ban evasion.
- Performance of is_banned() *slightly* improved (just 1-2 usec, but 7 usec if no bans).
- [Module coders] For extban routines, we now offer a routine extban_is_banned_helper(buf)
which can be used instead of the ban_realhost/etc static chars stuff, see
extban_modeq_is_banned for a (real-life) example of how this is used.
- [Services coders!] Added PROTOCTL CLK (requires NICKv2) which adds an extra field in the
NICK command (when a user connects) right before the infofield (gecos).
The added field contains the cloaked host, that is: the masked host if +x would have been
set. This field is ALWAYS sent, regardless of whether the user is actually +x or not.
Services can then store this field in memory, to know the host of the user if the user
is set +x (+x-t). This is a (better) alternative to PROTOCTL VHP, with no race conditions,
and avoids some other VHP problems.
VHP will stay supported though... so it's not mandatory to switch over.
- c-ares (currently, a forked off version) enhancements:
- '/quote dns i' now shows the nameserver settings (which is taken from /etc/resolv.conf
on *NIX, and from the registry on Windows)
- We no longer depend on a C++ compiler (was useless c-ares dependency caused by libtool)
- '/REHASH -dns' now rereads the resolver data from resolv.conf/registry, no IRCd restart
needed anymore. It's currently kinda experimental however, but I *think* it will work ok.
Unfortunately the above features required some ugly hacks if curl was enabled, so if you
use curl (Remote includes), feel free to test on your OS (Linux, but especially FreeBSD
and the other *NIXes) to see if things still compile (make clean; ./Config && make).
- '/quote dns i' now shows the nameserver settings (which is taken from /etc/resolv.conf
on *NIX, and from the registry on Windows)
- We no longer depend on a C++ compiler (was useless c-ares dependency caused by libtool)
- '/REHASH -dns' now rereads the resolver data from resolv.conf/registry, no IRCd restart
needed anymore. It's currently kinda experimental however, but I *think* it will work ok.
Unfortunately the above features required some ugly hacks if curl was enabled, so if you
use curl (Remote includes), feel free to test on your OS (Linux, but especially FreeBSD
and the other *NIXes) to see if things still compile (make clean; ./Config && make).
clients support it now (mIRC, xchat, epic, eggdrop, Klient, PJIRC, irssi, CGI:IRC, etc).
It has always been weird that win32 had it ON by default and *NIX OFF, anyway.
Naturally this change will be mentioned clearly in next release notes.
clients connecting trough a CGI:IRC gateway that is in cgiirc { }. This might also fix a bug
where (g)zlines were not applied to CGI:IRC clients, reported by devil (#0002850).
- Rephrased/editted part of example.conf and unreal32docs to make it a littttttle bit easier
for beginners / try to mention the FAQ a bit more explicitly.
- Modulized NAMES command (can now be upgraded on the fly, if ever needed).
- Added NAMESX support, seeing both mIRC (5.17) and XChat support this. What this does is
send all rights of all users on the channel in the NAMES reply (eg: @+Syzop if the user is +ov)
instead of only the highest one (@Syzop in previous example). We only do so if the client
explicitly requested this via a NAMESX in a PROTOCTL message (eg: 'PROTOCTL NAMESX').
Note that there is a glitch: since most clients only send the PROTOCTL NAMESX after they
see NAMESX listed in the 005 announce message this has the effect that if there are
set::auto-join channels present (where users are automatically joined to by the server) the
extended NAMES reply will not be sent for those channels, because from the IRC server' point
of view the join happened before the PROTOCTL and hence it does not know the client wanted
NAMESX at that point (the result is not catastrophic: the old-style NAMES is sent for those
channels). Anyway, for all non-autojoin channels this works great. So still worth adding IMO.
Originally suggested in #0000606.
Side note: this does not mean we dropped the idea of (also) having a challenge-response
system for good ;).
We now support the webirc ('webirc_password' in CGI:IRC) method, which is kinda superior
to the older method ('realhost_as_password').
See the Unreal documentation (section '4.36 - Cgiirc Block') for details on how to configure.
- Changed quoting color in unreal32docs.. looks better now IMO (only English docs updated).
"trusted" and the IRCd will show the users' _real_ host/ip everywhere on IRC, instead of the
_CGI:IRC-gateway_ host/ip.
To do so you must set 'realhost_as_password' to 1 in your cgiirc.conf. And add the
CGI:IRC gateway(s) you fully trust to set::cgiirc::hosts.
means no longer weird issues with +b *\* etc not banning nicks with \ in it.
ExtBan ~c/~r get special treatment and will use our match_esc [match with escaping]
routine, that way you can ban channels such as "#f*ck" via "+b ~c:#f\*ck".
Fix triggered by bugreport of vonitsanet (#0002782).
the switchover we were accidently using different ones which caused funny kill messages
like "You were killed by a.b.c (a!a.b.c (SOMENICK[N\A](?) <- d.e.f))." This also broke
some bans in pre2/rc1. Bug reported by HERZ (#0002772).
contains the (root) certificates of most major Certificate Authorities. It is basically
the default curl ca-bundle.crt plus cacert's certificates.
The 'curl-ca-bundle.crt' will be copied to the installation dir if needed.
It will from now on be used by Unreal for all remote includes (curl) related certificates.
If you want to use https but don't want to buy a certificate, we suggest you to apply for
a free certificate at CACert (www.CACert.org). Or, alternatively, add your own certificate
(PEM encoded) to curl-ca-bundle.crt, see 'SSLCERTS' in the curl package for more info.
but is actually understandable and has less bugs. This fixes +b ~c:#c\*t not properly
matching #c*t, reported by Jason (#0002752). Initial results look good, but this needs
some good testing ;).
- Updated unrealinst.iss: made it easier for me to have 2 curl versions, this is so we can
ship the SSL version of unreal with a curl that supports SSL (https, etc).
- Preperations for pre-1 (version change, etc)
- Changed the default maxbanlength from 1K to 2K, which means people can set more bans because
in pracitce the 60 (maxbans) limit was never met because the maxbanlimit was set so low.
set::maxbans in the configfile, note that you probably also want to enlarge set::maxbanlength
as well (see docs) or else you will hit that limit first.
- Changed the default maxbanlength from 1K to 2K, which in practice will mean people can set
a lot more bans since in practice the 60 (maxbans) limit was never met because the
maxbanlimit was set so low.
an error, since specifying usermask should not be done and is useless, since a (G)ZLINE
takes place BEFORE ident lookups.
- Did the same for /(G)ZLINE *@hostmask (should be *@ipmask), this already was a warning
in 3.2.3, and is an error now in 3.2.4.
- Redid some net synching code to make it more efficient (#2716).
- Fixed spamfilter crash problem: the action 'viruschan' is now no longer incompatible
with target 'user'. Reported by Monk (#0002570).
oper privileges on quarantined servers will be instantly killed. Bit ugly perhaps, but
then it actually does what it should (prevent opers on quarantine from getting GLOBAL
oper privileges). This "fixes" #2510, #2163 and #1968.
[forgot docs commit]
oper privileges on quarantined servers will be instantly killed. Bit ugly perhaps, but
then it actually does what it should (prevent opers on quarantine from getting GLOBAL
oper privileges). This "fixes" #2510, #2163 and #1968.
- Made ./Config better react to errors (no longer print a "everything is a big success"
kind of message when in fact everything went wrong).
- Made ./Config (configure) exit on openssl or zlib not found errors, instead of
silently continueing and then causing trouble later on. Also now printing _a bit_
more helpful error message.
you have to put 'spamfilter yes;' in every alias block you want to get filtered.
This is so you can have for example /MS filtered (due to heavy spam), while keeping
/NS and /CS unfiltered. Reported by Homer (#0002496).
- The memoserv aliases (/MS and /MEMOSERV) now have spamfiltering enabled by default.
in the function, reported by Robby22 (#0002696).
- Fixed set::static-part set to 'no' not working properly. Reported by Robby22 (#0002698).
- Fixed crash in new resolver, reported by firstof9.
unreal version that the user is using. I presume this can be helpful (although nobody ever
suggested it ;p). The macros (#define's) are:
UNREAL_VERSION_GENERATION The generation version number eg: 3 for 3.2.4
UNREAL_VERSION_MAJOR The major version number eg: 2 for 3.2.4
UNREAL_VERSION_MINOR The minor version number eg: 4 for 3.2.4
This can be negative for unstable,
alpha and beta versions.
UNREAL_VERSION_TIME Year + week of the day (starting eg: 200541
on Monday), this is updated on
the CVS server every week.
The first 3 are for nicely identifiying the version, the 4th can be useful in case
you want to support CVS and/or want some more control.
Reported by Trocotronic (#0002659).
- Fixed a problem with entries in the hosts file (such as, usually, localhost), this would
cause an unresolved host and a 30s delay for the user, even though resolving succeeded.
This should get rid of some annoying untracable (and usually rare) crashbugs in the
old resolver. Besides that, it makes things look more clean and understandable.
This should be the fix for the following bugids (all the same issue): #2499, #2551, #2558,
#2559, #2603, #2642, #2502, #2501, #2618, #2616.
Feedback and testing is very much welcomed (syzop@unrealircd.com).
generated (for linkage by commands.so), are now used to generate the .so files of the
individual modules as well (eg: m_setname.o -link-> m_setname.so). This reduces compile
time ('make') on my machine by 33%, so it's quite noticable ;).
It also sends a numeric to the user saying the command has been processed, but a copy
has been sent to ircops. I feel this is a good idea for privacy reasons (anti-spy),
though I don't know how users will react to this. If you are using this on your network
and get users bothering you about it (or before that ;p), it's probably a good idea
to explain it somewhere on your site or FAQ :).
Example usage:
/spamfilter add p warn - Testing_mirc_decode_filter \$decode\(.*\)
[WARNING] The numeric text is likely to change in the next few weeks (early-cvs-commit).
- If a class block was removed and any other blocks would be referencing the class block
(such as: allow::class, oper::class, link::class), then this would cause a crash.
Reported by Mike_ (#0002646).
- CMDLINE_CONFIG behavior change: command line configuration is now still permitted
if #undef'ed (which is the default) if uid==euid && gid==egid, since it doesn't make
any sense to disable it then and is in fact just plain annoying.
- Added FAKELAG_CONFIGURABLE option in include/config.h, this enables an option called
class::options::nofakelag, which disables "fake lag" for a certain class (that is:
the artificial delay introduced by the ircd to prevent flooding is turned off,
allowing the user to flood at full speed).
IT'S USE IS DISCOURAGED UNLESS YOU REALLY KNOW WHAT YOU ARE DOING.
Sorry, option is not in ./Config -advanced since I don't get autoconf working, but it's
such a scary option that this might as well be a good idea to keep in config.h anyway.
This feature has been suggested for several years (and refused), but the final
suggestion (with implementation specific hints) came from Gilou in bug #0002207.
- changed a comment slightly in m_tkl.c to get rid of harmless warning ;)
a spamfilter, but cannot remove it" problems. In practice this means - depending on the
length of your spamfilter reason - regexes will be max ~300 characters.
Spamfilters set in the .conf can be slightly longer (which still causes them to be
truncated in '/stats f', but they don't have to be removed anyway so it's kinda
acceptable if it's really needed). This should fix bug #2083, reported by White_Magic.
'u' (user) target can cause severe problems (crashes, etc). For now, we have disabled
'viruschan' in combination with 'u'. A real fix will require quite some work, sorry.
escape them like in all bans (eg: to ban #* you need to +b ~c:#\*). As an additional
bonus, real wildcards are now accepted and processed (eg: +b ~c:#*sex*, just don't
forget to specify the #). Reported by PhantasyX (#2605).
- Sidenote on above: ~c:*chan* is not supported (use ~c:#*chan* instead) because it would
cause "hidden bans", therefore it now prints a message (which is useful anyway), but
does accept such remote bans. In 3.2.5 or so we could enable support for it, it's
not that important though... ;)
- Added ifdefs for mass closing of file descriptors on start, can now be disabled by
adding -DNOCLOSEFD as a compile option. Useful for valgrind w/--db-attach=yes, mpatrol,
and some other debugging tools (not useful for anyone normally running a server).
- Fixed a read-after-free: sptr->serv->aconf was freed but not NULL'ed in exit_client,
causing close_connection to read from it (when deciding on doing a quick reconnect).
Could have caused a crash, although nobody ever reported one...
- Removed useless strncpyzt with dest==src.
- Added -fno-strict-aliasing.. this might well be temporary, but we get tons of strict-
aliasing warnings, so it sounds good to disable this type of optimization for now.
and 2000 lines total that can be hotfixed if needed ;). The effort involved in moving all
this sucks a lot though :/. This might need some more testing to make sure it doesn't break
anything.
- Updated support OS list in documentation.
whenever a server is added to a network it has a lot of power that cannot simply be controlled
by things like unsetting operflags remotely or anything else. I don't want to encourage
anyone to use it.
- Redid include dependencies in Makefile, this makes things safer because on any .h change it
would force a recompile of all files, but it could mean things will be a bit slower for us
coders unless we tweak it later on.
- Changed whois a bit to print less useless results.
- Added several indicators to the "detect binary incompatible modules"-system such as detecting
of a ziplinks module on non-ziplinks (on windows this is ok however), nospoof module on a
a server without nospoof server, etc. Hopefully this will help some people preventing odd
crashes because they did not recompile or (re)install modules properly.
- Added './unreal backtrace', so far this has only been tested on Linux and FreeBSD.
- Fixed a bug making ./Config not load the previously stored settings on Solaris 10 and
probably other Unixes, reported by lion-o (#0002474).
system accept more characters. Basically what this means is that the (fast) badwords
system can now be used to properly block words with accents and things like that, just
the way you block English words. Bug reported by MJ12Helios (#0002311).
- Opers with can_override can now +qa/-qa even if they are not netadmins,
and they can also (un)set L/u.
- Fixed several SAMODE bugs, such as not completely working for non-netadmins and
not working if you were halfop'ed, etc.
Bugs reported by pak, aquanight, niphler, Bugz, and more.
If there are still any bugs left, please report them on http://bugs.unrealircd.org/
NOTE: some of these enhancements will produce desynchs if your net is not 100%
on current CVS / Unreal3.2.3 and an oper tries to use these 'new features'.
So use with care on mixed-version nets.
- Added 'czech-w1250' and 'slovak-w1250' (both might miss a few characters).
- Added 'windows-1250' group which contains czech-w1250, slovak-w1250, polish-w1250
and hungarian.
- Hungarian characters show both fine in w1250 and latin2, hence hungarian is included
both in 'windows-1250' and 'latin2'.
- Fixed bug: polish was not included in latin2
- If a locop now has can_override/can_gkline/can_gzline we will print out a warning and
convert it to globops. This is also what we always did for can_globalroute/can_gkill
(well, except the warning). Giving such NETWORK (GLOBAL) privileges to a LOCAL operator
does not make any sense and is therefore no longer allowed.
by Ron2K (#Ron2K).
- Module coders: using extcmode_default_requirechop is now depricated, check src/extcmodes.c
ctrl+f extcmode_default_requirechop for more details (solution: copy+paste & fill in modechar).
reported by seneces (#0002333).
- Fixed doc bug reported by Dukat (#0002374). Also fixed 2 error msgs related to
the nickchars system printing out incorrect set:: directives.
- spamfilter.conf and dccallow.conf are now also copied upon make install, reported by
TommyTheKid (#0002313).
- Build in some additional checks (especially for Chinese).
- Fixed a bug in chinese character range (affecting 3.2*)
- Relaxed nick character checking from remote servers (rely on NICKCHARS= PROTOCTL
to deal with problems). This is useful to prevent any kills in case we slightly
change the characters that are allowed in a language.
- Got rid of 'latin7', tiny mistake ;)
- Removed e' accent from German (used in borrow-words only), reported by Dukat.
- Added 'swiss-german', which is just German without es-zett, reported by Dukat.
- Added 'turkish', supplied by Ayberk Yancatoral.
If 2 servers try to link and the allowed nick characters do not fully match, then
the link will be rejected. Note that this will not prevent you from 3.2.2<->3.2.3/CVS
charsets mistakes, but only with linking CVS/3.2.3+ servers. Suggested by Troco (#0002360)
This might need some additional testing, but initial results are positive :).
- Renamed 'euro-west' to 'latin1' since that's more descriptive/fair ;)
- Added 'hungarian' [supplied by AngryWolf]
- Added category 'latin2': just Hungarian for now
- Added 'catalan' [supplied by Trocotronic]
- Added 'greek' [supplied by GSF]
- Added category 'latin7': alias for 'greek'
- Added category 'gbk': alias for 'chinese'
still cutoff if the nick is too long. Basically this is the same way as Hybrid does it
so it should work ok :).
- Added nick character system. This allows you to choose which (additional) characters
to allow in nicks via set::allowed-nickchars. See unreal32docs.html -> section 3.16
for a list of available languages and more info on how to use it.
Current list: dutch, french, german, italian, spanish, euro-west, chinese-trad,
chinese-simp, chinese-ja, chinese.
If you wonder why your language is not yet included or why a certain mistake is present,
then please understand that we are most likely not experienced (at all) in your language.
If you are a native of your language (or know the language well), and your language
is not included yet or you have some corrections, then contact syzop@vulnscan.org or
report it as a bug on http://bugs.unrealircd.org/
- If no log { } block is present a warning will be printed out and we will fallback
to a default of logging errors to ircd.log. Suggested by w00t (#0002327).
check if the user is voiced/halfoped/etc.. Especially useful for +e ~c. Idea from
Bugz (#0002198). Obviously all servers need to be upgraded to make this work.
throttle the number of joins per-user to X in Y seconds. Idea from Angrywolf (who
wrote a module that did this before). This might need some more testing :).
It's enabled by default but can be #undef'ed in include/config.h (line 449).
(perhaps this should be a different function?). Anyway, this means less diskspace
is needed (~1.5mb or more), and it also makes it a bit easier for RBAC (#2300).
- Made a new function DoMD5() which is ssl/non-ssl independent. Also made the cloaking
module and the auth functions use it. Hopefully I didn't break anything ;). Suggested
by Bugz (#2298).
- Modulized a lot of commands and related subfunctions: NICK (750 lines), USER (200),
MODE (2300), WATCH (250), JOIN (600), PART (250), MOTD (100), OPERMOTD (100),
BOTMOTD (100), LUSERS (100). More will follow soon (probably including more subfunctions
related to existing commands).
- [Module coders] Added new function: do_cmd(cptr, sptr, cmd, parc, parv) which is an
uniform method to call any other commands. For more info, see description in src/parcket.c.
This will be used for any further modulization of commands that need to call other
commands, like NICK (will be done soon).
translations.txt.
DEL: Unreal31_to_32.html & example.settings DUE TO outdated
MOD: Authors (added myself, updated griever end date), translations.txt (updated
to mention that it takes a lot of time, and added a note on using word/frontpage).
to send to normal users w/the snomask set.
- Fixed dcc filtering a bit more.
- Made usermode 'g' operonly since it didn't do much, reported by DukePyrolator (#0002024).
- Numeric audit: 15 small changes (int/long mismatches etc). This might have fixed some
bugs on architectures where 'long' and 'int' have different sizes (eg: opteron).
hardly ever seen (unless you have +s +j set). For example a bad link::bind-ip only caused
"Couldn't connect to xxxxxx" without any meaningful error message. Additionally, errors
sent to report_baderror() are now logged.
^^ way too long description for a small tweak :p
Gilou and Trankill for making me able to trace this issue down (#0002032).
- Fixed qline notices again: now gives msg #1 for local qlined-nick attempts, and
another msg in case of a remote client (eg: oper) using a qlined nick.
work just the same as the HOOKTYPE_LOCAL_* variants).
- Module coders: HOOKTYPE_REMOTE_CONNECT is now also called during net-merge. You can use
IsSynched(sptr->srvptr) to find out if it's called due to a net merge (0) or a connect (1).
- Added spamfiler 'user' (u) target. This regex is checked against nick!user@host:realname
when a user connects. This makes it easy to ban drones with simple patterns.
For example: '/spamfilter add u gzline 86400 Drone[0-9]+!.+@.+:Drone[0-9]'
would kill any drones that have both a nick and realname with 'Drone' followed by digits.
attacks (eg: rainbow) and prevents cracking of several passwords at once.
This change means /MKPASSWD will now just generate a different string than before.
Do note however, that the old syntax/encrypted passwords will still work and _will continue
to work_ in the future, for at least the whole 3.2* series.
If you are concerned with security and have some time, then converting your passwords
is probably a good idea... Just in case your configuration file gets stolen one day ;).
- MD5 password encryption is now always available on *NIX, even if SSL is disabled.
that you should pass the ZIP_LINKS etc options to 'nmake -f makefile.win32 custommodule'
many people didn't do this which caused odd problems when reading certain clientstructs.
Module coders: in the meantime, for 3.2.1 mods, use something like:
nmake -f makefile.win32 USE_ZIPLINKS=1 ZLIB_INC_DIR="c:\dev\zlib"
ZLIB_LIB_DIR="c:\dev\zlib\dll32" custommodule MODULEFILE=m_mymodule
For 3.2.2+ these additional parameters will no longer be needed (but wouldn't harm either).
weirdness, this also affected spamfilter (so any spamfilters added only at notice
and not at msg on windows would not work). Now using the real 'notice' parameter.
Also linked to a page with an unreal dev package which contains zlib+ssl+curl
precompiled. This basically means many people no longer need to compile zlib/ssl/curl
anymore themselves (which is a pain to do and takes a lot of time).
compiling modules and their (binary) compatability, zip links (zlib), ssl (OpenSSL)...
Remote includes (curl and c-ares) instructions still need to be added.
- Made 'Install as a service' unchecked by default, this should help beginners a lot.
/connect or autoconnect) and was not present in the cache. Reported and traced by sh0
(#0001976).
- Fixed compile bug at *NIX caused by ModuleGetErrorStr fix.
multiple reference count bugs, one related to sptr->serv->conf, and another one related
to sptr->serv->class. Both caused problems when someone did a /rehash when a server
was in the process of connecting (so it might also happen when connfreq was hit and you
did a /rehash). Original bug was reported by sh0 (#0001872).
- Updated example.conf: added all new flags we added in the example block, removed
old confusing comment on SEGV logging, config.h: ripped out lPATH since that define
isn't anywhere used and is only confusing.
because it's slightly faster (already replaced all of them in src/s_kline.c).
GetIP(acptr) will return the ip for local users and remote users that support NICKIP,
it returns NULL for remote users that are on non-NICKIP servers (or have non-NICKIP
servers along their path).
- internal: tkl_add_line now returns aTKline *
- Added some more hooks:
- HOOKTYPE_TKL_ADD [aClient *cptr, aClient *sptr, aTKline *tk]
- HOOKTYPE_TKL_DEL [aClient *cptr, aClient *sptr, aTKline *tk]
NOTE: 'NULL, NULL, tk' is used for *lines that are removed due to expiring
- HOOKTYPE_LOCAL_KILL [aClient *sptr, aClient *target, char *comment]
it will just accept it if it's from a remote server, and also ops/etc will be allowed
to REMOVE any unknown extbans (but not add new unknown ones).
- Added extended ban type ~n (nickchange ban), if a user matches this (s)he can not
change nicks (eg: +b ~n:*!*@*.aol.com) unless (s)he has voice or higher.
This can be useful as an overall measure for some +m chans (+b ~n:!*@*) or against
specific 'good' people that are just nickflooding due to a wrongly configured script.
- Added set::restrict-extendedbans by which you can disallow normal users to use
any extendedbans ("*") or disallow only certain ones (eg: "qc").
- Made the negative TS message a bit more annoying if time is off more than 10 seconds.
- Module coders: if CmdoverrideAdd() is called for an override that is already in place, it
now sets MODERR_EXISTS as errorcode and returns NULL (previously it added duplicates).
In the past module coders had many issues with PERM mods... you had to use weird tricks,
but now you can (and should!) just override on INIT and on HOOKTYPE_REHASH_COMPLETE.
- Moved register_user declaration to h.h, updated call in m_pingpong.c (due new 'ip' field).
- Usermode +v ('receive dcc send rejection notices') is oper-only now for privacy reasons.
- Added dcc allow { }, which allows one to make exceptions over deny dcc { }.
- Added deny dcc::soft and allow dcc::soft item, if set to 'yes' it allows someone
to explicitly override it per-person via /DCCALLOW (see next).
- Added DCCALLOW system, taken directly from bahamut.
With this system you can block certain (or all) DCC SENDs and then allow the user to
'override' this limit for every user he/she trusts via '/DCCALLOW +User'.
This is an attempt to stop (or at least limit) the spreading of viruses/etc.
See '/DCCALLOW HELP' for more info.
- Added example dccallow.conf which filters everything except some known
'safe types' (jpg, jpeg, png, gif, etc). Note that the purpose of this file
is NOT to get a complete list, rather to limit it to a few 'known safe' entries.
- Added set::maxdccallow: max number of entries of the DCCALLOW list (default: 10).
- Added release notes (no, we won't release 3.2.1 anytime soon.. just updating ;p).
- Added various extra messages to make it a bit more easier for people who are
upgrading (win32 commands.dll, cloaking mod).
- Made win32 ssl<->non-ssl modules binary compatible.
- Added ssl/non-ssl check in Mod_Version on *NIX.
- Added set::options::flat-map: This makes all servers look like they are linked
directly to the server you are on (/map, /links), thus you cannot see which server
is linked to which ("hopcount"). This can make it a bit harder for kiddies to find
any 'weak spots' (which server to attack/[D]DoS). Obviously opers will always
see the real map.
normal joins to the virus-help-channel. This way you could prevent users into
accidental (or tricked) joining of the virus-help-channel and becomming infected.
This feature is disabled by default. Requested by bleepy (#0001811).
- It now goes to <prefix> and higher, so '/notice +#chan hi!' goes to +vhoaq
- You need at least voice in order to be able to msg/notice +#chan, %#chan or @#chan
- You need at least ops in order to be able to msg/notice &#chan or ~#chan
- Any multi-prefix targets will be converted automatically (eg: ~&@#chan to @#chan).
- internal: use of the CHANOPPFX macro is now deprecated.
All of this was done to make it a bit more 'safe' and userfriendly (#0001812).
cd src;${MAKE}${MAKEARGS}MODULEFILE=${MODULEFILE}'EXLIBS=${EXLIBS}' custommodule
@if test -z "${MODULEFILE}";thenecho"Please set MODULEFILE when calling \`\`make custommodule''. For example, \`\`make custommodule MODULEFILE=callerid''." >&2;exit 1;fi
[](https://travis-ci.org/unrealircd/unrealircd)
[](https://ci.appveyor.com/project/syzop/unrealircd/branch/unreal40)
AC_ARG_WITH(disableusermod, [AC_HELP_STRING([--with-disableusermod], [Disable /set* and /chg*])],
AC_DEFINE(DISABLE_USERMOD))
AC_ARG_WITH(operoverride-verify, [AC_HELP_STRING([--with-operoverride-verify], [Require opers to invite themselves to +s/+p channels])],
AC_DEFINE(OPEROVERRIDE_VERIFY))
AC_ARG_WITH(disable-extendedban-stacking, [AC_HELP_STRING([--with-disable-extendedban-stacking], [Disable extended ban stacking])],
AC_DEFINE(DISABLE_STACKED_EXTBANS))
MODULES_WHICH=commandsandmodules
AC_MSG_CHECKING(for how much module building work we need to do)
AC_ARG_WITH(moduleswhich,
[ --with-moduleswhich=onlycommands|onlymodules|commandsandmodules What modules to build],
[ case "$withval" in
yes|no)
;;
* )
MODULES_WHICH="$withval"
;;
esac])
AC_SUBST(MODULES_WHICH)
AC_MSG_RESULT($MODULES_WHICH)
CHECK_SSL
CHECK_ZLIB
CHECK_LIBCURL
AC_ARG_ENABLE(dynamic-linking, [AC_HELP_STRING([--enable-dynamic-linking],[Make the IRCd dynamically link shared objects rather than statically])], [AC_ENABLE_DYN], [AC_DEFINE(STATIC_LINKING)])
AC_ARG_ENABLE(inet6, [AC_HELP_STRING([--enable-inet6],[Make the IRCd support IPv6])], [AC_ENABLE_INET6])
AC_SUBST(IRCDDIR)
AC_SUBST(BINDIR)
AC_MSG_CHECKING(if FD_SETSIZE is large enough to allow $ac_fd file descriptors)
AC_TRY_RUN([
#include <sys/types.h>
#include <sys/time.h>
int main() {
if (FD_SETSIZE >= $ac_fd)
exit(0);
exit(1);
}
], AC_MSG_RESULT(yes), [
FD_SETSIZE="-DFD_SETSIZE=$ac_fd"
AC_MSG_RESULT(no)
])
AC_SUBST(FD_SETSIZE)
case `uname -s` in
*SunOS*)
CFLAGS="$CFLAGS -D_SOLARIS"
IRCDLIBS="$IRCDLIBS -lresolv "
;;
*solaris*)
CFLAGS="$CFLAGS -D_SOLARIS"
IRCDLIBS="$IRCDLIBS -lresolv "
;;
esac
dnl REMEMBER TO CHANGE WITH A NEW PCRE RELEASE!
tre_version="7.2"
AC_MSG_RESULT(extracting PCRE regex library)
cur_dir=`pwd`
cd extras
dnl remove old tre directory to force a recompile...
dnl Save CFLAGS, use this when building the libraries like c-ares
orig_cflags="$CFLAGS"
dnl Save build directory early on (used in our m4 macros too)
BUILDDIR="`pwd`"
AC_SUBST(BUILDDIR)
dnl Calculate the versions. Perhaps the use of expr is a little too extravagant
# Generation version number (e.g.: X in X.Y.Z)
UNREAL_VERSION_GENERATION=["4"]
AC_DEFINE_UNQUOTED([UNREAL_VERSION_GENERATION], [$UNREAL_VERSION_GENERATION], [Generation version number (e.g.: X for X.Y.Z)])
# Major version number (e.g.: Y in X.Y.Z)
UNREAL_VERSION_MAJOR=["0"]
AC_DEFINE_UNQUOTED([UNREAL_VERSION_MAJOR], [$UNREAL_VERSION_MAJOR], [Major version number (e.g.: Y for X.Y.Z)])
# Minor version number (e.g.: Z in X.Y.Z)
UNREAL_VERSION_MINOR=["19"]
AC_DEFINE_UNQUOTED([UNREAL_VERSION_MINOR], [$UNREAL_VERSION_MINOR], [Minor version number (e.g.: Z for X.Y.Z)])
# The version suffix such as a beta marker or release candidate
# marker. (e.g.: -rcX for unrealircd-3.2.9-rcX). This macro is a
# string instead of an integer because it contains arbitrary data.
UNREAL_VERSION_SUFFIX=["-rc2"]
AC_DEFINE_UNQUOTED([UNREAL_VERSION_SUFFIX], ["$UNREAL_VERSION_SUFFIX"], [Version suffix such as a beta marker or release candidate marker. (e.g.: -rcX for unrealircd-3.2.9-rcX)])
AC_PROG_CC
if test "$ac_cv_prog_gcc" = "yes"; then
CFLAGS="$CFLAGS -funsigned-char"
AC_CACHE_CHECK(if gcc has a working -pipe, ac_cv_pipe, [
AC_DEFINE([POSIX_SIGNALS], [], [Define if you have POSIX signals])
elif test "$ac_cv_sigtype" = "BSD"; then
AC_DEFINE([BSD_RELIABLE_SIGNALS], [], [Define if you have BSD signals])
else
AC_DEFINE([SYSV_UNRELIABLE_SIGNALS], [], [Define if you have SYSV signals])
fi
AC_CHECK_FUNCS(strtoken,,AC_DEFINE([NEED_STRTOKEN], [], [Define if you need the strtoken function.]))
AC_CHECK_FUNCS(strtok,,AC_DEFINE([NEED_STRTOK], [], [Define if you need the strtok function.]))
AC_CHECK_FUNCS(strerror,,AC_DEFINE([NEED_STRERROR], [], [Define if you need the strerror function.]))
AC_CHECK_FUNCS(index,,AC_DEFINE([NOINDEX], [], [Define if you do not have the index function.]))
AC_CHECK_FUNCS(strtoul,,STRTOUL="strtoul.o")
AC_CHECK_FUNCS(bcopy,,AC_DEFINE([NEED_BCOPY], [], [Define if you don't have bcopy]))
AC_CHECK_FUNCS(bcmp,,AC_DEFINE([NEED_BCMP], [], [Define if you don't have bcmp]))
AC_CHECK_FUNCS(bzero,,AC_DEFINE([NEED_BZERO], [], [Define if you need bzero]))
AC_CHECK_FUNCS(strcasecmp,AC_DEFINE([GOT_STRCASECMP], [], [Define if you have strcasecmp]))
save_libs="$LIBS"
LIBS="$LIBS $SOCKLIB $INETLIB"
AC_CHECK_FUNCS(inet_addr,,AC_DEFINE([NEED_INET_ADDR], [], [Define if you need inet_addr]))
AC_CHECK_FUNCS(inet_ntoa,,AC_DEFINE([NEED_INET_NTOA], [], [Define if you need inet_ntoa]))
LIBS="$save_libs"
AC_CHECK_FUNCS(syslog,AC_DEFINE([HAVE_SYSLOG], [], [Define if you have syslog]))
AC_SUBST(STRTOUL)
AC_SUBST(CRYPTOLIB)
AC_SUBST(MODULEFLAGS)
AC_SUBST(DYNAMIC_LDFLAGS)
AC_ARG_WITH(nick-history, [AS_HELP_STRING([--with-nick-history=length],[Specify the length of the nickname history])],
[AC_DEFINE_UNQUOTED([NICKNAMEHISTORYLENGTH], [$withval], [Set to the nickname history length you want])],
[AC_DEFINE([NICKNAMEHISTORYLENGTH], [2000], [Set to the nickname history length you want])])
AC_ARG_WITH([sendq], [AS_HELP_STRING([--with-sendq=maxsendq],[Specify the max sendq for the server])],
[AC_DEFINE_UNQUOTED([MAXSENDQLENGTH], [$withval], [Set to the max sendq you want])],
[AC_DEFINE([MAXSENDQLENGTH], [3000000], [Set to the max sendq you want])])
AC_ARG_WITH(permissions, [AS_HELP_STRING([--with-permissions=permissions], [Specify the default permissions for
configuration files])],
dnl We have an apparently out-of-place 0 here because of a MacOSX bug and because
dnl we assume that a user thinks that `chmod 0600 blah' is the same as `chmod 600 blah'
dnl (#3189)
[AC_DEFINE_UNQUOTED([DEFAULT_PERMISSIONS], [0$withval], [The default permissions for configuration files. Set to 0 to prevent unrealircd from calling chmod() on the files.])],
[AC_DEFINE([DEFAULT_PERMISSIONS], [0600], [The default permissions for configuration files. Set to 0 to prevent unrealircd from calling chmod() on the files.])])
AC_ARG_WITH(bindir, [AS_HELP_STRING([--with-bindir=path],[Specify the directory for the unrealircd binary])],
[AC_DEFINE_UNQUOTED([BINDIR], ["$withval"], [Define the directory where the unrealircd binary is located])
BINDIR="$withval"],
[AC_DEFINE_UNQUOTED([BINDIR], ["$HOME/unrealircd/bin"], [Define the directory where the unrealircd binary is located])
BINDIR="$HOME/unrealircd/bin"])
AC_ARG_WITH(scriptdir, [AS_HELP_STRING([--with-scriptdir=path],[Specify the directory for the unrealircd start-stop script])],
[AC_DEFINE_UNQUOTED([SCRIPTDIR], ["$withval"], [Define the directory where the unrealircd start stop scripts is located])
SCRIPTDIR="$withval"],
[AC_DEFINE_UNQUOTED([SCRIPTDIR], ["$HOME/unrealircd"], [Define the directory where the unrealircd start stop scripts is located])
SCRIPTDIR="$HOME/unrealircd"])
AC_ARG_WITH(confdir, [AS_HELP_STRING([--with-confdir=path],[Specify the directory where configuration files are stored])],
[AC_DEFINE_UNQUOTED([CONFDIR], ["$withval"], [Define the location of the configuration files])
CONFDIR="$withval"],
[AC_DEFINE_UNQUOTED([CONFDIR], ["$HOME/unrealircd/conf"], [Define the location of the configuration files])
CONFDIR="$HOME/unrealircd/conf"])
AC_ARG_WITH(modulesdir, [AS_HELP_STRING([--with-modulesdir=path],[Specify the directory for loadable modules])],
[AC_DEFINE_UNQUOTED([MODULESDIR], ["$withval"], [Define the location of the modules])
MODULESDIR="$withval"],
[AC_DEFINE_UNQUOTED([MODULESDIR], ["$HOME/unrealircd/modules"], [Define the location of the modules])
MODULESDIR="$HOME/unrealircd/modules"])
AC_ARG_WITH(logdir, [AS_HELP_STRING([--with-logdir=path],[Specify the directory where log files are stored])],
[AC_DEFINE_UNQUOTED([LOGDIR], ["$withval"], [Define the location of the log files])
LOGDIR="$withval"],
[AC_DEFINE_UNQUOTED([LOGDIR], ["$HOME/unrealircd/logs"], [Define the location of the log files])
LOGDIR="$HOME/unrealircd/logs"])
AC_ARG_WITH(cachedir, [AS_HELP_STRING([--with-cachedir=path],[Specify the directory where cached files are stored])],
[AC_DEFINE_UNQUOTED([CACHEDIR], ["$withval"], [Define the location of the cached remote include files])
CACHEDIR="$withval"],
[AC_DEFINE_UNQUOTED([CACHEDIR], ["$HOME/unrealircd/cache"], [Define the location of the cached remote include files])
CACHEDIR="$HOME/unrealircd/cache"])
AC_ARG_WITH(tmpdir, [AS_HELP_STRING([--with-tmpdir=path],[Specify the directory where private temporary files are stored. Should not be readable or writable by others, so not /tmp!!])],
[AC_DEFINE_UNQUOTED([TMPDIR], ["$withval"], [Define the location of private temporary files])
TMPDIR="$withval"],
[AC_DEFINE_UNQUOTED([TMPDIR], ["$HOME/unrealircd/tmp"], [Define the location of private temporary files])
TMPDIR="$HOME/unrealircd/tmp"])
AC_ARG_WITH(datadir, [AS_HELP_STRING([--with-datadir=path],[Specify the directory where permanent data is stored])],
[AC_DEFINE_UNQUOTED([PERMDATADIR], ["$withval"], [Define the location of permanent data files])
PERMDATADIR="$withval"],
[AC_DEFINE_UNQUOTED([DATADIR], ["$HOME/unrealircd/data"], [Define the location of permanent data files])
PERMDATADIR="$HOME/unrealircd/data"])
AC_ARG_WITH(docdir, [AS_HELP_STRING([--with-docdir=path],[Specify the directory where documentation is stored])],
[AC_DEFINE_UNQUOTED([DOCDIR], ["$withval"], [Define the location of the documentation])
DOCDIR="$withval"],
[AC_DEFINE_UNQUOTED([DOCDIR], ["$HOME/unrealircd/doc"], [Define the location of the documentation])
DOCDIR="$HOME/unrealircd/doc"])
AC_ARG_WITH(pidfile, [AS_HELP_STRING([--with-pidfile=path],[Specify the path of the pid file])],
[AC_DEFINE_UNQUOTED([PIDFILE], ["$withval"], [Define the path of the pid file])
PIDFILE="$withval"],
[AC_DEFINE_UNQUOTED([PIDFILE], ["$HOME/unrealircd/data/unrealircd.pid"], [Define the path of the pid file])
PIDFILE="$HOME/unrealircd/data/unrealircd.pid"])
dnl Ensure that this “feature” can be disabled as it makes it harder to package unrealircd.
dnl Users have always been able to specify “./configure LDFLAGS=-Wl,-rpath,/path/to/blah”—binki
AC_ARG_WITH(privatelibdir, [AS_HELP_STRING([--with-privatelibdir=path],[Specify the directory where private libraries are stored. Disable when building a package for a distro])],
[],
[with_privatelibdir="yes"])
AS_IF([test "x$with_privatelibdir" = "xno"],
[PRIVATELIBDIR=],
[test "x$with_privatelibdir" = "xyes"],
[PRIVATELIBDIR="$HOME/unrealircd/lib"],
[PRIVATELIBDIR="$with_privatelibdir"])
AS_IF([test "x$PRIVATELIBDIR" = "x"],
[LDFLAGS_PRIVATELIBS=""],
[AC_DEFINE_UNQUOTED([PRIVATELIBDIR], ["$PRIVATELIBDIR"], [Define the location of private libraries])
LDFLAGS_PRIVATELIBS="-Wl,-rpath,$PRIVATELIBDIR"
LDFLAGS="$LDFLAGS $LDFLAGS_PRIVATELIBS"
export LDFLAGS])
AC_SUBST(BINDIR)
AC_SUBST(SCRIPTDIR)
AC_SUBST(CONFDIR)
AC_SUBST(MODULESDIR)
AC_SUBST(LOGDIR)
AC_SUBST(CACHEDIR)
AC_SUBST(TMPDIR)
dnl Why o why PERMDATADIR and not DATADIR you ask?
dnl well, Because DATADIR conflicts with the Windows SDK header files.. amazing.
AC_SUBST(PERMDATADIR)
AC_SUBST(DOCDIR)
AC_SUBST(PIDFILE)
AC_SUBST(LDFLAGS_PRIVATELIBS)
AC_ARG_WITH(fd-setsize, [AS_HELP_STRING([--with-fd-setsize=size], [Specify the max file descriptors to use])],
[ac_fd=$withval],
[ac_fd=1024])
AC_DEFINE_UNQUOTED([MAXCONNECTIONS], [$ac_fd], [Set to the max connections you want])
AC_ARG_ENABLE([prefixaq],
[AS_HELP_STRING([--disable-prefixaq],[Disable chanadmin (+a) and chanowner (+q) prefixes])],
[],
[enable_prefixaq=yes])
AS_IF([test $enable_prefixaq = "yes"],
[AC_DEFINE([PREFIX_AQ], [], [Define if you want +a/+q prefixes])])
AC_ARG_WITH(showlistmodes,
[AS_HELP_STRING([--with-showlistmodes], [Specify whether modes are shown in /list])],
[AS_IF([test $withval = "yes"],
[AC_DEFINE([LIST_SHOW_MODES], [], [Define if you want modes shown in /list])])])
AC_ARG_WITH(topicisnuhost, [AS_HELP_STRING([--with-topicisnuhost], [Display nick!user@host as the topic setter])],
[AS_IF([test $withval = "yes"],
[AC_DEFINE([TOPIC_NICK_IS_NUHOST], [], [Define if you want nick!user@host shown for the topic setter])])])
AC_ARG_WITH(shunnotices, [AS_HELP_STRING([--with-shunnotices], [Notify a user when he/she is no longer shunned])],
[AS_IF([test $withval = "yes"],
[AC_DEFINE([SHUN_NOTICES], [], [Define if you want users to be notified when their shun is removed])])])
[AC_DEFINE([NO_OPEROVERRIDE], [], [Define if you want OperOverride disabled])])])
AC_ARG_WITH(disableusermod, [AS_HELP_STRING([--with-disableusermod], [Disable /set* and /chg*])],
[AS_IF([test $withval = "yes"],
[AC_DEFINE([DISABLE_USERMOD], [], [Define if you want to disable /set* and /chg*])])])
AC_ARG_WITH(operoverride-verify, [AS_HELP_STRING([--with-operoverride-verify], [Require opers to invite themselves to +s/+p channels])],
[AS_IF([test $withval = "yes"],
[AC_DEFINE([OPEROVERRIDE_VERIFY], [], [Define if you want opers to have to use /invite to join +s/+p channels])])])
AC_ARG_WITH(disable-extendedban-stacking, [AS_HELP_STRING([--with-disable-extendedban-stacking], [Disable extended ban stacking])],
[AS_IF([test $withval = "yes"],
[AC_DEFINE([DISABLE_STACKED_EXTBANS], [], [Define to disable extended ban stacking (~q:~c:\#chan, etc)])])])
AC_ARG_WITH(system-tre, [AS_HELP_STRING([--with-system-tre], [Use the system tre package instead of bundled, discovered using pkg-config])], [], [with_system_tre=no])
AC_ARG_WITH(system-pcre2, [AS_HELP_STRING([--with-system-pcre2], [Use the system pcre2 package instead of bundled, discovered using pkg-config])], [], [with_system_pcre2=no])
AC_ARG_WITH(system-cares, [AS_HELP_STRING([--without-system-cares], [Use bundled version instead of system c-ares. Normally autodetected via pkg-config.])], [], [with_system_cares=yes])
CHECK_SSL
CHECK_SSL_CTX_SET1_CURVES_LIST
AC_ARG_ENABLE(dynamic-linking, [AS_HELP_STRING([--disable-dynamic-linking], [Make the IRCd statically link with shared objects rather than dynamically (noone knows if disabling dynamic linking actually does anything or not)])],
<blockquote><p><ahref="#S9_1">9.1 Table for SJB64 (NICK and SJOIN).</a></p></blockquote>
<blockquote><p><ahref="#S9_2">9.2 Table for NICKIP.</a></p></blockquote>
<hr/>
<h1><aname="S1"></a>1 Introduction</h1>
<p>This document describes the UnrealIRCd server-to-server protocol as of protocol 2307 (Unreal 3.2.4).</p>
<h2>A word about clocks.</h2>
<p>Unreal is very time-dependant. Users and channels, for example, are timestamped, and if server clocks are not synchronized properly, things can go very wrong very fast. See <ahref="http://vulnscan.org/UnrealIrcd/faq/#67">http://vulnscan.org/UnrealIrcd/faq/#67</a> for more information on this. Note that there is a slight difference between server time and what is actually reported by the UNIX date command or by the C time() function. Unreal can apply an offset to the real time to create the server time, allowing servers to be virtually synchronized when synchronizing the real clocks is not possible (such as on shell servers).
I should make it quite clear that GMT time is used for everything. To be specific, timestamps in unreal are 32-bit integer values (actually, however many bits the time_t type is, which is 32 on 32-bit systems such as x86). This integer value is the number of seconds that have elapsed since Midnight January 1, 1970 GMT (can be referred to as Epoch time in the UNIX world). This means that timezones are no problem, nor is daylight savings time (or whatever your country of choice calls it).</p>
<hr/>
<h1><aname="S2"></a>2 Server Negotiation</h1>
<p>The first step to establish a server-to-server communication is to negotiate the connection as a server. Negotiation is done using standard IRC commands - no PROTOCTL options are in force until the link is established. The first step is to open a TCP/IP connection to the target server. The target port must be one described by a listen {} block in the remote server's configuration, and that listen block must not have the clientsonly option. After the connection is open, you will be treated as any other connection and be greeted with the "Looking up your hostname..." and "Checking identd..." notices as you would for a client. As these are NOTICE messages and your session as a server isn't established, they should simply be ignored. Use the commands below to introduce a server connection.</p>
<p>The PASS command is used to transmit the password required for a server link. It must match the password specified in the remote server's link::password-receive (which can be crypted), otherwise the link will be rejected. This should be the first message sent.</p>
<h2><aname="S2_2"></a>2.2 PROTOCTL - Server Protocol Negotiation</h2>
<p>The PROTOCTL command sets several protocol options. The tokens supported are listed below.</p>
<ul>
<li>NOQUIT : When a netsplit occurs, only send a SQUIT message for each server lost. This server will assume that clients on these servers were also lost and will send the appropriate QUIT messages to local clients and to any non-NOQUIT servers.</li>
<li>TOKEN : Use tokenized commands. Tokens are case-sensitive, shortened versions of command names. Tokens will be usually one or two characters.</li>
<li>NICKv2 : Use extended NICK message for introducing users. See the NICK command for information about this.</li>
<li>VHP : When introducing a user, send his cloaked host as if it were a vhost. Usually used for services to avoid having duplicate code.</li>
<li>SJOIN : Supports SJOIN version 1 which is no longer in use. Use with SJ3.</li>
<li>SJOIN2 : Supports SJOIN version 2 which is no longer in use. Use with SJ3.</li>
<li>UMODE2 : Supports the UMODE2 command, which is a shortened version of MODE for usermode changes.</li>
<li>VL : Supports V:Line information. Extends the SERVER message to include version information used in deny version{} blocks. Note that this is assumed - unreal will always send its own version information.</li>
<li>SJ3 : Supports SJOIN version 3.</li>
<li>NS : Supports server numerics which provides a shorthand for server names. In any circumstance where a :server.name is permitted (the server is the message's real source), @servernumeric may be used instead. In addition, the server.name parameter in the NICK message may be simply the server's numeric. Requires VL support.</li>
<li>SJB64 : Timestamps in NICK and SJOIN are expressed in base64 rather than base10.</li>
<li>TKLEXT : Supports exntended TKL messages for spamfilter support.</li>
<li>NICKIP : Adds an IP parameter to the NICK message, which is the base64 encoding of the user's ip address (in network byte order). Requires NICKv2.</li>
<li>NICKCHARS : Indicates the set of enabled nickchar options (see the regular documention for info about this).</li>
<li>CHANMODES : (Not required to be sent) This is the same as the CHANMODES value in the 005 for client connections. Useful for autodetecting things like what modes are valid for ChanServ MLOCK, for example.</li>
<li>CLK : Supports an extra field in NICK for sending the cloaked host (not vhost).</li>
</ul>
<p>The syntax examples here follow the conventions for TOKEN and also NS in cases of server-only messages.</p>
<h2><aname="S2_3"></a>2.3 SERVER - Server Negotiation</h2>
<p><b>Note:</b> This message is also used for introducing additional servers, the format of this message in those cases is described later.</p>
<p><b>Syntax (with VL and NS):</b><tt>SERVER <i>server.name</i> 1 :U<i>protocolversion</i>-<i>protocolflags</i>-<i>servernumeric</i><i>server description</i></tt></p>
<p>The literal 1 in the parameter list is the hopcount parameter. Since you are a direct link, your own hopcount will be 1.</p>
<p>The server.name is the same as that in the remote server's link:: block. When received from unreal servers, this will be the value of that server's me::name. The protocol version is the numeric protocol version (2306 for example), and the protocol flags are the server's compilation flags (described below). These two fields are checked against the deny version {} blocks in the remote server's configuration. A value of 0 for either field prevents deny version{} checking for that field. The server description can be anything. When received from unreal servers, it'll be the value of me::description.</p>
<p>The following version numbers have been used previously:</p>
<ul>
<li>2309 - Unreal 3.2.6</li>
<li>2308 - Unreal 3.2.5</li>
<li>2307 - Unreal 3.2.4</li>
<li>2306 - Unreal 3.2.3</li>
<li>2305 - Unreal 3.2.2</li>
<li>2304 - Unreal 3.2.1</li>
<li>2303 - Unreal 3.2beta* through 3.2 Release</li>
<li>2302 - Unreal 3.1.1 through 3.1.4</li>
<li>2301 - Unreal 3.1 Release</li>
<li>2300 - Unreal 3.0 Release</li>
</ul>
<p>The compile flags as specified in protocol flags are:</p>
<ul>
<li>c : Server is chrooted (#define CHROOTDIR).</li>
<li>C : Server has command line config (-f option) enabled (#define CMDLINE_CONFIG).</li>
<li>D : Server is in debugmode (#define DEBUGMODE).</li>
<li>F : Using filedescriptor lists.</li>
<li>h : Server is compiled with hub support (#define HUB or answer "Hub" to relevant ./Config prompt).</li>
<li>i : Server shows invisible users in /TRACE.</li>
<li>n : NOSPOOF (pingcookies) is enabled (#define NOSPOOF or answer "Yes" to relevant ./Config prompt).</li>
<li>V : Server is using valloc().</li>
<li>W : Windows IRCd.</li>
<li>Y : Syslog logging enabled.</li>
<li>6 : Server has IPv6 support (#define INET6 or answer "yes" to relevant ./Config prompt).</li>
<li>X : Server has badword stripping (user and channel modes +G) (#define STRIPBADWORDS).</li>
<li>P : Server is using poll().</li>
<li>e : Server has SSL Support (#define USE_SSL or answer "yes" (and have ssl libraries installed) to relevant ./Config prompt).</li>
<li>O : Server has OperOverride enabled (#undef NO_OPEROVERRIDE or answer "no" to relevant ./Config prompt).</li>
<li>o : Server has disabled Oper verify (#undef OPEROVERRIDE_VERIFY or answer "no" to relevant ./Config prompt).</li>
<li>Z : Server has ziplink support (#define ZIP_LINKS or answer "yes" to relevant ./Config prompt AND have the zlib dev libraries).</li>
<li>E : Server has extended channel mode support.</li>
<li>3 : 3rd party modules are loaded or some system libraries are wonky.</li>
<li>m : Private message handling is 'tainted' (one or modules registered a USERMSG hook).</li>
<li>M : Channel message handling is 'tainted' (one or modules registered a CHANMSG hook).</li>
<li>Additional Version flags can be added by 3rd-party modules.</li>
</ul>
<h2><aname="S2_4"></a>2.4 EOS - End Of Synch (TOKEN: ES)</h2>
<p><b>Syntax:</b> ES</p>
<p>Marks the end of the synching process. This is really optional, but it might be a good idea to send it anyway when you really are done synching. Once you send this, unreal will announce "Client connecting" or "Client exiting" notices (to those with snomask +F) for users (unless your server is U:Lined), and joins will be counted toward channel flood controls (chanmode +f).</p>
<p>Sending EOS only marks your server as synched, but does not do so for servers behind you. EOS would need to be sent on those servers' behalf as well.</p>
<h2><aname="S2_5"></a>2.5 NETINFO - Network Information (TOKEN: AO)</h2>
<p><b>Syntax:</b> AO <i>maxglobal</i><i>currenttime</i><i>protocolversion</i><i>cloakhash</i> 0 0 0 :<i>networkname</i></p>
<p>This tells the other server your current network configuration. The max global is the highest number of concurrent users network-wide that this server has seen. The current time is a timestamp value. Protocolversion is the same as that in the SERVER command. Cloakhash is a hash representing the configured cloak keys. It may be a * if you are implementing services. The network name is that specified in set::network-name. The cloak-prefix is currently not sent here (and thus unreal won't generate warning for mismatching cloak prefixes, but they should be the same anyway).</p>
<p>It is NETINFO, not EOS, that triggers the "Link bla bla bla is now synched" notices, but NETINFO does not imply synching is actually complete (see EOS).</p>
<hr/>
<h1><aname="S3"></a>3 User Operations</h1>
<p>One important function of servers is it must notify all other servers about all of the users behind it. These commands represent the operations that can result in the change of a user's global state.</p>
<h2><aname="S3_1"></a>3.1 NICK - User Introduction and Nick Change (TOKEN: &)</h2>
<p>This format of the NICK message indicates an existing user is changing his or her nickname. If a collision occurs, see the section on Nick Collisions below. The timestamp is the new nickname's timestamp.</p>
<p><b>Note:</b> Because each server normally does its own cloak generation, Unreal does not expect to receive NICK messages with the CLK info, so do not send it. It will send this info to a server it has received a PROTOCTL CLK from however.</p>
<p>This format of the NICK message introduces a new user to the network. If PROTOCTL VHP is enabled, the user's cloaked host is put in the virtualhost field, otherwise it'll be * unless the user is +t. With the addition of CLK, VHP is no longer necessary for determining the cloak host.</p>
<h3><aname="S3_1_1"></a>3.1.1 Nick Collisions</h3>
<p>A nick collision occurs when a server receives a NICK message (or & token) introducing a user that the server already sees on the network. When a collision occurs, one or both of the colliding clients must be disconnected. The timestamp is examined to determine which client loses. The client with the earlier timestamp remains. If both clients have equal timestamps, both are removed. Currently, Unreal handles NICK collisions both passively and agressively:</p>
<ul>
<li><b>Aggressive Handling:</b> The server actively sends a KILL message back across the link to terminate that end's client.</li>
<li><b>Passive Handling:</b> Upon receipt of a NICK message that should "win", the server simply silently exits it's own client.</li>
</ul>
<h2><aname="S3_2"></a>3.2 MODE, UMODE2 - User Mode Change (TOKEN: G or |)</h2>
<p><b>Syntax (MODE):</b><tt>:<i>user</i> G <i>user</i><i>modechange</i></tt></p>
<p>This indicates a usermode change. The modechange can consist of zero or more strings of characters, each prefixed with either a + or -; the only delimiter between them being said + or -. If no + or - is at the beginning of the mode string, a + should be implied.</p>
<p>Some user modes are never sent between servers. Specifically, usermode +s and +O are not sent between servers. Modules can define additional usermodes that also might not be sent between servers. The UMODE2 saves bandwidth by not including the redundant target field for usermode changes, so use it when possible.</p>
<h2><aname="S3_3"></a>3.3 QUIT - User Disconnect (TOKEN: ,)</h2>
<p>This command indicates that a user has disconnected. The reason field is filled in with the reason the user disconnected, which will be any of: quit message provided by the user in a /quit command, kill message for local operator kills, "Client exited" if the user does a brutal quit (clean (by TCP's definition) disconnect without sending a QUIT message), or a socket error message if present.</p>
<p>The QUIT message must NOT be prefixed when passing on to other servers. Only local user quit messages are affected by set::prefix-quit.</p>
<h2><aname="S3_4"></a>3.4 KILL - Force Disconnect (TOKEN: .)</h2>
<p>Used to indicate that an operator has used KILL on a user not on the same server. Anything beyond the last ! in the kill path is used as the reason. The source (reason) part is simply a standard used by Unreal. As each server passes on a KILL message, it usually prepends the bottommost part (up to the first .) of it's name followed by a ! character. When unreal receives a KILL from a directly connected irc operator, it will usually add that oper's vhost (or realhost if -x) as the first hop in the kill path, then follow with it's own name as mentioned before if it is passing to another server.</p>
<p>A server can also send KILLs on it's own. This is done in cases involving nickname collisions, fake senders, bad direction, and other cases of protocol errors. Usually, in these cases, the server puts it's own name as the source, and also prefixes with <i>bottompart</i>! like for any other ircop on that server. For example: @3 . someone :irc!irc.example.com (Nick collision)</p>
<h2><aname="S3_5"></a>3.5 SETHOST/CHGHOST - Change virtual host (TOKEN: AA or AL)</h2>
<p><b>Syntax (SETHOST):</b><tt>:<i>source</i> AA <i>newvhost</i></tt></p>
<p><b>Syntax (CHGHOST):</b><tt>:<i>source</i> AL <i>target</i><i>newvhost</i></tt></p>
<p>Indicates the change of a user's virtual host. Currently, servers are expected to assume UMODE2 +xt on the target user in both commands. (In the case of SETHOST, the target is the sender.) Servers using PROTOCTL VHP will receive the cloaked host in a SETHOST message when a user activates his cloaked host. A server can also send CHGHOST (from one of it's opered clients) to change a user's hostname. This is generally used by HostServ implementations. To disable a cloaked host, use CHGHOST to set the user's virtual host equal to his real host, or use SVSMODE -xt, but the latter requires services.</p>
<h2><aname="S3_6"></a>3.6 SETIDENT/CHGIDENT - Change a user's username (TOKEN: AD or AZ)</h2>
<p><b>Syntax (SETIDENT):</b><tt>:<i>source</i> AD <i>newusername</i></tt></p>
<p><b>Syntax (CHGIDENT):</b><tt>:<i>source</i> AZ <i>target</i><i>newusername</i></tt></p>
<p>Indicates the change of a user's username. No usermode change is associated with this. Unreal does not use a distinguished virtual username, so servers should only keep the original username (from the NICK message) if they intend to allow the user to reset the original username. Servers can use CHGIDENT to change a user's username.</p>
<h2><aname="S3_7"></a>3.7 SETNAME/CHGNAME - Change a user's realname (TOKEN: AE or BK)</h2>
<p><b>Syntax (CHGNAME):</b><tt>:<i>source</i> BK <i>target</i> :<i>newrealname</i></tt></p>
<p>Indicates the change of a user's realname. No usermode change is associated with this. Unreal does not use a distinguished virtual realname, so servers should only keep the original realname (from the NICK message) if they intend to allow the user to reset the original realname. Servers can use CHGNAME to change a user's username. Note that servers must NOT check that the sender be an IRCop in SETNAME - normal users are permitted to use SETNAME.</p>
<h2><aname="#S3_8"></a>3.8 WHOIS - User Information (TOKEN: #)</h2>
<p>Requests the information on a user. This works exactly like the user /whois command - in fact, the source parameter must be a user, or the command will do nothing. <i>from-server</i> is the server to request the information from; if a server recives a WHOIS message without this parameter, it should return its own information on the user, otherwise it should pass the message to the given server. Note that <i>from-server</i> may name a user instead of a server (such as when a user uses /whois nick nick), in which case the the nick should be interpreted as naming the server that user is on. <i>nick</i> may be several users seperated by commas, but may not contain wildcards.</p>
<p>The reply to a WHOIS message uses the same numeric replies as the user command.</p>
<hr/>
<h1><aname="S4"></a>4 Server Operations</h1>
<p>This is different from server negotiation. Negotiation is when you are first connecting. Server introduction is used for introducing additional servers behind an existing server (aka hubbing). Hubbing is limited as specified by the hub, leaf, and leafdepth parameters in the link block and attempted violation of a hub restriction results in termination of the link. If no hub or leaf directive is given your server is a leaf by default, so any introduction of any server behind you would be an automatic drop. U:Lines don't matter here; services must be configured as a hub in the link block. The reason is U:Line is a permission rule, but hub privilege is a network structure rule.</p>
<h2><aname="S4_1"></a>4.1 SERVER - Server Introduction (TOKEN: ')</h2>
<p><b>Note: This command is also used for negotiation. Be warned that the token for this command is NOT VALID at that time! See section 2.3 for the syntax for negotiation.</b></p>
<p><b>Syntax (without PROTOCTL NS):</b><tt>:<i>source</i> SERVER <i>new.server</i><i>hopcount</i> :<i>description</i></tt></p>
<p><b>Syntax (with PROTOCTL NS):</b><tt>@<i>sourcenumeric</i> SERVER <i>new.server</i><i>hopcount</i><i>numeric</i> :<i>description</i></tt></p>
<p>The command indicates that the server named new.server is being introduced by the source (the source is the server which new.server is directly linked to). The hopcount will be the number of links the receiving server would have to cross to reach new.server. In other words, new.server introduced itself with a hopcount of 1, and as the SERVER message is passed along, hopcount is incremented.</p>
<p>As an example, a services server faking a SERVER message for JUPE functionality would use a hopcount of 2.</p>
<h2><aname="S4_2"></a>4.2 SQUIT - Server Removal (TOKEN: -)</h2>
<p>From an IRCop or when server.name is not behind the source, this command requests the removal of the specified server.name. The command in this case is treated very much like KILL in the respect that the message is broadcasted to all servers, except server.name and any servers behind it. When the SQUIT reaches server.name's uplink, that server closes the link to server.name (which would then generate it's own SQUIT on behalf of it's uplink for the servers behind it).</p>
<p>A server can also use SQUIT in the same manner as QUIT to note the removal of a server behind it, or that it itself is quitting. In the former case, server.name is behind source, and the message is forward on to all other servers. In the latter case, source and server.name are equal, the receiving server closes the link and forwards the SQUIT message.</p>
<p>Unreal closes a direct link by simply sending an ERROR message and then closing the TCP connection. This typically causes the other end to generate an SQUIT bearing the message "Client exited" or similar, however, the ERROR will usually cause the server to send a message to all IRCops.</p>
<h2><aname="S4_3"></a>4.3 SDESC - Server Description (TOKEN: AG)</h2>
<p><b>Syntax:</b><tt>:<i>source</i> AG :<i>newdesc</i></tt></p>
<p>The server to which source is connected to should have it's description updated to newdesc. This does NOT include the VL inforamtion.</p>
<h2><aname="S4_4">4.4 PING - Live Connection Query (TOKEN: 8)</a></h2>
<p>Used to check if a connection is still live if it has been "quiet" for a certain amount of time. Typically, unreal will send PING requests at intervals determined by the class::pingfreq setting. PINGs originating from the direct uplink will use the token, but it seems PINGs originating from a distant server will not.</p>
<p>The response to a PING is sent with the <ahref="#S4_5">PONG</a> command.</p>
<p>When receiving a two-parameter PING, the second parameter is the target. If the target isn't you, you can either reply on behalf of that target (using its name instead of yours), or if there is a real connection representing the target, forward the PING to the target.</p>
<h2><aname="S4_5">4.5 PONG - Live Connection Reply (TOKEN: 9)</a></h2>
<p>Used to respond to a <ahref="#S4_4">PING</a> query.</p>
<p><b>Responding to a ping:</b> Once a PING is received, you usually have an amount of time to respond equal to your class::pingfreq. The correct response will always have two parameters. If you received one parameter, then the received parameter becomes the second parameter of your response, and the first parameter is your server name. If you received two parameters, the response returns both parameters in reverse order.</p>
<p>For example, the response to <tt>8 uplink.server</tt> is <tt>9 my.name uplink.server</tt>, while the response to <tt>PING distant.server your.server</tt> is <tt>9 your.server distant.server</tt>. Unreal typically includes a : prior to the last parameter. This isn't required if that parameter contains no spaces, but it is especially important to not include the colon when reversing the parameters, or else Unreal mistake it for a single-parameter PONG.
<p>If a two-parameter PONG is received, the second parameter names the target. If the target is not you, and a real connection represents that target, you should forward the PONG message via that connection.</p>
<h2><aname="#S4_6"></a>4.6 STATS - Server Stats (TOKEN: 2)</h2>
<p>Requests statistics or configuration information from a server. This command is used to transport cross-server STATS requests from users (eg: /stats o other.server), and should only be sent from a user (not a server). With no parameters, this will cause unreal to simply dump its help output. <i>type</i> is the type of stats to request, <i>server</i> names a server (or a user on that server) to request stats from, and <i>extended-params</i> is used to filter output from STATS G, etc. When received, it is up to the receiver to determine what stats to support and how to reply, but generally numeric replies are used. For the list of unreal's stats types, type /stats in a client for the helptext dump.</p>
<p><b>Note:</b> Stats set as oper-only (see set::oper-only-stats) will be refused from a server. In this case, it will be necessary to send the stats request from a psuedo-oper (such as a services agent, etc) for services/stats/etc.</p>
<hr/>
<h1><aname="S5"></a>5 Channel Operations</h1>
<p>These commands deal with the state of channels across the network. Unreal only supports Network Channels, where the first character is a # character.</p>
<p>Timestamp is the channel timestamp and can be !b64 as defined by PROTOCTL SJB64. Modes should only include those in the last three mode sets listed in CHANMODES. Modeparams is one parameter for each mode character that requires one. Memberlist is a series of users (all of which must at least be behind the server sending the SJOIN), each user is prefixed with one or more characters indicating their status. Owners (+q) are prefixed with *, admins (+a) ~, ops (+o) @, halfops (+h) %, voices (+v) +. Normal users are not prefixed with anything. Ban, ban exception, and invite exception masks are also included, with bans prefixed with &, ban exceptions prefixed with ", and invite exceptions with '. Note that when a &, " or ' is encountered as the first character, further processing of ~, *, @, %, or + characters must not continue because ban, exempt, and invite masks can contain any of those characters. (Plus it's just not right for a ban mask to be marked as a channel admin...)</p>
<p>If the channel didn't already exist it is created with the information given in the SJOIN. Otherwise the timestamp is used to determine how the SJOIN information is handled. As a given, all members are joined into the channel, regardless. The mode information (modes, modeparams, memberlist prefixes, bans, exempts, and invites) is subject to the timestamp rules:</p>
<ul>
<li>If the channel's current timestamp is equal to the timestamp in SJOIN, then the mode information is merged.</li>
<li>If the channel's current timestamp is less than the SJOIN timestamp, then the mode information is ignored.</li>
<li>If the channel's current timestamp is greater than the SJOIN timestamp, then the channel's existing mode information is cleared (for example, deop, etc all local clients), and the SJOIN mode information is added.</li>
</ul>
<p>When merging modes, conflicting modes (including +p vs +s, differing +l limits or +k keys, etc) are handled as follows:</p>
<ul>
<li><b>Private (+p) vs. Secret (+s):</b> Secret (+s) is preferred. Private (+p) is removed. (Note: there is a <ahref="http://bugs.unrealircd.org/view.php?id=2391">bug</a> in Unreal versions prior to 3.2.3 in which a desynch will occur in which one side is +p and the other is +s. Update to Unreal 3.2.4 if you have problems with this.)</li>
<li><b>Strip Color (+S) vs. Block Color (+c):</b> Block (+c) is preferred. Strip (+S) is removed. (Note: Bug for +p vs. +s in prior unreal versions apply here as well.)</li>
<li><b>Channel Limit:</b> Numericly larger limit is preferred (for example, +l 30 versus +l 15 : +l 30 wins).</li>
<li><b>Channel Key:</b>"Larger" key (as defined by strcmp) is preferred (for example, +k moo versus +k meow : +k moo wins).</li>
<li><b>Channel Link:</b>"Larger" link name (as defined by stricmp - not case sensitive) is preferred (for example, +L #moo versus +L #meow : +L #moo wins, but +L #Meow versus +L #meow : values are equal).</li>
<li><b>Flood String:</b> Not really sure on this. I think larger value in each component wins.</li>
<li><b>Join-Throttle:</b> Highest of time period wins, if equal, highest of join amount wins (so +j 3:40 beats +j 5:20 but +j 5:20 beats +j 3:20).</li>
<li>Parameterized modes in third party modules will define their own conflict resolution formula.</li>
<p><b>Syntax:</b><tt>:<i>source</i> C <i>#channel</i></tt></p>
<p>Indicates a user has joined a channel. Only one channel is sent this way, and the key is not sent even if the user gave one one joining. If the channel parameter is the special "0" case, the server must interpret the message as a PART for all channels the user is on.</p>
<h2><aname="S5_3"></a>5.3 PART - Channel Part (TOKEN: D)</h2>
<p><b>Syntax:</b><tt>:<i>source</i> D <i>#channel</i>[ :<i>reason</i></tt>]</p>
<p>Indicates a user has left a channel. Only one channel is sent this way. The reason parameter may be left out if no reason was given.</p>
<p><b>Syntax:</b><tt>:<i>source</i> H <i>#channel</i><i>user</i> :<i>reason</i></tt></p>
<p>Orders the forced removal of user from #channel with the given reason. When updating state for this command, it should be the same as if :user PART #channel had been received - the user is removed from #channel's memberlist.</p>
<p><b>Note:</b> This is the same command as that used for usermode changes.</p>
<p><b>Syntax:</b><tt>:<i>source</i> G <i>#channel</i><i>modechange</i><i>modeparams</i>[ <i>timestamp</i>]</tt></p>
<p>Changes the specified modes on the given channel. If the source is a server and the last parameter is numeric, it is interpreted as timestamp (although it can also be consumed as a parameter for modes. For example: :server.name MODE #channel +l 4 <-- 4 will be a timestamp and the +l parameter). When a mode change is timestamped in this way, the mode is treated as it is with SJOIN: the MODE message is ignored if the timestamp is greater than the channel timestamp. (If the timestamp is equal, the mode is simply added replacing any conflicting modes already in place.)</p>
<p>A services implementation can easily clear all entries in a list mode such as bans with SVSMODE (see below).</p>
<h2><aname="S5_6"></a>5.6 INVITE - Invite a user to a channel (TOKEN: *)</h2>
<p>Sends to target an invitation to join #channel. If the source is a channel operator on #channel, or a U:Lined server, the invitation grants the user the temporary ability to join the channel regardless of any bans or some restricting channel modes (not +O or +A).</p>
<h2><aname="S5_7"></a>5.7 SAJOIN - Channel Force Join (TOKEN: AX)</h2>
<p>This requests the forced join of targetuser to #channel. This type of forced join overrides bans, and most modes. The server to which targetuser is connected to must actually acknowledge the join for it to occur. Service implementations may ignore this command, as they would only ever receive it if an SAJOIN was targeted at a service client, in which case it should be ignored...</p>
<h2><aname="S5_8"></a>5.8 SAPART - Channel Force Part (TOKEN: AY)</h2>
<p><b>Syntax:</b><tt>:<i>source</i> AY <i>targetuser</i><i>#channel</i>[ :<i>reason</i>]</tt></p>
<p>This requests the forced part of targetuser from #channel. This is slightly different from a KICK in that the user's removal is announced with PART. The server to which targetuser is connected to must actually acknowledge the part for it to occur. Service implementations may ignore this command, as they would only ever receive it if an SAPART was targeted at a service client, in which case it should be ignored...</p>
<p>The reason field is optional. If provided the acknowledging PART message should prefix the message with "SAPart:".</p>
<h2><aname="S5_9"></a>5.9 SAMODE - Channel Force Mode (TOKEN: o)</h2>
<p><b>Syntax:</b><tt>:<i>source</i> o <i>#channel</i><i>modechange</i><i>modeparams</i></tt></p>
<p>This has the same parameters as for MODE. The only difference is that servers probably will never receive this (but is best to document just in case), and that absolutely NO permission checking is done on anything.</p>
<p>Changes the channel topic information. This format is used when synching, as well as when a topic is changed normally. Nick is the user who changed the topic (depending on compile options, it can be just nick or a full nick!user@host), timestamp is when the change occured, and topic is the new topic text. Normally, only a newer timestamp will actually change the topic, but a U:Lined server can use an older timestamp as well (such as for TOPICLOCK).
<hr/>
<h1><aname="S6"></a>6 Services Commands</h1>
<p>These are commands typically employed by a service implementation, in addition to some of the normal commands. All of the commands listed here require the sender to be correctly U:Lined. This means that the services server name must appear within a ulines {} block in the unrealircd.conf configuration for ALL servers in the network. All servers and clients behind a U:Lined server are themselves U:Lined.</p>
<h2><aname="S6_1"></a>6.1 SVSKILL - Force Disconnect by Service (TOKEN: h)</h2>
<p><b>Syntax:</b><tt>:<i>source</i> h <i>target</i> :<i>reason</i></tt></p>
<p>This command is similar to KILL but differs in several ways. First of all: there is no mutilation of the reason value. The reason given is the exact reason used to generate QUIT messages sent to users. Second, it is silent; no server notice is generated in response to this command. Third, it can only be used by a U:Lined server or client (such as services).</p>
<p>Because this command can be dangerous in the hands of an abusive person, service implementations should avoid granting humans control over the reason parameter. In cases of commands where a person has control over such parameter, either use a regular KILL instead, or otherwise modify the reason so that operators can be held accountable if necessary.</p>
<h2><aname="S6_2"></a>6.2 SVSMODE, SVS2MODE - Force User Mode Change (TOKEN: n or v)</h2>
<p><b>Syntax (SVSMODE):</b><tt>:<i>source</i> n <i>target</i> +<i>usermodes</i></tt></p>
<p><b>Syntax (SVS2MODE):</b><tt>:<i>source</i> v <i>target</i> +<i>usermodes</i></tt></p>
<p>Judging by these commands alone, you'd think they are identical. Both commands force a usermode change to occur. This is typically used by services to set +r on a user who has successfully identified. They differ in that SVS2MODE also sends the mode change to the user, while SVSMODE does not (hidden mode change).</p>
<p>SVSMODE and SVS2MODE also give special treatment to usermode +d. Rather than setting the deaf mode like you might expect, SVS(2)MODE +d allows services to change a user's services stamp (which is given in the NICK message). This could allow services to set the service stamp to an easily identifiable value that could then be used to say "hey, this person identified already". The syntax of this is: +d <i>newservicestamp</i> and can be combined with setting other usermodes as well. The deaf mode <b>can</b> be set by using +d without the service stamp parameter; however, in this case you <b>cannot</b> set the service stamp in the same SVS(2)MODE message.</p>
<p><b>Note:</b> Do <b>NOT</b> use SVSMODE to remove IRCop status from a user. Use the SVSO command for that instead.</p>
<p>Alternatively, target can name a channel. In this case, the mode change parameter can consist of a - character, followed by any or all of: b, e, I, q, a, o, h, or v. These characters cause the corresponding lists to be cleared of all entries. For example: SVSMODE #channel -b removes ALL bans from #channel, and SVSMODE #channel -qaohv turns ALL users on #channel into normal users (removes all owner, admin, op, halfop, and voice status). In this case, the uplink will acknowledge with a MODE listing the bans, etc that were removed.</p>
<p>To completely clear a channel of all modes: MODE #channel -cfijklmnprstzACGMKLNOQRSTVu (plus any added by third-party module) followed by SVSMODE #channel -beIqaohv.</p>
<p>Changes a user's snomasks. The difference between SVSSNO and SVS2SNO is the same as with SVSMODE versus SVS2MODE. If the user is not +s, you must add it via SVSMODE +s. For example:</p>
<pre>:OperServ v someuser +s
:OperServ BW someuser +ks</pre>
<h2><aname="S6_4"></a>6.4 SVSNICK - Forced Nick Change (TOKEN: e)</h2>
<p><b>Syntax:</b><tt>:<i>source</i> e <i>target</i><i>newnick</i> :<i>newtimestamp</i></tt></p>
<p>Forces the specified user to change his nick to newnick and also sets the nick timestamp to newtimestamp (so, for example, services could protect identified users from a nick collision by simply setting the nick timestamp to something way less than "now" - though currently this requires actually changing the nick too). SVSNICK requires the server to which the target is connected to acknowledge the nick change. If the user specified by newnick already exists, then target will be disconnected (even if it's something like a case-change).</p>
<p>This is identical to SAJOIN with a few exceptions: 1) It is U:Line-only. 2) No opernotice on use. 3) Bans and restricting modes are respected, a prior INVITE message must be sent to cause bans to be ignored.</p>
<h2><aname="S6_6"></a>6.6 SVSPART - Forced Part (TOKEN: BT)</h2>
<p>Also identical to SAPART with a few exceptions: no static prefix on the optional part reason, and no global notice, and requires a U:Line. Usage recommendation of SVSPART versus KICK is the same as for SVSKILL versus KILL.</p>
<p>This allows a service to add or remove IRCop permission flags for a user. Flagchanges is formatted similar to that of MODE with the exception that operflags are used instead of usermodes. If the change string consists only of -, then all oper permissions, usermodes, and snomasks are removed (as if the user had himself typed MODE nick -Oo).</p>
<p>If you are granting IRCop permissions to a user who is not currently an IRCop, you should follow up with an SVSMODE +o or SVSMODE +O as appropriate. For example:</p>
<pre>:OperServ BB somenick +o
:OperServ BW somenick +cefknoqsSv
:OperServ AL somenick local.oper.somethinghere.net
<p><b>Syntax:</b><tt>:<i>source</i> f <i>(op)</i><i>server.name</i></tt></p>
<p>The (op) parameter is either a + or - indicating if NOOP mode should be activated (+) or deactivated (-). When NOOP mode is activated, all IRCops on the server are deopered (including local operators) and the /oper command is disabled. IRCop privileges can still be granted through use of SVSO. On UnrealIRCd, it is not necessary to masskill all IRCops on the nooped server, as they are deopered automatically.</p>
<h2><aname="S6_9"></a>6.9 SVSNLINE - RealName Ban (TOKEN: BR)</h2>
<p>Op is either + (add) or - (remove). In the case of +, reason is a space-escaped string (all space chars are encoded as _). If -, reason is ignored.</p>
<h2><aname="S6_10"></a>6.10 SVSFLINE - File Ban (TOKEN: BC)</h2>
<p><b>Syntax (add):</b><tt>:<i>source</i> BC + <i>filemask</i> :<i>reason</i></tt></p>
<p><b>Syntax (remove):</b><tt>:<i>source</i> BC - <i>filemask</i></tt></p>
<p><b>Syntax (clear):</b><tt>:<i>source</i> BC *</tt></p>
<p>Adds or removes a DCCDENY item for the specified filemask on all servers. These DCCDENYs are hard dccdenies - the /dccallow command cannot override it. The last form removes all dccdenies added via SVSFLINE.</p>
<hr/>
<h1><aname="S7"></a>7 Messaging</h1>
<p>What good is Internet Relay <b>CHAT</b> if users cannot <b>CHAT</b>? This section addresses the commands through which arbitrary user messages are sent.</p>
<p><b>NOTICE Syntax:</b><tt>:<i>source</i> B <i>target</i> :<i>message</i></tt></p>
<p>Sends a messages to the given target. The target either names a single client, or identifies a list of clients in which the message is to be sent to. The available targets include:</p>
<ul>
<li><i>nickname</i>: Names a single user to whom the message is delivered.</li>
<li><i>nickname</i>@<i>servermask</i>: Also names a single user, but the message will only be delivered if the user is connected to a server matching the specified servermask. This is typically used for sending messages to services. The target must not be changed at any point along the path it must travel for delivery, even up to the final receipt of the message by the target. This allows the target to know it has been sent a message in this way.</li>
<li>#<i>channelname</i>: Sends a message to all users on the specified channel (except when channel is a moderated auditorium (+mu), in which case the wierd +mu sending behavior goes off).</li>
<li><i>modeprefix</i>#<i>channelname</i>: Sends a message to all users on the given channel having the given status or higher. For example: + means all voices, halfops, etc.</li>
<li>$<i>servermask</i>: Sends a message to ALL users on all servers matching the specified servermask (known as a server broadcast message). The RFC requirements of having a TLD with no wildcards is not applied to U:Lined clients.</li>
</ul>
<p>Unreal does not support the #hostmask format.</p>
<h2><aname="S7_2"></a>7.2 SENDUMODE, SMO - Usermode-based Delivery (TOKEN: AP or AU)</h2>
<p><b>Syntax:</b><tt>@<i>servernumeric</i> AU <i>umode</i> :<i>message</i></tt></p>
<p>Sends the specified message to all users with the given mode. Only one usermode may be given. This is a server-only command if you can't tell from the sender prefix :) .</p>
<p>The message will be displayed as coming from the receiving client's own server. It may be appropriate to add a "*** Notice (or other leader here) -- from blah:" if you wish to clarify where the message is from.</p>
<p><b>Syntax:</b><tt>@<i>servernumeric</i> Ss <i>snomask</i> :<i>message</i></tt></p>
<p>Sends the specified message to all users with the given snomask. Only one snomask may be given. This is a server-only command if you can't tell from the sender prefix :) .</p>
<p>The message will be displayed as coming from the receiving client's own server. It may be appropriate to add a "*** Notice (or other leader here) -- from blah:" if you wish to clarify where the message is from.</p>
<p><b>Syntax:</b><tt>:<i>source</i> AC :<i>message</i></tt></p>
<p>Send the message to all Network Admins (usermode +N).</p>
<hr/>
<h1><aname="S8"></a>8 Ban Control</h1>
<p>Sometimes, you have the misfortune of encountering a user who has no purpose but to serve as an annoyance to your server or network. These commands transmit network-wide ban information amongst each other.</p>
<h2><aname="S8_1"></a>8.1 TKL - Master Ban Control (TOKEN: BD)</h2>
<p>The TKL command seems to have one oddity about it: the real ban source is included in the TKL command rather than in the sender prefix. Most likely this is done for synching reasons (so that the *line ban can be credited to the proper person even if he/she is offline). For this reason, the command syntax is given without any sender prefix at all. It is still permissible to use one, however.</p>
<p><b>Add Syntax (TKL):</b><tt>BD + G <i>userpart</i><i>hostpart</i><i>source</i><i>expiretimestamp</i><i>settimestamp</i> :<i>reason</i></tt></p>
<p><b>Remove Syntax (TKL):</b><tt>BD - G <i>userpart</i><i>hostpart</i><i>source</i></tt></p>
<p>Adds and Removes Network-wide user@host bans, known as G:Lines. The GLINE command itself must not be used. The userpart and hostpart are the user portion and hostname portion of the ban mask. The expiretimestamp is 0 if the G:Line should not expire, otherwise it will expire at the given time. It is an absolute time, not relative, thus it's imperitive to have reasonably synchrnoized clocks or bans may be removed too early or even immediately!</p>
<h3><aname="S8_1_2"></a>8.1.2 GZLINE - Network-wide IP ban</h3>
<p><b>Add Syntax (TKL):</b><tt>BD + Z * <i>ipmask</i><i>source</i><i>expiretimestamp</i><i>settimestamp</i> :<i>reason</i></tt></p>
<p><b>Remove Syntax (TKL):</b><tt>BD - Z * <i>ipmask</i><i>source</i></tt></p>
<p>Adds and Removes Network-wide IP bans, known as Global Z:Lines. The GZLINE command itself must not be used. Ipmask permits CIDR notation as well as wildcard masks.</p>
<h3><aname="S8_1_3"></a>8.1.3 SQLINE, UNSQLINE - Network-wide Nickname ban (TOKEN: c or d)</h3>
<p><b>Remove Syntax (UNSQLINE):</b><tt>:<i>source</i> d <i>nickmask</i></tt></p>
<p>In the TKL syntax, the hold parameter is either a * to mark the qline as a nick ban, or an H to mark it as a services hold. A services hold does not trigger qline rejection notice, and is typically used by NickServ to reserve registered nicks until they are released by the owner. The (UN)SQLINE syntax can only be used by a server, but any user can be used as the source for the TKL syntax. Unlike G and GZ lines, Q:Lines do not cause existing matching users to be disconnected or otherwise affected.</p>
<p>The TKL syntax is preferred, since it is more flexible, but (UN)SQLINE is permitted for compatibility.</p>
<p>Proper use of spamfilter in TKL commands requires use of PROTOCTL TKLEXT, which increases the number of parameters allowed in TKL.</p>
<p><b>Add Syntax (TKL):</b><tt>BD + F <i>target(s)</i><i>action</i><i>source</i> 0 <i>settimestamp</i><i>tklduration</i><i>tklreason</i> :<i>regex</i></tt></p>
<p><b>Remove Syntax (TKL):</b><tt>BD - F <i>target(s)</i><i>action</i><i>source</i> 0 <i>settimestap</i> :<i>regex</i></tt></p>
<p>Adds and Removes network-wide spamfilters. The SPAMFILTER command itself must not be used. See <ahref="http://vulnscan.org/UnrealIrcd/unreal32docs.html#feature_spamfilter">http://vulnscan.org/UnrealIrcd/unreal32docs.html#feature_spamfilter</a> for a list of valid targets. For actions, a single character is used to identify the action to be taken:</p>
<ul>
<li>K (kill) - The user is simply disconnected, with the reason given.</li>
<li>S (tempshun) - A temporary shun is placed on the user. This shun is applied only to that user, and disappears if the user reconnects.</li>
<li>s (shun) - A regular shun on the user's IP address is added. This causes all users with the same hostname to be shunned, but they will also stay shunned if they reconnect.</li>
<li>k (kline) - A K:Line is added on the user's IP address.</li>
<li>z (zline) - A Z:Line is added on the user's IP address.</li>
<li>g (gline) - A G:Line is added on the user's IP address.</li>
<li>Z (gzline) - A Global Z:Line is added on the user's IP address.</li>
<li>b (block) - Messages (or users!) matching the filter are simply blocked.</li>
<li>d (dccblock) - The user is prevented from sending files using DCC for the remainder of his session (in other words, until he quits).</li>
<li>v (viruschan) - User is removed from all channels, joined to the viruschan as defined in conf, and cannot message anything but that channel.</li>
<li>w (warn) - No action on the user is taken. Only the Spamfilter notice is sent to opers with snomask +S.</li>
</ul>
<h1><aname="S9">9 Base64 Tables</a></h1>
<p>Unreal uses base64 encoding to allow saving bandwidth by encoding numbers in a more compact format. Unreal uses two different variations of base64, one used for the SJB64 PROTOCTL option (in NICK and SJOIN), and one used for NICKIP.</p>
<h2><aname="S9_1">9.1 Table for SJB64 (NICK and SJOIN).</a></h2>
<p>In NICK and SJOIN, remember that the timestamp will be prefixed with ! to signal a base64 timestamp.</p>
<p>Just like in base10, the least significant "digit" is last.</p>
<pre> 0 0 17 H 34 Y 51 p
1 1 18 I 35 Z 52 q
2 2 19 J 36 a 53 r
3 3 20 K 37 b 54 s
4 4 21 L 38 c 55 t
5 5 22 M 39 d 56 u
6 6 23 N 40 e 57 v
7 7 24 O 41 f 58 w
8 8 25 P 42 g 59 x
9 9 26 Q 43 h 60 y
10 A 27 R 44 i 61 z
11 B 28 S 45 j 62 {
12 C 29 T 46 k 63 }
13 D 30 U 47 l
14 E 31 V 48 m
15 F 32 W 49 n
16 G 33 X 50 o</pre>
<h2><aname="S9_2">9.2 Table for NICKIP.</a></h2>
<p>In this table, the IP is encoded in network byte order. In terms of IPs, this means the first byte of the address really is first. Each "digit" in the base64 encoded IP corresponds to 6 bits of the IP address.</p>
<p>An IPv4 address is 32 bits, so 6 base64 "digits" are needed. Since base64 requires values to come in multiples of 4 "digits", padding characters (=) need to be added if a value comes up short. In the case of IPv4 addresses, two are needed.</p>
<p>IPv6 addresses are 128-bit. They therefore need 22 base64 "digits" plus 2 pad characters.</p>
These are 3rd party programs modules, or unsupported modules.
Custom modules are compiled by copying them to src/modules
and running from the root directory
$ make custommodule MODULEFILE=modulename
This will produce a .so you can load. Upon load, this will show a "3" in the
/version flags, as it contains third party modules (we do not support if it
crashes because of the tainted module)
======================
Name: burst.c
Description:
Little program to test out the different aspects of the unreal protocol and
produce net.burst dumps
=======================
Name: m_rawto.c
Is a 3rd party module
Description:
Implements the RAWTO command, will allow U:lines to send raw data to
anywhere it pleases.
:uline.server RAWTO towho :what to send
=========================
Name: channeldumper.c
Is a 3rd party module
Description:
Dumps a list of non secret channels to ircd.channels or something every 5 seconds,
C #channel topic
M member1
M member2
C #channel2 topic
M member3
You can't rely on topic being there
Some files were not shown because too many files have changed in this diff
Show More
Reference in New Issue
Block a user
Blocking a user prevents them from interacting with repositories, such as opening or commenting on pull requests or issues. Learn more about blocking a user.
Bram Matthys